Skip to main content
HumanLegal

Privacy — Legal View

Privacy Policy

The formal version. Still readable, just more careful.

1. Controller

The controller of your personal data is Paul Buttle (an individual, United Kingdom), trading as VGDB. Contact: privacy@vgdb.co.

2. Personal data we process

We process the following categories of personal data:

  • Account identifiers (email, user id) — purpose: operate the service and authenticate you. Lawful basis: performance of a contract. Retention: until account deletion.
  • Profile data (username, display name, avatar, bio, optional social links) — purpose: render your public profile. Lawful basis: contract (username) and consent (optional fields). Retention: until account deletion or field clearing.
  • User-generated content (reviews, lists, articles, screenshots, collection entries, votes, reports, follows, blocks) — purpose: operate the service and display community content. Lawful basis: contract. Retention: until you delete the content or your account.
  • Steam integration data (Steam ID, public playtime) — processed only if you connect Steam. Lawful basis: consent. Retention: until you disconnect Steam or delete your account.
  • Technical data (IP address during a session, user agent) — purpose: security, rate limiting, CSP reports. Lawful basis: legitimate interest. Retention: no longer than 30 days in application logs, subject to the standard retention policies of our infrastructure providers [TODO(supabase-logs-retention): confirm exact values].
  • Cookies — see §6.

3. Sources

Directly from you. For Steam integration data, from the Steam Web API as an authenticated third-party call made on your behalf.

4. Recipients and processors

We share personal data only with processors that run infrastructure on our behalf: Supabase (database, authentication, storage) and our hosting provider (serves this website). No data brokers, no advertising networks, no sale of personal data.

5. International transfers

[TODO(infrastructure-region): confirm the regions of our Supabase project and our hosting provider, and the applicable transfer safeguard. Where infrastructure is hosted outside the UK or EEA, transfers are covered by the EU Standard Contractual Clauses together with the UK International Data Transfer Addendum. To be resolved before VGDB leaves Alpha.]

6. Cookies

We use the following browser storage:

  • Session / auth cookies (Supabase) — strictly necessary. Keep you signed in.
  • Cookie-banner decision record— strictly necessary. Stored in your browser's local storage (not an HTTP cookie) so we don't prompt you on every visit.
  • Google Analytics cookies (_ga, _ga_*) — set only with your explicit consent via the cookie banner. Used for aggregate page-view counts.

Manage your consent at any time via the Cookie Preferences link in the footer.

7. Data subject rights (UK GDPR articles 15–22)

You have the right to: access your personal data; have inaccurate data rectified; have data erased; restrict processing; port your data to another service; object to processing; and withdraw any consent at any time without affecting the lawfulness of prior processing. To exercise any of these rights, email privacy@vgdb.co.

8. Automated decision-making

We do not use solely automated decision-making or profiling that produces legal effects or similarly significantly affects you.

9. Right to complain

If we fail to handle your personal data properly, you can complain to the Information Commissioner's Office (ico.org.uk). We would rather you write to us first so we can fix it.

10. Changes to this policy

Material changes are announced in the changelog and reflected in the "Last updated" date at the foot of this page.

11. Contact

privacy@vgdb.co

Last updated: 24 April 2026