Privacy Policy
Last updated: 2026-05-30
Data controller
The data controller for SkinBoard is the project's operator, Rafał Nowak, acting as a private individual (a natural person) based in Poland. SkinBoard is run as a personal, non-incorporated project, so there is no company registration or VAT number. If you need the operator's postal address — for example to send a formal data-protection request — we will provide it on request via the contact details below. For any privacy enquiries — including access, export, correction, deletion, or objection requests — contact: support@skinboard.app, or use the Contact page on this site. If you are in the EU/EEA/UK and you are not satisfied with our response, you can lodge a complaint with your local data-protection authority. In Poland this is the Urząd Ochrony Danych Osobowych (UODO).
Overview
SkinBoard is a personal portfolio and price-tracking tool for Counter-Strike 2 items. This Privacy Policy explains what data we collect, how we use it, who we share it with, how long we keep it, and the choices and rights you have.
Data we collect
• Steam profile data shared by Steam OpenID at sign-in: your SteamID64 (a numeric, 64-bit identifier), display name, and public avatar URL. Steam performs the login itself and only returns these public profile fields; we never see your Steam password.
• Portfolio data you create inside the app: inventory items you add, purchase prices, sale prices, trade history, market balances, and any notes or settings you save.
• Contact-form submissions: when you write to us via the Contact page we receive your name, email address, message body, and IP address. See "Retention" below for how long we keep these.
• Technical data needed to run the service: HTTP request logs (URL, status, timing), error stack traces, and your IP address (used for rate-limiting and abuse defence).
How we use it
• To authenticate you via Steam OpenID and keep you signed in (HttpOnly session cookie carrying a short-lived JWT).
• To render your dashboards, inventory, ROI history, and price comparison views.
• To answer support enquiries you send through the Contact form.
• To diagnose errors, defend against abuse, and improve performance.
We do not sell your data, do not run ad-targeting against it, do not share it with data brokers, and do not use it to train machine-learning models.
Sharing & sub-processors
We use a small number of service providers ("sub-processors") strictly to operate the service:
• Hosting / database provider freakhosting.com: runs the application server and the Postgres database. Data at rest is encrypted by the disk layer, which protects against loss or theft of the physical storage; it does not by itself protect data from an attacker who gains access to the running application or database account, which is why the access controls under "Security" matter as well.
• Email / SMTP provider zoho.eu: used solely to deliver contact-form submissions to the operator. Your message body, name, and email address transit this provider, and its own privacy policy governs how long it retains message metadata.
• Steam (Valve): only as required for OpenID sign-in and to fetch public profile fields.
We do not share your data for marketing or analytics. We only share when legally compelled (subpoena, court order) or when strictly necessary to operate the service.
Cookies & local storage
• Authentication cookie (sb_session; HttpOnly, Secure, SameSite=Lax): set after Steam sign-in to keep you logged in, and cleared on sign-out or account deletion. The JWT it carries is short-lived and is signed with a rotatable key (see "Security").
• Browser local storage: remembers your UI preferences (selected market, compact mode, sidebar collapse, theme). Cleared when you clear browser site data.
• Cookie consent state: a single key recording whether you have acknowledged the consent banner.
We do NOT use third-party analytics cookies, advertising cookies, or social-media trackers.
Retention
• Portfolio data: kept for the lifetime of your account. When you delete your account (see "Your rights"), we erase your personal data within 30 days, except where retention is required by law (e.g. accounting records).
• Contact-form submissions: the message arrives in the operator's inbox via the SMTP provider. We delete inbox copies within 90 days of last activity unless the conversation is ongoing.
• Server logs (HTTP requests, errors, IPs): rotated automatically; nothing older than 14 days is retained.
• Database backups: encrypted and rotated daily; the oldest snapshot is kept for up to 30 days. This means a copy of deleted account data can survive inside an encrypted backup for up to 30 days after deletion, after which the snapshot containing it is discarded.
• Security-relevant logs (failed sign-ins, abuse signals): up to 90 days for incident investigation.
Your rights
Depending on your jurisdiction (EU/EEA/UK: GDPR; California: CCPA), you have the right to:
• Access: see what data we hold about you.
• Portability / export: receive your data in a machine-readable format. Use Settings → Export, which calls /api/auth/me/export and returns JSON.
• Correction: correct inaccurate data (mostly self-serve through the app).
• Erasure: delete your account and all personal data. Use Settings → Delete account, which sends a DELETE request to /api/auth/me and erases your records within 30 days.
• Objection / restriction: ask us to stop or pause processing.
• Withdrawal of consent at any time.
To exercise any right you can also email support@skinboard.app. We respond within 30 days.
Security
• No password storage: sign-in is delegated to Steam OpenID, so there is no SkinBoard password to leak or to stuff.
• Sessions use HttpOnly + Secure + SameSite=Lax cookies. The JWT inside has a limited lifetime (7-day window) and is signed with a key drawn from a rotation-capable list (JWT_SECRETS), so signing keys can be rotated.
• CSRF defence on state-changing requests via the X-Requested-With header. This works because a cross-site HTML form cannot add custom request headers, and a cross-origin fetch that tries to add one must first pass a CORS preflight; the SameSite=Lax cookie attribute adds a second, independent layer.
• Strict Content-Security-Policy, HSTS (2-year max-age, includeSubDomains), X-Frame-Options=DENY, and other modern security headers, visible in the response headers of any page.
• Database connections use TLS. Backups are encrypted at rest.
• Rate-limiting on auth, contact, and admin endpoints to slow credential-stuffing and brute force.
• Least-privilege host roles and automated patching.
• Security-relevant logs are retained for up to 90 days for incident investigation.
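The session and CSRF bullets above describe a design rather than show it. The following is an added illustration, not SkinBoard's own code, of how a rotatable JWT_SECRETS list and an X-Requested-With check behave in practice. It assumes JWT_SECRETS is a comma-separated list whose first entry is the current signing key and whose later entries are older keys kept only for verification, that the token carries the SteamID64 in the standard "sub" claim, and uses the policy's 7-day lifetime; the function names, the key values, and the SteamID64 below are constructed for the example. Only the standard library is used, so it runs offline.

```python
"""Added example: HS256 session tokens with a rotatable key list, plus the
X-Requested-With CSRF check. Illustrative code, not the project's own;
JWT_SECRETS layout (newest key first) and claim names are assumptions."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

SESSION_TTL = 7 * 24 * 3600          # the 7-day window stated in the policy
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def load_secrets(env_value: str) -> list[bytes]:
    """Parse a JWT_SECRETS value such as "new-key,old-key"; newest key first.
    Assumption: the first entry signs, every entry may verify."""
    keys = [k.strip().encode() for k in env_value.split(",") if k.strip()]
    if not keys:
        raise ValueError("JWT_SECRETS must contain at least one key")
    return keys


def sign_session(steam_id: int, secrets: list[bytes], now: int | None = None) -> str:
    """Issue an HS256 JWT with sub=SteamID64, iat and a 7-day exp, signed with the newest key."""
    now = int(time.time()) if now is None else now
    compact = {"separators": (",", ":")}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    claims = {"sub": str(steam_id), "iat": now, "exp": now + SESSION_TTL}
    payload = _b64url(json.dumps(claims, **compact).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secrets[0], signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_session(token: str, secrets: list[bytes], now: int | None = None) -> int | None:
    """Return the SteamID64 if the token verifies under ANY listed key and is unexpired.
    Returns None for malformed, tampered, foreign-key, alg-confused or expired tokens."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        return None
    # Pin the algorithm server-side; never let the token choose (e.g. "none").
    if header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode()
    # Rotation: a token minted under a retired key stays valid while that key
    # remains in the list; dropping the key invalidates those sessions.
    if not any(
        hmac.compare_digest(hmac.new(k, signing_input, hashlib.sha256).digest(), sig)
        for k in secrets
    ):
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    sub = payload.get("sub")
    if not isinstance(sub, str) or not sub.isdigit():
        return None
    return int(sub)


def csrf_check_passes(method: str, headers: dict[str, str]) -> bool:
    """Require X-Requested-With on state-changing methods. A cross-site form
    cannot set custom headers, and a cross-origin fetch that does must pass a
    CORS preflight first, so the header's presence signals a same-origin client."""
    if method.upper() not in STATE_CHANGING:
        return True
    return any(name.lower() == "x-requested-with" for name in headers)


if __name__ == "__main__":
    # Constructed walkthrough: mint under key k1, rotate to k2 while keeping k1.
    v1 = load_secrets("k1")
    token = sign_session(76561197960287930, v1, now=1_700_000_000)
    v2 = load_secrets("k2,k1")
    print("valid after rotation:", verify_session(token, v2, now=1_700_000_000))
    print("valid once k1 retired:", verify_session(token, load_secrets("k2"), now=1_700_000_000))
    print("DELETE without header allowed:", csrf_check_passes("DELETE", {}))
```

A key rotation is then two deployments: prepend the new key (old tokens still verify, new ones are signed with the new key), and after one full session lifetime drop the old key from the list. Note that the list only bounds who can mint tokens; it does not revoke an individual session, which still requires deleting the cookie or keeping a server-side deny-list.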
Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page always reflects the latest revision. Material changes are highlighted on the dashboard at next sign-in.
Questions about this document? Reach out via Contact