
Privacy Policy

Last updated: 27 June 2026

Contents

  1. Controller
  2. Overview
  3. Account & registration
  4. Service usage
  5. Riot / game data
  6. Cookies & local storage
  7. Security measures
  8. Recipients & processors
  9. Retention
  10. Your rights
  11. Right to complain
  12. Changes

1. Controller

Controller under the GDPR:

Marco Vo (Noxgarrt / Fellurion)
Nürnberg, Deutschland

Email: fellurion@outlook.de

No data protection officer is appointed unless required by law.

2. Overview

Estaris is a web backend and desktop companion for League of Legends. We only process data required to operate your account, authenticate you, and connect the desktop client.

Principles:

  • No sale of personal data
  • No advertising tracking
  • No automated decisions with legal effect
  • Passwords are stored hashed only

3. Account & registration

Data collected:

  • Email address (required)
  • Password (hashed only, minimum 12 characters)
  • Language preference (de/en)
  • Registration timestamp

Purpose: Create and manage your account, sign-in, two-factor authentication (TOTP).

Legal basis: Art. 6(1)(b) GDPR (contract performance / pre-contractual steps).

Flow: On sign-up we store your details as a pending registration (max. 48 hours). Your account is created only after you click the confirmation link in the email. Expired entries are deleted.

2FA: If you enable two-factor authentication, we store an encrypted TOTP secret and hashed backup codes.

4. Service usage

Desktop client (session authorization):

  • Client label (provided by the Estaris client)
  • Hashed session and access tokens (no plaintext in the database)
  • Created, expiry, and last-used timestamps

Purpose: Secure linking of the Estaris desktop client to your account.

Legal basis: Art. 6(1)(b) GDPR.

Technical log data: When you visit the site, server and security logs (IP address, timestamp, requested URL, user agent) may be generated briefly — solely for operation, troubleshooting, and abuse prevention (login throttling, rate limits).

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in stability and security).

5. Riot / game data

If you link a Riot account or store a personal Riot API key, we process:

  • Riot ID (game name and tag)
  • PUUID (Riot player identifier)
  • Platform / region
  • Encrypted API key (if you use your own dev key)

Purpose: Display builds, match data, and overlay features via official Riot interfaces.

Legal basis: Art. 6(1)(b) GDPR.

Riot Games is a separate controller for data in their systems. See also Riot Games' privacy notice.

6. Cookies & local storage

We only use technically necessary cookies or session data:

  • Session cookie — keeps you signed in and stores language during your visit (httponly, secure, SameSite=Strict)
  • Remember-me cookie — optional, if you choose “Stay signed in” (max. 7 days, httponly, secure, SameSite=Strict)
  • CSRF token — protection against cross-site request forgery on forms

No analytics, marketing, or third-party tracking cookies are used.

Cloudflare Turnstile (if enabled): Login may load a captcha from Cloudflare. Technical data may be sent to Cloudflare. Legal basis: Art. 6(1)(f) GDPR (bot protection).

7. Security measures

To protect your data we use, among others:

  • HTTPS encryption (TLS)
  • Password hashing (modern algorithm via Symfony Security)
  • Mandatory two-factor authentication after first sign-in
  • Login throttling (max. 5 failed attempts)
  • CSRF protection on all state-changing forms
  • Encryption of sensitive fields (TOTP secret, API keys) in the database
  • Security HTTP headers (including X-Frame-Options, X-Content-Type-Options, Content-Security-Policy, HSTS)

8. Recipients & processors

Data is shared only when required to operate the service:

  • Hosting / infrastructure — server, database (PostgreSQL), Redis (sessions), depending on deployment
  • Email delivery — via configured SMTP (e.g. registration confirmation)
  • Cloudflare Turnstile — optional at login (bot protection)
  • Riot Games API — when you link your Riot account to fetch public game data

Where required, processor agreements under Art. 28 GDPR are in place.

9. Retention

  • Pending registration: max. 48 hours, then deleted
  • User account: until deleted by you or us
  • API / session tokens: until revoked, expired, or account deletion
  • Server logs: rolling retention, typically days to weeks

After account deletion, personal data is deleted or anonymised unless legal retention obligations apply.

10. Your rights

You have the following rights towards the controller:

  • Access (Art. 15 GDPR)
  • Rectification (Art. 16 GDPR)
  • Erasure (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Object to processing based on legitimate interests (Art. 21 GDPR)
  • Withdraw consent (Art. 7(3) GDPR) with future effect

Contact fellurion@outlook.de. We usually respond within one month.

11. Right to complain

You may lodge a complaint with a supervisory authority — in particular in the EU member state of your residence, workplace, or the place of the alleged infringement.

In Germany, the authority of the federal state where the controller is established is responsible.

12. Changes

We update this policy when our processing or legal requirements change. The current version is always available at https://estaris.noxgarrt.net/en/legal/privacy.

For material changes we notify registered users by email or in-account notice where required.


© 2026 Noxgarrt & Fellurion · All rights reserved.

Estaris is a community project by Noxgarrt & Fellurion.

Estaris is not endorsed by Riot Games. League of Legends is a trademark of Riot Games, Inc.