FiveList

Privacy Policy

We are committed to protecting your privacy and ensuring transparency about how we collect, use, and protect your information.

Effective: June 8th 2025
Last Updated: June 19th 2025

1Overview

This Privacy Policy explains how FiveList ("we", "our", or "us") collects, uses, stores, and protects information collected through our platform. We are committed to protecting your privacy and ensuring transparency.

2What We Collect

We collect only the minimum required data to provide the Service. This includes:

From Discord OAuth

  • • Discord User ID
  • • Discord Username and Avatar
  • • Discord Server ID (when relevant)

From Application Forms

  • • Custom field responses
  • • Timestamps and IP region
  • • Application status

From Payments

  • • Stripe Customer ID
  • • Transaction metadata
  • • Subscription status

We DO NOT Store

  • • Credit card numbers
  • • Billing addresses
  • • Discord passwords

3How We Use This Data

We use this data to:

  • Authenticate users via Discord
  • Display and manage submitted whitelist applications
  • Send automated updates via Discord bot
  • Deliver services (e.g. role assignment, application tracking)
  • Handle payment processing and subscription status
  • Process voluntary humanitarian aid donation requests
  • Monitor performance and security

Palestinian Aid Program Data Handling:

  • • Donation requests are processed via Discord messages and recorded for transparency
  • • We store the donation amount, charity selection, and user preference for attribution
  • • Donation confirmations and receipts are provided via Discord or email
  • • No personal information is shared with charities unless explicitly requested by the user
  • • All donation records are kept for financial compliance and transparency purposes

4Cookies and Tracking

Cookies We Use
  • • Session management
  • • UI preferences
  • • Basic analytics (traffic, bounce rate)

We do not use third-party ad trackers or fingerprinting.

4ASocial Proof Notifications

Our website displays simulated signup notifications on the landing page to demonstrate platform activity and provide social proof to potential users. These notifications operate under the following principles:

Legal Basis and Justification:

  • Legitimate Interest: We have a legitimate business interest in demonstrating platform activity and building user confidence through social proof mechanisms
  • No Personal Data: All displayed server names and subscription plans are entirely fictional and do not reference any real users, servers, or transactions
  • Industry Standard Practice: Such social proof notifications are widely accepted marketing practices across SaaS platforms
  • Transparent Implementation: This disclosure satisfies regulatory requirements for transparency in automated marketing activities

Technical Implementation:

  • • Notifications are generated client-side using predetermined fictional server names
  • • Display intervals are randomized between 10 seconds and 2 minutes to simulate organic activity
  • • No actual user data, transaction records, or server information is accessed or displayed
  • • Users can dismiss notifications at any time via the close button

User Rights and Controls:

  • • Users may close individual notifications manually
  • • Notifications only appear on the public landing page and do not persist across sessions
  • • No personal data is collected, processed, or stored in connection with these notifications
  • • The feature serves marketing purposes and does not impact user privacy or data processing

This feature complies with applicable advertising standards and consumer protection regulations. The fictional nature of the displayed information ensures no misrepresentation of actual user activity or platform usage statistics.

5Data Storage

All data is stored on Google Firebase (Cloud Firestore & Cloud Storage), located in secure global data centers. All access is encrypted via SSL/TLS.

Backups are performed regularly and access to production data is restricted to authorized team members only.

6Discord-Specific Data

We operate a Discord bot that may:

  • Send DMs to applicants
  • Read messages only in designated channels (for logging or integration)
  • Fetch your username and ID for account linking

We do not mass-read or archive conversations. Bot permissions are limited to necessary scopes.

7Payment Data via Stripe

Payments are processed through Stripe. We never store:

  • Card numbers
  • CVV codes
  • Billing addresses

Stripe operates under its own Privacy Policy.

8Data Retention

Application Data

Retained while server remains active

Inactive Servers

Deleted after 90 days of inactivity

Transaction Data

Retained indefinitely for compliance

You may request deletion of your personal data at any time.

9Your Rights (GDPR, UK GDPR & US Privacy Laws)

Company Jurisdiction

FiveList is operated by Steelzz Development, a UK company. However, we respect and comply with applicable privacy laws for users in all jurisdictions, including US state privacy laws.

🇬🇧 UK & EU Users (GDPR/UK GDPR Rights)

If you're located in the UK or EU, you have the right to:

  • ✓ Access your personal data
  • ✓ Request correction or deletion
  • ✓ Data portability
  • ✓ Withdraw consent to use
  • ✓ Object to processing
  • ✓ File a complaint with authorities

🇺🇸 US Users (State Privacy Laws)

US users may have additional rights under applicable state privacy laws, including:

California (CCPA/CPRA)

  • • Right to know what data we collect
  • • Right to delete personal information
  • • Right to opt-out of data "sales" (not applicable)
  • • Right to non-discrimination

Virginia, Colorado, etc.

  • • Right to access and delete data
  • • Right to correct inaccuracies
  • • Right to data portability
  • • Right to opt-out of targeted advertising

Note: We do not sell personal data, engage in targeted advertising, or use data for profiling. Most commercial data practices covered by US privacy laws are not applicable to our service.

How to Exercise Your Rights:
Requests can be submitted via our Discord support team athttps://discord.gg/T9bAH5erft. We will respond to verified requests within the timeframes required by applicable law (typically 30 days).

10Sharing and Disclosure

We do NOT:

  • • Sell your data
  • • Share your data with advertisers
  • • Allow unauthorized third-party access

We only share data with:

  • Our infrastructure providers (e.g. Vercel, Firebase)
  • When legally required by law enforcement or court order

11Children's Privacy

FiveList is not intended for children under 13. If we learn that we've collected data from a minor, we will delete it immediately.

12Security Measures

Technical Security

  • • HTTPS everywhere (SSL)
  • • Access-controlled databases

Operational Security

  • • Rate limiting on operations
  • • Audit logging & recovery

13Changes to This Policy

We may revise this Privacy Policy periodically. If changes are significant, we will notify users via Discord and/or banner alerts.

14Intellectual Property & Branding Disclaimers

FiveList may feature images or artwork referencing Grand Theft Auto V, including character models and environmental assets. These are used exclusively for illustrative, branding, or instructional purposes in the context of roleplay content and are not representative of any endorsement or partnership.

FiveList is not affiliated with Rockstar Games, Take-Two Interactive, or the CFX.re platform.

All referenced trademarks and copyrights remain the property of their respective owners.

15International Compliance & Cross-Border Data Transfers

UK Company Serving Global Users

FiveList is operated by Steelzz Development, a company based in England and Wales, UK. We serve users globally including in the United States and comply with applicable laws in each jurisdiction.

🇬🇧 UK/EU Compliance

  • • Full compliance with UK GDPR and Data Protection Act 2018
  • • Appropriate safeguards for international data transfers
  • • ICO registration and compliance monitoring

🇺🇸 US Law Compliance

  • • Compliance with applicable federal privacy regulations
  • • State privacy law compliance (CCPA, Virginia CDPA, Colorado CPA, etc.)
  • • COPPA compliance for users under 13 (service not intended for children)
  • • Sectoral compliance where applicable (though FiveList is not in regulated industries)

🌍 Data Infrastructure

  • • Data stored in Google Firebase with global distribution
  • • Automatic data residency and compliance features
  • • Payment data processed through Stripe (US/EU entity) with appropriate safeguards
  • • No data transfers to countries without adequate protection

Legal Basis for Processing: We process data based on legitimate interests (service provision), contract performance (subscription services), and consent (where applicable). US users benefit from the same data protection standards as UK/EU users.

16Legal Basis for Processing (GDPR Article 6)

We process personal data on the following legal bases under applicable data protection laws:

Legitimate Interests (Art. 6(1)(f))

  • • Service provision and operation
  • • Security and fraud prevention
  • • Analytics and service improvement
  • • Customer support and communication

Contract Performance (Art. 6(1)(b))

  • • Account creation and management
  • • Subscription billing and payment
  • • Discord integration services
  • • Application processing features

Consent (Art. 6(1)(a))

  • • Optional analytics cookies
  • • Marketing communications (if applicable)
  • • Non-essential Discord permissions
  • • Data sharing with third parties

Legal Compliance (Art. 6(1)(c))

  • • Tax and accounting obligations
  • • Anti-money laundering checks
  • • Response to lawful requests
  • • Data breach notifications

Balancing Test: Where we rely on legitimate interests, we have conducted balancing tests to ensure our interests do not override your fundamental rights and freedoms. You may request details of our balancing test assessments.

17Data Breach Notification and Security Incidents

In the event of a personal data breach, we will comply with applicable notification requirements:

🚨 Breach Response Timeline

  • Within 72 hours: Notify relevant supervisory authorities (where required)
  • Without undue delay: Notify affected individuals if high risk to rights and freedoms
  • Immediate: Take measures to contain and remedy the breach
  • Documentation: Maintain records of all breaches and response actions

🔒 Security Measures

  • • Regular security assessments and penetration testing
  • • Employee training on data protection and security
  • • Access controls and principle of least privilege
  • • Encryption of data in transit and at rest
  • • Regular backup and disaster recovery procedures

Incident Reporting:

If you become aware of any potential security vulnerability or suspected data breach, please contact us immediately through our secure Discord support channel or direct message our administrators.

18Automated Decision-Making and Profiling

Limited Automated Processing

FiveList does not engage in automated decision-making or profiling that produces legal effects or significantly affects users. All application reviews and account decisions involve human oversight.

We may use automated systems for:

  • Spam detection and content filtering (with human review)
  • Technical system monitoring and error detection
  • Basic analytics and usage statistics
  • Automated billing and subscription management

Your Rights: You have the right not to be subject to purely automated decision-making. If we implement any automated decision-making in the future, we will notify you and provide opt-out mechanisms as required by law.

19Data Protection Impact Assessments (DPIA)

We conduct Data Protection Impact Assessments for processing activities that are likely to result in high risk to individual rights and freedoms. Our current processing activities have been assessed as low to moderate risk.

DPIA Triggers We Monitor

  • • Large-scale processing of special categories
  • • Automated decision-making with legal effects
  • • Systematic monitoring of public areas
  • • Processing of vulnerable persons' data

Risk Mitigation Measures

  • • Data minimization by design
  • • Regular privacy training for staff
  • • Technical and organizational measures
  • • Regular review of processing activities

20Supervisory Authorities and Complaint Rights

If you believe we have not complied with applicable data protection laws, you have the right to lodge a complaint with the relevant supervisory authority:

🇬🇧 United Kingdom

Information Commissioner's Office (ICO)

Website: ico.org.uk

Phone: 0303 123 1113

Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

🇪🇺 European Union

Contact your national data protection authority. A full list is available at:

European Data Protection Board

🇺🇸 United States

Contact relevant state attorney general offices for privacy law violations:

California: California Attorney General

Federal: Federal Trade Commission

Complaint Resolution:

We encourage you to contact us first to resolve any concerns. However, you have the right to lodge a complaint with supervisory authorities without prejudice to any other administrative or judicial remedy.

21Contact and Data Protection Officer

For privacy-related inquiries, data subject requests, or general questions about this policy:

General Privacy Inquiries

Discord Support:
https://discord.gg/T9bAH5erft

Data Subject Requests

For GDPR/privacy law requests (access, deletion, portability), please contact us via Discord with:

  • • Your Discord username and ID
  • • Specific request type
  • • Verification of identity

Data Protection Officer (DPO):

As a small UK company, we are not required to appoint a formal DPO. However, privacy matters are handled directly by our management team and we maintain relationships with external privacy counsel for complex matters.