Privacy Policy
Last updated: 2026-04-24
1. Introduction
L2 Afterwork respects your privacy and collects only the data needed to run the game service, deliver donations correctly, and keep the server secure. This Privacy Policy explains what we collect, why we collect it, how long we keep it, and who else processes it on our behalf.
2. Data Controller
L2 Afterwork is operated by a private individual based in the European Union. The operator is the data controller responsible for personal data collected through this website. For any privacy-related request, contact us at:
- Email: support@l2afterwork.com — please use the subject Data Request
- Contact form: /contact/
3. Data We Collect
3.1 Data you provide directly
- Email address — required for account registration and account recovery
- Username — chosen during registration
- Password — stored in hashed form (Argon2), never in plain text
- Game account login names — created through your dashboard
- Donation details — amount, order ID and payment-provider transaction ID linked to your account; we never see or store card numbers or bank credentials
- Messages you send through the contact form — name, email, subject and body
3.2 Data collected automatically
- IP address — for anti-spam, Turnstile captcha verification, rate-limiting and fraud prevention
- User-agent string (browser type, version, operating system)
- Referring website
- Pages visited and approximate time spent
- Country of origin (via Cloudflare) — used for automatic language detection only
4. How We Use Your Data
- To create and manage your account
- To deliver donation rewards to the correct character
- To provide access to game server services
- To detect your preferred language automatically
- To protect against unauthorized access, spam, fraud and abuse
- To answer your support requests
- To improve the website and the game service
- To communicate important service updates
5. Legal Basis for Processing
- Consent — you provide consent when creating an account
- Contract — processing is necessary to provide the services you have signed up for
- Legitimate interest — security, fraud prevention, donation accounting and service improvement
- Legal obligation — where we must retain specific records to comply with applicable law
6. Data Storage and Security
Your data is stored on secure servers hosted in the European Union. We apply standard technical and organizational measures, including:
- Password hashing using the Argon2 algorithm
- HTTPS encryption for all data in transit
- CSRF protection on all forms
- Rate limiting and Cloudflare Turnstile on sensitive endpoints
- Regular security updates and monitoring
7. Data Retention
We keep personal data only as long as it serves the purpose for which it was collected. Specific retention periods:
| Data category | Retention period |
|---|---|
| Active website accounts | Until you delete the account |
| Deleted accounts (soft delete) | 30 days, then permanently erased |
| Security and authentication logs (login attempts, rate-limit events) | 90 days |
| IP addresses tied to security events | 90 days |
| Messages from the contact form | 12 months |
| Donation and payment records | 24 months (the payment provider keeps its own copy under its own terms) |
| Inactive accounts (no login activity) | Up to 24 months; after that we may notify you by email and delete the account 30 days later |
| Session cookies | Duration of the session or until logout |
We may keep anonymized or aggregated data (with no possibility of re-identification) for longer, for analytics and service-improvement purposes.
8. Third-Party Processors
We share the minimum data needed with the following processors in order to run the service:
- Cloudflare — CDN, DDoS protection, bot filtering (Turnstile), and country-level geolocation for automatic language detection. Cloudflare acts as a data processor and may see IP addresses and request metadata.
- OVH — hosting, DNS, and email (Zimbra). Server logs and mailbox contents are stored on OVH infrastructure in the European Union.
- Payment providers — when you make a donation, payment data is processed directly by the licensed payment provider you select on the checkout page. We receive back only the order ID, transaction ID, amount and status — never card numbers or bank credentials. Each payment provider publishes its own privacy policy on its website.
We do not sell your personal data to any third party, and we do not use it for behavioural advertising.
9. Your Rights
Under applicable data protection laws (including the EU GDPR) you have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Request deletion of your data
- Object to or restrict certain processing
- Request portability of your data in a machine-readable format
- Withdraw consent at any time (without affecting the lawfulness of prior processing)
- Lodge a complaint with your local data protection authority
To exercise any of these rights, email support@l2afterwork.com with the subject Data Request, or use the contact form. We respond within 30 days.
10. Age Restriction
Our services are intended for users who are at least 18 years old. We do not knowingly collect personal data from anyone under 18. If you believe a minor has registered on our service, please contact us and we will delete the account.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Significant changes will be announced on this page and the last-updated date at the top will be revised.