Privacy Policy
Last updated: 2026-05-08
This Privacy Policy explains how CSOutpost ("we", "the Service") collects, uses, and protects your information.
1. Information we collect
- Account data: email (for email-password registration), Steam ID, Steam username, Steam avatar (Steam OpenID).
- Trade link: the public Steam trade URL you provide. Used to read your CS2 inventory and generate post text.
- Inventory snapshot: we cache a daily snapshot of your tradable CS2 items (name, price, rarity, icon URL) — read from public Steam endpoints.
- Authentication: bcrypt-hashed passwords (never plaintext); TOTP secrets and recovery codes encrypted at rest with AES-256-CBC.
- Login history: IP address, user-agent, login method, timestamp — for security audit only, visible to you in dashboard.
- Subscription / payment data: plan tier, billing email, payment provider transaction IDs (NOWPayments). We do NOT store card or wallet credentials.
- Service logs: post results (success/failure timestamps and target groups) for the bot operations you authorized.
2. How we use your information
- To operate the auto-posting service you subscribed to.
- To generate post text from your inventory and your trade link.
- To authenticate you and detect compromised sessions.
- To process subscription payments and provide receipts.
- To communicate operational notices (security alerts, plan changes, billing).
3. Data we do NOT collect or sell
- We do NOT sell or rent your data to third parties.
- We do NOT use your data for advertising or profiling outside the Service.
- We do NOT store your Steam password — login is handled by Valve via OpenID.
- We do NOT have access to private items, friends list, or chat history.
4. Third parties
- Valve / Steam — OpenID login + public inventory.
- skin.broker — item price lookup (only item names sent, no user data).
- NOWPayments — crypto payment processing (subject to their policy).
- Cloudflare — CDN + DDoS protection (request metadata).
- Mailgun / SMTP provider — outbound transactional email (verification, password reset).
- Hosting: Hetzner Cloud (EU region).
5. Cookies
We use a single first-party session cookie (csoutpost.sid) to keep you logged in. HTTP-only, Secure, SameSite=Lax. No advertising or tracking cookies.
6. Data retention
- Account data: kept while account is active. Deletion on request removes it within 30 days.
- Login history: 90 days, then automatic purge.
- Post logs: 12 months for the operational dashboard, then aggregated.
- Backups: encrypted daily, retained 7 days, then rotated.
7. Your rights
- Access and download your data — contact [email protected].
- Delete your account — contact us; complete erasure within 30 days.
- Disable 2FA, change trade link, change min-price filter — self-service in dashboard.
- EU residents: GDPR rights apply (access, rectification, erasure, portability, objection).
8. Security
The Service is HTTPS-only (Cloudflare Origin Cert). Passwords are hashed with bcrypt at cost 12. TOTP secrets and bot credentials are encrypted with AES-256-CBC. Recovery codes are bcrypt-hashed. Daily Postgres backups are encrypted and written to remote storage. Hosting relies on Hetzner Cloud isolation.
9. Changes to this policy
Material changes are emailed to active subscribers and noted in the page header. The "Last updated" date appears above.
10. Contact
Questions: [email protected]