Privacy Policy

Last updated: February 1, 2026


1. Introduction

Welcome to MilkyWay Market. This Privacy Policy explains how we collect, use, store, and protect your information when you use our service at milkyway.market.

Data Controller: Matheus Costa, individual operator, based in Brazil.

Contact: mathewcst@c3d.gg

MilkyWay Market is a community project providing real-time market tracking for Milky Way Idle. We're not a corporation—just one person building something useful for the community. That said, we take your privacy seriously and comply with applicable data protection laws, including Brazil's LGPD and the EU's GDPR.

Important: All infrastructure and third-party services are hosted in the United States. By using this service, your data is processed and stored in the US regardless of your location.


2. Data We Collect

a) Account Information (via Discord OAuth)

When you choose to log in, we collect:

  • Discord username
  • Email address
  • Avatar URL
  • Discord ID

Legal basis: Consent (you choose to log in) and legitimate interest (account management).

b) Session Data (automatically for authenticated users)

For security and abuse prevention, we store in our database:

  • IP address — stored per session
  • User agent string — stored per session
  • Session tokens and expiry timestamps

Legal basis: Legitimate interest (security, abuse prevention).

c) OAuth Tokens

  • Discord OAuth tokens stored in our database for authentication
  • Tokens are secured and used only for authentication purposes
  • Tokens expire and refresh automatically per OAuth standards

d) Game Data (voluntarily synced)

If you actively sync your game data, we collect:

  • Character name, level, and ID
  • Inventory data
  • Skills and progression
  • Market preferences

This is game data, not personally identifiable on its own. When synced, it's linked to your user account and deleted via cascade when you delete your account.

Legal basis: Consent (you choose to sync).

e) Market Data (not personal data)

  • Collected from the game's public API at approximately 1-hour intervals
  • Contains no user-identifiable information
  • Stored as a proprietary historical dataset

This is aggregate game market data and is not considered personal data.

f) Client-Side Data (your device only)

Stored locally on your device:

  • Language preferences
  • Consent settings
  • UI preferences

This data is not transmitted to our servers unless you explicitly sync. Clear it via your browser settings.


3. Third-Party Services

We use the following third-party services:

Cloudflare

Proxies all traffic to our service. Cloudflare processes IP addresses and may set cookies (__cf_bm, cf_clearance) for bot detection and DDoS protection.

Cloudflare Privacy Policy

Umami

Privacy-focused analytics that runs without requiring consent.

  • No cookies used
  • No personal data collected
  • No cross-site tracking
  • All data is aggregated and anonymous
  • Legal basis: Exempt under ePrivacy Directive (cookieless) and GDPR (no personal data)

Umami Privacy Policy

Sentry

Error tracking for debugging and stability.

  • Captures: stack traces, error messages, browser/device info
  • By default: Does NOT collect user identity
  • Optional: You can enable enhanced tracking in Privacy Settings (shield icon, bottom-right) to help us debug issues faster
  • Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) - essential for service operation and security

Sentry Privacy Policy

NitroAds / NitroPay

Advertisement delivery to keep the service free.

NitroPay includes an IAB-registered Consent Management Platform (CMP ID 242) that:

  • Automatically shows a consent banner to EU users
  • Complies with TCF 2.2 (Transparency and Consent Framework)
  • Does not appear for non-EU users

NitroAds:

  • Sets third-party cookies and tracking pixels
  • Collects device info, IP address, browsing behavior, and ad interactions

EU residents: NitroPay shows a consent banner automatically. Click the privacy button (shield icon, bottom-right) to manage preferences anytime.

California residents: Click the privacy button → "Do Not Sell My Personal Information"

You can also manage ad preferences via browser settings or industry opt-out tools like YourAdChoices or NAI Opt-Out.

NitroPay Privacy Policy

Discord

OAuth provider for authentication. When you log in, Discord shares your username, email, avatar, and ID per the OAuth consent flow.

Discord Privacy Policy


4. Cookies & Storage Summary

TypeSourcePurposeConsent Required?
Auth tokensOur siteSession managementNo (essential)
PreferenceslocalStorageUI settingsNo (functional)
Bot protectionCloudflareSecurity, DDoS protectionNo (essential)
AdvertisingNitroAdsAd delivery/targetingYes (EU only)
AnalyticsUmamiUsage statisticsNo (cookieless)

Note: Umami uses no cookies. Sentry captures errors without cookies or PII.


5. How We Use Your Data

We use your data to:

  • Provide and maintain the service
  • Authenticate and manage your account
  • Detect and prevent abuse (using session IP and user agent)
  • Personalize your experience
  • Improve the service through analytics (with your consent)
  • Serve advertisements to keep the service free

We do NOT:

  • Sell your personal data
  • Profile you for automated decision-making
  • Use your data for purposes beyond what's described here

Ad targeting is handled entirely by NitroAds based on their own data collection.


6. Legal Basis for Processing (LGPD / GDPR)

We process your data under the following legal bases:

  • Consent: Account creation, game data sync, advertising (EU users)
  • Legitimate interest: Session security, abuse prevention, service operation
  • Legal obligation: Responding to lawful requests from authorities

This policy applies to users under both LGPD (Brazil) and GDPR (EU). We aim to meet the requirements of both frameworks.


7. Data Sharing & Third Parties

  • We share data with the third-party services listed above only as necessary to operate the service
  • We do not sell, rent, or trade your personal data
  • We may disclose information if required by law or to protect the service from abuse

8. Data Retention

Data TypeRetention Period
Account dataRetained while active; immediately and permanently deleted on account deletion (cascade delete)
Session dataRetained for session duration; cleaned periodically; deleted with account
Game/character dataDeleted when you unlink or delete your account
Client-side dataRemains on your device until you clear it
Analytics dataAggregated/anonymized per service policy; not linked to your identity
Error trackingPer Sentry retention (typically 90 days)
Market dataRetained indefinitely (proprietary dataset, not personal data)
Ad-related dataGoverned by NitroAds policies

9. Your Rights

Under LGPD and GDPR, you have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Delete your account and all associated data (self-service available, or contact us)
  • Data portability (export your data)
  • Withdraw consent (by deleting your account or adjusting settings)
  • Object to processing based on legitimate interest
  • Lodge a complaint with ANPD (Brazil's National Data Protection Authority) or your local data protection authority

To exercise your rights: Email mathewcst@c3d.gg

We will respond within 15 days as required by LGPD.


10. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights:

Right to Know

Request disclosure of personal information collected, sources, purposes, and third parties we share with.

Right to Delete

Delete your account via settings or contact us at mathewcst@c3d.gg.

Right to Opt-Out of Sale

We work with NitroPay for advertising. To opt out of the sale of personal information:

  • Click the privacy button (shield icon, bottom-right) → "Do Not Sell My Personal Information"
  • Use YourAdChoices
  • Use NAI Opt-Out

Non-Discrimination

We will not discriminate against you for exercising your CCPA rights.


11. Data Security

We implement reasonable security measures:

  • All connections encrypted via HTTPS (Cloudflare)
  • OAuth tokens stored securely
  • Session management with expiring tokens
  • Database hosted on Railway with standard security practices

However, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.

In case of a data breach: We will notify affected users and relevant authorities as required by law.


12. International Data Transfers

  • Operator location: Brazil
  • Infrastructure location: United States (all services)

Your data is processed and stored in the United States regardless of where you access the service from.

  • EU users: Transfers are covered by standard contractual clauses from our service providers
  • Brazilian users: We comply with LGPD international transfer requirements

By using this service, you acknowledge and consent to US data processing.


13. Children's Privacy

  • Authenticated features require age 13+ (Discord's minimum age, per COPPA)
  • We do not knowingly collect data from children under 13
  • If we learn we have collected data from a child under 13, we will delete it promptly

Anonymous browsing (without logging in) has no age restriction, as we don't collect personal data from anonymous users. However, third-party ads may set cookies.


14. Policy Updates

  • We may update this policy as the service evolves
  • Material changes will be communicated via the app or email (if we have your email)
  • Continued use after changes constitutes acceptance
  • Previous versions available upon request

15. Contact

Privacy questions, data requests, exercise your rights: mathewcst@c3d.gg

Game-related issues: Please contact Milky Way Idle directly—we are not affiliated with the game developers.


This Privacy Policy should be read alongside our Terms of Service.

Thank you for being part of the MilkyWay Market community.