Privacy & personal data
Who is responsible for your data?
This website (www.gamma-fivem.com) is published and maintained by Gamma, an independent creator known under the pseudonym "Le Raton", operating under the GAMMA brand. Non-commercial activity or solo micro-activity (FiveM content creator).
Contact: Discord discord.gg/yzwwf6Z72J — the official channel for any request related to your personal data, exercise of rights, or GDPR enquiry.
What data is collected?
2.1 · Browsing the site (without logging in)
- Functional cookies:
gamma-locale(preferred language, 1 year) — only if you switch languages. No consent required (strictly necessary cookie). - Vercel logs: IP address, user-agent, visited URL, HTTP status code. Kept ~30 days by Vercel (our host) for security and abuse prevention. Legal basis: legitimate interest (GDPR art. 6.1.f).
- No tracking: no Google Analytics, no Meta Pixel, no advertising cookies, no third-party tracking scripts.
2.2 · If you leave a review
- Nickname (required, public).
- Role / context (optional, public).
- Rating (1-5 stars, public).
- Review text (public, after moderation within 24h).
- Private feedback (optional, visible only to Gamma in back-office).
- IP address (Supabase side, anti-spam and rate-limiting), kept 30 days.
Legal basis: consent (GDPR art. 6.1.a), given by active form submission.
2.3 · If you access admin via Discord OAuth
- Discord ID (numerical).
- Discord username.
- HMAC-signed session cookies (
__Host-gamma_session,__Host-gamma_csrf) — 4-hour duration.
Server-side only, not shared with third parties. Legal basis: legitimate interest (GDPR art. 6.1.f) for admin security.
Purposes of processing
- Displaying and administering the GAMMA portfolio.
- Allowing clients/visitors to leave verified reviews.
- Securing admin access (authentication + CSRF).
- Measuring service availability (aggregated server logs).
- No advertising use, no profiling, no resale.
Retention periods
- Published reviews: while the project exists (or until deletion request).
- Private feedback: 1 year, then deleted.
- Vercel logs: ~30 days (Vercel policy).
- Session cookies: 4 hours.
- Language cookie: 1 year.
Recipients & processors
Your data may be processed by the following technical sub-processors:
- Vercel Inc. (hosting, CDN, logs) — privacy policy. Data hosted in EU regions (
iad1/fra1). - Supabase Inc. (database for projects & reviews) — privacy policy.
- Discord Inc. (only if you log in via OAuth) — privacy policy.
- DeepL SE (automatic portfolio translation, no personal data) — privacy policy.
- Google LLC (Search Console — SEO performance, no user data transmitted) — privacy policy.
No personal data is sold, rented or exchanged with third parties for commercial purposes.
Transfers outside the EU
Vercel, Supabase, Discord and Google are US companies. Transfers are governed by the European Commission's Standard Contractual Clauses and, for certified operators, by the EU–US Data Privacy Framework. See each policy for details.
Your rights
Under GDPR articles 15-22 you have rights of:
- Access to data concerning you.
- Rectification of inaccurate data.
- Erasure ("right to be forgotten").
- Restriction of processing.
- Objection to processing.
- Portability (receive your data in a structured format).
- Withdrawal of consent at any time, no retroactive effect.
To exercise these rights, message us on Discord discord.gg/yzwwf6Z72J (DM Gamma). Reply within 30 days max.
Cookies
Only strictly necessary or functional cookies (no advertising / no third-party tracking):
gamma-locale— language preference (1 year).__Host-gamma_session— HMAC-signed admin session (4h, HttpOnly, Secure, SameSite=Lax).__Host-gamma_csrf— CSRF double-submit (4h, Secure, SameSite=Strict).__Host-gamma_oauth_state/__Host-gamma_oauth_dest— anti-CSRF for Discord OAuth (10 min, deleted after use).
No GDPR consent banner required (CNIL guidance).
Security
- Strict HTTPS (HSTS, max-age 2 years, preload).
__Host-cookies withSecure,HttpOnly,SameSite.- HMAC-SHA256 sessions signed with strong 256-bit secret.
- CSRF double-submit (header + cookie).
- Strict Content Security Policy, anti-XSS via DOMPurify.
- Sanitisation and rate-limiting on Supabase.
Complaints
Although the data controller is established in France, you may lodge a complaint with your local supervisory authority or directly with the French CNIL (Commission Nationale Informatique et Libertés), 3 Place de Fontenoy, 75007 Paris.
Changes
This document may be amended at any time to remain compliant. The date above shows the latest update. Substantial changes (new processing, new sub-processor) will be announced on Discord.
← Back to portfolio