Legal Documents

Vespla Services & Extensions

This page describes how we handle your data and under which terms you may use our services:

Human Verification

IP Security

Privacy Policy

How we collect, use and protect your information

Last updated: 4 December 2025

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

Vespla Studios

Where we process personal data on behalf of a Developer, we may act as a processor. In such cases, the specific roles and responsibilities will be defined in a separate data processing agreement.

2. Categories of Data, Purposes and Legal Bases

Depending on the verification method chosen, we process the following categories of personal data in connection with the use of the Service:

2.1 General Usage Data

The following data may be processed when the Service is used:

technical log data (e.g. date and time of request, HTTP status, IP information which may be anonymized)
data for error analysis and security (e.g. log entries, internal IDs)

Purposes:

provision of the Service
ensuring stability and security
error analysis and detection of misuse

Legal bases:

Art. 6(1)(b) GDPR (performance of a contract or pre-contractual measures, in particular with Developers)
Art. 6(1)(f) GDPR (legitimate interest in operating a secure and stable Service)

2.2 Captcha Verification

The following data may be processed when using captcha verification:

captcha input data
technical data (e.g. browser or device information)
result of the captcha verification (passed / failed)

Purposes:

checking that the Service is used by a human user
protection against automated attacks and abuse (bots, spam)

Legal bases:

Art. 6(1)(f) GDPR (legitimate interest in protecting our systems and the Service)
Art. 6(1)(b) GDPR (where necessary to perform contractual obligations towards Developers)

2.3 IP Verification (only for verified Developers)

The following data may be processed when using IP verification:

user's IP address
randomly generated code internally linked to the IP address

We store only the random code in the Verification Token status; the IP address itself is accessible only within our internal systems.

Purposes:

performing IP-based verification for the respective Developer
detecting misuse and ensuring security

Legal bases:

Art. 6(1)(a) GDPR (user's consent to the processing of the IP address for verification)
Art. 6(1)(f) GDPR (legitimate interest in secure verification and prevention of abuse)

Consent is obtained before IP verification starts and may be withdrawn at any time with effect for the future. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

2.4 E-mail Verification

The following data may be processed when using e-mail verification:

user's e-mail address
verification code
status (verification successful / not successful)

Mandatory use:

the e-mail address is used to send a verification code and to validate it

Optional disclosure to Developer:

with the user's explicit consent, the e-mail address is stored in the Verification Token status and made available to the Developer
without consent, only the successful completion of the verification is stored; the e-mail address is not stored in the token status

Purposes:

performance of e-mail-based verification
optional disclosure of the e-mail address to the Developer (e.g. to link user accounts)

Legal bases:

Art. 6(1)(b) GDPR (performance of the e-mail verification as part of the Service)
Art. 6(1)(a) GDPR (consent to storing and disclosing the e-mail address to the Developer)

2.5 Discord and Roblox OAuth Login

The following data may be processed when using Discord or Roblox OAuth login:

OAuth provider (e.g. Discord, Roblox)
account ID with the respective platform (e.g. Discord ID, Roblox ID)
technical tokens or information that are necessary for handling the OAuth session (processed only temporarily)

We store only the account ID of the respective service in the Verification Token status.

Purposes:

performing verification via the relevant third-party account
allowing the Developer to associate a user with a third-party account

Legal bases:

Art. 6(1)(b) GDPR (performance of OAuth-based verification)
Art. 6(1)(f) GDPR (legitimate interest in secure and standardized verification)

The use of the third-party platforms (Discord, Roblox etc.) is subject to the respective providers' own privacy policies.

3. Storage Periods

Verification Tokens and their associated data are stored for a maximum of 10 days. After this period, the data are permanently deleted or anonymized, unless statutory retention obligations provide otherwise.

Log data for security and error analysis are usually stored for a shorter, technically necessary period but may be retained longer in justified individual cases (e.g. for investigation of attacks).

4. Recipients and Data Transfers

Access to Verification Tokens and their status is granted to:

the Developer who created the token
the Provider and any service providers (e.g. hosting providers) engaged by the Provider

Data are only disclosed to other third parties:

where necessary to fulfill contractual obligations
where required by law (e.g. to authorities)
where the user has expressly consented

Developers are responsible for any further processing of data they retrieve (e.g. e-mail address, account ID). Please refer to the Developers' own privacy policies.

5. Transfers to Third Countries

Personal data may be transferred to countries outside the EU/EEA (third countries), in particular:

where we use hosting or IT service providers located in such countries
where third-party providers such as Discord or Roblox are located in third countries

In such cases, we ensure that:

either an adequacy decision by the European Commission exists
appropriate safeguards are in place (e.g. standard contractual clauses)
a legally permissible derogation under Art. 49 GDPR applies

6. Rights of Data Subjects

Data subjects have the following rights under the GDPR, subject to the applicable conditions and limitations in the law:

Right of access (Art. 15 GDPR)
Right to rectification (Art. 16 GDPR)
Right to erasure (Art. 17 GDPR)
Right to restriction of processing (Art. 18 GDPR)
Right to data portability (Art. 20 GDPR)
Right to object (Art. 21 GDPR), in particular to processing based on Art. 6(1)(f) GDPR (legitimate interests)
Right to withdraw consent at any time (Art. 7(3) GDPR), with effect for the future. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

To exercise these rights, users may contact us at:

[contact details / e-mail]

7. Right to Lodge a Complaint

Data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement, if they believe that the processing of personal data concerning them infringes the GDPR.

8. Security

We implement appropriate technical and organizational measures to protect personal data against loss, misuse, unauthorized access, disclosure, alteration or destruction. Such measures include, for example:

access restrictions to systems
encryption of communication (where appropriate)
internal policies on data security

9. Automated Decision-Making / Profiling

We do not use automated decision-making, including profiling, within the meaning of Art. 22 GDPR that produces legal effects concerning users or similarly significantly affects them.

10. Amendments to this Privacy Policy

We may amend this Privacy Policy if legal or technical conditions change or if we introduce new features to the Service. The version of the Privacy Policy published at the time of use shall apply.

Terms of Service

Rules for using our verification services

Last updated: 5 December 2025

1. Scope and Provider

These Terms of Service govern the use of the verification service (the "Service") provided by:

Vespla Studios

The Service is intended for:

Developers, who generate and access verification tokens via the Provider's API ("Verification Tokens")
End Users, who complete verification via the Service

Any deviating terms and conditions shall only apply if expressly agreed in writing by the Provider.

2. Description of the Service

The Provider offers a technical infrastructure enabling Developers to create Verification Tokens.

A Verification Token may include the following verification methods:

Captcha verification (to check if a user is not a bot)
IP verification (available only to verified Developers)
E-mail verification
Discord OAuth login
Roblox OAuth login

2.1 Token Creation and Callback URL

When creating a Verification Token, a Developer may:

Specify a callback URL, to which the user will be redirected after successful verification
Choose the type(s) of verification to be used

2.2 Information to End Users

Before starting the verification process, the user is informed that:

which verification methods are used
which data will be processed
whether certain data (e.g. e-mail address) will be made available to the Developer
after successful verification, the user will be redirected to the Developer's callback URL

2.3 Data Stored in the Verification Token

The data generated in the course of verification are stored in the status of the Verification Token as follows:

Captcha: Only the information that the verification was successfully completed is stored.
IP verification: The IP address is internally linked to a randomly generated code. Only this code is stored in the Verification Token status; the IP address itself is not publicly available and is only accessible within the internal system.
E-mail verification:
- A verification code is sent to the user's e-mail address, which must be entered on the Provider's website.
- The user may optionally consent to having their e-mail address stored in the Verification Token status and made available to the Developer. If the user does not consent, the e-mail address will not be stored in the token status; verification can still be completed successfully.
Discord / Roblox login: Only the respective account ID (e.g. Discord ID, Roblox ID) is stored in the Verification Token status.

2.4 Storage Duration

All Verification Tokens and related data are stored for a maximum of 10 days. After this period, the token data are permanently deleted, unless statutory retention obligations require otherwise.

2.5 Access to Verification Token Data

Access to the status of a Verification Token and the related data is granted only to:

the Developer who created the token
the Provider, as necessary to operate and maintain the Service

3. Developer Accounts, API Keys and Verified Developers

Developers may create an account or otherwise obtain access to the Provider's API. API keys are generated to authenticate access to the Service.

3.1 Verification of API Keys

Each API key may be submitted by the Developer for verification. The Provider reviews the Developer and the intended use of the Service. After successful review, the API key may be flagged as "verified".

3.2 Access to Advanced Features

Only verified API keys gain access to certain advanced features, in particular:

use of the IP verification method.

3.3 Developer Obligations regarding API Keys

The Developer is obliged to:

keep its API keys confidential and protect them against unauthorized access
prevent misuse by third parties and immediately notify the Provider of any suspected misuse
use the API only in accordance with applicable law and these Terms of Service

4. Responsibilities and Obligations of Developers

The Developer is solely responsible for integrating the Service into its own applications and systems.

4.1 Data Protection Responsibilities

In particular, the Developer shall:

provide its end users with appropriate data protection information (e.g. in the Developer's own privacy policy)
enter into a data processing agreement (DPA) with the Provider where required by the GDPR or other applicable data protection laws
ensure that data subjects' rights (e.g. access, deletion) are respected within the Developer's own area of responsibility

4.2 Prohibited Uses

The Developer may not use the Service for unlawful purposes or in ways that infringe the rights of third parties, such as:

unlawful tracking or profiling
misuse of IP addresses
misuse of OAuth data
any other data processing that violates applicable laws

4.3 Transfer and Use of API Keys

Without the Provider's prior written consent, the Developer may not sell, sublicense or otherwise provide API keys to third parties, except to the extent technically required for operating its own application.

5. Use by End Users

End Users typically use the Service to verify themselves towards a Developer. The respective Developer remains the primary contact for the End User.

Use of the Service by End Users is generally free of charge, unless stated otherwise.

5.1 End User Obligations

End Users shall:

provide truthful information during verification
not misuse access credentials (e.g. e-mail, OAuth accounts)
not attempt to circumvent security mechanisms (e.g. captchas)

6. Availability and Changes to the Service

The Provider strives to keep the Service available at all times. However, unless expressly agreed otherwise, no specific availability or performance is guaranteed.

6.1 Temporary Restrictions

The Provider may temporarily restrict or interrupt the Service (e.g. for maintenance, updates, or security reasons).

6.2 Modifications and Further Development

The Provider may further develop and modify the Service, including features, interfaces and technical requirements, provided that such changes are reasonable for Developers and End Users.

7. Liability

7.1 Unlimited Liability

The Provider's liability is unlimited for:

death, personal injury or damage to health
intent or gross negligence
breach of a guarantee

7.2 Limited Liability for Slight Negligence

In cases of slight negligence, the Provider is liable only for breach of a material contractual obligation, i.e. an obligation whose fulfillment is essential for proper performance of the contract and on whose fulfillment the contracting party regularly relies. In such cases, liability is limited to the foreseeable, typical damage.

7.3 Exclusion of Further Liability

Any further liability of the Provider is excluded. Mandatory statutory liability (e.g. under product liability laws) remains unaffected.

7.4 Indemnification by Developers

The Developer shall indemnify the Provider against all claims by third parties arising from:

unlawful use of the Service by the Developer
unlawful use of the Service by users of the Developer's application

to the extent such use is attributable to the Developer (e.g. infringements of data protection law or personality rights).

8. Data Protection

Information on the processing of personal data within the Service is provided in the Provider's Privacy Policy.

8.1 Data Processing Agreement

Where the Provider processes personal data on behalf of the Developer (e.g. verification data), the parties shall conclude an appropriate data processing agreement (DPA), if and to the extent required by law.

9. Term and Termination

The use of the Service by Developers is generally for an indefinite term.

9.1 Termination by Developers

Developers may terminate use at any time with immediate effect by:

deleting their account or API keys
ceasing to use the Service

9.2 Termination by the Provider

The Provider may terminate provision of the Service or individual API keys for cause with immediate effect, particularly in cases of:

breach of these Terms of Service
misuse of the API (e.g. attacks, unlawful data use)
orders by authorities or courts

10. Amendments to the Terms of Service

10.1 Reasons for Amendments

The Provider may amend these Terms of Service for good reason (e.g. changes in law, expansion of the Service, security requirements), provided that such amendments are reasonable for Developers and End Users.

10.2 Information and Acceptance

Developers will be informed of planned amendments in an appropriate manner (e.g. by e-mail or via the dashboard).

If the Developer does not object within a reasonable period or continues to use the Service, the amended terms shall be deemed accepted.

10.3 Version Applicable to End Users

For End Users, the version of the Terms of Service published at the time of use shall apply.

11. Governing Law and Jurisdiction

These Terms of Service shall be governed by the laws of the Federal Republic of Germany, excluding the UN Convention on Contracts for the International Sale of Goods (CISG).

If the Developer is a merchant or a legal entity under public law, the exclusive place of jurisdiction for all disputes arising from or in connection with these Terms of Service shall be the Provider's registered office, Germany.

Important: This template is for informational and illustrative purposes only and does not constitute legal advice. Laws and regulations differ between countries and may change over time. You should have these documents reviewed and adapted by a qualified legal professional to ensure that they fully comply with the requirements applicable to your specific situation and jurisdiction.