Privacy Policy

We collect the minimum information needed to operate the Service. Specifically:

• Account information. When you sign in, we receive your email address. If you sign in with Discord, we also receive your Discord user ID, username, global display name, and avatar URL via OAuth.
• Order information. When you place an order, we record the products purchased, the price paid, the date, and the order status. Paddle processes the payment itself; we receive a transaction identifier from Paddle but never see your card number, CVV, or full bank details.
• Download information. Each time we issue a presigned download URL, we record which user requested which product, when, and the IP address and user agent of the request. This is used for fraud detection and customer support.
• Communication information. When you open a support ticket or reply to one, we store the message contents, timestamps, and participants. Email replies sent through Resend are logged with the recipient and a delivery status.
• Discord linkage. If you link a Discord account, we store the link between your Esko Kustomz account and your Discord ID, the time of linkage, and the roles we have granted you.
• Technical information. Our servers automatically log standard request data for every visit (IP address, user agent, request path, response code, timestamp). We do not run third-party analytics, advertising trackers, session recorders, or fingerprinting libraries.

We do not collect race, ethnicity, religion, political views, sexual orientation, biometric data, precise geolocation, contact-list data, browsing history outside our site, or any data from minors. We do not buy data from data brokers or enrich the data we have with outside sources.

We use the information described above to:

• Process orders, deliver downloads, and grant the Discord roles included with your purchase.
• Send transactional emails (order confirmations, download links, refund notices, account security alerts).
• Send marketing emails about new drops or sales, only if you have not opted out. Every marketing email contains a one-click unsubscribe link.
• Respond to your support inquiries.
• Detect, investigate, and prevent fraud, abuse, and security incidents.
• Comply with legal obligations and respond to lawful requests from law enforcement.

We do not sell your personal information. We do not share it with advertisers or data brokers. We do not use it to train machine-learning models.

The Service relies on a small set of trusted third-party processors. Each one only sees the information needed to perform its function:

• Paddle processes payments. Paddle receives your name, email, billing address, and payment-method details directly. We never receive your full payment information. See Paddle's privacy policy at paddle.com/legal/privacy.
• Resend delivers our transactional and marketing emails. Resend receives the recipient email address, the message content, and delivery metadata. See resend.com/legal/privacy-policy.
• Cloudflare R2 stores product files (vehicle archives) and product imagery. Cloudflare receives the file bytes and access logs.
• Discord powers the optional Discord OAuth sign-in and the role-grant feature. When you link Discord, Discord shares your user ID, username, and avatar with us per your OAuth consent. See discord.com/privacy.
• Railway hosts the application servers and the Postgres database. Railway has access to the data we store, governed by their security and privacy commitments.

We have data-processing agreements in place with these providers where required, and we choose vendors that maintain industry-standard security practices.

We use a small number of essential cookies to operate the Service:

• A session cookie for Auth.js to keep you signed in across pages.
• A short-lived cookie for the cart and checkout flow.
• An admin-only password-gate cookie for administrative access (you will never see this as a regular customer).
• An anti-CSRF cookie for Auth.js.
• A cookie-banner-acknowledgement cookie that lets us hide the banner once you have dismissed it.

We do not use advertising, analytics, or tracking cookies. We do not share cookie data with third parties for cross-site tracking.

We share data only with the third-party processors listed above, and only as required to deliver the Service. We may also disclose information when legally required (subpoena, court order, statutory request from law enforcement) or when necessary to protect the rights, property, or safety of Esko Kustomz, our customers, or the public.

In the unlikely event of a business transfer (sale, merger, or asset acquisition), customer data may be part of the transferred assets. If that ever happens, we will notify affected users by email at least thirty days in advance, with an option to delete your account before the transfer.

We retain your information only as long as needed to deliver the Service and meet our legal obligations:

• Account data: kept while your account is active. Deleted (or anonymized) within 30 days of a deletion request.
• Order and download records: kept for at least 7 years for tax and accounting compliance, even after account deletion. We anonymize the user identifier on deletion so the records cannot be linked back to you.
• Support tickets: kept for 2 years after the ticket is closed, then permanently deleted.
• Email delivery logs (Resend): retained per Resend's retention policy (typically 30 to 90 days).
• Server access logs: retained for 30 days, then rotated and deleted.

Depending on where you live, you have some or all of the following rights over your personal information:

• Right of access. Get a copy of the personal information we hold about you. You can do this yourself at /account/security/export, which produces a JSON file containing your profile, orders, downloads, and reviews.
• Right of correction. Update inaccurate information directly in your account, or request correction by opening a ticket at /support or emailing eskokustomz@gmail.com.
• Right of erasure. Delete your account and personal information yourself at /account/security (Delete my account section). The deletion is immediate and self-serve. If you can't access the account, open a ticket at /support, message us in the Esko Kustomz Discord server, or email eskokustomz@gmail.com. Order records are anonymized rather than fully deleted, as required by tax law.
• Right of portability. Receive your data in a structured, machine-readable format (the JSON export above).
• Right to object. Object to specific uses of your information. The most common case is opting out of marketing emails, which you can do via the unsubscribe link in any marketing email or from your account.
• Right to lodge a complaint. EU residents may complain to a data-protection authority; California residents have rights under the CCPA, including the right not to be discriminated against for exercising those rights.

To exercise any of these rights, open a ticket at /support, contact us in the Esko Kustomz Discord server, or email eskokustomz@gmail.com. Email is the preferred channel for formal data-rights requests since it produces a paper trail. We will respond within 30 days.

The Service is hosted in the United States. If you access the Service from outside the U.S., your information will be transferred to and processed in the U.S., which may have data-protection laws different from those in your country. By using the Service you consent to this transfer.

The Service is not directed at children under 18, and we do not knowingly collect personal information from anyone under 18. If you believe a minor has created an account, email eskokustomz@gmail.com and we will delete the account promptly.

We protect your information with industry-standard safeguards, including TLS encryption in transit, encrypted storage at rest, hashed and salted passwords (where applicable), HMAC-signed session cookies, two-factor authentication for administrative accounts, and rate limiting on sign-in endpoints. No system is perfectly secure, but we work hard to keep yours safe and to fix issues promptly when they arise.

If we ever experience a breach that affects your personal information, we will notify affected users without undue delay and provide guidance on protective steps.

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision. Material changes will be announced via email and on the Esko Kustomz Discord. Your continued use of the Service after a change constitutes acceptance of the updated policy.

For general questions, refunds, downloads, custom builds, and the rest of day-to-day support, the on-site ticket system at /support and the Esko Kustomz Discord server are the fastest channels. For privacy-specific issues (data-rights requests, breach notifications, GDPR/CCPA matters), email eskokustomz@gmail.com so we have a written record.