Privacy Policy

Version 2026-04-18 · Effective April 18, 2026

1. Introduction & Data Controller

SOS Platform ("vrc.club," "we," "us," or "our") is a multi-tenant community management platform for VRChat communities. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, who we share it with, and what rights you have over your data.

We are the data controller for the personal data processed through vrc.club. If you have any questions about this policy or your data, contact us at privacy@vrc.club.

The short version: We collect only what we need to run the platform. We don't sell your data. We don't share it with advertisers. We don't track you across the internet. Your data belongs to you.

2. Legal Basis for Processing (GDPR Art. 6)

We process your personal data under the following legal bases:

Performance of Contract

When you create an account, join a community, attend events, subscribe to supporter tiers, or purchase merchandise, we process your data to fulfill our contractual obligations to you. This includes managing your account, providing community features, processing payments, and delivering merchandise.

Legitimate Interest

We process certain data based on our legitimate interest in operating a secure and functional platform. This includes rate limiting to prevent abuse (which temporarily processes IP addresses), platform monitoring, fraud prevention, and service improvement. We have assessed that these interests do not override your fundamental rights and freedoms.

Consent

We obtain your explicit consent before processing data that requires it. You provide consent when you accept our Terms of Service and this Privacy Policy during registration. You also provide separate consent when you opt into optional features such as the cross-community talent pool, VRChat account linking, or Patreon integration. You may withdraw consent at any time.

Legal Obligation

We retain certain records (such as merchandise order data and financial transaction records) as required by applicable tax and commercial laws.

3. What Data We Collect

The following table describes every category of personal data we collect, what specific data points are included, and why we collect them.

| Category | Data Collected | Purpose |
|---|---|---|
| Discord OAuth | User ID, username, avatar URL, email address, guild memberships | Authentication, identity, community membership verification |
| VRChat (optional) | Username, user ID, group memberships, group roles | Community sync, ownership verification, in-world features |
| Profile | Display name, pronouns, timezone, languages, social links, bio, availability | Community features, talent pool, profile display |
| Stripe | Customer ID, subscription ID, subscription status | Supporter tier management (we never store card numbers) |
| Patreon (optional) | Member ID, full name, email, pledge status, tier entitlements | Supporter management via webhooks |
| Merch orders | Name, email, shipping address (line 1, line 2, city, state, country, ZIP) | Order fulfillment via Printful |
| User content | Posts, comments, photos, media uploads, performance recordings | Platform functionality, community galleries |
| Bot conversations | Messages sent to the Discord bot, bot responses | Community support, moderation review |
| Discord activity | Monthly message counts per user | Community engagement metrics |
| Events | RSVPs, performance schedules, staff assignments | Event management, scheduling |
| Instance monitoring | VRChat world occupancy counts (aggregate only, NOT individual users) | Event analytics (we cannot and do not track individual attendance) |

4. What We Do Not Collect

  • We do not use analytics trackers or third-party tracking scripts
  • We do not collect browsing behavior outside of vrc.club
  • We do not store payment card numbers (payments are handled entirely by Stripe or Patreon)
  • We do not use cookies for advertising or cross-site tracking
  • We do not track individual VRChat user attendance at events
  • We do not sell, rent, or trade your personal data to any third party

5. Third-Party Data Processors

We share data with the following third-party services only to the extent necessary to provide our platform features. Each service acts as a data processor on our behalf.

  • Discord (discord.com): OAuth authentication provider. We request your user ID, username, avatar, email, and guild memberships to authenticate you and manage community features.
  • VRChat (vrchat.com): Group membership synchronization. Community administrators authenticate with VRChat to sync group roles and memberships. Individual user credentials are encrypted at rest and used only for this purpose.
  • Stripe (stripe.com): Payment processor for supporter subscriptions and merchandise purchases. Stripe handles all card data directly; we only store your Stripe customer ID and subscription status.
  • Patreon (patreon.com): Supporter management via OAuth and webhooks. If a community connects Patreon, we receive pledge events including member ID, tier status, and the name/email you registered with Patreon.
  • Printful (printful.com): Merchandise fulfillment. When you purchase physical merchandise, your name, shipping address, and order details are sent to Printful for production and delivery.
  • Vercel (vercel.com): Web hosting. Vercel processes request IP addresses in server logs, which are retained for 1-3 days for operational and debugging purposes.
  • Railway (railway.app): Backend hosting for our worker processes and Discord bot. Railway processes request data in runtime logs for operational purposes.
  • Upstash (upstash.com): Redis rate limiting. IP-based counters are stored temporarily with automatic expiry (typically minutes) to prevent abuse. No persistent storage of IP addresses.

We do not share your personal data with any service beyond those listed above. We do not sell or provide your data to any third party for advertising, marketing, or any purpose unrelated to operating this platform.

6. Data Retention

We retain your data for the following periods:

| Data Type | Retention Period |
|---|---|
| Account & profile data | Until you delete your account |
| Community membership data | Until you leave the community or delete your account |
| Bot conversation logs | Automatically deleted after 12 months |
| Discord activity metrics | Automatically deleted after 12 months |
| Rate limiting counters | Expire automatically within minutes (Redis TTL) |
| Server logs (Vercel/Railway) | 1-3 days (managed by hosting providers) |
| Merchandise order records | 7 years (legal/tax requirement) |
| Supporter subscription records | While subscription is active; deleted with account |
| Event analytics (aggregate) | Retained indefinitely (no individual user data) |

7. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):

  • Right of Access (Art. 15): You can download a complete copy of all personal data we hold about you at any time. Go to your account Settings and click "Download My Data" to receive a JSON export.
  • Right to Erasure (Art. 17): You can permanently delete your account and all associated data at any time. Go to your account Settings, scroll to "Danger Zone," and click "Delete Account." This action is immediate and irreversible.
  • Right to Data Portability (Art. 20): The "Download My Data" export provides your data in a structured, commonly used, machine-readable JSON format that you can transfer to another service.
  • Right to Rectification (Art. 16): You can edit your profile information at any time through your account Settings or community dashboard. If you find data that you cannot correct yourself, contact us.
  • Right to Object (Art. 21): You have the right to object to processing of your data based on legitimate interest. Contact us at privacy@vrc.club to exercise this right.
  • Right to Restriction (Art. 18): You can request that we restrict the processing of your personal data in certain circumstances. Contact us at privacy@vrc.club.

Response time: We will respond to all data rights requests within 30 days. If we need more time due to the complexity of your request, we will notify you within the initial 30-day period.

8. Cookies & Local Storage

We use a minimal number of cookies, all of which are essential for the platform to function or to remember your preferences. We do not use any advertising, analytics, or tracking cookies.

| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| next-auth.session-token | Essential | Authentication session | 30 days |
| next-auth.callback-url | Essential | OAuth redirect handling | Session |
| next-auth.csrf-token | Essential | CSRF protection | Session |
| sos-locale | Functional | Language preference | 1 year |
| OAuth state cookies | Essential | OAuth flow security | Deleted after use |

We also use localStorage to remember whether you have dismissed the cookie information banner. This data never leaves your browser.

9. IP Address Processing

IP addresses are processed solely for rate limiting (abuse prevention). When you make requests to our platform, your IP address is used to maintain temporary counters in Redis that automatically expire within minutes. We do not persistently log, store, or analyze IP addresses.

Our hosting providers (Vercel and Railway) retain server logs that include IP addresses for 1-3 days as part of their standard operational infrastructure. We do not access these logs for tracking purposes.

10. Data Sharing Within Communities

Community managers can see your activity within their community, including your display name, roles, event RSVPs, supporter status, and staff assignments. They cannot see your activity in other communities unless you have opted into cross-community features such as the talent pool.

Platform administrators have access to all data across communities for the purpose of operating, maintaining, and moderating the platform.

11. International Data Transfers

Your data is stored on servers located in the United States. If you are located in the EEA, UK, or Switzerland, your personal data is transferred to the United States to provide our services. We rely on the necessity of the transfer for the performance of our contract with you (GDPR Art. 49(1)(b)) and, where applicable, the standard contractual clauses adopted by the European Commission.

12. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • AES-256-GCM encryption for sensitive credentials stored in the database
  • HTTPS/TLS encryption for all data in transit
  • Database access restricted to authorized services only
  • OAuth 2.0 for authentication (no passwords stored)
  • Rate limiting to prevent abuse
  • Regular dependency updates and security patching

No system is 100% secure. If we discover a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and notify affected users without undue delay, as required by GDPR Articles 33 and 34.

13. Children's Privacy

vrc.club is restricted to users aged 18 and older, as stated in our Terms of Service. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that we have collected data from a minor, we will take steps to delete that data promptly. If you believe a minor has provided us with personal data, please contact us at privacy@vrc.club.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or platform features. When we make material changes, we will notify you through the platform and may require you to re-accept the updated policy. The version date at the top of this page indicates the most recent revision.

We encourage you to review this policy periodically. Continued use of vrc.club after changes are posted constitutes acceptance of those changes, except where re-acceptance is required.

15. Contact Us

For privacy inquiries, data access requests, or any concerns about how we handle your data:

If you are located in the EU/EEA and are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.

This policy applies to all users of vrc.club (SOS Platform). For questions, contact privacy@vrc.club.