MCLogger — Privacy Policy

1. Controller & Contact

The controller responsible for data processing within this service is:

Simon
E-Mail: simon@devanturas.net

For any questions, requests, or concerns regarding your personal data, please contact the address above.

2. What Is MCLogger?

MCLogger is a self-hosted logging and analytics panel for Minecraft server operators. It collects and displays in-game activity data (sessions, chat, commands, deaths, block events, proxy events) and provides a multi-tenant web interface for authorised server administrators and group members.

3. Data We Collect

3.1 Minecraft Player Data

When players connect to a Minecraft server that uses the MCLogger plugin, the following data is automatically recorded:

• Player identity: Minecraft username, UUID
• Sessions: join time, leave time, session duration, server name
• IP addresses: the IP address used at connection time
• Chat messages: message content, timestamp, username
• Commands: command text, timestamp, username
• Deaths: death message/cause, timestamp, location, username
• Block events: block type, action (place/break), coordinates, username, timestamp
• Proxy events: connect/disconnect events on the proxy network, timestamp

This data is stored in a MariaDB database operated by the server operator. Players should be informed about this logging by the Minecraft server's own rules or MOTD.

3.2 Panel User Accounts

When a user account is created for the web panel, the following data is stored:

• Username
• Password (stored as a salted PBKDF2-HMAC-SHA256 hash; the plain-text password is never stored)
• E-mail address (when provided via the invite flow)
• Group membership and role
• Account creation date

3.3 Invite Tokens

When a group administrator invites a user by e-mail, a time-limited invite token is generated and stored together with the recipient's e-mail address. The token expires after 72 hours. Accepted and revoked tokens are retained in the database for audit purposes.

3.4 Session Data

MCLogger uses server-side sessions (Flask session cookie) to keep you logged in. The session cookie is HTTP-only, SameSite-protected, and expires when your browser session ends.

3.5 Panel Audit Log

MCLogger maintains an internal audit log in the panel database that records security-relevant and data-access events. Each entry contains:

• The panel user who performed the action (username and internal ID)
• The action taken (e.g. login, logout, member role change, viewing player data)
• The affected entity (e.g. a Minecraft player's UUID when player profile pages are accessed)
• The IP address of the panel user at the time of the action
• A UTC timestamp

This includes access to pages that display Minecraft player data (player list, player detail, chat history, commands, deaths, block events, sessions, proxy events). The log therefore records who in the panel team accessed which player's data and when, providing an accountable audit trail as required by Art. 32 GDPR. Audit log entries are automatically deleted after 90 days (configurable by the operator).

3.6 Server Log Files

The web server (gunicorn) may write standard HTTP access logs containing IP addresses, request paths, and timestamps. These logs are used for operational security monitoring and are not shared with third parties.

4. Purpose & Legal Basis of Processing

Data	Purpose	Legal Basis (GDPR)
Minecraft player activity data	Server administration, moderation, abuse prevention	Art. 6(1)(f) — legitimate interest of the server operator
Panel user accounts	Authentication and authorisation for the web panel	Art. 6(1)(b) — performance of a contract / access service
E-mail addresses (invites)	Sending one-time panel invitation links	Art. 6(1)(a) — consent (the invite was requested by a group admin)
Server access logs	Security monitoring and error diagnosis	Art. 6(1)(f) — legitimate interest
Panel audit log (incl. IP addresses of panel users)	Accountability for access to personal data; security incident traceability	Art. 6(1)(c) — legal obligation / Art. 32 GDPR (security of processing)

5. Data Retention

• Minecraft logs are retained as long as the server operator deems necessary for moderation purposes.
• Panel accounts are retained until manually deleted by a site administrator.
• Invite tokens expire after 72 hours and are never sent to third parties beyond the intended recipient.
• Panel audit log entries are automatically deleted after 90 days. This includes IP address data logged on data-access events.
• Server access logs are typically rotated within 30 days.

6. Data Sharing & Third Parties

Data collected by MCLogger is not sold, rented, or shared with third parties. All data remains within the infrastructure controlled by the server operator. No third-party analytics services, advertising networks, or tracking pixels are used.

Player head images are loaded from minotar.net, a public Minecraft avatar service. Minotar may process the Minecraft username and your IP address as part of serving the image. Please consult minotar.net for their privacy practices. If the image cannot be loaded, a local fallback placeholder is displayed.

External resources loaded by the web interface (Bootstrap CSS/JS and Bootstrap Icons) are served from the jsDelivr CDN (cdn.jsdelivr.net). jsDelivr may process your IP address as part of delivering these static files. Please consult jsDelivr's privacy policy for details.

7. Security

MCLogger applies the following technical safeguards:

• Passwords are hashed with PBKDF2-HMAC-SHA256 (per-user salt + server pepper).
• Stored database credentials and SMTP credentials are encrypted with Fernet symmetric encryption before being written to the database.
• CSRF tokens are enforced on all state-changing requests.
• Security response headers (X-Frame-Options, X-Content-Type-Options, Content-Security-Policy, Referrer-Policy) are set on every response.
• SMTP connections use STARTTLS.

8. Your Rights (GDPR)

If you are subject to the GDPR you have the following rights:

• Right of access (Art. 15) — request a copy of your personal data.
• Right to rectification (Art. 16) — request correction of inaccurate data.
• Right to erasure (Art. 17) — request deletion of your data ("right to be forgotten").
• Right to restriction of processing (Art. 18) — request that processing is restricted while a dispute is resolved.
• Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
• Right to object (Art. 21) — object to processing based on legitimate interest.
• Right to withdraw consent (Art. 7(3)) — withdraw any consent you have given at any time.

To exercise any of these rights, please contact: simon@devanturas.net

You also have the right to lodge a complaint with your national data protection supervisory authority.

9. Changes to This Policy

This privacy policy may be updated to reflect changes in the software or applicable law. The "Last updated" date at the top of this page indicates when the most recent revision was made.