Privacy Policy

1. General Information

Protecting your personal data is important to us. This privacy policy explains what personal data is collected when you use ChatGolem and how it is processed.

2. Controller

Responsible for data processing:

Manuel Mayer
Porzer Straße 142A
53859 Niederkassel
Germany

Email: manuel.mayer@chatgolem.io

3. Collection and Processing of Personal Data

When you create an account, we collect and process:

• Email address (for account management and communication)
• First and last name
• Password (stored as encrypted hash)
• Account verification status and tokens
• Two-factor authentication data (if enabled)
• Account preferences and settings

This data is necessary for providing our services and is processed based on contract performance (Art. 6 para. 1 lit. b GDPR).

For servers connected to ChatGolem, we collect:

• Server information (name, IP address, configuration)
• Chat messages from players (up to 256 characters)
• Player identifiers (Minecraft UUIDs and usernames)
• Moderation actions and results
• Server usage statistics and audit logs

This data is essential for providing moderation services and is processed based on contract performance (Art. 6 para. 1 lit. b GDPR) and legitimate interests (Art. 6 para. 1 lit. f GDPR) for service improvement.

Important: Chat messages processed through our AI moderation system are anonymized and used for training purposes to improve our AI models and services. This anonymization process removes all personally identifiable information including player names, UUIDs, server identifiers, and timestamps.

Anonymized training data:

• Cannot be linked back to specific users, players, or servers
• Remains in our systems for training purposes even after account or server deletion
• Is used solely for improving AI moderation accuracy and developing new features
• May be shared with trusted AI research partners under strict data protection agreements

This processing is based on our legitimate interest in service improvement (Art. 6 para. 1 lit. f GDPR). You can opt out of AI processing entirely by disabling AI features in your server settings, though this will limit moderation capabilities.

When visiting our website, data is automatically collected by the web server and stored in log files. This includes:

• IP address of the requesting device (pseudonymized)
• Date and time of the request
• Browser type and version
• User's operating system
• Referrer URL (the previously visited page)

These data are used solely for technical purposes, particularly to ensure system stability and security. They are not merged with other data sources.

Our website uses cookies and local storage for:

• Essential functionality (authentication tokens, session management)
• User preferences and settings
• Security features (CSRF protection)

You can adjust your cookie preferences at any time via your browser settings or delete cookies manually. Note that disabling essential cookies may impair website functionality.

If you contact us for support, we collect:

• First and last name
• Email address
• Your message and any attached files
• Technical information relevant to your inquiry

This data is used exclusively to process your request and provide support. Data transmission is encrypted according to current security standards.

We integrate with several external services that may process your data:

Cloudflare Turnstile: We use Cloudflare Turnstile as an anti-bot protection service. This may process IP addresses and behavioral data based on our legitimate interest in service security (Art. 6 para. 1 lit. f GDPR).
Privacy Policy: https://www.cloudflare.com/privacypolicy/

Google Gemini AI: Chat messages, player names, and UUIDs may be sent to Google's Gemini AI service for content moderation. Google may process this data according to their privacy policy. You can disable AI features to prevent this processing.
Privacy Policy: https://policies.google.com/privacy

ZeptoMail: We use ZeptoMail for sending transactional emails (account verification, password resets, billing notifications). This involves processing email addresses and message content.
Privacy Policy: https://www.zoho.com/privacy.html

Stripe: Payment processing is handled by Stripe, which processes billing information, names, addresses, and payment details as necessary for contract fulfillment (Art. 6 para. 1 lit. b GDPR).
Privacy Policy: https://stripe.com/privacy

MC-Heads.net: We use mc-heads.net, a third-party service, to display Minecraft player avatars and head icons. This service processes Minecraft player UUIDs and usernames to generate and cache avatar images (cached for 24 hours on their servers). We have no control over how mc-heads.net processes, stores, or handles this data, and they do not provide a formal privacy policy. This integration is based on our legitimate interest in providing enhanced user interface features (Art. 6 para. 1 lit. f GDPR). If you have privacy concerns about this service, you may contact them directly at support@mc-heads.net.

4. Data Security and Technical Measures

We implement appropriate technical and organizational measures to protect your data:

• All data transmission is encrypted using HTTPS/TLS
• Database connections are secured and encrypted
• Access controls and authentication mechanisms protect against unauthorized access
• Regular security updates and monitoring
• Data backups are encrypted and securely stored
• Staff access is limited to necessary personnel and logged

5. Legal Basis for Processing

The processing of personal data is carried out in accordance with the General Data Protection Regulation (GDPR). Legal bases include:

• Art. 6 para. 1 lit. a GDPR – Consent (e.g., for optional features and marketing)
• Art. 6 para. 1 lit. b GDPR – Contract performance (e.g., account management, service delivery, payment processing)
• Art. 6 para. 1 lit. f GDPR – Legitimate interest (e.g., system security, service improvement, anonymized training data)

6. Data Sharing and International Transfers

We do not sell or rent your personal data to third parties. Data may be shared only in the following circumstances:

• With external service providers as described above, under appropriate data protection agreements
• When required by law or to protect our legal rights
• In case of business merger or acquisition (with appropriate notice)

Some of our service providers are located outside the EU/EEA. In such cases, we ensure adequate protection through appropriate safeguards such as Standard Contractual Clauses or adequacy decisions.

7. Data Retention

We retain personal data only as long as necessary for the purposes described in this policy:

• Account data: Until account deletion or 3 years after last activity
• Chat messages: Until server/account deletion (but anonymized versions may be retained for training)
• Payment data: As required by tax and accounting laws (typically 10 years)
• Log files: Maximum 12 months
• Support communications: 3 years after case closure
• Anonymized training data: Indefinitely for service improvement

8. Your Rights Under GDPR

You have the following rights regarding your personal data:

• Right of access (Art. 15 GDPR): Request information about stored personal data
• Right to rectification (Art. 16 GDPR): Request correction of inaccurate data
• Right to erasure (Art. 17 GDPR): Request deletion of your data (subject to legal retention requirements)
• Right to restriction (Art. 18 GDPR): Request limitation of processing under certain circumstances
• Right to data portability (Art. 20 GDPR): Request your data in a machine-readable format
• Right to object (Art. 21 GDPR): Object to processing based on legitimate interests
• Right to withdraw consent: Withdraw consent for consent-based processing at any time

To exercise these rights, please contact us at manuel.mayer@chatgolem.io. We will respond within one month of your request.

9. Account Deletion and Data Removal

You may delete your user account at any time through the dashboard. Upon deletion:

• All personal account data will be permanently deleted
• Server data and chat messages will be removed
• Billing information will be retained by Stripe as required by law
• Anonymized training data cannot be deleted as it cannot be linked back to you

Important: We cannot control how external AI providers handle previously submitted data. Anonymized training data will remain in our systems for service improvement purposes.

10. Automated Decision-Making and Profiling

Our AI moderation system makes automated decisions about chat message content (blocking, flagging). This processing:

• Is necessary for contract performance (providing moderation services)
• Can be reviewed and overridden through your dashboard
• Does not create profiles for marketing or other purposes
• Focuses solely on message content, not user behavior patterns

11. Children's Privacy

Our service is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe we have collected such data, please contact us immediately.

12. Data Protection Officer and Contact

For privacy-related questions or concerns, contact:

Manuel Mayer
Porzer Straße 142A
53859 Niederkassel, Germany
Email: manuel.mayer@chatgolem.io

13. Supervisory Authority

You have the right to lodge a complaint with the competent data protection authority:

State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia
Kavalleriestraße 2-4
40213 Düsseldorf
Phone: +49 211 38424-0
Email: poststelle@ldi.nrw.de
Website: https://www.ldi.nrw.de/

14. Changes to This Privacy Policy

We may update this privacy policy to reflect changes in our practices or applicable law. We will notify users of material changes via email or prominent website notice. The current version is always available on this website.

Last updated: July 24, 2025