Privacy Policy
How Carbon Stealth VCC collects, uses, stores, and protects personal data under the EU General Data Protection Regulation. Plain-language, no dark patterns.
Who we are
Carbon Stealth VCC (hereinafter "Carbon Stealth", "we", "us") is a limited company registered in Bulgaria (EIK BG208725180), with registered office at ul. Samuil 3, Bobov Dol 2670, Bulgaria, and operational staff based in Milan, Italy.
For the purposes of the EU General Data Protection Regulation (GDPR, Regulation 2016/679), the Bulgarian Personal Data Protection Act, and the Italian Personal Data Protection Code (d.lgs. 196/2003 as amended by d.lgs. 101/2018), Carbon Stealth VCC is the Data Controller for personal data processed through the Carbon Stealth Anticheat product, the carbonstealth.eu website, and any managed-tier panel we operate on your behalf.
Data Controller
- ENTITY: Carbon Stealth VCC
- EIK / VAT: BG208725180
- REGISTERED OFFICE: ul. Samuil 3, Bobov Dol 2670, Bulgaria
- OPERATIONS: Milan, Italy
- DPO / PRIVACY: dpo@carbonstealth.eu
- GENERAL: support@carbonstealth.eu
What data we collect
2.1 Data collected via the Carbon Stealth scanner (end-user machine)
When a player runs the Carbon Stealth scanner on their machine (with explicit consent — see §4), the scanner inspects local system state to detect cheat software. The inspection is scoped to the following categories of data, each of which is read only to the extent necessary to produce a cheat-detection verdict. Only findings that match a detection rule — plus the minimal context needed for the operator to evaluate them — are submitted; everything else is discarded locally.
- Device fingerprint — a non-reversible hash derived from hardware identifiers (disk, network adapter, motherboard). Used only to correlate multiple scans of the same machine.
- Operating-system environment — OS name, version, and architecture, for scan scoping.
- Live process state — enumeration of currently running processes, modules loaded into supported game processes, and active network connections, compared against internal detection rules. Full process metadata is captured only for processes that match a rule.
- System configuration state — selected registry locations and file-system paths associated with known cheat installation patterns.
- Persistent system artefacts — OS housekeeping records that evidence recent or historical software execution. These are inspected to identify evidence of cheat software that has been used on the machine in the past and subsequently removed or concealed. Content extracted is limited to matches against internal detection rules.
- External-service interaction evidence — signals indicating prior interaction with distribution or command-and-control infrastructure known to be used by cheat vendors. Matching is against an internal curated list; other traffic and browsing history are not inspected.
- Scan metadata — timestamp, scan identifier, scanner version.
What we do NOT collect: personal documents, chat messages, email contents, stored passwords, credit-card numbers, cryptocurrency wallets, keystrokes, clipboard contents, screenshots, audio, or video. No browsing activity or network traffic is inspected other than the specific matches described above. No kernel driver is installed. The scanner does not run persistently in the background — it executes a single scan and exits.
For a detailed, version-specific technical inventory of inspection rules (provided under mutual NDA to operators and enterprise customers for procurement review), contact dpo@carbonstealth.eu.
2.2 Data collected via the Carbon Stealth Panel (operator)
When you create an operator account on a Carbon Stealth panel (self-hosted or managed), we collect:
- Account details — username, email, hashed password (bcrypt, cost 12), creation timestamp.
- Session metadata — IP address and user agent, retained for 24 hours together with the per-session CSRF token, for session integrity and rate-limiting.
- Login events — IP + timestamp, retained 30 days for security audit.
- Uploaded scan reports — the signed JSON bundle produced by each scanner, stored in SQLite (self-hosted) or PostgreSQL (managed).
2.3 Data from payment processors
If you subscribe to a paid tier, Stripe Payments Europe Ltd. processes your payment and shares with us: cardholder name, billing country, last four digits of the card, transaction amount, subscription status. Your full card number, CVC, and authentication credentials are handled exclusively by Stripe under their privacy policy (stripe.com/privacy).
Why we collect it
| DATA CATEGORY | PURPOSE | LEGAL BASIS (GDPR ART. 6) |
|---|---|---|
| Scanner findings | Detect cheating software for the server operator that requested the scan | Art. 6(1)(a) — explicit consent, obtained at each scan via in-scanner EULA |
| Operator account (email, password) | Provide access to the management panel | Art. 6(1)(b) — performance of a contract |
| Session IP & user agent | Session integrity, CSRF protection, rate-limiting | Art. 6(1)(f) — legitimate interest in security |
| Payment details | Process subscriptions | Art. 6(1)(b) — contract execution |
| Analytics (aggregated, anonymised) | Product improvement | Art. 6(1)(a) — consent via cookie banner |
Legal basis & consent
The Carbon Stealth scanner never executes a scan without the end user's explicit, informed consent. On every launch, the scanner presents a plain-language EULA dialog (see Scanner EULA) describing what will be inspected, the purpose, and the retention period. The user must click "I accept" to proceed. Consent is freely given, specific, informed, and unambiguous as required by GDPR Art. 4(11) and Art. 7.
You may withdraw consent at any time by declining a scan or by contacting the data controller that requested the scan. Withdrawal does not affect the lawfulness of processing that occurred before the withdrawal.
How long we keep data
| DATA CATEGORY | RETENTION | AFTER RETENTION |
|---|---|---|
| Scan reports (self-hosted) | Controlled by server operator | Operator's responsibility |
| Scan reports (managed Operator tier) | 365 days from upload, or until the operator account is closed, whichever comes first | Permanent deletion within 30 days |
| Session IP / CSRF token | 24 hours | Automatic deletion |
| Login audit log | 30 days | Automatic deletion |
| Operator account | Account life + 30 days | Permanent deletion |
| Payment records | 10 years, as required by BG/IT accounting law | Deleted at the end of the statutory period |
| Analytics (no PII) | Rolling 26 months | Automatic deletion |
Who we share with
We do not sell personal data. We do not share personal data except for the following service providers bound by data-processing agreements (DPAs):
- Stripe Payments Europe Ltd. (payments) — Dublin, Ireland. EU processor. Privacy policy: stripe.com/privacy.
- Hetzner Online GmbH (hosting — managed tier) — Gunzenhausen, Germany. EU processor. ISO 27001 certified.
- Google Fonts — loaded from fonts.googleapis.com. Google receives the referrer URL and your IP address. SCCs in place.
- Server operators — when you run Carbon Stealth as a scanner user, the operator who requested the scan receives your scan report and becomes an independent controller for that report.
- Law enforcement — only where compelled by a valid court order under EU law.
No advertising networks. No retargeting pixels. No cross-site tracking.
International data transfers
Primary storage is in the European Union (Hetzner Germany, managed tier). Stripe operates from Ireland. Google Fonts is served from a global CDN; where a transfer outside the EEA is necessary, Google relies on the European Commission's Standard Contractual Clauses (SCCs, Decision 2021/914). No transfer to a country without an adequacy decision occurs without appropriate safeguards.
Your rights under GDPR
Under Articles 12–22 GDPR you have the following rights:
- Right of access (Art. 15) — request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — correct inaccurate or incomplete data.
- Right to erasure (Art. 17) — "right to be forgotten".
- Right to restrict processing (Art. 18) — pause processing in specific circumstances.
- Right to data portability (Art. 20) — receive your data in a machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interest.
- Right to withdraw consent (Art. 7(3)) — at any time, for consent-based processing.
- Right to lodge a complaint (Art. 77) — with your local supervisory authority (in Bulgaria: KZLD; in Italy: Garante Privacy).
To exercise any of these rights email dpo@carbonstealth.eu. We respond within 30 days (extendable by 60 days — Art. 12(3)). No fee is charged unless requests are manifestly unfounded or excessive (Art. 12(5)).
Security measures
We apply appropriate technical and organisational measures under Art. 32 GDPR:
- Encryption in transit — TLS 1.3 enforced on all endpoints, HSTS preload.
- Encryption at rest — server disks LUKS-encrypted; DB column-level encryption for sensitive fields.
- Password storage — bcrypt (cost 12), which derives a random per-user salt as part of the hash. Plain-text passwords are never persisted to disk, logs, or crash dumps.
- Report integrity — every scan report carries an HMAC-SHA256 tag computed at source; the panel recomputes and checks the tag before storing the report and discards any bundle that fails verification.
- Access controls — role-based (user / staff / admin / master), mandatory 2FA for admin.
- Audit logs — all admin actions logged with 30-day retention.
- Backups — daily encrypted snapshots, 30-day rolling retention, tested quarterly.
- Breach notification — supervisory authority notified within 72 hours per Art. 33.
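The report-integrity check above, shown as an added example; this is not Carbon Stealth's own code, and the bundle layout, the field name `tag`, the sample report and the key are all constructed for illustration. The points it makes are the ones a panel implementer has to get right: the MAC must be computed over a canonical serialisation of the JSON (otherwise a re-serialised but identical report fails), the comparison must be constant-time, and a bundle with no tag is a failure, not a pass. Because HMAC is a shared-key MAC, a valid tag proves only that a holder of the key produced the bundle; how the key is provisioned to the scanner is outside this example.

```python
"""Added example (not Carbon Stealth code): HMAC-SHA256 tagging of a scan
report and verification before the panel stores it.

Assumptions, stated as such: the bundle layout, the field name "tag", the
sample report and KEY are hypothetical and constructed for this example.
"""
import hashlib
import hmac
import json

# Constructed key for the example; real key provisioning is out of scope.
KEY = b"example-key-do-not-use"

# Constructed sample report; not real scanner output.
SAMPLE_REPORT = {
    "scan_id": "c0ffee-0001",
    "scanner_version": "0.0.0-example",
    "timestamp": "2024-01-01T12:00:00Z",
    "os": {"name": "Windows", "version": "10.0", "arch": "x64"},
    "findings": [{"rule": "EXAMPLE-RULE-1", "process": "example.exe"}],
}


def canonical_bytes(report: dict) -> bytes:
    # A MAC over JSON only works if both sides serialise identically:
    # sorted keys, fixed separators, ASCII-only output.
    return json.dumps(
        report, sort_keys=True, separators=(",", ":"), ensure_ascii=True
    ).encode("utf-8")


def tag_report(report: dict, key: bytes) -> dict:
    """Return a copy of the report with an HMAC-SHA256 tag over its body."""
    body = {k: v for k, v in report.items() if k != "tag"}
    tag = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


def verify_report(bundle: dict, key: bytes) -> bool:
    """True only if the bundle carries a tag matching its canonical body."""
    tag = bundle.get("tag")
    if not isinstance(tag, str):
        return False  # untagged bundle: reject, never treat as valid
    body = {k: v for k, v in bundle.items() if k != "tag"}
    expected = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not leak tag prefixes.
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Exercise the accept/reject paths a panel has to handle."""
    signed = tag_report(SAMPLE_REPORT, KEY)
    # Same content, different key order: canonicalisation makes this verify.
    reordered = {k: signed[k] for k in sorted(signed, reverse=True)}
    # Findings stripped after tagging: must be rejected.
    tampered = dict(signed, findings=[])
    return {
        "valid": verify_report(signed, KEY),
        "reordered": verify_report(reordered, KEY),
        "tampered": verify_report(tampered, KEY),
        "wrong_key": verify_report(signed, b"other-key"),
        "untagged": verify_report(SAMPLE_REPORT, KEY),
    }


if __name__ == "__main__":
    print(demo())
```

On a SQLite or PostgreSQL-backed panel the natural place for `verify_report` is the upload handler, before any row is written, so that a rejected bundle never reaches the data the retention table above applies to.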
Children under 16
Carbon Stealth is intended for use by adults and by teenagers aged 16 or older with parental consent. We do not knowingly process personal data of children under 16 without verified parental consent, consistent with Art. 8 GDPR. If you believe we have collected data of a minor in error, contact dpo@carbonstealth.eu and we will delete it within 72 hours.
Changes to this policy
We may update this Privacy Policy to reflect product or legal changes. Material changes will be announced on carbonstealth.eu and via email to operator accounts at least 30 days before taking effect.
Contact
Privacy & GDPR requests
- DPO EMAIL: dpo@carbonstealth.eu
- POSTAL: Carbon Stealth VCC · Attn: Data Protection, ul. Samuil 3, Bobov Dol 2670, Bulgaria
- RESPONSE SLA: 30 days (extendable by 60 days for complex requests)
- BG AUTHORITY: Commission for Personal Data Protection (KZLD) · cpdp.bg
- IT AUTHORITY: Garante per la Protezione dei Dati Personali · garanteprivacy.it