Privacy policy
Last updated: May 2026 · Brazilian-specific text (LGPD article references, DPO disclosure) lives at /privacidade.
1. Data we collect
Steam OpenID authentication. When you sign in with Steam, the OpenID handshake gives us only your SteamID64; the display name, avatar, and public profile URL are then read from your public Steam profile. We never have access to your Steam password, hidden inventory items, or any private account information.
Transactions you record. Skin purchases and sales you manually add (or import via Steam history) are stored in our database, linked to your SteamID64. They serve exclusively to compute your P&L and cost basis.
Watchlist preferences. Skins flagged as favorites and price alerts live in your browser (localStorage) and, when authenticated, mirror to the server for cross-device sync.
Newsletter (optional). If you subscribe, we store your email + confirmation timestamp. Nothing else. Email delivery via Resend (transactional provider).
2. Data we do NOT collect
- Passwords, Steam API tokens, or Valve session cookies
- Banking data, government IDs, or card numbers — the site does not process payments
- Precise geolocation (your IP address is used transiently for API rate limiting and is never written to storage)
- Browsing history on other sites
- Behavioral tracking via Google Analytics, Facebook Pixel, TikTok Pixel, or any other tracker that ties activity to a person
3. Cookies
We use a single essential cookie: skin_tracker_session (HTTP-only, sealed, i.e. encrypted and signed, via iron-session). It stores only your authenticated SteamID64 so the session persists across requests; page scripts cannot read it (HttpOnly) and its contents cannot be altered without detection (sealed). Duration: 30 days or until you sign out.
No tracking, advertising, or analytics cookies are set — Plausible (described below) is fully cookieless.
4. Aggregate analytics (Plausible + Cloudflare)
We use Plausible (open-source, EU-hosted, cookieless) and Cloudflare Web Analytics (privacy-first, cookieless) for aggregate visit counts. They tell us how many people visit each page, which country (country only, no city), which browser, and which referrer site they came from. Always aggregated — never tied to an individual.
What this does NOT do: no cookies set, no browser fingerprinting, no IP retention (the IP is hashed together with a salt that rotates daily to derive a session identifier, and the raw address is then discarded), no cross-site joining, no third-party data sale.
4b. Session replay and bug reports (PostHog + Microsoft Clarity + Sentry)
Added to fill the qualitative gap that aggregate analytics cannot cover: Plausible/Cloudflare tell us how many people visit, while replay tools show us where they get confused or what they click.
PostHog and Microsoft Clarity (session replay): we record how you interact with the page (clicks, scroll, mouse movement, page navigation). We do NOT record the contents of input fields (search, forms): every <input> and <textarea> is masked before the recording leaves your browser. We do NOT record audio, video, or your personal inventory. Replay retention is 30 days, and replays are private to the Skin Trackers team.
Sentry (bug reports): uncaught JavaScript errors (e.g. a page crashes for you) are forwarded to Sentry with a stack trace + last 10s of session replay from that specific session. Session cookies and admin tokens are stripped before sending (explicit sanitization in sentry.client.config.ts).
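The sanitization step described above, as an added example rather than the site's actual sentry.client.config.ts: a beforeSend hook that drops credential-bearing headers and the session cookie from the captured request, redacts secret-looking keys in extra data, breadcrumbs and exception details, and scrubs cookie values out of free text. Only the cookie name skin_tracker_session comes from Section 3; the header names, key pattern, query-parameter names and the shape of the sample event are assumptions for illustration.

```javascript
// Added example, not the project's own Sentry config. Only the cookie name
// skin_tracker_session is taken from the policy; everything else is assumed.

const SESSION_COOKIE = "skin_tracker_session";

// Request headers that carry credentials; dropped wholesale (assumed list).
const SECRET_HEADERS = new Set(["cookie", "set-cookie", "authorization", "x-admin-token"]);

// Object keys whose values are never sent, whatever they contain (assumed pattern).
const SECRET_KEY_RE = /token|secret|password|cookie|session/i;

// Query-string parameters redacted in captured URLs (assumed list).
const SECRET_QUERY_PARAMS = new Set(["token", "admin_token", "key"]);

const FILTERED = "[Filtered]";

// Redact the session cookie value wherever it appears inside free text
// (log messages, breadcrumb messages, exception values).
function scrubString(s) {
  const re = new RegExp(`${SESSION_COOKIE}=[^;\\s&"']+`, "g");
  return s.replace(re, `${SESSION_COOKIE}=${FILTERED}`);
}

// Walk plain data (objects, arrays, strings), returning a scrubbed copy:
// secret-named keys are replaced, strings are scrubbed, the rest is kept.
function scrubValue(value) {
  if (typeof value === "string") return scrubString(value);
  if (Array.isArray(value)) return value.map(scrubValue);
  if (value && typeof value === "object") {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SECRET_KEY_RE.test(k) ? FILTERED : scrubValue(v);
    }
    return out;
  }
  return value;
}

// Replace secret query parameters in a URL; non-URL strings fall back to scrubString.
function scrubUrl(url) {
  let u;
  try {
    u = new URL(url);
  } catch {
    return scrubString(url);
  }
  for (const name of [...u.searchParams.keys()]) {
    if (SECRET_QUERY_PARAMS.has(name.toLowerCase())) u.searchParams.set(name, FILTERED);
  }
  return u.toString();
}

// beforeSend hook: returns a sanitized copy of the event; the caller's object is untouched.
function sanitizeEvent(event, _hint) {
  const ev = { ...event };
  if (ev.request) {
    const req = { ...ev.request };
    delete req.cookies; // the sealed session cookie lives here
    if (req.headers) {
      req.headers = Object.fromEntries(
        Object.entries(req.headers).filter(([name]) => !SECRET_HEADERS.has(name.toLowerCase()))
      );
    }
    if (typeof req.url === "string") req.url = scrubUrl(req.url);
    if (req.data !== undefined) req.data = scrubValue(req.data);
    ev.request = req;
  }
  if (typeof ev.message === "string") ev.message = scrubString(ev.message);
  if (ev.extra) ev.extra = scrubValue(ev.extra);
  if (ev.contexts) ev.contexts = scrubValue(ev.contexts);
  if (Array.isArray(ev.breadcrumbs)) ev.breadcrumbs = ev.breadcrumbs.map(scrubValue);
  if (ev.exception) ev.exception = scrubValue(ev.exception); // covers frame vars too
  return ev;
}

// Wire-up (illustrative; requires the Sentry browser SDK and is not run here):
// Sentry.init({ dsn: process.env.NEXT_PUBLIC_SENTRY_DSN, beforeSend: sanitizeEvent });
```

The hook redacts by key name rather than by value, so a token that reaches Sentry under an unexpected key (say, embedded in a URL fragment) still gets through; the free-text scrub only knows the session cookie's name. A practitioner checking such a config should capture a real error with the session cookie present and confirm the stored event contains neither the sealed cookie value nor any admin credential.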
How to opt out: install a privacy browser extension (uBlock Origin, Privacy Badger). PostHog, Clarity, and Sentry are all blocked by default lists. You lose no functionality — we just won't know if something went wrong in your session.
5. Third-party sharing
We do not sell, trade, or share your data with third parties for commercial purposes. The only data processors are:
- Valve — for Steam OpenID login validation (standard protocol, no additional data sent)
- Resend — for newsletter delivery, when applicable (only confirmed subscriber emails)
- Brazilian Central Bank (BCB) — public USD/BRL FX and CDI series APIs (no user data sent)
- Plausible + Cloudflare Web Analytics — cookieless aggregate analytics (Section 4)
- PostHog + Microsoft Clarity — session replay with mandatory input masking (Section 4b). PostHog is hosted in the US; Clarity is hosted by Microsoft. Retention 30 days each.
- Sentry — error tracking with cookie/token sanitization before send (Section 4b)
6. Your rights (GDPR / CCPA / LGPD)
Regardless of jurisdiction, you have the right to, at any time:
- Access all data linked to your SteamID64 (visible inside the app at /inventario and /historico)
- Export your transaction base as CSV
- Delete your account and all associated data (request via /about)
- Unsubscribe from the newsletter via the link in any email we send
Response time: up to 15 days after the request, the LGPD art. 19 deadline, which is the strictest of the regulations we are subject to. The detailed process is available on request via /about.
7. Data Protection contact
Jorgin_ (Gabriel Fernandes) — author and data controller. Solo developer, so the DPO function is handled by the same person who maintains the site.
Contact: via /about or directly through the public Steam profile steamcommunity.com/id/Jorgin_.
8. Retention
User data is retained while the account exists. After deletion, it is removed from the database within 7 business days, including copies in rotating backups.
9. Changes
Material changes to this policy are flagged by updating the "Last updated" date at the top. Changes affecting the type of data collected or shared are also communicated via email (for newsletter subscribers) and an in-app banner.