Data and security
Privacy policy
Who processes the data
M2Promo processes data needed to run accounts, public listings, votes, Server Battle, feedback, uploads and Watch Rewards.
The production operator should keep official identity and contact details available through the website and the official contact email: [email protected].
External websites, Discord, live platforms, OAuth providers and server integrations process data under their own policies.
Data M2Promo processes
Depending on the feature used, M2Promo may process:
- Account and auth data: Supabase user id, email, username, display name, avatar, role, status and session metadata.
- Public listing data: server and streamer names, descriptions, images, links, categories, status and moderation data.
- Vote and reward data: normal vote sessions, Battle votes, Watch Rewards progress, reward code status and hashed anti-abuse identifiers.
- Owner integration data: allowed return origins, encrypted signing secrets, reward callback URLs and encrypted API tokens.
- Feedback, uploads, admin actions, audit metadata, rate-limit keys, API errors and operational/security logs.
Why M2Promo uses data
M2Promo uses data to operate the service, protect users and provide requested features:
- Accounts, login sessions, dashboards and API access.
- Server listings, streamer profiles, live status, battles, rewards and feedback.
- Rankings, public counters, owner statistics and Watch Rewards eligibility.
- Spam, fraud, duplicate vote, duplicate reward, security and impersonation prevention.
Votes, Battle and anti-abuse
Normal Vote uses signed sessions, opaque tokens and hashed cooldown identifiers. Confirmed votes can update ranking windows.
Server Battle is separate from normal votes and can use battle_voter_token, HMAC hashes, IP-derived hashes, Turnstile and rate limits.
M2Promo does not intentionally store raw IP addresses in Normal Vote or Server Battle vote records.
Hosting, security and anti-abuse providers, including Cloudflare, may still temporarily process IP addresses and technical request data.
Watch Rewards
Watch Rewards processes event, server, streamer, watch session, progress and reward code claim data.
Claimed codes may be visible to the viewer and the owner. The owner remains responsible for honouring codes in their own system.
M2Promo can use local progress storage plus watch_reward_viewer_token, viewer-token hashes and IP-derived hashes to reduce duplicate claims.
Third-party services
M2Promo uses third-party services for auth, storage, anti-abuse, hosting, links and embeds.
Those providers process data under their own policies when you log in, load embeds, click external links or use owner systems.
- Supabase: authentication, database, storage and public file URLs.
- Cloudflare Turnstile: anti-abuse checks for protected actions.
- Google and Discord OAuth, where enabled through Supabase Auth.
- YouTube, Twitch, Kick, TikTok, Discord and owner websites/API endpoints.
Retention and deletion
Retention depends on data type, operational need and whether maintenance jobs are running.
- Expired pending vote sessions are deleted after 7 days.
- Finished Battle records are rolled up and raw battle records are deleted after 30 days.
- Old server clicks and inactive watch sessions are rolled into monthly statistics and deleted after about 400 days.
- Inactive Watch Rewards events and codes are rolled up and deleted after about 24 hours when cleanup runs.
Your rights
Depending on applicable law, you may request access, correction, deletion, restriction, objection or portability.
Email [email protected] and identify the relevant account, server, streamer, Battle, reward event or URL.
M2Promo may request verification before changing sensitive data. You may also complain to the competent authority, such as ANSPDCP in Romania where applicable.
Security
M2Promo uses API guards, role and ownership checks, Supabase verification, signed upload URLs, input validation, Turnstile, rate limits, encrypted owner secrets and SSRF protections.
Reward delivery requests do not follow redirects, response previews are limited and sensitive values are redacted where handled.
No system is perfectly secure. Report vulnerabilities or abuse to [email protected].
