Legal
Privacy Policy
Effective from 27 Jun 2026 (anti-cheat monitoring disclosure update) · Phytoventures Ltd
Contents
- Who we are
- Contact details
- Scope
- Personal data we collect
- How we collect personal data
- Purposes and lawful bases
- Legitimate interests
- Special category data
- Cookies
- Sharing personal data
- International transfers
- Retention
- Account deletion
- Data security
- Automated decision-making
- Your rights
- Complaints
- Children
- Changes
- Contact
1. Who we are
Plain English: This section tells you exactly who controls your data and which company is legally responsible for privacy decisions.
This Privacy Policy explains how Phytoventures Ltd (company number 16388003) of Belmont Suite, Chorley New Road, Horwich, Bolton, England, BL6 6HG ("Phytoventures", "we", "us", or "our") collects, uses, stores, shares, and protects personal data in connection with Roleplay Project, including our Grand Theft Auto V multiplayer roleplay server(s) operated via the FiveM / CitizenFX multiplayer framework (and historically via RAGEMP), related website(s), launcher(s), store(s), forum(s), Discord or community channels, support systems, age-verification flows, and associated services (together, the "Service").
For data protection purposes, Phytoventures Ltd is the controller of personal data processed under this Privacy Policy unless stated otherwise. We process personal data in accordance with the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018 ("DPA 2018"). Where we engage third-party processors (for example, the regulated identity-verification provider Didit), those parties act on our documented instructions under a written Data Processing Agreement, and any further processing they carry out as independent controllers is governed by their own privacy notices, which we link to where relevant.
Our ICO registration number is ZC041842.
2. Contact details
Plain English: This section gives the official contact points to ask questions, request your data, or raise concerns.
If you have questions about this Privacy Policy or wish to exercise your data protection rights, contact us at:
Phytoventures Ltd
Belmont Suite, Chorley New Road, Horwich, Bolton, England, BL6 6HG
Data protection contact: [email protected]
General contact: [email protected]
3. Scope
Plain English: This explains where this policy applies (server, website, support and related services) and where third-party policies apply instead.
This Privacy Policy applies to personal data we collect:
- directly from you;
- automatically when you use the Service;
- from linked accounts, third-party platforms, payment providers, or community platforms you use with the Service; and
- from moderators, other users, or third parties where relevant to support, security, enforcement, fraud prevention, or legal compliance.
This Privacy Policy does not apply to third-party services that have their own privacy policies.
4. Personal data we collect
Plain English: This lists the categories of data we may hold about you, from account info to anti-cheat and moderation records.
Depending on how you use the Service, we may collect and process the following categories of personal data.
4.1 Account and identity data
- username, display name, character names, account ID, and linked platform identifiers;
- email address and login credentials;
- age-confirmation information;
- records of consent, preferences, and verification steps.
4.2 Technical and device data
- IP address;
- device identifiers and connection identifiers;
- approximate location derived from IP address;
- operating system, client version, hardware or configuration signals, crash logs, and performance diagnostics;
- session data, timestamps, connection history, and authentication data.
4.3 Gameplay and community data
- gameplay actions, inventories, progression, economy records, punishments, reports, tickets, appeals, and moderation history;
- chat logs, direct messages submitted through our systems, forum posts, support messages, and community submissions;
- voice communications where recorded, transcribed, or reported through the Service;
- screenshots, clips, reports, and evidence submitted by users or moderators.
4.4 Transaction and store data
- order history, purchased items, subscription or membership information, billing country, and transaction references;
- limited payment-related information provided by payment processors;
- fraud screening results and chargeback history.
We do not intentionally store full payment card details unless expressly stated and lawfully required. Payments are generally processed by third-party payment providers.
4.5 Security and compliance data
- anti-cheat flags, exploit detection data, ban-evasion indicators, linked-account signals, and security alerts;
- anti-cheat telemetry generated by ElectronAC, including integrity-check results and security screenshots captured from in-game sessions where reasonably necessary to investigate cheating, exploit abuse, or ban evasion;
- records of suspected fraud, abuse, unlawful conduct, or Terms violations;
- correspondence with regulators, law enforcement, insurers, legal advisers, or other authorities where relevant.
When you connect to our FiveM servers, ElectronAC may run client-integrity checks and capture security screenshots from your game session. Access to this data is restricted to authorised staff and used only for anti-cheat, moderation, enforcement, and appeal-review purposes.
4.6 Marketing and preference data
- communication preferences;
- responses to surveys, promotions, or feedback requests;
- marketing engagement information, where applicable.
5. How we collect personal data
Plain English: This explains the sources of data, such as what you submit directly, what is collected automatically, and what is received from trusted providers.
We collect personal data:
- when you register, log in, or link accounts;
- when you connect to the server or use the Service;
- when you make a purchase or donation;
- when you post content, chat, speak in recorded channels, or submit tickets or appeals;
- when you contact support;
- through cookies or similar technologies on any website, launcher, portal, or store we operate;
- from payment providers, hosting providers, analytics providers, anti-fraud tools, community tools, and other service providers; and
- from other users, moderators, or third parties who submit reports or evidence.
6. Purposes and lawful bases
Plain English: This explains why we process data and the legal basis we rely on under UK GDPR for each purpose.
We process personal data only where we have a lawful basis to do so.
6.1 To provide and administer the Service
We use personal data to create and manage accounts, authenticate users, operate the server, enable gameplay, maintain character and inventory records, deliver purchases, and provide support.
Lawful basis: performance of a contract with you; steps at your request before entering into a contract.
6.2 To secure the Service and enforce our rules
We use personal data for moderation, anti-cheat, fraud prevention, ban enforcement, detecting abuse, investigating reports, preserving evidence, and protecting users, staff, and infrastructure. This may include reviewing ElectronAC-generated screenshots and related anti-cheat telemetry where necessary to investigate suspected cheating or ban evasion.
Lawful basis: our legitimate interests in running a safe and secure service; performance of our contract; compliance with legal obligations where applicable.
6.3 To process payments and manage financial records
We use personal data to process purchases, detect fraudulent transactions, issue refunds where appropriate, maintain accounting records, and manage chargebacks or disputes.
Lawful basis: performance of a contract; compliance with legal obligations; our legitimate interests in preventing fraud and managing the business.
6.4 To communicate with you
We use personal data to send service announcements, security notices, support replies, policy updates, and administrative communications.
Lawful basis: performance of a contract; compliance with legal obligations; our legitimate interests in administering the Service.
6.5 To improve and develop the Service
We use technical, gameplay, and feedback data to diagnose issues, test features, improve balance, develop new content, monitor performance, and understand usage trends.
Lawful basis: our legitimate interests in improving and developing the Service.
6.6 To market the Service
Where permitted by law, we may use your contact details to send marketing communications about updates, events, features, offers, or related services.
Lawful basis: consent where required by law; otherwise our legitimate interests in promoting the Service.
You can opt out of marketing communications at any time.
6.7 To comply with legal obligations and defend legal claims
We may process personal data to comply with legal, regulatory, tax, accounting, and law-enforcement requirements and to establish, exercise, or defend legal claims.
Lawful basis: compliance with legal obligations; our legitimate interests in protecting our legal rights.
7. Legitimate interests
Plain English: This describes the business and safety reasons we rely on when processing under legitimate interests and confirms balancing of your rights.
Where we rely on legitimate interests, those interests generally include:
- operating and administering an online multiplayer community;
- maintaining security, anti-cheat, moderation, and fraud prevention systems;
- improving the reliability and performance of the Service;
- protecting users, staff, infrastructure, and intellectual property;
- resolving disputes and enforcing our Terms; and
- supporting ordinary business operations, record keeping, and legal risk management.
We consider and balance any potential impact on your rights before processing on this basis.
8. Special category data & age verification
Plain English: This explains how sensitive data is handled and when age verification can be required, including use of Didit.
We do not intend to collect or process special category personal data except where it is manifestly made public by you, provided voluntarily in connection with a support or safeguarding issue, or otherwise processed lawfully under applicable law.
Please do not submit unnecessary sensitive personal data to us.
8.1 Age verification through Didit
Where we have a reasonable suspicion that a user may be under 18, or where we are otherwise required to act under the Online Safety Act 2023 or guidance issued by the UK Information Commissioner's Office (including the Age Appropriate Design Code), we require you to complete an age check before continuing to use the Service. Users may also opt in to verification voluntarily at any time.
We use a regulated identity-verification provider, Didit (didit.me), to perform this check. Didit performs a one-time identity-document scan plus a passive liveness selfie on its own domain. The biometric, document-image, and document-content data is processed by Didit and is governed by the Didit Privacy Policy. Didit acts as our processor for the verification step under a written Data Processing Agreement and as an independent controller for any further processing it carries out under its own privacy notice.
What we receive and store. Phytoventures does not receive or store your identity document, photograph, biometric template, name, date of birth, identity-document number, address, or any other field extracted from your document. We receive and store only the verification session identifier, the date the verification was completed, and the final decision (approved or declined). This minimal record is what allows us to demonstrate compliance.
Lawful bases. Our processing for age verification is necessary for compliance with a legal obligation to which we are subject (UK GDPR Article 6(1)(c)) and is necessary for reasons of substantial public interest, namely safeguarding children at risk and the prevention or detection of unlawful acts (UK GDPR Article 9(2)(g) and Schedule 1, Part 2, paragraphs 6 and 10 of the Data Protection Act 2018).
No staff override. The verification flag, once raised on an account, cannot be cleared by any member of Phytoventures staff. It is cleared only by a successful approved decision from Didit. This design is deliberate and supports the integrity of our safeguarding controls.
9. Cookies and similar technologies
Plain English: This section explains how cookies/trackers are used and how consent/control works where required.
If we operate a website, store, launcher, or portal, we may use cookies or similar technologies for:
- authentication and session management;
- security and fraud prevention;
- remembering preferences;
- analytics and performance monitoring; and
- store functionality.
Where required by law, we will request your consent before using non-essential cookies or similar technologies.
10. Sharing personal data
Plain English: This tells you who data may be shared with (processors, providers, legal authorities) and why.
We may share personal data with:
10.1 Service providers and processors
Including providers of:
- hosting and infrastructure;
- content delivery and DDoS protection;
- payment processing and fraud screening;
- analytics, logging, monitoring, and diagnostics;
- email, helpdesk, and support systems;
- moderation, anti-cheat, and security tools;
- cloud storage, backup, and database services; and
- community management platforms.
These providers process personal data on our behalf under contractual controls where required.
10.2 Community and platform integrations
Where you choose to link or use third-party community or platform accounts, relevant identifiers and usage data may be shared as necessary to operate the integration. This includes the FiveM / CitizenFX multiplayer framework on which our game server runs; your connection to the game server is also subject to Cfx.re's own Terms of Service and privacy notice.
10.2a Identity-verification partner (Didit)
Where we are required to verify your age, or where you opt in voluntarily, we share a per-session technical identifier (in the form rpp_player_<internal-id>) with our verification partner Didit so they can return the decision to your account. We do not share with Didit any account credential, payment data, character data, or in-game activity. The identity document and biometric data you submit to Didit are received and processed by Didit on its own infrastructure under its own privacy notice.
10.3 Professional advisers and corporate parties
We may share personal data with legal advisers, accountants, auditors, insurers, bankers, investors, purchasers, or prospective purchasers of our business or assets, subject to appropriate safeguards.
10.4 Authorities and legal compliance
We may disclose personal data where reasonably necessary to:
- comply with a legal obligation, lawful request, court order, or regulatory requirement;
- investigate fraud, abuse, security incidents, or unlawful activity;
- protect the rights, property, or safety of Phytoventures, our users, staff, or third parties; or
- establish, exercise, or defend legal claims.
11. International transfers
Plain English: This explains what safeguards are used if data is processed outside the UK.
Some of our service providers may process personal data outside the United Kingdom.
Where we transfer personal data internationally, we will take steps required by applicable law to ensure appropriate safeguards are in place. These may include:
- transfers to countries recognised as providing an adequate level of protection; or
- approved contractual safeguards, such as the UK International Data Transfer Agreement or equivalent permitted mechanisms.
You may contact us for further information about the safeguards used for relevant transfers.
12. Retention
Plain English: This outlines how long different categories of data are normally kept.
We keep personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, including legal, accounting, dispute-resolution, security, and enforcement purposes.
Typical retention periods may include:
- Account data: for the life of the account and for up to 24 months after last activity, unless a longer period is justified.
- Transaction and accounting records: for up to 6 years after the end of the relevant financial year or longer where required by law.
- Support tickets and correspondence: typically up to 24 months after closure, unless needed for an ongoing dispute or legal issue.
- Moderation, ban, anti-cheat, and security records: for as long as reasonably necessary to protect the Service, enforce our rules, prevent repeat abuse, or defend legal claims, which may in some cases extend beyond account closure.
- Server logs, diagnostics, and technical logs: typically 30 days to 12 months, depending on purpose and operational need.
- Backup data: retained in rolling backups for a limited period, typically up to 90 days, unless required longer for disaster recovery or legal hold purposes.
- Age-verification records (held by Phytoventures): the verification session identifier, the date of completion, and the final decision (approved or declined) are retained for the lifetime of your account and for up to 6 years after account closure, as a record that we complied with our safeguarding and age-assurance obligations under the Online Safety Act 2023 and UK GDPR.
- Age-verification records (held by Didit): identity-document images, biometric data, liveness data, and underlying decision records are retained by Didit under its own retention schedule and privacy notice. You may exercise data-subject rights in relation to that data directly with Didit; see the Didit Privacy Policy.
We may retain data for longer where necessary to comply with legal obligations, resolve disputes, enforce agreements, or protect legitimate interests.
12a. Account deletion
Plain English: This explains what happens when you request deletion, what is removed, and what must be retained (for example, certain ban records).
You can request deletion of your account at any time from your portal at ucp.roleplayproject.net/settings. How the request is handled depends on whether your account is currently banned.
Un-banned accounts, 10-day waiting period
If your account is not banned at the time of the request, deletion is held in a pending state for 10 calendar days. The window exists to protect you from accidental deletion, account compromise, and coerced deletion. The 10-day timer cannot be shortened by you or by staff, this is a deliberate safety property, not a customer-service decision.
During the window you can cancel by signing back in and choosing "Cancel deletion" on the same settings page. When the window elapses, an automated job permanently removes your account and emails you a confirmation. Once finalised the account cannot be recovered; you would need to register a new one if you decide to return.
What is permanently deleted: your username, email address, password, IP address, hardware ID, serial, characters, vehicles, properties, in-game money, inventory, Bleeter posts, messages, friends, card collection, market listings, match history, applications, trusted devices, two-factor secret, and Discord link. A non-identifying anonymous shell row is retained so that historical references created by other users (for example a faction membership someone else granted you, or a chat message someone else sent) do not leave dangling pointers. That shell contains no personal data and is not user-searchable.
Banned accounts, immediate deletion with a retained ban record
If your account is banned at the time you request deletion, the deletion happens immediately and we email you to confirm. However, the following narrow set of fields is retained permanently alongside your ban record, regardless of any subsequent deletion request:
- your username;
- your email address;
- the IP address recorded against the ban;
- the hardware ID and serial recorded against the ban;
- the reason for the ban, the issuing administrator and the date.
The legal bases for this retention are:
- UK GDPR Article 6(1)(f) and Article 17(3)(e) (and the equivalent EU GDPR provisions): processing necessary for our legitimate interests in maintaining the integrity of the Service and for the establishment, exercise, or defence of legal claims;
- UK Data Protection Act 2018, Schedule 2, Part 1, paragraph 5: exemption from the right to erasure where retention is necessary for the prevention or detection of conduct that contravenes the law or our terms of service;
- Our Terms of Service: by agreeing to the ToS at registration you acknowledge that a ban issued by Phytoventures Ltd is a contractual measure we are entitled to maintain and enforce against repeat circumvention.
The retained fields exist solely to detect attempts to evade an existing ban via re-registration. They are not used for marketing, profiling, or any purpose outside enforcement. If you wish to challenge the underlying ban, you may appeal through the Discord support process; the retention is separate from the appealability of the ban itself.
Backups
Production database backups containing your data are rotated out within 30 days of finalised deletion under our standard backup-retention policy. We do not restore individual accounts from backup.
Confirmation emails
We send you an email at three points in the lifecycle, where applicable: (1) when a scheduled deletion is registered, with the exact completion timestamp; (2) when an immediate (banned-account) deletion is finalised; and (3) when a scheduled deletion runs at the end of its 10-day window.
13. Data security
Plain English: This summarizes the technical and organizational controls used to protect your data.
We implement appropriate technical and organisational measures designed to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
These measures may include:
- access controls and role-based permissions;
- encryption or pseudonymisation where appropriate;
- logging and monitoring;
- backup and recovery controls;
- vendor due diligence;
- security patching and vulnerability management; and
- incident-response procedures.
No system can be guaranteed to be completely secure. You are responsible for maintaining the security of your own account credentials, devices, and connection.
14. Automated decision-making
Plain English: This explains how automated anti-cheat/security signals are used and how human review can apply.
We may use automated tools, rules, and signals to detect spam, fraud, cheating, exploit abuse, suspicious transactions, linked accounts, or other misuse.
These tools may assist moderation and security decisions. Where required by law, we will provide appropriate safeguards in relation to decisions based solely on automated processing that produce legal or similarly significant effects.
If you believe an automated process has affected you unfairly, you may contact us to request a review.
15. Your rights
Plain English: This lists your privacy rights, such as access, correction, deletion, objection, and portability.
Subject to applicable law and any relevant exemptions, you may have the right to:
- request access to your personal data;
- request correction of inaccurate or incomplete personal data;
- request erasure of personal data in certain circumstances;
- request restriction of processing in certain circumstances;
- object to processing based on legitimate interests;
- object to direct marketing;
- receive certain personal data in a portable format;
- withdraw consent where processing is based on consent; and
- complain to the Information Commissioner.
To exercise your rights, contact us using the details above. We may ask for information necessary to verify your identity before responding.
16. Complaints
Plain English: This explains how to raise a complaint with us and your right to contact the ICO.
If you have concerns about how we process your personal data, we ask that you contact us first so we can try to resolve the issue.
You also have the right to lodge a complaint with the Information Commissioner's Office if you believe your data protection rights have been infringed.
17. Children
Plain English: This confirms the service is 18+ and describes safeguarding and verification steps when needed.
The Service is for users aged 18 and over. It is not directed at, or intended for, children, and we do not knowingly collect or process personal data of children.
We operate the Service consistently with the standards in the UK Information Commissioner's Office Age Appropriate Design Code (Children's Code) and with our duties under the Online Safety Act 2023. Where we have reasonable cause to believe an account is held by a child, or where any safeguarding signal otherwise requires it, we will require the account holder to complete age verification through our partner Didit before continuing to use the Service. See section 8.1 above.
If we determine that we have collected personal data from a person under 18, we will close the relevant account and delete or restrict the personal data, except records we are required to keep for safeguarding, fraud-prevention, and legal-defence purposes.
If you believe a child has provided personal data to us inappropriately, please contact us using the details in section 19.
18. Changes to this Privacy Policy
Plain English: This section explains how updates to this policy are published and communicated.
We may update this Privacy Policy from time to time to reflect changes to the Service, technology, legal requirements, or our processing practices.
The updated version will be posted with a revised effective date. Material changes may also be notified by appropriate additional means.
19. Contact
Plain English: This gives the formal legal and company contact details for privacy and policy matters.
Phytoventures Ltd
Company number: 16388003
Address: Belmont Suite, Chorley New Road, Horwich, Bolton, England, BL6 6HG
ICO registration number: ZC041842
Data protection contact: [email protected]
General contact: [email protected]