Privacy Policy
Last updated: March 19, 2026
1. Introduction
Rawframe ("we", "us", or "our") operates the rawframe.net website, api.rawframe.net API, the Rawframe game engine, Mod Market, multiplayer server infrastructure, and related services (collectively, the "Platform"). This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you interact with any part of the Platform.
Rawframe is operated from Turkey and serves users globally. We are committed to protecting your privacy in accordance with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), Turkey's Personal Data Protection Law (KVKK, Law No. 6698), and other applicable data protection legislation.
By using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices, please do not use the Platform. For questions or concerns, contact us at legal@rawframe.net.
2. Information We Collect
2.1 Information You Provide
- Account Information: Username, email address, password (stored as a bcrypt hash — we never store your plaintext password), display name, bio, and avatar image.
- Social Links: Optional Discord, Twitter/X, and GitHub handles you add to your profile.
- Profile Data: Your numeric user ID, account role, verified status, and account creation date.
- Payment Information: When you make a purchase, we store your Stripe customer ID, subscription status, and purchase history. We do not store your credit card number, CVV, or full card details — all payment card data is processed and stored exclusively by Stripe, which is PCI DSS Level 1 compliant.
- User Content: Mods you upload, servers you create and list, reviews you write, screenshots you share, blog comments you post, and collections you curate.
- Social Interactions: Your friend list, follow list, direct messages (DMs), badges earned, and collection memberships.
- Reports & Communications: Content reports you submit (including reporter ID, target, and reason), support requests, and any other communications you send to us.
2.2 Information Collected Automatically
- IP Address: Collected for rate limiting, security (detecting abuse, preventing brute-force attacks), and multiplayer server connections. IP addresses are logged alongside server heartbeat data when you host or connect to game servers.
- User Agent: Your browser or client user agent string, used for compatibility and security analysis.
- Preferences: Your locale (language) and theme (dark/light mode) settings, stored locally on your device.
- Analytics: Anonymous page view counts. We do not use third-party trackers, Google Analytics, or any advertising-related analytics on the frontend.
- Notification Data: Notification history and read/unread status for your in-platform notifications.
- Server Heartbeat Data: When you operate a game server, we collect server name, host IP, port, player count, region, and gamemode for the server browser listing.
2.3 Information from Third Parties
- Discord OAuth: If you link your Discord account or sign in via Discord, we receive your Discord user ID and username from Discord's API.
- Google OAuth: If you sign in via Google, we receive your Google user ID and email address from Google's API.
We only request the minimum scopes necessary for authentication. We do not access your contacts, messages, or other private data from these providers.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Account Management: To create and maintain your account, authenticate your identity, and enable account recovery (password reset emails).
- Platform Services: To provide core platform functionality including the Mod Market, server browser, multiplayer connections, direct messaging, and social features.
- Payment Processing: To process purchases, manage subscriptions, handle refunds, and generate purchase receipts.
- Content Delivery: To host, display, and distribute mods, reviews, screenshots, and other user-generated content across the Platform.
- Multiplayer Networking: To enable real-time multiplayer connections between players and game servers, including IP-based server routing.
- Security & Abuse Prevention: To detect and prevent fraud, abuse, unauthorized access, and other security threats through IP logging, rate limiting, and ban enforcement.
- Content Moderation: To review reported content, enforce community guidelines, and maintain a safe platform environment.
- Communications: To send you essential platform notifications, password reset emails, security alerts, and important service updates.
- Analytics & Improvement: To understand how the Platform is used (through anonymous, aggregated data) and to improve our services, performance, and user experience.
- Legal Compliance: To comply with applicable laws, regulations, and legal processes, including tax obligations and law enforcement requests.
- Audit & Accountability: To log administrative actions (actor, action, target, timestamp) for internal accountability and security auditing.
4. Legal Basis for Processing (GDPR)
Under the GDPR (Article 6), we process your personal data based on the following legal grounds:
| Data Category | Legal Basis | GDPR Article |
|---|---|---|
| Account creation & management | Performance of contract | Art. 6(1)(b) |
| Payment processing | Performance of contract | Art. 6(1)(b) |
| Multiplayer networking (IP sharing) | Performance of contract | Art. 6(1)(b) |
| OAuth login (Discord, Google) | Consent | Art. 6(1)(a) |
| Optional social links (Discord/Twitter/GitHub) | Consent | Art. 6(1)(a) |
| Security logging (IP, user agent) | Legitimate interest | Art. 6(1)(f) |
| Rate limiting & abuse prevention | Legitimate interest | Art. 6(1)(f) |
| Content moderation & reports | Legitimate interest | Art. 6(1)(f) |
| Anonymous analytics | Legitimate interest | Art. 6(1)(f) |
| Administrative audit logs | Legitimate interest | Art. 6(1)(f) |
| Purchase records retention (7 years) | Legal obligation (tax law) | Art. 6(1)(c) |
| Law enforcement disclosure | Legal obligation | Art. 6(1)(c) |
Where we rely on legitimate interest, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. You may object to processing based on legitimate interest at any time by contacting legal@rawframe.net.
Where we rely on consent, you may withdraw your consent at any time through your account settings or by contacting us. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
6. Data Sharing & Disclosure
We do not sell your personal data. We have never sold personal data and will never do so.
We may share your data in the following limited, specific circumstances:
- Server Operators: When you connect to a multiplayer game server, your IP address is transmitted to the server operator as a technical requirement of peer-to-peer and client-server networking. Rawframe operates on a safe harbor model: we provide the multiplayer infrastructure, but individual server operators are responsible for their own data handling practices on their servers.
- Public Profile Data: Your username, display name, avatar, published mods, reviews, screenshots, and badge list are publicly visible on the Platform. You control what optional information (bio, social links) appears on your profile.
- Stripe (Payment Processing): When you make a purchase, your payment information is processed by Stripe, which acts as an independent data controller for payment card data. Stripe is PCI DSS Level 1 compliant.
- Cloudflare (Hosting & CDN): Our website and API are served through Cloudflare, which processes HTTP requests and stores uploaded files (such as mod assets and avatars) in Cloudflare R2 storage. Cloudflare acts as a data processor on our behalf.
- OAuth Providers (Discord, Google): When you choose to sign in via Discord or Google, an authorization code is exchanged with the respective provider's API. We receive only the minimum profile data necessary for authentication (user ID and username/email). We do not share your Rawframe data back to these providers.
- SMTP Provider (Email): Your email address is shared with our email service provider for the sole purpose of delivering password reset emails, security notifications, and essential platform communications.
- Law Enforcement & Legal Requirements: We may disclose personal data when we believe in good faith that disclosure is necessary to comply with applicable law, regulation, legal process, or enforceable governmental request; to enforce our Terms of Service; or to protect the safety, rights, or property of Rawframe, our users, or the public.
7. International Data Transfers
Rawframe is operated from Turkey. Your personal data may be transferred to and processed in countries outside your country of residence, including:
- European Union: Cloudflare operates data centers within the EU. Where technically feasible, requests from EU-based users are processed within the EU.
- United States: Stripe's payment processing infrastructure is based in the United States. Cloudflare also maintains data centers in the US.
- Turkey: Our primary infrastructure and databases are located in Turkey.
For transfers to countries that the European Commission has not recognized as providing an adequate level of data protection, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms. Our third-party processors (Stripe, Cloudflare) maintain their own SCC agreements and data processing addenda.
Under KVKK, cross-border transfers are conducted in accordance with Article 9, with appropriate safeguards in place including contractual commitments from our data processors.
8. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Our specific retention periods are:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data (profile, content, social) | Until you request deletion + 30-day grace period | Service provision; grace period for accidental deletion recovery |
| Deleted account data | Anonymized after 30 days | After the grace period, personal data is irreversibly anonymized or deleted |
| Database backups | 90 days | Disaster recovery and data integrity |
| IP address logs | 90 days | Security analysis and abuse prevention |
| Purchase records | 7 years | Tax law compliance (Turkish Tax Procedure Law, EU VAT Directive) |
| Audit logs (admin actions) | 2 years | Internal accountability and security |
When data reaches the end of its retention period, it is either securely deleted or irreversibly anonymized so that it can no longer be associated with any individual.
9. Your Rights
Depending on your location, you have specific rights regarding your personal data. We honor these rights regardless of where you are located, to the extent technically feasible and not in conflict with legal obligations.
9.1 GDPR Rights (EU/EEA Residents)
Under the General Data Protection Regulation, you have the right to:
- Access — Request a copy of the personal data we hold about you (Art. 15).
- Rectification — Request correction of inaccurate or incomplete data (Art. 16).
- Erasure — Request deletion of your personal data ("right to be forgotten") (Art. 17).
- Restrict Processing — Request that we limit how we process your data in certain circumstances (Art. 18).
- Data Portability — Receive your data in a structured, commonly used, machine-readable format (Art. 20).
- Object — Object to processing based on legitimate interest, including profiling (Art. 21).
- Withdraw Consent — Withdraw consent at any time where processing is based on consent (Art. 7(3)).
- Lodge a Complaint — File a complaint with your local Data Protection Authority (DPA).
9.2 UK GDPR Rights (UK Residents)
UK residents enjoy the same rights as listed above under the UK GDPR. You may lodge a complaint with the Information Commissioner's Office (ICO).
9.3 CCPA Rights (California Residents)
Under the California Consumer Privacy Act, California residents have the right to:
- Right to Know — Request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to Delete — Request deletion of your personal information, subject to certain exceptions.
- Right to Opt-Out of Sale — We do not sell your personal information and have never done so. No opt-out action is required.
- Right to Non-Discrimination — We will not discriminate against you for exercising any of your CCPA rights.
9.4 KVKK Rights (Turkey Residents)
Under Turkey's Personal Data Protection Law (KVKK, Law No. 6698), you have rights equivalent to the GDPR, including the right to learn whether your data is being processed, request information about processing, learn the purpose of processing, know third parties to whom your data has been transferred, request correction of incomplete or inaccurate data, request deletion or destruction of your data, object to adverse results arising from automated analysis, and claim compensation for damages due to unlawful processing.
Rawframe will complete VERBİS (Data Controllers Registry Information System) registration as required by KVKK. You may exercise your KVKK rights by contacting us at legal@rawframe.net.
9.5 How to Exercise Your Rights
You can exercise your privacy rights through any of the following channels:
- Email: legal@rawframe.net — for formal data subject requests (access, deletion, portability, objection).
- Account Settings: You can update your profile information, manage linked OAuth accounts, change your password, and delete your account directly from the Settings page.
- Data Export: Request a full export of your personal data in JSON format via email.
We will respond to all legitimate requests within 30 days. If a request is particularly complex or we receive a high volume of requests, we may extend the response period by an additional 60 days with prior notice. We may ask you to verify your identity before processing your request to prevent unauthorized access to your data.
9.6 Rights Comparison
| Right | GDPR | UK GDPR | CCPA | KVKK |
|---|---|---|---|---|
| Access / Right to Know | Yes | Yes | Yes | Yes |
| Rectification / Correction | Yes | Yes | Yes* | Yes |
| Erasure / Deletion | Yes | Yes | Yes | Yes |
| Data Portability | Yes | Yes | No | No |
| Restrict Processing | Yes | Yes | No | Yes |
| Object to Processing | Yes | Yes | No | Yes |
| Opt-Out of Sale | N/A | N/A | Yes** | N/A |
| Non-Discrimination | Implicit | Implicit | Yes | Yes |
| Lodge Complaint with Authority | DPA | ICO | AG | KVKK Board |
\* CCPA correction rights via CPRA amendment.

\*\* We do not sell data; no opt-out action needed.
10. Children's Privacy
Rawframe is rated PEGI 16. The Platform is not intended for use by anyone under the age of 16. We do not knowingly collect, solicit, or store personal data from anyone under 16 years of age.
If we become aware that we have collected personal data from a person under 16, we will take immediate steps to delete that data and terminate the associated account. If you are a parent or guardian and believe that your child under 16 has provided personal data to Rawframe, please contact us immediately at legal@rawframe.net so we can take appropriate action.
This policy applies in compliance with the EU GDPR (Article 8), the US Children's Online Privacy Protection Act (COPPA), and Turkey's KVKK provisions regarding minors.
11. Data Security
We implement industry-standard technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS (HTTPS). API communications between services are similarly encrypted.
- Password Hashing: User passwords are hashed using bcrypt with appropriate cost factors. We never store plaintext passwords.
- Multiplayer Encryption: All multiplayer game traffic is encrypted using libsodium (authenticated encryption with associated data).
- Payment Security: Payment card data is handled exclusively by Stripe, which maintains PCI DSS Level 1 compliance — the highest level of payment security certification.
- Access Controls: Internal access to user data is restricted to authorized personnel on a need-to-know basis. Administrative actions are logged for audit purposes.
- Infrastructure Security: Our infrastructure is protected by Cloudflare's security features, including DDoS protection, Web Application Firewall (WAF), and bot management.
- Regular Security Audits: We conduct periodic security reviews of our codebase, infrastructure, and third-party dependencies.
- Incident Response: We maintain an incident response plan for security events, including procedures for identification, containment, eradication, and notification.
While we take extensive measures to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security incidents that may occur.
12. Data Breach Notification
In the event of a personal data breach that poses a risk to the rights and freedoms of individuals, we will:
- Notify the Supervisory Authority: Report the breach to the relevant Data Protection Authority within 72 hours of becoming aware of it, as required by GDPR Article 33. For Turkish residents, notification will also be made to the KVKK Board.
- Notify Affected Users: Where the breach is likely to result in a high risk to your rights and freedoms, we will inform you without undue delay, describing the nature of the breach, the likely consequences, and the measures we have taken or propose to take to address it (GDPR Article 34).
- Document and Remediate: We will document the breach, its effects, and the remedial actions taken, and take all necessary steps to prevent recurrence.
Breach notifications will be sent via email to the address associated with your account and, where appropriate, through in-platform notifications.
13. Automated Decision-Making
Rawframe does not engage in automated decision-making or profiling that produces legal effects or similarly significant effects concerning you, as described in GDPR Article 22.
We may use automated tools to assist with content moderation (such as detecting prohibited content in mod uploads or identifying spam in reviews and comments). However, these tools serve as a first-pass filter only. Any moderation action that materially affects your account — such as content removal, account suspension, or banning — involves human review. You have the right to appeal any moderation decision and request human review by contacting legal@rawframe.net or through the Support page.
Rate limiting (such as limiting API requests per second or login attempts) is applied automatically based on technical thresholds and does not constitute profiling in the GDPR sense.
14. Third-Party Links
The Platform may contain links to third-party websites, services, or content that are not operated or controlled by Rawframe. This includes links within user profiles (Discord, Twitter/X, GitHub), mod descriptions, blog posts, and community content.
We are not responsible for the privacy practices, content, or security of any third-party websites or services. We encourage you to review the privacy policies of any third-party sites you visit. The inclusion of a link on our Platform does not imply endorsement of the linked site or its practices.
Similarly, when you connect to a third-party game server through the Rawframe server browser, the server operator's own privacy practices and policies apply to any data collected on that server beyond what Rawframe transmits for connection purposes.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, the Platform, legal requirements, or regulatory guidance. When we make changes:
- Material Changes: For significant changes that affect how we collect, use, or share your data, we will provide at least 30 days' advance notice via email to registered users and through an in-platform notification before the changes take effect.
- Minor Changes: For non-material changes (such as clarifications or formatting updates), we will update the "Last updated" date at the top of this page.
The current version of this Privacy Policy is always available at rawframe.net/privacy. Your continued use of the Platform after changes take effect constitutes acceptance of the revised policy. If you do not agree with any changes, you should stop using the Platform and, if desired, request deletion of your account.
16. Contact & Data Protection
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, you can reach us through the following channels:
- Email: legal@rawframe.net — for privacy inquiries, data subject requests, and legal matters.
- Support: rawframe.net/support — for general account and platform inquiries.
- Mailing Address: Rawframe, Istanbul, Turkey. (Full registered address will be published upon company registration.)
Data Protection Officer
A Data Protection Officer (DPO) will be formally appointed when required by applicable law based on the scale and nature of our data processing activities. In the interim, all data protection inquiries are handled by our legal team at legal@rawframe.net.
Supervisory Authorities
If you are unsatisfied with our response to a privacy concern, you may contact:
- EU/EEA: Your local Data Protection Authority (DPA). A list is available at edpb.europa.eu.
- UK: The Information Commissioner's Office (ICO) at ico.org.uk.
- Turkey: The Personal Data Protection Authority (KVKK) at kvkk.gov.tr.
- California: The California Attorney General's Office at oag.ca.gov/privacy.