Privacy Policy
Last updated: February 1, 2026
1. Introduction
Welcome to MilkyWay Market. This Privacy Policy explains how we collect, use, store, and protect your information when you use our service at milkyway.market.
Data Controller: Matheus Costa, individual operator, based in Brazil.
Contact: mathewcst@c3d.gg
MilkyWay Market is a community project providing real-time market tracking for Milky Way Idle. We're not a corporation—just one person building something useful for the community. That said, we take your privacy seriously and comply with applicable data protection laws, including Brazil's LGPD and the EU's GDPR.
Important: All infrastructure and third-party services are hosted in the United States. By using this service, your data is processed and stored in the US regardless of your location.
2. Data We Collect
a) Account Information (via Discord OAuth)
When you choose to log in, we collect:
- Discord username
- Email address
- Avatar URL
- Discord ID
Legal basis: Consent (you choose to log in) and legitimate interest (account management).
b) Session Data (automatically for authenticated users)
For security and abuse prevention, we store in our database:
- IP address — stored per session
- User agent string — stored per session
- Session tokens and expiry timestamps
Legal basis: Legitimate interest (security, abuse prevention).
c) OAuth Tokens
- Discord OAuth tokens stored in our database for authentication
- Tokens are secured and used only for authentication purposes
- Tokens expire and refresh automatically per OAuth standards
d) Game Data (voluntarily synced)
If you actively sync your game data, we collect:
- Character name, level, and ID
- Inventory data
- Skills and progression
- Market preferences
This is game data, not personally identifiable on its own. When synced, it's linked to your user account and deleted via cascade when you delete your account.
Legal basis: Consent (you choose to sync).
e) Market Data (not personal data)
- Collected from the game's public API at approximately 1-hour intervals
- Contains no user-identifiable information
- Stored as a proprietary historical dataset
This is aggregate game market data and is not considered personal data.
f) Client-Side Data (your device only)
Stored locally on your device:
- Language preferences
- Consent settings
- UI preferences
This data is not transmitted to our servers unless you explicitly sync. Clear it via your browser settings.
3. Third-Party Services
We use the following third-party services:
Cloudflare
Proxies all traffic to our service. Cloudflare processes IP addresses and may set cookies (__cf_bm, cf_clearance) for bot detection and DDoS protection.
Umami
Privacy-focused analytics that runs without requiring consent.
- No cookies used
- No personal data collected
- No cross-site tracking
- All data is aggregated and anonymous
- Legal basis: Exempt under ePrivacy Directive (cookieless) and GDPR (no personal data)
Sentry
Error tracking for debugging and stability.
- Captures: stack traces, error messages, browser/device info
- By default: Does NOT collect user identity
- Optional: You can enable enhanced tracking in Privacy Settings (shield icon, bottom-right) to help us debug issues faster
- Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) - essential for service operation and security
NitroAds / NitroPay
Advertisement delivery to keep the service free.
NitroPay includes an IAB-registered Consent Management Platform (CMP ID 242) that:
- Automatically shows a consent banner to EU users
- Complies with TCF 2.2 (Transparency and Consent Framework)
- Does not appear for non-EU users
NitroAds:
- Sets third-party cookies and tracking pixels
- Collects device info, IP address, browsing behavior, and ad interactions
EU residents: NitroPay shows a consent banner automatically. Click the privacy button (shield icon, bottom-right) to manage preferences anytime.
California residents: Click the privacy button → "Do Not Sell My Personal Information"
You can also manage ad preferences via browser settings or industry opt-out tools like YourAdChoices or NAI Opt-Out.
Discord
OAuth provider for authentication. When you log in, Discord shares your username, email, avatar, and ID per the OAuth consent flow.
4. Cookies & Storage Summary
| Type | Source | Purpose | Consent Required? |
|---|---|---|---|
| Auth tokens | Our site | Session management | No (essential) |
| Preferences | localStorage | UI settings | No (functional) |
| Bot protection | Cloudflare | Security, DDoS protection | No (essential) |
| Advertising | NitroAds | Ad delivery/targeting | Yes (EU only) |
| Analytics | Umami | Usage statistics | No (cookieless) |
Note: Umami uses no cookies. Sentry captures errors without cookies or PII.
5. How We Use Your Data
We use your data to:
- Provide and maintain the service
- Authenticate and manage your account
- Detect and prevent abuse (using session IP and user agent)
- Personalize your experience
- Improve the service through analytics (with your consent)
- Serve advertisements to keep the service free
We do NOT:
- Sell your personal data
- Profile you for automated decision-making
- Use your data for purposes beyond what's described here
Ad targeting is handled entirely by NitroAds based on their own data collection.
6. Legal Basis for Processing (LGPD / GDPR)
We process your data under the following legal bases:
- Consent: Account creation, game data sync, advertising (EU users)
- Legitimate interest: Session security, abuse prevention, service operation
- Legal obligation: Responding to lawful requests from authorities
This policy applies to users under both LGPD (Brazil) and GDPR (EU). We aim to meet the requirements of both frameworks.
7. Data Sharing & Third Parties
- We share data with the third-party services listed above only as necessary to operate the service
- We do not sell, rent, or trade your personal data
- We may disclose information if required by law or to protect the service from abuse
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Retained while active; immediately and permanently deleted on account deletion (cascade delete) |
| Session data | Retained for session duration; cleaned periodically; deleted with account |
| Game/character data | Deleted when you unlink or delete your account |
| Client-side data | Remains on your device until you clear it |
| Analytics data | Aggregated/anonymized per service policy; not linked to your identity |
| Error tracking | Per Sentry retention (typically 90 days) |
| Market data | Retained indefinitely (proprietary dataset, not personal data) |
| Ad-related data | Governed by NitroAds policies |
9. Your Rights
Under LGPD and GDPR, you have the right to:
- Access your personal data
- Correct inaccurate data
- Delete your account and all associated data (self-service available, or contact us)
- Data portability (export your data)
- Withdraw consent (by deleting your account or adjusting settings)
- Object to processing based on legitimate interest
- Lodge a complaint with ANPD (Brazil's National Data Protection Authority) or your local data protection authority
To exercise your rights: Email mathewcst@c3d.gg
We will respond within 15 days as required by LGPD.
10. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights:
Right to Know
Request disclosure of personal information collected, sources, purposes, and third parties we share with.
Right to Delete
Delete your account via settings or contact us at mathewcst@c3d.gg.
Right to Opt-Out of Sale
We work with NitroPay for advertising. To opt out of the sale of personal information:
- Click the privacy button (shield icon, bottom-right) → "Do Not Sell My Personal Information"
- Use YourAdChoices
- Use NAI Opt-Out
Non-Discrimination
We will not discriminate against you for exercising your CCPA rights.
11. Data Security
We implement reasonable security measures:
- All connections encrypted via HTTPS (Cloudflare)
- OAuth tokens stored securely
- Session management with expiring tokens
- Database hosted on Railway with standard security practices
However, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.
In case of a data breach: We will notify affected users and relevant authorities as required by law.
12. International Data Transfers
- Operator location: Brazil
- Infrastructure location: United States (all services)
Your data is processed and stored in the United States regardless of where you access the service from.
- EU users: Transfers are covered by standard contractual clauses from our service providers
- Brazilian users: We comply with LGPD international transfer requirements
By using this service, you acknowledge and consent to US data processing.
13. Children's Privacy
- Authenticated features require age 13+ (Discord's minimum age, per COPPA)
- We do not knowingly collect data from children under 13
- If we learn we have collected data from a child under 13, we will delete it promptly
Anonymous browsing (without logging in) has no age restriction, as we don't collect personal data from anonymous users. However, third-party ads may set cookies.
14. Policy Updates
- We may update this policy as the service evolves
- Material changes will be communicated via the app or email (if we have your email)
- Continued use after changes constitutes acceptance
- Previous versions available upon request
15. Contact
Privacy questions, data requests, exercise your rights: mathewcst@c3d.gg
Game-related issues: Please contact Milky Way Idle directly—we are not affiliated with the game developers.
This Privacy Policy should be read alongside our Terms of Service.
Thank you for being part of the MilkyWay Market community.