Privacy Policy

Last updated: March 12, 2026

Table of Contents

Who We Are
Data We Collect
How We Use Your Data
Legal Basis for Processing
Data Retention
Third Parties
Your Rights (GDPR)
Cookies
Security
Children's Privacy
Changes to This Policy
Contact Us

1. Who We Are

L2 Topsite ("we", "us", "our") is a Lineage 2 private server ranking and discovery platform. We operate the website accessible at this domain. We act as the data controller for personal data collected through this website.

2. Data We Collect

2.1 Data You Provide Directly

Account registration: username, email address, password (stored hashed with bcrypt)
Server listings: server name, description, website URL, rates, chronicle, contact information you choose to provide
Reviews: star rating and review text submitted under your account
Payment records: credit purchase amounts and transaction timestamps (no card data — payments are processed externally)

2.2 Data Collected Automatically

IP addresses: collected on vote submissions to enforce the 12-hour voting cooldown and prevent vote fraud
Session data: a session cookie is used to keep you logged in
Banner click logs: when you click a partner banner, we record the click event (banner ID, timestamp) for billing and statistics; no personal profile is built

2.3 OAuth Login (Optional)

If you choose to log in via Google or Discord, we receive from those providers only your public profile name and email address. We do not receive your password from those providers. Your OAuth account is linked to your L2 Topsite account by email address.

3. How We Use Your Data

Purpose	Data Used
Providing and operating the service	Account data, server listings, session
Vote fraud prevention	IP address, vote timestamp
Displaying reviews	Username, review text, rating
Processing credit transactions	User ID, credit amount, timestamp
Banner statistics for advertisers	Anonymised click counts
Service security & abuse prevention	IP address, session data
Sending service notifications	Email address (optional, if you enable notifications)

We do not sell your personal data. We do not use your data for advertising profiling.

4. Legal Basis for Processing (GDPR Art. 6)

Contract performance (Art. 6(1)(b)): processing your account data, server listings, and votes to deliver the service you signed up for
Legitimate interests (Art. 6(1)(f)): IP-based vote fraud prevention, session security, anonymous analytics
Consent (Art. 6(1)(a)): non-essential cookies (if any); OAuth sign-in

5. Data Retention

Account data: retained for as long as your account is active. Deleted within 30 days of an account deletion request.
Vote IP logs: automatically purged after 24 hours (only the cooldown window is kept).
Server listings: retained while the listing is active. Deleted with your account or on request.
Transaction records: retained for 7 years to comply with financial record-keeping obligations.
Session data: expires within 24 hours of inactivity.

6. Third Parties

Google OAuth: if used, governed by Google's Privacy Policy
Discord OAuth: if used, governed by Discord's Privacy Policy
Google Fonts / Font Awesome CDN: these load fonts and icons from external CDNs; your IP may be sent to those servers as part of the HTTP request. We load Font Awesome from Cloudflare's CDN.
Hosting provider: our server infrastructure provider processes data on our behalf under a Data Processing Agreement.

We do not share personally identifiable information with any third party for marketing purposes.

7. Your Rights (GDPR)

If you are in the European Economic Area (EEA) or United Kingdom, you have the following rights:

Right of access: request a copy of the personal data we hold about you
Right to rectification: correct inaccurate personal data
Right to erasure ("right to be forgotten"): request deletion of your data
Right to restriction of processing: ask us to limit how we process your data
Right to data portability: receive your data in a machine-readable format
Right to object: object to processing based on legitimate interests
Right to withdraw consent: where processing is based on consent, withdraw it at any time
Right to lodge a complaint: with your local data protection supervisory authority

To exercise any of these rights, contact us at the address in Section 12.

8. Cookies

We use a small number of cookies. For full details, see our Cookies Policy.

Session cookie (essential): keeps you logged in during your visit. Expires at session end or after 24 hours of inactivity.
We do not use advertising cookies or cross-site tracking cookies.

9. Security

We take appropriate technical measures to protect your data:

Passwords are hashed using bcrypt with an appropriate cost factor — we never store plaintext passwords
Database files are stored server-side and not publicly accessible
Sessions are server-side and identified by a signed cookie
We recommend using a strong, unique password and enabling 2FA on linked OAuth accounts

No system is 100% secure. In the event of a data breach affecting your rights, we will notify you as required by applicable law.

10. Children's Privacy

This service is not directed at children under the age of 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. Continued use of the service after changes constitutes acceptance of the updated policy.

12. Contact Us

For privacy-related requests or questions, please contact us via the dashboard or through the website's contact method. We aim to respond to all requests within 30 days.