Privacy Policy

Information we collect

When you sign in with Bungie. With your consent (Bungie OAuth), the app reads your Destiny 2 profile from the official Bungie.net API on a read-only basis: your characters, equipped gear, vault and inventory items, weapon/armor perks and power levels, triumph and seal records, account metrics, total play time, and your Bungie account creation date. To keep you signed in, your Bungie access and refresh tokens are stored in a secure, httpOnly session cookie in your browser. The app never sees or stores your Bungie / PSN / Xbox / Steam password.

The app only reads your Destiny data — it never equips, transfers, dismantles, modifies, or purchases anything.

Guardian lookups. When you look up another player by Bungie Name, the app queries only the information that player's privacy settings make public through Bungie's API.

Saved archives / showcases. If you save your collection (a feature that may be disabled during beta), a snapshot of the displayed items is stored on our server and made viewable at a public, shareable showcase URL.

Feedback. If you submit the feedback form, we store your message and any optional name you include.

Analytics. To understand usage, we store aggregate, non-identifying counts (page loads, sign-ins, lookups, etc.), a unique-visitor count via a cookie, and a count of unique visitor networks derived from IP addresses. IP addresses are hashed (salted SHA-256) before storage — we do not store raw IP addresses. We use no third-party trackers, advertising, or analytics SDKs.

Cookies we set: a session cookie (your Bungie tokens, httpOnly), a first-visit cookie (visitor counting), an OAuth state cookie (login security), and an operator cookie (to exclude the site owner's own visits from analytics). We do not use advertising cookies.

How we use this information

• To display your collection and build your stats, scoring, seals, and Loot Wrapped.
• To create public showcases when you choose to save one.
• To read and act on your feedback.
• To measure usage and improve the app.

We do not sell your information, show ads, or use it for marketing.

Who we share it with, and how

• Bungie, Inc. — your Destiny data comes from, and requests are sent to, the official Bungie.net API over HTTPS. Your use is also subject to Bungie's own privacy policy and terms.
• Hosting provider (Railway). — the app and its data are hosted on Railway's servers.
• Stripe. — if you make a voluntary donation, payment is handled entirely by Stripe's hosted checkout; we never receive or store your card details.
• The public. — if you save a showcase, that collection is published at a URL anyone with the link can view. We do not otherwise disclose your data to third parties.

How we protect your information

• Bungie tokens are stored in an httpOnly, Secure, SameSite cookie that JavaScript cannot read.
• API keys and secrets live only on the server, never in your browser.
• All traffic is served over HTTPS.
• IP addresses are hashed before storage; raw IPs are not kept.
• Access to your Destiny account is read-only.

No method of transmission or storage is 100% secure, but we take reasonable measures to protect your information.

Data retention and deletion

Session tokens are cleared when you sign out. To delete a saved showcase, your feedback, or any other data we hold, contact us via the in-app feedback form and we will remove it.

Children

The app is not directed to children under 13 and we do not knowingly collect their information.

Changes to this policy

We may update this policy; material changes will be reflected here with a new "last updated" date.

Contact

Questions or data requests: use the in-app Feedback form.