Karasu ClassicLogin

Privacy Policy

Effective date: 2026-04-19. This policy explains how KarasuMatchmaking processes personal data for Steam-based account access, competitive matchmaking, KarasuClient compliance checks, billing, support, moderation, and analytics.

1. Data Controller

KarasuMatchmaking operates this platform. For privacy requests, contact support through the in-platform ticket center with category `SUPPORT` or `APPEAL` and include "Privacy Request" in the subject.

2. Data We Process

  • Account identity data: Steam ID, username, avatar URL, role, region, and optional email.
  • Match and gameplay records: parties, queue entries, veto actions, assigned teams, match state, results, and player stats.
  • KarasuClient compliance data: session ID, client version, secure boot, TPM and driver-enforcement status, heartbeat recency, and attestation metadata.
  • Moderation and safety data: warnings, punishments, reasons, issuer, appeal/dispute notes, and enforcement timestamps.
  • Ticket and support data: categories, message history, internal staff notes, and ticket audit trail.
  • Billing data: subscription status, provider references, webhook status, invoice/receipt metadata, and failed payment signals.
  • Mail delivery data: message type, recipient, delivery status, provider message ID, and failure diagnostics.
  • Infrastructure and security logs: internal request signature metadata, nonce checks, rate-limit events, and server heartbeat telemetry.
  • Demo data: filename, storage key, checksum, upload status, and access permissions for participants and staff.

3. Why We Process Data (Purpose and Legal Basis)

  • Contract performance: provide queueing, matchmaking, match hosting, profile history, demo access, and ticket support.
  • Legitimate interests: competitive integrity, abuse prevention, operational monitoring, and service reliability.
  • Legal obligations: accounting evidence, fraud prevention, and handling statutory data-subject requests.
  • Consent (where required): optional account notices and non-essential communications.

4. KarasuClient and Compliance Telemetry

KarasuClient is required for ranked queue eligibility. The client sends heartbeat/compliance status so the backend can verify secure boot, TPM, and driver enforcement checks and can enforce queue restrictions when the compliance session is missing or unhealthy.

5. Billing and PayPal Processing

Karasu+ subscriptions are processed via PayPal. We do not store full card details. We store provider subscription references, subscription state, and billing notifications needed for entitlement and accounting flows.

6. Ticketing, Moderation, and Safety

We process report and dispute data to investigate abuse, enforce platform rules, and maintain fair matchmaking. Moderation records can affect queue eligibility and may be shown in profile summaries where relevant.

7. Analytics

Admin analytics aggregate website activity, matchmaking health, rank distribution, subscriptions, revenue, mail delivery, and moderation workload. We use aggregated data to operate and improve the platform.

8. Data Sharing and Processors

  • Steam OpenID for authentication assertions.
  • PayPal for subscription billing and webhook events.
  • Email provider for transactional notifications.
  • Cloud/storage and hosting vendors for platform operation.

9. Retention

  • Active account profile and ranking data: retained while account is active.
  • Match and stat history: retained for competitive integrity and profile history.
  • Compliance sessions and heartbeats: short-lived operational retention.
  • Moderation and ticket audit data: retained for enforcement consistency.
  • Billing and invoice records: retained per accounting/legal requirements.
  • Demo metadata and files: retained according to storage policy and access rules.

10. Your GDPR Rights

You may request access/export, correction, deletion (where applicable), restriction, objection, and portability rights under GDPR. Use the built-in GDPR request routes and support tickets for identity-verified processing.

11. Security Measures

  • Role-based admin access controls and permission separation.
  • Signed internal requests with timestamp/nonce verification.
  • Session-based auth and protected demo download routes.
  • Rate limiting, audit logging, and operational health monitoring.

12. International Transfers

If infrastructure or processors operate across regions, we apply appropriate safeguards and contractual controls required by applicable privacy law.

13. Changes

We may update this policy when features or legal requirements change. Material changes are announced in-platform.

Legal review note: this policy is product-complete for MVP scope but must still be reviewed by qualified legal counsel before production launch.