Privacy Policy

Last updated: April 2026

Updated to add CSV upload telemetry disclosure

The short version: we store your itch.io profile and game stats so we can show them back to you. Your credentials and earnings are encrypted at rest. We do not sell your data, share it, or store anything about your buyers.

Encryption at rest

The following fields are encrypted using AES-256-GCM before being written to our database. Each value has its own random initialization vector. The encryption key is held by the application server and is not stored in the database. If the database were compromised without the server key, these fields would be unreadable.

  • Your itch.io OAuth token (stored on sign-in, used to fetch your profile)
  • Your itch.io API key (used for game data sync, encrypted on save)
  • All earnings and revenue figures (every game snapshot and CSV import row)

Stored in plaintext

These fields are stored unencrypted because we need them for display or support. We are being explicit about this so you know exactly what state your data is in.

  • Your itch.io username and avatar URL (shown in the dashboard nav and settings)
  • Your numeric itch.io user ID (used as a stable account identifier)
  • Game titles, view counts, download counts, purchase counts (these are public stats from your itch.io pages)
  • Your Stripe customer ID and subscription status (opaque reference IDs, not payment details)
  • Session cookie (lt_uid) (HTTP-only, HMAC-signed, 30-day expiry)

What we do not collect

  • Information about anyone who bought or downloaded your games. Zero.
  • Email addresses, payment card details, or anything Stripe does not explicitly share (subscription status only).
  • Browsing behavior, analytics events, or tracking pixels.
  • Anything from outside your itch.io account.

How we use it

Everything we collect is displayed back to you in your dashboard. We do not use your data for advertising, we do not sell it, and we do not share it with third parties except as strictly necessary to run the service (Stripe for billing, itch.io for data).

Third parties

Stripe - handles all subscription billing. When you subscribe, Stripe processes your payment and shares a customer ID and subscription status. We never see your card number. Stripe's privacy policy governs their handling of payment data.

itch.io - we pull your game data via their API using credentials you explicitly provide. We are not affiliated with itch.io.

Resend - we use Resend for all outbound email. This includes feedback submissions (your message and optional reply address) and any transactional email we send. Messages are transmitted to Resend's servers. We do not store feedback in our database.

Infrastructure - your data is stored in a self-hosted PostgreSQL database on our own hardware. We do not use third-party analytics or tracking services.

Data retention

Free tier game snapshots are deleted after 30 days of inactivity via an automated daily job. Pro tier snapshots are retained for as long as your account is active.

Data deletion

Delete your account from Settings and we delete everything immediately: your profile, game snapshots, uploaded CSV data, and credentials. Your Stripe subscription is also cancelled. We do not keep backups of deleted accounts.

Your rights

You can export or delete your data at any time. If you are in the EU or UK, you have rights under GDPR including access, rectification, and erasure. Reach out and we will sort it out promptly.

Changes to this policy

If we make meaningful changes to what we collect or how we store it, we will update the date at the top and add a change note. We will not silently expand what we collect or downgrade encryption without calling it out here.

CSV upload telemetry

CSV import is in beta. To diagnose failures, we collect the following data on each upload attempt. You can opt out in the upload modal - if you do, nothing below is recorded.

  • File extension (whether the uploaded file ends in .csv)
  • File size (bytes) (so we can correlate failures with large files)
  • Header validity (whether the first 3 lines look like comma-separated data)
  • Event and timestamp (validation_failed, upload_started, upload_completed, or upload_failed, with time)
  • Row count (on successful import, how many rows were processed)
  • Error detail (the error message returned by the server or browser on failure)
  • Browser user agent and platform (OS and browser version string from your browser)
  • IP address (captured server-side from the request; used only to correlate failure patterns)

This data is stored in our own database, is never shared, and is deleted when you delete your account. It is the only place in LootTable where we actively collect usage telemetry.

Children

We do not knowingly collect information from minors. For our purposes, we define "minor" as anyone under 16 years old. If you believe a minor has created an account, contact us and we will delete it promptly.

Contact

Questions or requests? Use the feedback form in the app or email us: