Legal

Privacy Policy

Last updated July 2026

We take privacy seriously. This policy explains what personal data we collect, why, how long we keep it, and your rights under UK GDPR.

1. Who is the data controller

LIMITLESS is the data controller for personal data processed through this platform. Contact us via the LIMITLESS Discord server.

2. What we collect and why

We collect the following categories of personal data:

Account data (from Discord)

Usage data

Content you submit

Watermarking

Every video stream is overlaid with a per-viewer watermark that includes your display name, email address, and IP address. This is visible only to you during playback and exists to deter piracy.

3. Cookies

We use only strictly necessary cookies — the session cookie issued by NextAuth to keep you signed in, and supporting CSRF cookies. We do not use analytics, advertising, or tracking cookies. No cookie banner is required for strictly necessary cookies under UK PECR.

4. Who we share data with

We share data only with these processors:

We do not sell or rent your personal data to anyone. We do not use it for advertising. We do not share trading P&L, journal entries, or screenshots with other members — admins can access this data solely for support, moderation, and homework review.

5. International transfers

Our processors may store data in the EU, UK, or US. Where data leaves the UK/EEA, the transfer is covered by appropriate safeguards (such as UK IDTA, Standard Contractual Clauses, or adequacy decisions).

6. How long we keep your data

7. Your rights under UK GDPR

You have the right to:

You can exercise the right to erasure immediately by visiting your /account page and clicking “Delete my account” — this removes your data from our database and storage within 30 days. For other requests, contact us via the LIMITLESS Discord server.

If you believe we have mishandled your data, you have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.

8. Security

We use industry-standard security: HTTPS everywhere, signed-URL access to video files with short expiry, password-less Discord OAuth (no passwords stored), session cookies marked HttpOnly + Secure + SameSite, and least-privilege admin access. No system is perfectly secure; in the event of a personal data breach affecting you, we will notify you and the ICO within 72 hours as required by UK GDPR.

9. Changes to this policy

Material changes to this policy will be announced via the platform and Discord server. Continued use after changes take effect constitutes acceptance.