Legal
Privacy Policy
Last updated: May 3, 2026
This policy applies to swiftservers.org and all related services operated by Jamie Penning.
1. Data Controller
The entity responsible for processing your personal data within the meaning of the GDPR (Art. 4 No. 7) is:
Jamie Penning
Enkhuizen, Netherlands
Netherlands
Email (privacy matters): [email protected]
Full postal contact details are shared upon verified legal or regulatory request.
We do not have a designated DPO as we do not fall under the mandatory DPO thresholds of Art. 37 GDPR. Further legal details can be found in our Legal Notice.
2. Data We Collect and Why
We only collect personal data that is necessary to provide our service. The table below maps each category to its legal basis under Art. 6 GDPR and its retention period.
| Category | Data | Legal Basis | Retention |
|---|---|---|---|
| Account data | Name, email, Clerk user ID | Art. 6(1)(b) – contract performance | Until account deletion |
| Server content | Game files, configs, plugins | Art. 6(1)(b) – contract performance | Deleted after 30 days of inactivity |
| Technical logs | IP address, browser, usage logs | Art. 6(1)(f) – legitimate interest (security) | Up to 30 days |
| Error monitoring | Error reports, stack traces, page URL, browser/device information, performance diagnostics, console errors, and recent interaction breadcrumbs. If enabled for a frontend error, Sentry may also receive a masked session replay showing what happened around the error. | Art. 6(1)(f) – legitimate interest (keeping the service secure, reliable, and debuggable) | Usually up to 90 days in Sentry, unless needed longer for a specific security or support issue |
| Private support messages | Messages sent through support/private message tools, including account identifiers and timestamps | Art. 6(1)(f) – legitimate interest (abuse prevention, fraud/security investigations, and support quality) | Automatically deleted after 30 days |
| Minecraft account | Minecraft UUID, username, skin | Art. 6(1)(b) – contract performance | Until account deletion or unlink |
| Analytics | Aggregated page views (Google Ads) | Art. 6(1)(a) – consent (GDPR) and Dutch Telecommunicatiewet cookie rules | Until consent withdrawn; max 26 months (Google) |
| Payment data | Transaction records (Xsolla) | Art. 6(1)(c) – legal obligation (applicable EU/NL tax and accounting law) | Up to 10 years where legally required |
| Optional Google Drive backup | Encrypted OAuth refresh token, linked Google email (for display), Drive file identifiers; server backup archives (e.g. .tar) uploaded to your Google Drive when you enable the feature | Art. 6(1)(b) – contract performance (optional feature you turn on) | On SwiftServers: until you disconnect the integration or delete the server/account. In Google Drive: under your control per Google's settings and terms |
Google Drive backups are optional. You link your own Google account from the panel. We do not access your broader Drive; we only create and rotate a small number of backup files you asked us to upload. Those files and your Google account are then subject to Google's privacy policy and terms in addition to this policy.
About Sentry error monitoring. Sentry helps us understand crashes and broken frontend/server flows without waiting for a user to manually describe every technical detail. We configure Sentry with privacy in mind: default personal information collection is disabled where the SDK supports it, and we scrub obvious secrets such as cookies, authorization headers, API keys, tokens, and UUID-like identifiers before events are sent. We do not use Sentry for advertising, selling data, or profiling users. Still, error reports can sometimes include information visible on the page or in technical context around the error, so please do not enter secrets into server names, file names, or support messages unless needed.
3. Recipients and Data Processors
We share personal data only with processors who are contractually bound by a Data Processing Agreement (DPA) and provide sufficient guarantees under Art. 28 GDPR:
Clerk (clerk.com)
Authentication and user management
Supabase (supabase.com)
Database storage for application data
Google LLC (Google Drive API & OAuth)
Optional automated backups: OAuth sign-in and uploads to your Google Drive when you enable the feature
Google LLC (ads.google.com)
Advertising analytics (only with your consent)
Sentry (sentry.io / Functional Software, Inc.)
Error monitoring, performance diagnostics, and masked session replay for debugging
Xsolla Inc.
Payment processing for purchasing credits
Hetzner Online GmbH
Physical server infrastructure
4. International Data Transfers
Several of our processors (Clerk, Supabase, Google, Sentry, Xsolla) are headquartered in the United States, which is a third country outside the European Economic Area (EEA).
For all such transfers we rely on the following transfer mechanisms under Chapter V GDPR:
- Standard Contractual Clauses (SCCs) — adopted by the EU Commission (Decision 2021/914) and included in each processor's DPA.
- EU–US Data Privacy Framework (DPF) — Google LLC and Sentry participate in the DPF where applicable (adequacy decision, Commission Decision 2023/1795), providing a recognised transfer mechanism for EEA-US transfers.
Despite these safeguards, transfers to the US carry residual risks (e.g., potential access by US authorities under FISA §702). You may request more information about transfer safeguards at [email protected].
6. Minors
Our services are not intended for children under 16 without parental or guardian consent. If you are under 16, you must obtain permission from a parent or legal guardian before using SwiftServers.
7. Additional Information Under Article 13(2) GDPR
Providing personal data required during registration and service use is necessary to create and maintain your account and hosting services. Without this data, the service cannot be provided.
We do not carry out automated decision-making or profiling within the meaning of Article 22 GDPR.
8. Your Rights Under GDPR (Arts. 15–22)
As a data subject you have the following rights, all of which you may exercise free of charge by contacting [email protected]. We will respond within one month (Art. 12(3) GDPR).
Right to Access (Art. 15)
Obtain a copy of all personal data we hold about you.
Right to Rectification (Art. 16)
Correct inaccurate or incomplete personal data.
Right to Erasure (Art. 17)
Request deletion of your data ('right to be forgotten').
Right to Restriction (Art. 18)
Restrict how we process your data in certain circumstances.
Right to Portability (Art. 20)
Receive your data in a structured, machine-readable format.
Right to Object (Art. 21)
Object to processing based on legitimate interests.
Right to Withdraw Consent (Art. 7(3))
Withdraw any consent (e.g. analytics) at any time without penalty.
Right to Lodge a Complaint (Art. 77)
File a complaint with a supervisory authority — see Section 8.
9. Security Measures
We implement appropriate technical and organizational measures (TOMs) as required by Art. 32 GDPR. These include encryption in transit (TLS 1.2+), encryption at rest, access controls with least-privilege principles, and regular security reviews. Minecraft server data is isolated in Docker containers with private networking.
10. Right to Lodge a Complaint (Art. 77 GDPR)
If you believe we are processing your personal data in violation of the GDPR, you have the right to lodge a complaint with a supervisory authority. As SwiftServers is operated from the Netherlands, the competent lead supervisory authority is:
Autoriteit Persoonsgegevens (AP)
Hoog Catharijne, Catharinasingel 2, 2511 GX Den Haag
Website: autoriteitpersoonsgegevens.nl
You may also lodge a complaint with the supervisory authority in your EU member state of residence or place of work.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be announced via the website or by email. The "Last updated" date at the top of this page always reflects the most recent version.
Ready to start your Minecraft adventure?