Privacy Policy
Last updated: [DATE — e.g. 1 January 2026]
⚠️ Draft — not ready to publish
This document still contains [PLACEHOLDERS] and has not been reviewed by a lawyer. Fill in your business details in data/site-content.json (see lib/content.js for the shape), and have the final wording reviewed before you take real payments. This banner disappears once no placeholders remain.
This policy explains what personal data [YOUR LEGAL ENTITY NAME] collects when you use Hotspot Creations, why we collect it, and what you can do about it.
1. Who is responsible
[YOUR LEGAL ENTITY NAME], [YOUR REGISTERED BUSINESS ADDRESS], is the data controller for the personal data described here. For privacy questions, contact [privacy@yourdomain.com].
2. What we collect
When you create an account
- Your email address — used to identify your account and contact you about orders.
- Your password — stored only as a salted scrypt hash. We cannot read your password, and neither can anyone who obtains the stored value.
- Account creation date.
When you buy something
- Order records — what you bought, the price, the date, and your email, so we can give you access to your downloads and support your purchase.
- Payment details are not collected by us. Card details are handled by our payment providers and never reach our servers.
If you link your FiveM account
- Your Cfx.re username and the date you linked it — used only to connect your in-server purchases to your Store account. Linking is optional and you can unlink at any time from your account page.
When you contact us
- Your name, email, chosen topic and message — kept so we can answer you and keep a record of the conversation.
3. Cookies and local storage
We do not use advertising or analytics cookies. We use:
- A session cookie (
vc_customer_session) — set when you sign in so we know it's you. It is signed, HTTP-only, and expires after 30 days. Strictly necessary; the Store cannot log you in without it. - Local storage — your shopping cart and FiveM sign-in state are kept in your own browser, not on our servers.
4. Why we can use your data (legal bases)
- To perform our contract with you — creating your account, taking payment, delivering products and providing support.
- Our legitimate interests — keeping the Store secure and preventing fraud and abuse.
- Legal obligation— keeping records we're required to keep, such as for tax.
[REVIEW — LEGAL BASES ARE UK/EU (GDPR) CONCEPTS. IF YOU OPERATE ELSEWHERE, HAVE THIS SECTION CHECKED AGAINST YOUR LOCAL LAW.]
5. Who we share it with
We do not sell your personal data. We share it only with:
- Tebex — processes payment and delivery for in-server packages under its own privacy policy.
- Our payment provider — processes payment for direct purchases. [NAME YOUR PROVIDER ONCE CONFIGURED — e.g. Stripe]
- Our hosting provider — stores the data that runs the Store. [NAME YOUR HOST]
- Authorities, where we are legally required to.
6. How long we keep it
- Account data — while your account is open, and deleted on request.
- Order records — retained after your account closes where we need them for tax and accounting. [SPECIFY YOUR RETENTION PERIOD — often 6–7 YEARS]
- Contact messages — kept while relevant to supporting you.
7. Your rights
Depending on where you live, you may have the right to:
- Ask for a copy of the data we hold about you.
- Have inaccurate data corrected.
- Have your data deleted, where we don't need to keep it.
- Object to or restrict how we use it.
- Ask us to transfer it to another service.
- Complain to your data protection regulator. [NAME YOUR REGULATOR]
To exercise any of these, email [privacy@yourdomain.com]. We'll respond within the period required by law.
8. Security
Passwords are hashed with scrypt and never stored in readable form. Session cookies are signed and HTTP-only, so they can't be forged or read by scripts in your browser. Purchasable files are served only after we check your order. No system is perfectly secure, but if a breach affects you, we'll tell you and the regulator as required.
9. Children
The Store isn't intended for children under [MINIMUM AGE — e.g. 13, or 16 IN PARTS OF THE EU], and we don't knowingly collect their data. If you believe a child has given us data, contact us and we'll delete it.
10. Changes
If we change this policy we'll update the date at the top, and tell you directly if the change is significant.
11. Contact
Privacy questions: [privacy@yourdomain.com], or via our contact page.
Questions about this policy? Get in touch.