Privacy Policy
This site is operated from Germany under the EU General Data Protection Regulation (GDPR / DSGVO). German law references in this document use the original article and section numbers; the GDPR articles are identical in every EU language.
1. Controller (Art. 4 No. 7 GDPR)
Jonathan Maria Kohlhas
Goethestraße 38A
64285 Darmstadt
Germany
Email: jonathan.kohlhas@gmail.com
2. Server logs
When you access this website the Apache web server automatically records the following data for technical purposes:
- IP address
- date and time of the request
- requested URL and HTTP method
- HTTP status code
- user-agent string
- referrer URL
The legal basis is Art. 6 (1) (f) GDPR (legitimate interest in the stability, security, and debugging of the site). Logs are automatically deleted by the system-wide log-rotation tool after 14 days.
3. Third-party processing
To deliver this service we use third-party providers on whose systems data is processed in accordance with that provider's own privacy policy. The data processed consists primarily of traffic data (see "Server logs" above). Other data may be stored on the provider's systems but the providers have no direct access to it. The legal basis for this processing is Art. 6 (1) (f) GDPR — our legitimate interest, weighed against your rights and freedoms, in the functional, stable, and secure operation of the website.
We use the following provider for this purpose:
- Hetzner Online GmbH, Industriestraße 25, 91719 Gunzenhausen, Germany (Data Processing Agreement)
4. Cookies
For anonymous visitors this site sets no cookies and uses no comparable tracking technologies.
If you choose to log in via itch.io (see § 5), one strictly- necessary session cookie is set. The cookie value is a high-entropy random string; only its SHA-256 hash is stored on our server, so a database leak alone does not allow forging the cookie. The cookie expires 30 days after your last activity (sliding window), with a hard cap of 90 days from the session's creation. Strictly necessary cookies under § 25 (2) Nr. 2 TTDSG do not require consent; we set this one only because the logged-in feature would not function without it.
Beyond the session cookie there is still no web analytics, no profiling, and no re-identification of individual users.
5. Login via itch.io (OAuth)
This site offers an opt-in login via your existing itch.io account, using the OAuth 2.0 authorization-code flow with PKCE. Login is not required to search; it enables the library- search feature described in § 6.
The OAuth flow requests the following scopes:
profile:me— to read your itch.io profile (username, display name, avatar URL, profile URL).profile:owned— to read the list of games you own on itch.io.
Before any of these scopes are requested, you see an interstitial consent screen on /auth/itch/login that names the scopes, the third-country transfer (§ 8), and the special-category surface (§ 6). Clicking "Continue to itch.io" is the moment your explicit consent under Art. 49 (1) (a) GDPR is recorded.
After itch.io issues us an access token, we fetch your profile once and store the following fields locally: your itch.io numeric user ID, username, display name, avatar URL, profile URL, first-login timestamp, and last-login timestamp.
The access token itself is stored encrypted (AES-256-GCM) with a key derived from your session cookie via HKDF-SHA256. The encrypted token in our database is therefore not usable without the live cookie — a database leak alone does not yield a token that can call itch.io as you.
Legal basis: Art. 6 (1) (b) GDPR — processing necessary for the performance of a service you requested by logging in.
Retention: the session row is deleted when you log out, when you delete your account, or when your account has been inactive for 12 months. We delete our local copy of the access token whenever the session is deleted. itch.io does not document a token-revocation endpoint we can call, so the token remains valid upstream until its natural expiry; you can revoke it manually from your itch.io API keys page.
6. Owned-games library
When you are logged in, we fetch the list of games you own from itch.io's API (via the profile:owned scope) and store it persistently in our database. The list is refreshed at most every thirty minutes. We persist this data between sessions rather than refetching each time for performance reasons: a cold fetch for a large library takes several seconds of upstream API calls, and persisting the result avoids paying that cost on every visit.
When you are logged in, we also automatically import the list of itch.io bundles your account owns from itch.io's API (the same profile:owned scope) and store it persistently against your account, together with the timestamp of import. It is refreshed alongside your owned-games list. The contents of each bundle are looked up from our own bundle catalog (a crawl of public itch.io bundle pages); we do not transmit any bundle data back to itch.io.
This data may, in combination, reveal information considered "special categories of personal data" under Art. 9 GDPR, such as political opinions, philosophical convictions, or sexual orientation. itch.io bundles often have themed or charitable framing — names like Bundle for Ukraine, Indie Bundle for Abortion Funds, TTRPGs for Trans Rights in Texas, or Queer Games Bundle. Ownership of a single bundle is not the same as a declaration of affiliation, but a stored record can on its face reveal such information.
Legal basis: Art. 6 (1) (b) GDPR for the processing in general, plus Art. 9 (2) (a) GDPR — explicit consent — for the special-category aspect. Your consent for the special-category aspect is captured at the moment you choose to log in, on a screen that names the categories of information the data may reveal — including that the bundles your account owns are imported automatically.
Versioned consent: when we materially update the consent terms, every logged-in user sees a persistent banner asking them to re-confirm at /auth/itch/consent. Library features are paused for that user until they renew or delete their account.
Retention: this data is deleted when you delete your account, when itch.io's API reports you no longer own a particular game (removed on the next refresh), or automatically when your account has been inactive for 12 months. The 12-month inactivity sweep runs once a day and removes the profile row, the session, the stored game library, and any bundle assertions in a single transaction. Withdrawing the Art. 9 (2) (a) consent is equivalent to deleting the account, because the library-search feature cannot function without the data.
7. Account-bound list features and UI preferences
When you are logged in, three additional categories of data are processed against your account so the corresponding features work across devices:
- UI preferences. If you change the colour theme, motion setting, or NSFW cover-blur setting from the topbar while logged in, the chosen value is stored against your account so the preference applies on every device where you are signed in. These are minimal, non-sensitive site preferences. The corresponding localStorage entries are kept in sync so anonymous tabs in the same browser pick up the value too.
- Curated-list ownership. When you publish a curated list while logged in (or "claim" an anonymously-published list whose edit URL you saved in this browser), the list is bound to your account. The ownership link is stored as a pseudonymous identifier (HMAC-SHA256 of your local account id under the server-side HMAC key, following the same pattern as the library tables described above) so a database dump on its own cannot attribute lists to itch.io accounts. The lists themselves remain publicly accessible at their
/lists/<slug>URLs and are not personal data of yours. - Curated-list follows. When you click "Follow" on a curated list while logged in, the slug is stored against the same pseudonymous identifier so the list appears in your "Following" sidebar across devices.
Legal basis: Art. 6 (1) (b) GDPR for the UI preferences (performance of the service you requested by toggling a setting while logged in); Art. 6 (1) (a) GDPR for list ownership and follows (consent, given at the point you claim, publish-while-logged-in, or follow a list).
Retention. UI preferences and follows are deleted together with your account. Curated lists you have published survive account deletion: they remain publicly accessible at their existing URLs, but the link to your itch.io account (the access-control role grant) is removed and any shareable edit URLs you minted for those lists are revoked at the same time. If you would rather your lists disappear with your account, delete them individually from "My lists" before deleting your account. The pre-deletion screen shows the count of lists you own and follow and links to the management page.
8. Transfer to a third country (USA)
itch.io is operated by Itchio Inc., 1023 Springdale Rd. Bldg 13 Ste F, Austin, Texas 78721, USA. Logging in and refreshing your library involve transmitting personal data to Itchio Inc.:
- The OAuth authorization step transmits your IP address and user-agent to itch.io as part of the redirect to their consent page.
- Each API call to fetch your profile or your owned-games list transmits your IP address and your access token to itch.io.
Legal basis for the third-country transfer: Art. 49 (1) (b) GDPR — the transfer is necessary for the performance of the service you have requested by clicking "Log in with itch.io" and by using the library-search feature. We do not transfer your data to Itchio Inc. for any other purpose. itch.io's privacy policy is available at itch.io/docs/legal/privacy-policy.
9. Browser local storage
The site stores small amounts of data in your browser's localStorage to provide certain UX features. This data never leaves your device and is not transmitted to our server, except in two cases described below where the value is also mirrored to your account when you are logged in.
theme,motion,nsfw— your manual UI preferences (light/dark mode, reduced motion, NSFW cover-blur reveal). When you are logged in, changes are also stored against your account (see section 7) so the preferences apply on every device.lists.owned— for any curated lists you have published from this browser, the slug and the edit token, so you see an "Edit this list" button on the public page without needing to keep the edit URL handy. The edit token is the only way to modify or delete a list and is intentionally not transmitted unless you click the button.lists.followed— slugs of curated lists you have followed, so they appear in the "Following" sidebar on the curated-lists page. When you log in for the first time after following lists anonymously, these are migrated to your account (see section 7) and the localStorage copy stops being authoritative.lists.claimsImportedandlists.followsImported— sentinel flags set after we have offered to bind your anonymously-published lists to your account / silently imported your anonymous follows. Used purely to avoid re-running the migration on every visit; cleared if you log out and follow new lists anonymously.lists.<slug>.seen— for each list you visit, the set of game URLs that were on the page during your previous visit. Used purely client-side to highlight items that are new to you.lists.<slug>.reported— a marker that you have submitted a report for a particular list, used to suppress the "Report" button on subsequent visits.indexing-banner-dismissed— a flag remembering that you have dismissed the "still indexing" banner.
You can clear all of this data at any time via your browser's "Clear site data" function (or by clearing localStorage for this domain).
10. Curated lists (user-generated content)
The site lets you publish saved searches as anonymous "curated lists". When you publish a list, the title, description, topic chips, and the underlying search query are stored in our database. No account, email address, or other identifying data is required; the list is associated only with a randomly generated edit token that is shown to you once and saved in your browser's localStorage. The legal basis is Art. 6 (1) (f) GDPR (legitimate interest in operating the publication feature).
If you click "Report this list" on a list view, a salted cryptographic hash of your IP address is stored in the list_reports table together with the slug of the reported list, an optional free-text reason, and the time of the report. Reports are deduplicated per (list, IP-hash) within a 24-hour window. The salt is rotated every 24 hours and is not retained; once rotated, no one — including us — can map an old hash back to the originating IP. The legal basis for this processing is Art. 6 (1) (f) GDPR (our legitimate interest in moderating user-generated content). Report rows are kept until manual review.
11. Embedded preview images
Game preview images are served directly by itch.io's image CDN img.itch.zone. Loading a search result therefore transmits your IP address to itch.io. The legal basis is Art. 6 (1) (f) GDPR (legitimate interest in showing preview images without local caching). itch.io's privacy policy is available at itch.io/docs/legal/privacy-policy.
12. JavaScript libraries
The site uses the HTMX JavaScript library for interactive search. The library is served directly from this server; no data is transmitted to any third-party CDN.
13. Origin of game information
The game titles, descriptions, tags, and preview-image URLs shown here are sourced from itch.io. They are fetched at regular intervals from itch.io's public RSS feeds and HTML pages and cached in a local database to make the search feature possible. Only publicly available content is processed; areas excluded by robots.txt are not fetched.
14. Your rights
You have the following data-subject rights under the GDPR:
- access to data about you that is stored (Art. 15 GDPR)
- rectification of inaccurate data (Art. 16 GDPR)
- erasure (Art. 17 GDPR)
- restriction of processing (Art. 18 GDPR)
- data portability (Art. 20 GDPR)
- objection (Art. 21 GDPR)
- withdrawal of consent (Art. 7 (3) GDPR), where processing is based on Art. 9 (2) (a) — see § 6
- complaint to a supervisory authority (Art. 77 GDPR)
If you have an itch.io login on this site, you can delete your account and all data associated with it at any time from your account page at /auth/itch/account. The deletion screen asks you to type DELETE to confirm before anything happens. Deletion is immediate: your session, the profile fields we mirrored from itch.io, your stored game library, and any bundle assertions are removed in a single operation. Withdrawing the Art. 9 (2) (a) consent described in § 6 is equivalent to deleting the account, because the library-search feature cannot function without the data.
Data export (Art. 15 / Art. 20). Logged-in users can download a JSON copy of all data associated with their account at /auth/itch/account/export — profile fields, owned-games list, bundle assertions, and last-refresh timestamp. The export excludes session rows because those are security material (encrypted access token, session-id hash) and not data about you in the Art. 15 sense.
List reports. The list_reports table (§ 10) is not linked to itch.io accounts: we deliberately do not store an IP column on the session table, so we have no way to correlate a report row with the account that submitted it. List-report IP retention is governed by § 10, independently of any account-delete action.
For other requests (rectification, restriction, objection), please send an informal email to the address listed under § 1.
15. Last updated
This privacy policy was last updated in May 2026 (added account-delete + data-export self-serve endpoints, versioned consent flow, login interstitial with named Art. 49 (1) (a) and Art. 9 (2) (a) consent moments, salted-and-rotated hashing of IP addresses in list reports, and the 12-month inactivity sweep).