MCLogger — Privacy Policy

Last updated: {{ last_updated }}

1. Controller & Contact

The controller responsible for data processing within this service is:

Simon
E-Mail: simon@devanturas.net

For any questions, requests, or concerns regarding your personal data, please contact the address above.

2. What Is MCLogger?

MCLogger is a self-hosted logging and analytics panel for Minecraft server operators. It collects and displays in-game activity data (sessions, chat, commands, deaths, block events, proxy events) and provides a multi-tenant web interface for authorised server administrators and group members.

3. Data We Collect

3.1 Minecraft Player Data

When players connect to a Minecraft server that uses the MCLogger plugin, the following data is automatically recorded:

  • Player identity: Minecraft username, UUID
  • Sessions: join time, leave time, session duration, server name
  • IP addresses: the IP address used at connection time
  • Chat messages: message content, timestamp, username
  • Commands: command text, timestamp, username
  • Deaths: death message/cause, timestamp, location, username
  • Block events: block type, action (place/break), coordinates, username, timestamp
  • Proxy events: connect/disconnect events on the proxy network, timestamp

This data is stored in a MariaDB database operated by the server operator. Players should be informed about this logging by the Minecraft server's own rules or MOTD.

3.2 Panel User Accounts

When a user account is created for the web panel, the following data is stored:

  • Username
  • Password (stored as a salted PBKDF2-HMAC-SHA256 hash; the plain-text password is never stored)
  • E-mail address (when provided via the invite flow)
  • Group membership and role
  • Account creation date

3.3 Invite Tokens

When a group administrator invites a user by e-mail, a time-limited invite token is generated and stored together with the recipient's e-mail address. The token expires after {{ invite_expiry_hours }} hours. Accepted and revoked tokens are retained in the database for audit purposes.

3.4 Session Data

MCLogger uses server-side sessions (Flask session cookie) to keep you logged in. The session cookie is HTTP-only, SameSite-protected, and expires when your browser session ends.

3.5 Server Log Files

The web server (gunicorn) may write standard HTTP access logs containing IP addresses, request paths, and timestamps. These logs are used for operational security monitoring and are not shared with third parties.

4. Purpose & Legal Basis of Processing

Data Purpose Legal Basis (GDPR)
Minecraft player activity data Server administration, moderation, abuse prevention Art. 6(1)(f) — legitimate interest of the server operator
Panel user accounts Authentication and authorisation for the web panel Art. 6(1)(b) — performance of a contract / access service
E-mail addresses (invites) Sending one-time panel invitation links Art. 6(1)(a) — consent (the invite was requested by a group admin)
Server access logs Security monitoring and error diagnosis Art. 6(1)(f) — legitimate interest

5. Data Retention

  • Minecraft logs are retained as long as the server operator deems necessary for moderation purposes.
  • Panel accounts are retained until manually deleted by a site administrator.
  • Invite tokens expire after {{ invite_expiry_hours }} hours and are never sent to third parties beyond the intended recipient.
  • Server access logs are typically rotated within 30 days.

6. Data Sharing & Third Parties

Data collected by MCLogger is not sold, rented, or shared with third parties. All data remains within the infrastructure controlled by the server operator. No third-party analytics services, advertising networks, or tracking pixels are used.

External resources loaded by the web interface (Bootstrap CSS/JS and Bootstrap Icons) are served from the jsDelivr CDN (cdn.jsdelivr.net). jsDelivr may process your IP address as part of delivering these static files. Please consult jsDelivr's privacy policy for details.

7. Security

MCLogger applies the following technical safeguards:

  • Passwords are hashed with PBKDF2-HMAC-SHA256 (per-user salt + server pepper).
  • Stored database credentials and SMTP credentials are encrypted with Fernet symmetric encryption before being written to the database.
  • CSRF tokens are enforced on all state-changing requests.
  • Security response headers (X-Frame-Options, X-Content-Type-Options, Content-Security-Policy, Referrer-Policy) are set on every response.
  • SMTP connections use STARTTLS.

8. Your Rights (GDPR)

If you are subject to the GDPR you have the following rights:

  • Right of access (Art. 15) — request a copy of your personal data.
  • Right to rectification (Art. 16) — request correction of inaccurate data.
  • Right to erasure (Art. 17) — request deletion of your data ("right to be forgotten").
  • Right to restriction of processing (Art. 18) — request that processing is restricted while a dispute is resolved.
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
  • Right to object (Art. 21) — object to processing based on legitimate interest.
  • Right to withdraw consent (Art. 7(3)) — withdraw any consent you have given at any time.

To exercise any of these rights, please contact: simon@devanturas.net

You also have the right to lodge a complaint with your national data protection supervisory authority.

9. Changes to This Policy

This privacy policy may be updated to reflect changes in the software or applicable law. The "Last updated" date at the top of this page indicates when the most recent revision was made.

Back to Login MCLogger — simon@devanturas.net