Privacy
What sign-in actually grants us
Both providers use industry-standard sign-in flows where you authenticate on the provider's own page (we never see your password) and they tell us what we're allowed to do on your behalf. We deliberately request the smallest scope each provider offers.
- Steam (OpenID 2.0). Steam's flow doesn't have OAuth-style scopes. Signing in returns one piece of information: your 17-digit Steam ID. We use that ID, plus the operator's Steam Web API key, to read three publicly-available things from your profile: your persona name and avatar, your owned-games list (with total playtime), and your achievement progress per game. If your Steam profile or game-details page is set to private, we get nothing back — sign-in still works but the dashboard stays empty until you make those public. We never receive a Steam access token; there is nothing we could "post," "modify," or "delete" on your Steam account even in principle.
-
Xbox (Microsoft OAuth 2.0).
We request exactly two scopes:
XboxLive.signinandXboxLive.offline_access. The first lets us authenticate to Xbox Live as you, so we can call Xbox Live's read-only APIs for your gamertag + avatar, your title history (the games tied to your account, with last-played dates), and per-title playtime. The second issues a long-lived refresh token so syncs don't pop up a Microsoft sign-in window every time. We do not request any Microsoft Graph scope — that means no access to your email, calendar, OneDrive, contacts, or general Microsoft account profile. We can't post messages, change settings, send friend requests, or modify your account.
What we store
Out of what each provider gives us, we persist only what's needed to consolidate your library and recommend what to play next:
- Provider account identifiers. Your Steam ID (steamid64), Xbox ID (xuid), and the gamertag/persona shown on those services. Used to fetch your library and label rows in the dashboard.
- OAuth refresh token (Xbox only). The long-lived Microsoft refresh token described above, so periodic syncs don't require you to re-authenticate. Steam doesn't issue a token; we re-verify on each sign-in. Both are wiped when you delete your account or unlink the provider.
- Game library + per-game stats. For each linked account: the list of games you own, total play time (where the provider reports it), achievement progress, and last-played dates. Per-account, so two Steam alts produce distinct rows.
- Your explicit ratings. Like / Dislike marks and "don't recommend this" flags you set on the dashboard.
- Manually-added games. Names you entered yourself, deduplicated across users by a slug of the name (so two users adding "Hollow Knight" share one canonical Game row in the leaderboard).
What we don't store
- Your Steam or Microsoft password. Sign-in goes through the provider's own page; we never see it.
- Steam Web API or Microsoft API keys belonging to anyone but the
server operator (in
.env). - Friends lists, chats, screenshots, or any other content beyond the game-library scope above.
Where it goes
All data lives in a database on the server hosting this app. The aggregate leaderboard shows totals across all users (likes / dislikes / play time / achievements) but never reveals which user contributed what. Cohort recommendations use other users' data to inform yours, but the dashboard never displays another user's identity.