1. Who's the controller?
Wild Rift Boosting (the operator of wildrift-boost.com) is the data controller for the personal information you share with us. Questions about this policy or the data we hold on you go to privacy@wildrift-boost.com.
2. What we collect
When you place an order
- Email address — provided by Stripe on checkout, used to send receipts and magic-link access to your order dashboard.
- Order details — current and desired rank, region, boost type, preferred champions and roles, any notes you leave.
- Payment metadata — Stripe payment intent ID, amount, currency. We never see or store your full card number or CVC — Stripe handles that and is PCI-DSS Level 1 certified.
- Riot account credentials (Solo boosts only) — your Riot ID and password, encrypted with AES-256-GCM the moment you submit them. Wiped 7 days after order completion.
- Discord username (optional) — so your booster can DM you.
When you apply as a booster
- Name, email, Discord, Riot ID, op.gg URL, current and peak rank, region, weekly hours, experience, motivation.
- For accepted applicants: payout method + payout details (also AES-256 encrypted at rest).
Automatically
- IP address + user agent — stored with activity logs for fraud detection and abuse prevention. Retained for 90 days.
- Cookies — see section 7 below.
3. Why we collect it (lawful basis)
- Contract — processing your order, creating your magic-link session, sending order updates.
- Legitimate interest — fraud detection (IP/device signals), platform security, analytics at an aggregate level.
- Consent — marketing emails (opt-in only), non-essential cookies.
- Legal obligation — tax and payment records we're required to keep.
4. How long we keep it
| Data | Retention |
|---|---|
| Riot account credentials | 7 days after order completion |
| 2FA auth codes | Wiped as soon as used (or after 5 minutes, whichever comes first) |
| Order records (for tax/refund history) | 6 years (legal requirement) |
| IP + activity logs | 90 days |
| Marketing email list | Until you unsubscribe |
| Booster application (rejected) | 6 months |
| Booster profile (accepted) | For the duration of the booster relationship + 1 year |
5. Who we share it with
We share the minimum necessary personal data with these third-party processors, each under a Data Processing Agreement:
- Stripe (payments) — email, payment metadata. Based in Ireland/USA.
- Supabase (database hosting) — all the data listed in section 2. EU or US region depending on your signup location.
- Resend (transactional email) — email address + order number.
- Discord webhook (internal admin alerts) — order number + high-level summary. No credentials or personal info beyond the Discord username you provided.
- Your assigned booster — Riot ID, encrypted password (decrypted only in their session), preferred champs/roles, any notes you left.
We do not sell your personal data. We do not share it with advertisers or data brokers.
6. Your rights (GDPR + similar)
You have the right to:
- Request a copy of everything we hold on you (data portability).
- Correct anything that's wrong.
- Delete your account and associated data (“right to be forgotten”). We'll keep order records for tax but strip personal identifiers.
- Object to specific processing (e.g. marketing).
- Withdraw consent at any time.
- Complain to your local data protection authority.
To exercise any of these, email privacy@wildrift-boost.com — we'll respond within 30 days.
7. Cookies
We use a small set of cookies, all of them essential or functional:
- Session cookie (next-auth.session-token) — keeps you logged in. Expires in 24 hours.
- Urgency timer (wrb-urgency-end, localStorage) — tracks the visible sale countdown on the homepage so it doesn't reset on every page load.
We don't use third-party ad-targeting cookies or cross-site trackers. If that changes (e.g. we add analytics), we'll add a consent banner and update this page.
8. Children
The service is not directed at anyone under 16. If you're under 16, please ask a parent or guardian before ordering and have the payment made in their name.
9. Security
We use industry-standard encryption (TLS in transit, AES-256-GCM for sensitive data at rest), role-based access controls, and rotating backups. Despite our best efforts, no transmission over the internet is 100% secure — if we ever have a breach affecting you, we'll notify you within 72 hours as required by GDPR.
10. Changes
Material changes to this policy are announced on the homepage at least 7 days before taking effect. The “Last updated” date at the top of this page always reflects the current revision.
11. Contact
Data questions and deletion requests: privacy@wildrift-boost.com.
Everything else: support@wildrift-boost.com.
