Privacy Policy
- Service: shock.lol
- Controller: The operator of shock.lol
- Effective date: 2026-05-27
- Last updated: 2026-05-27
1. Who is responsible for your data (Controller)
The controller of your personal data is:
- Controller: The operator of shock.lol, based in Finland
- Contact / privacy enquiries: [email protected]
2. Scope
This Policy explains what personal data we collect when you use shock.lol, why we collect it, the legal bases we rely on, who we share it with, how long we keep it, and the rights you have. It applies to visitors, registered users, and people whose profile pages are viewed publicly.
It does not apply to third-party services you connect to or link from your pages (such as Discord, Stripe, or the platforms behind your widgets), which have their own privacy policies.
3. Personal data we collect
3.1 Account data
- Unique user ID and UUID, username, and public bio handle and aliases.
- Email address.
- Password (stored only as a salted hash; we never see your plaintext password).
- Account API token (stored to authenticate API access; hidden from data exports).
- Avatar URL and a legacy Discord ID for migrated accounts.
- Account roles/permissions and account status (including bans).
- Account creation and update timestamps.
3.2 Profile / User Content
- Your bio page(s) and their configuration, socials, widgets, badges, tags, custom domains, and aliases.
- Images and files you upload and host through the Service (stored with Cloudflare R2 object storage) and their metadata.
- Marketplace template listings you publish, and likes, copies, and reports related to the marketplace.
Much of this content is, by design, public (see Section 8).
3.3 Connected-account (OAuth) data — Discord
When you connect or log in with Discord, we receive and store: your Discord user ID, username, display name, email, avatar, the granted scopes (identify, email, guilds.join), and OAuth access/refresh tokens (kept to maintain the connection and excluded from data exports). With your authorisation we may add you to our Discord server and synchronise community roles (including a "booster"/premium role).
3.4 Billing data
For paid purchases we store a billing record: Stripe customer, checkout session and payment-intent identifiers, the item (SKU/type), quantity, amount, currency, status, and any refund details. Card and payment-instrument details are handled by Stripe and are not stored by us.
3.5 Virtual-economy data
In-app balances (such as badge credits), invitations you have created or used, and daily reward-spin ("roulette") history.
3.6 Technical, session, and security data
- Sessions: user ID, user-agent string, a friendly device label, session start/last-activity times. For privacy, your IP address is not stored in raw form against your session — instead we store a one-way HMAC-SHA256 hash of the IP and a coarse network type (local/private/public). We do not derive or store your geographic location.
- Profile views: to count and de-duplicate views of a bio page, we store the bio owner's ID together with a hashed viewer IP. Raw viewer IPs are not retained.
- Audit/security logs: records of significant actions (such as logins, content changes, and staff/moderation actions), which may include the acting user's ID and IP address, used to secure the Service and investigate abuse.
- Server logs: standard application/error logs generated while operating the Service.
3.7 Communications
Notifications shown in your account, password-reset and account-related emails, and any messages you send us (for example by email).
We do not intentionally collect special-category data, and you should not place such data on public pages. We do not perform automated decision-making that produces legal or similarly significant effects on you; automated checks (such as rate limiting and abuse detection) are used only to operate and protect the Service.
4. Where the data comes from
Most data comes directly from you (registration, profile editing, uploads, purchases). Some is generated by your use of the Service (sessions, views, logs, balances). Some is received from third parties you choose to connect (Discord) or whose data your widgets display based on identifiers you provide (for example Last.fm, Steam, Twitch, YouTube, GitHub, game-stats providers, Google Fonts).
5. Why we process your data and the legal bases
| Purpose | Categories used | Legal basis (GDPR Art. 6) |
|---|---|---|
| Create and manage your account; provide bio pages, hosting, marketplace, and core features | Account, profile, OAuth, technical/session | Performance of a contract — Art. 6(1)(b) |
| Process purchases and manage virtual items, refunds, and billing records | Billing, account, virtual-economy | Performance of a contract — Art. 6(1)(b); legal obligation (accounting) — Art. 6(1)(c) |
| Authenticate logins, manage sessions, and operate "remember me" | Account, technical/session | Performance of a contract — Art. 6(1)(b) |
| Connect Discord, add you to our server, and sync roles | OAuth/connection | Consent — Art. 6(1)(a) (you initiate and can disconnect) / contract — Art. 6(1)(b) |
| Display widgets and integrations you configure | Identifiers you provide | Performance of a contract / consent — Art. 6(1)(b)/(a) |
| Keep the Service secure; prevent fraud and abuse; moderate content; enforce Terms and bans | Technical/session, audit logs, account, content | Legitimate interests — Art. 6(1)(f); legal obligation — Art. 6(1)(c) |
| Count and de-duplicate public page views | Hashed IP, owner ID | Legitimate interests — Art. 6(1)(f) |
| Communicate service and account messages (e.g. password resets) | Account, communications | Performance of a contract — Art. 6(1)(b) |
| Comply with legal obligations and respond to lawful requests | As relevant | Legal obligation — Art. 6(1)(c) |
Where we rely on legitimate interests, our interest is operating, securing, improving, and growing a reliable Service; we have considered your rights and you may object (see Section 11). Where we rely on consent, you can withdraw it at any time without affecting prior processing.
6. Cookies and similar technologies
shock.lol uses a minimal set of strictly necessary cookies and does not currently use analytics, advertising, or third-party tracking cookies. The cookies we use include:
- a session cookie (to keep you logged in and operate the Service), and
- a "remember me" authentication cookie (set when you stay signed in).
Strictly necessary cookies do not require consent under the ePrivacy rules. If, in future, we add analytics or other non-essential cookies/trackers, we will request your consent through a cookie banner before they are set, and will update this Policy and the cookie list below.
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| Session cookie | Maintain your authenticated session | Strictly necessary | 120 minutes (2 hours) |
| Remember-me cookie | Keep you signed in across visits | Strictly necessary | Up to 1 year |
| XSRF/CSRF token | Protect against cross-site request forgery | Strictly necessary | Session |
Note: third-party content embedded on pages (for example certain widgets) may set their own cookies controlled by those third parties.
7. Who we share data with (recipients and processors)
We do not sell your personal data. We share it only with service providers who act on our instructions, with third-party services you choose to connect, and where required by law. We disclose the following categories of recipients:
| Category of recipient | Purpose |
|---|---|
| Hosting and infrastructure providers | Running the application, database, and servers that store and process your data |
| Storage and content-delivery providers | Storing and serving your uploaded files and images, and routing custom domains |
| Payment service providers | Processing purchases and billing (card data is handled by the provider, not by us) |
| Communications/email providers | Sending account and transactional emails (e.g. password resets) |
| Connected-account and integration providers | Authentication and account connections you initiate (e.g. Discord), and displaying third-party content you configure |
| Operational and security tools | Error monitoring and abuse prevention |
| Authorities and professional advisers | Legal compliance, and establishing, exercising, or defending legal claims |
We require providers acting as processors to offer appropriate safeguards and to process personal data only on our instructions, under data-processing agreements. The specific providers we use can change over time.
8. Public information
By design, the following are publicly accessible to anyone, including via search engines and our public lookup API and view leaderboard: your bio handle and aliases, your public bio page(s) and their content (links, social profiles, widgets, badges, uploaded media), your public view counts, and marketplace listings you publish. You can reduce search-engine indexing using the page "no index" option. Do not publish personal or sensitive information you do not want to be public.
9. International data transfers
Some processors (for example Stripe, Cloudflare and Discord) may process data outside the European Economic Area (EEA), including in the United States. Where this happens, we rely on appropriate safeguards under GDPR Chapter V, such as the European Commission's Standard Contractual Clauses and/or, where applicable, the EU–US Data Privacy Framework, together with supplementary measures where needed. You can request more information and a copy of the relevant safeguards at [email protected].
10. How long we keep your data (retention)
We keep personal data only as long as needed for the purposes described in this Policy, or as required by law. Profile view records are stored only in hashed form and are removed automatically over time. Session records end when they expire or are revoked. Image-hosting records remain while files are active or until their configured lifetime ends. Billing and transaction records are kept for as long as accounting and tax law require (in Finland, generally six years), even after account deletion.
When you request account deletion and the request is verified, we permanently delete your personal account data and user-generated content from active systems. This process is irreversible. Records we are legally required to retain (such as accounting records), together with limited system logs and backup copies, may temporarily persist for security, integrity, or legal compliance, after which they are automatically purged. We do not retain deleted user data for business, analytical, or operational use once deletion is complete.
11. Your rights under the GDPR
Subject to the conditions in the GDPR, you have the right to:
- access your personal data and obtain a copy;
- rectify inaccurate or incomplete data;
- erasure ("right to be forgotten");
- restrict processing in certain cases;
- data portability (receive your data in a structured, machine-readable format and, where feasible, have it transmitted to another controller);
- object to processing based on legitimate interests, and to direct marketing at any time;
- withdraw consent at any time, where processing is based on consent (without affecting prior processing); and
- not be subject to solely automated decisions producing legal/similarly significant effects (we do not carry out such decision-making).
How to exercise your rights:
- You can download a machine-readable export of your account data at any time from Account → Data export (
/account/export), which produces a JSON file (access tokens are excluded for security). - For other requests — including rectification, erasure, restriction, objection, or questions — contact [email protected]. You can also request account deletion via [email protected].
We respond within one month, extendable by two further months for complex requests, and will tell you if we need an extension. We may need to verify your identity before acting.
12. Right to lodge a complaint
If you believe we have processed your personal data unlawfully, you can contact us first at [email protected]. You also have the right to lodge a complaint with the Finnish supervisory authority:
Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) Postal address: PL 800, 00531 Helsinki, Finland Visiting address: Lintulahdenkuja 4, 00530 Helsinki Phone: +358 29 566 6700 · Email: [email protected] · Web: https://tietosuoja.fi
If you reside or work in another EU/EEA country, you may instead complain to your local data protection authority.
13. Security
We take appropriate technical and organisational measures to protect personal data, including: hashing passwords, not storing raw IP addresses for sessions and view counts (using one-way HMAC hashing instead), excluding secrets and OAuth tokens from data exports, rate limiting and login throttling, role-based access controls for staff, transport encryption (HTTPS), and audit logging of sensitive actions. No method of transmission or storage is completely secure, so we cannot guarantee absolute security. If a personal-data breach is likely to result in a risk to your rights, we will notify the Data Protection Ombudsman, and you where required, in line with the GDPR.
14. Children
The Service is intended for adults. You must be at least 18 years old to use it (see Section 3 of our Terms of Service). We do not knowingly collect personal data from anyone under 18. If you believe someone under 18 has provided us personal data, contact [email protected] and we will take appropriate steps to delete it.
15. Changes to this Policy
We may update this Policy from time to time. We will post the updated version with a new "Last updated" date and, for material changes, provide additional notice (for example on the Service or by email). Your continued use of the Service after changes take effect means you acknowledge the updated Policy.
16. Contact
Questions or requests regarding this Policy or your personal data: The operator of shock.lol Contact / privacy enquiries: [email protected]