PRIVACY POLICY

Version 1.0 · Last updated April 28, 2026

In short: We only collect what we need to run the community. We don't sell your data, and we don't share it with advertisers. You can edit, export, or delete your data at any time from your settings page.

01

Who We Are

This platform is operated by Section.8 VRChat Group, acting as data controller. For any privacy-related request, contact [email protected].

02

Data We Collect

We only collect what we need to run the community. This includes:

  • Account information from the provider you sign in with — user ID, username, display name, profile picture, email address.
  • Linked accounts you choose to connect — limited to public profile details and subscription status needed for the feature you are linking.
  • Profile data you enter — pronouns, birthday, bio, social handles (all optional).
  • Submissions — membership applications, suggestions, support tickets, ban appeals, and any files you attach.
  • Moderation records — warnings, bans, appeal history, and related staff notes and evidence.
  • Sign-in and security data — the IP address and device used for each session, and records of the policies you accept. IP addresses from sign-in events are hashed immediately after the session ends and never stored in raw form beyond 72 hours for abuse prevention.
  • Aggregate analytics about how the site is used. We do not use cookies or any persistent identifiers for analytics. Page views are counted ephemerally without deduplication, so no consent is required.

Providing sign-in information is required to access the platform; everything else is optional and can be edited or removed at any time from your settings page.

03

Why We Use It

We process this data to run your account, operate the community (events, applications, support, moderation), keep the platform secure, and understand how the site is used in aggregate.

Our legal bases under the GDPR are:

  • Performance of our agreement with you,
  • Your consent (for optional integrations and notifications),
  • Our legitimate interest in a safe, functional community.

We do not sell your data, share it for advertising, or use it to train AI models.

04

Cookies

We use only strictly necessary cookies — to keep you signed in and to protect sign-in flows from abuse.

We do not use any analytics cookies, deduplication cookies, or tracking cookies. Therefore no consent banner is required.

05

Third Parties

We use third-party providers acting as data processors on our behalf, strictly for the purposes shown: identity and sign-in, optional account linking you initiate, file storage, transactional email, and real-time notifications. We may also disclose data to competent authorities where legally obliged. We do not sell your data or share it for advertising.

Some of these providers are based outside the European Economic Area, including in the United States. Where that is the case, transfers are protected by Standard Contractual Clauses (SCCs). A copy of the SCCs we use is available on request — email [email protected].

06

How Long We Keep It

  • Account data — for as long as your account is active. If you deactivate, the account enters a 30-day grace period before being permanently deleted.
  • Sessions — until they expire, you sign out, or you revoke them.
  • Support tickets — up to 365 days after the last activity on the ticket.
  • Applications & submissions — for the time needed to process them and maintain a record of the decision.
  • Moderation records — retained long-term to prevent ban evasion and enforce community rules, based on our legitimate interest. When your account is deleted, we irreversibly anonymise the moderation record (removing all links back to you) so it no longer constitutes personal data and is not subject to deletion rights.
  • Analytics — kept in aggregate; no raw IP addresses are ever stored.

07

Your Rights

Under the GDPR you have the right to access, correct, delete, restrict, or port your data; to object to processing based on our legitimate interests; and to withdraw consent at any time for optional features. You can manage most of this self-service from your settings page — edit your profile, unlink integrations, revoke active sessions, or deactivate your account.

The processing we carry out under legitimate interest includes: security logs (hashed IPs, devices), moderation records (until anonymised), and aggregate analytics (no personal data).

For anything else, email [email protected] and we will respond within one month. You also have the right to lodge a complaint with the data protection authority in your country of residence. We do not engage in automated decision-making that has legal effects — all moderation decisions are made by human staff — and we do not use your data for direct marketing.

08

Security

We take appropriate technical and organisational measures to protect your data, including encrypted transmission, encryption of sensitive fields at rest, strict access controls, rate limiting, staff audit logs, and optional two-factor authentication. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority and, where required, affected individuals without undue delay.

09

Minors

This service is for users 18 years of age or older. By using the platform you confirm you meet this requirement. If we become aware that a user is under 18, the account will be suspended and the associated personal data deleted without undue delay. We reserve the right to request age verification (e.g., a redacted government-issued ID showing only age) if we have reasonable doubt; failure to provide it will result in account suspension.

Report concerns to [email protected].

10

Changes

We may update this policy from time to time. The current version and the date of the most recent revision are shown at the top. For material changes, we will ask you to re-acknowledge the updated policy on your next sign-in.