The Site is a community companion for Old School RuneScape and RuneScape 3 player-to-player trading and is not affiliated with Jagex Ltd. It is operated independently (“we”, “us”). We do not participate in, process, or facilitate users’ trades with each other (no escrow, no transaction processing for P2P deals). We provide tools, listings views, and Discord-linked features as described on the Site.
1. Who is responsible?
The controller of personal data processed through this Site is the person or organisation operating the Site and its server. For privacy requests you may reach out via the official Grand Exchange Discord community.
2. Legal framework
We aim to comply with applicable data protection law, including the UK GDPR / EU GDPR where they apply, and to respect your rights as a data subject.
3. Data we process and why
Depending on how you use the Site, we may process the following categories of information:
3.1 Sign-in with Discord
If you use Discord OAuth, we receive information from Discord (for example your Discord user ID, username, global display name, and avatar URL) within the scopes we request (such as identify and guilds). We use this to recognise your account, show your profile where appropriate, and verify membership in the linked Discord server where features require it.
Legal bases: performance of a contract / steps at your request (providing the service you ask for); and, where applicable, legitimate interests in securing the Site and community features.
3.2 Sessions and security
We use a signed session cookie (and related server-side session data) to keep you logged in. Session lifetime is limited (currently up to fourteen days of inactivity, subject to configuration).
We may process technical data such as IP address, user agent, and request metadata for security, abuse prevention, and debugging. For signed-in members we may record connection information (such as user ID, client IP, and a VPN/proxy risk hint) in server-side audit logs to help protect accounts and investigate misuse.
VPN/proxy hints may be obtained using third-party IP information services (for example ipwho.is) solely for fraud-prevention style signals; those providers process IP addresses according to their own policies.
Legal bases: legitimate interests in securing the Site and users; legal obligations where applicable.
3.3 Data stored on our systems
Features such as reviews, listings, teams, donations display, subscriptions display, banner interactions, and administrative tools may store related records on our systems (for example Discord IDs, text you submit, timestamps, and moderation or audit logs). The exact fields depend on which features you use.
Legal bases: performance of a contract / service; legitimate interests in operating and improving the Site; consent where we ask for it; legal obligations.
3.4 Payments and external checkout
Subscription or donation links may direct you to third-party payment or storefront pages (for example external “buy” links). We do not receive your full payment card details on this Site for those flows; payment providers process such data under their own terms and privacy policies.
3.5 Hosting and infrastructure
Our hosting provider, reverse proxy, or CDN (for example Cloudflare or similar) may process connection data when you access the Site. We do not control their logging practices; please refer to their documentation.
4. Sharing and international transfers
We do not sell your personal data. We may share data with:
- Discord Inc., when you authenticate or when the Site calls Discord APIs;
- Service providers strictly needed to run the Site (hosting, DNS, email if configured);
- Authorities when required by law or to protect rights and safety.
Discord and some infrastructure providers may process data in the United States or other countries. Where GDPR applies, we rely on appropriate safeguards (such as standard contractual clauses) as required by law for transfers.
5. Retention
We keep personal data only as long as needed for the purposes above, including legal, accounting, or security requirements. Session cookies expire as described in your browser; server logs and audit entries may be rotated or deleted according to disk and operational policy. You may request deletion where applicable (see below).
6. Your rights
Depending on your location, you may have rights including: access, rectification, erasure, restriction, objection, data portability, and withdrawal of consent where processing is consent-based. You may also lodge a complaint with a supervisory authority (for example the ICO in the UK, or your local EU authority).
To exercise rights, contact us through the Discord community. We may need to verify your identity before acting on certain requests.
7. Cookies
The Site uses cookies or similar technologies required for the session cookie and normal operation. We do not rely on intrusive advertising cookies for core functionality. You can control cookies in your browser; disabling essential cookies may prevent sign-in from working.
8. Children
The Site is not directed at children under 13 (or the minimum age in your jurisdiction). We do not knowingly collect personal data from children.
9. Changes
We may update this Privacy Policy from time to time. The “Last updated” date at the top will change when we do. Continued use of the Site after changes constitutes acceptance of the updated policy where permitted by law.