Privacy Policy

We collect the data we need to run the Service and nothing more. We do not sell your data, we do not run third-party ad networks, and we encrypt at rest what we can. This Privacy Policy explains what we collect, why, how long we keep it, and what you can do about it.

2.1 Account data

Username, email address, hashed password, two-factor secret (encrypted at rest in production), Discord ID and display info if you link Discord. Avatar image you upload.

2.2 Device fingerprint (HWID)

The first time you sign in to the loader, a hardware fingerprint is stored against your account so we can enforce one-account-per-device. The fingerprint is computed from non-sensitive hardware identifiers and is not used outside Novoline.

2.3 Usage data

IP address, login timestamps, audit log entries for security-relevant actions (logins, role changes, key generation, ban events). We use this to detect abuse and to support you when you ask.

2.4 Payment data

When you top up a reseller balance with crypto, we store the invoice id, fiat amount, crypto amount, payer address, and tx hash. We do not see card or bank data — those are handled by the payment processor (currently Coinremitter for crypto).

We do not collect game telemetry, gameplay screenshots, voice or chat data, or anything from the games you launch with the loader other than what's strictly required to ship updates. We do not maintain advertising profiles. We do not run third-party analytics with personally identifying data.

• To operate, secure, and improve the Service.
• To authenticate you and to enforce account integrity.
• To send transactional messages (account, security, subscription).
• To detect, investigate, and prevent fraud and abuse.
• To comply with legal obligations.

We share data only with:

• Service providers we depend on to operate (database hosting, email delivery if/when wired up, payment processors). They are bound by data-processing agreements.
• Authorities when required by valid legal process, in which case we'll narrow our response to the minimum necessary.
• Verified resellers see the username and redemption metadata of customers who redeemed keys they sold. They never see your email, payment info, HWID, or audit log.

We do not sell your personal data.

Account data is retained while your account is active. Audit log entries are retained for security and compliance for up to 24 months. Payment records are retained as required by tax and accounting law (typically 7 years).

When you delete your account, we permanently delete your account data within 30 days, except where we are legally required to keep it.

Depending on where you live (EU/EEA, UK, California, etc.), you have rights to access, correct, delete, restrict, or port your personal data. To exercise these rights, email [email protected] from the email associated with your account.

You can also lodge a complaint with your local data protection authority.

Passwords are stored with Argon2id. Web sessions are stored as SHA-256 hashes of opaque random tokens, with sliding 30-day expiry and the ability to revoke from the admin panel. Connection to the loader uses a Noise IK protocol with mutual key authentication. We do not, and will never, ask for your password by email or in chat.

The Service is not directed to children under 16. If you believe we have inadvertently collected data from a child, contact us at [email protected] and we will delete it promptly.

We'll post material changes here and notify you by email and a banner on the dashboard at least 14 days in advance. The "Last updated" date at the top of this page reflects when the policy last changed.

Privacy questions: [email protected]. General support: [email protected].