Mboxer — Your Data

EVE SSO PERMISSIONS

What we request from EVE Online

Account Creation & Sign-In

Scope: none

When you sign in, Mboxer requests zero ESI scopes. We receive only your character name and character ID from EVE SSO — nothing else. This is the minimum required to identify your account.

CHARACTER LINKING

Connecting a Character

esi-skills.read_skills.v1

When you link a character for skill tracking, we request read-only access to that character's trained skills. This scope cannot modify anything in-game. You grant this per-character and can revoke it at any time.

NETWORK CONNECTIONS

External services contacted

Domain Purpose

login.eveonline.com OAuth authentication with EVE Online

esi.evetech.net EVE Swagger Interface — character search and skill data

images.evetech.net Character portrait images

Error tracking service Application error monitoring — sensitive data is scrubbed before transmission

Mboxer does not use third-party analytics, advertising networks, or tracking services.

STORED DATA

What we store

All data is stored in a database on the server. Nothing is shared with third parties. Here is exactly what we keep:

ACCOUNT

Username
Account creation date
Primary EVE character reference

CHARACTERS

Character name and portrait image
Account label and personal notes
EVE character ID
EVE authorization credentials (server-side only, never sent to your browser)
Cached skill data (server-side only, never sent to your browser)

ORGANIZATION

Activity groups (names, notes, canvas positions)
Ship doctrine certifications
Custom tags and categories
Sticky notes
Industry blueprint favorites

SESSION

One authentication cookie (secure, expires automatically)
No data stored in your browser beyond the session cookie
Session records (automatically cleaned up)

NOT COLLECTED

What we do not access

Mboxer has no ability to read or modify any of the following. These ESI scopes are never requested:

ISK balance or wallet

Assets or inventory

Mail or notifications

Contacts or standings

Market orders

Corporation or alliance roles

Location or ship fittings

Chat logs

Contracts

Planetary interaction

Fleet information

Any write access to your account

SECURITY

How we protect your data

This application undergoes regular penetration testing using source-code-aware tooling that validates real, reproducible exploits across OWASP Top 10 categories including injection, cross-site scripting, server-side request forgery, and authentication bypass.

EVE OAuth tokens are scoped to the minimum required permissions and are stored server-side only — they are never exposed to client-side code or sent to your browser.

DATA REMOVAL

How to delete your data

Disconnect EVE

Open your Roster, select a character, and click Disconnect. This revokes access with CCP's servers and clears all cached skill data for that character.

Delete a Character

Delete a character from your Roster to permanently remove their record, portrait file, group memberships, tags, ship certifications, and any EVE data.

Log Out

Logging out invalidates your session immediately. Session records are automatically cleaned up.

Delete Your Account

Permanently delete your account and all associated data from the Account page (accessible via the shield icon in the sidebar after signing in). This removes your account, all characters, portraits, activity groups, tags, sticky notes, ship certifications, industry favorites, and all active sessions. EVE OAuth tokens are revoked with CCP during deletion. This action is irreversible.

DATA EXPORT

Accessing your data

Signed-in users can export a complete copy of their data from the Account page.