Privacy Policy
We operate Subdomain Manager from Mauritius and host it in the European Union (France and Germany). This notice explains what data we collect, on which legal bases we process it, how we use it to run the app, and how you can exercise control over your information, including your rights under the GDPR and (where applicable) the CCPA/CPRA. This Privacy Policy also reflects our obligations under the Mauritian Data Protection Act 2017 (DPA 2017).
Last updated: November 29, 2025
# Controller & contact details
For the purposes of the EU General Data Protection Regulation (GDPR), the "controller" responsible for your personal data is:
The controller is Ashwin Pillay, who operates the service under the name “Subdomain Manager” from Beau Bassin-Rose Hill, Mauritius. You can reach our privacy team via mcpandasmp@gmail.com or in the Discord support server at https://discord.gg/F43A8YE8xm.
References in this notice to “we,” “us,” or “Subdomain Manager” therefore mean Ashwin Pillay trading as Subdomain Manager, acting as the controller for your personal data.
We have not appointed a Data Protection Officer, as we are currently not legally required to do so. If that changes, we will update this Privacy Policy.
We do not currently have a representative in the EU/EEA or UK under Article 27 GDPR. Our processing of EU/EEA personal data is occasional, does not involve large-scale processing of special categories or criminal records, and is unlikely to result in a high risk to individuals’ rights and freedoms. If that assessment changes, we will appoint a representative and update this notice.
# Who we are
Subdomain Manager is a free service that provisions and manages Minecraft subdomains and related DNS records. The service is operated from Mauritius and primarily provides support through our Discord server at https://discord.gg/F43A8YE8xm.
We do not host websites or run game servers; we simply automate DNS entries that point to infrastructure you control. You remain solely responsible for the content, conduct, and compliance of any server reachable through those DNS records.
If you contact us through the Discord support server we will process the messages or profile information you choose to share so that we can respond to your request. Discord remains the controller for data processed on its platform.
We process support requests on the basis of our legitimate interest in providing user support and improving the service (Art. 6(1)(f) GDPR), or where necessary to answer questions about your account on the basis of performance of a contract (Art. 6(1)(b) GDPR).
# Eligibility
You must be old enough to use Discord under the laws of your region, because account creation relies entirely on Discord OAuth. If you are below Discord’s minimum age or otherwise not permitted to use Discord, you are not allowed to use Subdomain Manager. We do not knowingly offer the service directly to children below that threshold or intentionally collect their personal data.
# Data we collect
Discord ID, username & display name: Required to associate your subdomains with your Discord account, show ownership inside the dashboard, and uniquely identify your profile. We do not copy your discriminator, avatar, Nitro status, or other profile metadata.
Email address: Required so we can reliably identify your account together with your Discord ID, and so we can contact you about abuse notices, security issues, and account recovery if Discord messaging fails. We do not send marketing emails.
We receive both data points directly from you or from Discord once you authorise Subdomain Manager. Discord remains an independent controller for the information it provides to us through OAuth. We do not store IP addresses, device identifiers, server hostnames, DNS targets, or other telemetry beyond what is strictly necessary to route your in-app request in real time and to generate the short-lived security logs described in this notice. Short-lived security logs may hold pseudonymised identifiers (for example, a hashed IP) for up to seven days solely to detect abuse, after which they are deleted or anonymised. DNS records that you create (for example, myserver.example.com:25565 → 192.0.2.10:25565) are treated as service configuration data rather than personal data; only their association with your Discord account becomes part of your personal record.
Providing your Discord ID, username, display name, and email address is required to create and maintain an account, because we need both identifiers to prevent impersonation and to reach you for account-level issues.
If you choose not to provide these details, you will not be able to create or maintain an account or use Subdomain Manager.
# Purposes, legal bases & retention
We only process personal data when it is necessary and rely on the legal bases set out in Article 6 GDPR. The following summary shows how each category of data is used, the legal basis relied upon, and the typical retention period:
Discord ID, username & display name: We process these identifiers to authenticate you, show ownership of a subdomain, prevent duplicate registrations, and uniquely map the Discord OAuth profile to your account. The legal bases are performance of a contract (Art. 6(1)(b) GDPR) and our legitimate interest in keeping the service secure (Art. 6(1)(f) GDPR). The data stays in Supabase while your account exists and is deleted as soon as you close the account, with backups overwritten inside thirty days.
Email address: We keep your email alongside the Discord ID so that we can confirm ownership, help you recover access, and send essential service notices such as abuse reports or deletion confirmations when Discord delivery fails. Where the message is needed to administer the account, we rely on Art. 6(1)(b) GDPR; otherwise we rely on the legitimate interest in contacting you about safety-critical issues (Art. 6(1)(f) GDPR). Emails remain until you delete the account, after which they vanish from live systems immediately and from backups within thirty days.
Transient operational data (IP addresses, DNS queries, log snippets): These data points only exist in transit so that the internet can route your request, deliver DNS responses, and secure the platform against abuse. We process them under our legitimate interest in providing a secure service (Art. 6(1)(f) GDPR) and, where an authority requires evidence, under Art. 6(1)(c) GDPR. We do not store the data at rest and any diagnostic traces are purged within twenty-four hours unless a critical incident mandates a longer retention window.
Short-lived security logs (for example, rate-limit counters or application error logs) may retain pseudonymised identifiers for up to seven days to help detect abuse. After that, data is either anonymised or deleted as part of our routine log rotation.
When we need to process data for a new purpose that is incompatible with the original one, we will inform you in advance and, where required, seek your consent.
# Legal bases for processing (GDPR)
If you are in the European Economic Area (EEA), the United Kingdom, or Switzerland, we must have a legal basis to process your personal data. We rely on the following legal bases:
Performance of a contract (Art. 6(1)(b) GDPR): We rely on this basis to create and manage your account, authenticate you via Discord, provision DNS records and DDNS links, and provide core features such as quotas, referral rewards, and integrations (OAuth apps, API keys).
Without the identifiers and configuration data described in the “Data we collect” section we would not be able to provision or maintain subdomains, apply quota logic, or fulfil referral rewards. That is why those fields are marked as required when you use the product.
Legitimate interests (Art. 6(1)(f) GDPR): We process a minimal set of data to monitor service health, prevent abuse of our DNS infrastructure, secure the platform through audit logging, maintain logs for troubleshooting, and communicate important service changes such as maintenance notices. We balance these interests against your rights and expectations.
Each legitimate-interest activity is covered by a documented balancing test. In every case we considered the nature of the data (mostly technical metadata), the reasonable expectations of users, and the safeguards we implement (for example, strict retention limits and access controls). These measures keep the impact on you low and ensure that our interests do not override your rights.
Legal obligations (Art. 6(1)(c) GDPR): We may need to retain or disclose information to comply with laws, regulations, or lawful requests from public authorities.
Consent (Art. 6(1)(a) GDPR): We do not currently process your data for marketing or other purposes requiring consent. If that changes, we will seek your consent and you will be free to withdraw it at any time.
All processing activities described in this notice are carried out primarily within the EU/EEA (France and Germany), with limited technical processing via global edge infrastructure as described below.
You can contact us if you need additional information about the legitimate-interest assessments we have carried out or if you wish to object to processing grounded on those interests.
For each activity that relies on Article 6(1)(f) GDPR we complete a Legitimate Interests Assessment (LIA). The balancing tests confirm that the safeguards described in this notice keep the impact on you low, and none of those processing activities are strictly required for the service to function. You may request a summary of the relevant LIA by emailing mcpandasmp@gmail.com.
# How we use your data
We use your Discord identity to authenticate you, keep your session active, and link each subdomain to its legitimate owner. This also enables us to provision, update, and remove DNS records and DDNS links, apply quotas or referral rewards, and manage any integrations such as OAuth apps or API keys.
Minimal telemetry lets us monitor service health, prevent abuse of the DNS infrastructure, secure the platform through audit logging, and respond to support requests or maintenance events. None of the stored data is used for advertising or sold to third parties. Because we only manage DNS pointers, we are not involved in the hosting or operation of the destination servers, and any misuse or disputes that arise on those servers must be handled by their operators.
We do not use your personal data for targeted advertising or sell your personal information.
# Hosting, storage & processors
We share personal data only with vendors that act on our written instructions, are bound by confidentiality commitments, and offer guarantees consistent with Article 28 GDPR. We have signed Data Processing Agreements (DPAs) or rely on published Standard Contractual Clauses where required.
Discord remains an independent controller: when you sign in, Discord shares the account metadata described in this notice with us under its own privacy policy, and you should review Discord’s terms for further details.
Supabase (EU region) acts purely as our processor. It hosts the minimal dataset of your Discord ID, username, display name, and email alongside the non-personal DNS configuration information you manage. The data is stored in EU data centers (currently France and/or Germany) under an Article 28 GDPR-compliant DPA.
Vercel provides the frontend and serverless runtime with EU deployment targets. Vercel acts as our processor under its DPA, but because it uses a global edge network the technical metadata accompanying your request may pass through third-country edge caches before it reaches the EU origin.
We operate DNS over a managed provider with a distributed anycast network. DNS queries therefore traverse the globe, and the IP address associated with a query may be processed on resolvers or name servers outside the EU/EEA. Only the metadata needed to publish your records (names, targets, TTLs) is shared with that provider.
In limited cases we rely on additional vendors (for example, error monitoring or code hosting), always subject to data-protection terms and our instructions. If law enforcement demands information we respond only after carefully reviewing the request. Each of these vendors signs a DPA that mirrors Article 28 GDPR requirements or provides equivalent contractual safeguards.
For automated DNS provisioning we use Cloudflare Tunnels between our backend and the managed DNS network, so the tunnel traffic carries only service-to-service commands (not end-user content), and regular visitors never interact with Cloudflare on our behalf. Cloudflare therefore processes limited technical metadata (such as connecting IP addresses and TLS handshake data) as a processor solely to establish and protect that tunnel. The traffic remains end-to-end encrypted and no persistent personal data is stored by Cloudflare beyond the metadata needed to maintain the connection. A DPA is in place with Cloudflare covering this service.
Our goal is to keep storage and core processing of your personal data within the EU/EEA. Where technical routing or content delivery through global infrastructure is unavoidable, we rely on appropriate safeguards as described below.
# International data transfers
Our primary storage and processing of your personal data takes place within the European Union, specifically in France and Germany (Supabase and EU-region hosting). We do not intentionally store your personal data on servers located outside the EU/EEA.
However, due to the use of global edge and DNS infrastructure, and standard internet routing, certain limited categories of personal data (such as your IP address, basic connection metadata, HTTP headers, and DNS query information) may be processed on systems located outside the EU/EEA. When you access Subdomain Manager from a non-EU country your request may be served via a nearby Vercel edge server, and DNS queries for your subdomains may be resolved by globally distributed name servers that briefly process your IP address and domain query outside the EU/EEA.
These routing events are limited in scope and duration. In line with EDPB guidance, many of them are treated as transient routing rather than a “transfer” within the meaning of Chapter V, because no controller or processor in a third country gains independent access to the full dataset. Nonetheless, we apply the contractual safeguards described below wherever a provider may act as a data importer.
Where such transfers involve personal data from the EU/EEA, UK, or Switzerland, we rely on Standard Contractual Clauses or equivalent safeguards included in our providers’ data-protection terms, or on other mechanisms permitted under Articles 45–49 GDPR, depending on the specific context.
You can contact us at mcpandasmp@gmail.com for more information about the safeguards used for international transfers.
# Retention & deletion
Your Discord ID, username, display name, and email remain in our systems only while the account is active so that you can manage your subdomains.
You can delete your account at any time from /profile. This action immediately removes the stored identifiers and the related non-personal DNS configuration data; any backups containing the old entries are overwritten within thirty days, and we cannot restore data from backups once that process begins.
Transient service traces needed to deliver traffic are purged automatically within twenty-four hours and are not stored in long-term logging systems unless a serious abuse investigation requires a longer retention mandated by law. The same maximum twenty-four-hour window applies to Cloudflare Tunnel metadata, which is discarded once the operational troubleshooting window closes.
# Your rights under GDPR
If you are in the EU/EEA, UK, or Switzerland, you have the following rights with respect to your personal data, subject to the conditions and exceptions in Articles 12–23 GDPR:
Right of access: You can obtain confirmation of whether we process your personal data and receive a copy of that data.
Right to rectification: You may have inaccurate or incomplete data corrected.
Right to erasure: You may request deletion of your personal data, for example when it is no longer required. Deleting your account via /profile is the fastest way to remove most stored data.
Right to restriction: You can ask us to restrict processing in certain situations, such as while we verify accuracy or handle an objection.
Right to object: You may object to processing based on legitimate interests. We will stop unless we demonstrate compelling grounds or need the data for legal claims.
Right to data portability: You can receive certain personal data in a structured, machine-readable format and transmit it to another controller where technically feasible.
Right to withdraw consent: If we rely on consent, you may withdraw it at any time without affecting earlier processing.
Right to lodge a complaint: You may contact your local data protection authority if you believe our processing violates data-protection law.
We may need to verify your identity before fulfilling a rights request, as permitted by Article 12(6) GDPR, to protect your data from unauthorised access.
To exercise any of these rights, contact us at mcpandasmp@gmail.com or via our Discord support channels. We may need to verify your identity before responding to your request.
We aim to respond to GDPR requests within one month (Article 12 GDPR). You may also lodge a complaint with your local supervisory authority or with the Mauritius Data Protection Office (5th Floor, SICOM Tower, Wall Street, Ebene, Mauritius; https://dataprotection.govmu.org). EU/EEA residents can find their authority at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
# Mauritian Data Protection Act 2017
As a controller established in Mauritius we also comply with the Mauritian Data Protection Act 2017 (DPA 2017). The principles and obligations largely mirror the GDPR: purpose limitation, data minimisation, accountability, transparency, security and respect for data-subject rights.
Under the DPA 2017 you enjoy the following rights, which mirror those listed for GDPR:
- Access to personal data we hold about you.
- Rectification of inaccurate or incomplete records.
- Erasure where data is no longer necessary.
- Restriction or objection to processing, including direct marketing.
- Review of decisions based solely on automated processing.
You may exercise these rights by contacting us at mcpandasmp@gmail.com or through our Discord support server. You may also file a complaint with the Data Protection Office (5th Floor, SICOM Tower, Wall Street, Ebene, Mauritius).
International transfers from Mauritius take place only with appropriate safeguards (contractual clauses, technical measures, or, where necessary, approval from the Data Protection Office) to ensure protection comparable to the DPA 2017. Processing for users located in Mauritius is carried out under the same legal bases described in this notice, interpreted in line with the DPA 2017. The same cross-border safeguards mentioned in the international transfers section apply whenever data is routed through or accessed from Mauritius.
# Additional information for California residents
If and to the extent the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), applies to our processing, California residents have additional rights with respect to their "personal information" (as defined in the CCPA).
We do not "sell" or "share" your personal information as those terms are defined under the CCPA. We use your information only to provide and secure the service, as described in this Privacy Policy.
We do not meet the revenue or volume thresholds that would require registration with the California Privacy Protection Agency (CPPA). This section is included voluntarily to make it easier for California residents to exercise their rights if the CCPA applies to our processing.
Subject to legal limitations, you can request to know the categories and specific pieces of personal information we hold, request deletion (with certain statutory exceptions), request correction of inaccurate information, and be free from discrimination for exercising CCPA rights.
You (or your authorised agent) can exercise these rights by contacting us at mcpandasmp@gmail.com. We may need to verify your identity before fulfilling your request.
# Security & your choices
We limit access to administrative tools and use industry-standard protections for secrets and infrastructure. No system is perfect, so please keep DDNS links, API keys, and OAuth credentials private and rotate them if you suspect misuse.
Technical and organisational measures include:
- Access control (least privilege, MFA, audit logging).
- Encryption in transit and at rest, plus secret rotation.
- Regular hardening and patching of infrastructure.
- Backup integrity checks and restricted restoration workflows.
Supabase stores data using encryption at rest and TLS in transit, and we enforce role-based controls. Secrets and API keys are rotated periodically and stored inside managed secret stores. Access and deletion requests can be submitted via email or our Discord support channel, though deleting your account remains the fastest way to purge stored data. If you are under the minimum age required to use Discord in your region, please do not use this service.
We do not use automated decision-making, including profiling, that produces legal or similarly significant effects for you.
If we ever suffer a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, when required, also inform you (Articles 33 and 34 GDPR).
We assess the privacy impact of our OAuth authentication flows, Vercel’s edge delivery, and Cloudflare tunnel metadata and document the technical and organisational measures set out in this notice. These reviews show that no high residual risk remains for data subjects after the controls above are applied.
# Contact
For privacy questions or data requests, you can contact us:
Email mcpandasmp@gmail.com or message us in the Discord server at https://discord.gg/F43A8YE8xm (mention that your request relates to the Privacy Policy). We strive to respond within seventy-two hours.
# Changes to this Privacy Policy
We may update this Privacy Policy from time to time, for example when we add new features or change our vendors. When we make material changes, we will update the “Last updated” date at the top of this page and, where appropriate, notify you through the app or via email or Discord.