subgoal.gg Privacy Policy

Effective date: 2025-12-01


Friendly Version

subgoal.gg is designed with privacy in mind, and aims to do right by our users.
We value your privacy and minimize data collection.

For more details, please read the full policy below.




Introduction

This Privacy Policy explains how subgoal.gg ("we", "us", "our") collects, uses, stores, and shares personal data when you use our service to create and manage Twitch subgoal trackers. We are committed to collecting only the minimum data needed to provide the service and to handling that data in accordance with applicable privacy laws.


Contents

  1. Data we collect

    This table maps each type of personal data we collect to why we collect it, typical retention, recipients, and short notes.

    | Data Field / Category | Purpose | Typical Retention | Recipients / Processors | Notes |
    |---|---|---|---|---|
    | Twitch user ID (numeric) | Authenticate user and associate subgoal data with an account | Until account deletion (plus short buffer, e.g., 30 days to allow recovery) | Internal databases, backup service; Twitch (as data source) | Stored as the primary immutable identifier; prefer this over email/username. |
    | Twitch display name | UI/display of account information | Until account deletion (plus short buffer, e.g., 30 days to allow recovery) | Internal services | May change over time (keep as stored snapshot for display). |
    | Email address (provided by Twitch) | Account notifications, password resets | Transactional: until account deletion | Email service provider | Provided by Twitch; Stored for account management and security purposes. |
    | Subgoal data (titles, targets, progress, timestamps, metadata) | Core service functionality -- store & present user-created subgoals | Until user deletes account or data | Internal databases, backup service | Considered primary user content; exports provided on request. |
    | OAuth tokens (Twitch access/refresh tokens) | Authenticate with Twitch and maintain session | Access tokens: short-lived; Refresh tokens: only if needed, revoked on logout/account deletion | Internal secure token store; Twitch | Stored encrypted; rotated/revoked when user disconnects. |
    | Session cookies / session identifiers | Maintain authenticated session in-browser | Session duration (browser session or configured expiry) | Internal session store | Use secure, httpOnly, sameSite cookies. |
    | Security logs (IP address, timestamp, request metadata) | Fraud/abuse detection, incident investigation, securing service | Short-term (e.g., 30 days) unless required longer for investigation | Internal security logs | Minimise fields stored, truncate/anonymise where possible. |
    | Analytics (unauthenticated visitors) | Not collected | N/A | N/A | We do not track unauthenticated visitors or use cross-site tracking. |
    | Stripe Customer ID | Link user account to Stripe payment records for Pro subscription management | Until account deletion or end of subscription | Internal databases; Stripe (payment processor) | Stored to manage subscription status; Stripe acts as separate data controller for payment data. |
    | Stripe Subscription ID | Track active subscription status and manage Pro features | Until account deletion or end of subscription | Internal databases; Stripe (payment processor) | Used to verify Pro status and handle subscription changes/cancellations. |
    | Subscription dates (start/end) | Track Pro subscription period and feature access | Until account deletion | Internal databases | Required for subscription management and compliance with financial record-keeping laws. |
    | Payment information (credit card, billing address) | Process subscription payments | Not stored by us -- handled entirely by Stripe | Stripe (PCI-compliant payment processor) | We do not store or process payment card data; Stripe handles all payment information securely. See Stripe's privacy policy. |
    | Aggregated / anonymised metrics | Service improvement (no personal identifiers) | Indefinite for aggregated non-identifying metrics | Internal only | Only non-identifying, cannot be reasonably re-linked to individuals. |

  2. Source of the data

    • Data primarily comes from you (entered into the app) or from Twitch when you sign in via Twitch OAuth.
    • Subscription and billing data is provided by Stripe when you subscribe to Pro features.

  3. How to request data export or deletion

    • In-app: authenticated users can request account export (JSON) or deletion via account settings (navigate to Account > Personal Data section).
    • By email: send a request to privacy@subgoal.gg from the email address associated with your account. We will ask you to complete a brief verification process, then we will confirm completion and provide exported file(s) or deletion confirmation.

  4. Security

    • We implement reasonable technical and organisational measures including:
      • HTTPS/TLS for all transport.
      • Secure storage of OAuth tokens and credentials.
      • Access controls and least-privilege for services.
      • Regular updates and vulnerability management.
      • Short log retention periods and monitoring.
    • No system is 100% secure; we continuously evaluate and improve security.

  5. Children

    • Our service is not intended for children under the age of 18. If we become aware that a child below the applicable age has created an account without parental consent, we will delete the account.
    • Twitch's own age controls and terms also apply; developers should be aware Twitch may provide restrictions.

  6. Automated decision-making and profiling

    • We do not perform automated decision-making or profiling that produces legal or similarly significant effects. If we introduce such features, they will be disclosed with opt-in consent and an explanation.

  7. Cookies and tracking

    • We do not collect data from unauthenticated visitors and do not deploy tracking for such visitors. Only standard, necessary session cookies (secure, same-site) are used for authenticated sessions.

  8. Changes to this policy

    • We may update this policy; material changes will be posted with an updated effective date and, where feasible, notified to users.

  9. Contact

    • For privacy inquiries or to exercise your rights: privacy@subgoal.gg

  10. Legal disclosures

    • We will disclose personal data to comply with legal obligations or lawful requests from public authorities where required.