Introduction
This privacy notice explains how Kuribo Software ("we," "us," or "our") handles your information when you use vgstack, our video game library management service ("Services"). This applies when you:
- Use our website at vgstack.app
- Track your game collection, completion progress, and personal notes
- Use our API for programmatic access
- Contact us for support or feedback
If you have questions about this notice or your privacy, contact us at support@vgstack.app.
The Short Version
Here's what you need to know at a glance:
- What we collect: Your username, email, optional display name, preferences, and game library data (titles, status, ratings, notes).
- Edit history: We maintain a complete history of changes to your game library for your benefit.
- No sensitive data: We don't collect payment info, health data, or other sensitive categories.
- Third-party data: We fetch game metadata from IGDB and avatars from Gravatar. We don't buy data from brokers.
- No tracking cookies: Our analytics (Plausible) is privacy-friendly and cookie-free.
- Error monitoring: We use Sentry for production error tracking, which may capture request context.
- Security: Passwords are hashed with Argon2, and all connections use HTTPS.
- Your rights: You can access, correct, delete, or export your data depending on your location.
What We Collect
Account Information
When you create an account, we collect:
- Username (required) - Your unique identifier, shown on your public profile URL
- Email address (required) - For login, password recovery, and service notifications
- Display name (optional) - Shown on your profile instead of username
- Password - Stored using Argon2 hashing; we never see or store your actual password
User Preferences
We store your settings and preferences:
- Language preference - Your chosen display language
- Notification settings - Email preferences for queue updates
Gemini API Keys (Optional)
If you enable the chat assistant feature, you provide your own Google Gemini API key:
- Storage - Your API key is encrypted at rest using Fernet symmetric encryption
- Usage - The key is only used to send requests to Google's Gemini API on your behalf
- We never - Store your key in plaintext, share it with third parties, or use it for any purpose other than powering your chat assistant
- Deletion - You can remove your API key at any time from your settings
Your Game Library
The core of vgstack is your game collection. We store:
- Game titles and platforms (systems)
- Completion status (unbeaten, beaten, completed)
- Region (NA, PAL, Japan, etc.) and ownership details (owned, borrowed, subscription, etc.)
- Dates you obtained, beat, or completed games
- Whether you're currently playing each game
- Your ratings (1-5 stars) and personal notes
- Whether each game is public or private
- DLC/expansion relationships to base games
- Links to IGDB metadata for cover art
Edit History
We maintain a complete history of all changes to your game library entries. This allows you to see when games were added, modified, or marked as beaten/completed. Each historical record includes:
- The previous and new values of changed fields
- When the change was made
- Who made the change (you or an automated process)
This edit history is retained for as long as you have an account and is deleted when you delete your account.
Activity Stream
As you use vgstack, we record your actions to power your activity feed:
- Adding games to your library
- Marking games as beaten or completed
- Starting or stopping playing a game
- Updating game details (recorded privately)
- Removing games from your library
- Importing games from external sources
Some actions (like adding, beating, or completing games) appear on your public activity feed. Others (like updates) are recorded privately for your own reference.
Import History
When you import games from external services (like Backloggery), we store:
- When the import occurred
- The source of the import
- How many games were imported or skipped
- Mapping data linking imported games to their external IDs (to prevent duplicate imports)
Pending Actions Queue
When games are added via email forwarding or other automated sources, they're placed in a pending queue for your review before being added to your library. We store:
- The proposed game data (name, system, dates)
- The source of the action (Nintendo email, PlayStation email, etc.)
- Whether you confirmed or discarded the action
- Timestamps of when actions were queued and resolved
Email Forwarding (Optional)
You can optionally enable email-based game ingestion. This feature requires you to configure your own Gemini API key in Settings. When enabled, you receive a unique forwarding address (like yourtoken@vgstack.app). Forward purchase confirmation emails to this address, and we'll use Google's Gemini AI (via your API key) to extract game purchase information and add it to your pending actions queue for your confirmation.
For forwarded emails, we store:
- Full email content - Stored encrypted in AWS S3, automatically deleted after 30 days
- Email message IDs - To prevent processing the same email twice (kept indefinitely)
- Email subjects - For debugging purposes (kept indefinitely)
- Vendor identification - Nintendo, PlayStation, or unknown
- Games extracted count - How many games were found in each email
API Access (Optional)
If you create API keys for programmatic access, we store:
- Your API key name (you choose this)
- The hashed API key (we cannot see the actual key after creation)
- When the key was created
Session Data
To keep you logged in, we use session cookies that store:
- Your session identifier
- CSRF protection tokens
- Temporary state for multi-step operations
Aggregate Analytics
We use Plausible Analytics, which collects only aggregate data like page views and referrers. It uses no cookies and cannot identify you personally.
How We Use Your Information
We use your data to:
- Run your account - Authentication, password recovery, session management
- Provide the service - Store and display your game library, track progress, save your notes
- Maintain edit history - Allow you to see when and how your library changed over time
- Power your activity feed - Show your gaming milestones to yourself and (optionally) others
- Enhance your experience - Show your Gravatar avatar, display game cover art and metadata from IGDB
- Process email forwards - Extract game purchases from forwarded receipts
- Communicate with you - Respond to support requests, send critical service updates
- Improve vgstack - Understand aggregate usage patterns to make the service better
- Keep things secure - Detect abuse, debug errors, and protect the platform
We only process your data when we have a legitimate reason: your consent, our contractual obligations to you, our legitimate business interests, or legal requirements.
Third-Party Services
vgstack connects to these external services:
Gravatar (Avatars)
Your profile picture comes from Gravatar. We send an MD5 hash of your email (not the email itself) to fetch your avatar. Automattic Privacy Policy
IGDB (Game Data)
Game covers, descriptions, and metadata come from IGDB, operated by Twitch. When you add games or we search for cover art, we query their database using game titles. We cache approved game metadata locally to reduce external requests. Twitch Privacy Notice
GitHub (Optional Login)
You can sign in with GitHub instead of email/password. If you do, we receive your GitHub user ID and email address. GitHub Privacy Statement
Plausible (Analytics)
We use Plausible for privacy-respecting analytics. It doesn't use cookies, doesn't track individuals, and is GDPR/CCPA compliant. We only see aggregate numbers like page views and referrers. Plausible Privacy Policy
Sentry (Error Monitoring)
In production, we use Sentry to track and fix errors. When an error occurs, Sentry may capture:
- The error message and stack trace
- Request URL and method
- Your user ID (not your personal details)
- Browser and device information
This data is retained for 90 days and is used solely for debugging. Sentry Privacy Policy
Amazon Web Services (Infrastructure)
Forwarded emails are stored in AWS S3, encrypted at rest using AES-256 encryption. AWS processes this data on our behalf under strict data processing agreements. Email content is automatically deleted after 30 days.
Google Gemini API (Optional Chat Feature)
If you provide your own API key to enable the chat assistant, your chat messages are processed by Google's Gemini API. We send your message content and game library context to generate responses. Your API key is stored encrypted and only used to authenticate requests on your behalf. Gemini API Terms of Service
Data Retention
We keep your data as long as you have an account. Here are the specifics:
- Account data - Kept while active, plus a short grace period for recovery if you change your mind
- Game library - Kept while active; when you "delete" a game, it's marked as deleted but retained until you delete your account (this allows for potential recovery)
- Edit history - Complete history kept while active; deleted with your account
- Activity stream - Kept to power your activity feed; deleted with your account
- Import history - Kept indefinitely to prevent duplicate imports; deleted with your account
- Pending actions - Kept indefinitely for your records; deleted with your account
- Forwarded email content - Automatically deleted after 30 days
- Email message IDs and subjects - Kept indefinitely for deduplication; deleted with your account
- API keys - Kept until you revoke them or delete your account
- Error logs (Sentry) - Retained for 90 days
- Application logs - Retained for 30 days
You can delete your account at any time from your account settings. When you delete your account, we immediately and permanently delete your personal data. This includes your game library, edit history, activity stream, import records, pending actions, API keys, and email processing records. Account deletion is irreversible and cannot be undone. We may retain some anonymized or aggregate information if required by law.
Data Security
We implement appropriate technical and organizational security measures to protect your personal information, including:
- Passwords are hashed using Argon2, a modern and secure hashing algorithm
- API keys are hashed and cannot be retrieved after creation
- All data transmission uses HTTPS encryption
- Forwarded emails are encrypted at rest in AWS S3
- Access to personal data is restricted to authorized personnel only
- Regular security reviews and updates of our systems
- CSRF protection on all forms
However, no method of transmission over the Internet or electronic storage is completely secure. While we strive to protect your personal information, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and API keys.
Minors
Our Services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from anyone under 18. By using our Services, you represent that you are at least 18 years old.
If we become aware that we have collected personal information from someone under 18, we will take steps to delete that information promptly. If you believe we have collected information from a minor, please contact us at support@vgstack.app.
Your Privacy Rights
Depending on your location, you may have certain rights regarding your personal information:
General Rights
- Access - Request a copy of the personal information we hold about you
- Correction - Request correction of inaccurate personal information
- Deletion - Request deletion of your personal information
- Export - Request a portable copy of your data (available as CSV or JSON export in your settings)
European Economic Area, UK, and Switzerland (GDPR)
If you are located in the EEA, UK, or Switzerland, you have additional rights including the right to object to processing, restrict processing, and lodge a complaint with your local data protection authority.
California Residents (CCPA)
California residents have the right to know what personal information is collected, request deletion, and opt out of the sale of personal information. We do not sell personal information.
Exercising Your Rights
You can exercise most of these rights through your account settings:
- Export your data using the CSV or JSON export feature
- Update your profile information directly
- Delete your account (which removes all associated data)
- Revoke API keys you no longer need
For additional requests, please contact us at support@vgstack.app. We will respond to your request within the timeframe required by applicable law.
Updates to This Notice
We may update this privacy notice from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. The updated version will be indicated by a revised "Last updated" date at the top of this notice.
If we make material changes, we may notify you by posting a prominent notice on our website or by sending you an email. We encourage you to review this privacy notice periodically to stay informed about how we protect your information.
Contact Information
If you have questions or comments about this privacy notice or wish to exercise your privacy rights, you may contact us at:
Kuribo Software
support@vgstack.app