Privacy Policy
Effective: July 1, 2026
What we store
- Account data: your email address, a salted hash of your password (scrypt - we cannot recover the password), and session records.
- Steam data: your SteamID64, Steam login name, persona name, avatar URL, your list of owned games (app IDs, names, playtime), and a Steam refresh token encrypted at rest with AES-256-GCM under a key derived per-user from a master key stored separately from the database.
- Service data: plan and hours balance, idling job status, feature settings, reviews you write, support tickets, and payment records (plan, amount, Stripe session ID - never card numbers; those go only to Stripe).
- Security data: signup IP and an audit log of security-relevant actions, retained 90 days.
What we never store
- Your Steam password. It is used once, in memory, to complete Steam's login handshake on our worker, then discarded. With the resulting refresh token, we never need it again.
- Your Steam Guard codes (single-use, discarded immediately).
- Card numbers or bank details (handled entirely by Stripe).
- Your Steam friends list, chat history, or inventory contents.
What we do with it
Run the service you signed up for: authenticate you, idle the games you chose, meter hours, process purchases, answer support tickets, and send transactional email (verification, resets, hour-exhaustion notices). We do not sell your data, do not share it with advertisers, and do not send marketing email unless you opt in.
Analytics & cookies
We use privacy-respecting product analytics (PostHog) to understand feature usage; no data is shared with ad networks. Cookies are limited to your session cookie, your language preference, and analytics. We don't run third-party advertising cookies.
Your rights (GDPR & equivalents)
- Export: request a machine-readable copy of your data via a support ticket; we deliver within 30 days.
- Deletion: delete your account yourself from Dashboard → Settings - immediate, one click plus confirmation. This deletes your profile, encrypted tokens, settings, and reviews. Payment records are retained only as long as tax law requires.
- Correction & objection: contact us and we'll fix or restrict processing where the law provides.
Retention & breach notice
Data is kept while your account exists and deleted with it (audit logs after 90 days, payment records per statutory retention). If a breach affects your data we will notify you by email without undue delay and within any legally mandated window.
Processors
We use vetted processors: Vercel (hosting), Neon (database), Hetzner (idling servers), Upstash (queues), Stripe (payments), Resend (email), PostHog (analytics), Cloudflare (CDN & bot protection). Each processes only what its role requires.
Contact
Privacy questions: open a ticket or email privacy@freesteamidler.com.