MCraft Box — MCPE mods, maps, skins & textures (unofficial fan app)
MCraft Box is an independent application for discovering, downloading, and sharing mods, maps, skins, and texture packs for Minecraft Bedrock Edition. It is not affiliated with, endorsed by, or connected to Mojang Studios or Microsoft Corporation. "Minecraft" is a trademark of Mojang Synergies AB.
"We", "us", or "our" refers to the MCraft Box team. "You" or "user" means anyone who installs or uses the app.
When you sign in with Google, we receive a verified Google identity token. From that token we store:
| Field | What it is | How it is stored |
|---|---|---|
| Google account ID | Your Google account's permanent unique identifier — an opaque string, not your email | Stored as-is; used as your primary account key |
| Display name | The display name attached to your Google account at sign-in time | Stored as plain text after a profanity-filter check; truncated to 40 characters |
| Email hash | A one-way SHA-256 hash of your email address (lowercased, trimmed) | Stored as a hex string; the raw email address is never stored |
We never see or store your raw email address. The hash cannot be reversed to recover your email; it exists solely to help us detect duplicate accounts.
Refresh tokens — a SHA-256 hash of your refresh token (the raw token is never stored), along with an optional device fingerprint string that your device sends during login, a token family ID used for replay-attack detection, and an expiry timestamp. Refresh tokens expire after 30 days.
We maintain an append-only audit log of significant admin and moderation actions (for example, content bans). This log records the actor, action type, and the affected record identifier. It cannot be modified or deleted — only appended.
| Data | Purpose |
|---|---|
| Google account ID | Unique account identification; lets you resume your account by signing in with the same Google account |
| Display name | Shown alongside your comments, ratings, community posts, and leaderboard entries |
| Email hash | Account deduplication; not used for any other purpose currently |
| Comments, ratings, community activity | Providing the community and social features of the app |
| Download events | Calculating download counters shown on mod pages; fraud prevention |
| XP events and check-ins | Running the gamification system (levels, streaks, leaderboard) |
| Refresh token hash | Authenticating your ongoing sessions; detecting stolen or replayed tokens |
| Audit log | Moderation accountability and security forensics |
The following information is public — any user of the app can see it:
The following is not visible to other users:
The app does not collect device identifiers, advertising IDs, GPS location, contacts, or other sensor data.
Standard server request logs (IP address, timestamp, HTTP method, response status) are generated by the web server infrastructure for security and operational purposes. These logs are not linked to user accounts in the application database and are subject to standard server log retention practices.
An optional device fingerprint string may be sent by the app at login time. This is a short opaque identifier used only for session management (distinguishing sessions across devices); it is stored in the refresh token record and is not used for cross-app tracking or advertising.
| Data | Retention |
|---|---|
| Active user account | Retained while the account exists |
| Comments, ratings, community content | Retained while the account exists; see Section 8 for deletion |
| XP events and check-ins | Retained while the account exists |
| Download events | Retained indefinitely (statistical; anonymized by account deletion) |
| Refresh tokens | Expire after 30 days; revoked tokens are retained with a revocation timestamp for fraud detection |
| Audit log | Retained indefinitely (append-only, immutable by design) |
You can delete your account at any time from within the app (Profile screen). When you delete your account:
[deleted].[deleted].Deletion is irreversible. XP events and download events that referenced your user ID are unlinked or retained as anonymous records for statistical integrity.
We do not collect date of birth, and we do not require age verification during sign-up.
MCraft Box is not directed at children under 13. We do not knowingly collect personal information from children under 13 without verifiable parental consent. If we become aware that we have collected such data without consent, we will delete it promptly.
| Service | Purpose | Their privacy policy |
|---|---|---|
| Google Sign-In (Google LLC) | Authentication — you authenticate with your Google account | policies.google.com/privacy |
| Google Play Billing (future) | If paid features are introduced, payment processing will be handled entirely by Google Play; we will never receive raw card details | play.google.com/about/play-terms |
We do not sell your personal data. The current version of the app contains no third-party analytics SDKs and no advertising SDKs.
Depending on your location, you may have rights to access, correct, or delete your personal data, or to object to or restrict certain processing. To exercise these rights, contact us at [email protected]. Account deletion (Section 8) can be done directly in the app without contacting us.
If we make material changes to this policy, we will update the effective date at the top of this page and provide notice through the app before the changes take effect. Continued use of the app after changes take effect constitutes acceptance of the updated policy.
Email: [email protected]
For privacy inquiries, account deletion requests, or reports of potential data issues, please use the subject line "Privacy Request".