Cookie Policy

This Cookie Policy supplements the operator's Privacy Policy and informs visitors and users of the offering reachable under the domain steamwebapi.com about the types of cookies and comparable browser-based storage technologies that are used in connection with the Service, the purposes for which they are deployed, the legal basis on which they are deployed, the duration for which the corresponding entries are retained on the user's device, and the options available to the user to influence the use of such technologies. It is, like the Privacy Policy itself, drafted as continuous prose because the underlying statutes — in particular § 25 of the German Telecommunications Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz, "TTDSG") and Articles 13 and 14 of the General Data Protection Regulation (GDPR) — require the information to be transparent, intelligible, and easily accessible, all of which is satisfied by a flowing-text presentation. The operator's general data-protection contact applies equally to questions regarding cookies and comparable technologies; correspondence may be directed to info@sellrock.de. The full statutory provider information of the controller responsible for the processing operations described below is set out in the Imprint, which is reachable from every page of this website and not repeated in the present document.

Cookies and comparable technologies

Cookies in the technical sense are small textual entries that a website causes the user's browser to store on the user's terminal device, typically with a defined name, a value, an expiry, and a scope of validity that determines under which domain or path the entry is read back on subsequent requests. Comparable technologies for the purposes of this document include, in particular, the data stored in the so-called Web Storage facilities of modern browsers (sessionStorage and localStorage) and the entries written into IndexedDB databases that are scoped to a particular origin. Although the underlying mechanisms differ, all of these technologies have in common that they store information on the user's device under the control of the website's origin, and the German legislator therefore subjects them to a unified regulatory regime in § 25 TTDSG. The operator uses a small number of strictly purpose-bound entries within these mechanisms; behavioural advertising cookies, cross-site tracking cookies, fingerprinting techniques, third-party advertising pixels, and comparable technologies whose purpose is the construction of an advertising profile of the user are not employed.

Categories of entries actually used by the operator

The entries actually used by the operator can be grouped into two categories, both of which are strictly necessary to operate the Service in the form in which it is offered. The first category comprises an authenticated-session identifier, by default named PHPSESSID, that is set by the operator's application server to associate the sequence of HTTP requests originating from a single browser with a single authenticated session; without this entry, an authenticated user would have to re-authenticate against the Steam OpenID flow on every navigation step, which would render the dashboard unusable. The session identifier is set as an HttpOnly, Secure cookie scoped to the operator's domain and is removed by the browser at the latest when the browser session ends, unless the underlying server session has already expired beforehand. The second category comprises a long-lived authentication token, by default named REMEMBERME, that is set only if the user has deliberately opted into the "stay signed in" option; this token allows the dashboard to recognise an authenticated user across browser restarts for a period of up to thirty days, after which it expires automatically. The user may at any time invalidate the long-lived token by signing out of the dashboard or by clearing the cookies for this domain in their browser settings.

Legal basis for the use of these technologies

The setting and reading of the strictly necessary entries described in the preceding paragraph relies on § 25 (2) (2) TTDSG, which exempts technologies that are strictly necessary for the provision of a telemedia service expressly requested by the user from the consent requirement that would otherwise apply under § 25 (1) TTDSG. To the extent that the operations described above involve the processing of personal data within the meaning of Art. 4 (1) GDPR — which is, in part, the case for the session identifier and the remember-me token — that processing is based on Art. 6 (1) (b) GDPR (performance of a contract or pre-contractual measures) and on Art. 6 (1) (f) GDPR (legitimate interest of the operator in the secure and stable provision of the Service). No optional, marketing- or analytics-related entries are set without prior, explicit, freely given, specific, informed, and unambiguous consent within the meaning of Art. 6 (1) (a) GDPR in conjunction with § 25 (1) TTDSG; should the operator deploy a privacy-friendly, cookie-less analytics solution that does not write entries on the user's device and does not construct identifiable profiles, no consent is required for that solution either, but its deployment is in any event covered by the present document.

Third-party entries in connection with Steam authentication

Authentication of human users relies on the Steam OpenID flow operated by Valve Corporation under the steamcommunity.com identity endpoint. During this authentication step, the user's browser is briefly redirected to a Valve-controlled origin; in that context, Valve may, on its own responsibility, set cookies and comparable entries scoped to that origin, the use of which is governed exclusively by Valve's own privacy and cookie regimes and over which the operator has no influence. The operator does not embed any pixels, beacons, embedded videos, or comparable third-party content that would itself set cookies under a third-party origin while the user is browsing pages served from the operator's own domain.

Disabling, deleting, and managing entries

Modern web browsers offer extensive controls that allow users to view, delete, block, or selectively manage cookies and comparable storage entries on a per-origin basis; users wishing to consult or modify the entries currently stored for the operator's domain are encouraged to use the relevant pages within their browser's privacy or settings menus. Disabling the strictly necessary entries identified above will, however, prevent the dashboard from establishing or maintaining an authenticated session and will accordingly render the authenticated portions of the Service unusable; this is a technical consequence of the architecture of the Service and not a sanction imposed by the operator.

Changes to this Cookie Policy

The operator reserves the right to amend this Cookie Policy in line with technical, organisational, or legal developments affecting the use of cookies and comparable technologies in the context of the Service. Material amendments — meaning amendments that go beyond purely editorial or clarifying adjustments — are notified to active subscribers through the channels available within the Service in advance of their effective date, and where the law requires it, are made conditional on a renewed consent. Questions regarding this Cookie Policy may be directed to info@sellrock.de.