Privacy Policy

Last updated: May 7, 2026

BetterFlipper (“we,” “our,” or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our desktop CS2 inventory manager application (“BetterFlipper Inventory Manager”), our web dashboard at betterflipper.com (“Web Panel”), and any related services (collectively, the “Service”).

The short version

We collect the minimum needed to run your account, process payments, and stop abuse. We never sell your data, never use ad trackers, and your card details never touch our servers — Stripe handles them. You can delete everything by emailing us.

1. Information We Collect

1.1 Account Information

When you create an account, we collect your email address, an optional display name, and a hashed password. We never store your password in plain text — it is salted and hashed using bcrypt before storage.

1.2 Steam Integration Data

When you connect your Steam account through the BetterFlipper Inventory Manager desktop application, we access your Steam inventory data including item names, wear/floats, stickers, and trade status. We also collect your Steam trade URL if you provide it for trading features. We do not store your Steam login credentials — authentication is handled locally by the desktop application using Steam's official session system.

1.3 Usage & Technical Data

We collect standard technical information required to operate the Service:

  • IP address (used for rate limiting, abuse prevention, and session security)
  • Browser user agent and screen resolution
  • Operating system and platform
  • Timezone and language preferences
  • Device fingerprint (FingerprintJS visitor ID) for multi-account abuse detection
  • Desktop app version and hardware identifier
  • API request logs, page visits, and feature usage

1.4 Payment Information

All payments are processed through Stripe, our third-party payment processor. We do not store your full credit card number, CVC, or billing address on our servers. Stripe provides us with a customer ID, payment method fingerprint, and transaction metadata. Stripe's use of your personal information is governed by their own Privacy Policy at stripe.com/privacy.

2. How We Use Your Information

We use the collected information for the following purposes:

  • To provide, maintain, and improve the Service
  • To authenticate your identity and manage your account
  • To process payments and manage subscriptions
  • To enforce our Terms of Service and prevent abuse (including multi-accounting detection)
  • To send service-related communications (account alerts, payment confirmations, subscription expiry notices)
  • To provide technical support and respond to inquiries
  • To comply with legal obligations and resolve disputes
  • To analyze usage patterns and improve features (using aggregated, anonymized data)

3. Data Storage & Security

Your account data is stored in an encrypted SQLite database on our secure servers in the European Union. External market pricing data used by the Service is cached in a MongoDB instance.

3.1 Security measures we apply

  • All passwords are hashed using bcrypt
  • JWT sessions are encrypted with a server-side secret
  • API endpoints are protected by origin/referer checks and API key authentication
  • Rate limiting on authentication and registration endpoints
  • Cloudflare Turnstile CAPTCHA on registration
  • Payment processing exclusively through Stripe (PCI DSS Level 1)
  • TLS encryption on all browser ↔ server connections

4. Data Retention

We retain your personal data for as long as your account is active or as needed to provide you with the Service. If you delete your account, we will remove your personal information within 30 days. We may retain anonymized, aggregated data for analytical purposes indefinitely.

Payment transaction records are retained for the period required by applicable tax and accounting regulations (typically 5–7 years).

5. Data Sharing & Third Parties

We do not sell your personal data. We share information only with the following processors, each bound by appropriate data-protection terms:

Processor | Purpose | Location
Stripe, Inc. | Payment processing, subscription management, fraud prevention | Ireland / United States (SCCs)
Cloudflare, Inc. | CDN, DDoS protection, Turnstile bot verification | United States (SCCs)
FingerprintJS, Inc. | Anti-fraud and multi-account abuse detection | United States (SCCs)
Hosting provider | Server infrastructure for the Web Panel and APIs | European Union (Germany)

We may also disclose your data to law enforcement or regulatory bodies if required by law, court order, or to protect our legal rights.

6. Cookies

Our Web Panel uses essential cookies only for session management (NextAuth JWT session cookie) and security (CSRF tokens). We do not use tracking cookies, advertising cookies, or third-party analytics cookies. See our Cookies Policy for full details.

7. Your Rights (GDPR & equivalents)

Depending on your jurisdiction, you have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data (“right to be forgotten”)
  • Restrict or object to processing of your data
  • Data portability — receiving your data in a structured, machine-readable format
  • Withdraw consent at any time (where processing is based on consent)
  • Lodge a complaint with your national data-protection authority

Exercising your rights

Email [email protected] from the address tied to your account and tell us what you need. We respond within 30 days, usually faster.

8. International Data Transfers

Our servers are located in the European Union (Germany). Some of our processors (Stripe, Cloudflare, FingerprintJS) operate in the United States. Where data leaves the EU/EEA, we rely on Standard Contractual Clauses approved by the European Commission.

9. Children's Privacy

The Service is not intended for individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that a child under 16 has provided us with personal data, we will delete it immediately.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a notice on our website. Continued use of the Service after changes constitutes acceptance of the updated policy.