Gielinor Gains Privacy Policy

1. Introduction

Welcome to Gielinor Gains, a website for Old School RuneScape trading and market information. This Privacy Policy outlines how we collect, use, disclose, and protect your personal information when you access or use our website. By accessing or using Gielinor Gains, you agree to the terms of this Privacy Policy.

If you do not agree with any part of this Privacy Policy, you must not access or use our website.

2. Information We Collect

2.1. Information You Provide

  • Account Information: When you use our email authentication system, we collect your email address to create and manage your account.
  • Bookmark Data: When you use our bookmark feature, we store your bookmark selections and preferences, including the item IDs and timestamps of when items were bookmarked.
  • Login Attempt Records: To prevent abuse, we store a SHA-256 hash of your email when a sign-in request is made. This rate-limit key expires after one hour.

2.2. Information Collected Automatically

  • Session Data: We collect basic information about your browsing session to maintain your login state through secure cookies.
  • Browser Storage (UI): We use your browser's local storage for specific UI functionality, such as highlighting the sign-in button when needed.
  • IP Address (Rate Limiting): Your IP address is temporarily logged when accessing our API or sign-in routes to enforce rate limits and prevent abuse. Entries expire within minutes.
  • Anonymous Analytics Data: We utilize PostHog, a product analytics platform, to collect anonymous data about how users interact with our website (e.g., pages visited, features used, session duration). This helps us understand usage patterns and improve the site. PostHog does not track users across different websites or apps.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Authentication: To provide secure email-based authentication via magic links that expire after use.
  • Bookmark Functionality: To store and retrieve your bookmarked items (limited to 16 bookmarks per user).
  • Service Provision: To operate and maintain our website and services.
  • Security: To protect against unauthorized access and maintain data integrity.
  • Website Improvement: To analyze anonymous usage data collected via PostHog to understand user behavior, monitor performance, and enhance website features and user experience.

4. Cookies and Local Storage

Our site uses the following technologies:

  • Authentication Cookies: Essential cookies used by NextAuth.js to maintain your login session. These cookies last for 30 days unless you log out.
  • Local Storage (UI): We use your browser's local storage for UI state management, such as tracking when to highlight the sign-in button.
  • Browser Storage (Analytics): PostHog uses your browser's local storage or cookies to store anonymous identifiers (like a distinct user ID, session ID, device ID) and configuration details necessary for its analytics function on our site only.

You can configure your browser to refuse cookies or clear local storage. Refusing authentication cookies may limit your ability to log in. Clearing analytics storage may impact the accuracy of our usage statistics but should not affect core site functionality.

5. Information Storage

Your data is stored securely:

  • User Email & Bookmark Data: Stored in our Redis database (hosted by Upstash) located in the US/EU.
  • Analytics Data Storage: Anonymous analytics data is collected and stored by our service provider, PostHog, on their infrastructure (typically US or EU).

We rely on the security measures of our data storage providers (Upstash for account/bookmark data, PostHog for analytics data).

6. Data Retention

We retain your information as follows:

  • Account Data (Email) & Bookmark Data: Retained while your account is active or bookmarks are present. Authentication sessions expire after 30 days of inactivity.
  • Anonymous Analytics Data: Retained according to PostHog's policies or our configuration with them.
  • Invalid Data Cleanup: Our system automatically removes invalid bookmark data.
  • Rate Limit Logs: IP addresses and hashed emails used for rate limiting are stored for up to one hour before automatic deletion.

When you request account deletion, your personal information (email, bookmarks) will be permanently removed from our direct systems within 30 days. Anonymous analytics data is not linked to your personal information and may persist.

7. Email Usage

We send emails only for:

  • Authentication purposes (magic link sign-in)
  • Account-related notifications

These emails are sent via Resend. We do not send marketing emails or share your email address with third parties for marketing.

8. Disclosure of Your Information

We do not sell, rent, or trade your personal information. We may share information only in the following circumstances:

  • Service Providers: We use third-party services:
    • Upstash Redis: For secure data storage (email, bookmarks)
    • Resend: For sending authentication emails
    • NextAuth.js: For authentication management
    • PostHog: For product analytics (processes anonymous usage data)
  • Legal Requirements: If required by law or to protect our rights, privacy, safety, or property.

9. Security

We implement reasonable security measures:

  • Data validation and sanitization (Zod)
  • Password-less magic link authentication
  • JWT for session management
  • Automatic cleanup of invalid data

However, no method of transmission or storage is 100% secure. We also rely on the security practices of our service providers.

10. International Data Transfers

Your information (account data, analytics data) may be transferred to and processed in countries outside your country of residence (e.g., US/EU) by us or our service providers. By using our services, you acknowledge this transfer. We ensure appropriate safeguards are in place.

11. Your Rights and Choices

Regarding your personal information (email, bookmarks):

  • Access & Correction: You can access and manage your bookmarks when logged in.
  • Deletion: You can remove bookmarks, log out, or request account deletion via the contact form.
  • Analytics Control: You can clear cookies and local storage in your browser settings to remove analytics identifiers stored by PostHog for our site.

To exercise these rights or ask questions, please contact us.

12. Children's Privacy

Gielinor Gains is not intended for children under 13. We do not knowingly collect their data.

13. Data Breach Notification

In the event of a data breach compromising your personal information under our control, we will:

  • Notify affected users via email within 72 hours
  • Provide details about the breach and our response
  • Offer guidance on protection

For breaches affecting service providers, we rely on their notification processes.

14. Changes to This Privacy Policy

We may update this policy. Check the "Last Updated" date. Continued use implies acceptance.

15. Contact Us

Gielinor Gains is a solo project. For privacy matters, you can log out, clear your browser data, or use the form below.

Last Updated: June 10, 2025