Privacy Policy
Last updated: March 19, 2026
Empress.GG ("the Platform", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, and what choices you have. By using the Platform, you agree to the practices described in this policy.
1. Information We Collect
Information You Provide
- Steam account data: Your Steam ID, display name, and profile avatar, obtained through Steam OpenID authentication when you sign in
- Email address: Provided during account setup for verification, notifications, password recovery, and promotional communications
- OAuth linked accounts: When you link Discord, Twitch, Twitter/X, YouTube, or TikTok, we receive your account ID and public profile information from those services
- Payment information: When you purchase cosmetics, payment details are processed through Stripe. We do not store credit card numbers. Stripe retains transaction records per their privacy policy
- Profile information: Custom username, profile picture, biography, linked accounts, and any comments or content you post
Information Collected Automatically
- Gameplay data: Match results, round-by-round statistics (kills, deaths, assists, ADR, rating), MMR ratings, server information, and in-game events during Empress matches
- Usage data: Pages visited, features used, timestamps, interaction patterns, and search queries within the Platform
- Technical data: IP address (for session security, rate limiting, and anti-cheat), browser type, device type, operating system, and general hardware information
- Session data: Cookie identifiers and session tokens used to maintain your logged-in state
Information We Do Not Collect
We do not collect or store: Steam passwords, credit card numbers (handled by Stripe), real names (unless voluntarily shared), data from games played outside of Empress.GG, or any information you choose not to provide.
2. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the matchmaking service
- Calculate and display skill ratings (MMR), ranks, and leaderboards
- Match you with players of similar skill level
- Detect and prevent cheating, abuse, and violations of our Terms of Service
- Send account-related communications (email verification, ban notifications, important updates)
- Display your public profile, statistics, and match history to other users
- Analyze usage patterns to improve the Platform and user experience
- Respond to support requests and communicate with you about your account
3. Data Sharing, Third-Party Services & Disclosure
We do not sell, rent, or trade your personal data to advertisers or data brokers.
We share data with the following third-party service providers who process data on our behalf:
- Valve (Steam): Your Steam ID is shared for authentication and account linking. Steam's privacy policy governs their handling of your data
- Stripe: Payment information for cosmetic purchases. Stripe complies with PCI DSS standards and handles all credit card data. We do not store payment card information
- Discord, Twitch, Twitter/X, YouTube, TikTok: When you link these accounts, we receive your public profile ID and basic account information per each service's OAuth agreements
- Cloudflare (R2): Avatar images, profile pictures, and cosmetic assets are stored on Cloudflare R2 for CDN delivery
- Railway: Platform infrastructure hosting, database (PostgreSQL), and cache services (Redis)
- Email delivery services: Third-party email providers for verification, notifications, and communications
All service providers are contractually bound to handle your data in accordance with this Privacy Policy and applicable data protection laws. We do not control these providers' practices beyond our contractual agreements.
Other circumstances where we share data:
- Public profile: Your username, avatar, rank, match history, and statistics are visible to other Platform users and may be cached by search engines
- Leaderboards: Top-ranked players are displayed publicly along with their stats and profile information
- Legal requirements: We may disclose information if required by law, regulation, legal process (subpoena, warrant), or valid governmental request
- Safety & enforcement: We may share information with law enforcement or other users when we believe it is necessary to protect safety, prevent fraud, or enforce our Terms of Service
- Business transfers: In the event of a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will provide notice of any such change and your rights regarding your data
4. Data Retention & Storage
- Active account data: Retained for as long as your account is active (Steam ID, email, profile information, linked OAuth accounts)
- Match history & statistics: Retained indefinitely as part of the Platform's competitive historical record and leaderboard integrity. This includes public display of your stats and ranking
- MMR & ranking data: Retained indefinitely for competitive seasons and all-time leaderboards
- IP addresses & technical logs: Retained for up to 90 days for security, rate limiting, and anti-cheat detection
- Session cookies: Retained only for the duration of your active session (typically cleared after 30 days of inactivity)
- Payment transaction records: Stripe retains records per their standard retention policy (typically 7+ years for tax and fraud purposes). We retain a reference to your purchases for cosmetic entitlements
- Support tickets & communications: Retained for 2 years or as required by law
- Deleted accounts: Upon account deletion, personal identifiers and linked OAuth accounts are removed. Anonymous match data (no player identifier) may be retained for statistical and competitive integrity purposes. Your profile becomes inaccessible, but leaderboard history showing your username may persist
- Banned accounts: All data associated with accounts terminated for violations (cheating, abuse, etc.) is retained indefinitely for enforcement, appeals, and preventing ban evasion
For GDPR and similar regulations, data deletion requests are honored to the extent permitted by law, with exceptions for competitive integrity, legal compliance, and fraud prevention.
5. Cookies, Session Management & Local Storage
Empress.GG uses cookies and local storage strictly for essential functionality and competitive integrity:
- Authentication cookies (iron-session): Secure, httpOnly session tokens to keep you logged in. These cookies cannot be accessed by JavaScript and expire after 30 days of inactivity
- Preference storage: Local storage to remember your UI preferences, theme settings, and notification settings
- Server-Sent Events (SSE): Real-time notifications use persistent connections. Your connection info may be logged for debugging and rate limiting
What we do NOT do:
- We do not use third-party tracking cookies or advertising cookies
- We do not participate in ad networks or cross-site tracking
- We do not use Google Analytics or similar external analytics services that share data with third parties
- We do not sell cookie data or use cookies for behavioral advertising
6. Data Security & Protection
We take the security of your data seriously and implement industry-standard measures to protect it:
- Encryption in transit: HTTPS/TLS encryption for all connections to the Platform
- Session security: Secure, httpOnly, SameSite cookies that cannot be accessed by scripts
- Password security: Passwords are hashed using industry-standard algorithms with cryptographic salts
- Data at rest: Sensitive data is encrypted at rest in our database (PostgreSQL)
- Access controls: Role-based access control (RBAC) for internal staff and admin systems with audit logging
- Rate limiting: IP-based and account-based rate limiting to prevent brute-force attacks and abuse
- Security maintenance: Regular security audits, vulnerability scanning, and timely patching of dependencies
- PCI DSS compliance: Payment processing through Stripe (PCI DSS Level 1 compliant). We never store or process credit card data
Limitation: While we implement strong security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but maintain best practices and will promptly notify affected users in the event of a confirmed data breach.
Admin panel security: The admin dashboard includes comprehensive audit logging of all administrative actions (user bans, data modifications, etc.) for transparency and accountability.
7. Your Rights & Data Subject Requests
Depending on your jurisdiction (especially GDPR and similar laws), you may have the following rights:
- Right to access: Request a copy of all personal data we hold about you, including match history and statistics
- Right to correction: Request correction of inaccurate, incomplete, or outdated data
- Right to deletion (right to be forgotten): Request deletion of your account and associated personal data (subject to legal and competitive integrity exceptions)
- Right to data portability: Request your data in a commonly used, machine-readable format (CSV, JSON, etc.) for transfer to another service
- Right to object: Object to processing of your data for marketing, profiling, or other purposes
- Right to restrict processing: Request that we limit how we use your data while a dispute is resolved
- Right to opt-out: Unsubscribe from non-essential email communications, notifications, and promotional content at any time
- Right to withdraw consent: Withdraw consent for optional data processing at any time
Exceptions: These rights may be limited if data must be retained for legal compliance, fraud prevention, competitive integrity, or enforcement of our Terms of Service.
How to submit requests:
- Submit requests through our support portal
- Email us at support@empress.gg with "Data Subject Request" in the subject line
- Provide sufficient information to identify your account
We will respond to verified requests within 30 days (or 45 days for complex requests). If you are not satisfied with our response, you may file a complaint with your local data protection authority.
8. Children's Privacy & Age Restrictions
Age requirements: Empress.GG is not intended for children under the age of 13. In the United States, the Children's Online Privacy Protection Act (COPPA) restricts collection of data from children under 13. In other jurisdictions, the age of digital consent may be higher (e.g., 16 in the EU for GDPR compliance).
For purchases of cosmetics: You must be the age of majority in your jurisdiction (typically 18 years old) or have parental consent to make purchases via Stripe.
Our practices:
- We do not knowingly collect personal information from children under 13
- We do not market to children or use data for behavioral profiling of minors
- If we become aware that a child under 13 has provided personal information, we will delete that information promptly
If you are a parent or guardian and believe your child has registered for an account or provided information to Empress.GG, please contact us immediately at support@empress.gg.
9. International Data Transfers & Global Users
Empress.GG is operated from the United States. Our infrastructure is hosted on Railway and Cloudflare, which may store and process data globally.
Data transfers: If you access the Platform from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate (EU, Asia, etc.). By using the Platform, you consent to these transfers.
GDPR and EU users: For users in the European Union, we rely on Standard Contractual Clauses (SCCs) and Adequacy Decisions to ensure adequate data protection for international transfers. Your data rights under GDPR remain in effect regardless of where data is stored.
We take steps to ensure your data receives an adequate level of protection regardless of where it is processed, including encryption and contractual safeguards with all service providers.
10. Third-Party Links & External Services
The Platform may contain links to third-party websites or services:
- Steam (Valve)
- Discord, Twitch, Twitter/X, YouTube, TikTok (OAuth linking)
- Stripe (payment processing)
- Support resources and documentation
Important: We are not responsible for the privacy practices or content of these external sites. Each service maintains its own privacy policy:
- Valve's Steam Privacy Policy governs your Steam data
- Stripe's Privacy Policy governs payment data
- Discord, Twitch, Twitter/X, YouTube, and TikTok govern their respective data
We encourage you to review the privacy policies of these external services before linking your accounts or providing personal information. We are not responsible for how these third parties handle your data.
11. Policy Updates & Changes
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
How we notify you:
- For material changes, we will notify users through the Platform (banner announcement, email notification, or in-app message)
- We will update the "Last updated" date at the top of this policy
- For significant privacy changes, we may require affirmative consent before the changes take effect
Your acceptance: Your continued use of the Platform after changes are posted constitutes your acceptance of the updated policy. If you do not agree with changes, you have the right to delete your account.
We encourage you to review this policy periodically to stay informed of how we protect your information.
12. Contact Us & Data Protection Authority
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Support portal: empress.gg/support
- Email: support@empress.gg
- Website: empress.gg
We will respond to privacy inquiries and data subject requests within 30 days.
For EU residents (GDPR): If you are not satisfied with our response to your data subject request, you have the right to lodge a complaint with your local data protection authority:
- For EU residents, contact your national Data Protection Authority (DPA)
- For UK residents, contact the Information Commissioner's Office (ICO)