Privacy Policy

Last Updated: 22 December 2024

This Privacy Policy explains how Obsidian Squad ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our website. We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data Controller

Obsidian Squad is the data controller responsible for your personal data. If you have any questions about this Privacy Policy or our data practices, please contact us at:

  • Email: info@obsidiansquad.com

2. Information We Collect

We collect and process the following categories of personal data:

2.1 Account Registration Data

Data Type | Purpose | Legal Basis
Username | Account identification and display | Contract performance
Password (hashed) | Account security and authentication | Contract performance
Discord ID (hashed) | Membership verification and account linking | Contract performance

2.2 Data Collected During Use

Data Type | Purpose | Legal Basis
Last Login Timestamp | Account security monitoring | Legitimate interest
Print Request Messages | Fulfilling your 3D print requests | Contract performance
Discord Username (for print requests) | Providing custom 3D print files and contacting you about your request | Contract performance
Theme Preference | Personalising your experience (stored locally in your browser) | Consent

2.3 Data NOT Collected

We do NOT collect:

  • Your real name or physical address
  • Your email address (we do not require email registration)
  • Payment or financial information
  • Location data or IP addresses for tracking purposes
  • Discord messages, friends list, or server content
  • Browsing history or activity on other websites

3. Discord OAuth Integration

3.1 What We Access

When you authenticate with Discord, we use the minimal scope (guilds.members.read) to access only:

  • Your Discord User ID
  • Your membership status in the Obsidian Squad Discord server
  • Your roles within the Obsidian Squad Discord server

3.2 How We Process Discord Data

  • Your Discord User ID is immediately hashed using HMAC-SHA256 (a keyed hash)
  • Only the hashed ID is stored in our database
  • We cannot reverse the hash to obtain your original Discord ID
  • Membership and role data is checked once during verification and not stored

3.3 Discord's Privacy Policy

Your use of Discord is subject to Discord's Privacy Policy. We are not responsible for Discord's data practices.

4. How We Use Your Data

We use your personal data for the following purposes:

4.1 Account Management

  • Creating and maintaining your user account
  • Authenticating your login sessions
  • Verifying your membership in the Obsidian Squad community
  • Processing account updates (username changes, password resets)

4.2 Service Provision

  • Providing access to member-exclusive content
  • Processing and fulfilling 3D print requests
  • Remembering your display preferences (theme)

4.3 Security

  • Protecting your account from unauthorised access
  • Recording login timestamps to detect suspicious activity
  • Maintaining the integrity of our systems

5. Legal Basis for Processing

Under the UK GDPR, we process your data based on the following legal grounds:

5.1 Contract Performance (Article 6(1)(b))

Processing necessary for the performance of a contract with you, including:

  • Creating and managing your account
  • Providing member services and content
  • Processing 3D print requests

5.2 Legitimate Interests (Article 6(1)(f))

Processing necessary for our legitimate interests, where those interests are not overridden by your rights and freedoms, including:

  • Recording login timestamps for account security
  • Protecting our systems from abuse or unauthorised access
  • Improving and maintaining our website

5.3 Consent (Article 6(1)(a))

Where you have given consent for specific processing, such as:

  • Storing theme preferences in your browser's local storage

You may withdraw consent at any time by clearing your browser's local storage.

6. Data Storage and Security

6.1 Password Security

  • Passwords are hashed using bcrypt (PHP's PASSWORD_DEFAULT algorithm)
  • We never store passwords in plain text
  • Password hashes are one-way and cannot be reversed

6.2 Session Security

  • Session cookies are marked as HttpOnly (inaccessible to JavaScript)
  • Session cookies are marked as Secure (only transmitted over HTTPS)
  • Sessions are regenerated after login and password changes
  • Sessions expire after a period of inactivity

6.3 Database Security

  • All database queries use parameterised statements to prevent SQL injection
  • Database access is restricted to authorised systems only
  • Discord IDs are stored only as hashed values

6.4 Data Location

Your data is stored on secure servers. We take appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction.

7. Data Retention

We retain your personal data as follows:

Data Type | Retention Period
Account Data (username, password hash, Discord ID hash) | Until you delete your account
Print Request Data (including Discord username) | Until you delete your account or request deletion
Session Data | Automatically expires after inactivity; cleared on logout
Theme Preference (localStorage) | Until you clear your browser data

8. Your Rights Under GDPR

Under the UK GDPR, you have the following rights regarding your personal data:

8.1 Right of Access (Article 15)

You have the right to request a copy of the personal data we hold about you. To exercise this right, contact us at info@obsidiansquad.com.

8.2 Right to Rectification (Article 16)

You have the right to request correction of inaccurate personal data. You can update your username directly through your Account page.

8.3 Right to Erasure (Article 17)

You have the right to request deletion of your personal data. You can delete your account at any time through the Account page. This will permanently remove all your data from our systems.

8.4 Right to Restrict Processing (Article 18)

You have the right to request restriction of processing in certain circumstances. Contact us to exercise this right.

8.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format. Contact us to request a data export.

8.6 Right to Object (Article 21)

You have the right to object to processing based on legitimate interests. Contact us to exercise this right.

8.7 Right to Withdraw Consent

Where we process data based on consent, you may withdraw that consent at any time. This does not affect the lawfulness of processing before withdrawal.

8.8 Exercising Your Rights

To exercise any of these rights, please contact us at info@obsidiansquad.com. We will respond to your request within one month.

9. Cookies and Local Storage

9.1 Session Cookies

We use essential session cookies to maintain your login state. These cookies are:

  • Strictly necessary for the website to function
  • HttpOnly - cannot be accessed by JavaScript
  • Secure - only transmitted over HTTPS

9.2 Local Storage

We use your browser's local storage to remember your theme preference (blue or red theme). This data:

  • Is stored only in your browser, not on our servers
  • Contains only the value "alt" or "default"
  • Can be cleared by clearing your browser data
  • Is not transmitted to us or any third party

9.3 No Tracking Cookies

We do NOT use:

  • Google Analytics or other analytics tracking
  • Advertising or marketing cookies
  • Social media tracking pixels
  • Third-party tracking cookies of any kind

10. Third-Party Services

10.1 Discord

We use Discord for authentication and membership verification. When you authenticate with Discord, your data is subject to Discord's Privacy Policy.

10.2 Cloudflare CDN

We use Cloudflare's Content Delivery Network to serve Font Awesome icons. This is a static resource that does not involve personal data processing. See Cloudflare's Privacy Policy for more information.

11. International Data Transfers

Discord is based in the United States. When you authenticate with Discord, your Discord User ID may be processed in the US. Discord has implemented appropriate safeguards for international data transfers.

12. Children's Privacy

Our website is not intended for children under 18 years of age. We do not knowingly collect personal data from children under 18. If you believe we have collected data from a child under 18, please contact us immediately at info@obsidiansquad.com.

13. Data Breaches

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the Information Commissioner's Office (ICO) within 72 hours where required
  • Notify affected users without undue delay if the breach is likely to result in high risk
  • Document the breach and actions taken

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. We encourage you to review this Privacy Policy periodically.

For significant changes that materially affect your rights, we will make reasonable efforts to notify you (e.g., via the website or Discord announcements).

15. Complaints

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

  • Website: https://ico.org.uk
  • Telephone: 0303 123 1113

We encourage you to contact us first at info@obsidiansquad.com so we can try to resolve your concerns.

16. Contact Us

If you have any questions about this Privacy Policy, your personal data, or wish to exercise your rights, please contact us:

  • Email: info@obsidiansquad.com
  • Discord: Obsidian Squad Discord Server