Privacy Policy
Last Updated: November 3, 2025
1. Introduction
At csPortfolio.gg, we take your privacy seriously. This Privacy Policy explains how we collect, use, store, and protect your personal data in compliance with the General Data Protection Regulation (GDPR) and EEA consumer protection laws.
Quick Summary:
- We collect minimal data necessary to provide our services (Steam ID, email, inventory data)
- Payment information is handled by Polar.sh (not stored by us)
- You can request access, export, or deletion of your data at any time
- We do not store data longer than necessary to provide our services
1.1 Data Controller
csPortfolio.gg is the data controller for personal information processed through our platform. We are based in Iceland (EEA member) and subject to Icelandic data protection laws and GDPR.
1.2 Contact Information
For privacy-related inquiries, contact us at:
- Email: csportfolio@csportfolio.gg
- Data Subject Requests: support@csportfolio.gg
2. What Data We Collect
2.1 Account Information
When you create an account via Steam OAuth, we collect:
- Steam ID: Your unique Steam identifier (e.g., 76561198785623822)
- Steam Username: Your public Steam display name
- Steam Avatar: Your profile picture URL from Steam
- Profile Visibility: Whether your Steam profile is public/private
Legal basis: Contractual necessity (to provide our services)
2.2 Email Address (Optional)
If you choose to verify your email, we collect:
- Email Address: For account recovery and notifications
- Verification Status: Whether your email is verified
- Notification Preferences: Your consent to receive emails
Legal basis: Consent (you opt-in to email verification)
2.3 Inventory Data
To provide portfolio tracking, we fetch and store:
- CS2 Items: Item names, quantities, wear values, StatTrak status
- Item Images: URLs to Steam CDN for item icons
- Inventory Timestamps: When your inventory was last updated
Note: We only access public inventory data available through Steam's API. If your Steam profile is private, we cannot fetch your inventory.
Legal basis: Contractual necessity (core service functionality)
2.4 Usage Analytics
We collect anonymized usage data for service improvement:
- Page Views: Which pages you visit and how often
- Feature Usage: Which features you use (portfolio, containers, analytics)
- Session Duration: How long you stay on the platform
- Browser/Device Info: Browser type, screen size (for responsive design)
Legal basis: Legitimate interest (service improvement and performance monitoring)
2.5 Payment Information
Important: We do NOT store payment information (credit cards, billing addresses, etc.). All payment processing is handled by Polar.sh, which acts as the Merchant of Record.
Polar.sh collects and processes:
- Payment card details
- Billing address
- Transaction history
Refer to Polar.sh's Privacy Policy for details on their data handling.
2.6 Demo Access Records
If you're granted demo access, we store:
- Demo Period: Start and end dates of your trial
- Granted By: Which admin granted you access
- Status: Whether demo is active, expired, or revoked
- Admin Notes: Any notes added by admins (e.g., "Requested via Discord")
Legal basis: Contractual necessity (subscription management)
3. How We Use Your Data
3.1 Service Provision
We use your data to:
- Display your CS2 inventory with real-time valuations
- Calculate portfolio performance and historical trends
- Track container openings and ROI calculations
- Provide personalized analytics and insights
- Manage your subscription tier and access levels
3.2 Communication
We may send emails (if you verified your email) for:
- Demo Grants: Notification when you receive demo access
- Service Updates: Important changes to features or pricing
- Security Alerts: Suspicious activity on your account
- Backup Alerts: Critical system notifications (admins only)
You can opt out of non-essential emails through your account settings.
3.3 Service Improvement
We analyze anonymized usage data to:
- Identify and fix bugs or performance issues
- Understand which features are most valuable
- Optimize database queries and API calls
- Plan new features based on user needs
3.4 Security & Fraud Prevention
We monitor for:
- Unusual login patterns or account access
- API abuse or rate limit violations
- Fraudulent subscription activity
4. Third-Party Data Sharing
4.1 Service Providers
We share limited data with third-party services necessary for our platform:
Polar.sh (Payment Processing)
- Data Shared: Steam ID, email address (for subscription management)
- Purpose: Payment processing, subscription billing, refunds
- Privacy Policy: polar.sh/legal/privacy
Third-Party Market APIs (Price Data)
- Data Shared: Item names (no user data)
- Purpose: Fetch real-time market prices from multiple sources for GillaPrice™ algorithm
- Privacy: We only query item prices, not user-specific data
PurelyMail (Email Delivery)
- Data Shared: Email addresses (only for users who verified email)
- Purpose: Deliver transactional emails (demo grants, notifications)
- Privacy: Email content and recipient addresses are transmitted via SMTP
Steam API (Valve Corporation)
- Data Shared: Your Steam ID (when you log in or refresh your inventory)
- Purpose: Fetch your public inventory data and profile information
- Privacy Policy: Valve Privacy Policy
4.2 Legal Obligations
We may disclose data if required by law:
- Court orders or legal processes
- Law enforcement requests (with valid legal basis)
- Compliance with Icelandic or EEA regulations
We will notify affected users unless legally prohibited from doing so.
5. Data Retention
5.1 Active Accounts
For active accounts, we retain data as long as necessary to provide our services. We do not store data longer than required for operational, legal, or security purposes.
5.2 Demo Accounts
Demo access records are retained for audit purposes:
- Active Demos: Data retained during 30-day trial period
- Expired Demos: Audit records retained indefinitely (username, dates, admin notes)
- User Data: Inventory and analytics data may be removed if account downgrades to free_user and remains inactive for extended periods
5.3 Logs & Analytics
- Application Logs: 7-day retention (scheduler logs, error logs)
- Visitor Statistics: Anonymized aggregates retained indefinitely for trend analysis
- Security Logs: Retained for 90 days for fraud prevention
6. Your Rights (GDPR)
Under GDPR and EEA consumer protection laws, you have the following rights:
6.1 Right to Access
What it means: You can request a copy of all personal data we hold about you.
How to exercise: Email support@csportfolio.gg with subject "Data Access Request"
Response time: Within 30 days
6.2 Right to Rectification
What it means: You can correct inaccurate or incomplete data.
How to exercise: Update your profile in Settings, or email us for manual corrections
Response time: Immediate (via Settings) or within 7 days (via email)
6.3 Right to Erasure ("Right to be Forgotten")
What it means: You can request deletion of all your personal data.
How to exercise: Email support@csportfolio.gg with subject "GDPR Request - Data Erasure"
Response time: Within 30 days (as required by GDPR)
Note: Some data may be retained for legal or compliance purposes (e.g., anonymized audit logs for demo grants).
6.4 Right to Data Portability
What it means: You can export your data in a machine-readable format (JSON).
How to exercise: Coming soon via Settings → Export Data (currently email us)
Data included: Account info, inventory data, container records, demo history
Response time: Within 7 days
6.5 Right to Restrict Processing
What it means: You can request we pause processing your data (but not delete it).
How to exercise: Email support@csportfolio.gg with subject "Restrict Processing"
Effect: Your account will be suspended but data retained for later reactivation
6.6 Right to Object
What it means: You can object to data processing based on legitimate interest (e.g., analytics).
How to exercise: Email us with specific objections
Effect: We will stop the objected processing unless we have compelling legal grounds
6.7 Right to Withdraw Consent
What it means: You can withdraw consent for email notifications at any time.
How to exercise: Email support@csportfolio.gg to opt out of notifications, or use the unsubscribe links in emails
Effect: We will stop sending non-essential emails (security alerts still sent)
6.8 Right to Lodge a Complaint
What it means: You can complain to your national data protection authority if you believe we violated GDPR.
Iceland DPA: Persónuvernd (Iceland Data Protection Authority)
EU DPAs: Find your national DPA
7. Data Security
7.1 Technical Measures
We implement industry-standard security measures:
- Authentication: JWT tokens with secure expiration (24 hours)
- Database: PostgreSQL with role-based access control (read-only backup role)
- Encryption: HTTPS/TLS for all data transmission
- Backups: Encrypted database backups with 5-day retention
- Rate Limiting: 60 requests/minute per user to prevent abuse
- CORS Protection: Restricted cross-origin requests
7.2 Access Control
- Production Server: SSH key authentication only (no password login)
- Database Access: Limited to application user (csportfolio_app) with minimal privileges
- Admin Access: Restricted to god/overseer tiers for sensitive operations
7.3 Monitoring & Incident Response
- Health Checks: Automated monitoring every 15 minutes
- Error Logging: Application errors logged for debugging (no sensitive data in logs)
- Backup Alerts: Email notifications for backup failures
7.4 Data Breach Notification
In the event of a data breach:
- User Notification: Within 72 hours of discovery (via email if verified)
- Authority Notification: Iceland DPA notified within 72 hours (if high risk)
- Transparency: Public disclosure if breach affects >1000 users
8. Cookies & Tracking
8.1 Authentication Tokens
We use localStorage (not cookies) to store:
- auth_token: JWT token for authentication (expires after 24 hours)
- currency: Your preferred currency (USD, EUR, CNY)
These are essential for service functionality and do not require consent under GDPR.
8.2 No Third-Party Tracking
We do NOT use:
- Google Analytics or similar tracking tools
- Facebook Pixel or social media trackers
- Advertising cookies or retargeting
- Cross-site tracking or fingerprinting
8.3 Session Management
Sessions are managed server-side via JWT tokens. No session cookies are set by our platform.
9. International Data Transfers
9.1 EEA-Based Hosting
Our production server is hosted in the European Union/EEA region. Personal data is stored within EEA borders and subject to GDPR protections.
9.2 Third-Party Services
Some third-party services may transfer data outside the EEA:
- Polar.sh: May process payments globally (GDPR-compliant with Standard Contractual Clauses)
- Steam API: Operated by Valve Corporation (USA) - covered by EU-US Data Privacy Framework
All third-party processors are required to maintain GDPR-equivalent protections.
10. Children's Privacy
csPortfolio.gg is not intended for users under 16 years old (GDPR age limit). We do not knowingly collect personal data from children.
If you believe a user under 16 has created an account, please contact us at support@csportfolio.gg and we will delete the account promptly.
Note: Steam's Terms of Service require users to be 13+ (USA) or 16+ (EEA). We rely on Steam's age verification.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect:
- Changes to our services or features
- Legal or regulatory requirements
- Improvements to data protection practices
When we make significant changes:
- We will update the "Last Updated" date at the top
- We will notify users via email (if email is verified)
- Continued use of the service constitutes acceptance of new terms
We recommend reviewing this policy periodically to stay informed of how we protect your data.
12. Contact & Data Protection Officer
For privacy-related questions, data subject requests, or complaints:
12.1 General Inquiries
- Email: csportfolio@csportfolio.gg
- Support: support@csportfolio.gg
12.2 Data Subject Requests
For GDPR requests (access, erasure, portability, etc.), email support@csportfolio.gg with:
- Subject line: "GDPR Request - [Type]" (e.g., "GDPR Request - Data Access")
- Your Steam ID or username for verification
- Detailed description of your request
Response time: Within 30 days (as required by GDPR)
12.3 Complaints
If you're unsatisfied with our response, you can lodge a complaint with:
- Iceland DPA: Persónuvernd
- Your National DPA: Find your DPA
Solo Developer Note: csPortfolio.gg is developed and maintained by a solo developer. While we strive for prompt responses, please allow up to 30 days for complex data requests (as permitted by GDPR).
13. Your Trust Matters
We built csPortfolio.gg to help the CS2 community track their inventories without compromising privacy. Your trust is essential to us, and we're committed to:
- Collecting only data necessary for service functionality
- Providing full transparency about data usage
- Respecting your GDPR rights
- Continuously improving our security practices
Thank you for trusting csPortfolio.gg with your data.