CrashBurst — Privacy Policy

Last updated: April 2026

AESHA Technology Services Limited ("we", "us") operates CrashBurst. We respect your privacy and handle your data as described below. For who we are, see Imprint.

1. Data we collect

• Account data: username, hashed password, and (for Steam login) your Steam ID.
• Gameplay data: bets, cashouts, round IDs, wagered totals, level progress, chat messages.
• Financial data: deposit/withdrawal order IDs, crypto addresses you enter, USD amounts. We do not store payment credentials — payments are processed by Cryptomus and Malum.
• Technical data: IP address, user-agent, login timestamps. We use this for fraud prevention and rate limiting.
• Two-factor authentication: if enabled, we store your TOTP secret and hashed backup codes.

2. Why we collect it

• To operate the Service — authenticate you, track your balance, run rounds, display chat.
• To comply with anti-fraud, anti-money-laundering, and legal obligations.
• To improve the Service and debug issues.
• To communicate with you about your account, balance, or important changes.

3. Who we share data with

• Payment processors (Cryptomus, Malum): we share the minimum data required to process deposits and withdrawals.
• Infrastructure providers (Cloudflare for DDoS/CDN, Hetzner for hosting): who process technical traffic data.
• Authenticated Origin Pulls / captcha (Cloudflare Turnstile): receives your IP and a challenge token during sign-in.
• Steam: if you log in with Steam, your Steam ID is received via OpenID 2.0.
• Law enforcement: when we are legally obliged to respond to a valid request.

We do not sell your personal data. We do not serve personalised ads based on your account data. An advertising iframe (A-Ads) may appear on the Service; it does not receive your account data.

4. Data retention

We retain account, transaction, and gameplay data for as long as your account is active, plus up to 7 years afterwards to satisfy legal and anti-fraud obligations. Chat messages are retained indefinitely but may be deleted by moderators. You may request deletion of non-essential data; financial and legal records cannot be deleted until retention periods expire.

5. Security

Passwords are hashed with bcrypt. Sessions use signed, HTTP-only cookies. TOTP secrets are stored only on our server and only transmitted during initial setup. Backup codes are stored hashed. Traffic is encrypted in transit with TLS. Despite best efforts, no system is 100% secure — if you believe your account has been compromised, change your password and contact support immediately.

6. Your rights

Depending on your jurisdiction, you may have rights to access, correct, or delete your data, restrict or object to processing, data portability, and to lodge a complaint with a supervisory authority. To exercise any of these rights, email [email protected] from the email associated with your account (if any) or contact support via live chat.

7. Cookies

• Strictly necessary: session cookie (your login token). Cannot be disabled.
• Functional: theme preference, sound toggle — stored in your browser's localStorage, never sent to us.
• Third party: Cloudflare may set cookies for DDoS protection / bot detection.

8. Children

The Service is not directed at anyone under 18. If you believe a minor has created an account, contact us immediately and we will remove it.

9. International transfers

The Service is operated from Seychelles and hosted in Germany (Hetzner). By using the Service you consent to the processing of your data in these locations.

10. Changes

We may update this Privacy Policy from time to time. We will post the updated version on this page and update the "Last updated" date. Material changes will be announced via site notice.

11. Contact

Questions about privacy: [email protected].