Privacy Policy

Last updated: April 6, 2026

GPM Bot (“we”, “us”) is a service that delivers automated Steam sales and wishlist reports to your Slack or Discord. This policy explains what data we collect, how we use it, and how we protect it.

What we collect

Account information

Your email address. We verify ownership via a one-time code (OTP) sent to that address — we do not store passwords.

Email consent timestamp

The moment you confirmed your email via OTP. This records explicit consent to receive product and transactional emails from GPM Bot, in line with our login disclaimer.

Steam API key

The Steamworks Partner API key you provide. It is encrypted at rest using AES-256-GCM and never logged or transmitted in plaintext.

Steam App IDs

The game IDs you configure for reporting.

Slack / Discord channel metadata

For each delivery channel you connect we store the incoming webhook URL (encrypted at rest with AES-256-GCM), the workspace or server identifier (Slack team ID / Discord guild ID), and the display name of the target channel (for example, #general). We do not read, access, or store the content of any Slack or Discord messages — GPM Bot is outbound-only and only POSTs your report messages.

Report preferences

Your preferred daily report time (UTC hour).

Operational logs

Report delivery status, errors, and job durations — retained to keep the service running and diagnose issues. Optionally, if enabled in a given deployment, anonymous error reports via Sentry and aggregate product metrics via PostHog.

What we do not collect

  • We do not collect payment card data.
  • We do not sell, rent, or share your data with third parties for marketing.
  • We do not store Steam financial data beyond what is needed to format and deliver your daily report.

How we use your data

  • To authenticate you and secure your account.
  • To fetch your Steam sales and wishlist data on your behalf and deliver the daily digest to your Slack or Discord.
  • To operate, debug, and improve the service.

Subprocessors

GPM Bot relies on the following third parties to operate. Each handles a specific slice of data and is governed by its own privacy policy.

Valve / Steam

We call the Steamworks Partner API using your key to fetch sales and wishlist data. Your use of that API is subject to Valve's terms.

Slack

Reports you opt to deliver to a Slack workspace are posted via an incoming webhook. Slack receives your report text and the workspace/channel identifiers you selected during install. Governed by Slack's privacy policy.

Discord

Reports you opt to deliver to a Discord server are posted via an incoming webhook. Discord receives your report text and the guild/channel identifiers you selected during install. Governed by Discord's privacy policy.

Resend

Used to send transactional email — OTP verification codes, daily reports to EMAIL delivery channels, and account notifications. Resend receives the recipient address and message contents. Governed by Resend's privacy policy.

Stripe

If you subscribe to a paid tier, Stripe handles the checkout and payment. Stripe receives your payment card details directly; GPM Bot never sees or stores card data. Governed by Stripe's privacy policy.

DigitalOcean

The VPS that hosts the application and the PostgreSQL database storing your encrypted credentials and report history. Data is stored in the region specified in our infrastructure.

Sentry (optional)

If enabled in a given deployment, Sentry receives anonymized error reports to help us fix bugs. No personal data is deliberately included in error events.

PostHog (optional)

If enabled in a given deployment, PostHog receives aggregate usage events (page views, feature usage) so we can prioritize improvements. These events are linked to a hashed user identifier, never to an email.

Data retention and deletion

Your data is retained for as long as your account is active. You can delete your account and all associated data at any time from Settings — encrypted keys and webhook URLs are removed immediately.

If you or a workspace admin uninstalls GPM Bot from a Slack workspace, Slack notifies us via an app_uninstalled event and we automatically delete every Slack delivery channel tied to that workspace from our database. The same cleanup runs when a Slack user revokes their access token. You do not need to take any action in GPM Bot for the data to be removed.

Security

All sensitive credentials (Steam API keys, webhook URLs) are encrypted at rest with AES-256-GCM. Connections to GPM Bot are served over HTTPS.

Your rights

You may request a copy of your data or ask us to delete it at any time by contacting us. If you are in the EU/EEA, you have additional rights under GDPR including the right to rectification and the right to lodge a complaint with your supervisory authority.

Contact

gpmbot@korova.games