Privacy Policy
Information on the processing of personal data when using steamwebapi.com pursuant to Articles 13 and 14 GDPR — written as continuous prose.
April 23, 2026
This Privacy Policy informs visitors, customers, and other natural persons whose personal data may be processed in the course of operating the offering reachable under the domain steamwebapi.com about the type, scope, purposes, legal basis, retention, and recipients of such processing, and about the rights they enjoy under the General Data Protection Regulation (EU Regulation 2016/679, "GDPR") and the supplementary German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG). It is written, like the corresponding Imprint, as a continuous narrative because the underlying statutes require the information to be transparent, intelligible, easily accessible, and provided in clear and plain language — none of which is impaired by a prose layout. The guiding principle of the operator's data processing is data minimisation in the sense of Art. 5 (1) (c) GDPR: only those personal data are processed that are genuinely necessary to operate the service, perform the contractual obligations owed to subscribers, comply with statutory retention duties, and protect the platform from misuse. Personal data are not sold, rented, traded, exchanged, monetised through advertising profiles, or otherwise made available to unrelated third parties for purposes of their own marketing. There is no behavioural profiling, no cross-site tracking, and no automated decision-making producing legal effects in the sense of Art. 22 GDPR.
The legally responsible party (controller) within the meaning of Art. 4 (7) GDPR for all processing described below is the company identified in the Imprint reachable from every page of this website; the corresponding statutory provider information is given there in the form prescribed by § 5 DDG and is not repeated here in order to keep this document focused on data-protection matters. For all matters concerning data protection, including the exercise of the rights set out further below, electronic correspondence may be directed to info@sellrock.de, an inbox monitored during regular German business hours and treated with the priority that the statutory response deadlines (in particular Art. 12 (3) GDPR) require.
Categories of personal data processed and the purposes thereof
In the ordinary course of operating the service, the operator processes a small set of data categories, each of which is collected for a clearly delimited purpose and retained no longer than necessary for that purpose. When a visitor authenticates against the service through the Steam OpenID flow, the operator receives from Valve Corporation the visitor's public Steam ID, the public Steam display name, and the URL of the public Steam avatar; these elements together form the account record under which all further interactions are tracked. No password, private profile information, friend list, inventory data, or other non-public information from the user's Steam account is requested, transmitted, or stored as part of that authentication step.
Where a customer enters into a paid subscription, additional data necessary for the issuance of a tax-compliant invoice are processed: typically a name, an email address, a postal address, where applicable a VAT identification number, and where applicable the name of the contracting company. These data are required by §§ 14, 14a UStG and the underlying European VAT directive, must appear on the invoice itself, and are retained in accounting records for the statutory period of ten years pursuant to § 147 AO and § 257 HGB. During the active life of an account, the operator further processes operational telemetry connected to the use of the API: request counts, the endpoints called, request timestamps, the HTTP status codes returned, and the IP address from which the request originated. These elements are needed to enforce contractually agreed rate limits, to detect abusive traffic patterns, to support customers in debugging integration problems, and to bill usage-based subscription tiers. Beyond that, the underlying webserver and CDN layer transiently log standard request metadata (such as IP address, user-agent string, and request timestamp) for security and abuse-mitigation purposes; this transient log data is retained only for as long as it is operationally meaningful and is then aggregated or deleted.
Legal bases under Article 6 GDPR
Each processing operation described in this document is supported by an explicit legal basis under Art. 6 (1) GDPR. Processing required to provide the contractually agreed service — including authentication, dashboard access, API request handling, subscription management, and the issuance of invoices — is based on Art. 6 (1) (b) GDPR (performance of a contract or pre-contractual measures). Processing required to comply with statutory obligations — in particular the retention of accounting and tax records — is based on Art. 6 (1) (c) GDPR in conjunction with the relevant national statutes (§ 147 AO, § 257 HGB, § 14b UStG). Processing related to the protection of the operator's infrastructure and the prevention of fraud and abuse, including the operation of rate-limiters and anomaly detection, is based on Art. 6 (1) (f) GDPR (legitimate interest), the operator's legitimate interest being the secure, stable, and uninterrupted operation of the service for the benefit of all customers. Where processing exceptionally rests on the consent of the data subject, that consent is collected separately and may be withdrawn at any time with effect for the future, without affecting the lawfulness of processing carried out before withdrawal.
Authentication via Valve's Steam OpenID
Authentication of human users is delegated to the OpenID 2.0 service operated by Valve Corporation under the steamcommunity.com identity endpoint. In the context of this delegated authentication, the operator receives from Valve only the public attributes already mentioned (Steam ID, public display name, public avatar URL); no password is exchanged with the operator, no Steam Guard secret is exchanged, and no API token granting access to private parts of the user's Steam account is created or stored. Whether and which data Valve itself processes about its users in the context of the OpenID handshake is governed by Valve's own Steam Privacy Agreement, which the operator has no control over and does not redistribute. Use of the operator's service through the Steam OpenID flow is consequently subject to two privacy frameworks acting in parallel: that of Valve in respect of operations carried out on Valve's side, and the present document in respect of operations carried out on the operator's side.
Payment processing and billing
Payments associated with paid subscriptions are processed exclusively through external payment service providers that are PCI-DSS certified at the levels appropriate to their respective transaction volumes; the operator does not, at any point, see, store, or have access to full payment-card primary account numbers, card verification values, or other sensitive authentication data within the meaning of PCI-DSS. From the payment provider, the operator receives only the data strictly necessary to associate a successful transaction with the relevant customer account and to compose a valid invoice — typically the transaction status, the last four digits of the instrument used, the billing name and address provided by the cardholder, and a unique transaction reference for accounting purposes. Where a customer settles a subscription through cryptocurrency over an alternative channel maintained by the operator, the operator receives only the on-chain transaction reference and the email address linked to the customer account; no wallet-level information beyond the public on-chain reference is retained.
Service providers acting as processors
In order to deliver the service the operator engages a small number of carefully selected service providers acting as processors within the meaning of Art. 28 GDPR. Each such relationship is governed by a written data processing agreement that meets the requirements of Art. 28 (3) GDPR, including obligations relating to confidentiality, security, sub-processor authorisation, and data return or deletion at the end of the relationship. The categories of processors involved are: providers of cloud-based hosting infrastructure and content-delivery networks operating from data centres located within the European Union; PCI-DSS-certified payment processors as described in the preceding paragraph; providers of privacy-friendly, cookie-less product analytics that do not build behavioural profiles of individual users; and providers of customer-support and live-chat tooling for incoming inquiries. To the extent technically and economically feasible, the operator gives preference to providers headquartered and operating from within the European Economic Area; where a transfer of personal data to a third country is unavoidable, the safeguards required by Chapter V GDPR (in particular standard contractual clauses pursuant to Art. 46 (2) (c) GDPR) are put in place.
Transfers to third countries
The infrastructure on which the service runs is — by deliberate operational choice — primarily located within the European Union, and the regular operation of the service does not entail systematic transfers of personal data to third countries outside the European Economic Area. To the extent that occasional transfers nonetheless occur — for instance because a sub-processor of an EU-based provider routes traffic via global infrastructure, or because an integrated communication tool is operated from outside the EEA — such transfers are protected by the standard contractual clauses adopted by the European Commission under Art. 46 (2) (c) GDPR, supplemented where necessary by additional technical and organisational safeguards consistent with the post-Schrems II case-law of the Court of Justice of the European Union. Data subjects may, on written request directed to the contact address indicated in this document, obtain further information on the specific transfer mechanism applicable to a given processing operation.
Retention periods
Personal data are retained only for as long as necessary for the purposes for which they were collected, taking into account applicable statutory retention obligations. Account data are retained for the duration of the account plus a reasonable post-termination period during which residual contractual or pre-contractual claims may still arise; thereafter, the data are deleted or anonymised. Accounting and billing records — including invoices, payment confirmations, and the personal data necessary to establish the underlying business transaction — are retained for ten years following the end of the calendar year in which the relevant document was issued, in fulfilment of § 147 AO and § 257 HGB. API usage telemetry retained for the purposes of billing, rate-limit enforcement, and abuse mitigation is held in identifiable form for up to ninety days from the date of the underlying request and is thereafter aggregated or deleted; access logs collected at the webserver and CDN layer are retained for substantially shorter periods consistent with their purpose. Specific shorter retention periods apply to incidental categories of data and are documented internally in the operator's records of processing activities maintained pursuant to Art. 30 GDPR.
Rights of data subjects
Data subjects whose personal data are processed in the context of the service enjoy the full set of rights provided for by the General Data Protection Regulation, exercisable at any time against the controller. These include, in particular: the right of access to their personal data and to information about the processing pursuant to Art. 15 GDPR; the right to rectification of inaccurate or incomplete data pursuant to Art. 16 GDPR; the right to erasure of their data, where one of the grounds set out in Art. 17 (1) GDPR is satisfied and no statutory retention obligation prevents deletion; the right to restriction of processing pursuant to Art. 18 GDPR in the situations enumerated there; the right to data portability for data processed by automated means on the basis of consent or contract pursuant to Art. 20 GDPR; the right to object to processing carried out on the basis of Art. 6 (1) (e) or (f) GDPR pursuant to Art. 21 GDPR, with the consequences set out therein; the right to withdraw at any time, with effect for the future, any consent previously given pursuant to Art. 6 (1) (a) or Art. 9 (2) (a) GDPR; and finally the right under Art. 77 GDPR to lodge a complaint with a supervisory authority — typically the data-protection supervisory authority of the Member State in which the data subject habitually resides, works, or where the alleged infringement took place; for the operator, the territorially competent supervisory authority is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA) in Ansbach. Requests aimed at exercising any of the foregoing rights can be sent in writing to info@sellrock.de; the operator may, before acting on the request, ask for additional information needed to verify the requester's identity, in line with Art. 12 (6) GDPR.
Whether providing data is mandatory
The provision of personal data described in this document is neither required by statute nor by contract in the sense that any natural person would be obliged to provide them; however, certain processing operations are by their nature impossible to perform without the corresponding data. Without a Steam OpenID authentication, an account cannot be created and the dashboard cannot be used; without billing details, a paid subscription cannot be invoiced in compliance with German VAT law; and without the operational telemetry described above, rate-limit enforcement and abuse prevention cannot be performed. The decision to provide the relevant data therefore lies with the data subject, with the consequence that the corresponding part of the service can only be used to the extent that the data are made available.
Automated decision-making and profiling
No automated decision-making within the meaning of Art. 22 GDPR — that is, decisions producing legal effects concerning a data subject or similarly significantly affecting them — is carried out in the context of the service. The automated technical safeguards described in the operator's Imprint (rate-limiters, anomaly detection, API key invalidation upon suspected compromise) are operational protection measures whose effects are temporary, technical, and reversible upon human review; they do not, individually or in combination, constitute automated profiling for the purpose of evaluating personal aspects relating to a natural person within the meaning of Art. 4 (4) GDPR.
Cookies and similar technologies
The service uses only those cookies and comparable browser-storage technologies that are strictly necessary for the operation of the website and the dashboard — for instance to maintain an authenticated session, to remember a chosen language, or to preserve consent decisions. No analytics, marketing, or tracking cookies are set by default. Further details on the individual storage entries used, their purpose, and their lifetime are set out in the separately published Cookie Policy, which forms part of the present privacy framework alongside this document.
Security of processing
Appropriate technical and organisational measures within the meaning of Art. 32 GDPR are in place to ensure a level of security appropriate to the risks of the processing. All traffic between the user's client and the operator's services is protected by current versions of Transport Layer Security; access credentials are stored as salted hashes computed with cryptographic primitives in accordance with current industry recommendations; API keys are persisted as scoped, individually revocable tokens; production systems are accessible only over authenticated, logged, and audited administrative channels; backups are performed regularly and stored encrypted; security-relevant events are recorded for the purposes of incident response. The catalogue of measures is reviewed and adjusted on an ongoing basis to reflect the state of the art, the costs of implementation, and the actual risk profile of the processing operations involved.
Changes to this Privacy Policy
The operator reserves the right to update this Privacy Policy as the service evolves, as the interpretation of the underlying statutes by competent authorities or courts changes, or as new processing operations are introduced. The current version is always accessible at the corresponding URL on this website; the date of the last revision is shown at the top of the document. Material changes — that is, changes affecting the type, scope, purposes, or legal basis of the processing in a way that is not merely editorial — are communicated to active subscribers in advance through the channels available within the service, and where required by law are made conditional on a renewed consent of the data subject.