Privacy Policy

1. Who We Are

VNGD (“we,” “us,” “our”) is a community management platform operated by Vanguard for the purpose of coordinating our Star Citizen gaming organization. This privacy policy explains how we collect, use, store, and protect your personal data when you use the VNGD platform.

We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Personal Data We Collect

2.1 Account & Identity

When you register, we collect your email address, RSI (Roberts Space Industries) handle, Discord username, region, and timezone. Your email is used for authentication and account recovery. Your RSI handle and Discord username are used for identity verification within the organization.

2.2 Profile & Membership

As a member, we maintain your rank, unit assignments, security clearance level, standing status, and last online timestamp. This data is necessary for organizational management and operational planning.

2.3 Activity Data

We record event attendance, course enrollments and progress, financial transactions (in-game economy), fleet assignments, recognition (kudos and awards), and promotion history. This data supports our organizational operations and member progression tracking.

2.4 Analytics Data (PostHog)

With your consent, we use PostHog, a product analytics platform, to collect anonymized usage data about how visitors and members interact with the platform. This includes pages visited, features used, browser type, device type, approximate geographic region (derived from IP, not stored), and interaction patterns such as clicks and navigation flows. This data helps us understand which features are most valuable and where the user experience can be improved.

PostHog analytics are strictly opt-in. No analytics data is collected until you explicitly consent via the cookie consent banner. You can change your preference at any time through your privacy settings (authenticated members) or by clearing your browser cookies (all visitors).

2.5 Technical Data

We collect hashed IP addresses (not raw IPs), browser user agent strings, and session identifiers for security, rate limiting, and consent verification purposes. Access logs are maintained for security audit purposes and are automatically deleted after 90 days.

3. How We Use Your Data

We process your personal data for the following purposes:

• Account operation — Authentication, session management, and account security (Lawful basis: Contract)
• Organizational management — Unit assignments, rank progression, chain of command, event coordination (Lawful basis: Legitimate interest)
• Learning management — Course enrollment, progress tracking, certification (Lawful basis: Contract)
• Financial tracking — In-game economy transactions and wallet management (Lawful basis: Legitimate interest)
• Analytics & improvement — Understanding platform usage patterns to improve features and user experience (Lawful basis: Consent)
• Security & compliance — Access logging, rate limiting, abuse prevention (Lawful basis: Legitimate interest)
• Communications — Organization announcements and operational notifications (Lawful basis: Legitimate interest / Consent for marketing)

4. Third-Party Data Sharing

We share limited data with the following third-party services:

• Hetzner — Server hosting provider (EU-based). Processes data as a data processor under our instructions.
• Cloudflare — CDN and security services. Processes traffic data for DDoS protection and performance optimization.
• Bunny CDN — Media storage. Stores uploaded profile images and organizational media.
• PostHog — Product analytics (US/EU-hosted). Receives anonymized usage data only when you have consented to analytics tracking. PostHog processes pageview events, feature usage, and interaction data to generate aggregated insights. No personally identifiable information is sent to PostHog without consent. PostHog’s privacy policy is available at posthog.com/privacy.
• Roberts Space Industries (RSI) — We verify RSI handles during registration. No personal data is sent beyond the handle itself.
• Discord — Discord usernames are used for identity correlation. Role synchronization may share rank information with Discord via bot integration.

We do not sell your personal data. We do not share your data with advertisers.

5. Cookies & Analytics

5.1 Strictly Necessary Cookies

These cookies are required for the platform to function and cannot be disabled.

• payload-token — Authentication session cookie. Set when you log in, cleared on logout. Contains an encrypted session identifier.
• vngd_analytics_consent — Records your analytics consent preference (“granted” or “denied”). Persists for 365 days. Contains no personal data.

5.2 Analytics Cookies (Opt-In Only)

These cookies are only set if you click “Accept Analytics” on the consent banner. They are used by PostHog to track anonymized usage patterns.

• ph_* — PostHog session and device identifiers. Used to understand how the platform is used in aggregate. These cookies contain randomly generated identifiers that are not linked to your personal identity unless you are logged in and have consented.

You can withdraw analytics consent at any time. Authenticated members can do so through Dashboard → Settings → Privacy. All visitors can revoke consent by clearing browser cookies, which will cause the consent banner to reappear on your next visit.

5.3 Do Not Track

We respect the Do Not Track (DNT) browser setting. If your browser sends a DNT signal, PostHog analytics will not be activated regardless of cookie consent status.

6. Data Retention

We retain your data for the following periods:

• Account and profile data: Until you request deletion
• Session data: 30 days from last activity
• Access logs: 90 days, then automatically deleted
• Rejected applications: 1 year, then automatically deleted
• Form submissions: 2 years, then automatically deleted
• Consent records: Retained indefinitely for compliance audit
• Analytics data (PostHog): Retained per PostHog’s data retention settings, configured to auto-delete after 12 months
• Financial records: Anonymized on account deletion, structure preserved

7. Your Rights Under GDPR

As a data subject, you have the following rights:

• Right of Access (Article 15) — You can request a copy of all personal data we hold about you. Use the “Download My Data” feature in your privacy settings.
• Right to Rectification (Article 16) — You can correct inaccurate personal data through your profile settings or by contacting an administrator.
• Right to Erasure (Article 17) — You can request deletion of your account and personal data. Use the “Delete My Account” feature in your privacy settings. A 14-day cooling period applies.
• Right to Data Portability (Article 20) — You can export your data in a structured, machine-readable format (JSON).
• Right to Object (Article 21) — You can object to processing based on legitimate interest. Contact an administrator to exercise this right.
• Right to Withdraw Consent — You can withdraw optional consents (analytics, marketing) at any time through your privacy settings or by clearing browser cookies. Withdrawing required consents requires account deletion.

To exercise any of these rights, navigate to Dashboard → Settings → Privacy or contact an organization administrator.

8. How We Protect Your Data

We implement appropriate technical and organizational measures to protect your personal data, including: encrypted connections (HTTPS/TLS), password hashing using industry-standard algorithms, role-based and attribute-based access control, field-level security clearance restrictions, IP address hashing for consent records, rate limiting to prevent abuse, and regular security audits of access patterns.

9. Changes to This Policy

We may update this privacy policy from time to time. Material changes (new data categories, new third-party sharing, changes to lawful basis) will increment the major version number and require re-consent via an in-app banner. Minor clarifications will increment the minor version and do not require re-consent.

10. Contact & Complaints

If you have questions about this privacy policy or wish to exercise your data subject rights, please contact an organization administrator through the platform or via our Discord server.

You also have the right to lodge a complaint with a supervisory authority in your country of residence if you believe your data protection rights have been violated.