How GameThereAny collects, uses, and protects your information.
GameThereAny is a free game price comparison and discovery platform, operated and hosted in the EU. We are committed to protecting your privacy. This policy explains what data we collect, why, and how it is handled.
Data controller: Bora Esen (sole proprietor, Turkey), operating as GameThereAny. Contact: buzzicra@gmail.com. The service is hosted on Railway (EU region, aws-1-eu-central-1). Primary data processing occurs within the EEA.
We store the following data in our systems:
• Auth users (Supabase): email address and bcrypt-hashed password. Never stored in plain text.
• WishlistItem: user ID, game slug, game name, cover image URL, and the date added. Linked to your account.
• ClickTelemetry: deal ID, store ID, game slug, destination URL, anonymised IP address (IPv4: last octet zeroed; IPv6: last 4 groups zeroed), user-agent string, and timestamp. Not linked to your account. Logged to measure which deals users engage with — no commission attribution.
• RateLimitEvent: IP-derived hashed key and timestamp. Used to detect abuse. Cleaned up automatically within hours to days.
• NewsletterSubscriber (when newsletter is active): email address, subscription date, source, and Resend contact ID.
We do not collect names, phone numbers, or payment information.
When you delete your account, we execute the following cascade: (1) all WishlistItem rows for your user ID are deleted; (2) your newsletter subscription is cancelled and the NewsletterSubscriber row is deleted; (3) your PostHog analytics person record is deleted via the PostHog EU API; (4) your Supabase auth row and all sessions are deleted. This is permanent and cannot be undone.
We integrate with the following third-party services:
• Railway (EU, aws-1-eu-central-1) — application hosting. Processes server request data.
• Supabase (EU) — authentication and PostgreSQL database. Stores user credentials, wishlist, and rate-limit data.
• PostHog (EU Cloud, eu.i.posthog.com) — analytics. Receives anonymised usage data only when you consent via the cookie banner. 30-day retention. No session recording, no autocapture, Do Not Track respected.
• Resend — newsletter email delivery. Receives your email address only when you subscribe. Currently offline (newsletter disabled by feature flag).
• CheapShark API (US-hosted) — real-time PC game price data. No personal data is transmitted; only game identifiers are sent.
• IsThereAnyDeal / ITAD API (EU-hosted) — price history data. No personal data is transmitted; only game identifiers are sent.
• RAWG API (US-hosted) — game metadata, cover art, and descriptions. No personal data is transmitted.
• Google Translate (unofficial public endpoint) — used to translate game descriptions into your language. Only English game description text is sent. No personal data is transmitted.
We use one category of optional cookies: analytics cookies powered by PostHog (EU Cloud). These are placed only if you click 'Accept' on the cookie banner. They collect anonymised behavioural data (page views, referrers, device type) to help us improve the site. PostHog respects the Do Not Track browser signal. No session recording or autocapture is enabled. Data is retained for 30 days. If you click 'Decline', no tracking cookies are set. To change your preference at any time, use the 'Cookie preferences' button in the page footer — declining will immediately opt you out and reset any existing analytics identity.
• Account creation and wishlist (email, hashed password, wishlist items): performance of a contract — Art. 6(1)(b).
• Analytics (PostHog): consent — Art. 6(1)(a), collected only after you click 'Accept'.
• Click telemetry (anonymised): legitimate interests — Art. 6(1)(f), service improvement and engagement measurement.
• Newsletter (when active): consent — Art. 6(1)(a), collected at the point of subscription.
• Rate limiting (hashed IP key): legitimate interests — Art. 6(1)(f), abuse prevention.
If you are in the EU or Turkey, you have the right to access, rectify, erase, restrict, port, and object to processing of your personal data.
To exercise erasure (Art. 17), delete your account from Profile settings. This triggers a five-step cascade:
1. All wishlist items are permanently deleted.
2. Your newsletter subscription is cancelled and the subscriber record is deleted (including deletion from Resend).
3. Your PostHog person record is deleted via the PostHog EU API.
4. Your browser's PostHog session is reset.
5. Your Supabase auth row and all active sessions are deleted.
To withdraw analytics consent (Art. 7(3)), use the 'Cookie preferences' button in the page footer and decline. This immediately calls posthog.opt_out_capturing() and resets your analytics identity.
For newsletter unsubscribe, use the unsubscribe button shown on the newsletter sign-up component.
For other data requests, contact buzzicra@gmail.com. All requests will be responded to within 30 days.
• Supabase auth (email, password): until account deletion.
• WishlistItem: until account deletion.
• ClickTelemetry: retained for as long as there is an operational need; we plan to add a 90-day automatic deletion TTL.
• RateLimitEvent: opportunistic cleanup at 2x the rate-limit window (hours to days depending on traffic).
• PostHog analytics: 30 days (configured).
• NewsletterSubscriber: until unsubscription or account deletion.
Our primary stack (Railway, Supabase, PostHog) is hosted in the EU. No personal data is transferred outside the EEA as part of primary processing. Third-party API calls to CheapShark (US) and RAWG (US) transmit only non-personal public identifiers (game slugs, deal IDs). No IP addresses or user data are sent to these APIs. Google Translate receives English game description text only — no personal data. These calls therefore do not constitute a transfer of personal data under GDPR.
We do not perform automated decision-making or profiling as defined under Art. 22 GDPR. Buy-signal verdicts are computed from public price data and do not involve personal data.
You have the right to lodge a complaint with your local data protection supervisory authority. EU users may contact the supervisory authority in their member state. Users in Turkey may contact the Kişisel Verileri Koruma Kurumu (KVKK). For data subject requests, contact buzzicra@gmail.com.
For privacy-related questions or requests, please contact us at buzzicra@gmail.com