Data and security

Privacy policy

How M2Promo handles account, server, vote, reward, storage and security data.
This document describes the rules that apply to the M2Promo platform. For questions or requests about your account and data, use the feedback page.

Who processes the data

M2Promo processes data needed to run accounts, public listings, votes, Server Battle, feedback, uploads and Watch Rewards.

The production operator should keep official identity and contact details available through the website, feedback flow or another official contact channel.

External websites, Discord, live platforms, OAuth providers and server integrations process data under their own policies.

Data M2Promo processes

Depending on the feature used, M2Promo may process:

  • Account and auth data: Supabase user id, email, username, display name, avatar, role, status and session metadata.
  • Public listing data: server and streamer names, descriptions, images, links, categories, status and moderation data.
  • Vote and reward data: normal vote sessions, Battle votes, Watch Rewards progress, reward code status and hashed anti-abuse identifiers.
  • Owner integration data: allowed return origins, encrypted signing secrets, reward callback URLs and encrypted API tokens.
  • Feedback, uploads, admin actions, audit metadata, rate-limit keys, API errors and operational/security logs.

Why M2Promo uses data

M2Promo uses data to operate the service, protect users and provide requested features:

  • Accounts, login sessions, dashboards and API access.
  • Server listings, streamer profiles, live status, battles, rewards and feedback.
  • Rankings, public counters, owner statistics and Watch Rewards eligibility.
  • Spam, fraud, duplicate vote, duplicate reward, security and impersonation prevention.

Votes, Battle and anti-abuse

Normal Vote uses signed sessions, opaque tokens and hashed cooldown identifiers. Confirmed votes can update ranking windows.

Server Battle is separate from normal votes and can use battle_voter_token, HMAC hashes, IP-derived hashes, Turnstile and rate limits.

M2Promo does not intentionally store raw IP addresses in Normal Vote or Server Battle vote records.

Hosting, security and anti-abuse providers, including Cloudflare, may still temporarily process IP addresses and technical request data.

Watch Rewards

Watch Rewards processes event, server, streamer, watch session, progress and reward code claim data.

Claimed codes may be visible to the viewer and the owner. The owner remains responsible for honouring codes in their own system.

M2Promo can use local progress storage plus watch_reward_viewer_token, viewer-token hashes and IP-derived hashes to reduce duplicate claims.

Third-party services

M2Promo uses third-party services for auth, storage, anti-abuse, hosting, links and embeds.

Those providers process data under their own policies when you log in, load embeds, click external links or use owner systems.

  • Supabase: authentication, database, storage and public file URLs.
  • Cloudflare Turnstile: anti-abuse checks for protected actions.
  • Google and Discord OAuth, where enabled through Supabase Auth.
  • YouTube, Twitch, Kick, TikTok, Discord and owner websites/API endpoints.

Cookies and browser storage

The Cookie Policy lists auth, anti-abuse, preference, Battle, Watch Rewards and admin-preview storage.

M2Promo does not use behavioural advertising cookies. If analytics or marketing cookies are added later, consent should be collected where required.

Retention and deletion

Retention depends on data type, operational need and whether maintenance jobs are running.

  • Expired pending vote sessions are deleted after 7 days.
  • Finished Battle records are rolled up and raw battle records are deleted after 30 days.
  • Old server clicks and inactive watch sessions are rolled into monthly statistics and deleted after about 400 days.
  • Inactive Watch Rewards events and codes are rolled up and deleted after about 24 hours when cleanup runs.

Your rights

Depending on applicable law, you may request access, correction, deletion, restriction, objection or portability.

Use feedback and identify the relevant account, server, streamer, Battle, reward event or URL.

M2Promo may request verification before changing sensitive data. You may also complain to the competent authority, such as ANSPDCP in Romania where applicable.

Security

M2Promo uses API guards, role and ownership checks, Supabase verification, signed upload URLs, input validation, Turnstile, rate limits, encrypted owner secrets and SSRF protections.

Reward delivery requests do not follow redirects, response previews are limited and sensitive values are redacted where handled.

No system is perfectly secure. Report vulnerabilities or abuse through feedback.