Privacy Policy

This policy explains what data OPSMG (the "Service") collects, how we use it, and the choices you have. It applies to the OPSMG website and accounts.

• Account data: email address, username, and a securely hashed (bcrypt) password; or, if you sign in with Google, your Google account ID and email.
• IP addresses: collected at signup, for each login session, and on each trade, and retained to detect and prevent multi-account abuse and market manipulation.
• Gameplay data:trades, holdings, bets, balances, achievements, cosmetics, leaderboard ranks, and season "wrapped" statistics.
• Optional profile: an avatar image you upload, and a featured title.
• Analytics & monitoring: usage analytics (Umami) and error/performance monitoring (Sentry). Sentry may record a sample of sessions (session replay), including sessions that hit an error, to help us debug.

We use strictly-necessary cookies for authentication (the session cookie), signup and OAuth flow state, your selected market, and UI/theme preferences, plus local storage for things like rules acceptance. Analytics/monitoring tools may set their own identifiers. Essential cookies are required for the Service to function.

To authenticate you and run your account; to operate the game economy; to prevent fraud, alternate accounts, and manipulation; to send verification and password-reset emails; to understand usage and debug problems; and to communicate service changes.

We process data to perform our contract with you (providing the Service), for our legitimate interests (preventing fraud/abuse via IP and device signals, and analytics), with your consent where required, and to comply with legal obligations.

We share data only with providers that help us run the Service:

• Google — sign-in (OAuth)
• Resend — transactional email (verification, password reset)
• Sentry — error monitoring and session replay
• Umami — privacy-friendly usage analytics
• Buy Me a Coffee — donations (payment handled entirely by them)
• Cloudflare & Hetzner — hosting, CDN, and edge services

Donation payments are processed by Buy Me a Coffee. We do not collect or store your payment-card details; we may receive a donor display name/email from them to assign the Supporter title.

IP, session, and trade logs are kept for fraud prevention for 24 months. Trade and holding history is retained (in anonymized form after account deletion) to preserve market integrity. Sessions and tokens are deleted on logout or expiry.

Depending on your location, you may have the right to access, correct, delete, port, restrict, or object to the processing of your personal data, and (under the CCPA) to know what we collect and to deletion. We do not sell personal information. To exercise these rights, use the in-app account deletion or contact us at [email protected].

You can delete your account from Settings. Deletion anonymizes your email, username, password, IP addresses, two-factor data, and linked Google identity, and removes your sessions, tokens, and watchlist. Your trade and holding history is preserved in anonymized form for market integrity.

The Service is not directed to children under 13, and we do not knowingly collect their personal data. If you believe a child has provided us data, contact us and we will remove it.

We protect data with bcrypt password hashing, httpOnly session cookies, and encrypted pending-signup/OAuth tokens, among other measures. No system is perfectly secure, but we work to safeguard your information.

The Service is hosted in the United States. If you access it from outside the US, your data will be transferred to and processed in the US under appropriate safeguards.

We may update this policy from time to time. Material changes will be announced in-app or via our Discord, and the "Last updated" date above will change.

For privacy questions or to exercise your rights, contact us at [email protected] or via our community Discord.