Your data, and what we do with it

This is a short, honest rundown of how the AstuTech dashboard handles your information. It explains what we collect, the reason we collect each piece, how it is stored, how long it stays around, and how you can get it back or remove it.

We sign you in through OAuth, so your password never passes through us. Here is what actually happens when you log in:

• You enter your details on Google's or Discord's own page, not on our server.
• The provider sends back a sign-in result that includes a unique provider ID, and sometimes a bit of basic profile info such as your name or email if you let it.
• We save that provider ID so we can recognise your dashboard account the next time you show up.
• We may hold a few short-lived security values, like a nonce, so you get back in quickly on your next visit.

Binding is how we confirm that the game account you enter is really yours, so nobody can connect to your UID without your say-so.

• You type your game account ID (UID) into the dashboard.
• We drop a confirmation message into that account's in-game mailbox. This step on its own does not store any extra information about you.

• Sign-in data: your provider ID from Google or Discord, plus basic profile details (name or username, and email if the provider shares it).
• Binding data: your game account ID (UID), your in-game name where available, your verification status, and the times your binding events happen.
• Session data: the cookies and tokens that keep you logged in and protect your session.
• Verification data: temporary one-time codes used during binding and when confirming a deletion.
• Security data: your IP address, request timestamps, and basic device details such as your browser's user agent and device identifier.
• Activity records: simple logs of the actions that matter, for example bind and unbind attempts, deletion requests, blocked requests, and the feature usage we need to track down problems.

The data we hold goes toward three things only: signing you in and keeping accounts secure, confirming ownership through one-time codes, and protecting the service from abuse. We do not sell your data, and we do not use it for advertising.

• Provider ID: identifies your dashboard account without needing a password.
• UID and verification status: links your dashboard account only after you have proven the account is yours.
• Session tokens and cookies: keep you logged in safely.
• One-time codes: confirm ownership and guard sensitive actions like deletion.
• IP and request patterns: shut down spam and bots, block suspicious activity, and keep the system steady.
• Activity records: help us catch errors and fix bugs.

We use cookies, or similar storage, mostly to keep you logged in and to protect your session. If you block them, sign-in and some parts of the dashboard may stop working.

IP addresses help us keep the dashboard safe and running for real users. We never use them for marketing.

• Rate limiting: we cap how many requests can come from one IP in a short window, which stops spam, code flooding, and automated attacks.
• Account protection: if something looks off, like repeated failed sign-ins or a flood of code attempts from one IP, we can slow that IP down or block it for a while to keep accounts safe.
• Proxy and VPN checks: a lot of abuse rides in through VPNs, proxies, and datacenter IPs, so we screen for those and limit them to keep access fair for people on normal home connections.
• Bot and fraud signals: we read request speed, timestamps, repeated actions, and basic browser info alongside IP signals to spot automation and shady activity.
• Stability and troubleshooting: during attacks or outages, IP logs show us where traffic spikes are coming from so we can fix things faster.

You can ask for a copy of the data we hold on your dashboard account. Once the request is approved, we can send your stored data to your email as a file, for example as JSON.

• Request it by emailing [email protected].
• For your own safety, we may ask you to confirm that the account is yours.
• We only send data to the email tied to your OAuth profile when we have it, or to an address once we have confirmed it is really you.

• Session data: kept while you are logged in, and it expires once you have been inactive for a while.
• One-time codes: short-lived, and cleared automatically the moment they expire or get used.
• Security and rate-limit logs (IP included): kept for a limited time so we can look into abuse.
• Binding and account data: kept until you delete your data or unbind your account.

We lean on only a handful of trusted services, and only where they earn their place:

• Google and Discord: our sign-in providers (OAuth).
• Cloudflare Turnstile: helps block bots on sensitive actions.
• Hosting and infrastructure: keeps the servers running.

• Access and export: ask for a copy of your stored dashboard data by email.
• Unbind: disconnect your UID from your dashboard account any time you like.
• Delete: remove all of your dashboard data from Delete My Data. This one cannot be undone.

Got a privacy question or need a hand? Reach us here:

• Email: [email protected]
• Discord: discord.gg/astutech