Privacy Policy
Last updated: [DATE]
This Privacy Policy explains what personal data Bunter ("the Site", "we", "us") collects, why we collect it, and what rights you have over it. Bunter is operated from Poland and this policy is written in compliance with the EU General Data Protection Regulation (GDPR).
1. Data Controller
The data controller responsible for your personal data is:
Bunter Contact: [email protected]
If you have any questions or requests regarding your personal data, please contact us at the address above.
2. What Data We Collect and Why
2.1 Steam Account Data
When you log in using Steam OpenID, we receive and store your public Steam profile information, including:
- SteamID64 — your permanent Steam account identifier, used as your unique identifier on Bunter
- Display name (nickname) — used to identify you to other users
- Avatar image URL — displayed on your profile and in trade listings
- Country — sourced from your public Steam profile, used to help match you with nearby traders
Legal basis: Article 6(1)(b) GDPR — this data is necessary to perform the service you signed up for. Without it, we cannot operate your account or allow you to trade.
2.2 Profile Preferences and Settings
You may provide or adjust the following data through your account settings:
- Location override — you may replace or generalise your Steam country with a region (e.g. "EU") or a specific country code (e.g. "PL")
- Hide location toggle — whether your location is visible to other users
- Trading note — a freeform text note displayed on your public profile
Legal basis: Article 6(1)(b) GDPR — these are part of operating your account and participation in the trading platform.
2.3 Activity Data
We record the time of your most recent authenticated request to the Site (active_at). This is used to:
- Display a live activity indicator on your profile (e.g. "Active now" within a 15-minute window)
- Rank active traders higher in search results, so users can find trading partners who are likely to respond
Legal basis: Article 6(1)(f) GDPR — legitimate interests in providing a useful and responsive trading experience.
2.4 Trade and Listing Data
Records of your game listings, wishlists, libraries, trade offers made and received, and trade history are stored permanently. This data forms the operational record of the platform.
Legal basis: Article 6(1)(b) GDPR — this data is the core purpose of the service.
2.5 Account State Data
We store administrative data relating to your account status, including whether your account is suspended, deleted, or holds a particular role. This is used for platform governance, moderation, and fraud prevention.
Legal basis: Article 6(1)(f) GDPR — legitimate interests in maintaining a safe and fair platform.
2.6 Technical Logs
Our server infrastructure logs technical data including IP addresses, browser type, operating system, and timestamps of requests. This data is used to monitor site performance, diagnose errors, and investigate abuse.
Legal basis: Article 6(1)(f) GDPR — legitimate interests in operating and securing the Site.
3. Data Retention
| Data | Retention period |
| Profile and account data | For the lifetime of your account, erased upon deletion (see Section 6) |
| Trade and listing history | Retained indefinitely — forms the permanent operational record of the platform |
Activity timestamp (active_at) | Cleared upon account deletion |
| Account state / moderation records | Retained as long as necessary for fraud prevention |
| Technical server logs | [PLACEHOLDER — define your log rotation period, e.g. 90 days] |
Trade and listing records that reference your account are retained after deletion in anonymised form (see Section 6).
4. Who We Share Your Data With
We do not sell, rent, or share your personal data with any third parties for commercial purposes.
Your data is stored on infrastructure provided by Oracle Cloud (Frankfurt, Germany), an EU-based server host. Oracle acts as a data processor on our behalf under a Data Processing Agreement. They do not access your data for their own purposes.
No other third-party processors have access to your personal data.
5. Cookies
Bunter uses a single, strictly necessary session cookie to manage your login state. This cookie is:
- Required for the Site to function — without it, you cannot remain logged in
- Accessible only over a secure HTTPS connection
- Not used for tracking, advertising, or analytics
Because this cookie is strictly necessary for the operation of the Site, it does not require your consent under EU law. No other cookies are set by Bunter.
6. Account Deletion and Right to Erasure
You can delete your account at any time from your account settings. When you do:
- All personal fields are erased: your display name, avatar, country, location overrides, trading note, and activity timestamp are removed or replaced with anonymous placeholders
- Your account is permanently deactivated
- Your SteamID64 is retained in the form of an anonymous tombstone record. This is necessary to preserve referential integrity with trade records, and to prevent fraudulent re-registration. This constitutes our legitimate interest under Article 6(1)(f) GDPR. The retained identifier is no longer associated with any personal profile data
- Trade and listing records that reference your account remain intact, but are now linked only to the anonymous tombstone
If you want to request erasure of your SteamID64 specifically, contact us at [email protected] and we will consider your request against our fraud-prevention obligations.
7. Your Rights Under GDPR
As an EU resident, you have the following rights regarding your personal data:
- Right of access — you may request a copy of the personal data we hold about you
- Right to rectification — you may correct inaccurate data via your account settings, or by contacting us
- Right to erasure — you may delete your account as described in Section 6, or contact us with specific erasure requests
- Right to data portability — you may request your data in a machine-readable format
- Right to object — you may object to processing based on legitimate interests (Article 6(1)(f))
- Right to restriction — you may ask us to restrict processing of your data in certain circumstances
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
You also have the right to lodge a complaint with the Polish data protection authority:
Urząd Ochrony Danych Osobowych (UODO) Website: uodo.gov.pl
8. Changes to This Policy
We may update this Privacy Policy from time to time. The "last updated" date at the top of this page reflects the most recent revision. Continued use of the Site after a change constitutes acceptance of the updated policy.
9. Contact
For any privacy-related questions or requests: [email protected]