Privacy Policy

Last updated: May 8, 2026

Table of Contents

1. Data Controller
2. Data We Collect
3. Purposes & Legal Bases
4. Third Parties
5. International Transfers
6. Email Communications
7. Cookies & Sessions
8. Children's Data
9. Security
10. Data Retention
11. GDPR Rights
12. Payment Data
13. Policy Changes
14. Contact

1Data Controller

The data controller responsible for your personal data is:

Organization: HSR Games

E-mail: [email protected]

Address: Hungary

If a Data Protection Officer (DPO) is appointed, their contact details will be published here.

2Data We Collect

We process the following categories of personal data to operate the Service:

2.1 Roblox Account Data

Roblox user ID
Username and display name
Avatar/profile picture URL (Roblox CDN)
OAuth access and refresh tokens

2.2 Discord Account Data

Discord user ID
Discord username and avatar
Roles held on the HSR Discord server – automatically refreshed every 60 seconds
Discord OAuth tokens

2.3 Game Integration Data (Roblox)

Our Roblox game server (HSRServer) records the following:

Join and leave events with timestamps
Team assignment (Train Driver / Dispatcher / Passenger)
Playtime, distance traveled, XP and level
Aggregated gameplay statistics (UserStats)

2.4 Duty and Schedule Data

Active and completed duties (type, start/end time, train assignment)
Weekly duty summaries and compliance status
Supervisor requests (SupervisorRequest)
Schedule requests and train assignments
iOS Live Activity APNs push tokens – stored only during an active duty

2.5 Exam and Training Data

Exam attempts and their status (IN_PROGRESS, COMPLETED, TIMED_OUT, VIOLATION)
Per-question answers
Violation logs: browser tab switching and application focus loss events
Training registrations and attendance records
Training strikes for unexcused absences
Weekly duty strikes (WeeklyDutyStrike) and appeals

2.6 Support and Communication Data

Submitted support ticket content, messages, and agent assignments
Guest user identifier stored in a cookie (guest-support-id) for anonymous tickets

2.7 Push Notification Data

Web Push VAPID subscription endpoints and public keys
Mobile app Expo push tokens (Android and iOS)
APNs Live Activity push tokens (iOS, linked to an active duty entry)

2.8 Technical Logs

Full audit trail (e.g. LOGIN, DISCORD_LINK, BANNED, MOBILE_LOGIN, admin operations)
IP and device metadata for session security events
Session identifiers and session security data

3Purposes of Processing and Legal Bases

We process personal data only where a valid legal basis under Article 6 GDPR applies.

Purpose	Data Used	Legal Basis
Account registration, login, and authentication	Roblox/Discord ID, OAuth tokens, session data	(1)(b) – Contract
Core service delivery	Profile data, activity, technical logs	(1)(b) – Contract
Game integration and statistics	Game events, team assignment, UserStats	(1)(b) – Contract
Duty and schedule system	Duty data, schedule requests, weekly summaries	(1)(b) – Contract
Exam and training system	Exam attempts, answers, violation logs	(1)(b) – Contract
Security monitoring and abuse prevention	IP/device metadata, audit log	(1)(f) – Legitimate interests
Mandatory service emails	Email address, notification records	(1)(b) – Contract
Compliance with legal obligations	Relevant account and legal records	(1)(c) – Legal obligation
Optional newsletters	Email address, preference choices	(1)(a) – Consent

Where processing is based on legitimate interests, we conduct a balancing test to ensure your fundamental rights are not overridden.

4Third Parties

The Service relies on the following third-party providers:

Roblox CorporationOAuth authentication and game integration – roblox.com/info/privacy

Discord Inc.OAuth authentication and role management – discord.com/privacy

Stripe Inc.PCI DSS-compliant payment processing – stripe.com/privacy

Cloudflare Inc.File storage (R2 object storage), CDN and infrastructure

Expo / Expo SDKMobile app push notification infrastructure

Apple Inc. (APNs)iOS push notifications and Live Activity – apple.com/legal/privacy

5International Data Transfers

Due to the use of Roblox OAuth and Discord APIs, your data may be transferred outside the European Economic Area (EEA), including to countries without an EU adequacy decision. We apply appropriate safeguards, including:

Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable
Transfer impact assessments and supplementary technical measures as needed
Data minimization and strict access controls for transferred data

6Email Communications

We send two types of emails:

Mandatory emails – GDPR Art. 6(1)(b)

Security alerts, account notices, legal updates, schedule reminders, and weekly duty summaries. These are part of contract performance and cannot be opted out of.

Optional emails – GDPR Art. 6(1)(a)

Newsletters and feature announcements – sent only with your consent. Opt out at any time via the unsubscribe link or by contacting [email protected].

7Cookies and Sessions

We use the following cookies:

Cookie name	Purpose	Type
auth-token	JWT session token. Essential for maintaining login state.	HttpOnly, Secure – strictly necessary
guest-support-id	Anonymous support ticket identifier.	1st party – functional
hsr_locale	Language preference.	1st party – functional

We do not use third-party tracking or analytics cookies. If Google AdSense ads are displayed, Google's own cookie policy applies.

8Children's Data

The Service is not intended for children under 16 years of age in the EEA, unless the member state permits a lower digital age of consent (not below 13) and all legal requirements are met. If we learn that data has been collected from a child without the required consent, we will delete it without undue delay.

9Security Measures

We implement technical and organizational measures appropriate to risk, including:

Encryption in transit (TLS) and at rest for sensitive data
Role-based access controls and least-privilege administrative access
Secure handling, rotation, and storage of authentication tokens and secrets
Full audit logging, anomaly monitoring, and incident response procedures
Regular updates, patching, and security hardening of infrastructure
Backups, recovery controls, and data integrity safeguards

10Data Retention

We retain personal data only for as long as necessary for the relevant purpose:

Account and profile data: for the duration of the account and up to 30 days after a deletion request, unless longer retention is legally required.
Authentication and security logs: up to 12 months to investigate abuse and incidents.
Support and dispute records: up to 24 months after case closure.
Game, duty, and schedule data: for the duration of the account.
Exam and training logs: for the duration of the account, or as required by law.
Consent records (optional emails): up to 3 years after withdrawal.
Legal compliance records: as required by applicable law.

When retention is no longer necessary, data is deleted or irreversibly anonymized.

11Your GDPR Rights

Subject to legal conditions, you have the following rights:

Right of access – request a copy of your personal data
Right to rectification – request correction of inaccurate data
Right to erasure ("right to be forgotten")
Right to restriction of processing
Right to object to processing
Right to data portability – request your data in machine-readable format
Right to withdraw consent at any time (where processing is consent-based)
Right to lodge a complaint with your local supervisory authority (in Hungary: NAIH)

How to exercise your rights: Email [email protected] with the subject "GDPR Request". We may request identity verification before completing your request. We respond within 30 days.

12Payment Data and Donations

Donations are processed exclusively by Stripe, a PCI DSS-compliant payment processor. HSR does not collect, store, or access full card details (card number, CVV, expiry date).

We retain the following donation-related data: the amount, the timestamp, the Stripe reference identifier, and the fact of a successful payment. This is used solely to award Supporter status, send confirmation emails, and maintain financial records as required by law.

Your payment data is never sold, shared, or used for marketing. For details on how Stripe handles your data, see stripe.com/privacy.

13Policy Changes

We update this Privacy Policy when required by legal, technical, or operational changes. For material changes, we notify you via the Service and/or email, and update the "Last updated" date. We recommend reviewing this page periodically.

14Contact

For privacy inquiries and GDPR requests, contact us at:

E-mail: [email protected]

For GDPR requests, use the subject line: "GDPR Request". We respond within 30 days.