Last updated: 24 Feb 2026

Privacy Policy

This personal, non-commercial project collects limited data to provide alerting features and platform security.

Data collected

  • Account data: username, email, password hash, terms-of-service acceptance timestamp.
  • Security data: TOTP secrets, recovery codes, passkey/WebAuthn credentials (encrypted at rest), authentication audit logs with IP addresses and user-agent strings for security and anti-abuse.
  • Session data: active session records (IP address + user-agent), used to show active sessions and allow individual revocation. Session metadata is deleted when sessions expire or are revoked.
  • OAuth data: linked provider accounts (Google, GitHub, Discord) and associated provider emails.
  • Alert configuration: rules, price/wear filters, StatTrak/Souvenir filters, sticker preference.
  • Notifications: webhook URLs (stored encrypted) and related metadata.
  • Avatar data: custom uploaded avatars and Gravatar display preferences.
  • Moderation data: account restriction history (sanctions, reasons, durations). Banned email addresses may be retained to prevent re-registration after permanent restrictions.
  • System logs: technical logs used to monitor performance and reliability.

Purposes and legal bases

  • Provide the alerting service and notifications (user request).
  • Security, fraud/abuse prevention, and audit trail (legitimate interest).
  • Account management and support (user request).

Retention

Data is kept only as long as needed for the purposes above. Authentication and audit logs are retained for a limited period necessary for security. Alerts and rules are kept while your account is active.

Cookies and tracking

Only strictly necessary technical cookies are used. No advertising, analytics, or third-party tracking cookies are present.

  • Authentication cookies (access token, refresh token): HttpOnly, Secure.
  • CSRF cookie: protects against cross-site request forgery attacks.
  • OAuth state cookies (temporary): used during OAuth flows and cleared afterward.
  • Cookie consent: stores your acknowledgement of the cookie banner.

Data sharing and hosting

Data is hosted in the European Union and is not sold. Webhook payloads are sent to destinations you configure. Infrastructure providers (hosting, email, notification services) act as sub-processors where applicable.

Your rights (GDPR)

  • Access, rectification, deletion, restriction, and portability of your personal data.
  • Objection to processing based on legitimate interest.
  • Withdraw consent (where applicable) without affecting prior processing.
  • View and revoke active sessions at any time from the settings page.
  • Export your personal data in machine-readable JSON format.
  • Lodge a complaint with your supervisory authority (Belgian Data Protection Authority - Autorité de protection des données).

Note: If your account is restricted, self-service export/deletion may be unavailable. You can still exercise your GDPR rights by contacting [email protected].

Contact

For privacy requests (access, deletion, questions), contact the operator at [email protected]. This is a personal, non-commercial project operated from Belgium.