Last updated: February 25, 2026
1. Introduction
We don't sell your data. Pinky promise. Actually, a legally binding one. This Privacy Policy explains how GAMOSY ("Gamosy," "we," "us," or "our") collects, uses, shares, and protects your personal data when you use our platform at www.gamosy.com (the "Platform").
This policy is written to comply with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and other applicable data protection laws. If legal documents were boss fights, this one is designed to be fair — no surprise mechanics, no hidden phases.
2. Who We Are (Data Controller)
The data controller responsible for your personal data is:
- Company: GAMOSY
- Country: Poland, European Union
- Privacy contact: privacy@gamosy.com
- General contact: info@gamosy.com
We do not currently have a Data Protection Officer (DPO). For all privacy-related inquiries, please contact us at privacy@gamosy.com.
3. What Data We Collect
Here's the full inventory — no hidden loot tables:
3.1 Account Data
When you create an account, we collect:
- Email address
- Display name
- Avatar (if provided or imported from OAuth)
- Account type (personal or team)
- Password (stored as a secure hash — we never see your actual password)
- Registration metadata (authentication provider used, registration timestamp, onboarding completion status)
3.2 OAuth Platform Data
When you connect third-party accounts (YouTube, Twitch, TikTok, Steam, Reddit), we collect:
- Platform username and profile URL
- Platform avatar
- Follower/subscriber count
- Total view count and content count
- Average views per content
- Content categories
- Platform-specific metadata (e.g., channel description, upload frequency, channel creation date) stored in a flexible format
- OAuth tokens (access token, refresh token) — for creator platform accounts (YouTube, Twitch), these are encrypted at rest using pgcrypto symmetric encryption with the key managed in Supabase Vault. For other integrations, tokens are protected by row-level security access controls.
We do not access your private messages, watch history, or any data beyond what is necessary for the Platform's features. We only ask for the minimum OAuth scopes required.
3.3 Developer Profile Data
If you register as a game developer, we additionally collect:
- Steam developer ID and username
- Publisher API key (optional, encrypted at rest using pgcrypto) — used for game ownership verification
- Verification status
3.4 Campaign & Key Data
When you create or participate in campaigns:
- Campaign details (title, description, requirements)
- Game keys (stored in KeyVault with row-level security restricting access to campaign owners and approved creators)
- Application details and status
- Content submission links
3.5 ReddMiner Data
If you use the ReddMiner feature, we additionally collect:
- Reddit account information (username, OAuth tokens, rate limit data)
- Monitored subreddits and keyword configurations you define
- Trend snapshots (Reddit post titles, scores, comment counts, velocity metrics — publicly available data)
- Keyword alerts (matched Reddit posts, subreddit names, match context)
- Scheduled post content (titles, body text, URLs, media files, scheduling preferences)
- Uploaded media files (stored in secure cloud storage for Reddit post publishing)
3.6 Billing Data
When you subscribe to a paid plan:
- Stripe customer ID
- Subscription plan and status
- Billing history (invoices, amounts)
We do not store your credit card number. All payment processing is handled by Stripe. We never see, store, or have access to your full card details. Stripe is PCI DSS Level 1 certified — the highest level of payment security.
3.7 Usage Data
We automatically collect:
- IP address
- Browser type and version
- Operating system
- Pages visited and time spent
- Referring URL
- Device information
3.8 Cookie Data
We use cookies and similar technologies as described in our Cookie Policy.
4. How We Collect Your Data
- Directly from you: When you create an account, fill out your profile, create campaigns, configure ReddMiner keywords, or contact us.
- From OAuth providers: When you connect your YouTube, Twitch, TikTok, Steam, or Reddit accounts, we receive data from those platforms via their APIs.
- Automatically: Through cookies, analytics tools, and server logs when you use the Platform.
5. Why We Process Your Data (Legal Basis)
Under GDPR, we need a legal basis for each type of processing. Here's the breakdown — think of it as a skill tree, but for legal compliance:
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Providing the Platform (account, campaigns, keys) | Performance of contract (Art. 6(1)(b)) |
| Processing payments via Stripe | Performance of contract (Art. 6(1)(b)) |
| Syncing OAuth platform metrics | Performance of contract (Art. 6(1)(b)) |
| ReddMiner features (trend tracking, keyword alerts, scheduled posts) | Performance of contract (Art. 6(1)(b)) |
| Calculating Campaign Completion Rate (CCR) | Legitimate interest (Art. 6(1)(f)) — trust & marketplace quality |
| Preventing fraud and key resale | Legitimate interest (Art. 6(1)(f)) — platform security |
| Analytics (PostHog) and error tracking (Sentry) | Legitimate interest (Art. 6(1)(f)) — service improvement |
| Sending transactional emails (key received, etc.) | Performance of contract (Art. 6(1)(b)) |
| Sending marketing emails | Consent (Art. 6(1)(a)) — you can opt out anytime |
| Complying with legal obligations (tax, accounting) | Legal obligation (Art. 6(1)(c)) |
6. Who We Share Your Data With
We share your data only with trusted service providers who need it to help us run the Platform. No selling. No shady data brokers. No loot box mechanics with your personal info.
| Service Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Database hosting, authentication | All account and platform data | EU (Frankfurt) |
| Vercel | Application hosting, CDN | IP address, usage data | Global (US primary) |
| Stripe | Payment processing | Billing data, email | US (EU-US DPF) |
| Resend | Transactional emails | Email address, name | US |
| PostHog | Product analytics | Usage data, anonymized events | EU |
| Sentry | Error monitoring | Error logs, IP address | US |
| YouTube API | Creator metrics sync | OAuth tokens (encrypted) | US |
| Twitch API | Creator metrics sync | OAuth tokens (encrypted) | US |
| TikTok API | Creator metrics sync | OAuth tokens | US |
| Steam API | Developer verification | Steam ID, publisher key | US |
| Reddit API | ReddMiner features | OAuth tokens, post content | US |
Public Marketplace Data: If you opt to be listed in the creator or developer marketplace, certain non-sensitive profile data (username, avatar, platform metrics, verification status) will be visible to other authenticated users of the Platform.
7. International Data Transfers
Our primary database (Supabase) is hosted in the EU (Frankfurt, Germany). However, some of our service providers are located outside the EU/EEA, primarily in the United States.
For transfers to the US, we rely on:
- EU-US Data Privacy Framework (DPF): For providers certified under the DPF (Stripe, Sentry).
- Standard Contractual Clauses (SCCs): For providers not certified under the DPF.
We ensure that all transfers provide an adequate level of data protection as required by GDPR Chapter V. You can request copies of the relevant safeguards by contacting privacy@gamosy.com.
8. Data Retention
We keep your data only as long as necessary. No hoarding — we're not digital pack rats:
| Data Category | Retention Period |
|---|---|
| Account data | Until account deletion + 30 days |
| OAuth tokens | Until platform disconnected or account deleted |
| Campaign data | 3 years after campaign ends (for analytics) |
| Game keys | 3 years after distribution (audit trail) |
| ReddMiner trend snapshots | 12 months (rolling window) |
| ReddMiner keyword alerts | 6 months |
| ReddMiner scheduled posts | Until account deletion |
| ReddMiner media files | Until post published or account deleted |
| Billing data | 7 years (Polish tax law requirement) |
| Usage/analytics data | 26 months (then anonymized) |
| Server logs | 90 days |
| Error logs (Sentry) | 90 days |
After retention periods expire, data is permanently deleted or irreversibly anonymized. When you delete your account, we remove your personal data within 30 days, except for data we are legally required to retain (e.g., billing records for tax compliance).
9. Your Rights (EU/EEA Residents)
Under GDPR, you have the following rights. Think of them as your inventory of data powers:
- Right of Access (Art. 15): Request a copy of all personal data we hold about you.
- Right to Rectification (Art. 16): Correct inaccurate or incomplete data.
- Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten"). Subject to legal retention requirements.
- Right to Restriction (Art. 18): Request that we limit processing of your data in certain circumstances.
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format (JSON or CSV).
- Right to Object (Art. 21): Object to processing based on legitimate interest (including profiling for CCR scoring).
- Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent (e.g., marketing emails), you can withdraw at any time.
To exercise any of these rights, email privacy@gamosy.com. We will respond within 30 days (extendable by 60 days for complex requests, with notification). No fee is required unless requests are manifestly unfounded or excessive.
10. Your Rights (California / US Residents)
Under the California Consumer Privacy Act (CCPA) as amended by the CPRA, California residents have additional rights:
- Right to Know: Request what personal information we collect, use, disclose, and sell.
- Right to Delete: Request deletion of your personal information.
- Right to Opt-Out of Sale: We do not sell your personal information. We do not share personal information for cross-context behavioral advertising.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
- Right to Correct: Request correction of inaccurate personal information.
To exercise these rights, email privacy@gamosy.com. We will verify your identity before processing your request.
Do Not Sell or Share My Personal Information: Gamosy does not sell your personal information and has not sold personal information in the preceding 12 months.
11. Children's Privacy
Gamosy is not directed at children. We do not knowingly collect personal data from:
- Children under 16 in the EU/EEA (GDPR Art. 8)
- Children under 13 in the United States (COPPA)
If we discover that we have collected personal data from a child below these ages without proper consent, we will delete that data promptly. If you believe a child has provided us with personal data, contact privacy@gamosy.com.
12. Automated Decision-Making & Profiling
Gamosy uses automated systems to calculate the Campaign Completion Rate (CCR) — a score (0-100) that tracks how reliably a creator fulfills their campaign commitments (e.g., publishing content within the agreed timeframe after receiving a game key).
How CCR works:
- CCR is calculated based on your campaign activity within Gamosy — specifically, how many campaigns you completed versus how many keys you received.
- CCR is visible to developers as a trust signal when reviewing campaign applications. It is not the sole basis for acceptance or rejection — developers make final decisions manually.
- CCR does not produce legal effects or similarly significant effects on you (GDPR Art. 22). It's a reliability indicator, not a verdict. Think of it as a reputation system — helpful context, but humans make the call.
You have the right to object to profiling under GDPR Art. 21. Contact privacy@gamosy.com to exercise this right.
13. Security
We take security seriously — like raid-night seriously. Technical and organizational measures we employ include:
- Encryption at rest: Sensitive data (OAuth tokens for creator platform accounts, publisher API keys) is encrypted using pgcrypto symmetric encryption, with the encryption key securely managed in Supabase Vault.
- Encryption in transit: All data transmitted between your browser and our servers is encrypted via TLS 1.2+.
- Row-Level Security (RLS): Database access is controlled at the row level — users can only access data they are authorized to see.
- Column-Level Security: For creator platform accounts and developer profiles, sensitive columns (OAuth tokens, encrypted API keys) are restricted at the database column level, preventing unauthorized access even for authenticated users.
- Secure authentication: Powered by Supabase Auth with support for email/password and OAuth providers.
- Regular updates: Dependencies and infrastructure are kept up to date to patch known vulnerabilities.
No system is 100% secure. If you discover a security vulnerability, please report it responsibly to info@gamosy.com. We appreciate the help — you're basically a white-hat in our dungeon.
14. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms:
- We will notify the relevant supervisory authority (UODO) within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
- If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, as required by GDPR Article 34.
- Notification will include the nature of the breach, likely consequences, and measures taken or proposed to address it.
15. Marketing Communications
We may send you marketing emails about new features, campaigns, or promotions — but only if you have opted in. You can opt out at any time by:
- Clicking the "unsubscribe" link in any marketing email.
- Updating your notification preferences in your account settings.
- Contacting privacy@gamosy.com.
We comply with CAN-SPAM (US), GDPR (EU), and applicable anti-spam laws. Transactional emails (account confirmations, key delivery notifications, security alerts) are not marketing and cannot be opted out of, as they are necessary for the service.
16. Complaints & Supervisory Authority
If you believe we have violated your data protection rights, you have the right to lodge a complaint with a supervisory authority.
Our lead supervisory authority is:
- UODO (Urząd Ochrony Danych Osobowych / Personal Data Protection Office)
- ul. Stawki 2, 00-193 Warsaw, Poland
- Website: https://uodo.gov.pl
EU consumers may also use the EU Online Dispute Resolution (ODR) platform: https://ec.europa.eu/consumers/odr
Of course, we'd appreciate it if you contacted us first at privacy@gamosy.com so we can try to resolve the issue directly. We promise to take every complaint seriously.
17. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Notify you via email or a prominent notice on the Platform at least 30 days before the changes take effect.
- Where required by law, obtain your consent for material changes to how we process your data.
We encourage you to review this policy periodically. Think of it as checking for patch notes — except for your privacy instead of game balance.
18. YouTube API Services — Additional Disclosure
Gamosy uses YouTube API Services. By connecting your YouTube account to Gamosy, you agree to be bound by the YouTube Terms of Service. In addition to our normal data handling procedures described in this Privacy Policy, your use of YouTube data is also governed by the Google Privacy Policy.
You can revoke Gamosy's access to your YouTube data at any time via the Google Security Settings page.
Achievement unlocked: "Privacy Policy Completionist." You now know more about how we handle data than most people know about their own phone settings. Questions? Reach out at privacy@gamosy.com.