Skip to main content
HumanLegal

Privacy · Legal View

Privacy Policy

The formal version. Still readable, just more careful.

1. Controller

The controller of your personal data is Paul Buttle (an individual, United Kingdom), trading as VGDB. Contact: privacy@vgdb.co.

2. Personal data we process

We process the following categories of personal data:

  • Account identifiers (email, user id). Purpose: operate the service and authenticate you. Lawful basis: performance of a contract. Retention: until account deletion.
  • Profile data (username, display name, avatar, bio, optional social links). Purpose: render your public profile. Lawful basis: contract (username) and consent (optional fields). Retention: until account deletion or field clearing.
  • User-generated content (reviews, lists, articles, screenshots, collection entries, votes, reports, follows, blocks). Purpose: operate the service and display community content. Lawful basis: contract. Retention: until you delete the content or your account.
  • Steam integration data (Steam ID, public playtime). Processed only if you connect Steam. Lawful basis: consent. Retention: until you disconnect Steam or delete your account.
  • Technical data (IP address during a session, user agent). Purpose: security, rate limiting, CSP reports. Lawful basis: legitimate interest. Retention: no longer than 30 days in application logs, subject to the standard retention policies of our infrastructure providers [TODO(supabase-logs-retention): confirm exact values].
  • Product analytics data (page views, feature interactions, captured exceptions, a pseudonymous device identifier, and - for signed-in users - the user id linked to those events). Processed by PostHog Inc. via its EU instance (eu.i.posthog.com), routed through our same-origin /ingestreverse proxy. Purpose: understand which features are used, diagnose errors, and improve the Service. Lawful basis: (a) consent under UK GDPR Article 6(1)(a) and PECR Regulation 6 for browser-side capture, gated by the cookie banner's Analytics toggle; (b) legitimate interest under UK GDPR Article 6(1)(f) for server-side capture of authenticated actions (signup, login, content creation), with opt-out available via privacy@vgdb.co. Retention: subject to PostHog's default retention windows (events: 7 years; session metadata: 1 year) [TODO(posthog-retention): confirm and tighten for this project].
  • Page-view analytics data (page URLs, referrer, anonymised IP, user-agent-derived device class). Processed by Google LLC via Google Analytics 4. Lawful basis: consent. Retention: as configured in the Google Analytics property settings.
  • Cookies: see §6.

3. Sources

Directly from you. For Steam integration data, from the Steam Web API as an authenticated third-party call made on your behalf.

4. Recipients and processors

We share personal data only with processors that run infrastructure on our behalf:

  • Supabase— database, authentication, and storage.
  • Our hosting provider— serves this website.
  • PostHog Inc.— product analytics, EU instance (eu.i.posthog.com). Receives the events described in §2 via our same-origin /ingest reverse proxy. Acts as our processor under a Data Processing Addendum.
  • Google LLC (Google Analytics 4)— aggregate page-view counts. Only receives data once you opt in via the cookie banner.
  • YouTube Data API (Google LLC)— server-side queries for public channel metadata and recent uploads. No user credentials are sent. See §10.
  • Steam Web API (Valve Corporation)— queried on your behalf only if you connect Steam.

No data brokers, no advertising networks, no sale of personal data.

5. International transfers

[TODO(infrastructure-region): confirm the regions of our Supabase project and our hosting provider, and the applicable transfer safeguard. Where infrastructure is hosted outside the UK or EEA, transfers are covered by the EU Standard Contractual Clauses together with the UK International Data Transfer Addendum. To be resolved before VGDB leaves Beta.]

6. Cookies

We use the following browser storage:

  • Session / auth cookies (Supabase). Strictly necessary. Keep you signed in.
  • Cookie-banner decision record. Strictly necessary. Stored in your browser's local storage (not an HTTP cookie) so we don't prompt you on every visit.
  • Google Analytics cookies (_ga, _ga_*). Set only with your explicit consent via the cookie banner. Used for aggregate page-view counts.
  • PostHog browser storage (a pseudonymous device id and session metadata under the ph_* keys, stored in local storage and a first-party cookie; opt-in/out flag stored under __ph_opt_in_out_<token>). Set only with your explicit consent via the cookie banner. Used for product analytics as described in §2.

Manage your consent at any time via the Cookie Preferences link in the footer.

7. Data subject rights (UK GDPR articles 15–22)

You have the right to: access your personal data; have inaccurate data rectified; have data erased; restrict processing; port your data to another service; object to processing; and withdraw any consent at any time without affecting the lawfulness of prior processing. To exercise any of these rights, email privacy@vgdb.co.

8. Automated decision-making

We do not use solely automated decision-making or profiling that produces legal effects or similarly significantly affects you.

9. Right to complain

If we fail to handle your personal data properly, you can complain to the Information Commissioner's Office (ico.org.uk). We would rather you write to us first so we can fix it.

10. YouTube API Services

This site uses YouTube API Services to display gaming-channel metadata (channel name, description, avatar, banner, subscriber count, video count, view count) and a channel's recent public uploads (title, thumbnail, duration, view count, publish date) on the Resources section. These requests are made server-side using our API key. No personal data about you is sent to YouTube through our use of the API.

By using this site you also agree to be bound by the YouTube Terms of Service and acknowledge the Google Privacy Policy. You can revoke YouTube API Services' access to your data via the Google security permissions page, though note that VGDB does not request access to your YouTube account, so there is typically nothing for you to revoke.

If you are a channel owner and would like your channel removed from the VGDB catalogue, email paul@vgdb.co. We will remove the listing within 7 days.

11. Changes to this policy

Material changes are announced in the changelog and reflected in the "Last updated" date at the foot of this page.

12. Contact

privacy@vgdb.co

Last updated: 28 April 2026