How we collect, process and protect your personal data when using devcon.studio. Compliant with GDPR (EU 2016/679) and BDSG.
Data controller within the meaning of Article 4(7) GDPR is BCP - Business Control Panel UG (haftungsbeschränkt), Berliner Straße 161, 10715 Berlin, represented by Managing Director Matteo Presser.
Email: legal@bcpanel.de
Discord: discord.gg/devCon
No external Data Protection Officer is appointed (not legally required for our size).
devcon.studio is hosted on servers operated by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. All data is processed exclusively within the EU.
Processing is based on Art. 6(1)(f) GDPR (legitimate interest in providing a stable, secure website) and a Data Processing Agreement (DPA) under Art. 28 GDPR with Hetzner.
When you log in via Discord OAuth 2.0, we receive: your Discord User ID, username, avatar URL and (if you authorize the email scope) your email address. We do not see your Discord password at any point.
Used solely for account identification, license assignment and customer support. Legal basis: Art. 6(1)(b) GDPR (contract execution).
Discord Inc. is based in the USA. Data transfer is secured via Standard Contractual Clauses (SCC) and Discord\'s GDPR-compliant infrastructure. Privacy policy: discord.com/privacy.
All payments are processed by Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Dublin 2, Ireland. Stripe is PCI-DSS Level 1 certified.
We never see card data. From Stripe we only receive: transaction ID, payment status, currency, amount, and (for invoicing) name and email. Card details remain exclusively with Stripe.
Art. 6(1)(b) GDPR (contract execution). Stripe privacy policy: stripe.com/privacy.
For each purchased license: license key, your Discord user ID, the bound server IP (FiveM scripts) or Discord guild ID (bots), product version, and timestamps for first bind and last heartbeat.
License bindings prevent piracy and unauthorized resale, and let us deliver updates only to legitimate customers. Legal basis: Art. 6(1)(b) GDPR (contract execution) and Art. 6(1)(f) GDPR (legitimate interest in protecting our products).
License records are kept for the duration of the license plus 6 years (commercial retention obligations under § 257 HGB / § 147 AO). Heartbeat logs older than 90 days are automatically deleted.
Our nginx access logs store IP address, timestamp, requested URL, HTTP status and user-agent for security and debugging. Logs are rotated and deleted after 14 days.
We use a single essential session cookie (devcon_panel_session) for login state. No analytics, no advertising, no third-party tracking. Therefore no cookie consent banner is required under TTDSG / DSGVO.
We do not use Google Analytics, Facebook Pixel, Hotjar or any other tracking service. We have no interest in your browsing behavior.
Under Articles 15-22 GDPR you have the right to: access (Art. 15), rectification (Art. 16), erasure (Art. 17 — except where retention is legally required), restriction (Art. 18), portability (Art. 20) and objection (Art. 21).
Send an email to legal@bcpanel.de with the subject "GDPR Request". We confirm receipt within 72 hours and respond fully within one month (Art. 12(3) GDPR).
Wherever processing is based on consent (Art. 6(1)(a) GDPR), you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.
You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). For us, this is the Berliner Beauftragte für Datenschutz und Informationsfreiheit, Friedrichstr. 219, 10969 Berlin, datenschutz-berlin.de.
If you believe we are processing your data incorrectly, please contact us first — most issues can be resolved within hours via Discord or email.