Legal

Privacy Policy

Last updated: July 9, 2026

1. Introduction

Control ("we", "our", "us") operates the Control FiveM anti-cheat platform at control.vaeliex.com. This Privacy Policy explains what personal data we collect, how we use it, and your rights. By using our Service, you agree to this policy.

2. Data Controller

Control is the data controller for personal data processed through the Service. Contact: privacy@control.vaeliex.com. Our EU representative (if applicable): Control EU, Berlin, Germany.

3. Data We Collect

We collect only data necessary for the Service: **Account Data** (provided by you): - Email address, name (for account creation) - Organization name, billing address (for invoicing) - Payment details (processed by Stripe/PayPal; we store only last 4 digits) **Organization & Server Data** (generated by use): - Organization name, slug, owner - License keys (hashed with SHA-256 in database; full key shown once at creation) - Server metadata: server name, server identifier (hash), CFX project name, IP hash, player count, resource version, last heartbeat timestamp - License validation logs: timestamp, result, server ID **Security Events** (generated by anti-cheat resource): - Detection type, severity (LOW/MEDIUM/HIGH/CRITICAL) - Player identifiers: FiveM license identifier, Steam hex, IP hash, Discord ID (if linked by server) - Detection metadata: coordinates, values, timestamps, evidence hashes - Ban records: issuer, reason, duration, evidence references **Audit Logs** (admin actions): - Actor user ID, action, target type/ID, timestamp, metadata **Analytics** (optional, opt-out available): - Dashboard usage, feature adoption, performance metrics (no PII)

4. What We Do NOT Collect

We explicitly do NOT collect unless part of a security event: - Player real names, email addresses, phone numbers - Discord messages, chat logs, voice data - Steam profile details beyond hex ID - Credit card numbers (processed by payment provider) - Biometric data, location tracking, device fingerprints - Any data not listed in Section 3

5. Legal Basis (GDPR)

Processing is based on: - **Contract performance** (Art. 6(1)(b)): Account, licensing, server management - **Legitimate interest** (Art. 6(1)(f)): Security events, fraud prevention, service improvement - **Legal obligation** (Art. 6(1)(c)): Billing records, legal requests - **Consent** (Art. 6(1)(a)): Analytics cookies, marketing emails (opt-in)

6. How We Use Your Data

• Provide and maintain the Service (license validation, heartbeats, dashboard) • Detect and prevent cheating on your servers • Send service-related communications (billing, security alerts, updates) • Improve detection algorithms (aggregated, anonymized security events) • Comply with legal obligations and respond to lawful requests • Bill and process payments (via processors)

7. Data Sharing

We do not sell personal data. We share only with: - **Subprocessors**: Neon (database, AWS us-east-1), Vercel (hosting, AWS), Stripe/PayPal (payments), SendGrid (transactional email). All have DPAs and SCCs. - **Your Organization**: Admins/members see org data per role. - **Legal Authorities**: When required by law (valid subpoena, court order). - **Business Transfers**: In merger/acquisition, data transfers with notice. We do NOT share security events or player identifiers with other organizations, FiveM, or third parties.

8. International Transfers

Data is stored in AWS us-east-1 (Virginia, USA). For EU/UK users, transfers rely on Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework. You may request EU-only storage (Enterprise plan).

9. Data Retention

• Account data: Until account deletion + 30 days • Billing records: 7 years (tax law) • License/Server metadata: Plan-based (Starter 30d, Pro 1yr, Enterprise unlimited) • Security events: Same as license retention • Audit logs: 2 years minimum • Analytics: 13 months (opt-out available) After retention, data is deleted or irreversibly anonymized.

10. Your Rights

Under GDPR/CCPA/UK DPA, you have the right to: - **Access**: Request a copy of your data - **Rectification**: Correct inaccurate data - **Erasure**: Delete your account and personal data (security events anonymized) - **Restriction**: Limit processing - **Portability**: Receive data in machine-readable format - **Object**: Object to legitimate interest processing - **Withdraw Consent**: For analytics/marketing Submit requests via dashboard → Settings → Privacy or email privacy@control.vaeliex.com. We respond within 30 days.

11. Security Measures

• TLS 1.3 for all API/dashboard traffic • AES-256 encryption at rest (Neon managed) • SHA-256 hashing for license keys in database • Bcrypt (cost 12) for passwords • JWT tokens (RS256) for API auth • Rate limiting on all public endpoints • Regular penetration testing (annual) • SOC 2 Type II infrastructure (Neon, Vercel) • Incident response plan with 72-hour breach notification

12. Children's Privacy

The Service is not directed to children under 18. We do not knowingly collect data from minors. If you believe a child has provided data, contact us for immediate deletion.

13. Changes to This Policy

We may update this policy. Material changes: 30-day notice via email and dashboard banner. Continued use after changes constitutes acceptance. Version history available in dashboard.

14. Contact

Data Protection Officer: dpo@control.vaeliex.com Privacy Team: privacy@control.vaeliex.com Postal: Control Privacy, 123 Tech St, San Francisco, CA 94105, USA

Have questions about these terms? Contact our legal team