Privacy Policy — Pugs.GG

1

Who We Are

Pugs.GG is a multi-tenant Software-as-a-Service (SaaS) platform designed for Counter-Strike 2 (CS2) community management. It provides community operators ("Tenants") with tools to manage player rosters, competitive rankings, match series, pick/ban sessions, and more.

For the purposes of data protection law, Pugs.GG acts as the data controller for personal data processed through the platform. Individual Tenant communities may also act as data controllers for data they collect from their own members through the platform.

For questions about this policy or your data, contact us at: privacy@pugs.gg.

2

Data We Collect

We collect personal data in different ways depending on how you interact with our platform:

2.1 Account & Registration Data

Data	Purpose	Required?
Full name	Account identification and email personalisation	Required
Email address	Account login, transactional emails, notifications	Required
Username / nickname	Public profile identification within communities	Required
Password (hashed)	Authentication (stored using bcrypt — never in plaintext)	Required
Profile avatar / photo URL	Public profile display	Optional

2.2 Steam Account Data

If you choose to log in or link your account via Steam OpenID, we receive from Valve Corporation's Steam platform:

Steam ID (SteamID64 — a public numeric identifier)
Steam username / display name
Steam profile avatar URL

We do not receive your Steam password, payment details, or private Steam inventory data through this integration. Steam OpenID login is subject to Valve's Privacy Policy.

2.3 Gaming & Performance Data

For players participating in CS2 matches tracked on the platform, we collect gameplay statistics sent by MatchZy-integrated CS2 game servers, including:

Kill / Death / Assist (K/D/A) ratios per match
Headshot percentage (HS%)
Average Damage per Round (ADR)
Player rating scores
Win/loss records and match history
Round-level performance data

This data is used to build public player rankings and profiles within the platform. It may be visible to other members of your community.

2.4 Recruit Application Data

When you submit a recruitment application to a community on the platform, we collect:

Your nickname and email address
Your Steam profile ID
Your declared experience level
Application status and review metadata (reviewed by, reviewed at)

This data is accessible to the community's administrators and moderators for the purpose of evaluating your application.

2.5 Pick/Ban Session Data

When participating in map pick/ban draft sessions, we record all actions taken (map picks, map bans, team selections) along with participant identifiers and timestamps.

2.6 Technical & Usage Data

IP address and approximate geolocation (country/region)
Browser type and version
Operating system
Pages visited and actions performed within the platform
Login timestamps and session activity
Error logs for debugging purposes

3

How We Use Your Data

Purpose	Data Used
Account creation & authentication	Name, email, username, password, Steam ID
Service delivery (matches, rankings, pick/ban)	Gaming stats, session data, player profiles
Transactional emails (welcome, recruit decisions)	Email address, name
Recruit / community applications	Recruit form data, Steam ID, experience level
Subscription & billing management	Name, email, plan type
Security & fraud prevention	IP address, session data, login logs
Platform improvements & bug fixing	Usage data, error logs (anonymised where possible)
Legal compliance	Any data required by applicable law

We do not sell your personal data to third parties, use it for behavioural advertising, or share it for commercial purposes without your explicit consent.

4

Legal Basis for Processing (LGPD)

Under Brazil's General Data Protection Law (LGPD — Lei nº 13.709/2018), we process personal data based on the following legal grounds:

Contract performance (Art. 7, V): Processing necessary to provide the services you signed up for — account management, match tracking, ranking, etc.
Consent (Art. 7, I): For optional features such as linking your Steam account and receiving non-essential communications. You may withdraw consent at any time.
Legitimate interest (Art. 7, IX): For security monitoring, fraud prevention, and platform improvements, where our interests do not override your rights.
Legal obligation (Art. 7, II): When required by applicable Brazilian or international law (e.g., tax records, court orders).

For international users outside Brazil, we also ensure compliance with applicable local data protection regulations (e.g., GDPR for European users).

5

Third-Party Services & Data Sharing

To operate the platform, we integrate with the following trusted third-party services. We share only the minimum data required for each service to function:

Service	Purpose	Data Shared
Valve / Steam	OpenID authentication & player profile lookup	Steam ID, redirect URL
SMTP / Email provider	Transactional email delivery	Recipient name & email
Discord	Webhook notifications for match/series events (optional, Tenant-configured)	Match metadata, player nicknames
CS2 Game Servers (MatchZy)	Real-time match statistics collection via webhooks	Player Steam IDs, in-game stats
WhatsApp / Bot	Optional notification delivery (Elite plan, Tenant-configured)	Match events, configured notification data
Content Delivery Networks (CDN)	Serving fonts (Google Fonts), Bootstrap, Font Awesome	IP address (standard CDN request)

We may disclose personal data to law enforcement or government authorities when required to do so by applicable law, court order, or legal process.

Tenant communities that use the platform are responsible for complying with data protection laws for data they collect from their own players. Each Tenant has access only to data within their own isolated database.

6

Cookies & Session Data

We use cookies and server-side sessions to operate the platform. We do not use advertising or tracking cookies from third-party ad networks.

Essential cookies (cannot be disabled without breaking the platform):

Cookie / Data	Purpose	Duration
Session cookie (PHP session ID)	Maintains your authenticated login session	30 days (or until logout)
CSRF token	Security — prevents cross-site request forgery attacks	Per session, regenerated on each request
Language preference	Remembers your selected interface language	1 year
Login redirect URL	Returns you to the correct page after authentication	Per session
Auth type flag	Tracks whether you logged in via password or Steam	Per session

Sessions are stored server-side. You can delete session data by logging out of the platform. You can also clear cookies through your browser settings, though this will log you out and may affect platform functionality.

Third-party assets (Google Fonts, Bootstrap CDN, Font Awesome CDN) may set their own cookies or log IP addresses as part of standard CDN operation. Please consult their respective privacy policies.

7

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this policy:

Active accounts: Data is retained for the duration of the account's existence on the platform.
Inactive accounts: Accounts with no login activity for 24 months may be deactivated. We will notify you before deletion.
Cancelled subscriptions / Tenant offboarding: Tenant data (including player data) is retained for 30 days after plan cancellation, then permanently deleted unless legally required to retain it.
Recruit applications: Stored for the duration of the application process plus 12 months.
Match statistics & replays: Retained for the lifetime of the Tenant community on the platform.
Error & security logs: Retained for up to 90 days for debugging and security analysis.
Billing/tax records: Retained for 5 years as required by Brazilian tax law (Código Tributário Nacional).

8

Your Rights (LGPD / GDPR)

Under the LGPD and, where applicable, the GDPR, you have the following rights regarding your personal data. To exercise any of these rights, contact us at privacy@pugs.gg. We will respond within 15 business days.

Access

Request a copy of all personal data we hold about you.

Correction

Request correction of inaccurate or incomplete data.

Deletion

Request deletion of your data, subject to legal retention obligations.

Portability

Receive your data in a structured, machine-readable format.

Objection

Object to processing based on legitimate interest.

Withdraw Consent

Revoke consent for optional data processing at any time.

You also have the right to lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD) — Brazil's national data protection authority — at gov.br/anpd.

9

Security

We implement industry-standard technical and organisational measures to protect your personal data, including:

Password hashing: All passwords are hashed using bcrypt (PHP's PASSWORD_DEFAULT) — passwords are never stored in plaintext.
CSRF protection: All state-changing requests require a valid CSRF token to prevent cross-site request forgery.
SQL injection prevention: All database queries use PDO prepared statements with parameterised inputs.
Input sanitisation: User-supplied data is sanitised before processing and HTML-escaped before output.
Session security: Sessions have configurable timeouts and are isolated per tenant subdomain.
Data isolation: Each Tenant community operates on an isolated database — one Tenant cannot access another Tenant's data.
HTTPS: All traffic is served over HTTPS. HTTP requests are automatically upgraded.
Role-based access control: Admins, moderators, and players have separate permission levels within each community.

While we take reasonable steps to protect your data, no internet-based system is completely secure. In the event of a data breach that poses a significant risk to your rights, we will notify affected users and the ANPD within the timeframes required by law.

10

International Data Transfers

Pugs.GG primarily stores and processes data on servers located in Brazil. However, some third-party services we use (such as Steam OpenID, Google Fonts, and CDN providers) may process data outside of Brazil.

When personal data is transferred internationally, we ensure that appropriate safeguards are in place in accordance with LGPD Art. 33, such as:

Transfers to countries with an adequate level of data protection as recognised by the ANPD.
Contractual clauses ensuring compliance with LGPD standards.

11

Children's Privacy

Pugs.GG is intended for users aged 13 years and older. The platform involves competitive gaming content and community interactions that may not be appropriate for younger children.

We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us immediately at privacy@pugs.gg and we will take steps to delete the information.

For users aged 13–17, we recommend parental or guardian review of this Privacy Policy and our Terms of Service before using the platform.

12

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

Update the "Last updated" date at the top of this page.
Notify registered users via email or an in-platform notification.
Where required by law, obtain your consent for significant changes.

Your continued use of Pugs.GG after notification of changes constitutes acceptance of the updated policy.

13

Contact & Data Protection Officer

For any questions, requests, or concerns regarding this Privacy Policy or the handling of your personal data, please contact us:

Email: privacy@pugs.gg
General contact: contact@pugs.gg or via our Contact page

Under the LGPD, you also have the right to contact the Autoridade Nacional de Proteção de Dados (ANPD) to report concerns about how your data is processed:

Website: gov.br/anpd