Privacy Policy

1. Introduction

Steamdle ("we," "us," or "our") is a Steam-based guessing game that uses publicly available data from the Steam Web API to power its gameplay. This Privacy Policy explains what information we process, how we use it, who we share it with, and the rights you have over your data.

By using Steamdle, you agree to the practices described in this policy. If you do not agree, please discontinue use of the service.

Data Controller: Nathan Campolina — nathancampolina.r@gmail.com

2. Information We Collect

2.1 Steam Authentication (via Steam OpenID)

When you choose to log in, you are redirected to Steam's own website to authenticate. This process is handled entirely by Valve's Steam OpenID service — Steamdle never sees, receives, or stores your Steam username, password, or any login credentials.

Upon successful authentication on Steam's website, Steam returns a single piece of information to Steamdle: your Steam ID. The Steam ID is a publicly visible identifier — it is the same ID that appears in your Steam profile URL and is visible to anyone on the internet.

This Steam ID is stored in an encrypted, server-signed session cookie in your browser using Iron Session (see Section 5). It is not stored in any database or persistent server-side storage operated by Steamdle.

2.2 Steam Profile & Game Data (via Steam Web API)

Once authenticated, Steamdle uses your Steam ID to query the Steam Web API on your behalf. The Steam Web API returns only publicly available profile information, specifically:

• Display name and profile avatar
• Public game library (titles and playtime visible on your public Steam profile)

This data is fetched on demand to power gameplay and is not persisted in any server-side database. If your Steam profile is set to private, this data will not be accessible and certain game features may not function.

2.3 Gameplay Data

Your in-game guesses, scores, and session state are stored locally in your browser (using browser storage mechanisms such as localStorage or sessionStorage). This data never leaves your device and is not transmitted to or stored by Steamdle's servers.

2.4 Analytics Data (PostHog)

We use PostHog for product analytics to understand how Steamdle is used and to improve the experience. The data PostHog collects depends on whether you are logged in:

• Before login: PostHog operates in cookieless, in-memory mode only. No data is written to your browser or persisted between sessions. Anonymous event data (e.g. pages visited, interactions) may be sent to PostHog but cannot be linked to you across sessions.
• After login: PostHog uses your Steam ID as a persistent Distinct ID to associate analytics events with your account across sessions. This allows us to understand how logged-in users interact with the game over time. PostHog may also collect browser type, operating system, device type, and pseudonymized IP address.

2.5 Infrastructure Data (Vercel)

Steamdle is hosted on Vercel, which processes standard request metadata (e.g. IP addresses, request logs) as part of delivering the service. Vercel acts as a data processor on our behalf. See vercel.com/legal/privacy-policy for details.

3. How We Use Your Information

We use the information described above for the following purposes:

• To authenticate you via Steam OpenID and identify your session
• To fetch your public Steam profile and game library data to power gameplay
• To analyze product usage and improve Steamdle (via PostHog)
• To detect and prevent abuse

We do not use your data for advertising and we do not sell it to third parties.

4. How We Share Your Information

We share data only with the following third-party service providers:

• Vercel Inc.— hosting and infrastructure, United States. Processes request metadata to deliver the service. Governed by Vercel's Data Processing Agreement.
• PostHog Inc. — product analytics. After login, your Steam ID is sent to PostHog as a Distinct ID to associate analytics events with your account. PostHog may store this data in the US or EU. See posthog.com/privacy.
• Valve Corporation— authentication is handled by Steam's OpenID service on Valve's own servers. Game and profile data is retrieved from the Steam Web API. We do not send your personal data to Valve beyond the standard OpenID authentication flow.

We do not sell, rent, or share your personal data with any other third parties for their own purposes.

5. Cookies & Browser Storage

5.1 Session Cookie (Iron Session)

After you log in, Steamdle sets one cookie in your browser: an encrypted, server-signed session cookie managed by Iron Session. This cookie contains only your Steam ID and is used solely to keep you authenticated between page loads.

This cookie is set only after you actively choose to log in. It is removed when you log out or when it expires.

5.2 PostHog Analytics

Before login, PostHog runs in cookieless, memory-only mode. It does not write any cookies or use localStorage. Any analytics events collected in this state are anonymous and cannot be linked to you across sessions or page loads.

After login, PostHog may use cookies or localStorage to persist your Steam ID as a Distinct ID and associate your analytics events across sessions. You can opt out of this by contacting us or by clearing your browser's cookies and storage for this site.

5.3 Browser Storage (Gameplay)

Your gameplay data (guesses, scores, session state) is stored in your browser's localStorage or sessionStorage. This data never leaves your device. You can clear it at any time through your browser's settings.

6. Data Retention

Steamdle does not operate a backend database. We do not store your personal data on our servers beyond the following:

• Session cookie — persists in your browser until you log out or the cookie expires. Cleared automatically on logout.
• PostHog — analytics data including your Steam ID as Distinct ID is retained by PostHog according to their own retention policies. You may request deletion of your PostHog data by contacting us (see Section 8).
• Vercel infrastructure logs — retained according to Vercel's standard log retention periods.
• Browser storage — gameplay data stored in your browser is retained until you clear it yourself via your browser settings.

7. Data Security

We take reasonable technical measures to protect your data, including:

• HTTPS / TLS encryption for all data in transit
• Iron Session's encrypted and server-signed cookie for session management
• No persistent storage of personal data in any database operated by Steamdle

No system is completely secure. We cannot guarantee the absolute security of data processed by third-party providers (Vercel, PostHog) and are not liable for unauthorized access beyond our reasonable control.

8. Your Rights

You have the following rights regarding your personal data:

• Access — request information about what data we or our processors hold about you
• Deletion — request deletion of your data, including your PostHog analytics profile
• Portability — request your data in a machine-readable format
• Objection / Restriction — ask us to stop or limit certain processing

To exercise any of these rights, or to request deletion of your PostHog analytics data specifically, contact us at: nathancampolina.r@gmail.com.

If you are located in Brazil, you have additional rights under the Lei Geral de Proteção de Dados (LGPD), including the right to lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD).

If you are located in the EU/EEA, you have additional rights under the General Data Protection Regulation (GDPR), including the right to lodge a complaint with your local data protection supervisory authority.

9. Children's Privacy

Steamdle is not directed at children under the age of 13 (or 16 in the EU/EEA). We do not knowingly process personal data from children. If you believe a child has used Steamdle and their data has been processed, please contact us and we will take prompt action.

10. Steam Services Compliance

10.1 Two Separate Steam Services

Steamdle uses two distinct Steam services, which should not be confused:

• Steam OpenID— used for authentication only. The login process takes place on Steam's own website. Steamdle receives only your Steam ID upon successful login. No credentials are ever shared with or stored by Steamdle.
• Steam Web API — used after authentication to retrieve your public profile and game library data. This is a separate service from OpenID. All data returned by the Steam Web API is limited to information you have made publicly visible on your Steam profile.

10.2 Steam Data Storage Location

Steam Data retrieved via the Steam Web API is processed on infrastructure operated by Vercel Inc., defaulting to the iad1 region (Washington D.C., United States). Vercel's edge network (on AWS, Azure, and GCP) may cache content globally. Steam Data is not stored in any persistent database operated by Steamdle.

10.3 Steam Data Disclaimer

As required by the Steam Web API Terms of Use, Steam Data is provided to you on an "as is," "with all faults," and "as available" basis. Valve Corporation, Steam game publishers and developers, and their suppliers make no representations or warranties of any kind, express or implied, regarding Steam Data, including without limitation any warranties of merchantability, fitness for a particular purpose, accuracy, or non-infringement.

In no event will Valve or its suppliers be liable for any indirect, consequential, special, incidental, or punitive damages arising out of your use of Steam Data retrieved through Steamdle, even if advised of the possibility of such damages.

Steamdle is not endorsed by or affiliated with Valve Corporation or Steam.

11. Third-Party Links & Services

Steamdle may link to third-party services such as Steam store pages. This Privacy Policy does not apply to those services. We encourage you to review the privacy policies of any third-party sites you visit.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. Continued use of Steamdle after changes are posted constitutes your acceptance of the updated policy.

13. Contact Us

If you have any questions, concerns, or data requests regarding this Privacy Policy, please contact: