PRIVACY POLICY

This Service is operated by Broken Loop, based in Germany. For privacy-related inquiries, please use our contact form.

This policy applies to all users of SkyAH and is written in accordance with the General Data Protection Regulation (GDPR, EU 2016/679).

We collect and store the following data when you register or use the Service:

— Display name — provided by your Google account, editable in Settings

— Email address — provided by Google OAuth2, used only for account identification

— Avatar information — profile image data used for display purposes

— Contact messages — the subject and message you submit through the Contact page, linked to your account

— Flip tracker entries — tracker data you create, update, or delete while using the tracker feature

— Minecraft account data — if you choose to link your Minecraft account, we store your Minecraft UUID, username, and the date of linking. To resolve your username, we make a single request to the Mojang API (api.mojang.com); Mojang's privacy policy applies to that request. Your linked UUID is used to query publicly available Hypixel auction sale records stored in our database.

— Authentication/session token — stored in your browser's localStorage to maintain your session

— Browser-side preferences — such as deal alert settings and certain terminal filter preferences stored in your browser's localStorage, and your selected theme stored in a first-party cookie

We do not currently process payment data or use advertising trackers. We use two analytics tools: a self-hosted instance of Umami Analytics (cookieless, no personal data, data stays on our servers) and, with your consent, Google Analytics 4 (anonymised visitor statistics). Server and infrastructure components may process technical connection data such as IP addresses and request metadata as part of delivering, securing, and debugging the Service. We do not use this technical data for advertising profiles or cross-site tracking.

We process your data on the following legal bases:

— Art. 6(1)(a) — your explicit consent for Google Analytics

— Art. 6(1)(b) — processing is necessary to provide the Service you have requested (account, authentication)

— Art. 6(1)(f) — our legitimate interest in operating, securing, and improving the Service (including self-hosted, cookieless Umami analytics) and handling support inquiries

Your data is used exclusively to:

— Authenticate you and maintain your session

— Display your name and avatar within the Service

— Provide account features such as the flip tracker and account management

— Respond to contact messages you submit

— Operate, secure, and troubleshoot the Service

We do not sell, rent, or share your personal data with third parties for marketing purposes.

Google LLC — we use Google OAuth2 for authentication. When you sign in, Google transmits your profile information to us. With your consent, we also use Google Analytics 4 to collect anonymised visitor statistics (page views, session counts, traffic sources). IP anonymisation is enabled. Data is transmitted to Google's servers and Google's Privacy Policy applies. You can withdraw consent at any time via the cookie banner or by removing the cookie_consent key from your browser's localStorage.

Umami Analytics — we self-host Umami on our own server to collect anonymised visitor statistics. Umami is cookieless, collects no personal data, and all data stays on our own infrastructure. No consent is required and no data is shared with third parties.

We may also rely on technical infrastructure or hosting providers acting on our behalf to operate the Service. No advertising networks or cross-site tracking services are used on this platform.

Your account data is retained for as long as your account exists. Contact messages are retained for as long as needed to review, respond to, and document the request. Flip tracker data is retained until you delete it or your account is deleted.

You may delete your account at any time from the Account Settings page. When you do, we delete your user record together with linked flip tracker entries and linked contact messages from our application database, subject to any retention required by law.

As a user within the EU, you have the following rights:

— Access — request a copy of the personal data we hold about you

— Rectification — correct inaccurate data (display name editable in Settings)

— Erasure — delete your account and all associated data via Settings

— Restriction — request we restrict processing of your data

— Portability — receive your data in a structured, machine-readable format

— Objection — object to processing based on legitimate interest

To exercise any right, contact us using the contact options made available on the website. We normally respond within one month, subject to the time limits permitted by applicable law.

You also have the right to lodge a complaint with your national data protection authority (in Germany: the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit, BfDI).

SkyAH does not use tracking cookies. We use your browser's localStorage to store your authentication session token, deal alert preferences, and certain terminal filter settings. We use a first-party cookie to remember whether you selected dark mode or white mode.

Authentication/session data is sent to our backend when needed to authenticate requests. The theme cookie is sent with page requests so the site can render your selected theme. Browser-only alert and filter preferences generally remain on your device unless you actively submit related information to us.

If you accept analytics, your consent is stored in localStorage (key: cookie_consent). Google Analytics 4 is then loaded and may set its own cookies (e.g. _ga, _ga_*) for session tracking. You can withdraw consent at any time from the Settings page under "Analytics Consent".

Our self-hosted Umami analytics runs in parallel and is cookieless — it sets no cookies or persistent identifiers. No advertising cookies are set by this Service.

Some of our third-party services (Google OAuth2, Google Analytics 4) are operated by Google LLC, based in the United States. When you use Google sign-in or consent to Google Analytics, your data may be transferred to servers located outside the European Economic Area (EEA).

Google LLC is certified under the EU–U.S. Data Privacy Framework (DPF), which the European Commission has recognised as providing an adequate level of data protection (adequacy decision of 10 July 2023). This framework ensures that your data receives protection equivalent to EU standards when processed in the United States.

Where Google Analytics is used, data retention is set to 14 months for user-level data and event-level data, after which it is automatically deleted.

The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16 without verifiable parental consent, in accordance with GDPR Article 8. If you believe a child has provided us with personal data inappropriately, please contact us immediately using the available website contact method.

We may update this Privacy Policy from time to time. The effective date at the top of this page will reflect the latest revision. Where legally required, we will provide additional notice of material changes.