Privacy Policy
Effective date: January 1, 2026 · Last updated: April 27, 2026 · Version 1.1 · GDPR Compliant
MetaBuff ("we", "us", "our") is committed to protecting your privacy. This policy explains what data we collect, why we collect it, how we use it, and your rights under the General Data Protection Regulation (GDPR) and other applicable privacy laws.
1. Data Controller
MetaBuff operates as an independent service. For GDPR purposes, the data controller is:
MetaBuff (sole-operator independent product)
Contact: hello@metabuff.dev
Data processing location: EU (Frankfurt, Germany) via Supabase
2. What Data We Collect
2.1 Account Data
| Data | Purpose | Legal Basis | Retention |
| --- | --- | --- | --- |
| Email address | Authentication (email login link) | Contract performance | Until account deletion |
| Display name (optional) | Dashboard personalization | Consent | Until account deletion |
| API key hash (SHA-256) | API authentication | Contract performance | Until account deletion |
| Subscription tier | Feature access control | Contract performance | Until account deletion |
2.2 Usage Data
| Data | Purpose | Legal Basis | Retention |
| --- | --- | --- | --- |
| API call count (per day) | Rate limiting | Contract performance | Reset daily, aggregated monthly |
| Anonymous session ID | In-tab UI state only — never sent to our servers as analytics | Strictly necessary | Session-only (tab close = gone) |
2.3 What We Do NOT Collect
- No persistent cookies (we use session-only browser storage that dies when you close the tab)
- No IP addresses stored (a coarse "IP hint" may be passed by the client during consent logging, but only if explicitly provided; we never resolve full IPs server-side)
- No device fingerprinting
- No third-party analytics or tracking pixels (no Google Analytics, no Facebook Pixel, no Plausible, no PostHog)
- No player/user data from any game platform
- No credit card data (handled entirely by Polar.sh)
3. Game Data
MetaBuff analyzes publicly available game market data (titles, prices, review counts, tags, genre information). This data is about products and markets, not about individual people. No personal data of game players is collected, stored, or processed.
4. How We Use Your Data
- Authentication: Your email is used solely to send you a login link. We never send unsolicited marketing email.
- Service delivery: Your tier and API usage are used to enforce rate limits and feature access.
- Transactional email: We may send essential service emails (login link, billing receipts forwarded by Polar, security notices, account deletion confirmations). These cannot be opted out of without closing the account.
- Marketing newsletter: Currently disabled. If we re-introduce a marketing newsletter in the future, it will be opt-in only with one-click unsubscribe.
5. Data Processors & Third Parties
| Service | Purpose | Location | Privacy / DPA |
| --- | --- | --- | --- |
| Supabase | Database, auth, hosting | EU (Frankfurt) | Privacy · DPA |
| Cloudflare | CDN, DNS, frontend hosting | Global (EU data routed via EU PoPs) | Privacy · DPA |
| Polar.sh | Payment processing (Merchant of Record) | US (with EU SCCs) | Privacy · DPA |
| Resend | Transactional email (login link, billing receipts) | US (with EU SCCs) | Privacy · DPA |
| GitHub | CI/CD pipeline (data scrapers, deletion cron) | US (with EU SCCs) | Privacy · DPA |
We do not sell, rent, or share your personal data with any other third parties.
6. Data Storage & Security
- All personal data is stored in Supabase's EU West (Frankfurt) region.
- Database access is protected by Row Level Security (RLS) — you can only read your own data.
- API keys are hashed with SHA-256 before storage. The raw key is never stored permanently.
- All connections use TLS 1.2+ encryption in transit.
- Consent events are logged in an append-only audit table for GDPR compliance.
7. Your Rights (GDPR)
Under the GDPR, you have the following rights:
- Right of Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Update your display name or email through Settings.
- Right to Erasure: Request account deletion from Settings → Danger Zone, or email hello@metabuff.dev. Your API access is revoked immediately upon request, and your data is permanently erased after a 30-day grace period (during which you may cancel the request).
- Right to Data Portability: Request your data in a machine-readable format (JSON) by emailing hello@metabuff.dev.
- Right to Restrict Processing: Contact us to limit how we use your data.
- Right to Object: Object to data processing based on legitimate interest (note: we currently rely primarily on contract performance, not legitimate interest).
- Right to Withdraw Consent: Where we rely on consent (e.g., display name), you may withdraw it at any time. This does not affect data processing prior to withdrawal.
To exercise any of these rights, email hello@metabuff.dev. We respond within 30 days.
8. Data Retention
- Account data: Retained until you delete your account (then erased after the 30-day grace period).
- API usage logs: Retained for 90 days, then automatically purged.
- Consent audit logs: Retained for the duration of the account, then erased alongside the account. We do not retain consent records for users who have been deleted.
- Hard-deletion audit trail: When an account is permanently deleted, we record only a one-way SHA-256 hash of the former email address and the deletion timestamp, for legal-defence purposes. This record contains no recoverable personal data.
9. Children's Privacy
MetaBuff is a B2B tool for game developers. We do not knowingly collect data from anyone under 16. If you believe we have data from a minor, contact us immediately.
10. International Transfers
Your personal data is stored in the EU. Some processors (Polar.sh, Resend, GitHub) operate in the US under Standard Contractual Clauses (SCCs) or equivalent adequacy mechanisms approved by the European Commission.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified via email to active users at least 14 days before taking effect. The "Last updated" date at the top will always reflect the most recent version.
12. Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local data protection authority. In Spain, this is the Agencia Española de Protección de Datos (AEPD) at aepd.es.
13. Contact
For any privacy-related questions or data requests:
Email: hello@metabuff.dev
Response time: Within 30 days
Operator information
MetaBuff is an independent product operated by a sole individual.
Contact: hello@metabuff.dev
Full operator identification is available on written request.