Privacy Policy
Last updated: 2026-05-14
This policy explains what personal data Xenoware (“we”) collects about users of xenoware.xyz and the Xenoware launcher (collectively, “the Service”), why we collect it, and what rights you have over it. We try to keep the data we hold about you to the minimum needed to run the Service.
1. Who we are
The Service is operated by the Xenoware team. For privacy enquiries, contact privacy@xenoware.xyz.
2. What we collect
From account creation
- Email address - used for sign-in and transactional email (verification, password reset, expiry warnings).
- Username + display name - used on the forum and in the dashboard.
- Password - stored only as a salted hash (bcrypt-family). We never see your plaintext password.
From the launcher
- HWID - a SHA-256 hash of your machine's SMBIOS UUID, primary disk volume serial, and primary MAC address. The raw inputs never leave your machine; we receive and store only the resulting hash. The hash binds your subscription to a specific machine to prevent account sharing.
- IP address - recorded on every authentication event for abuse detection, rate-limit enforcement, and audit logging.
- User-agent / launcher version - recorded for compatibility debugging.
- Refresh token - generated server-side on login and stored on your device (DPAPI-encrypted on Windows, tied to your Windows user account). On our side we store only a SHA-256 hash of the token, so we can never recover the value to impersonate you.
From payments
- Card payments (Stripe): we never receive your card details. Stripe gives us the payment intent ID and a confirmation event; that's all we store. Their privacy policy applies to the card data itself - see stripe.com/privacy.
- Crypto payments (CoinRemitter): invoice ID, coin symbol, and confirmation status. We do not receive your wallet address beyond what is necessary to verify payment.
- Skin payments (AssetPay): your Steam ID 64, your Steam trade URL, and the trade UUID + item references for each deposit. AssetPay's privacy policy applies to data shared with them.
Cookies
We use a small number of strictly-necessary cookies for authentication (the Better Auth session cookie, HttpOnly and SameSite=Lax). We do not use advertising, analytics, or third-party tracking cookies. We do not place any cookies before you sign in.
3. Why we collect it (lawful basis)
For EU residents, our lawful bases under GDPR Article 6(1) are:
- Contract performance (6(1)(b)) - account, license, HWID binding, payment processing.
- Legitimate interests (6(1)(f)) - fraud and abuse prevention (rate limiting, audit logs, HWID verification), security incident response, watermarking of distributed binaries.
- Legal obligation (6(1)(c)) - retention of payment records for tax and accounting compliance.
4. Who we share data with
We use the following processors. Each has its own privacy policy:
- Stripe - card payment processing. Policy.
- CoinRemitter - crypto payment processing.
- AssetPay - Steam skin payment processing.
- Resend - transactional email delivery. Policy.
- Supabase (EU region) - managed Postgres for our application database. Policy.
- Vercel - web hosting + edge network. Policy.
We do not sell your personal data, ever. We do not share data with advertisers or analytics brokers.
5. International transfers
Some of the processors above (Stripe, Vercel) operate infrastructure outside the EU. Where data is transferred outside the European Economic Area, the transfer is covered by Standard Contractual Clauses or an equivalent legal mechanism. Supabase primary storage is configured to an EU region.
6. How long we keep data
- Account, subscription, and license records: for as long as your account exists, plus up to 12 months after deletion for fraud-investigation purposes.
- Payment records: 10 years, as required by applicable tax and accounting law.
- Authentication logs (login events, IP, HWID): 12 months rolling.
- Webhook payloads (Stripe, CoinRemitter, AssetPay): 18 months rolling.
- Server logs: 14 days rolling.
- Local launcher log (xenoware.log on your machine): capped at 2 MB and deleted on clean engine exit unless XW_KEEP_LOG=1 is set.
7. Your rights
If you live in the EU/EEA/UK, you have the right to:
- access the personal data we hold about you;
- correct inaccurate data;
- delete your account and associated data (subject to legal retention requirements for payment records);
- receive your data in a portable format;
- object to or restrict processing based on legitimate interests;
- lodge a complaint with your local data-protection authority (Lithuania: vdai.lrv.lt).
To exercise any of these rights, email privacy@xenoware.xyz from the email address on your account. We respond within 30 days as required by GDPR.
8. Security
We use industry-standard technical and organisational measures to protect your data, including TLS in transit, encrypted database connections, hashed credentials, scoped service-role keys, row-level security on application tables, rate limiting on authentication endpoints, and per-download watermarking of distributed binaries. No system is perfectly secure; if we ever experience a breach affecting your data, we will notify you and the relevant authorities as required by law.
9. Children
The Service is not intended for, and we do not knowingly collect data from, children under 18. If we learn that a child has created an account, we will close it.
10. Changes to this policy
We may update this policy from time to time. The “Last updated” date at the top reflects the most recent change. Material changes will be notified by email to the address on your account.
