Privacy policy
Last updated: April 2026 (DPO designated + LGPD 15-day SLA)
1. Data we collect
Steam OpenID authentication. When you log in with Steam, we receive only public profile data: SteamID64, display name, avatar, and public URL. We never have access to your Steam password, hidden inventory items, or any private account information.
Transactions you record. Skin purchases and sales you manually add (or import via Steam history) are stored in the database linked to your SteamID64. They are used exclusively to compute your P&L and cost basis.
Watchlist preferences. Skins marked as favorites and price alerts live in your browser (localStorage) and, when authenticated, are mirrored on the server for cross-device sync.
Newsletter (optional). If you subscribe to the newsletter, we store your email + confirmation timestamp. Nothing else. Processed via Resend (transactional email provider).
2. Data we do NOT collect
- Passwords, Steam API tokens, or Valve sessions
- Banking data, government IDs, card numbers — the site does not process payments
- Precise geolocation (we use IP only for API rate limiting, without storing it)
- Browsing history on other sites
- Google Analytics, Facebook Pixel, TikTok Pixel, or any other tracker that ties behavior to a real person
3. Cookies
We use a single essential cookie: skin_tracker_session (HTTP-only, sealed with iron-session, which encrypts and authenticates the value so it cannot be read or forged on the client side). It only stores your authenticated SteamID64 to keep the session active across requests. Duration: 30 days, or until you log out.
No tracking, advertising, or analytics cookies are set — Plausible (described below) is 100% cookieless.
4. Aggregated analytics (Plausible)
We use Plausible, an open-source analytics tool hosted in the European Union, cookieless and with no personal data. It tells us how many people visit each page, from which country (country only, not city), which browser they use, and which site they came from (referrer). All aggregated — never tied to a specific person.
What it does NOT do: does not set cookies, does not use browser fingerprinting, does not retain your IP (used only to compute the daily session hash, then immediately discarded), does not cross-reference other sites, does not sell anything to third parties.
The custom events we track are product-only — for example, "someone subscribed to the newsletter" (without saying who) or "someone clicked an external Steam link". These help us understand which content works and which doesn't.
4b. Session replay and bug reports (PostHog + Sentry)
Added on 2026-04-29 to close the qualitative gap left by Plausible: while Plausible tells us HOW MANY visit, PostHog shows us WHERE they get confused or click.
PostHog (session replay): we record the visual interaction of your session (clicks, scroll, mouse movement, page navigation). We do NOT record the content of input fields (search, forms) — every <input> and <textarea> is masked before leaving your browser. We do NOT record audio, video, or your personal inventory. Replay has 30-day retention and is private to the Skin Trackers team.
Sentry (bug reports): unhandled JavaScript errors (e.g. a page crashes for you) are sent to Sentry with stack trace + the last 10s of session replay for that specific session. Session cookies and admin tokens are stripped before sending (explicit sanitization in sentry.client.config.ts). The floating "Report feedback" button lets you send a bug or suggestion proactively — email/name are optional.
How to opt out: install a privacy browser extension (uBlock Origin, Privacy Badger). Both PostHog and Sentry are blocked on the default lists. You lose no site functionality — we just won't know if something broke during your session.
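The kind of sanitization hook described above, as an added JavaScript example. It is not the project's sentry.client.config.ts (whose contents this page does not show), but a beforeSend-style function over a Sentry-shaped event object. The cookie name skin_tracker_session comes from section 3; the sensitive-key pattern, the helper names and the sample event are assumptions constructed for the example.

```javascript
// Added example (not the project's own config): a beforeSend hook that strips the
// session cookie and anything that looks like a token before an event leaves the browser.

const SESSION_COOKIE = "skin_tracker_session";            // from section 3 of the policy
// Assumed pattern: over-redaction is the safe direction, so it is deliberately broad.
const SENSITIVE_KEY = /(cookie|authorization|token|secret|session|api[-_]?key)/i;

// Drop only the session cookie from a raw Cookie header, keep harmless ones (theme, lang).
function stripSessionCookie(cookieHeader) {
  return cookieHeader
    .split(";")
    .map((c) => c.trim())
    .filter((c) => c && !c.startsWith(SESSION_COOKIE + "="))
    .join("; ");
}

// Remove query parameters whose name looks sensitive (e.g. ?token=...).
function scrubUrl(url) {
  try {
    const u = new URL(url);
    for (const k of [...u.searchParams.keys()]) {
      if (SENSITIVE_KEY.test(k)) u.searchParams.delete(k);
    }
    return u.toString();
  } catch {
    return url; // relative or malformed URL: leave it alone
  }
}

// Recursively copy an object, replacing values under sensitive-looking keys.
function redact(value, depth = 0) {
  if (depth > 10 || value === null || typeof value !== "object") return value;
  if (Array.isArray(value)) return value.map((v) => redact(v, depth + 1));
  const out = {};
  for (const [k, v] of Object.entries(value)) {
    out[k] = SENSITIVE_KEY.test(k) ? "[Filtered]" : redact(v, depth + 1);
  }
  return out;
}

// Shape follows Sentry's beforeSend(event, hint): return the event to send, or null to drop it.
// The input is never mutated, so a caller can still log the original locally.
function beforeSend(event) {
  const e = { ...event };
  if (e.request) {
    e.request = { ...e.request };
    if (e.request.headers) {
      const headers = {};
      for (const [k, v] of Object.entries(e.request.headers)) {
        if (k.toLowerCase() === "cookie") headers[k] = stripSessionCookie(v);
        else headers[k] = SENSITIVE_KEY.test(k) ? "[Filtered]" : v;
      }
      e.request.headers = headers;
    }
    if (e.request.cookies) {
      const { [SESSION_COOKIE]: _dropped, ...rest } = e.request.cookies;
      e.request.cookies = rest;
    }
    if (e.request.url) e.request.url = scrubUrl(e.request.url);
  }
  if (e.extra) e.extra = redact(e.extra);
  if (e.contexts) e.contexts = redact(e.contexts);
  if (e.breadcrumbs) {
    e.breadcrumbs = e.breadcrumbs.map((b) => ({ ...b, data: redact(b.data) }));
  }
  return e;
}

// Constructed sample event (not real traffic) to exercise the hook.
const sampleEvent = {
  message: "TypeError: cannot read properties of undefined",
  request: {
    url: "https://skintrackers.com/history?token=abc123&page=2",
    headers: {
      Cookie: "theme=dark; skin_tracker_session=Fe26.2**deadbeef; lang=pt",
      Authorization: "Bearer admin-token",
      "User-Agent": "Mozilla/5.0",
    },
    cookies: { theme: "dark", skin_tracker_session: "Fe26.2**deadbeef" },
  },
  extra: { apiKey: "sk_live_123", steamId64: "76561198000000000" },
  breadcrumbs: [{ category: "fetch", data: { url: "/api/sync", authToken: "xyz" } }],
};

const scrubbed = beforeSend(sampleEvent);
console.log(JSON.stringify(scrubbed, null, 2));
```

The hook is registered by passing it as the `beforeSend` option when initializing the SDK; the redaction list is intentionally broad because a false positive only costs a debugging detail, while a miss ships a credential to a third party.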
5. Third-party sharing
We do not sell, trade, or share your data with third parties for commercial purposes. The only data processors are:
- Valve — for OpenID login validation (standard protocol, no additional data sent)
- Resend — for sending the newsletter, when applicable (only confirmed subscriber emails)
- Banco Central do Brasil — public USD/BRL FX API and CDI series (no user data sent)
- Plausible — aggregated, cookieless analytics with no personal data (see section 4)
- PostHog — session replay + heatmaps with mandatory input masking (see section 4b). Hosted in the US (data residency) — we use the community-edition free tier. 30-day retention.
- Sentry — error tracking + bug-report widget with cookie/token sanitization before sending (see section 4b)
5b. Browser extension (optional)
Skin Trackers offers an optional Chrome extension that helps sync Steam Market history and contribute historical price backfill for the STI indices. The extension is 100% optional — the site works normally without it.
What the extension does in YOUR browser:
- Reads your Steam session cookies (only in the context of steamcommunity.com, never cross-site) to access authenticated endpoints such as transaction history and public price history.
- Performs local fetches of Steam data using your session (just like you browsing manually).
- Sends the processed result (public prices, NEVER your cookies) to the Skin Tracker server via authenticated token.
What does NOT happen:
- The Skin Trackers server never receives your Steam cookies — they stay in your browser.
- The extension never reads data from other sites (Gmail, banking, etc.): scope is restricted to steamcommunity.com and skintrackers.com via host_permissions in Manifest V3.
- No scraping runs without explicit human action: every operation requires a click + consent modal before starting.
Risk transfer (important): when authorizing history backfill (the "Contribute history" button in the extension popup), you use your Steam account to make requests to Valve. Valve may, in rare cases, apply a 24h cooldown if it detects abnormal volume — this risk falls on your account, not on Skin Trackers. We recommend using a real primary Steam account (not throwaway) and respecting the human-paced 4s gap between requests configured in the extension.
Right not to use: you can uninstall the extension at any time (Chrome → Extensions → Skin Trackers → Remove). Already-contributed data remains in our DB because it is public market data (Steam prices), not personal data. To delete personal data linked to your SteamID64, see Section 6 (LGPD).
Steam terms (SSA §5C): section 5C of the Steam Subscriber Agreement prohibits "automated systems for accessing Services". We argue fair use based on (a) explicit human trigger, (b) human-paced rate (≥4s), (c) endpoint public to logged-in users, (d) no resale of data. This analysis is our interpretation — not a final legal decision. In case of disagreement from Valve, the operation will be discontinued immediately.
6. Your rights (LGPD)
You have the right, at any time, to:
- Access all data associated with your SteamID64 (available within the app itself, in /inventory and /history)
- Export your transaction base in CSV
- Delete your account and all associated data (request via /about)
- Unsubscribe from the newsletter via the link in any email sent
Response time: up to 15 days from the date of the request, per LGPD art. 19, II. Detailed process available on request via /about.
7. Data Protection Officer (DPO)
Jorgin_ — author of Skin Tracker and party responsible for processing personal data (Encarregado, per LGPD art. 41).
Contact: via /about (form + verifiable Steam links), or directly via the public profile steamcommunity.com/id/Jorgin_.
As a solo-dev product without corporate structure, the DPO combines operations + compliance functions. Requests are handled personally by the author within the legal deadline. If the product grows and requires a dedicated officer, the change will be communicated by email + banner.
8. Retention
Your user data is retained while the account exists. After deletion, it is removed from the database within 7 business days — including copies in rotating backups.
9. Changes
Material changes to this policy are signaled by the "Last updated" date at the top. Changes to the type of data collected or shared are also communicated by email (to newsletter subscribers) and an in-app banner.