To do before monetizing traffic
Replace every bracketed placeholder (for example “[LEGAL ENTITY NAME]”) with your accurate business details, list the subprocessors your deployment actually touches (CDN, VPS, Postgres host, moderation vendors), and circulate this PDF to legal counsel familiar with CPRA/FCPA + GDPR obligations.
Overview
This Privacy Policy describes how [LEGAL ENTITY NAME] (“we”, “us”) collects, stores, shares, and secures personal information when visitors and streamers interact with SiegeQueue and related overlays (collectively, the “Services”). SiegeQueue is an independent toolkit for Siege communities; it is not affiliated with Ubisoft Entertainment or its licensors.
- Data controller: [LEGAL ENTITY NAME], [PRIMARY BUSINESS ADDRESS]
- Contact email: [PRIVACY EMAIL]
- Site host / deploy note: [HOSTING COMPANY + LOCATION]
Personal data we collect
Depending on your deployment, SiegeQueue can process dashboards, TikTok/Twitch relay traffic, OBS overlays, queue state, tournaments, moderation actions, telemetry, subscriptions, payouts, backups, diagnostics, analytics, advertising, and anti-abuse logging.
- Account & authentication. Display name, email, password hashes, OAuth tokens tied to TikTok/Twitch relay configuration, webhook secrets, MFA seeds (future), invoices (future).
- Streamer configuration. Stream keys (only if pasted), TikTok/Twitch identifiers, overlays, overlay settings, OBS URLs, moderation lists, bans, timeouts, queue contents, skins, spectator metadata.
- Visitor / spectator data. Nicknames queued for overlays, Twitch/TikTok usernames surfaced in relays, spectator IP-derived metrics (CDN logs), hashed browser fingerprint for abuse analytics (if activated).
- Messages & moderation. Chat mirror logs, flagged messages, moderator notes.
- Diagnostics & telemetry. Server logs containing IP addresses, timestamps, UA strings, referrer, performance traces, uptime pings.
- Payments. If you monetize tipping or subscriptions separately, Stripe / PayPal / Cash App disclosures must be pasted here with legal names + retention windows.
How we use personal data
- Deliver synchronized queues and overlays reliably.
- Authenticate streamers securely and prevent spoofed dashboards.
- Detect abuse / botting / queue flooding.
- Improve reliability (aggregated telemetry, QA sandboxes).
- Process optional advertising & analytics placements if consented (details).
- Fulfill legal obligations (court orders with jurisdiction review).
Legal bases (EEA / UK visitors)
For visitors who fall under GDPR, we rely on (a) performance of contract for registered streamers, (b) legitimate interests (anti-abuse, infrastructure monitoring) balanced against visitor rights, (c) consent banners for personalized ads / non-essential cookies, and (d) legal obligations for lawful requests verified by counsel.
Recipients & subprocessors
- Supabase: Auth + Postgres for streamer dashboards when deployed in cloud mode (Supabase policy).
- Railway or alternative host: container runtime (example policy).
- DNS / CDN / TLS: [Cloudflare/Fastly/Other URL].
- Advertising & measurement: [Google AdSense / Ezoic / Mediavine / etc.] only after affirmative consent (Advertising page).
- Payout rails: [Stripe sandbox/prod MID].
Update this enumerated list anytime you onboard a vendor that accesses personal information.
Cookies, pixels & local storage
Essential cookies include r6_browser_id (signed browser id for queue sessions and mini-game leaderboard names on the server).
Mini-games (Snake, Pac-Man, Guess, Flap Rush) may also store your display name and local high scores in browser local storage so you are not prompted every round. Optional ad/analytics tags load only after a separate consent banner if enabled (see docs/LEGAL_AND_MONETIZATION.md).
Retention
- Accounts: until deletion + cryptographic wipe of hashed credentials.
- Temporary relays: rolling [X]-day TTL unless legal hold attaches.
- Advertising logs: follow partner policies (typically 9–13 months).
- Infrastructure backups: rotated every [n] weeks in [region]. Document restore drill dates.
Privacy rights requests
You may submit access / correction / portability / deletion / objection / restriction notices to [PRIVACY EMAIL]. California residents can learn about CPRA categories in Exhibit A (CPPA summaries help). EEA residents may escalate complaints to the Lead Supervisory Authority after contacting us.
Children
The Services target adults active in multiplayer communities. Accounts created by minors should have verifiable parental permission; COPPA-compliant offerings require additional engineering we have not asserted here unless you obtain counsel sign-off.
International transfers
Our infrastructure may reside in the United States, European Union cloud regions, and other failover regions. Supplemental safeguards such as SCCs/DPA attestations accompany processor agreements; keep URLs to signed PDFs pinned in the Ops vault.
Updates
This page may evolve with product changes. Highlight major revisions inside your newsletter / changelog. Material regressions impacting prior consent invalidate older records until you bump the consent version shipped in legal-consent.js.