Legal

Privacy Policy

Effective 1 January 2025 · Last updated April 2026

This Privacy Policy describes how CordCat ("we", "us", "our") collects, uses, and protects information when you use cord.cat, dis.cord.cat, or api.cord.cat (collectively, the "Services"). By using the Services, you agree to this policy.

01 Data We Collect

Account data (if you register): username, email address, bcrypt-hashed password (12 rounds), registration IP address, last-seen IP address, and browser user agent. Passwords are never stored in plain text and are never transmitted to third parties.

Session data: a cryptographically random session token stored as a SHA-256 hash in our database. The raw token is stored only in your browser's httpOnly cookie and is never logged.

Lookup data: the Discord ID you searched, the source (web or API), a timestamp, and your IP address. This is retained to power your search history and for abuse prevention.

API key data: key name, a SHA-256 hash of your key (never the raw key), plan type, and usage count. The raw API key is shown only once at creation time and is not recoverable.

Visit analytics: page URL, IP address, user agent, and referrer, collected in aggregate for platform analytics.

Request logs: IP, endpoint, HTTP status, and timestamp, retained for 90 days for security monitoring.

We do not collect payment information. Donations are processed directly via external crypto wallet addresses with no payment data touching our servers.

02 How We Use Your Data

Providing the service: authenticating your account, performing lookups, returning search history and favorites.

Security: detecting API abuse, enforcing rate limits, banning accounts that violate our Terms of Service.

Analytics: understanding usage patterns via aggregate, anonymised metrics. We do not use third-party analytics trackers.

Legal compliance: responding to valid legal requests from competent authorities where required by law.

03 Third-Party Services We Query

When you perform a lookup, we make outbound requests to the following services on your behalf:

  • Discord API: to fetch public profile data. Governed by Discord's Privacy Policy.
  • Private breach data aggregator: to search breach records by Discord ID.
  • FiveM index: an internal database of publicly disclosed FiveM server records.
  • EU DSA Transparency Database: publicly available official EU government records.

We act as data controller for your account data. For third-party data, we are a data processor acting on your instruction. We do not sell or share your personal data with advertisers.

04 Data Retention

Account data: retained until you delete your account via Settings → Account → Delete Account, or request deletion at [email protected].

Search history: retained up to 12 months per entry, or until you clear it manually from your Dashboard.

Sessions: expire after 7 days. Logging out deletes the session immediately.

Request logs: retained 90 days, then permanently deleted.

Visit analytics: retained 30 days in aggregate form.

05 Cookies

We use the following cookies:

  • token: session cookie (httpOnly, Secure in production, SameSite=Lax, 7 days). Required for login.
  • cc.csrf: CSRF protection token (httpOnly, SameSite=Strict). Required for form submissions. See our Cookie Policy.

We use no third-party tracking cookies, no advertising cookies, and no analytics SDKs.

06 Your Rights (GDPR / CCPA)

If you are in the European Economic Area or California, you have the following rights:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: correct inaccurate data (change email/username in Settings).
  • Erasure ("right to be forgotten"): delete your account and all associated data.
  • Restriction: request we pause processing while a dispute is resolved.
  • Portability: receive your data in a structured, machine-readable format.
  • Objection: object to processing based on legitimate interest.

To exercise any right: email [email protected] from your registered email address. We will respond within 30 days.

07 Data Security

  • Passwords hashed with bcrypt (12 rounds).
  • Session tokens stored as SHA-256 hashes; raw tokens live only in httpOnly cookies.
  • API keys stored as SHA-256 hashes; raw keys shown once at creation and not recoverable.
  • All connections encrypted via TLS 1.2+.
  • CSRF protection on all state-mutating endpoints.
  • Rate limiting and bot detection on all API routes.

Despite these measures, no system is 100% secure. We will notify affected users within 72 hours of discovering a breach, as required by GDPR Art. 33.

08 Children

CordCat is not directed at children under 16. We do not knowingly collect data from children. If you believe we have inadvertently collected data from a minor, contact us immediately at [email protected] and we will delete it.

09 Changes to This Policy

We may update this policy. The "Last updated" date at the top of this page reflects the most recent revision. Significant changes (material impact on how we use your data) will be announced via email to registered users at least 7 days in advance.

10 Contact

Data protection questions: [email protected]

General enquiries: [email protected]