SKINTRACKR

Legal

Privacy Policy

Last updated: 2026-05-20

Draft template. This document is a starting point provided for transparency during early access. Review with a qualified lawyer before relying on it for production.

This Privacy Policy describes how SkinTrackr UG (i.G.) ("SkinTrackr", "we", "us") collects, uses, and shares personal data when you use skintrackr.io and the related services (the "Service"). We are the data controller within the meaning of the EU General Data Protection Regulation (GDPR).

1. Who we are

SkinTrackr UG (i.G.) is a company being incorporated in Germany. You can reach us at arthur@skintrackr.io for any privacy-related request.

2. What data we collect

  • Account data: email address and Clerk user ID created when you sign up. We never see or store your password — authentication is handled by Clerk.
  • Profile preferences: display name, preferred currency, theme, and notification settings.
  • Portfolio data: the skins, prices, quantities, and notes you voluntarily enter into your portfolio and watchlists.
  • Subscription data: tier (Free, Lite, Pro), billing cycle, and subscription status. Payment details (card numbers, billing address) are processed and stored by Stripe — we only receive a customer ID and a status flag.
  • Steam account link (optional): if you connect your Steam account, we store your public Steam ID. We do not access your Steam inventory, friends list, or private profile data.
  • Technical data: IP address, user agent, request timestamps, and basic request metadata used for rate limiting, abuse prevention, and debugging.
  • Communications: emails you send us and our replies.

3. Why we process your data (legal basis)

  • Service operation (Art. 6(1)(b) GDPR — contract performance): account management, authentication, portfolio storage, price calculations, subscription billing, and alert delivery.
  • Legitimate interest (Art. 6(1)(f) GDPR): security monitoring, rate limiting, fraud prevention, debugging, and improving the Service. Our interest is in running a secure, reliable product; this is balanced against your interest in minimal data processing.
  • Legal obligation (Art. 6(1)(c) GDPR): tax records, invoice retention, and responding to lawful authority requests.
  • Consent (Art. 6(1)(a) GDPR): optional analytics cookies and marketing emails, where applicable. You can withdraw consent at any time.

4. Third-party processors

We rely on the following processors to operate the Service. Each is bound by a Data Processing Agreement under Art. 28 GDPR.

  • Clerk (Clerk.com, Inc., USA) — authentication, identity, session management. Standard Contractual Clauses apply for international transfers.
  • Stripe (Stripe Payments Europe, Ltd., Ireland) — subscription billing and payment processing.
  • Steam / Valve (Valve Corporation, USA) — only invoked if you explicitly connect your Steam account via OpenID. Only public profile data is read.
  • Resend (or an equivalent transactional email provider) — delivering account emails and price alerts.
  • Vercel (Vercel, Inc., USA) — hosting the frontend and serverless functions. Region: Frankfurt (fra1) where possible.
  • Supabase (Supabase, Inc.) — managed PostgreSQL database hosting in the EU.
  • Inngest (Inngest, Inc., USA) — background job orchestration for price refreshes and alert dispatch.
  • PostHog — product analytics (only loaded after you accept analytics cookies).
  • Sentry — error monitoring and crash reporting (IP addresses are truncated; PII scrubbing is enabled).
  • Skinport, CSFloat and similar marketplace APIs — outbound requests only. We send no personal data; we only fetch public price information.

5. Cookies

By default we set only essential cookies needed for authentication and security (e.g. Clerk session cookies, CSRF tokens). Optional analytics cookies (PostHog) are only loaded after you give consent through our cookie banner. You can withdraw consent at any time via the "Cookies" link in the footer.

6. How long we keep your data

  • Account data: for as long as your subscription or free account is active, plus 90 days after cancellation to handle reactivations and refunds.
  • Billing records: 10 years, as required by German tax law (§ 147 AO).
  • Server logs: 30 days, then deleted or anonymised.
  • Support emails: up to 2 years from the last interaction.

7. Your rights

Under GDPR, you have the right to:

  • access the personal data we hold about you (Art. 15);
  • have inaccurate data corrected (Art. 16);
  • request deletion of your data (Art. 17 — "right to be forgotten");
  • restrict processing (Art. 18);
  • receive your data in a portable format (Art. 20);
  • object to processing based on legitimate interest (Art. 21);
  • withdraw consent at any time, without affecting prior lawful processing.

To exercise any of these rights, email arthur@skintrackr.io. We will respond within one month.

You also have the right to lodge a complaint with a supervisory authority. In Germany, that is the Federal Commissioner for Data Protection and Freedom of Information (BfDI). You may also contact your local state Data Protection Authority or the authority in the EU country where you live or work.

8. International transfers

Where data is transferred outside the EU/EEA (mainly to US-based processors such as Clerk, Stripe, Vercel, Sentry, PostHog), we rely on Standard Contractual Clauses approved by the European Commission and on the EU-US Data Privacy Framework where applicable.

9. Security

We use TLS encryption for all traffic, hash and salt all credentials via Clerk, restrict database access via least-privilege roles, and monitor for anomalies. No system is perfectly secure; we encourage you to use a strong unique password and enable multi-factor authentication on your Clerk account.

10. Children

The Service is not intended for users under 16. We do not knowingly collect data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced by email at least 30 days before they take effect. The "Last updated" date at the top of this page indicates the most recent revision.

12. Contact

SkinTrackr UG (i.G.)
Email: arthur@skintrackr.io
