Privacy Policy

Last updated: February 22, 2026

1. Introduction

MinecraftPal (minecraftpal.com) is an analytics and discovery platform for the Minecraft Marketplace. This Privacy Policy explains what information we collect, how we use it, and how we protect it.

By using MinecraftPal, you agree to the collection and use of information as described in this policy. See also our Terms of Service.

2. Information We Collect

Account Information

When you register, we collect your username, email address, and password. Passwords are hashed using bcrypt and are never stored in plain text. We also record your account creation date and role.

Discord OAuth

If you register or log in via Discord, we receive and store your Discord user ID, username, email address, and avatar URL from Discord's OAuth service.

Microsoft/Xbox Data

If you choose to link your Microsoft account, we collect your Xbox User ID (XUID), OAuth tokens, gamertag, gamerpic URL, gamerscore, account tier, and tenure level. If your Xbox profile is public, we may also access your real name, location, and bio as provided by the Xbox Live API.

Purchase Data

When you sync your Minecraft purchases, we store the Marketplace product IDs you own, the source of each entitlement, raw entitlement data, and first/last seen timestamps.

Technical Data

We process IP addresses for rate limiting purposes. This data is held in memory only, is automatically purged, and is never persisted to our database.

3. How We Use Your Information

Authentication: To verify your identity and manage your session
Xbox profile display: To show your gamertag, gamerpic, and profile information on your account page
Purchase syncing: To match your Minecraft Marketplace purchases with our catalog
Rate limiting: To protect our service from abuse using in-memory IP tracking
Moderation: To enable administrators to manage accounts and enforce our Terms of Service

4. Cookies

MinecraftPal uses a single cookie: authjs.session-token. This is an HTTP-only, secure cookie containing a JSON Web Token (JWT) for session management. It expires after 7 days.

We do not use any analytics, advertising, or third-party tracking cookies.

5. Third-Party Services

MinecraftPal interacts with the following third-party services:

Microsoft/Xbox Live OAuth: For account linking and Xbox profile data
Discord OAuth: For account registration and login
PlayFab API: For retrieving Minecraft Marketplace catalog data
Minecraft Services API: For retrieving purchase entitlements

We do not use any third-party analytics or advertising services.

6. Data Storage & Security

Your data is stored in a PostgreSQL database. We protect your data through:

Bcrypt hashing for all passwords
HTTPS encryption for all traffic
Security headers including Content Security Policy and X-Frame-Options via middleware
JWT-based session tokens (HTTP-only, secure cookies)

7. Data Retention & Deletion

Account data is retained for as long as your account is active.
Microsoft/Xbox data is instantly and permanently deleted when you disconnect your Microsoft account. This includes all Xbox profile information and owned product records, removed in a single transactional operation.
Rate limit data is held in memory only and automatically purged.
Full account deletion is available upon request by contacting us through the website.

8. Children's Privacy

MinecraftPal requires users to be at least 13 years old to create an account. We do not knowingly collect personal information from children under 13. If we become aware that we have collected data from a child under 13, we will take steps to delete that information promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be reflected by updating the "Last updated" date at the top of this page. Continued use of MinecraftPal after changes constitutes acceptance of the updated policy.

10. Contact

If you have questions about this Privacy Policy or your data, please contact us through the website.