Last updated: May 2026
This Privacy Policy describes how RaxBoard ("we", "us") collects, uses, and protects personal data when you visit raxboard.com, create an account, purchase a license, or run a RaxBoard forum that talks to our licensing service. We follow the principles of GDPR and broadly equivalent data-protection frameworks (UK GDPR, KVKK, CCPA).
Account data: name, email address, hashed password (Argon2id), 2FA secret if enabled, account creation timestamp. Payment data: Stripe customer id and invoice metadata. Card details never touch our servers — they are handled entirely by Stripe. License data: license key, bound domain, server fingerprint (hashed OS/PHP/host signals), IP at last verification, installation UUID, and the timestamps of license verify / download events. Support data: ticket subjects, ticket messages, and any attachments you upload. Telemetry: aggregated anonymous metrics about license verify volume, download counts, and SaaS error rates. No content of your forum is collected. Cookies: a single first-party session cookie for authentication and a locale-preference cookie. We do not set cross-site tracking cookies.
To deliver the service: authenticate your account, issue and verify licenses, deliver software downloads, and respond to support requests. To comply with law: invoicing, VAT reporting, fraud prevention, and answering lawful information requests. To improve the product: aggregated metrics inform reliability and roadmap, never tied to identifiable users.
Contract performance for account, license, payment, and support data. Legal obligation for invoicing and tax records. Legitimate interest for fraud prevention, security telemetry, and aggregated product analytics — balanced against your rights.
RaxBoard (controller). Stripe (payment processing). Resend (transactional email delivery). Cloudflare (edge security and DDoS protection). Hostinger (hosting infrastructure for raxboard.com). We do not sell personal data. We do not transfer it to advertising networks.
Account data: while your account is active, plus 30 days after deletion. Invoices: 10 years (legal obligation). License verify logs: 90 days, then aggregated and anonymized. Support tickets: 24 months after the ticket closes. Server-side backups: rolling 30-day retention.
Under GDPR (and equivalents), you may request: — Access: a copy of the personal data we hold about you. — Rectification: correction of inaccurate data. — Erasure: deletion of your account and associated data, subject to legal retention obligations. — Portability: a machine-readable export of your data. — Objection or restriction: limit how we use specific data. Send any request to [email protected]. We respond within 30 days.
Passwords are hashed with Argon2id. License verify and download tokens are signed with Ed25519 detached signatures. All traffic uses HTTPS with HSTS and is fronted by Cloudflare. Webhooks between the licensing service and your forum use HMAC-SHA256 with replay protection. Database backups are encrypted at rest.
Questions: [email protected]. For data-subject requests, include the email associated with your account and the specific right you are exercising.