BlueSTEAL — Privacy Policy

EFFECTIVE DATE: MARCH 2026

This Privacy Policy explains what data BlueSTEAL collects, why, and what rights you have. BlueSTEAL is operated as an independent project. Our servers are hosted within the European Union.

1. WHO THIS POLICY APPLIES TO

This policy applies to two distinct groups:

  • Players — Bluesky users who sign in to BlueSTEAL via OAuth and actively use the game.
  • Card subjects — Bluesky users whose public profiles appear as cards in the game, whether or not they have signed in.

2. DATA WE COLLECT — PLAYERS

When you sign in via Bluesky OAuth, we store:

  • Your AT Protocol DID and handle, used to identify your account in the game
  • Your in-game balance and transaction history (virtual currency only)
  • A session token (see section 5)

We do not collect your email address or any data beyond what is listed above. Sign-in happens through Bluesky OAuth on your own account's authorization server, so your password is never sent to or seen by BlueSTEAL.

3. DATA WE COLLECT — CARD SUBJECTS

For Bluesky profiles that appear as cards in the game, we store:

  • The AT Protocol DID and handle, used as a game identifier
  • The card's current in-game value and transaction history

We do not store profile pictures, bios, follower counts, or post content. This information is fetched in real time from the public AT Protocol network each time a card is displayed, and is never persisted on our servers.

4. LEGAL BASIS (GDPR)

  • Players: Processing is based on contractual necessity (Art. 6.1.b GDPR) — your DID and game data are required to operate your account.
  • Card subjects: Processing is based on legitimate interest (Art. 6.1.f GDPR) — limited to using a public identifier as a game token. No personal data beyond the DID/handle and the in-game value and transactions associated with it is stored. You may opt out at any time (see section 7).

5. COOKIES AND LOCAL STORAGE

BlueSTEAL uses one cookie:

  • bs_session — a JWT session token. It is set with the httpOnly, secure and sameSite: lax attributes (so page scripts cannot read it and it is only sent over HTTPS) and expires after 7 days. It is strictly necessary for authentication and is exempt from consent requirements under the ePrivacy Directive.

BlueSTEAL also uses browser storage for the following strictly functional purposes:

  • localStorage — stores activity_last_seen, a timestamp used to display the activity notification badge. No personal data.
  • IndexedDB / sessionStorage — used by the AT Protocol OAuth client library to manage PKCE and DPoP keys client-side. This is handled entirely by the @atproto/oauth-client-browser library and contains no personal data beyond what is required for the OAuth flow.

We use no analytics, advertising cookies, or third-party tracking scripts of any kind.

6. DATA RETENTION

  • Player account data is retained for as long as the account is active. You may request deletion at any time (see section 8).
  • Card subject data (DID + game value) is retained as long as the profile is part of the game. It is deleted within 5 minutes of opt-out detection.
  • Transaction history is retained for the lifetime of the game for integrity purposes, subject to deletion on card-subject opt-out (section 7) or on request (section 8).

7. OPTING OUT — CARD SUBJECTS

If you do not wish to appear in BlueSTEAL, block the bluesteal.app account on Bluesky. Within 5 minutes of our detecting the block:

  • Your card is removed from the game
  • Your DID is added to our blocklist so that your card cannot be re-created; the DID is the only item retained for this purpose
  • All other associated game data (card value and transaction history) is permanently deleted

8. YOUR RIGHTS (GDPR)

If you are located in the European Economic Area, you have the following rights:

  • Access — request a copy of the data we hold about you
  • Rectification — request correction of inaccurate data
  • Erasure — request deletion of your data
  • Restriction — request that we limit how we use your data
  • Objection — object to processing based on legitimate interest
  • Portability — request your data in a machine-readable format

To exercise any of these rights, contact us at hello@bluesteal.app. We will respond within 30 days.

You also have the right to lodge a complaint with your national data protection authority. In France: CNIL.

9. DATA SHARING AND SUB-PROCESSORS

We do not sell, rent, or share your data with third parties for commercial purposes. Data may be disclosed if required by law or to comply with a valid legal request.

To operate the service, we use the following data processors, all hosted within the European Union:

  • Vercel (Paris, France) — serverless function execution and content delivery
  • Railway (Amsterdam, Netherlands) — background processing and cron jobs
  • Upstash (Frankfurt, Germany) — Redis database storage

10. SECURITY

The bs_session cookie is httpOnly, secure and sameSite: lax (see section 5): it is not readable by page scripts, is transmitted over HTTPS only, and is not sent on most cross-site requests. Our servers and all sub-processors listed in section 9 are hosted within the European Union. We apply standard security practices to protect stored data.

11. CHANGES TO THIS POLICY

We may update this policy from time to time. The effective date at the top of this page will reflect the latest version. Continued use of BlueSTEAL after a change constitutes acceptance of the updated policy.

12. CONTACT

For any privacy-related questions or requests: hello@bluesteal.app

BlueSTEAL is an independent project, not affiliated with Bluesky Social PBC.