Privacy Policy

This Privacy Policy explains how Creator Assistant ("we", "us", or "our") collects, uses, discloses, stores, and protects personal data when you use the Creator Assistant Assistant services, including our websites, setup pages, dashboards, APIs, webhook endpoints, Discord bot, verification flows, Liened Downloads, collaborator sharing flows, Unity runtime integration, and related features (collectively, the "Service").

Who is responsible for your data

Creator Assistant is the data controller when we process data for our own purposes-for example, to operate the Service, secure our systems, enforce our Terms, or communicate with you. When a Creator or server operator configures the Service for their community, they may act as an independent controller for decisions about how verification, roles, or downloads are set up. When we process data to provide the Service on behalf of a Creator (e.g., verifying purchases, assigning roles, routing webhooks), we act as a processor for that Creator, and they remain responsible for their own privacy notices and lawful basis toward their end users.

This Privacy Policy should be read together with our Terms of Service. If you do not agree with this Privacy Policy, do not use the Service.

This Privacy Policy applies to people who interact with the Service, including:

• creators, sellers, studios, collaborators, moderators, and community operators who install or configure the Service
• Discord server owners, administrators, and staff members who manage verification, downloads, settings, moderation, or analytics
• end users who link accounts, submit license keys, verify purchases, receive Discord roles, or access protected downloads
• developers or operators who access our APIs, setup pages, or webhook endpoints

In some cases, a Creator or community operator may act as the primary decision maker for how the Service is configured in their server. In those cases, that Creator or operator may have separate privacy obligations to their own community.

2.1 Data you provide directly

• account linking and setup information
• license keys, license claims, or other verification inputs
• provider credentials such as API keys, access tokens, refresh tokens, webhook secrets, and setup tokens
• product mappings, role rules, settings, moderation inputs, and download route configuration
• support messages, feedback, and communications you send to us

2.2 Data we receive from connected providers

• Discord data such as user IDs, guild IDs, role IDs, channel IDs, usernames, display names, and profile metadata
• Gumroad data such as product IDs, order IDs, sale identifiers, customer identifiers, timestamps, refund status, and related purchase records
• Jinxxy data such as store identifiers, product identifiers, sale records, license references, and webhook payload data

2.3 Data generated through use of the Service

• verification session records, OAuth state records, entitlement records, and subject identity records
• event logs, audit logs, security logs, sync logs, and troubleshooting records
• analytics and operational metrics such as command usage, setup progress, and workflow outcomes
• download route and download artifact metadata for Liened Downloads
• Unity runtime assertion and installation-related records when that feature is enabled

• when you install, connect, configure, or use the Service
• when you authenticate with Discord, Gumroad, or Jinxxy
• when providers send us webhooks or API responses
• when Creators trigger manual sync, backfill, moderation, or download management actions
• when end users run verification commands, complete connect flows, or request protected downloads
• when Unity installations request runtime assertions or related validation data

We use data to operate, secure, improve, and support the Service. This includes using data to:

• install, authenticate, and maintain provider connections
• complete verification flows and purchase or license matching
• create, update, revoke, or sync entitlements and Discord roles
• deliver and protect Liened Downloads
• support collaborator sharing flows and shared-store verification
• issue Unity runtime assertions and validate Unity integrations
• maintain audit trails, detect abuse, investigate suspicious activity, and enforce Service policies
• measure reliability, debug errors, and improve features
• communicate about the Service, support requests, incidents, updates, or legal notices

Liened Downloads is designed to protect qualifying attachments in Discord while keeping creators in control of their own communities.

• we may process source message metadata, author IDs, channel IDs, role requirements, and file metadata
• we may create private forwarded delivery or review records inside Discord to support protected delivery workflows
• we store file metadata and Discord message references needed to operate the feature
• we do not intentionally store protected file contents in our own external storage as part of the standard Liened Downloads flow
• download access is checked against the role requirements configured by the Creator

Creators remain responsible for how they configure download routes, who can access review channels, and whether their communities receive the notices required for their own use cases.

Some Service features require sensitive credentials or verification inputs. Depending on the feature, we may process:

• OAuth access tokens and refresh tokens
• API keys and webhook secrets
• license keys or hashed versions of license keys
• session cookies, CSRF-related values, setup tokens, and one-time invite tokens

We use these values only as needed to operate the related feature, maintain the connection, validate requests, or enforce security.

If a Creator uses collaborator sharing, we may process invite tokens, collaborator account information, shared store identifiers, API key access status, webhook routing information, and related audit records.

We use this data only to support the collaborator relationship requested by the Creator and Collaborator, operate the selected integration mode, and keep appropriate records of that connection.

If a Creator enables manual licenses or Unity runtime assertions, we may process hashed license keys, entitlement records, device or installation-related identifiers, assertion records, and related validation metadata.

We use this information only to validate access, enforce Creator-defined license rules, issue runtime assertions, and investigate abuse or fraud related to those features.

Our setup pages, connect flows, and dashboards use cookies and similar storage. We use only first-party cookies; we do not set third-party advertising cookies. The following categories apply:

• Essential / strictly necessary: Session cookies for authentication, CSRF tokens, and state needed for OAuth, setup, and verification flows. These are required for the Service to function. Duration: session or short-lived (typically up to 24 hours).
• Security / session: Cookies that maintain login state, protect against forgery, and keep connect or verification flows working. Duration: session or a few hours.
• Analytics: We currently do not use analytics cookies. If we add analytics in the future, we will disclose the provider and purpose and update this section.

We do not use support chat widgets or embedded third-party tools that set cookies on our setup pages. If we add such tools in the future, we will update this section.

How to manage cookies: Your browser settings let you block or clear cookies. Blocking essential or session cookies will prevent setup, connect, and verification flows from working. Where consent is required by law, we will obtain it before setting non-essential cookies.

We may share or disclose data in the following circumstances:

• with Connected Providers (Discord, Gumroad, Jinxxy) when needed to complete the feature you requested
• with service providers that help us operate the Service, including: cloud hosting and database providers (e.g., Convex), authentication providers, infrastructure and CDN providers, and analytics or monitoring tools where we use them
• with a Creator, Admin, or server operator when the Service is being used on their behalf and the disclosure is necessary for that workflow
• to comply with law, legal process, or lawful requests from public authorities
• to protect the rights, property, security, or integrity of the Service, our users, or others
• in connection with a merger, acquisition, financing, reorganization, or sale of assets

We do not sell personal data in exchange for money. For a list of subprocessors, email us at contact@yucp.club.

Where required by law, we rely on one or more legal bases to process personal data, including:

• performance of a contract or steps requested before entering one
• our legitimate interests in operating, securing, and improving the Service
• consent, where a feature or jurisdiction requires it
• compliance with legal obligations

The Service may use infrastructure, providers, or support operations located in more than one country. As a result, your data may be transferred to or processed in jurisdictions other than your own.

Where required by law, we use appropriate transfer mechanisms, which may include: adequacy decisions (where the destination country is recognized as providing adequate protection), standard contractual clauses (SCCs) approved by the European Commission or equivalent authorities, and supplementary measures where necessary. You may request details of the safeguards we use for specific transfers by contacting us.

We retain data for as long as needed to operate the Service, maintain security, support legitimate business records, comply with law, resolve disputes, enforce our agreements, and preserve backup or audit integrity.

Retention varies by data type. The following are indicative ranges; actual periods may differ:

• Security and operational logs: Typically 30–90 days, unless needed longer for incident investigation or legal hold
• OAuth tokens, session records, setup tokens: Until disconnect or expiry; session data is typically cleared within 24 hours of logout or token expiry
• Connection and verification records: While the related feature is active; after disconnect, we may retain for up to 12 months for dispute resolution and fraud prevention
• Audit and event logs: Typically 12–24 months for security and compliance
• Hashed license records, entitlement history, moderation records: Retained where needed for enforcement or fraud prevention; may persist after account closure
• Backup copies: May persist for up to 90 days after deletion before being purged; some backups may be retained longer for disaster recovery
• Webhook payloads and processing records: Typically 30–90 days for troubleshooting and reconciliation

We use reasonable technical and organizational safeguards designed to protect the Service and the data we process. These measures may include access controls, encryption or hashing where appropriate, scoped credentials, audit trails, and abuse prevention measures.

No system is perfectly secure, and we cannot guarantee absolute security.

14.1 Security incidents

If a security incident occurs that affects your personal data, we will provide notice where required by law and where operationally feasible. We will describe the nature of the incident, the data affected, and the steps we are taking. Contact us if you have concerns about a potential incident.

Depending on where you live, you may have rights relating to your personal data, such as rights to:

• request access to certain personal data we hold about you
• request correction of inaccurate or incomplete data
• request deletion of certain data, subject to legal and operational limits
• request restriction of certain processing
• object to certain processing
• request data portability where applicable
• withdraw consent where processing depends on consent

15.1 How to submit a request

Send your request to contact@yucp.club with the subject line "Privacy Request." Include your Discord user ID, the server or tenant involved (if applicable), and a clear description of the right you wish to exercise. For access or portability requests, we may ask you to verify your identity (e.g., by confirming control of the linked Discord account or providing additional information we can match to our records). We typically respond within 30 days. If we need more time or cannot fulfill a request, we will explain why.

15.2 Directing requests to Creators

Some requests may need to be directed to the Creator or server operator who configured the Service for their community-for example, when the data was processed on their behalf or when they control access decisions. We will tell you if your request should go to a Creator instead.

15.3 EEA, UK, and U.S. state rights

EEA and UK: If you are in the European Economic Area or the United Kingdom, you have rights under the GDPR (and UK GDPR), including access, rectification, erasure, restriction, portability, and objection. If you are in the EEA or UK, you also have the right to lodge a complaint with your local data protection authority.

U.S. state privacy laws: If you are a resident of California, Virginia, Colorado, Connecticut, or other U.S. states with comprehensive privacy laws, you may have additional rights, such as the right to know, delete, correct, opt out of certain sales or sharing, and non-discrimination. We do not sell personal data. To exercise these rights, use the process in 15.1 above.

The Service is not directed to children under 13 or under the age required by applicable local law in your jurisdiction, whichever is higher. If you believe a child has provided personal data in violation of applicable law, contact us and we will review the request.

The Service depends on third-party platforms and providers, including Discord, Gumroad, Jinxxy, Unity, infrastructure providers, hosting providers, and analytics or support tools. Their privacy practices are governed by their own terms and policies.

We are not responsible for the privacy or security practices of third-party services.

We may update this Privacy Policy from time to time. If we make a material change, we may provide notice through the Service, by email, through a setup page, in a dashboard, or by other reasonable means. The updated Privacy Policy will become effective on the stated effective date.