voidexa (“we”, “us”) operates voidexa.com and the products listed on it. This policy explains what personal data we collect, why we collect it, who we share it with, and the rights you have under the EU General Data Protection Regulation (GDPR) and the Danish Data Protection Act (Databeskyttelsesloven).
1. Data controller
The data controller is Jimmi Wulff, trading as voidexa, registered in Denmark under CVR 46343387, with principal place of business in Vordingborg, Denmark. Contact: contact@voidexa.com.
2. Personal data we collect
Account and profile
- Email address, display name, pilot callsign, profile picture
- Hashed password (when you use email sign-in) or provider ID (Google, Solana wallet)
- Locale preference and UI settings
Transactional
- GHAI credit balance and purchase history
- Stripe customer ID and last-4 of payment card (we do not store full card numbers)
- Shipping address for any physical products
Product usage
- Void Pro AI (formerly Void Chat) / Quantum / Trading Hub prompts and responses when you use those features
- Break Room and Universe Wall posts you publish
- Card collection, deck loadouts, and match history
- Server logs with IP address and user agent (retained for abuse prevention and security)
3. Why we process your data (lawful bases)
| Purpose | Lawful basis (GDPR art. 6) |
|---|---|
| Running your account and delivering the service you asked for | Contract (art. 6(1)(b)) |
| Processing payments and issuing invoices | Contract + legal obligation (art. 6(1)(b), (c)) |
| Security, fraud, and abuse prevention | Legitimate interest (art. 6(1)(f)) |
| Analytics cookies (optional) | Consent (art. 6(1)(a)) |
| Bookkeeping under Danish Bogføringsloven | Legal obligation (art. 6(1)(c)) |
4. Sub-processors
We use the following sub-processors. Each has its own privacy policy and a Data Processing Agreement (DPA) in place with us.
- Supabase (EU region, Frankfurt) — authentication, Postgres database, file storage
- Vercel — edge hosting and deployment of the voidexa.com frontend
- Stripe — payment processing
- Anthropic (Claude API) — AI chat, quantum debate, and automation features
- OpenAI — Void Pro AI, quantum debate
- Google (Gemini API) — quantum debate and select AI tools
- Perplexity — quantum debate research leg
Non-EU sub-processors are bound by Standard Contractual Clauses. Prompts you submit to AI sub-processors are subject to each provider’s own data-use terms. We do not send your email address or payment data to AI providers.
5. Retention
- Account data — kept until you delete your account, then purged within 30 days
- Invoices and tax records — 5 years (Danish Bogføringsloven)
- Security logs — 90 days
- Chat transcripts — kept until you delete them or close the account
- Backups — rolling 30-day encrypted backups, deleted on rotation
6. Your rights
Under the GDPR you have the right to:
- Access a copy of your data
- Correct inaccurate data
- Erase your data (“right to be forgotten”), subject to our legal retention duties
- Export your data in a portable format
- Object to processing based on legitimate interest
- Withdraw consent at any time, without affecting processing already carried out
- Lodge a complaint with Datatilsynet, the Danish Data Protection Authority (datatilsynet.dk)
To exercise any right, email contact@voidexa.com from the address on your account. We respond within 30 days.
7. Security
Data is encrypted in transit (TLS 1.2+) and at rest. Passwords are hashed with bcrypt or equivalent. Access to production systems is limited to the operator under multi-factor authentication. We will notify you and Datatilsynet within 72 hours of becoming aware of any personal-data breach likely to affect your rights.
8. Children
voidexa.com is not directed at children under 13. If you believe a child has provided us personal data, email us and we will delete it.
9. Changes to this policy
We update this policy when processing changes. Material changes are announced by email or in-app notice 14 days before taking effect. The date at the top of this page is the latest update.
10. Governing law and jurisdiction
This policy is governed by Danish law. Disputes are resolved under EU GDPR supervision, with Vordingborg retskreds as the competent venue for any civil claim not otherwise assigned to Datatilsynet.
11. Disclaimer
This document is provided as a plain-language summary and technical compliance baseline. It is not legal advice. A full solicitor review of the voidexa legal surface is in progress (tracked internally as AFS-37).