Privacy Policy

Last updated: April 10, 2026

GPM Bot (“we”, “us”) is a service that delivers automated Steam sales and wishlist reports to your Slack or Discord. This policy explains what data we collect, how we use it, and how we protect it.

What we collect

Account information

Your email address. We verify ownership via a one-time code (OTP) sent to that address — we do not store passwords.

Email consent timestamp

The moment you confirmed your email via OTP. This records explicit consent to receive product and transactional emails from GPM Bot, in line with our login disclaimer.

Steam API key

The Steamworks Partner API key you provide. It is encrypted at rest using AES-256-GCM and never logged or transmitted in plaintext.

Steam App IDs

The game IDs you configure for reporting.

Slack / Discord channel metadata

For each delivery channel you connect we store the incoming webhook URL (encrypted at rest with AES-256-GCM), the workspace or server identifier (Slack team ID / Discord guild ID), and the display name of the target channel (for example, #general). We do not read, access, or store the content of any Slack or Discord messages — GPM Bot is outbound-only and only POSTs your report messages.

Report preferences

Your preferred daily report time (UTC hour).

Operational logs

Report delivery status, errors, and job durations — retained to keep the service running and diagnose issues. Optionally, if enabled in a given deployment, anonymous error reports via Sentry and aggregate product metrics via PostHog.

What we do not collect

  • We do not collect payment card data.
  • We do not sell, rent, or share your data with third parties for marketing.
  • We do not store Steam financial data beyond what is needed to format and deliver your daily report.

How we use your data

  • To authenticate you and secure your account.
  • To fetch your Steam sales and wishlist data on your behalf and deliver the daily digest to your Slack or Discord.
  • To operate, debug, and improve the service.

Subprocessors

GPM Bot relies on the following third parties to operate. Each handles a specific slice of data and is governed by its own privacy policy.

Valve / Steam

We call the Steamworks Partner API using your key to fetch sales and wishlist data. Your use of that API is subject to Valve's terms.

Slack

Reports you opt to deliver to a Slack workspace are posted via an incoming webhook. Slack receives your report text and the workspace/channel identifiers you selected during install. Governed by Slack's privacy policy.

Discord

Reports you opt to deliver to a Discord server are posted via an incoming webhook. Discord receives your report text and the guild/channel identifiers you selected during install. Governed by Discord's privacy policy.

Resend

Used to send transactional email — OTP verification codes, daily reports to EMAIL delivery channels, and account notifications. Resend receives the recipient address and message contents. Governed by Resend's privacy policy.

Stripe

If you subscribe to a paid tier, Stripe handles the checkout and payment. Stripe receives your payment card details directly; GPM Bot never sees or stores card data. Governed by Stripe's privacy policy.

Railway

The platform that hosts the application and the PostgreSQL database storing your encrypted credentials and report history. Data is stored in the region specified in our infrastructure.

Cloudflare R2

Custom bot avatar images are stored in Cloudflare R2 object storage. R2 receives the image file you upload; no other personal data is sent. Governed by Cloudflare's privacy policy.

Umami

If enabled, Umami collects anonymous page-view analytics (page URL, referrer, browser, country) to help us understand usage patterns. Umami does not use cookies and does not collect personal data. Analytics run on a self-hosted instance or Umami Cloud, governed by Umami's privacy policy.

Sentry (optional)

If enabled in a given deployment, Sentry receives anonymized error reports to help us fix bugs. Personal data is scrubbed from events before transmission via a custom beforeSend filter.

PostHog (optional)

If enabled in a given deployment, PostHog (EU instance) receives aggregate usage events (page views, feature usage) so we can prioritize improvements. These events are linked to a hashed user identifier, never to an email. Session recording is disabled by default and is only enabled temporarily for debugging with explicit admin consent.

Data retention and deletion

Your data is retained for as long as your account is active. You can delete your account and all associated data at any time from Settings — encrypted keys and webhook URLs are removed immediately.

If you or a workspace admin uninstalls GPM Bot from a Slack workspace, Slack notifies us via an app_uninstalled event and we automatically delete every Slack delivery channel tied to that workspace from our database. The same cleanup runs when a Slack user revokes their access token. You do not need to take any action on our side for the data to be removed.

Security

All sensitive credentials (Steam API keys, webhook URLs) are encrypted at rest with AES-256-GCM. Connections to GPM Bot are served over HTTPS.

Your rights

You may request a copy of your data or ask us to delete it at any time by contacting us. If you are in the EU/EEA, you have additional rights under GDPR including the right to rectification and the right to lodge a complaint with your supervisory authority.

Cookies & tracking

GPM Bot sets a session cookie (HttpOnly, SameSite=Lax, Secure in production) when you log in. This cookie is essential for authentication and cannot be disabled without losing access to the app.

Umami collects anonymous page-view analytics without cookies. PostHog (EU instance) may set a first-party cookie for session attribution; session recording is disabled by default.

We do not use any third-party advertising or tracking cookies.

Slack OAuth scopes

When you install GPM Bot to a Slack workspace, we request the following bot scopes:

  • channels:read, groups:read — to list available channels for the routing UI
  • chat:write, chat:write.public — to post report messages
  • chat:write.customize — to display a custom bot name and avatar on report messages

We do not request any identity or message-reading scopes. GPM Bot is outbound-only.

Age requirements

GPM Bot is intended for use by game developers and publishers who hold a Steamworks Partner account. You must be at least 16 years old (or the age of digital consent in your jurisdiction) to create an account. If you are under 18 you must have your parent or legal guardian's consent to use this service. We do not knowingly collect data from anyone under 16. If we learn that a user is under 16, we will promptly delete their account and all associated data.

Data portability

Under GDPR Article 20 you have the right to receive a copy of your data in a structured, commonly used, machine-readable format. To request an export, email gpmbot@korova.games. We will respond within 30 days with a JSON file containing your account profile, tracked apps, report history, and delivery channel metadata. Encrypted fields (Steam API keys, webhook URLs) are excluded from exports for security.

Data Processing Agreement

If your organization requires a Data Processing Agreement (DPA) with Standard Contractual Clauses (SCCs), please contact us at gpmbot@korova.games. We will provide a signed DPA within 10 business days at no additional cost.

Data retention schedule

Active accounts: data is retained for as long as your account is active. Deleted accounts: all data is removed from the production database immediately upon account deletion; database backups are rotated on a 7-day cycle and fully purged within 14 days of deletion. OTP verification codes expire within 15 minutes and are automatically cleaned up by a scheduled job within 24 hours. Rate-limit counters are purged hourly.

Contact

gpmbot@korova.games