Who we are
MCAuth ("we", "us") is a Minecraft OAuth2 authentication service available at mc-auth.net. We act as the data controller for personal data processed through this service.
What we collect
Account data
When you register, we collect your email address and a bcrypt hash of your password. We never store your password in plaintext.
Application data
When you create an OAuth2 application, we store the application name, redirect URI, and a bcrypt hash of your client secret.
Minecraft authentication data
When a player authenticates through MCAuth, we temporarily store their Minecraft UUID and username during the auth session. This data is used to return a verified identity to your application and is not retained beyond the session.
Session data
We use a signed, HTTP-only, secure cookie to maintain your login session. No session data is stored server-side — the cookie contains only your user ID and expiry, signed with an HMAC key.
Why we collect it
We collect this data to provide the MCAuth service. The legal basis is contract performance (Article 6(1)(b) GDPR) — we need this data to operate the authentication service you have signed up for.
How long we keep it
We retain your account data for as long as your account exists. You can delete your account at any time from your account settings, which permanently removes all associated data including your applications and auth history.
Expired Minecraft auth codes and completed auth sessions may be retained briefly for operational integrity before being purged.
Third parties
- Cloudflare — we use Cloudflare for DNS, TLS termination, and DDoS protection. Cloudflare may process request metadata (IP addresses, headers) in accordance with their privacy policy.
- Mojang / Microsoft — when a player authenticates, their Minecraft session is verified against Mojang's session servers. We receive the player's UUID and username from this service.
We do not sell, rent, or share your personal data with any other third parties.
Your rights
Under GDPR you have the following rights regarding your personal data:
- Right of access — you can download a copy of all data we hold about you from your account settings.
- Right to erasure — you can permanently delete your account and all associated data from your account settings.
- Right to rectification — contact us to correct inaccurate data.
- Right to portability — your data export is provided in machine-readable JSON format.
- Right to object — you may object to processing by deleting your account.
Contact
For any privacy-related requests or questions, please contact us at [email protected].
If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.