Privacy Policy

Last updated: 2026-03-31 · Applies to https://gencross.hair

1. Data Controller

gencross.hair ("we", "us", "our") operates the website available at https://gencross.hair. As data controller within the meaning of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable French data protection law (Loi Informatique et Libertés), we are responsible for the processing of your personal data described in this policy.

Contact: privacy@gencross.hair

2. Data We Collect

We collect the following categories of personal data, depending on how you use the service:

Category | Data collected | Purpose | Legal basis | Retention
Account | Display name, email address, profile picture URL, email verification status | Create and manage your account; authenticate you | Contract (Art. 6.1.b) | Until account deletion
Authentication | OAuth provider ID & tokens (access, refresh, ID token), scopes, token expiry | Sign in via third-party provider (e.g. Discord, Google) | Contract (Art. 6.1.b) | Until account deletion or token expiry
Sessions | Session token, IP address, user-agent string, session expiry | Keep you logged in; detect suspicious sessions | Legitimate interest (Art. 6.1.f) — security | Until session expiry or logout
Profile picture | Image file you upload as your avatar | Display your profile picture across the service | Contract (Art. 6.1.b) | Until you replace it or delete your account; previous versions are overwritten immediately on upload
Content | Crosshair configurations (code, name, public/private flag), likes | Store and display crosshairs you create or like | Contract (Art. 6.1.b) | Until you delete the crosshair or your account
Analytics (planned) | Anonymised page views, events, referring URL, country-level location | Understand how the service is used and improve it | Consent (Art. 6.1.a) or Legitimate interest depending on implementation | Up to 26 months
Advertising (planned) | Cookie identifiers, browsing behaviour on-site | Display relevant ads and measure ad performance | Consent (Art. 6.1.a) | Per ad network policy (typically 13 months)

We do not collect sensitive categories of data (Art. 9 GDPR), payment card data, or data from children under 16.

3. How Data Is Collected

  • Directly from you — when you create an account, sign in, create or name a crosshair, or upload a profile picture.
  • From OAuth providers — your provider shares your public profile (name, email, avatar) when you choose to sign in with them.
  • Automatically — your browser sends your IP address and user-agent with every request; we store these for active sessions only.
  • From analytics tools (planned) — a JavaScript snippet will collect anonymised usage events if you consent via our cookie banner.

4. Cookies & Local Storage

We currently use strictly necessary cookies only — a session cookie to keep you authenticated. This cookie is essential for the service to function and does not require your consent.

When we introduce analytics and advertising, we will display a consent banner before setting any non-essential cookies. You will be able to accept, refuse, or configure your preferences at any time. The following cookie categories are planned:

  • Analytics cookies — measure traffic and usage patterns (e.g. Plausible, Umami, or Google Analytics).
  • Advertising cookies — allow ad networks to serve relevant ads and measure conversions (e.g. Google AdSense).

You can manage or withdraw consent at any time via the cookie preferences link in the site footer (available once the banner is deployed).

5. Third-Party Services

We share data with the following sub-processors:

  • OAuth providers (Discord, Google, etc.) — receive a redirect from your browser when you choose to sign in. We receive only what your provider shares based on the scopes you authorise.
  • Cloudinary — stores pro player images and user-uploaded profile pictures on CDN servers. Profile pictures are stored under a path that includes your user ID.
  • Database host — hosts the PostgreSQL database containing user and content data. Data is stored in the EU.
  • Analytics provider (planned) — will receive anonymised usage events.
  • Advertising networks (planned) — will receive cookie identifiers and on-site browsing signals after consent.

We do not sell your personal data to any third party.

6. International Transfers

We aim to keep your data within the European Economic Area (EEA). Where a sub-processor transfers data outside the EEA (e.g. some US-based cloud infrastructure), we ensure appropriate safeguards are in place — Standard Contractual Clauses (SCCs) per Art. 46 GDPR or an adequacy decision per Art. 45 GDPR.

7. Your Rights

Under GDPR you have the following rights, exercisable free of charge by emailing privacy@gencross.hair:

  • Right of access (Art. 15) — obtain a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — have inaccurate data corrected.
  • Right to erasure (Art. 17) — request deletion of your account and associated data. You can also do this directly from your profile settings.
  • Right to restriction (Art. 18) — ask us to pause processing while a dispute is resolved.
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
  • Right to object (Art. 21) — object to processing based on legitimate interest, including profiling.
  • Right to withdraw consent (Art. 7.3) — withdraw any consent you have given at any time without affecting prior processing.
  • Right to lodge a complaint — with your national supervisory authority. In France: CNIL (cnil.fr).

We will respond to requests within 30 days. We may ask you to verify your identity before processing the request.

8. Security

We apply industry-standard technical and organisational measures to protect your data: HTTPS/TLS encryption in transit, hashed session tokens, access controls limiting database access to the application. OAuth tokens are stored encrypted at rest.

No method of transmission over the internet is 100% secure. In the event of a data breach affecting your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (Art. 33 GDPR) and you directly where required (Art. 34 GDPR).

9. Data Retention

  • Account data — retained until you delete your account. After deletion, data is purged within 30 days except where legal retention obligations apply.
  • Public crosshairs — deleted immediately upon your request or account deletion.
  • Session data — deleted on logout or when the session expires (typically 30 days of inactivity).
  • Server logs — retained for up to 90 days for security and debugging purposes.

10. Changes to This Policy

We may update this policy to reflect changes in our practices or applicable law. We will notify registered users by email and update the "Last updated" date above. Continued use of the service after the effective date constitutes acceptance of the revised policy.

Questions or requests

Email us at privacy@gencross.hair. We will respond within 30 days.