Privacy Policy

Last updated: May 4, 2026

1. Introduction

Elite Squadrons ("the Platform") is operated by Vintenxe, an individual hobbyist based in Nevada, USA, who acts as the data controller for the purposes of applicable data protection law. This privacy policy explains what information we collect, how we use it, and your rights regarding your data.

The Platform is used by players worldwide. All data is stored and processed in the United States. By using the Platform at elitesquadrons.com, you agree to the practices described below.

2. Information We Collect

We collect the following categories of information:

2.1 Discord Account Data

When you sign in via Discord OAuth, we receive and store your Discord user ID, username, avatar URL, email address, and guild membership information. This is required for authentication and to verify your membership in the linked Discord server.

2.2 Profile & Squadron Data

You may provide a commander name (in-game handle), and we track your squadron membership status (active, inactive, on-leave, suspended, left, kicked, or banned), join date, rank, functional tags (e.g., diplomat), and custom status. Squadron officers may record administrative notes and warnings about you. We also maintain a membership history that records joins, departures, kicks, and bans across squadrons, including the departure reason and date.

2.3 Operational & Activity Data

When you participate in squadron activities, we store:

  • Operation signups, assignments, and proof submissions (screenshots)
  • After-action reports
  • Colonization project deliveries, in-transit shipments, and colonization notes
  • Fleet carrier data: jump schedules, commodity inventories, carrier services and locations
  • Diplomatic pact data: stances, actions, and messages exchanged with other squadrons or factions
  • Lore entries you author (content, tags, publish status)
  • Recruitment applications (commander name, Discord username, platform, timezone, playstyle, introduction)
  • Awards and achievements granted to you
  • Donation proofs (amounts, screenshots, optional system and station name)

Uploaded files (screenshots, images) are stored on Backblaze B2 cloud storage.

2.4 Frontier Account Data (Optional)

If you choose to link your Frontier Developments account, we store encrypted access tokens (AES-256-GCM) and your linked commander name. This is entirely optional and used to import in-game data via the Frontier Companion API.

2.5 Telemetry Data

If you use a compatible EDMC plugin, activity telemetry events may be sent to the Platform. Telemetry data includes your commander name, in-game star system location, station docked at, faction influence readings, market/outfitting/shipyard data, and carrier status events. Each telemetry client records the last IP address used and total event count for security monitoring. Raw telemetry data (ingress envelopes) is retained for 30 days by default, after which it is automatically deleted.

2.6 Session & Cookie Data

We use database-backed session tokens (not JWTs) to keep you signed in. A single session cookie is set in your browser for authentication purposes only (SameSite=Lax, 7-day maximum age). We do not use tracking cookies or advertising cookies.

2.7 Audit Logs

Administrative actions (promotions, demotions, bans, settings changes, faction linking, proof reviews) are logged for accountability and security purposes.

2.8 IP Addresses

We collect your IP address for rate limiting on API and authentication endpoints. IP addresses are processed using a Redis sliding-window algorithm and are not stored permanently in the database. Your IP address is also processed by our reverse proxy (Traefik) and bot protection system (CrowdSec) for security purposes. Telemetry client credentials record the last IP address used.

2.9 In-Game Location Data

If you submit telemetry data or manually update your location, we store your current star system, the time it was last updated, and the source (telemetry or manual). This is displayed in the member directory and used for operational coordination.

2.10 Browser Local Storage

We store the following data in your browser's local storage. This data is stored only on your device and is not transmitted to our servers:

  • Pinned BGS systems for quick access
  • Carrier and member directory display preferences (layout, sort, grouping)
  • Whether you have completed the onboarding tour
  • PWA install prompt dismissal timestamp

These are not cookies and do not track you across sites.

2.11 Notification Data

We store in-app notifications including category, type, severity, read status, and timestamps. You may configure per-category notification preferences (enabled/disabled, minimum severity level).

3. How We Use Your Information

  • Authenticate your identity and verify Discord server membership
  • Display your profile within the squadron management interface
  • Coordinate squadron operations, fleet carriers, and BGS campaigns
  • Track colonization project progress and coordinate deliveries
  • Manage diplomatic relationships and facilitate inter-squadron communication
  • Publish lore entries and after-action reports
  • Track and display leaderboard rankings and awards
  • Record donation proofs for squadron transparency
  • Display event calendars aggregating operations, carrier jumps, and milestones
  • Process recruitment applications
  • Send automated Discord webhook notifications about squadron activity, configured by squadron administrators
  • Deliver in-app notifications about squadron activity
  • Automatically detect BGS conflicts and create operations
  • Update member location data from telemetry for operational coordination
  • Maintain audit logs for administrative accountability
  • Rate-limit API and authentication requests to prevent abuse
  • Generate daily backups to protect against data loss

4. Third-Party Services

We integrate with the following third-party services to operate the Platform:

  • Discord — Authentication, webhook notifications, avatar delivery, and server membership verification
  • Backblaze B2 — Secure file storage for uploaded screenshots, operation proofs, donation proofs, lore images, and encrypted database backups
  • Frontier Developments — Optional Companion API integration for in-game data (only if you link your account)
  • EDDN / EDSM / Spansh — Public Elite Dangerous galaxy data feeds for BGS tracking. No personal data is shared with these services; we only read from their public feeds
  • Ko-fi — External donation platform (ko-fi.com/elitesquadrons). If you visit the Ko-fi link, Ko-fi's own privacy policy applies. We do not share your data with Ko-fi
  • Umami — Self-hosted, first-party-proxied analytics on Vintenxe-controlled infrastructure. Cookie-free; honours Do Not Track; no advertising; no sale of analytics data. See section 14 for the full list of fields collected
  • CrowdSec — Bot and abuse protection integrated with our Traefik reverse proxy. CrowdSec may process your IP address to identify and block malicious traffic
  • Traefik — Reverse proxy that terminates TLS, routes requests, and writes short-lived access logs (path, status code, IP) used for operational and security purposes
  • Let's Encrypt — TLS certificates are provisioned automatically via Traefik. Let's Encrypt may log domain access as part of the certificate issuance process but does not receive user IP addresses

Fonts are loaded via Next.js next/font, which downloads and self-hosts font files at build time. No user data is transmitted to Google or any font CDN at runtime.

We do not sell, rent, or share your personal data with any third parties beyond what is described above.

5. Data Storage & Security

All data is stored on self-hosted servers located in Manassas, Virginia, USA. We use PostgreSQL with encrypted connections, AES-256-GCM encryption for sensitive tokens (such as Frontier OAuth credentials), and daily automated backups encrypted and stored on Backblaze B2 cloud storage. Access to the servers and database is restricted to the Platform operator (Vintenxe).

The Platform uses Redis for session caching, rate limiting, and real-time notification delivery. Redis data is ephemeral and password-protected. All API tokens (telemetry credentials) are stored as SHA-256 hashes; the raw token is shown once at creation and never stored. CSRF protection is enforced on all mutation endpoints via Origin header validation.

While we take reasonable measures to protect your data, no system is 100% secure, and we cannot guarantee absolute security.

6. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction that requires a legal basis for processing personal data, we rely on the following:

  • Consent (Art. 6(1)(a) GDPR): You consent to data collection when you authenticate via Discord, create an account, optionally link your Frontier account, and submit telemetry data. You may withdraw consent at any time by deleting your account or unlinking services
  • Legitimate Interest (Art. 6(1)(f) GDPR): We process data for Platform security (rate limiting, audit logs, bot protection via CrowdSec), fraud prevention (detecting falsified proofs and telemetry), and maintaining the integrity of squadron operations and moderation
  • Performance of the Service (Art. 6(1)(b) GDPR): Processing necessary to provide the features you use, including squadron management, operations, BGS tracking, fleet carrier coordination, colonization projects, diplomacy, and notifications

7. Data Controller

The data controller for the Platform is:

Vintenxe
Nevada, USA
contact@vintenxe.com

As an individual hobbyist operator, we are not required to designate a Data Protection Officer (DPO) under Article 37 of the GDPR. However, you may direct any data protection inquiries to the contact email above.

If you are located in the EEA or UK, you have the right to lodge a complaint with your local data protection supervisory authority if you believe your personal data has been processed in violation of applicable data protection law.

8. Data Retention

  • Telemetry data (ingress envelopes): Automatically deleted after 30 days
  • Session tokens: Cleared on logout or expiration (7-day maximum)
  • Rate limit data: Ephemeral; automatically expires from Redis within 60 seconds
  • Active membership data: Squadron data, operations, diplomacy, colonization, lore, awards, and donations are retained for the duration of your membership
  • Membership history: Retained indefinitely for moderation audit purposes, even after account deletion (commander name, dates, departure reason)
  • Audit logs: Retained indefinitely for accountability
  • Database backups: Retained on Backblaze B2 according to the operator's backup rotation policy
  • Browser local storage: Persists until you clear your browser data or the Platform removes the key
  • All other personal data: Upon account deletion, your data will be removed within 30 days

9. Automated Processing

The Platform performs automated data processing in the following ways:

  • BGS data ingestion: Telemetry events, EDDN feeds, and scheduled data imports automatically update faction influence, star system data, and station information
  • Automatic operation creation: When BGS conflicts involving your squadron's tracked factions are detected, operations may be automatically created
  • Faction discovery: Scheduled scans automatically discover star systems where tracked factions have a presence and add them to the tracked system list
  • Discord synchronization: Member roles, nicknames, and status are periodically synchronized with the linked Discord server
  • Rate limiting: API requests are automatically throttled per-client or per-IP address using a sliding-window algorithm

No automated processing is used to make decisions that produce legal effects or similarly significant effects concerning you.

10. International Data Transfers

The Platform is operated from Nevada, USA, and all data is stored on servers located in Manassas, Virginia, USA. If you access the Platform from outside the United States, your data will be transferred to and processed in the United States.

For users in the EEA or UK: the transfer of your personal data to the United States is based on your explicit consent under Article 49(1)(a) of the GDPR. By creating an account and using the Platform, you explicitly consent to the transfer of your data to the United States, where data protection laws may differ from those in your country.

We do not specifically target users in any particular jurisdiction. The Platform is available globally as a fan-made tool for Elite Dangerous players.

11. Data Breach Notification

In the event of a data breach that affects your personal data, we will:

  • Investigate the breach promptly
  • Notify affected users via email (if we have your email address from Discord) and/or via an in-app announcement within 72 hours of becoming aware of the breach
  • Provide details about what data was affected and what steps we are taking to remediate
  • Where required by law, notify the relevant data protection authority

As a hobbyist project operated by a single individual, we will make every reasonable effort to respond swiftly, but our capacity is limited.

12. Your Rights

You have the right to:

  • Request a copy of all personal data we hold about you (right of access)
  • Request correction of inaccurate data (right to rectification)
  • Request deletion of your data and account (right to erasure)
  • Request a machine-readable export of your data (right to data portability)
  • Object to processing based on legitimate interest (right to object)
  • Request restriction of processing (right to restriction)
  • Withdraw consent for data processing at any time
  • Unlink your Frontier account at any time
  • Opt out of telemetry data collection by revoking your telemetry tokens or not using the EDMC plugin
  • Lodge a complaint with your local data protection supervisory authority (if applicable)

To exercise any of these rights, email us at contact@vintenxe.com. We will respond within 30 days.

13. Children's Privacy

The Platform is not intended for use by anyone under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal data, please contact us at contact@vintenxe.com and we will promptly delete it.

14. Analytics

We use Umami, a privacy-respecting analytics tool, to understand how the Platform is used. Our Umami instance is self-hosted on Vintenxe-controlled infrastructure and the tracker script is served first-party from a same-origin path (/stats/v). No analytics data is sent to third-party services such as Google Analytics, and no analytics data is shared with external parties.

14.1 What we use analytics for

  • Understanding overall site usage and traffic patterns
  • Improving Platform performance and user experience
  • Identifying which pages and features are most used
  • Diagnosing product issues at an aggregate level

14.2 What Umami may collect

  • Page URL / path (with the query string and URL fragment stripped before recording)
  • Referrer URL
  • Browser type and version
  • Operating system
  • Device type (desktop, mobile, tablet)
  • Approximate country, region, or city-level location derived from IP at collection time, where Umami's built-in geolocation is enabled
  • Visit and session timestamps and aggregated session/visit counts
  • Custom events only if and when we explicitly implement them

The Umami tracker is configured to honour the browser Do Not Track signal. When DNT is enabled, no analytics events are recorded.

14.3 What analytics is NOT used for

  • Advertising of any kind
  • Selling, renting, or sharing analytics data
  • Cross-site tracking
  • Tying analytics records to your Discord account, Frontier account, telemetry tokens, or squadron membership. Unless we explicitly implement authenticated analytics events in the future, analytics data is not linked to your identity on the Platform

14.4 Cookies and storage

Umami's tracker is cookie-free. It does not set cookies in your browser, and it does not use cross-site fingerprinting. The Platform's normal authentication session cookie (described in section 2.6) is unaffected by analytics and continues to be set separately for login.

14.5 Retention

Analytics data is retained as needed for operational and product analytics purposes. Older data may be deleted, downsampled, or rolled up into aggregate metrics over time. We do not currently commit to a fixed retention duration in code; analytics is treated as operational telemetry rather than a long-term identity record.

15. Cookie Policy

The Platform uses a single first-party cookie for authentication:

  • Session cookie — Used for authentication only. SameSite=Lax, 7-day maximum age, refreshed on activity. This is not a tracking cookie

Our self-hosted Umami analytics tracker (described in section 14) is cookie-free and does not set any tracking cookies. We do not use advertising cookies or any third-party cookie-based services. Browser local storage items (described in section 2.10) are stored on your device and are not cookies.

16. Changes to This Policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Continued use of the Platform after changes are posted constitutes acceptance of the revised policy.

17. Contact

For any privacy-related questions or requests, contact us at contact@vintenxe.com.