SEPX Legal Center

01Overview & Controller

This Privacy Policy explains what personal information SEPX, LLC collects when you use our services, why we collect it, who we share it with, and the rights you have over it. In plain terms: we run Discord bots, we use technical signals (like your IP address and a device fingerprint) to stop people from cheating our free, ad-supported unlock system, and we never sell your personal data.

The short version

We are SEPX, LLC, the data controller for the information described here.
We collect Discord identifiers, the technical data needed to deliver and protect the SE Keys unlock system, and any content you submit to us through the Discord bots or support.
We use trusted processors such as Discord, AdMaven and Google (Gemini). We do not sell personal data.
You have rights to access, correct, delete and port your data, and to object — see Your Rights.

For the purposes of the EU General Data Protection Regulation (GDPR), the UK GDPR, and similar laws, the data controller responsible for your personal information is:

Controller	SEPX, LLC
Legal form	limited liability company (LLC)
Postal address	Zachary Naone, Ehrenbergstraße 16a, Scanbox 20900, 10245 Berlin, Germany
Data protection contact	[email protected] (Attn: Data Protection)

This Policy applies to the SEPX Discord bots (such as the SE Keys access and unlock system) and the websites that support them at SECRETEXPLOITS.xyz (collectively, the "Services"). It works alongside our Cookie Policy, Terms of Service and Contact page.

General notice, not legal advice

This Privacy Policy is a general statement of our practices for all users. It is not individualised legal advice and does not create rights beyond those granted by applicable law. If you need advice about your specific situation, please consult a qualified lawyer in your jurisdiction.

02Information We Collect

We collect three kinds of information: what you give us, what we collect automatically when you use the Services, and information generated by our systems (such as access keys and fraud scores).

Information you provide to us

Discord OAuth profile. When you sign in or link your Discord account, we receive your Discord user ID, username, avatar, and — only where you grant the relevant scope — your email address.
Content you submit. Any information, requests or other content you create, upload or send to us through the Discord bots or support.
Support messages. The content of any message you send us, including your email address and anything you choose to include.
Payment information. SE Keys Premium ($14.99 USD per month) is paid in cryptocurrency. We and our cryptocurrency payment provider process blockchain transaction data — such as the wallet address, transaction hash, amount and timestamp — to confirm and attribute your payment. We do not collect or store payment-card numbers.

Information we collect automatically

Network and device data: your IP address, User-Agent string, and an approximate location derived from your IP address.
Device and browser fingerprint: canvas and JavaScript signals combined into a device/browser fingerprint, used for fraud detection and anti-bypass enforcement.
Usage and event data: timestamps, click IDs, session IDs and other session metadata.
Cookies and local storage: small identifiers stored on your device, as described in our Cookie Policy.

Information from the unlock flow and Discord

AdMaven offer signals. When you complete a third-party AdMaven content-locker offer to unlock a key, we receive completion and verification signals for that offer.
Discord guild data. Where the bot operates, your guild (server) membership, roles, and the relevant server IDs.

Information our systems generate

Access keys generated for you and role grants recorded when access is provisioned.
Fraud risk scores calculated from the signals above.
Audit logs recording security and operational events.

The table below summarises the main categories and where they come from.

Category	Examples	Source
Discord identity	User ID, username, avatar, email (if granted)	You / Discord OAuth
Content you submit	Requests and other content sent via the Discord bots or support	You
Support & payment	Support messages; crypto wallet address, transaction hash, amount	You / crypto payment provider
Network & device	IP address, User-Agent, approximate location	Automatic
Fingerprint	Canvas & JavaScript signals	Automatic
Usage	Timestamps, click IDs, session IDs, cookies	Automatic
Unlock flow	AdMaven completion signals	AdMaven
Guild data	Membership, roles, server IDs	Discord
Generated	Access keys, fraud risk scores, audit logs	Our systems

03How We Use Information

We use your information to run the Services, keep the free unlock system fair and secure, and meet our legal obligations.

Provide the unlock service. Generate one-time links, verify completion of AdMaven offers, issue access keys, and grant or remove Discord roles.
Operate the Discord bots. Run the bot features you use and handle the requests and content you send through them.
Prevent fraud and abuse. Use the device fingerprint, IP address and request velocity to detect bypass attempts, bots and abuse of our anti-bypass system (which relies on random, unguessable click IDs and HMAC-signed, expiring one-time links).
Enforce rate limits using database-backed counters to protect the Services from overload and automated abuse.
Maintain security of our systems, investigate incidents, and keep audit logs.
Provide AI features using Google Gemini — for example, drafting support answers, producing guild insights, drafting notification text, and helping score borderline fraud cases. See Automated Decision-Making.
Understand and improve the Services through aggregate analytics.
Communicate with you about support requests, service notices and changes.
Comply with law and enforce our Terms of Service and Community Guidelines.

04Legal Bases (GDPR)

Where the GDPR or UK GDPR applies, we rely on the following legal bases to process your personal data.

Purpose	Legal basis
Providing the unlock system, keys, roles and bot features you request	Performance of a contract (Art. 6(1)(b))
Fraud prevention, anti-bypass, security and rate limiting	Legitimate interests (Art. 6(1)(f))
Improving and securing the Services; aggregate analytics	Legitimate interests (Art. 6(1)(f))
Non-essential cookies and any marketing communications	Consent (Art. 6(1)(a))
Keeping records and responding to lawful requests	Legal obligation (Art. 6(1)(c))

Where we rely on legitimate interests, we balance those interests against your rights and freedoms. You may object to such processing as described in Your Rights. Where we rely on consent, you may withdraw it at any time without affecting processing carried out before withdrawal.

05Cookies & Fingerprinting

We use cookies, local storage and device fingerprinting — some of it strictly necessary, some used to keep the unlock system honest.

Essential cookies keep you signed in, secure your session, and remember your progress through the unlock flow. We set our session cookies with httpOnly, secure and sameSite attributes.

Our device fingerprint (built from canvas and JavaScript signals) is used for fraud detection and anti-bypass enforcement so that a single user cannot abuse the free, ad-supported unlock system from many fake sessions. Note that third-party AdMaven offers set their own cookies and are governed by their own terms and privacy notices.

For full details and your choices, see our Cookie Policy.

06How We Share Information

We share personal data only with the service providers (processors) that help us run the Services, and only as needed. We do not sell your personal data.

Recipient	Purpose
Discord	Platform integration and OAuth login
AdMaven	Ad monetisation and content-locker offers (sets its own cookies and terms)
Google (Gemini)	AI features: support answers, guild insights, notification drafts, fraud assistance
Hosting & database providers	Infrastructure, storage and database services
Cryptocurrency payment provider	Processing crypto payments for SE Keys Premium and other paid products
Logging & security tooling	Audit logs, monitoring and abuse prevention

We do not sell personal data and we do not share it for cross-context behavioural advertising in the sense of the CCPA/CPRA. We may disclose information where required to do so by law, regulation, legal process or enforceable governmental request, or where necessary to protect the rights, property or safety of SEPX, our users or others, and to enforce our agreements.

Business transfers. If SEPX, LLC is involved in a merger, acquisition, financing, reorganisation or sale of assets, your information may be transferred as part of that transaction. We will require any successor to honour this Policy or notify you of any material change.

07International Transfers

Our operations span the United States and the European Union, so your data may be processed in more than one country.

SEPX, LLC is organised in the Delaware, USA, and our contact and mailing operations are in Berlin, Germany. Some of our processors (including those named above) are located in the United States and other countries. Where we transfer personal data out of the European Economic Area, the United Kingdom or Switzerland, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where relevant), or another lawful transfer mechanism. You may request more information about these safeguards using the contact details in Contact & Complaints.

08Data Retention

We keep personal data only for as long as we need it for the purposes described in this Policy, then delete or anonymise it.

Data	Retention
Device fingerprints	Pruned after approximately 30 days
Sessions	Purged after they expire
Access keys	Expire per-guild TTL (default 1 hour) and are threshold-purged
Role grants	Tracked until expiry
Audit logs	Retained for the operational and security period needed
Content you submit	Kept while needed to handle your request and as required by law

We may retain certain information for longer where required to comply with legal obligations, resolve disputes, prevent fraud and abuse, or enforce our agreements.

09Your Rights

Depending on where you live, you have rights over your personal data. We honour these rights for everyone, to the extent the law allows.

If the GDPR / UK GDPR applies to you

You have the right to:

Access the personal data we hold about you and obtain a copy.
Rectification of inaccurate or incomplete data.
Erasure ("the right to be forgotten") where applicable.
Restriction of processing in certain circumstances.
Data portability — to receive your data in a portable format.
Object to processing based on legitimate interests, including profiling.
Withdraw consent at any time where we rely on consent.
Lodge a complaint with a supervisory authority — for example, the Berlin Commissioner for Data Protection and Freedom of Information (the Berliner Beauftragte für Datenschutz und Informationsfreiheit, or BlnBDI).

If you are a California resident (CCPA / CPRA)

You have the right to:

Know what personal information we collect, use and disclose.
Delete personal information we hold about you, subject to exceptions.
Correct inaccurate personal information.
Opt out of the "sale" or "sharing" of personal information — note that we do not sell or share your personal information.
Non-discrimination for exercising your rights.

How to exercise your rights

Email us at [email protected] (Attn: Data Protection). We may need to verify your identity before acting on a request. Authorised agents may submit requests on your behalf where the law permits.

10Children's Privacy

The Services are not directed to young children, and we do not knowingly collect their personal data.

You must be at least 13 years old to use the Services. In the European Economic Area, where local law sets a higher digital-consent age, you must be at least 16. We do not knowingly collect personal information from children below the applicable minimum age. If you believe a child has provided us with personal data, contact us at [email protected] (Attn: Data Protection) and we will delete it promptly.

11Security

We use technical and organisational measures designed to protect your information from unauthorised access, loss or misuse.

Secrets are kept only in environment configuration, never in code or in the browser.
One-time links are HMAC-signed and expire automatically.
Database queries are parameterised to guard against injection.
Database-backed rate limiting and security headers with CORS controls.
An OAuth allow-list restricts access to admin dashboards.
Cookies are set httpOnly, secure and sameSite, and data is encrypted in transit.

No method of transmission or storage is perfectly secure. While we work hard to protect your data, we cannot guarantee absolute security.

12Automated Decision-Making

Our anti-fraud systems use automated logic to keep the free unlock service fair, but you can always ask a human to review a decision.

To prevent abuse, we calculate a fraud risk score from signals such as your device fingerprint, IP address and request velocity. A high score may automatically flag, throttle or block a session or unlock attempt. Google Gemini may assist in scoring borderline cases.

Where a decision produces legal effects or similarly significant effects on you within the meaning of Article 22 GDPR, you have the right not to be subject to a decision based solely on automated processing. You may request human review, express your point of view, and contest the decision by contacting us at [email protected] (Attn: Data Protection). A person will review your case and respond.

13Changes to this Policy

We may update this Privacy Policy from time to time as our Services and the law evolve.

When we make material changes, we will update the "Last updated" date shown at the top of this page and, where appropriate, provide additional notice through the Services. This Policy is effective as of June 6, 2026. Your continued use of the Services after an update takes effect means you accept the revised Policy.

14Contact & Complaints

If you have any questions about this Policy or how we handle your data, please get in touch.

Controller	SEPX, LLC
Data protection contact	[email protected] (Attn: Data Protection)
Postal address	Zachary Naone, Ehrenbergstraße 16a, Scanbox 20900, 10245 Berlin, Germany

You also have the right to lodge a complaint with a data protection supervisory authority. In Germany, the competent authority for SEPX is the Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI). You may also contact the authority in your own country of residence or place of the alleged infringement.

For other matters, see our Contact page, Terms of Service, Cookie Policy, DMCA Policy and Refund Policy.

General notice, not legal advice

This Privacy Policy is provided for general information and does not constitute legal advice. For guidance on your particular circumstances, consult a qualified professional.