Skip to content
Gamosy
Sign Up

Privacy Policy

Our privacy policy and how we use your data

Last updated: April 17, 2026

1. Introduction

We don't sell your data. Pinky promise. Actually, a legally binding one. This Privacy Policy explains how GAMOSY ("Gamosy," "we," "us," or "our") collects, uses, shares, and protects your personal data when you use our platform at www.gamosy.com (the "Platform"), including our integrated tools and services such as Gamosy Social Publisher, Gamosy KeyVault, and Gamosy ReddMiner.

This policy is written to comply with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and other applicable data protection laws. If legal documents were boss fights, this one is designed to be fair — no surprise mechanics, no hidden phases.

2. Who We Are (Data Controller)

The data controller responsible for your personal data is:

We do not currently have a Data Protection Officer (DPO). For all privacy-related inquiries, please contact us at privacy@gamosy.com.

3. What Data We Collect

Here's the full inventory — no hidden loot tables:

3.1 Account Data

When you create an account, we collect:

  • Email address
  • Display name
  • Avatar (if provided or imported from OAuth)
  • Account type (personal or team)
  • Password (stored as a secure hash — we never see your actual password)
  • Registration metadata (authentication provider used, registration timestamp, onboarding completion status)

3.2 OAuth Platform Data

When you connect third-party accounts — including via Gamosy Social Publisher (X/Twitter, LinkedIn, Facebook, Instagram, Threads, Pinterest, TikTok, YouTube, Discord, Reddit, Bluesky, Telegram, Mastodon, Tumblr, WordPress, Slack, Microsoft Teams, VK, Weibo) and other integrations (Twitch, Steam) — we collect:

  • Platform username and profile URL
  • Platform avatar
  • Follower/subscriber count
  • Total view count and content count
  • Average views per content
  • Content categories
  • Platform-specific metadata (e.g., channel description, upload frequency, channel creation date) stored in a flexible format
  • OAuth tokens (access token, refresh token) — for creator platform accounts (YouTube, Twitch), these are encrypted at rest using pgcrypto symmetric encryption with the key managed in Supabase Vault. For other integrations, tokens are protected by row-level security access controls.

We do not access your private messages, watch history, or any data beyond what is necessary for the Platform's features. We only ask for the minimum OAuth scopes required.

3.3 Developer Profile Data

If you register as a game developer, we additionally collect:

  • Steam developer ID and username
  • Publisher API key (optional, encrypted at rest using pgcrypto) — used for game ownership verification
  • Verification status

3.4 Campaign & Key Data

When you create or participate in campaigns:

  • Campaign details (title, description, requirements)
  • Game keys (stored in KeyVault with row-level security restricting access to campaign owners and approved creators)
  • Application details and status
  • Content submission links

3.5 ReddMiner Data

If you use the ReddMiner feature, we additionally collect:

  • Reddit account information (username, OAuth tokens, rate limit data)
  • Monitored subreddits and keyword configurations you define
  • Trend snapshots (Reddit post titles, scores, comment counts, velocity metrics — publicly available data)
  • Keyword alerts (matched Reddit posts, subreddit names, match context)
  • Scheduled post content (titles, body text, URLs, media files, scheduling preferences)
  • Uploaded media files (stored in secure cloud storage for Reddit post publishing)

3.6 Billing Data

When you subscribe to a paid plan:

  • Stripe customer ID
  • Subscription plan and status
  • Billing history (invoices, amounts)

We do not store your credit card number. All payment processing is handled by Stripe. We never see, store, or have access to your full card details. Stripe is PCI DSS Level 1 certified — the highest level of payment security.

3.7 Usage Data

We automatically collect:

  • IP address
  • Browser type and version
  • Operating system
  • Pages visited and time spent
  • Referring URL
  • Device information

3.8 Cookie Data

We use cookies and similar technologies as described in our Cookie Policy.

4. How We Collect Your Data

  • Directly from you: When you create an account, fill out your profile, create campaigns, configure ReddMiner keywords, or contact us.
  • From OAuth providers and API integrations: When you connect your social accounts (including YouTube, Twitch, TikTok, Steam, Reddit, X/Twitter, LinkedIn, Facebook, Instagram, Threads, Pinterest, Bluesky, Discord, Telegram, Mastodon, Tumblr, Slack, Microsoft Teams, VK, Weibo, and WordPress), we receive data from those platforms via their APIs.
  • Automatically: Through cookies, analytics tools, and server logs when you use the Platform.

5. Why We Process Your Data (Legal Basis)

Under GDPR, we need a legal basis for each type of processing. Here's the breakdown — think of it as a skill tree, but for legal compliance:

PurposeLegal Basis (GDPR Art. 6)
Providing the Platform (account, campaigns, keys)Performance of contract (Art. 6(1)(b))
Processing payments via StripePerformance of contract (Art. 6(1)(b))
Syncing OAuth platform metricsPerformance of contract (Art. 6(1)(b))
ReddMiner features (trend tracking, keyword alerts, scheduled posts)Performance of contract (Art. 6(1)(b))
Calculating Campaign Completion Rate (CCR)Legitimate interest (Art. 6(1)(f)) — trust & marketplace quality
Preventing fraud and key resaleLegitimate interest (Art. 6(1)(f)) — platform security
Analytics (Google Analytics 4 on marketing pages, PostHog inside the authenticated app) and error tracking (Sentry)Legitimate interest (Art. 6(1)(f)) — service improvement
Sending transactional emails (key received, etc.)Performance of contract (Art. 6(1)(b))
Sending marketing emailsConsent (Art. 6(1)(a)) — you can opt out anytime
Complying with legal obligations (tax, accounting)Legal obligation (Art. 6(1)(c))

6. Who We Share Your Data With

We share your data only with trusted service providers who need it to help us run the Platform. No selling. No shady data brokers. No loot box mechanics with your personal info.

Service ProviderPurposeData SharedLocation
SupabaseDatabase hosting, authenticationAll account and platform dataEU (Frankfurt)
VercelApplication hosting, CDNIP address, usage dataGlobal (US primary)
StripePayment processingBilling data, emailUS (EU-US DPF)
ResendTransactional emailsEmail address, nameUS
PostHogProduct analytics (authenticated app, /home)Usage data, anonymized eventsEU
Google LLC (Google Analytics 4)Marketing analytics (public pages only)Anonymized IP, pseudonymous device ID, page views; no advertising signalsUS (EU-US DPF + SCCs)
SentryError monitoringError logs, IP addressUS
YouTube APICreator metrics syncOAuth tokens (encrypted)US
Twitch APICreator metrics syncOAuth tokens (encrypted)US
TikTok APICreator metrics syncOAuth tokensUS
Steam APIDeveloper verificationSteam ID, publisher keyUS
Reddit APIReddMiner featuresOAuth tokens, post contentUS

Public Marketplace Data: If you opt to be listed in the creator or developer marketplace, certain non-sensitive profile data (username, avatar, platform metrics, verification status) will be visible to other authenticated users of the Platform.

7. International Data Transfers

Our primary database (Supabase) is hosted in the EU (Frankfurt, Germany). However, some of our service providers are located outside the EU/EEA, primarily in the United States.

For transfers to the US, we rely on:

  • EU-US Data Privacy Framework (DPF): For providers certified under the DPF (Stripe, Sentry).
  • Standard Contractual Clauses (SCCs): For providers not certified under the DPF.

We ensure that all transfers provide an adequate level of data protection as required by GDPR Chapter V. You can request copies of the relevant safeguards by contacting privacy@gamosy.com.

8. Data Retention

We keep your data only as long as necessary. No hoarding — we're not digital pack rats:

Data CategoryRetention Period
Account dataUntil account deletion + 30 days
OAuth tokensUntil platform disconnected or account deleted
Campaign data3 years after campaign ends (for analytics)
Game keys3 years after distribution (audit trail)
ReddMiner trend snapshots12 months (rolling window)
ReddMiner keyword alerts6 months
ReddMiner scheduled postsUntil account deletion
ReddMiner media filesUntil post published or account deleted
Billing data7 years (Polish tax law requirement)
Usage/analytics data26 months (then anonymized)
Server logs90 days
Error logs (Sentry)90 days

After retention periods expire, data is permanently deleted or irreversibly anonymized. When you delete your account, we remove your personal data within 30 days, except for data we are legally required to retain (e.g., billing records for tax compliance).

9. Your Rights (EU/EEA Residents)

Under GDPR, you have the following rights. Think of them as your inventory of data powers:

  • Right of Access (Art. 15): Request a copy of all personal data we hold about you.
  • Right to Rectification (Art. 16): Correct inaccurate or incomplete data.
  • Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten"). Subject to legal retention requirements.
  • Right to Restriction (Art. 18): Request that we limit processing of your data in certain circumstances.
  • Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format (JSON or CSV).
  • Right to Object (Art. 21): Object to processing based on legitimate interest (including profiling for CCR scoring).
  • Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent (e.g., marketing emails), you can withdraw at any time.

To exercise any of these rights, email privacy@gamosy.com. We will respond within 30 days (extendable by 60 days for complex requests, with notification). No fee is required unless requests are manifestly unfounded or excessive.

10. Your Rights (California / US Residents)

Under the California Consumer Privacy Act (CCPA) as amended by the CPRA, California residents have additional rights:

  • Right to Know: Request what personal information we collect, use, disclose, and sell.
  • Right to Delete: Request deletion of your personal information.
  • Right to Opt-Out of Sale: We do not sell your personal information. We do not share personal information for cross-context behavioral advertising.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
  • Right to Correct: Request correction of inaccurate personal information.

To exercise these rights, email privacy@gamosy.com. We will verify your identity before processing your request.

Do Not Sell or Share My Personal Information: Gamosy does not sell your personal information and has not sold personal information in the preceding 12 months.

11. Children's Privacy

Gamosy is not directed at children. We do not knowingly collect personal data from:

  • Children under 16 in the EU/EEA (GDPR Art. 8)
  • Children under 13 in the United States (COPPA)

If we discover that we have collected personal data from a child below these ages without proper consent, we will delete that data promptly. If you believe a child has provided us with personal data, contact privacy@gamosy.com.

12. Automated Decision-Making & Profiling

Gamosy uses automated systems to calculate the Campaign Completion Rate (CCR) — a score (0-100) that tracks how reliably a creator fulfills their campaign commitments (e.g., publishing content within the agreed timeframe after receiving a game key).

How CCR works:

  • CCR is calculated based on your campaign activity within Gamosy — specifically, how many campaigns you completed versus how many keys you received.
  • CCR is visible to developers as a trust signal when reviewing campaign applications. It is not the sole basis for acceptance or rejection — developers make final decisions manually.
  • CCR does not produce legal effects or similarly significant effects on you (GDPR Art. 22). It's a reliability indicator, not a verdict. Think of it as a reputation system — helpful context, but humans make the call.

You have the right to object to profiling under GDPR Art. 21. Contact privacy@gamosy.com to exercise this right.

13. Security

We take security seriously — like raid-night seriously. Technical and organizational measures we employ include:

  • Encryption at rest: Sensitive data (OAuth tokens for creator platform accounts, publisher API keys) is encrypted using pgcrypto symmetric encryption, with the encryption key securely managed in Supabase Vault.
  • Encryption in transit: All data transmitted between your browser and our servers is encrypted via TLS 1.2+.
  • Row-Level Security (RLS): Database access is controlled at the row level — users can only access data they are authorized to see.
  • Column-Level Security: For creator platform accounts and developer profiles, sensitive columns (OAuth tokens, encrypted API keys) are restricted at the database column level, preventing unauthorized access even for authenticated users.
  • Secure authentication: Powered by Supabase Auth with support for email/password and OAuth providers.
  • Regular updates: Dependencies and infrastructure are kept up to date to patch known vulnerabilities.

No system is 100% secure. If you discover a security vulnerability, please report it responsibly to info@gamosy.com. We appreciate the help — you're basically a white-hat in our dungeon.

14. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms:

  • We will notify the relevant supervisory authority (UODO) within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
  • If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, as required by GDPR Article 34.
  • Notification will include the nature of the breach, likely consequences, and measures taken or proposed to address it.

15. Marketing Communications

We may send you marketing emails about new features, campaigns, or promotions — but only if you have opted in. You can opt out at any time by:

  • Clicking the "unsubscribe" link in any marketing email.
  • Updating your notification preferences in your account settings.
  • Contacting privacy@gamosy.com.

We comply with CAN-SPAM (US), GDPR (EU), and applicable anti-spam laws. Transactional emails (account confirmations, key delivery notifications, security alerts) are not marketing and cannot be opted out of, as they are necessary for the service.

16. Complaints & Supervisory Authority

If you believe we have violated your data protection rights, you have the right to lodge a complaint with a supervisory authority.

Our lead supervisory authority is:

  • UODO (Urząd Ochrony Danych Osobowych / Personal Data Protection Office)
  • ul. Stawki 2, 00-193 Warsaw, Poland
  • Website: https://uodo.gov.pl

EU consumers may also use the EU Online Dispute Resolution (ODR) platform: https://ec.europa.eu/consumers/odr

Of course, we'd appreciate it if you contacted us first at privacy@gamosy.com so we can try to resolve the issue directly. We promise to take every complaint seriously.

17. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page.
  • Notify you via email or a prominent notice on the Platform at least 30 days before the changes take effect.
  • Where required by law, obtain your consent for material changes to how we process your data.

We encourage you to review this policy periodically. Think of it as checking for patch notes — except for your privacy instead of game balance.

18. YouTube API Services — Additional Disclosure

Gamosy uses YouTube API Services. By connecting your YouTube account to Gamosy, you agree to be bound by the YouTube Terms of Service. In addition to our normal data handling procedures described in this Privacy Policy, your use of YouTube data is also governed by the Google Privacy Policy.

You can revoke Gamosy's access to your YouTube data at any time via the Google Security Settings page.

19. Gamosy Social Publisher — Additional Disclosure

Gamosy Social Publisher is an integrated feature of the Gamosy platform that allows game developers to create, schedule, and publish social media content across multiple platforms simultaneously. When using Gamosy Social Publisher, the following additional data practices apply:

19.1 BYOK (Bring Your Own Keys) Model

Gamosy Social Publisher uses a Bring Your Own Keys model. This means you provide your own API credentials (Client ID, Client Secret, API keys) from each social media platform. Gamosy stores these credentials securely in your account and uses them exclusively to publish content on your behalf. We do not share your API credentials with any third party.

19.2 Social Platform Connections

Gamosy Social Publisher supports connecting to: X (Twitter), LinkedIn, Facebook, Instagram, Threads, Pinterest, TikTok, YouTube, Discord, Reddit, Bluesky, Telegram, Mastodon, Tumblr, Slack, Microsoft Teams, VK, Weibo, and WordPress. When you connect a platform via OAuth or provide API credentials (BYOK model), we collect and store:

  • OAuth access tokens and refresh tokens
  • Platform user identity (username, user ID, profile picture)
  • Token expiration timestamps

We use these tokens solely to publish content you create or approve, refresh expired tokens, and display your connected account identity in the Gamosy dashboard. We do not read your private messages, browse your feed, or access data beyond the minimum OAuth scopes required for publishing.

19.3 AI Content Generation

Gamosy Social Publisher uses AI (Anthropic Claude) to generate social media post suggestions based on your game data and input. Your game information (name, genre, reviews, player counts) and any text you provide are sent to the AI service for content generation. We do not use your content to train AI models. Generated content is stored in your Gamosy account and is not shared with other users.

19.4 TikTok Content Posting API

When publishing to TikTok via Gamosy Social Publisher, we use TikTok's Content Posting API with the FILE_UPLOAD method. Video files are uploaded directly from our servers to TikTok on your behalf. We comply with TikTok's Terms of Service and TikTok's Privacy Policy. You can revoke Gamosy's access to your TikTok account at any time from TikTok's app settings.

19.5 Data Deletion

You can disconnect any social media platform from Gamosy Social Publisher at any time. Upon disconnection, we delete your stored OAuth tokens and platform credentials. Published posts remain on the respective social media platforms and must be deleted directly from those platforms.

Achievement unlocked: "Privacy Policy Completionist." You now know more about how we handle data than most people know about their own phone settings. Questions? Reach out at privacy@gamosy.com.