Pink Narwhal ("we", "us", "our") operates the Pink Narwhal platform and website (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our website or use our Service. It applies to all users worldwide, including those in the European Economic Area (EEA), United Kingdom (UK), United States, and the State of California.
By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use the Service.
1. Information We Collect
1.1 Information You Provide
- Account information — When you create an account, we collect your name, email address, username, and authentication credentials. Account authentication is handled by a third-party identity provider.
- Billing information — When you subscribe to a paid plan, payment details (such as card number and billing address) are collected and processed by our third-party payment processor. We do not store full payment card details on our servers.
- Third-party API credentials — To provide backup and restore functionality, you may provide us with API keys or access tokens for third-party game server management platforms (e.g. Pterodactyl panel client API keys). These credentials are encrypted at rest and used solely to perform the backup and restore operations you request.
- Contact information — When you submit a support ticket or contact us, we collect your name, email address, and the content of your message.
- Organisation data — If you create or join an organisation within the Service, we collect the organisation name, membership details, and role assignments.
1.2 Information Collected Automatically
- Usage data — We collect information about how you interact with the Service, including pages visited, features used, backup and restore activity, timestamps, and referring URLs.
- Device and browser data — We collect your IP address, browser type, operating system, device identifiers, and screen resolution.
- Cookies and similar technologies — We use cookies, pixels, and similar tracking technologies for authentication, analytics, advertising, and bot protection. See Section 6 for details.
- Log data — Our servers automatically record information including your IP address, access times, and pages viewed.
1.3 Information from Third Parties
- Identity provider — We receive profile information (name, email, avatar) from your authentication provider when you sign in.
- Payment processor — We receive subscription status and billing events from our payment processor.
2. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Process your backups and restores using the API credentials you provide
- Process payments and manage your subscription
- Send transactional communications (receipts, alerts, support replies)
- Send marketing communications where you have opted in or where we have a legitimate interest (you can opt out at any time)
- Analyse usage patterns to improve the Service
- Detect, prevent, and address fraud, abuse, and security issues
- Comply with legal obligations
- Display targeted advertising on third-party platforms
3. Legal Bases for Processing (EEA & UK)
If you are in the EEA or UK, we process your personal data under the following legal bases as defined by the General Data Protection Regulation (GDPR) and UK GDPR:
- Performance of a contract — Processing necessary to provide the Service you have subscribed to, including account management, backup operations, and billing.
- Legitimate interests — Processing necessary for our legitimate interests (such as analytics, fraud prevention, and improving the Service), provided these interests are not overridden by your rights.
- Consent — Where you have given consent for specific processing activities, such as marketing emails or non-essential cookies. You may withdraw consent at any time.
- Legal obligation — Processing necessary to comply with applicable laws and regulations.
4. Sharing and Disclosure
We do not sell your personal information. We may share your data with the following categories of third parties:
- Service providers — We use third-party companies to help us operate the Service, including:
  - Cloud hosting and infrastructure providers
  - Object storage providers (for backup storage)
  - Identity and authentication providers
  - Payment processing providers
  - Email delivery services
  - Analytics and performance monitoring services
  - Advertising and marketing platforms
  - Bot protection and security services
  - Tag management and consent platforms
- Legal requirements — We may disclose your information if required to do so by law, regulation, legal process, or government request.
- Business transfers — In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.
- With your consent — We may share information for other purposes with your explicit consent.
5. International Data Transfers
Your personal data may be transferred to and processed in countries outside of your country of residence, including the United States and other countries where our service providers operate. These countries may not have data protection laws equivalent to those in your jurisdiction.
Where we transfer personal data from the EEA or UK to a country that has not been deemed to provide an adequate level of data protection, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission, the UK International Data Transfer Addendum, or other legally recognised transfer mechanisms.
6. Cookies and Tracking Technologies
We use the following categories of cookies and similar technologies:
- Strictly necessary — Required for authentication, security, and core Service functionality. These cannot be disabled.
- Analytics and performance — Help us understand how visitors interact with our website, measure performance, and identify issues.
- Advertising and targeting — Used to deliver relevant advertisements and measure campaign effectiveness across third-party platforms.
- Marketing and email — Used to personalise marketing communications and track engagement.
You can manage your cookie preferences through your browser settings or through our cookie consent mechanism where available. Disabling certain cookies may affect the functionality of the Service.
7. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes described in this policy, unless a longer retention period is required or permitted by law.
- Account data — Retained for the duration of your account and for up to 30 days after deletion to allow for account recovery.
- Backup data — Retained in accordance with your subscription plan. When you delete a backup or cancel your subscription, backup data is permanently deleted within 30 days.
- API credentials — Deleted immediately upon account deletion or when you remove them from the Service.
- Billing records — Retained as required by applicable tax and accounting laws (typically 6–10 years).
- Log data — Retained for up to 90 days for security and debugging purposes.
8. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption of data in transit using TLS/SSL
- Encryption of sensitive data at rest, including API credentials
- Access controls and authentication for internal systems
- Regular security reviews and monitoring
- Secure backup storage with access logging
While we take reasonable precautions, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.
9. Your Rights
9.1 Rights Under GDPR (EEA & UK)
If you are in the EEA or UK, you have the following rights under the GDPR and UK GDPR:
- Right of access — Request a copy of the personal data we hold about you.
- Right to rectification — Request correction of inaccurate or incomplete data.
- Right to erasure — Request deletion of your personal data ("right to be forgotten").
- Right to restriction — Request that we limit how we process your data.
- Right to data portability — Receive your data in a structured, machine-readable format.
- Right to object — Object to processing based on legitimate interests or for direct marketing.
- Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time.
- Right to lodge a complaint — You have the right to lodge a complaint with your local data protection authority (e.g. the ICO in the UK, or your national DPA in the EEA).
9.2 Rights Under California Law (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with the following rights:
- Right to know — Request disclosure of the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties with whom we share it.
- Right to delete — Request deletion of personal information we have collected from you, subject to certain exceptions.
- Right to correct — Request correction of inaccurate personal information.
- Right to opt out of sale or sharing — We do not sell your personal information. If we use targeted advertising that constitutes "sharing" under the CPRA, you have the right to opt out.
- Right to limit use of sensitive personal information — You may request that we limit the use of sensitive personal information to what is necessary to provide the Service.
- Right to non-discrimination — We will not discriminate against you for exercising any of your privacy rights.
To exercise any of the rights described above, please contact us. We will respond within the timeframes required by applicable law (30 days for GDPR, 45 days for CCPA/CPRA).
9.3 Categories of Personal Information (California)
In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:
- Identifiers (name, email address, username, IP address)
- Commercial information (subscription plan, billing history, transaction records)
- Internet or electronic network activity (browsing history, usage data, interactions with the Service)
- Geolocation data (approximate location derived from IP address)
- Inferences drawn from the above (e.g. usage patterns, preferences)
10. Third-Party API Credentials
To provide our backup and restore service, you may store API keys or access tokens for third-party game server management platforms within the Service. We want to be transparent about how we handle these credentials:
- API credentials are encrypted at rest using industry-standard encryption.
- Credentials are used exclusively to perform backup and restore operations that you initiate or schedule.
- We do not share your API credentials with any third party.
- You may revoke or delete your stored credentials at any time through the Service.
- We recommend using API keys with the minimum permissions necessary for the Service to function.
- You are responsible for the security of the credentials you provide, including rotating keys if you believe they have been compromised.
11. Children's Privacy
The Service is not directed at individuals under the age of 16 (or 13 in jurisdictions where that is the applicable threshold). We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child without appropriate consent, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us.
12. Do Not Track Signals
Some browsers transmit "Do Not Track" (DNT) signals. There is currently no industry standard for how companies should respond to DNT signals. We do not currently alter our data collection and usage practices in response to DNT signals, but we respect your right to manage tracking through your browser settings and any cookie consent tools we provide.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by posting the updated policy on our website with a revised "Last updated" date. For significant changes, we may also notify you via email or through a prominent notice on the Service.
Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy.
14. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have a complaint, please contact us.
If you are in the EEA or UK and are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority.