Legal

Privacy Policy

Last updated: April 24, 2026

This Privacy Policy explains what DonutWin collects about you, how we use it, who we share it with, and the choices you have. It covers the DonutWin website, games, and related services.

1. What we collect

From you directly

  • Account info: email, username, password (hashed — we never see the plaintext).
  • Minecraft username if you link one, so we can pay out withdrawals and render your avatar.
  • Support messages you send us.

Automatically

  • IP address and approximate location (country / region), used for security, rate limiting, region gating, and audit logs.
  • Device fingerprint — a hash derived from browser/device signals. Used to detect multi-accounting and referral fraud.
  • User agent (browser and OS info) and session identifiers.
  • Login timestamps, gameplay timestamps, and transaction records.

From your gameplay

  • Every wager, win, loss, deposit, and withdrawal. We retain a full ledger for audit and anti-fraud purposes.
  • Chat messages you send in global chat. These are logged and visible to moderators.

We do not collect payment card data — deposits and withdrawals move through the Minecraft bot, not a payment processor integration on our site.

2. How we use your info

  • To run the Service — authenticate you, keep your balance accurate, pay out wins and withdrawals.
  • To prevent and investigate fraud, multi-accounting, collusion, and abuse of the referral or bonus programs.
  • To comply with legal obligations and respond to lawful requests.
  • To communicate with you about your account (verification emails, withdrawal notifications, security alerts).
  • To improve the Service — understand which games are played, fix bugs, tune game math.

We do not sell your personal data. We do not use your gameplay data to target you with third-party advertising.

3. Third parties that process data for us

We share data with service providers we need to run DonutWin. Each one only gets what they need.

  • Supabase — hosts our database and authentication. Stores accounts, profiles, balances, transactions.
  • Vercel — hosts the web frontend. Sees request-level data (IP, user agent, URL).
  • Render — hosts the backend API and Minecraft bot.
  • Resend — sends transactional emails (verification, withdrawal confirmations).
  • Cloudflare Turnstile — verifies you're not a bot on signup/login.
  • minotar.net — renders Minecraft avatars from the username you provide. Your browser loads the avatar image directly from them.
  • Discord — if you connect for notifications, Discord receives the minimum needed to deliver webhook messages.

We'll share data if required by law, court order, or to protect the Service, players, or the public from real harm.

4. Cookies and local storage

We use cookies and browser storage to keep you signed in, remember UI preferences, and protect against CSRF attacks. We don't use third-party advertising cookies. An admin session cookie is set when you sign in to the admin panel (HttpOnly, Secure, SameSite=Strict) and expires after 4 hours.

5. How long we keep data

  • Account and profile data — while your account is open, and for a reasonable period after closure for audit and anti-fraud.
  • Transaction records — retained long-term for accounting, dispute resolution, and legal obligations.
  • Chat messages — retained while visible, with automatic cycling on the global chat feed. Moderation logs retained for policy enforcement.
  • Audit logs (admin actions, security events) — retained for an extended period for investigation.
  • Rate-limit and security telemetry — short-lived, cleared on rolling windows.

6. Your rights

Depending on where you live you may have the right to:

  • Request a copy of the personal data we hold about you.
  • Ask us to correct inaccurate data.
  • Ask us to delete your data, subject to our obligation to retain transaction records for anti-fraud and compliance.
  • Object to or restrict certain processing.
  • Withdraw consent where we relied on it.

Email privacy@donutwin.com with the email address on your account. We may need to verify you before acting on the request. Some data (financial ledgers, fraud investigations) we may not be able to delete on request — we'll tell you why if that applies to you.

7. Security

We use encryption in transit (HTTPS with HSTS), encrypted storage for sensitive fields (MFA secrets), CSRF protection, rate limiting, and mandatory MFA for admin accounts performing sensitive actions. No system is 100% secure. If we become aware of a breach that affects your account, we'll notify you in line with applicable law.

8. Children

DonutWin is strictly 18+. We don't knowingly collect data from anyone under that age. If you believe a minor has registered, contact us and we'll remove the account.

9. International transfers

Our providers (Supabase, Vercel, Render, Resend, Cloudflare, Discord) may process data outside your country. By using the Service you acknowledge your data may cross borders to reach them.

10. Changes

We may update this Policy. The "Last updated" date at the top reflects the most recent change. Material changes will be announced on the site or via email.

11. Contact

Privacy questions or requests: privacy@donutwin.com. General support: the DonutWin Discord or support@donutwin.com.