Privacy Policy
What we collect, why, how long we keep it, and what your rights are. No third parties, no ad networks, no data sales.
Scope
This policy applies to everyone who creates an account, connects to the game server, or visits the Mapleonim website. The server is non-commercial, community-maintained. We don't sell data, run ads, or share data with marketers.
What We Collect
Account Data
Username, hashed password, email, date of birth, and security question - provided by you at sign-up.
Network Identifiers
Connection IP, MAC address, and machine Hardware ID. Logged for security and rule enforcement.
Gameplay Data
Characters, items, inventory, chat logs, trade actions, GM actions, disciplinary actions. Inherent to running the server.
Support Communications
Messages you send to the team (Discord / forum / support form). Kept to handle and follow up on requests.
Site Data
Session cookies (login), language preference, and basic operational web logs. No Google Analytics, no tracking pixels.
Why We Collect It
- To run the game server and website.
- To prevent multi-accounts, secure access, and identify repeat offenders.
- To investigate player reports - who traded what, who received items from where.
- To recover hacked accounts and fix bugs that affect players.
- To comply with applicable law - if compelled by a competent authority.
Retention
We don't keep data forever "just because." Each category has its own lifetime:
| Category | Retention period |
|---|---|
| Active account data | For as long as the account exists |
| Inactive account | 24 months - then eligible for automatic purge |
| In-game chat logs | 90 days |
| Trade & action logs | 12 months |
| IP / MAC / HWID | 12 months from last login |
| Ban & disciplinary logs | Permanent |
| Support conversations | 12 months after resolution |
| DB backups | 30-day rolling |
Third Parties
We do not sell, trade, or share your data with commercial parties. The only exceptions:
- Infrastructure providers - VPS hosts only see encrypted traffic; they have no access to our DB.
- Legal - only with a competent authority pursuant to a valid legal request.
- Security emergency - if a data leak affects you, we will notify you promptly.
Cookies & Sessions
We use exactly one cookie - a session identifier for login. No third-party tracking cookies. The session cookie expires when you close your browser or sign out.
PHPSESSID- session identifier, required for login. HttpOnly, SameSite=Lax.lang- language preference (en/he), 365 days. No personal data.
Your Rights
Access
Request a copy of the data we hold about you. We respond within 30 days.
Correction
Request correction of inaccurate data (email, security question).
Deletion
Request account deletion. We erase personal details, but consequential actions (bans, scams) remain logged for operational and rule-enforcement reasons.
Portability
The file you receive under "Access" is in a portable format (JSON / CSV).
Objection
You may object to data collection - but that means you can't use the server. We can't operate without a basic log.
Minimum Age
The minimum sign-up age is 13. Accounts found below this threshold will be suspended and, where appropriate, referred to a parent or guardian for confirmation.
Security Incidents
If a breach occurs that may affect personal data, we will notify affected users within 72 hours of confirmation. We publish a public notice on Discord, on the website, and via email to affected users.
Policy Changes
We may update this document. Material changes will be announced publicly. Continued use of the server after such a change means you accept the update.
Contact
Privacy requests (access, deletion, correction, objection) - via Discord (open a ticket in #support) or through the site's support form. Use "Privacy Request" in the subject.