Legal
Privacy Policy
Last updated: June 2026 · Pursuant to GDPR / DSGVO
1. Controller
The controller responsible for data processing within the meaning of the General Data Protection Regulation (GDPR / DSGVO) is: Vortex Interactive (Shenzhen) Co., Ltd., Xinxing Community Workstation, No. 133 Meilin Road, Futian District, Shenzhen, Guangdong 518049, China. Email: [email protected]. You can find full contact details in the Imprint. All references to "Vortex", "we", or "us" refer to this controller.
2. Overview of Data Processed
We process the following categories of personal data: (a) Authentication data — Discord user ID, username, and avatar hash, received via Discord OAuth2 at login; (b) Whitelist data — Roblox user ID, Discord ID, licence tier, and access timestamps; (c) Execution logs — Roblox user ID, script name, server/place ID, timestamp, and anonymised hardware fingerprint, transmitted by the executor at runtime; (d) Technical/server logs — IP addresses, HTTP request paths, user-agent strings, and response codes, collected automatically by our web server; (e) Communication data — messages sent to us via Discord support tickets, to the extent they contain personal data.
3. Legal Basis for Processing
We process your data on the following legal bases under Art. 6 GDPR: (a) Art. 6(1)(b) GDPR — processing is necessary for the performance of the contract (licence agreement) with you, covering authentication, whitelist management, and execution log delivery; (b) Art. 6(1)(f) GDPR — processing is based on our legitimate interests in preventing fraud, abuse, ban evasion, and unauthorised account sharing, and in ensuring the security and integrity of our systems; (c) Art. 6(1)(c) GDPR — processing is necessary to comply with a legal obligation, including retention requirements under German commercial and tax law where applicable.
4. Discord OAuth2
Login is handled via Discord's OAuth2 service. When you authenticate, Discord transmits your user ID, username, and avatar to us. We request only the "identify" scope — we do not access your email address, guild memberships, or messages. Discord's own privacy practices are governed by Discord's Privacy Policy at discord.com/privacy.
5. Cookies & Session Data (§ 25 TTDSG)
We use a single HTTP-only, Secure session cookie to maintain your authenticated state on the dashboard. This cookie is strictly technically necessary for the operation of the Service and is set only after successful login. It expires when you log out or after a maximum session lifetime of 7 days. Because this cookie is strictly necessary, it does not require your consent pursuant to § 25 Abs. 2 Nr. 2 TTDSG. No advertising, analytics, tracking, or third-party cookies of any kind are used on this website. No cookie banner is displayed as no consent-based cookies are in use.
6. Data Retention
We retain data only for as long as necessary for the stated purpose or as required by law. Specifically: Authentication and whitelist data are retained for the duration of your active licence and for 6 months thereafter, to allow for dispute resolution and licence-related enquiries. Execution logs are retained for a maximum of 12 months, after which they are deleted or anonymised — unless a specific security investigation is open (see Section 7). Technical server logs are retained for 90 days for security monitoring, then deleted. Communication data (support tickets) is retained for 12 months after the ticket is closed. No category of data is retained indefinitely under normal circumstances.
7. Security Investigations & Abuse Prevention
Where we have documented, specific grounds to believe that a user has committed or is committing a material breach of our Terms — including account sharing, ban evasion, chargeback fraud, or unauthorised redistribution — we may retain all associated personal data for the duration of the investigation and for up to 24 months thereafter. The legal basis for this extended retention is Art. 6(1)(f) GDPR (legitimate interest in protecting the integrity of our systems and recovering damages). We will inform the affected person of this retention where legally permissible and unless doing so would compromise the investigation.
8. Data Sharing & Third Parties
We do not sell your personal data. We share data only in the following circumstances: (a) Payment processors — purchase data is transmitted to our payment provider to process transactions; their privacy practices are governed by their own policies; (b) Discord — OAuth2 data is transmitted to/from Discord as described above; (c) Legal obligation — we may disclose data if required to do so by applicable law, court order, or at the request of competent authorities; (d) Service providers — we may engage processors (e.g. hosting providers) who process data on our behalf under a data processing agreement pursuant to Art. 28 GDPR.
9. International Data Transfers (Art. 44–49 GDPR)
Vortex Interactive is headquartered in the People's Republic of China. China has not received an adequacy decision from the European Commission under Art. 45 GDPR. Where personal data of EEA residents is transferred to and processed by Vortex Interactive in China, such transfers are carried out on the basis of Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to Art. 46(2)(c) GDPR, supplemented by appropriate technical and organisational measures to ensure an equivalent level of data protection. You may request a copy of the applicable SCCs by contacting us at [email protected]. Discord (United States) and our payment processors may also receive data; transfers to the US are similarly based on SCCs or other appropriate safeguards under Art. 46 GDPR.
10. Data Security
All data is transmitted encrypted over TLS 1.2 or higher. Access to production systems and databases is restricted to authorised personnel and protected by authentication controls. We apply technical and organisational measures appropriate to the risk in accordance with Art. 32 GDPR. We cannot, however, guarantee absolute security of any transmission over the Internet.
11. Automated Decision-Making (Art. 22 GDPR)
Certain decisions affecting your access to the Service are made in a fully or partially automated manner. Specifically: (a) Whitelist access — upon purchase, access is granted automatically based on your Discord ID and Roblox user ID without human review; (b) Access revocation — our systems automatically flag and may revoke access in cases of detected ban evasion, concurrent logins from multiple hardware identifiers, or other automated abuse signals. Where automated revocation has a significant effect on you, you have the right to request human review of the decision by contacting us at [email protected]. We will review and respond within 14 days.
12. Your Rights Under GDPR
You have the following rights regarding your personal data: Right of access (Art. 15 GDPR) — you may request a copy of the data we hold about you. Right to rectification (Art. 16 GDPR) — you may request correction of inaccurate data. Right to erasure (Art. 17 GDPR) — you may request deletion of your data, subject to our retention obligations and legitimate interests described above. Right to restriction (Art. 18 GDPR) — you may request that we restrict processing in certain circumstances. Right to data portability (Art. 20 GDPR) — you may request a machine-readable copy of data you have provided to us. Right to object (Art. 21 GDPR) — you may object to processing based on legitimate interests; we will cease processing unless we can demonstrate compelling legitimate grounds. To exercise any of these rights, please contact us via Discord support ticket or via the email address in the Imprint. We will respond within one month (Art. 12 GDPR). Please note: deletion of your account data results in immediate and permanent revocation of service access without refund.
13. Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority (Aufsichtsbehörde) pursuant to Art. 77 GDPR if you believe that the processing of your personal data infringes the GDPR. The competent supervisory authority in Germany depends on your federal state of residence. A list of German supervisory authorities is available at bfdi.bund.de. You may also contact the supervisory authority in your country of residence within the EU.
14. Children
Our Service is not directed at children under 16. We do not knowingly collect personal data from persons under 16 without verifiable parental consent. If we become aware that we have collected data from a child under 16 without such consent, we will delete it without delay.
15. Changes to This Policy
We may update this Privacy Policy periodically. The current version is always available at getvortex.vip/privacy. For material changes affecting your rights, we will provide notice via our Discord server. Continued use of the Service after a policy update constitutes acceptance of the revised Policy.
16. Contact
For all data protection enquiries, please contact us via the email address listed in the Imprint or open a support ticket at discord.gg/getvortex.