Privacy Policy

This Privacy Policy explains the type, scope, and purpose of the processing of personal data on our Platform (vrc.dj and vrc.to). We process your personal data confidentially and in accordance with the General Data Protection Regulation (GDPR / DSGVO).

The Platform is operated from Germany. GDPR-level protections therefore apply to all users worldwide, including those outside the European Economic Area (EEA).

1. Data Controller

The party responsible (Data Controller) for data processing on this website is:

Merlin Sahorn
c/o Impressumservice Dein-Impressum
Stettiner Straße 41
35410 Hungen
Germany

Email: merlin.sahorn@gmail.com

2. Hosting and Infrastructure

  • Host: This website is hosted on a virtual private server provided by Contabo GmbH (Aschauer Straße 32a, 81549 Munich, Germany). The server is physically located in a data center in Frankfurt, Germany.
  • Data Processing Agreement: We have a Data Processing Agreement (Auftragsverarbeitungsvertrag) in place with our host, ensuring that user data is processed only on our instructions and in accordance with GDPR.
  • No CDNs or Proxies: We do not route your traffic through third-party Content Delivery Networks (such as Cloudflare). Your connection stays directly between you and our Frankfurt server.
  • International Transfers: Personal data is stored and processed exclusively in Germany. We do not transfer personal data outside the EEA on our own initiative. Where you interact with optional third-party embeds (see Section 5) or with our linked Discord Server (Section 7), those providers may transfer data to their own jurisdictions under their own privacy terms.

3. Data Collected on Our Website

Server Log Files

When you visit our website, your browser automatically transmits data to our server. We implement Privacy by Design: your IP address is automatically anonymized (final octet masked for IPv4, final 64 bits truncated for IPv6) before it is ever written to our log files.

Our logs contain:

  • anonymized IP address (e.g., 192.168.1.0),
  • date and time of the server request,
  • URI accessed,
  • status codes and bytes transferred,
  • User-Agent and Referer headers (where provided by your browser).

These anonymized logs cannot be traced back to a specific individual. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the technical stability of our systems).

Cookies and Local Storage

We do not use tracking, analytics, or third-party marketing cookies. We only use strictly necessary cookies required for the technical functioning of the Platform (§ 25(2) TTDSG, the German implementation of the ePrivacy Directive):

  • vrcdj_auth: a persistent token used to keep you logged in across vrc.dj and vrc.to. When you log in on one domain, a one-time nonce is generated server-side and exchanged via a redirect to set the same cookie on the sister domain. The token itself is stored only in our database and as the cookie value; it is never sent to third parties.
  • vrcdj_sid: a temporary session ID.
  • vrcdj_theme: stores your preference for light or dark mode. The preference is also kept in your browser's local storage and, if you are logged in, is mirrored to our database (users.theme_pref) so the choice follows your account across devices.

No cookie banner is required or displayed because we only process technically necessary cookies.

4. User Accounts and Discord OAuth

To create a profile or interact with most features, you must log in via Discord OAuth. We request only the identify scope.

We collect and store:

  • your Discord User ID,
  • your Discord username and display name (current value, updated on each login),
  • a locally cached copy of your Discord avatar (downloaded, re-encoded to webp, and refreshed on each login).

In addition, certain events snapshot your Discord username at the time the event occurs (for example, your username is stored on each Booking Request as discord_handle, so the artist sees the name you had when you contacted them, even if you change it later).

  • Purpose: account creation, proof of ownership of artist or community pages, and access control.
  • Legal Basis: Art. 6(1)(b) GDPR (processing necessary for the performance of a contract or to provide the requested service).

5. Third-Party Embeds (Livesets)

Our Platform allows users to embed livesets from third-party platforms, including YouTube, SoundCloud, Mixcloud, and HearThis.at, plus our own player solution for Mixfall (delivered via an HLS proxy on our server).

We use a two-click consent solution for iframe-based embeds. When you visit an artist's page, no connection is made to the third-party platforms by default. The external iframe loads only when you actively click on a specific embed. From that point on, the external provider may log your IP address and set their own cookies.

Optionally, you can enable "Always load embeds" in your account settings. This functions as standing consent for future page loads and can be revoked at any time.

Legal basis: Art. 6(1)(a) GDPR (consent by active click or opt-in).

Privacy information for the embedded providers:

  • YouTube (Google Ireland Limited, Ireland),
  • SoundCloud (SoundCloud Global Limited & Co. KG, Germany),
  • Mixcloud (Mixcloud Ltd, United Kingdom),
  • HearThis.at (Hearthis, Germany),
  • Mixfall (content is proxied through our server; Mixfall itself does not receive a direct connection from your browser).

6. Booking Feature

When you send or receive a Booking Request, we process the following:

  • the content of the request, date/time, event details, and timezone,
  • a snapshot of the requester's Discord username at submission time,
  • the chat history between requester and artist (when a Discord booking chat is opened),
  • the technical delivery status of Discord direct messages (we periodically check whether our booking notifications can be delivered to the artist via Discord DM, including automatic retry attempts over a 24-hour grace window).

Booking chat transcripts are exported and archived server-side before the Discord chat channel is deleted, then retained for 90 days unless a moderation case is open against the conversation.

Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest in abuse prevention and reliable service delivery).

7. Discord Server Integration

The Platform is paired with an official Discord Server. Our self-hosted Discord bot performs several operations involving your Discord account:

  • Notifications and DMs: booking requests, expiry warnings, recovery messages, and moderation-related alerts are sent to you as Discord direct messages or posted to dedicated channels visible to you and the relevant artist.
  • Guild membership check: approximately every five minutes, the bot checks whether linked accounts are still members of the official Discord Server, and updates a corresponding flag (in_guild) on your user record. This is used to gate features that require server membership (such as bookings).
  • Role assignment on Discord: when role sync is enabled, the bot automatically assigns and removes roles on your Discord account in our server (e.g. a "Member" role on join, "Artist" or "Community Leader" roles when you own a page on the Platform, delegate roles where applicable). Roles are only managed inside our own server and never outside of it.
  • Monitor channel posts: moderation-relevant events (new accounts, failed signup attempts, ban actions, queue backlog) and aggregate activity digests (every six hours, summarizing newly created pages, tags, livesets, and users by username) are posted to a private monitor channel visible only to administrators on the Discord Server.

Legal basis: Art. 6(1)(b) GDPR (performance of the requested service, including notifications you opted in to by linking Discord), and Art. 6(1)(f) GDPR (legitimate interest in coordinated moderation across Platform and Discord Server).

Discord itself is an independent data processor; their handling of your data is governed by Discord's own privacy policy.

8. Reporting and Moderation Queue

When you submit a report about content, a profile, or another user, we collect the following:

  • your Discord User ID (if you are logged in),
  • a one-way hash (SHA-256) of your IP address, used solely for rate limiting and abuse detection; the original IP is never stored,
  • the report category and any free-text explanation you provide (up to 1,000 characters),
  • a reference to the reported entity (profile, liveset, tag, or community).
  • Purpose: to operate the moderation system, prevent abuse of the reporting function, group duplicate reports into single cases, and enforce our Community Guidelines.
  • Recipient: reports are visible only to platform administrators and moderators. The subject of a report is not informed of the reporter's identity.
  • Quarantine: content found in violation may be moved into a content "graveyard" and kept there for up to 7 days before permanent deletion, allowing review and potential restoration on appeal.
  • Retention: report records are kept alongside their associated moderation case. Reports for closed cases follow the audit log retention policy (90 days by default).
  • Legal basis: Art. 6(1)(f) GDPR (legitimate interest in maintaining a safe platform and preventing abuse).

9. Behavioral and Operational Data

To deliver core features and protect the Platform from abuse, we also process limited behavioral data tied to your account:

  • Liveset listen progress: when you play a liveset using the built-in player, your position is stored so you can resume.
  • Search history: recently selected search results are stored per user to keep the search palette useful.
  • Edit presence: when you edit a page, a short-lived heartbeat record is written so we can warn other editors of a possible collision. These records are cleared every five minutes.
  • Account rank computation: a nightly job evaluates signals such as account age, public liveset count, owned pages, delegate relationships, recent moderation actions, inviter, and Discord guild membership to assign you a trust tier. The rank is used internally for invite-token caps, page limits, and similar guardrails; it is never shown on public profile pages.
  • Audit log: administrative actions (bans, content removals, role/rank changes) are recorded in an internal audit log, retained for 90 days by default.
  • Bot console logs: the Discord bot's own runtime logs are forwarded to our server and capped at 500 entries on a rolling basis. They do not contain end-user content beyond Discord IDs of users involved in delivery failures.

Legal basis: Art. 6(1)(b) GDPR for features you opted into by using them, and Art. 6(1)(f) GDPR for operational integrity, abuse prevention, and traceability.

10. ATProto and Bluesky Integration

Artists may use their vrc.dj subdomain (e.g., artist.vrc.dj) as a Bluesky handle. To support this, we expose a public /.well-known/atproto-did endpoint that publishes the subdomain-to-DID mapping. This information is publicly retrievable and is only created when the artist actively links their handle.

11. Data Retention and Deletion

We follow the principles of data minimization and storage limitation (Art. 5 GDPR).

  • Account Deletion: You can permanently delete your account at any time via your user dashboard.
  • Orphaned Data Safeguard: When you delete your account, liveset links you submitted on behalf of another artist's page are anonymized (reassigned to a "deleted user") so that the artist does not lose their page content.
  • Automated Cleanup: A daily GDPR cleanup job runs at 03:15 UTC and permanently purges:

- user data in the deletion "graveyard" older than 90 days,
- sent and failed Discord notification queue entries older than 30 days,
- expired authentication sessions.

  • Quarantined content (from the reporting system) is purged after 7 days.
  • Booking chat transcripts and audit log entries are retained for 90 days by default (administratively configurable).
  • Bot console logs are auto-pruned to the most recent 500 entries.

12. Age Restriction

Our services are not directed at individuals under the age of 16. By logging in or creating an account, you confirm that you are at least 16 years old. If we become aware that we have collected personal data from a minor without verifiable parental consent, we will delete that information immediately.

13. Your Rights (Data Subject Rights)

Because the Platform is operated from the EU, the following GDPR rights apply to all users worldwide:

  • Right of Access (Art. 15 GDPR): request information about the data we hold on you.
  • Right to Rectification (Art. 16 GDPR): update or correct your data.
  • Right to Erasure (Art. 17 GDPR): delete your account via the dashboard or request manual deletion.
  • Right to Restriction of Processing (Art. 18 GDPR).
  • Right to Data Portability (Art. 20 GDPR).
  • Right to Object (Art. 21 GDPR).

To exercise these rights, contact us at the email address in Section 1. You also have the right to lodge a complaint with the competent supervisory data protection authority (Art. 77 GDPR) if you believe your data is being processed unlawfully. For users in Germany, this is the data protection authority of Hesse (HBDI, given the controller's residence).

---

Last Updated: May 2026