Privacy Policy

1. Age Restriction and Children's Privacy

The Service is intended exclusively for users who are 18 years of age or older. We do not knowingly collect personal information from anyone under 18. This policy is consistent with the Children's Online Privacy Protection Act (COPPA), which governs the collection of personal information from children under 13.

If you are under 18 years of age, you may not use the Service. If we discover that we have inadvertently collected personal information from a person under 18, we will delete that information as quickly as possible. If you believe we may have any information from or about a minor, please contact us immediately at info@chartis.gg.

2. Information We Collect

2.1 Information You Provide Indirectly (via Discord OAuth)

To nominate or vote, you must authenticate using your Discord account. When you authorize Discord OAuth, we receive and store:

• Your Discord User ID — a unique numeric identifier assigned to your Discord account. We use this solely to prevent duplicate nominations and votes per category. We do not collect your Discord username, email address, avatar, or any other Discord profile data.

2.2 Nomination Submissions

When you submit a nomination, you provide the following information:

• The map/island name or code of the UEFN experience you are nominating (for Map Award categories);
• The creator name or handle of the person you are nominating (for Creator Award categories); and
• The award category you are nominating them for.

This nomination content (map/island name or creator name, plus category) is stored in our database without any link to your identity. Like voting, we use a one-way cryptographic hash — derived from your Discord User ID and the award category — to prevent duplicate nominations. The hash is stored in a completely separate table and cannot be used to identify you or retrieve the nomination content you submitted.

Nomination tallies (aggregate counts of how many nominations a particular map or creator has received in a given category) may be visible to the public during the nomination period. Individual nominations are not attributed to specific users and are not publicly disclosed.

2.3 Voting Data

When you cast a vote, we store:

• Your vote selection (which nominee you chose in each category), stored in a database table with no user identifier attached to it.
• A one-way cryptographic hash derived from your Discord User ID and the award category, stored in a separate table, used exclusively to prevent duplicate votes. This hash is mathematically irreversible — it is impossible to recover your Discord User ID from it.

These two pieces of data (vote selection and hash) are stored in separate tables with no shared identifier between them. Even with full database access, it is technically impossible to determine who voted for which nominee.

When you change your vote, your previous vote record is permanently deleted and replaced with your new selection. We do not retain vote history or audit logs linking you to prior votes.

2.4 Automatically Collected Information

When you visit the Service, we and our third-party service providers may automatically collect certain technical information, including:

• IP address and approximate geographic location (country/region);
• Browser type and version;
• Operating system;
• Pages visited, time spent on pages, and navigation paths;
• Referring URL; and
• Date and time of access.

This information is collected through server logs and Google Analytics (GA4) and is used in aggregate and anonymized form to understand how users interact with the Service, improve functionality, and ensure security. Google Analytics data is collected with IP anonymization enabled.

2.5 Information We Do Not Collect

We do not collect:

• Your real name, email address, phone number, or physical address;
• Payment information of any kind;
• Sensitive personal data such as health information, financial data, or government ID numbers;
• Social media profiles other than the Discord User ID described above; or
• Precise geolocation data.

3. How We Use Your Information

We use the information we collect for the following purposes:

• Authentication — to verify your identity via Discord and allow you to participate in nominations and voting.
• Fraud Prevention — the one-way hash prevents any single user from submitting duplicate nominations or votes.
• Service Operation — to display award categories, manage the nomination and voting process, and announce results.
• Analytics — to understand aggregate usage patterns and improve the Service.
• Security — to detect and prevent unauthorized access, abuse, or other harmful activities.
• Legal Compliance — to comply with applicable laws and respond to lawful requests from public authorities.

4. How We Share Your Information

We do not sell, rent, or trade your personal information to third parties. We share information only in the following limited circumstances:

4.1 Service Providers

We share data with trusted third-party vendors who help us operate the Service, subject to appropriate confidentiality and data processing obligations:

• Supabase— our database hosting provider. Your Discord User ID and one-way hashes are stored on Supabase's infrastructure.
• Google Analytics — we share anonymized, aggregated usage data with Google Analytics (GA4) to analyze Service usage. Google's Privacy Policy governs how Google uses this data.

4.2 Third-Party Authentication Provider

Discord receives information about your authentication request in accordance with Discord's OAuth 2.0 flow. We recommend reviewing Discord's Privacy Policy.

4.3 Legal Requirements

We may disclose your information if required to do so by law, regulation, legal process, or governmental request — for example, in response to a court order, subpoena, or government investigation.

4.4 Business Transfers

If Chartis gg, inc. is involved in a merger, acquisition, asset sale, or similar transaction, your information may be transferred as part of that transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.

4.5 Protection of Rights

We may disclose information to protect and defend the rights or property of Chartis gg, inc., to prevent or investigate possible wrongdoing in connection with the Service, or to protect the personal safety of users of the Service.

5. Cookies and Tracking Technologies

The Service uses the following tracking technologies:

5.1 Session Cookies

We use session cookies and local storage tokens to maintain your authenticated state after you log in via Discord. These are deleted when you close your browser session or explicitly sign out.

5.2 Google Analytics Cookies and Consent (GDPR)

Google Analytics (GA4) sets cookies (e.g., _ga, _ga_XXXXXXXX) to distinguish users and sessions for analytics purposes. These cookies persist for up to 2 years. We have configured Google Analytics with IP anonymization enabled.

For users located in the European Economic Area (EEA), Switzerland, or the United Kingdom: Google Analytics cookies are not set until you affirmatively consent via our cookie consent notice displayed when you first visit the Service. You may withdraw consent at any time by clicking the “Cookie Preferences” link in the footer of the site or by following the opt-out instructions below.

You can opt out of Google Analytics tracking globally by installing the Google Analytics Opt-out Browser Add-on. You may also control cookies through your browser settings, though disabling all cookies may affect Service functionality.

5.3 Do Not Track

Our Service does not currently respond to “Do Not Track” browser signals because there is no industry-wide standard for handling these signals. We will continue to monitor the development of such standards.

6. Third-Party Services

The Service integrates with the following third-party services. We encourage you to review their privacy policies:

• Discord (Authentication): https://discord.com/privacy
• Supabase (Data Storage): https://supabase.com/privacy
• Google Analytics GA4 (Analytics): https://policies.google.com/privacy
• Fortnite Data API (Public Island Metrics, read-only): https://www.epicgames.com/site/en-US/privacypolicy

We are not responsible for the privacy practices of these third-party services.

7. Data Retention

We retain your information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required by law:

• Discord User ID — retained for the duration of the award cycle (approximately through June 2026) and deleted within 90 days after winners are announced, unless we are required to retain it longer for legal purposes.
• One-way hashes — retained for the same period as the Discord User ID above.
• Nomination content (map/island name or creator name, plus category) — retained through the review and voting phases and deleted within 90 days after winners are announced, except where retained in anonymized aggregate form for historical records.
• Vote selections — if you change your vote, the prior vote record is permanently deleted and overwritten with your new selection. No vote history is retained. Final vote selections are retained in anonymized, aggregated form indefinitely for historical award records, as this data cannot be linked to any individual.
• Google Analytics data— subject to Google's retention policies (default 26 months).
• Server logs — retained for up to 90 days for security and debugging purposes.

You may request deletion of your personal information at any time by contacting us at info@chartis.gg. See Section 9 for more information about your rights.

8. Data Security

We implement industry-standard technical and organizational measures to protect your information against unauthorized access, disclosure, alteration, or destruction. These measures include:

• HTTPS encryption for all data transmitted between your browser and our servers;
• Cryptographic anonymization of voting data, such that votes cannot be linked to individual users;
• Access controls limiting who can access our database;
• Supabase's infrastructure-level security measures; and
• Regular reviews of our data handling practices.

However, no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.

9. Your Privacy Rights

Depending on where you live, you may have certain rights regarding your personal information. We honor these rights regardless of your location.

We will respond to verifiable requests within 45 days of receipt. If we need additional time (up to 45 more days), we will inform you in writing. For deletion requests, we will confirm completion or explain any applicable exception within 45 days. We do not charge a fee for responding to requests unless they are manifestly unfounded or excessive (in which case we will notify you of any fee before proceeding). We may ask you to verify your identity before processing your request.

We will never discriminate against you for exercising any of the rights listed above.

10. California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights regarding your personal information.

10.1 Categories of Personal Information Collected

In the past 12 months, we have collected the following categories of personal information:

• Identifiers — Discord User ID (collected for authentication).
• Internet or Other Electronic Network Activity Information — browsing behavior on the Service, collected via Google Analytics.
• Inferences — aggregate analytics data derived from your Service usage.

10.2 Purposes for Collection

We collect the above information for the operational purposes described in Section 3 of this Policy.

10.3 Sale or Sharing of Personal Information

We do not sell your personal information. We also do not share your personal information with third parties for cross-context behavioral advertising purposes, except as described below.

We share limited usage data (page views, session data) with Google Analytics (GA4) to analyze Service performance. While we do not believe this constitutes “sharing” under CCPA/CPRA because it is used solely for our internal analytics and not for targeted advertising, we provide the following opt-out method out of an abundance of caution:

• Opt-Out of Analytics Data Sharing — you may opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on, or by submitting a request to info@chartis.gg.

To submit a formal “Do Not Sell or Share My Personal Information” request under CCPA, contact us at info@chartis.gg. We will process such requests within 15 business days.

10.4 Sensitive Personal Information

We do not collect sensitive personal information as defined by the CPRA (e.g., Social Security numbers, financial account information, health information, precise geolocation data, or biometric data).

10.5 How to Submit a CCPA Request

California residents may exercise their rights described in Section 9 above by contacting us at info@chartis.gg. We will verify your identity prior to responding. You may also designate an authorized agent to make a request on your behalf, subject to written authorization and identity verification.

11. European Economic Area and UK Privacy Rights (GDPR / UK GDPR)

If you are located in the European Economic Area (EEA), Switzerland, or the United Kingdom, your personal information is subject to the General Data Protection Regulation (GDPR) or UK GDPR, as applicable. Chartis gg, inc. is the data controller for purposes of the GDPR.

11.1 Legal Bases for Processing

We process your personal information on the following legal bases:

• Contractual Necessity (Art. 6(1)(b) GDPR) — processing your Discord User ID is necessary to perform the Service (i.e., to authenticate you and prevent duplicate votes).
• Legitimate Interests (Art. 6(1)(f) GDPR) — we process usage analytics data (via Google Analytics) and server logs to improve Service security and performance. This processing is proportionate and does not override your fundamental rights.
• Legal Obligation (Art. 6(1)(c) GDPR) — we may process your data to comply with applicable legal obligations.

11.2 International Data Transfers

Chartis gg, inc. is based in the United States. If you access the Service from the EEA, Switzerland, or the UK, your personal information will be transferred to and processed in the United States, which may not offer the same level of data protection as your home jurisdiction.

We rely on the following transfer mechanisms where applicable:

• For Google Analytics— Google LLC participates in the EU-U.S. Data Privacy Framework (DPF), certified as of July 2023. We rely on Google's DPF certification as the lawful transfer mechanism. We monitor DPF status and will update our transfer mechanisms if the DPF is invalidated.
• For Supabase— we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission (June 2021 versions) as the lawful transfer mechanism. We have completed a Transfer Impact Assessment (TIA) confirming that Supabase's technical and organizational measures provide adequate protection for EEA/UK personal data in the United States.

11.3 Data Protection Rights

In addition to the rights listed in Section 9, EEA/UK residents have the right to lodge a complaint with their local supervisory authority. A list of EU data protection authorities is available at edpb.europa.eu.

11.4 Data Protection Officer

We do not currently have a designated Data Protection Officer, as we are not required to appoint one under Article 37 GDPR based on the nature and scale of our data processing activities. For all GDPR-related inquiries, please contact us at info@chartis.gg.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last Updated” date at the top of this document. We encourage you to review this Policy periodically. Material changes will be communicated by posting a prominent notice on the Service. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Policy.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We aim to respond to all privacy-related inquiries within 10 business days.