Privacy Policy
Last updated: May 2026
1. Controller
The responsible party within the meaning of the General Data Protection Regulation (GDPR) is:
Moritz Kohm
c/o Impressumservice Dein-Impressum
Stettiner Str. 41
35410 Hungen
Germany
Email: info@msk-scripts.de
2. Overview of Data Processing
This website operates two distinct services, each with its own data processing:
a) MSK Scripts Shop — for purchasing FiveM resources and Discord bots via Tebex.
b) MSK Ticket Bot Transcript Service — an optional hosted service for users who self-host the MSK Ticket Bot. It stores ticket transcripts online and provides public links. Users authenticate via GitHub and Discord OAuth to obtain an API key.
c) Hosted Bot Management — an optional fully managed hosting service for Premium and Premium+ customers. The bot runs on MSK Scripts' servers; the customer manages it via the web dashboard.
Data collected by the Shop
- CFX.re / FiveM username and user ID — required to authenticate your account and deliver purchased resources via the FiveM Asset Escrow system
- Discord ID — required for packages that include Discord role assignment
- IP address — collected automatically when creating a shopping basket; transmitted to Tebex for fraud prevention
- Shopping basket data — stored locally in your browser (localStorage)
- Technical log data — web server access logs including IP address, browser type, date and time
Data collected by the Ticket Bot Transcript Service
- GitHub username — collected via GitHub OAuth during the verification process to confirm identity and sponsorship status
- Discord user ID — collected via Discord OAuth during the verification process
- Discord server (guild) ID — linked to your API key to identify which server transcripts belong to
- Subscription tier — determined by your GitHub Sponsors status (Basic, Premium, Premium+)
- API key — a randomly generated token stored in our database and used to authenticate transcript uploads from your bot
- Custom domain (optional, Premium only) — stored if you configure a custom domain for transcript delivery
- Ticket transcript content — HTML files generated by the bot and uploaded to our server; stored for 30–90 days depending on tier
- Ticket attachments (Premium only) — files sent in the ticket that are downloaded and stored alongside the transcript
- Rate limiting data — request counts per API key per hour to prevent abuse; stored temporarily
- GitHub sponsorship data — received via GitHub Sponsors webhook (sponsor GitHub username and tier); processed to activate or update your subscription
Data collected by the Hosted Bot Management Service
- Bot configuration files —
config.jsoncandsnippets.jsoncare stored on our server as part of providing the service .envfile — contains sensitive credentials provided by the customer (e.g. Discord bot token, MSK API key); stored on our server and required to operate the bot- PM2 log output — live log data generated by the bot process; not persistently stored beyond the running log buffer accessible via the dashboard
- Discord server (guild) ID — used to identify the hosted bot instance; linked to the existing Transcript Service account
Data we do NOT collect
- We do not collect or process payment data for the shop. All payment processing is handled exclusively by Tebex Limited.
- We do not use tracking cookies, analytics services, or advertising technologies.
- We do not read or store the content of Discord messages beyond what the bot owner explicitly uploads as a transcript.
3. Legal Basis for Processing
We process personal data on the following legal bases under GDPR:
| Processing activity | Legal basis |
|---|---|
| Shop purchases, basket, delivery | Art. 6(1)(b) GDPR — contract performance |
| Web server logs, fraud prevention | Art. 6(1)(f) GDPR — legitimate interests |
| Transcript Service — account creation (verify flow) | Art. 6(1)(b) GDPR — contract performance |
| Transcript Service — storing transcripts and attachments | Art. 6(1)(b) GDPR — contract performance |
| Transcript Service — GitHub Sponsors webhook | Art. 6(1)(b) GDPR — contract performance |
| Rate limiting | Art. 6(1)(f) GDPR — legitimate interests (preventing abuse) |
| Hosted Bot Management — storing config files and credentials | Art. 6(1)(b) GDPR — contract performance |
| Hosted Bot Management — bot process logs | Art. 6(1)(b) GDPR — contract performance |
4. Cookies and Local Storage
Session Cookies (Ticket Bot Transcript Service)
During the verification process at www.msk-scripts.de/verify, we use httpOnly session cookies to maintain state across the multi-step OAuth flow. These cookies are:
| Cookie name | Purpose | Duration |
|---|---|---|
msk_oauth_state | CSRF protection during OAuth flow | 10 minutes |
msk_verify_session | Stores verified GitHub username and Discord guild list during the verify flow | 1 hour |
msk_dashboard_session | Authenticates you to the dashboard after completing verification | 30 days |
All session cookies are:
- httpOnly — not accessible via JavaScript
- Secure — transmitted over HTTPS only
- SameSite=Lax — protected against cross-site request forgery
Legal basis: Art. 6(1)(b) GDPR — these cookies are technically necessary to provide the verification service.
Local Storage (Shop — Shopping Cart)
We use your browser's localStorage to save your shopping cart basket identifier. This data never leaves your browser and is not transmitted to our servers.
Legal basis: Art. 6(1)(b) GDPR — technically necessary for the shopping cart.
Session Storage (Shop — Authentication)
We use sessionStorage to temporarily store FiveM and Discord authentication state during the Tebex checkout flow. This data is automatically deleted when you close your browser tab.
Tracking and Analytics
This website uses no tracking cookies, analytics tools (e.g. Google Analytics), or advertising technologies. No cookie consent banner is required as no non-essential cookies are set.
5. Ticket Bot Transcript Service — Detailed Processing
5.1 Verification and Account Creation
When you register for the Transcript Service at www.msk-scripts.de/verify, the following steps involve data processing:
GitHub OAuth: You are redirected to GitHub to authorize our application. After authorization, GitHub returns your GitHub username to us. We store this in a signed session cookie temporarily and, upon completion of the verify flow, permanently in our database to link your account and check your sponsorship status.
Discord OAuth: You are redirected to Discord to authorize our application. After authorization, Discord returns your Discord user ID and a list of servers where you have Administrator permissions (server names, IDs, and icons). Server names and icons are used only to display the selection interface and are not stored. Your Discord user ID and the selected server (guild) ID are stored in our database.
Data stored in our database upon successful verification:
| Field | Description | Retention |
|---|---|---|
guild_id | Your Discord server ID | Until account deletion |
api_key | Randomly generated authentication token | Until regenerated or account deleted |
tier | Subscription tier (basic/premium/premium_plus) | Until account deletion |
github_username | Your GitHub username | Until account deletion |
discord_user_id | Your Discord user ID | Until account deletion |
custom_domain | Custom domain (if configured) | Until removed |
domain_status | Status of the custom domain | Until account deletion |
5.2 Transcript Storage
When a ticket is closed on a self-hosted bot with a valid API key, the bot uploads the generated HTML transcript to our server. We store:
- The HTML file of the transcript on our server's filesystem
- Metadata in our database: upload timestamp, file size, expiry date, guild reference
Transcripts are automatically deleted after the retention period applicable to your tier (30, 60, or 90 days). Transcripts are publicly accessible via their unique URL (containing a random UUID), but are not indexed or linked from anywhere.
5.3 Attachment Storage (Premium)
For Premium and Premium+ users, file attachments sent in tickets (images, PDFs, etc.) are downloaded from Discord's CDN and stored on our server alongside the transcript. These files are deleted together with the transcript at expiry.
5.4 GitHub Sponsors Webhook
We operate a webhook endpoint that receives events from GitHub Sponsors when you start, change, or cancel a sponsorship. The event contains your GitHub username and monthly amount. We process this to activate, upgrade, or downgrade your subscription tier automatically.
Data processed: GitHub username, sponsorship tier (derived from monthly amount), action (created/cancelled/tier_changed).
This data is processed under Art. 6(1)(b) GDPR as it is necessary to deliver the service you subscribed to.
5.6 Hosted Bot Management
For Premium and Premium+ customers who use the Hosted Bot Management service, the following data is stored on our servers under a directory associated with your Discord server (guild) ID:
| Data | Description | Retention |
|---|---|---|
config.jsonc | Bot configuration (ticket types, roles, settings) | Until hosting is terminated |
snippets.jsonc | Canned responses (if configured) | Until hosting is terminated |
.env | Bot credentials (Discord token, API keys) | Until hosting is terminated |
| Bot log output | Runtime output of the bot process; accessible live via the dashboard | Not persistently stored — log buffer only |
Sensitive credentials: The .env file may contain your Discord bot token and other API keys. This file is stored on our server and is required to operate the bot. MSK Scripts personnel may access this file for maintenance and support purposes. You are responsible for ensuring that any credentials stored therein are not compromised.
Legal basis: Art. 6(1)(b) GDPR — processing is necessary for the performance of the hosting contract.
Access control: The configuration files are accessible only to the service operator (MSK Scripts) and to you via the authenticated dashboard at www.msk-scripts.de/dashboard.
Upon termination of the hosting arrangement, all files in your bot's directory (including the .env file) are deleted from our servers within 14 days.
5.7 Custom Domain (Premium)
If you configure a custom domain, we store your domain name in our database. When you activate the domain:
- An Apache2 VirtualHost configuration is created on our server
- A Let's Encrypt SSL certificate is obtained via Certbot; your admin email (
info@msk-scripts.de) is submitted to Let's Encrypt for certificate notifications
Your domain name may appear in Certificate Transparency logs as a result of the SSL certificate issuance. This is a standard part of the public Web PKI infrastructure.
6. Payment Processing (Tebex — Shop)
All shop purchases are processed by Tebex Limited, 201 Haverstock Hill, Second Floor, London, NW3 4QG, United Kingdom.
Tebex acts as the merchant of record and is solely responsible for payment processing. The following data is transmitted to Tebex when creating a basket: your IP address, CFX.re / FiveM username and user ID (after authentication), and your Discord ID (for applicable packages).
7. Transcript Service Subscription (GitHub Sponsors)
The Premium and Premium+ subscription for the Ticket Bot Transcript Service is processed via GitHub Sponsors (GitHub, Inc., 88 Colin P Kelly Jr St, San Francisco, CA 94107, USA).
GitHub Sponsors handles all payment processing, invoicing, and refunds for the subscription. By sponsoring, you also agree to GitHub's privacy policy: docs.github.com/site-policy/privacy-policies
We receive only your GitHub username and sponsorship tier via webhook — no payment data.
8. Authentication via CFX.re / FiveM (Shop)
To purchase shop packages, you authenticate with your CFX.re account via the Tebex identity service. Your FiveM username and user ID are returned and stored temporarily in your browser's localStorage for the duration of your session.
9. Authentication via Discord (Shop)
For packages requiring Discord role delivery, your Discord ID is collected via Tebex's identity service and passed to Tebex as part of the purchase. It is not permanently stored on our servers.
10. Web Server Logs
Our server automatically records access logs containing: IP address, date and time of access, URL requested, HTTP status code, browser/client type. These logs are used for security and operational purposes and are retained for a maximum of 14 days.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in operating and securing the website.
11. Discord Online Count
Our homepage displays the current number of online members in our Discord server, retrieved from the Discord API and cached for 60 seconds. No personal data is transmitted.
12. Data Retention
| Data | Retention Period |
|---|---|
| Server access logs | 14 days |
| Shop basket (localStorage) | Until cleared by user or basket expiry |
| Shop FiveM/Discord auth (sessionStorage) | Until browser tab is closed |
| OAuth state cookie | 10 minutes |
| Verify session cookie | 1 hour |
| Dashboard session cookie | 30 days |
| Ticket Bot account data (guild_id, api_key, github_username, discord_user_id, tier) | Until deletion requested |
| Rate limiting data | 1 hour (rolling window) |
| Transcript HTML files | 30 days (Basic) / 60 days (Premium) / 90 days (Premium+) |
| Attachment files | Same as transcript |
| GitHub sponsorship data | Until account deletion |
Hosted bot config files (config.jsonc, snippets.jsonc, .env) | Until hosting is terminated + 14 days |
| Hosted bot log output | Not persistently stored (live buffer only) |
13. Data Transfers Outside the EU/EEA
Tebex Limited (UK): The UK has been granted an adequacy decision by the European Commission. Transfers to Tebex are considered safe under GDPR.
GitHub, Inc. (USA): GitHub Sponsors and OAuth services are operated by GitHub. Transfers are covered by GitHub's Standard Contractual Clauses. See: github.com/site-policy
Our web server and all transcript/attachment data are stored within the European Union.
14. Your Rights Under GDPR
As a data subject, you have the following rights:
- Right of access (Art. 15 GDPR) — Request information about data we hold about you
- Right to rectification (Art. 16 GDPR) — Request correction of inaccurate data
- Right to erasure (Art. 17 GDPR) — Request deletion of your data
- Right to restriction (Art. 18 GDPR) — Request restriction of processing
- Right to data portability (Art. 20 GDPR) — Receive your data in a machine-readable format
- Right to object (Art. 21 GDPR) — Object to processing based on legitimate interests
- Right to lodge a complaint — with the competent supervisory authority (in Germany: your state's Landesbeauftragter für Datenschutz)
To exercise any of these rights, please contact: info@msk-scripts.de
We will respond within 30 days.
15. Changes to This Privacy Policy
We reserve the right to update this Privacy Policy to reflect changes in our services or applicable law. The current version is always available at this URL. The date at the top indicates when it was last updated.