Privacy Policy
Effective: 2026-05-27 Last updated: 2026-05-27
The short version
If you use SkriptSuite without an account, we collect almost nothing — anonymous performance metrics, no personal data. If you create an account, we collect the minimum needed to run the service: your email, your Discord or Google identity, your age band, and the content you create. We do not sell your data, we do not run targeted ads, and we do not track you across the web.
This page explains the details.
Who we are
SkriptSuite is operated by Cairn, a sole proprietorship (DBA). When this policy says "we," "us," or "our," that means Cairn and the person behind it.
Contact: https://skriptsuite.com/contact Website: https://skriptsuite.com
SkriptSuite is not affiliated with Mojang Studios, Microsoft Corporation, or the Minecraft brand.
For questions about these terms of service that govern your use of SkriptSuite, see our Terms of Service.
What data we collect
When you use SkriptSuite without an account
We collect no personal data. Specifically:
- We do not require login, registration, or any identifying information to use the editor, browse templates, download `.sk` files, or read guides.
- Vercel Speed Insights collects anonymous performance metrics: page load times (LCP), interaction responsiveness (FID, INP), and layout stability (CLS). These are aggregate, anonymized measurements about how the site performs — not about who you are. No IP addresses, device fingerprints, or user identifiers are collected by Speed Insights.
- We do not use cookies for anonymous users. No third-party trackers, no advertising pixels, no analytics scripts that identify you.
When you create an account
If you choose to create an account (required for community features like commenting, voting, and submitting template forks), we collect:
| Data | Source | Why we need it |
|---|---|---|
| Email address | From your Discord or Google account during OAuth signup | Account identity, password resets, account deletion notifications, and (if you opt in) service announcements |
| Discord user ID, username, and avatar | From Discord OAuth | Display your identity in community features (comments, forks). The Discord user ID is a numeric snowflake — it identifies your Discord account. |
| Google account ID (if you sign up via Google) | From Google OAuth | Alternative authentication path. We store only the Google account identifier, not your Google password or other Google data. |
| Age band | You select during signup: 13–17 / 18–24 / 25–34 / 35+ | We use this to enforce the under-13 account block and to understand our audience demographics in aggregate. We do not store your exact age or date of birth. |
| Display name | You choose during setup | Shown on your comments, forks, and profile |
| Content you create | Your actions on the site | Comments, votes, template forks, and reports you submit. These are stored in our database and displayed on the site per the community features. |
When you buy a paid product
When you buy Pro or Creator Pass we collect your billing country (to calculate tax), a Stripe customer reference, and your transaction records (amount, date, product, tax, and country of purchase). Payments are processed by Stripe — we never see or store your full card number. Lawful bases: performing our contract with you (Art. 6(1)(b)) and meeting legal obligations such as tax record-keeping (Art. 6(1)(c)).
Data we do NOT collect
- Your exact age or date of birth (only age band)
- Your real name (unless you choose it as your display name)
- Your location or IP address for tracking purposes
- Your Minecraft server address, files, or player data
- Payment information directly — Stripe processes payments; see "When you buy a paid product" above.
Why we collect it
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Run your account (login, display identity, send deletion notices) | Email, Discord/Google ID, display name | Contract (Art. 6(1)(b)) — necessary to provide the service you signed up for |
| Display your contributions (comments, forks, votes) | Display name, content you create | Contract (Art. 6(1)(b)) |
| Enforce age restrictions | Age band | Legal obligation (Art. 6(1)(c)) — COPPA compliance |
| Site performance monitoring | Anonymous metrics (LCP, FID, CLS, INP) | Legitimate interest (Art. 6(1)(f)) — keeping the site fast for everyone |
| Respond to reports and enforce acceptable use | Reports, moderation audit logs | Legitimate interest (Art. 6(1)(f)) — platform safety |
| Process payments | Stripe customer ID, transaction records | Contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) — tax records |
Who we share your data with
We do not sell your data. We do not share it with advertisers. We share it only with the services we use to run SkriptSuite:
| Service | Role | What they receive | Their privacy policy |
|---|---|---|---|
| Vercel | Hosting + deployment + Speed Insights | Anonymous performance metrics. Your HTTP requests pass through Vercel's infrastructure (standard for any hosted website). | vercel.com/legal/privacy-policy |
| Supabase | Authentication + database | Account data (email, OAuth identifiers, profile, content). Supabase hosts our database — all account data lives there. | supabase.com/privacy |
| Discord | OAuth sign-in + operational webhooks | During sign-in: your Discord user ID, username, email, and avatar (per OAuth scopes). Operational webhooks send event summaries (new signups, reports filed) to our private Discord channels — these contain display names and action descriptions, not raw user data. | discord.com/privacy |
| Stripe | Payment processing | Payment card details, billing address, transaction records. We do not see or store your full card number — Stripe does. We store only the Stripe customer ID in our database. | stripe.com/privacy |
We may also share data if legally required to (subpoena, court order, law enforcement request). We will notify you if legally permitted to do so.
How long we keep it
| Data type | Retention period | Why |
|---|---|---|
| Account data (email, profile, OAuth identifiers) | Until you delete your account | Your account exists until you say it doesn't |
| Comments, votes, template forks | Until you delete your account (then anonymized or deleted per your choice — see "Deleting your data" below) | Community content |
| Moderation records (reports filed, actions taken) | 2 years after the report is resolved | Needed for appeals, abuse pattern detection, and legal defense |
| Audit logs (account actions: login, link provider, deletion) | 7 years | Regulatory compliance — this is the standard retention period for business records in most jurisdictions |
| Discord webhook event payloads | 30 days (reports) / 90 days (all other events) | Operational observability. Report payloads have shorter retention because they reference third-party content. |
| Anonymous performance metrics (Vercel Speed Insights) | Controlled by Vercel — we do not set the retention | We have no ability to delete these; they are anonymous and aggregated |
Your rights
For everyone
- Access: You can ask us what data we have about you. Contact us and we will provide it.
- Correction: If something is wrong (display name, email after provider change), you can update it in your account settings or ask us to correct it.
- Deletion: You can delete your account at any time. See "Deleting your data" below.
- Export: You can request a copy of your data in a machine-readable format. Email us and we will provide it within 30 days.
Additional rights for EU, UK, and EEA residents
Under the GDPR (and UK GDPR), you also have the right to:
- Restrict processing: Ask us to limit how we use your data while a complaint is being resolved.
- Object to processing: Object to processing based on legitimate interest (e.g., analytics). We will stop unless we can demonstrate compelling legitimate grounds.
- Data portability: Receive your data in a structured, commonly used, machine-readable format and transmit it to another service.
- Lodge a complaint: File a complaint with your local data protection authority. We would prefer you contact us first so we can try to resolve it, but this is your right regardless.
To exercise any of these rights, contact us. GDPR and CCPA data subject requests are accepted through the contact form. We respond within 30 days (or 72 hours for breach notifications, per GDPR Art. 33/34 if applicable).
What happens when you delete your account?
When you request account deletion from your settings, here is exactly what happens:
The 30-day grace period
Your account enters a "pending deletion" state. All sessions are revoked (you are logged out everywhere). We send you an email with a cancel link that is valid for 30 days. If you change your mind, click the link and your account is restored.
After 30 days, the deletion is permanent and irreversible.
What gets deleted
- Your account record (auth credentials, email, OAuth identifiers)
- Your profile (display name, avatar reference)
- Your votes (vote counts on affected templates are recalculated)
- Your workspace data (if applicable)
What gets anonymized
- Comments: The comment text is replaced with "[deleted by user]." Your name is removed. The comment row stays so that reply threads remain coherent for other users.
- Reports you filed: Your reporter identity is removed. The report metadata is retained for up to 2 years for moderation integrity.
- Audit logs: Your user ID is removed from log entries. The log rows are retained for up to 7 years for regulatory compliance.
- Discord webhook event payloads: Any references to your Discord username or user ID are replaced with a redacted placeholder.
What gets retained (and why)
- Audit log rows (anonymized, 7 years) — regulatory compliance requirement.
- Report metadata (anonymized, 2 years) — needed for moderation appeals and abuse pattern detection.
- Billing and tax records — 7 years. When you delete your account we erase your profile and personal data, but tax law requires us to keep records of your purchases — amount, date, product, tax, and country of purchase — for up to 7 years. These records are de-identified from your profile where possible (we remove the Stripe customer reference that links them to you), are used only to meet that legal obligation, and are permanently deleted when the retention period ends. Stripe keeps its own records under its own retention policy. If you have an active Creator Pass when you delete your account, we cancel it first so you are not charged again.
- Your email hash in the ban list (if you were banned) — if your account was banned before deletion, a one-way hash of your email remains in our ban list to prevent re-registration. The hash cannot be reversed to recover your email.
Templates you created
During the deletion process, you choose:
- "Delete my templates too" — your templates and all associated data (versions, votes, comments on them) are deleted.
- "Keep my templates published" (default) — your templates remain live with a "Maintainer: missing" label. Your name is removed.
What we cannot delete
Discord webhook messages that were sent to our private ops channels before your deletion. Those messages live on Discord's servers. We link to Discord's own data deletion process if you want to pursue erasure on their side.
Cookies and tracking
Anonymous users
No cookies. No trackers. No analytics scripts that identify you. Vercel Speed Insights runs without cookies.
Logged-in users
When you log in, Supabase sets a session cookie to keep you authenticated. This is a functional cookie — it exists so you stay logged in, not for tracking. It expires when you log out or when the session times out.
We do not use:
- Third-party advertising cookies
- Cross-site tracking pixels
- Fingerprinting scripts
- Google Analytics or similar user-tracking analytics
Children's privacy
You must be 13 or older to create a SkriptSuite account. We ask for your age band during signup. If you select an age band that indicates you are under 13, the signup process stops and no account is created. No personal data is collected or stored from the blocked signup attempt.
Children under 13 can use the anonymous features of SkriptSuite (editor, templates, guides) without restriction, because those features collect no personal data.
We do not knowingly collect personal information from children under 13. If we learn that we have, we will delete it. If you believe a child under 13 has created an account, contact us.
We do not implement COPPA "verifiable parental consent" — the under-13 hard block is our compliance mechanism. This is a common approach for services that do not target children as a primary audience.
International users
SkriptSuite is operated from the United States. If you are in the EU, UK, EEA, or another jurisdiction with data protection laws, your data is transferred to and processed in the United States.
EU/UK/EEA users
- Your GDPR rights are listed in the "Your rights" section above.
- Data transfers to the US are conducted under standard contractual clauses (SCCs) where required by our sub-processors (Vercel, Supabase, Stripe).
- You have the right to lodge a complaint with your local data protection authority.
Users in other jurisdictions
We aim to respect the data protection laws of all jurisdictions we serve. If your local law grants you rights not listed here, contact us and we will work with you.
Changes to this policy
We can update this policy. When we make material changes — changes to what data we collect, who we share it with, or your rights — we will notify you via email (if you have an account) or a banner on the site at least 14 days before the changes take effect.
Non-material changes (typo fixes, clarifications) may be made without notice.
The "Last updated" date at the top of this page always reflects the most recent revision.
Contact
Privacy questions, data requests, or concerns? Contact us.
For terms of use, see our Terms of Service.