Privacy Policy
Effective date: March 17, 2026
1. Overview
DupeScan ("the Service") is a community-driven tool for identifying duplicated Dota 2 items, operated from the European Union. This policy explains what data the Service collects, how it is used, and what controls you have.
The Service does not sell, rent, or share your personal data with advertisers or data brokers. The Service uses anonymous, cookie-free analytics to collect aggregate usage data (such as page views and general device information). No personal data is collected or stored by the analytics system, and no individual visitors are identified or tracked.
2. Who Operates This Service
DupeScan is an independent project run by a single individual established in a European Union member state.
Most data-related questions and requests are handled through the in-app feedback form, which is available once you are signed in with your Steam account. Where a written record is needed — for example, a formal request to exercise the rights described in Section 13 — the operator can also be reached by email: lageliyf.nacsepud
3. Nature of Data Collected
The Service is designed to collect as little personal data as possible. The data we do store is primarily functional — it exists to make the Service work, not to build profiles or track behavior.
In practical terms: Steam only shares public-facing identifiers with third-party applications — not private account details, email addresses, or credentials. What we receive and store are public Steam identifiers (Steam ID, display name, avatar) that are already visible on your Steam profile. We use these for display purposes (e.g. showing a name and profile picture next to a result) and to distinguish between users for features like voting and submissions.
The Service does not build advertising profiles or perform any form of automated decision-making about individual users.
4. Legal Basis for Processing (GDPR Art. 6)
Under the EU General Data Protection Regulation, we rely on the following legal bases for processing personal data:
| Processing Activity | Legal Basis | Explanation |
|---|---|---|
| Authentication (Steam login) | Contract / Consent | Necessary to provide the Service you requested by signing in |
| Inventory checks and caching | Legitimate interest | Core functionality of the Service — checking items for duplication. Data used is already public on Steam |
| Community submissions and votes | Legitimate interest | Community-driven verification is the purpose of the Service. Submitter identity is stored to prevent abuse |
| Abuse prevention (IP address) | Legitimate interest | Preventing abuse, enforcing rate limits, and supporting ban enforcement. The IP last associated with your account is retained for as long as the account exists |
| Feedback form | Consent | You actively choose to submit feedback. Steam name and profile URL are attached so the operator can follow up |
| Payment processing | Contract | Necessary to process the purchases you initiate (Seeing Stone, Credit Pack, Max Watchlist Slots, Max Batch Capacity). Payment data is handled by an external processor |
| Essential cookies | Legitimate interest | Strictly necessary for authentication — no consent required under ePrivacy Directive Art. 5(3) |
| Anonymous analytics | Legitimate interest | Aggregate, anonymous usage statistics to improve the Service. No personal data is collected |
5. Data We Collect
The data we collect depends on how you interact with the Service. Below is a breakdown by category.
5a. Authenticated users (Steam login)
When you sign in via Steam, the following is retrieved from the Steam API and stored in our database:
| Data | Source | Purpose |
|---|---|---|
| Steam ID | Steam OpenID | Unique account identifier |
| Display name | Steam API | Shown in UI and leaderboard (if opted in) |
| Avatar URL | Steam API | Profile picture display |
| Role | Derived internally | Determines access level and permissions |
| Contribution count | Derived internally | Track verified submissions for role promotion |
| Last seen timestamp | Generated on login | Record last login |
| Account entitlements and preferences | Derived internally | Plan tier, contribution level, search credit balance, add-on unlocks, display preferences, leaderboard opt-in. None of these are sensitive data — they exist solely to make the Service work for your account |
| IP address | Login request | Abuse prevention, rate-limit enforcement, and ban checks. Retained against the account for as long as the account exists, and removed on account deletion |
5b. Inventory checks
When an inventory is checked (by you or by another user checking a profile), the following is cached server-side:
| Data | Purpose |
|---|---|
| Steam ID of checked profile | Identify whose inventory was checked |
| Flagged items found (item identifiers, names, images) | Display results to users |
| Timestamp of check | Cache freshness (server cache refreshes periodically) |
5c. Community submissions and votes
| Data | Purpose |
|---|---|
| Submitted item identifiers | Community dupe database |
| Submitter identity (Steam ID) | Attribution and abuse prevention |
| Vote records (which submission, vote direction) | Community verification system |
5d. Anonymous visitors
| Data | Purpose | Stored |
|---|---|---|
| IP address | Rate limiting and abuse prevention for anonymous searches | In short-lived rate-limit counters that expire automatically at the end of each window |
5e. Payments
When you purchase any of the available products (Seeing Stone, Credit Pack, Max Watchlist Slots, Max Batch Capacity), the following is stored. No card numbers, wallet addresses, or KYC data ever touch the Service — the operator never sees the wallet you pay from, only the generic order metadata returned by the external processor (see Section 8).
| Data | Purpose |
|---|---|
| Steam ID | Link the purchase to your account |
| Product purchased (Seeing Stone, Credit Pack, Max Watchlist Slots, Max Batch Capacity) | Determine what to grant on success |
| Amount in USD | Accounting and refund handling |
| Processor order / invoice / payment IDs | Reconcile webhook callbacks and trace disputes |
| Payment status | Track whether the purchase completed, failed, or is pending |
| Timestamps | Audit trail for accounting and fraud prevention |
6. Cookies
The Service uses only essential cookies required for authentication. There are no advertising or tracking cookies. The analytics solution used by the Service is fully cookie-free.
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| Session token | Strictly necessary | Encrypted session — keeps you signed in | Session (cleared on browser close) |
| CSRF token | Strictly necessary | Protects against cross-site request forgery | Session |
| Callback URL | Strictly necessary | Stores redirect URL during Steam login flow | Session |
Because all cookies are strictly necessary for the Service to function, no cookie consent banner is required under the ePrivacy Directive. No optional cookies are set.
7. Browser Storage
The Service uses your browser's local storage to cache recent search results on your device. This data never leaves your browser and is not transmitted to our servers.
| What | Purpose | Expiry |
|---|---|---|
| Recent search results | Instant access to previous checks without re-fetching | 7 days (auto-pruned, max 50 entries) |
You can clear this data at any time via your browser settings (Clear site data).
8. Third-Party Services
The Service relies on the following third-party providers. No data is shared beyond what is described below.
| Service | Provider | Data Shared | Purpose |
|---|---|---|---|
| Steam Web API | Valve Corporation (USA) | Steam IDs | Fetch player profiles and inventory data |
| Web3Forms | Web3Forms (USA) | Feedback message, Steam display name, Steam profile URL | Forward feedback submissions to the operator via email |
| hCaptcha | Intuition Machines Inc. (USA) | Browser challenge data | Bot protection on the feedback form |
| NOWPayments | NOWPayments (USA) | Order ID, order description, amount, currency | Process cryptocurrency payments for the purchasable products (Seeing Stone, Credit Pack, Max Watchlist Slots, Max Batch Capacity) |
| Cloudflare | Cloudflare Inc. (USA / global) | All HTTP traffic, including IP addresses | CDN, DDoS protection |
hCaptcha has its own privacy policy at hcaptcha.com/privacy.
9. When We May Disclose Your Data
Beyond the third-party services listed above, we may disclose your data in the following limited circumstances:
- Legal obligations — in response to a valid legal request (court order, subpoena, or regulatory requirement) where disclosure is required by applicable law.
- Enforcing our Terms — if we believe your actions violate our Terms of Service, or to protect the rights, safety, or integrity of the Service and its users.
- Emergencies — if we believe in good faith that disclosure is necessary to prevent imminent serious harm to a person.
In all cases, disclosure is limited to the minimum data necessary.
10. International Data Transfers
Certain third-party services used by the Service are operated by companies based in the United States:
- Valve Corporation (Steam Web API) — processes Steam IDs to return public profile and inventory data.
- Web3Forms — receives feedback messages you choose to submit.
- Intuition Machines / hCaptcha — processes browser challenge data when you submit the feedback form.
- NOWPayments — processes cryptocurrency payments when you buy any of the purchasable products (Seeing Stone, Credit Pack, Max Watchlist Slots, Max Batch Capacity).
- Cloudflare — operates the network edge that all traffic to the Service passes through.
These transfers are necessary to provide the Service (GDPR Art. 49(1)(b)) and are limited to the minimum data required. Where applicable, these providers maintain their own data protection commitments.
11. Publicly Visible Data
The purpose of the Service is to help the Dota 2 trading community identify duplicated items. To achieve this, certain data is publicly accessible:
- Community submissions (item identifiers, status, confidence scores) are visible to all visitors.
- Recently flagged items, including the Steam ID of the current owner, are listed on the site.
- The history of which Steam IDs have held a particular flagged item is viewable.
- The contributor leaderboard is opt-in only — you are hidden by default and must explicitly choose to appear.
Steam profile information (display names, avatars) shown on the Service is fetched from the Steam API and is already publicly available on any Steam profile page. The Service does not make private Steam data public.
12. Data Retention
| Data | Retention Period | Reason |
|---|---|---|
| User account data | Until deletion requested via profile page | Required for role and contribution tracking. Deleted within 30 days of request |
| IP last associated with the account | Until account deletion | Used for abuse prevention and ban enforcement. Removed when the account is deleted |
| Check results | Indefinitely | Historical record of flagged items. Not deleted when account is removed |
| Community submissions | Indefinitely | Core database of the Service. Submitter identity is anonymized on account deletion, but item records are retained |
| Submission votes | Indefinitely | Verification integrity. Anonymized on account deletion |
| IP-based rate-limit counters | Temporary (auto-expiring) | Counters used to enforce per-window limits; expire automatically after each window and are never persisted to long-term storage |
| Session cookies | Browser session | Cleared when browser closes |
| Browser local storage cache | 7 days | Auto-pruned client-side |
| Feedback (via Web3Forms) | Per Web3Forms policy | Forwarded to email, not stored by the Service |
| Payment records | For the period required by applicable tax and accounting law (typically 6–10 years depending on the member state), then deleted | Statutory bookkeeping, refund handling, and fraud prevention |
| Operational logs | Up to 90 days | Debugging and abuse investigation. The operational log layer hashes any IP it touches with an irreversible short hash before writing — raw IPs in logs are avoided. The IP that lives against your account record (above) is a separate, disclosed retention |
| Bans (IP / Steam ID) | Indefinite by default; may be time-limited at admin discretion | Abuse prevention. Removed manually or on expiry |
You may request deletion of your account data at any time (see Section 13).
13. Your Rights
Under the GDPR and applicable data protection laws, you have the following rights regarding your personal data:
| Right | Description |
|---|---|
| Access | Request a copy of the personal data we hold about you. |
| Rectification | Request correction of inaccurate data. Note: display names and avatars are synced from Steam — update them on Steam and they will be reflected here. |
| Erasure | Request deletion of your account data via your profile page. Your user record and account access will be removed within 30 days. Item records you contributed to the database are anonymized but retained, as they are critical to the Service's functionality. |
| Restriction | Request that we limit how your data is processed while a concern is being resolved. |
| Data portability | Receive your data in a machine-readable structured format from your profile page. The export covers your account record, your submissions, your votes, and your purchase history. |
| Objection | Object to processing based on legitimate interest. We will cease processing unless we have compelling grounds. |
| Withdraw consent | Where processing is based on consent (e.g. feedback form), you may withdraw it at any time. This does not affect the lawfulness of prior processing. |
| Supervisory authority | Lodge a complaint with a data protection authority in the EU/EEA member state of your residence or place of work. |
To exercise any of these rights, sign in and use the in-app feedback form. The operator's email contact is also available in Section 2 if a written record is needed. We will respond within 30 days.
Controls available in the Service
- Delete account — request account deletion from your profile page. Processed within 30 days. You may cancel during this period by signing back in. After processing, re-registration with the same Steam account is permanently blocked.
- Sign out — ends your session and clears auth cookies.
- Leaderboard visibility — hidden by default. You must opt in to appear.
- Clear local data — clear your browser's site data to remove cached search history.
14. Data Security
Appropriate technical and organizational security measures are in place to protect the data the Service stores. Where the GDPR requires notification of a personal data breach, the operator follows the statutory obligations set out in Articles 33 and 34.
15. Children
The Service is not directed at children under 13 (or under 16 in jurisdictions where the GDPR age of digital consent is 16). We do not knowingly collect personal data from children. Access requires a Steam account, which itself requires users to meet Steam's minimum age requirements.
16. Changes to This Policy
This policy may be updated from time to time. Material changes will be noted at the top of this page with an updated effective date. Continued use of the Service after changes constitutes acceptance of the revised policy.
17. Contact
For privacy inquiries, data access requests, or to exercise any of your rights under the GDPR, sign in with your Steam account and use the in-app feedback form. If you specifically need a written record (for example, a formal data request from a representative), the operator can also be reached by email: lageliyf.nacsepud
We aim to respond to all requests within 30 days.