YOUR DATA, IN PLAIN ENGLISH.

GDPR + LOPDGDD · SPANISH JURISDICTION

EFFECTIVE 2026-04-22· VERSION 1.0

SHORT VERSION

We keep your Minecraft history: blocks, deaths, playtime, servers, biomes. Only what the mod captures — disclosed in full below, tier by tier. You can export everything as JSON at any time, delete by category, or wipe your whole account from the Data Vault. We do not sell data, we do not run ads, we do not track you across the web.

01 · WHO WE ARE

Minecraft Wrapped is a personal-play analytics service operated from Spain. The data controller (as defined by Article 4(7) GDPR) is the operator of Minecraft Wrapped, a natural person resident in Spain.

For any data-protection question or to exercise the rights listed in Section 07, contact privacy@minecraftwrapped.com. Full legal identity of the operator is available to regulators and to data subjects on written request to that address, per Article 12 GDPR.

The supervisory authority is the Agencia Española de Protección de Datos (AEPD), Calle Jorge Juan 6, 28001 Madrid, Spain — aepd.es. You may lodge a complaint with the AEPD at any time.

02 · WHAT WE COLLECT

We collect exactly what the Fabric mod sends to the server, plus what’s needed to operate the website account. Nothing else. Three tiers, declared up front.

Tier 1 — Standard tracking (on by default)

What any play tracker must capture to produce a useful Wrapped card. Collected from the moment you install the mod.

Session start/stop, with the server IP or hostname
Active vs AFK playtime (configurable idle threshold)
Blocks broken + placed (type, tool, biome, timestamp, coordinate)
Deaths (cause, dimension, coordinate)
Distance walked / sprinted / swum / flown
Biome time, time-of-day patterns
Items crafted, mobs killed, XP + level progression
Advancements and achievements earned
Your own chat messages — what you typed

Tier 2 — Detailed tracking (on by default, clearly disclosed)

Enables deeper features. You are told plainly at install; can toggle off in the Data Vault.

Coordinates attached to block events (heatmaps, base archaeology)
Periodic inventory snapshots (every 10 min or on major change)
Damage dealt / taken (combat + PvP stats)
Villager trades, items picked up and dropped
Food consumed, potions used, fishing + breeding events
Co-play session metadata — UUIDs of other mod users you played with (permanent); UUIDs of non-mod users are anonymized after 30 days

Tier 3 — Never collected

We commit in writing to never collect the following, regardless of feature requests:

IP addresses (authenticated UUIDs are a sufficient identity)
Device fingerprinting, canvas or font enumeration
Keyboard or mouse input patterns
System information beyond Minecraft version and OS (OS is opt-in)
Microphone, camera, file-system scans
Persistent identifiable data about players who do not have the mod, beyond short-term anonymized aggregates

Website account

If you claim a profile, we additionally store your Microsoft-authenticated account email, your Supabase auth user id, and the Minecraft UUID it is linked to. We do not see or store your Microsoft password.

03 · WHY WE COLLECT IT

Under Articles 6 and 9 GDPR, each category is processed on a specific legal basis. We do not mix bases.

Contract (Art. 6(1)(b)) — account email, auth user id, Minecraft UUID link. Necessary to provide your dashboard and Wrapped cards.
Consent (Art. 6(1)(a)) — Tier 1 + Tier 2 event data. Installing the mod is an affirmative act that signals consent; the mod discloses what is captured before the first event is sent. You can withdraw consent at any time by uninstalling the mod or deleting your data in the Vault.
Legitimate interest (Art. 6(1)(f)) — aggregate, non-identifying service-health telemetry (Vercel Speed Insights, Vercel Analytics). Limited to performance and anti-abuse monitoring; you can object (Section 07).

04 · HOW LONG WE KEEP IT

Event data + account data — kept until you delete it, or until the service shuts down. There is no automatic expiry. The promise is honest: we keep your Minecraft history so you can actually have years of it.
Anonymized non-mod-user co-play UUIDs — rotated to non-reversible anonymous ids after 30 days.
Server-side logs (error + access) — 90 days, then deleted.
Data-export + deletion-request records — kept for 12 months after fulfillment, as a GDPR audit trail.

05 · WHO ELSE PROCESSES IT

We use a small set of sub-processors, each covered by a Data Processing Agreement and each with a named purpose. No data broker. No ad network.

Supabase (Supabase Inc., USA / EU data residency) — Postgres storage, authentication, and API. Holds all event and account data.
Vercel (Vercel Inc., USA) — web hosting, Open Graph image generation, Speed Insights, Analytics.
Microsoft (Microsoft Corp., USA) — OAuth provider for sign-in; we receive only your email and Xbox Live Minecraft profile id, never your password.
mc-heads.net — CDN that renders your public skin from your Minecraft UUID. Receives only the UUID.
Modrinth / CurseForge — mod distribution. They receive download metadata per their own policies; we receive nothing from them about individual downloaders.

We do not share your data with anyone else, and we do not sell it. Not now, not as part of a future monetization plan.

06 · INTERNATIONAL TRANSFERS

Supabase, Vercel, Microsoft, and mc-heads.net are based in the United States. Transfers of personal data to the US rely on the EU-US Data Privacy Framework(for certified providers) and/or the European Commission’s Standard Contractual Clauses(2021/914). We keep a copy of each provider’s SCC or DPF certification on file.

If you want the specific clauses for a given sub-processor, request them at privacy@minecraftwrapped.com.

07 · YOUR RIGHTS

Under GDPR and the Spanish LOPDGDD you have the following rights. The Data Vault is the fastest way to exercise most of them — no ticket, no queue.

Access (Art. 15) — download every event we have ever stored about you as JSON, from /dashboard/vault.
Rectification (Art. 16) — event data is Minecraft-sourced and immutable; if you think a record is wrong, email us.
Erasure (Art. 17) — delete by category or delete your entire account from the Vault. Irreversible after 30 days.
Portability (Art. 20) — the Vault export is a machine-readable JSON with a stable schema.
Object (Art. 21) — opt out of analytics or pause event capture while keeping your history.
Restrict processing (Art. 18) — pause collection keeps existing data frozen while we stop new capture.
Withdraw consent (Art. 7(3)) — uninstall the mod and/or delete your data; the effect is immediate.
Lodge a complaint — with the AEPD (see Section 01) or with any EU supervisory authority of your residence.

08 · CHILDREN

Minecraft has a large under-14 audience. Our policy follows Article 8 GDPR as implemented in Spain by Article 7 LOPDGDD:

14 is the age of digital consent in Spain. We do not knowingly collect, sync, or store data from users under 14, whether through the mod or the website.
The mod sends play data to our servers from launch; there is no “local-only” mode for under-14 users. Both the mod and the website are 14+ — see Terms §02.
If we become aware that an account, mod installation, or batch of events belongs to a user under 14, we delete the associated data within 72 hours. Until verifiable parental consent is obtained, all visibility settings on any such account are forced to OFF and further sync is blocked.

If you believe we hold data for a child under 14 without valid consent, email privacy@minecraftwrapped.com and we will delete it within 72 hours.

09 · SECURITY

Event data and account data are stored in Supabase Postgres with row-level-security policies enabled on every table. Service-role keys are used only from server code, never exposed to the browser. All traffic is TLS. Microsoft OAuth tokens are never stored; we keep only the Supabase-issued session token in an HTTP-only cookie.

We do not consider Minecraft event data to be “special categories” under Article 9. We apply conservative handling throughout regardless.

If a breach occurs that is likely to result in a risk to your rights or freedoms, we will notify you and the AEPD within 72 hours, per Article 33 GDPR.

10 · COOKIES + LOCAL STORAGE

We use the minimum set of cookies and local-storage entries necessary to run the site. None are used for cross-site tracking.

Authentication cookie — a single HTTP-only session token issued by Supabase, required to keep you signed in. Strictly necessary; no consent banner required under Article 22.2 LSSI.
Vercel Speed Insights + Analytics— Vercel’s own cookieless implementation; no persistent identifier is stored in the browser.

We do not load advertising cookies, social-network pixels, or cross-site trackers. If that changes we will add a consent banner before loading them, per LSSI-CE Article 22.2.

11 · CHANGES TO THIS POLICY

We version this policy. The footer shows the effective date. Material changes will be announced at least 14 days before they take effect, via the Discord, the dashboard, and email to any address we hold. If a change would broaden the scope of collection or the legal basis, it applies only to future data and you will be prompted to re-consent.

The full version history will eventually live at /privacy/history (not yet populated; there has only been one version so far).

12 · HOW TO EXERCISE YOUR RIGHTS

The fastest path is the Data Vault at /dashboard/vault — export, delete by category, or delete your entire account without contacting us.

For anything the Vault does not cover, email privacy@minecraftwrapped.com. We respond to rights requests within 30 days per Article 12(3) GDPR, with a possible 60-day extension for complex requests (we will tell you if we need it). Requests are free unless manifestly unfounded or excessive.

Public profile example: /p/blocklibrarian. Every section on this page translates into a concrete control in the Vault.