Privacy Policy
Last updated: 14 July 2026
1. Who we are
WA2GO is a community platform for sharing WeakAuras for World of Warcraft. This policy explains what personal data we process, why, and the rights you have over it.
The identity of the data controller and how to contact us are set out in our Legal Notice.
2. Data we collect
Account data: your username, email address, and a securely hashed password (we never store your password in clear text). For accounts created via Google or Discord, we store the provider, the provider email and username, and a provider identifier — never any provider password or access token.
Content you create: the WeakAuras you publish (including their versions and images), comments, and likes.
Preferences: your chosen interface language and theme.
We do not use any analytics, advertising, or third-party tracking.
3. Purposes and legal bases
Providing the service (creating and managing your account, publishing and displaying your content): performance of our Terms of Service (contract).
Recording your acceptance of the Terms and this Policy at registration: your consent, which is stored as proof (policy version and timestamp).
Keeping the platform secure and preventing abuse: our legitimate interest.
4. Cookies and local storage
We only use cookies and local storage that are strictly necessary or functional. None of them are used for analytics, advertising, or tracking, so no consent banner is required — but we disclose them all here for transparency.
wa2go_token and wa2go_refresh_token (cookies): keep you signed in. Strictly necessary.
oauth_pending_token (cookie): temporarily carries your sign-in through the Google/Discord flow. Strictly necessary.
wa2go-theme (local storage): remembers your light/dark theme choice. Functional.
wa2go-locale (cookie): remembers your language choice so pages render in the right language. Functional.
5. Service providers (sub-processors)
We rely on a small number of providers to operate the service. They process personal data only on our behalf or as strictly needed to perform an action you request:
OVH (OVH SAS) — hosting and file storage, in France. Your account data and uploaded images are stored here.
Resend (Resend, Inc., United States) — delivery of account emails (verification, password reset). Receives your email address and username. Transfers are covered by the EU–US Data Privacy Framework and appropriate contractual safeguards.
Google (Google LLC, United States) and Discord (Discord Inc., United States) — only if you choose to sign in with them. The sign-in exchange shares your identifier, email, and username with us; these providers are covered by the EU–US Data Privacy Framework.
When self-hosted SMTP is used instead of Resend, email is delivered by the mail server chosen by the operator. Our host's details are given in the Legal Notice.
6. Data retention
We keep your account data for as long as your account exists. When you delete your account, your personal data (likes, linked OAuth accounts, avatar) is erased, and content intended to remain public (WeakAuras, comments) is anonymised rather than deleted.
Your recorded consent (policy version and timestamp) is kept as long as needed to demonstrate compliance.
7. Your rights
Under the GDPR you have the right to access, rectify, erase, and export your data, to restrict or object to processing, and to withdraw consent.
You can exercise the main rights directly from your account settings: use "Download my data" to obtain a machine-readable copy (access and portability), and "Delete my account" to erase your data.
For any other request, or to lodge a complaint, contact us using the details in the Legal Notice. You also have the right to lodge a complaint with your local data protection authority (in France, the CNIL).