Privacy Policy
1. Introduction
This Privacy Policy describes how the Minecraft Server Dashboard software ("Software"), developed by RealmPilot ("Company", "we", "us", "our"), handles information when you ("User", "you") install and use the Software.
We are committed to transparency about data practices. This policy is designed to comply with applicable data protection laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and other applicable privacy regulations.
The key principle: The Software runs entirely on your machine. We do not collect, receive, store, process, or have access to any of your data.
2. Data Controller
Because the Software operates entirely on your local infrastructure with no data transmitted to RealmPilot, you (the User) are the sole data controller for all personal data processed by the Software. RealmPilot does not act as a data controller or data processor in relation to any personal data handled by the Software.
If you operate the Software on a Minecraft server with other players, you may have obligations under applicable data protection laws regarding the personal data of those players. It is your responsibility to comply with such obligations.
3. Information the Software Processes Locally
The Software processes the following categories of information exclusively on your local machine or server. None of this data is transmitted to RealmPilot.
3.1 Minecraft Player Data
- Player usernames and UUIDs — Read from server files (usercache.json, whitelist.json, banned-players.json, playerdata/, stats/).
- Player statistics — Parsed from Minecraft's per-player JSON stat files (playtime, kills, deaths, blocks mined, items crafted, distances traveled, and other gameplay metrics).
- Player inventory and equipment — Read from NBT data files for display purposes.
- Advancement progress — Read from server advancement JSON files.
- Chat messages — Parsed from the server log file (server.log / latest.log) for display in the dashboard's chat viewer.
3.2 Dashboard User Accounts
- Usernames — Created by the server administrator within the dashboard.
- Password hashes — Stored using bcrypt (or SHA-256 as an insecure fallback if bcrypt is unavailable). Plaintext passwords are never stored.
- Session tokens — Temporary session identifiers stored in server-side Flask sessions. Sessions expire after 30 minutes of inactivity.
- User roles — Admin or viewer role assignments.
3.3 Server Information
- Server configuration — Read from server.properties and related configuration files.
- Server logs — Parsed for player join/leave events, chat messages, errors, and crash reports.
- Performance metrics — CPU usage, memory usage, disk usage, and TPS (ticks per second), sampled from the host operating system.
- Mod metadata — Mod names, IDs, and versions read from installed JAR files.
- World data — World name, dimensions, seed (if accessible), and folder size.
3.4 Network Information
- IP addresses — The Software processes connecting clients' IP addresses for login rate limiting (brute-force protection) and API rate limiting. These IP addresses are held in memory only and are not written to disk. They are cleared when the Software restarts.
- No persistent IP logging. The Software does not maintain a persistent log of visitor IP addresses.
3.5 Activity Logs
- Dashboard activity log — Records of administrative actions (backups created, server started/stopped, settings changed, player actions) stored locally in a JSON file. This log is limited to the most recent 200 entries and is stored only on your machine.
4. Information We Do NOT Collect
To be explicit:
- We do not collect any personal information from you or your players.
- We do not operate any servers, APIs, databases, or cloud services that receive data from the Software.
- We do not embed any analytics, telemetry, tracking scripts, advertising SDKs, pixels, beacons, or fingerprinting technology in the Software.
- We do not collect usage statistics, crash reports, error logs, or diagnostic data.
- We do not collect email addresses, names, payment information, or contact details through the Software.
- We do not sell, rent, trade, or otherwise transfer any personal information to third parties because we do not have access to any personal information.
- We have no ability to access, view, retrieve, or process any data stored on your machine by the Software.
5. Third-Party Services
The Software may communicate with the following third-party services only when initiated by user action or explicit user configuration:
5.1 Mojang / Microsoft API
- What: The Software may send player UUIDs to the Mojang session server API to resolve player skin URLs for display purposes.
- When: When viewing player profiles or skin renders in the dashboard.
- Data sent: Player UUID (a public Minecraft identifier).
- Their policy: Microsoft Privacy Statement
5.2 Modrinth API
- What: The Software may query the Modrinth API to check for mod updates.
- When: When the user clicks "Check for Updates" on the Mods page.
- Data sent: Mod IDs, game version, and loader type.
- Their policy: Modrinth Privacy Policy
5.3 Discord (Webhooks and Bot API)
- What: If the user configures Discord notifications, the Software sends event messages to the specified Discord webhook URL. If the user configures a Discord bot, the Software connects to Discord's gateway.
- When: Only when the user has explicitly configured a webhook URL or bot token in the dashboard settings.
- Data sent: Server status events, player join/leave notifications, chat messages (if chat forwarding is enabled), backup status, performance alerts, and other configured notification types.
- Their policy: Discord Privacy Policy
5.4 Amazon Web Services / S3-Compatible Storage
- What: If the user configures cloud backup, the Software uploads world backup ZIP files to the specified S3-compatible storage endpoint.
- When: Only when the user has explicitly configured S3 credentials and enabled cloud backup.
- Data sent: World backup ZIP files containing Minecraft world data.
- Their policy: AWS Privacy Notice (or the policy of your chosen S3-compatible provider)
5.5 CDN-Hosted Libraries
- What: The dashboard's web interface loads the skinview3d library from a third-party CDN (jsDelivr/npm CDN) for 3D Minecraft skin rendering.
- When: When a user's browser loads the player profile page.
- Data sent: Standard HTTP request headers (IP address, user-agent) from the browser to the CDN.
- Their policy: jsDelivr Privacy Policy
5.6 Version Update Check
- What: The Software may check for available updates by querying a public GitHub API endpoint.
- When: When the user navigates to the Settings page or manually triggers an update check.
- Data sent: The current Software version string. No personally identifiable information is transmitted.
- Their policy: GitHub Privacy Statement
We have no control over the privacy practices of third-party services. We encourage you to review their respective privacy policies before enabling integrations.
6. Data Storage and Security
6.1 Local Storage
All data is stored on your machine in the following locations within your server directory:
- Configuration files (.dashboard_*.json) — Dashboard settings, user accounts, schedule configuration.
- Backup files (backups/*.zip) — World backup archives.
- Log files (dashboard.log, dashboard-errors.log) — Operational logs.
- Activity file (.dashboard_activity.json) — Recent dashboard events.
6.2 Security Measures
The Software implements the following security measures:
- Password hashing — User passwords are hashed using bcrypt with a randomly generated salt. Plaintext passwords are never stored.
- Automatic hash upgrade — Legacy SHA-256 password hashes are automatically upgraded to bcrypt on next successful login.
- File permissions — Sensitive configuration files are set to owner-only read/write permissions (chmod 600) on Unix systems.
- Rate limiting — Login attempts are limited to 5 per IP address, with a 5-minute lockout after exceeding the limit. API endpoints are rate-limited to 30 requests per minute per IP.
- Session management — Sessions expire after 30 minutes of inactivity. Session cookies are configured with secure attributes when HTTPS is detected.
- Security headers — The Software sets Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy headers.
- Path traversal protection — File access endpoints validate paths to prevent directory traversal attacks.
- CSRF protection — Sensitive operations require authenticated sessions and use anti-CSRF patterns.
- Input sanitization — RCON commands and user inputs are sanitized to prevent injection attacks.
6.3 Your Security Responsibilities
You are responsible for:
- Securing the machine on which the Software runs.
- Configuring firewall rules and network access controls.
- Enabling HTTPS if the dashboard is accessible over the internet (the Software does not provide TLS termination; use a reverse proxy).
- Changing the default admin password on first login (the Software will prompt you to do so).
- Keeping your operating system, Python installation, and dependencies up to date.
- Securing any credentials you configure (Discord tokens, S3 keys, RCON passwords).
7. Data Retention
Because all data is stored locally on your machine, data retention is entirely under your control.
- Configuration files — Persist until you delete them or uninstall the Software.
- Backup files — Automatically pruned based on your configured retention policy (default: keep last 5). You may delete backups at any time through the dashboard or by removing files from the backups/ directory.
- Activity logs — Limited to the most recent 200 entries. Older entries are automatically removed.
- Error logs — Rotating log files with a maximum size of 5 MB and 2 backup files.
- Rate-limit data — Held in memory only; cleared on Software restart.
- Session data — Held in memory only; cleared on Software restart or after 30 minutes of inactivity.
To delete all data generated by the Software, remove all .dashboard_* files, the backups/ directory, and any log files from your server directory.
8. Children's Privacy
The Software is a server administration tool and is not directed at children under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children.
If you operate a Minecraft server with players who may be under the age of 13, you are responsible for complying with applicable child protection laws, including the Children's Online Privacy Protection Act (COPPA) and equivalent regulations in your jurisdiction.
9. International Users
The Software is distributed internationally and does not transfer data across borders because it does not collect or receive any data. All data processing occurs locally on your machine, in whatever jurisdiction your machine is located.
If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction with data protection laws, you retain full control over all personal data processed by the Software. As the data controller, you are responsible for ensuring your use of the Software complies with applicable data protection regulations, including GDPR.
10. Your Rights
Because we do not collect or have access to any of your data, traditional data subject rights (access, rectification, deletion, portability, objection) are exercised directly by you on your own machine:
- Access: You can view all data stored by the Software by reading the JSON configuration files and backup archives in your server directory.
- Rectification: You can modify any data by editing the relevant JSON files or using the dashboard interface.
- Deletion: You can delete any or all data at any time by removing files from your server directory.
- Portability: All data is stored in standard, open formats (JSON, ZIP) that can be read by any compatible software.
- Restriction / Objection: You can stop any data processing by stopping the Software.
If you believe we have inadvertently collected personal data through any channel (e.g., support communications), contact us and we will promptly address your request.
11. Marketplace and Purchase Data
The Software is sold through third-party marketplaces (e.g., BuiltByBit, Gumroad). When you purchase the Software, the marketplace collects your payment and account information in accordance with their own privacy policies. We may receive limited transaction information from the marketplace (e.g., a transaction ID or username) for the purpose of license verification and customer support. We do not receive or store your payment card details.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will indicate so by updating the "Last Updated" date at the top of this document. The updated policy will be included in subsequent releases of the Software.
We encourage you to review this Privacy Policy periodically. Your continued use of the Software after any changes constitutes acceptance of the updated policy.
13. Contact
For questions or concerns about this Privacy Policy:
- Website: https://realmpilot.pro
By using the Minecraft Server Dashboard, you acknowledge that you have read and understood this Privacy Policy.