Privacy Policy

Last updated: February 2026

GameSentry ("we", "us", or "our") operates the game server management platform at gamesentry.gg. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our Platform. We are committed to transparency and compliance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Lei Geral de Proteção de Dados (LGPD), and other applicable data protection laws.

Data Controller

GameSentry is the data controller for personal data collected directly from Platform users (account holders). For player data collected from game servers, the Organization (server owner) is the data controller and GameSentry acts as a data processor on their behalf. Contact: [email protected]

Information We Collect

We collect different types of data depending on how you interact with our Platform:

Account Data

  • Steam ID, display name, and avatar (provided through Steam OpenID authentication)
  • Account preferences, language settings, and notification choices
  • Organization memberships and roles

Server Data (via RCON & SFTP)

  • Server configuration, performance metrics (FPS, entity count, memory), and status information
  • Chat messages and RCON command logs sent and received through the Platform
  • Server files accessed through SFTP for backup and configuration management

Player Data (from Game Servers)

  • Steam ID, display name, avatar, and public Steam profile information
  • IP addresses, encrypted with AES-256-GCM before storage
  • Connection timestamps, session duration, and ping
  • Game statistics (kills, deaths, resources) when available through server plugins
  • Steam account metadata: account age, game ownership, playtime hours, VAC ban status, Steam level
  • Name history across monitored servers

Payment Data

  • Billing information is processed exclusively by Stripe, Inc. We store only: subscription tier, payment status, transaction IDs, and invoice references. We never store your full credit card number.

Technical Data

  • Browser type, device information, and operating system
  • Pages visited, features used, and interaction patterns
  • Authentication tokens and session identifiers (stored in HttpOnly secure cookies)

How We Use Your Information

We use the information we collect for the following purposes:

  • To provide and maintain game server management services, including real-time monitoring, RCON command execution, player tracking, and automation
  • To detect and prevent abuse, including VPN/proxy detection, alt account identification, and VAC ban monitoring
  • To display server information in the public server browser for game discovery
  • To send notifications you have configured, including Discord webhooks and server status alerts
  • To process payments and manage subscriptions through Stripe
  • To improve and develop the Platform based on aggregated usage analytics

Server Owner & Organization Data

When an Organization provides RCON or SFTP credentials to GameSentry:

  • RCON Data: We maintain a persistent connection to your server and process all data accessible through that connection, including player connections, chat messages, game events, and administrative commands. This data is stored and made available to your Organization members based on their assigned permissions.
  • SFTP Data: We access server files only for the purposes you configure: backups, configuration management, and plugin deployment. File contents are encrypted in transit and at rest.
  • RCON and SFTP credentials are encrypted at rest using AES-256-GCM and are never exposed through our API or displayed in the user interface after initial configuration.

Player Data (Third-Party Data Subjects)

We collect data about players who connect to servers monitored by GameSentry. These players may not have a GameSentry account and have not directly consented to our data processing.

  • Legal Basis: Player data is processed under the legitimate interest of the Organization (server owner) for server administration, security, and abuse prevention. Organizations are the data controllers for this data.
  • Data Minimization: We only collect data that is necessary for server administration purposes. IP addresses are encrypted immediately upon collection.
  • Player Rights: Players can exercise their data protection rights by contacting the server Organization directly, or by emailing GameSentry at [email protected]. We will respond to valid requests within 30 days.
  • Steam profile data (public information) is cached temporarily and refreshed periodically. Expired data is automatically cleaned up.

Data Security

We implement robust security measures to protect your data:

  • All player IP addresses are encrypted using AES-256-GCM with random nonce and authentication tag before storage
  • RCON passwords and SFTP credentials are encrypted at rest and never exposed through the API
  • All data transmission uses TLS 1.3 encryption
  • JWT authentication with HttpOnly secure refresh cookies and RSA signing
  • SteamIDs and IP addresses are automatically redacted from production application logs
  • Role-based access control ensures Organization members only see data they are authorized to access

Data Sharing & Third Parties

We share data with the following categories of recipients:

  • Organization Members — Server data and player information is shared with Organization members based on their assigned role and permissions.
  • Cross-Organization Sharing — If enabled by the Organization, certain data (bans, player notes, name history) may be shared with other Organizations on the Platform. This is configurable and off by default.
  • Sub-Processors — We use carefully selected third-party services to provide our Platform, including services for payment processing, player authentication, security checks, geolocation, messaging integrations, and game metadata. All sub-processors are contractually bound to protect your data and comply with applicable privacy regulations.
  • Law Enforcement — We may disclose personal data if required by law, court order, or to protect the rights, property, or safety of GameSentry, our users, or others.

International Data Transfers

GameSentry operates servers in the European Union. When data is transferred outside the EU/EEA (e.g., to third-party services based in the United States), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or the service provider’s adequacy certification.

Data Retention

We retain data for the following periods:

  • Player session data: Based on Organization subscription tier — Free (24 hours), Starter (7 days), Pro (30 days), Enterprise (365 days)
  • Encrypted IP addresses: Same retention periods as session data
  • Steam profile data: Cached for 30 days, then refreshed or deleted for inactive players
  • Account data: Retained while your account is active. Deleted or anonymized within 30 days of account deletion.
  • Financial records: Retained for 7 years as required by tax and accounting regulations
  • Audit logs: Retained for 12 months, then anonymized

Cookies & Local Storage

We use minimal cookies for essential platform functionality:

  • Authentication refresh tokens are stored in HttpOnly secure cookies (essential, cannot be disabled)
  • Session state is stored in memory, not in localStorage, for security
  • Cookie consent preferences are stored in localStorage
  • We do not use third-party tracking cookies, advertising cookies, or analytics cookies. We do not use Google Analytics, Facebook Pixel, or similar tracking services.

Automated Decision-Making

GameSentry uses automated processing in the following areas. Under GDPR Article 22, you have the right to contest automated decisions:

  • VPN/Proxy Detection — IP addresses are checked against IPQualityScore databases. Server administrators configure the response: notify only (default), auto-kick, or auto-ban. All automated actions are logged in an audit trail.
  • Threat Assessment — Players are assigned a threat level based on VAC ban history, account age, and behavioral factors. This score is visible only to server administrators and does not automatically result in any action.
  • To contest an automated decision, contact the server administrator or email [email protected].

Your Rights

Depending on your jurisdiction, you have the following data protection rights:

GDPR Rights (EU/EEA)

  • Right of Access (Art. 15) — Request a copy of all personal data we hold about you. Use the "Export My Data" feature in account settings.
  • Right to Rectification (Art. 16) — Request correction of inaccurate data
  • Right to Erasure (Art. 17) — Request deletion of your personal data. Use "Delete Account" in account settings.
  • Right to Data Portability (Art. 20) — Receive your data in a machine-readable JSON format
  • Right to Object (Art. 21) — Object to processing based on legitimate interest
  • Right to Restrict Processing (Art. 18) — Request limitation of processing
  • Right to lodge a complaint with your local Data Protection Authority

CCPA Rights (California)

  • Right to Know — Request disclosure of data collected about you
  • Right to Delete — Request deletion of your personal information
  • Right to Non-Discrimination — We will not discriminate against you for exercising your rights
  • We do not sell personal information. We do not share personal information for cross-context behavioral advertising.

LGPD Rights (Brazil)

  • Confirmation of processing, access to data, correction of incomplete/inaccurate data, anonymization/blocking/deletion of unnecessary data, data portability, deletion of data processed with consent, information about shared data, and the right to revoke consent.

Children’s Privacy

GameSentry is not intended for use by individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe a child under 16 has provided personal data through our Platform, please contact us at [email protected] and we will promptly delete the data.

Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or applicable law. We will notify you of material changes via email, Discord, and in-app notification at least 30 days before they take effect. The "Last updated" date at the top of this page indicates when the Policy was last revised.