Privacy Policy

Last Updated: March 2026

This Privacy Policy describes how A-Line Services ("we", "us", or "our") collects, uses, and shares information about you when you use Hylist ("the Service"), a Hytale server listing platform. A-Line Services is based in Belgium and is subject to the General Data Protection Regulation (GDPR).

1. Data Controller

The data controller responsible for your personal data is:

A-Line Services
Belgium
Email: legal@a-line.be

2. Information We Collect

2.1 Account Information

When you sign in using Discord OAuth, we collect your Discord user ID, username, and avatar. This information is provided by Discord and is used to authenticate your account and personalize your experience. You may also optionally provide an email address through your profile notification settings; this is used solely for sending notifications you have opted in to.

Legal basis: Contract performance (Art. 6(1)(b) GDPR) - necessary to create and manage your account.

2.2 Server Listing Data

If you list a server on Hylist, we collect the information you provide, including server name, IP address, description, images, tags, and any other details you submit. This information is publicly displayed on the platform.

Legal basis: Contract performance (Art. 6(1)(b) GDPR) - necessary to provide the listing service.

2.3 Telemetry Data

For servers using our telemetry feature, we collect player join events, player country (derived from IP, not stored directly), client version, and locale. Telemetry data retention varies by subscription tier (7 to 365 days). Server owners are responsible for informing their players about this data collection.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) - providing server analytics to server owners. For player data, the server owner acts as data controller and Hylist acts as data processor.

2.4 Auction & Payment Data

If you participate in auctions or purchase subscriptions, we collect bid amounts, credit balances, payment status, and transaction history. All payments are processed by Polar; we do not store full payment card details.

Legal basis: Contract performance (Art. 6(1)(b) GDPR) - necessary to process transactions and manage your account balance.

2.5 User Content

We collect content you submit to the Service, including server reviews, votes, and profile information. Reviews are subject to moderation before publication.

Legal basis: Contract performance (Art. 6(1)(b) GDPR) and legitimate interest (Art. 6(1)(f) GDPR) - providing community features and maintaining platform quality.

2.6 Analytics & Error Tracking

We use the following services to understand how the Service is used and to diagnose errors:

  • Rybbit (self-hosted at insights.a-line.be): A privacy-friendly analytics tool. It does not use cookies, does not collect personally identifiable information, and only provides aggregated page view data.
  • Sentry (EU data region, ingest.de.sentry.io): Used for error tracking and performance monitoring. Configured with sendDefaultPii: false - no personally identifiable information is sent. Error reports may include browser type, OS, and stack traces.
  • Cloudflare: Provides CDN, DDoS protection, and Turnstile CAPTCHA. Cloudflare may process IP addresses and request metadata as part of its security services.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) - ensuring the security, performance, and reliability of the Service.

2.7 Cookies

Essential Cookies (no consent required)

We use the following cookies that are strictly necessary for the Service to function:

  • Session cookie: Maintains your authenticated session.
  • CSRF token: Protects against cross-site request forgery attacks.

Legal basis: These cookies are strictly necessary for the Service (Art. 6(1)(f) GDPR) and are exempt from consent requirements under the ePrivacy Directive.

Advertising Measurement Cookies (consent required)

If you consent, we use Google Ads cookies to measure the effectiveness of our advertising campaigns. These cookies help us understand which ads lead users to our site and which actions they take.

  • _gcl_au (90 days): Used by Google Ads to link ad clicks with actions on our site.
  • _gcl_aw (90 days): Stores information about ad clicks to attribute conversions.

These cookies are only set after you give explicit consent via the cookie banner. You can withdraw consent at any time by clearing your browser's local storage or cookies, after which the banner will reappear.

Legal basis: Consent (Art. 6(1)(a) GDPR). These cookies are not set unless you click "Accept" on the cookie consent banner.

3. How We Use Your Information

We use the information we collect to:

  • Authenticate your identity and manage your account
  • Display and manage server listings
  • Process auctions, bids, and payments
  • Provide telemetry analytics to server owners
  • Send opted-in Discord DM notifications (e.g., auction updates)
  • Moderate reviews and user-submitted content
  • Diagnose errors and improve Service performance
  • Detect and prevent fraud, abuse, and security issues
  • Measure advertising effectiveness (only with your consent)
  • Enforce our Terms of Service
  • Comply with legal obligations

4. Data Sharing & Sub-Processors

We do not sell your personal data. We share data only with the following sub-processors as necessary to operate the Service:

Sub-Processor Purpose Data Region
Cloudflare CDN, DDoS protection, Turnstile CAPTCHA Global (edge network)
Polar Payment processing for subscriptions and auctions EU
Discord OAuth authentication, DM notifications US (SCCs)
Sentry Error tracking and performance monitoring EU (de.sentry.io)
Rybbit Privacy-friendly analytics EU (self-hosted)
Google Advertising conversion measurement (Google Ads) US (EU-US Data Privacy Framework)

We may also share data when required by law, regulation, or legal process, or to protect the rights, property, or safety of Hylist, our users, or others.

5. International Transfers

Your data is primarily processed within the European Union. Where transfers to third countries occur:

  • Discord (US): Data is transferred under Standard Contractual Clauses (SCCs) as approved by the European Commission.
  • Cloudflare (global): Edge processing may occur outside the EU; Cloudflare adheres to SCCs and approved data processing agreements.
  • Sentry: Data is stored in the EU data region (de.sentry.io).
  • Google (US): Google participates in the EU-US Data Privacy Framework. Advertising cookies are only set with your explicit consent (Art. 6(1)(a) GDPR).

6. Your Rights (GDPR Articles 15–22)

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15): Obtain confirmation of whether we process your data and request a copy.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
  • Right to restriction (Art. 18): Request that we limit the processing of your data.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interests.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent, withdraw it at any time without affecting prior processing.
  • Right to lodge a complaint: You may file a complaint with the Belgian Data Protection Authority (www.dataprotectionauthority.be).

To exercise any of these rights, please contact us at legal@a-line.be. We will respond within 30 days as required by the GDPR.

7. Data Retention

We retain different categories of data for specific periods:

  • Account data: Retained while your account is active, then deleted within 30 days of account deletion.
  • Server listing data: Retained while the listing is active; removed upon listing deletion or account deletion.
  • Auction & payment data: Retained for 2 years for legal and accounting obligations.
  • Telemetry data: Retention depends on subscription tier (Starter: 7 days, Growth: 30 days, Professional: 90 days, Enterprise: 365 days).
  • Sentry error data: Retained for approximately 90 days.
  • Rybbit analytics: Aggregated, non-personal data; no individual-level data is stored.

8. Security

We implement appropriate technical and organizational measures to protect your data, including:

  • CSRF protection on all state-changing requests
  • Discord OAuth for authentication (no passwords stored)
  • HTTPS encryption for all data in transit
  • Cloudflare WAF (Web Application Firewall) for threat protection

No method of transmission over the Internet or electronic storage is completely secure. While we strive to protect your data, we cannot guarantee absolute security.

9. Children's Privacy

The Service is not directed to children under 16 years of age, in accordance with the Belgian implementation of the GDPR (Art. 8(1)). We do not knowingly collect personal information from children under 16. If you believe we have collected information from a child under 16, please contact us at legal@a-line.be so we can promptly delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. For material changes, we may also notify you via Discord DM if you have opted in to notifications. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.

11. Contact Us

If you have any questions about this Privacy Policy, our data practices, or wish to exercise your data subject rights, please contact us at:

A-Line Services
Belgium
Email: legal@a-line.be
Discord: https://hylist.io/discord

You may also contact the Belgian Data Protection Authority:
www.dataprotectionauthority.be