Privacy Policy
Last updated: April 21, 2026
What we collect
Shadefall collects different categories of data depending on how you interact with the service.
Account data (when you sign in)
- Discord identity: your Discord user ID, username, and avatar URL. Collected via Discord OAuth when you sign in. Used to attribute your votes, comments, and submissions.
- Session cookie: an opaque token stored in an HTTP-only cookie (sf_session). Expires after 14 days.
- Linked Steam accounts: if you choose to link one or more Steam accounts, each Steam ID is stored alongside your Discord ID. You may link multiple Steam accounts to a single Shadefall login.
Steam profile data (Archive)
The Archive crawler periodically fetches publicly available data from Steam profiles that have been added to the tracking queue. This includes:
- Display name (persona) and name history
- Avatar URLs and avatar history
- Profile comments (author, content, timestamp)
- Friends list (current and historical)
- VAC/game/community ban status
- Account creation date
All of this data is publicly visible on Steam. The Archive stores historical snapshots so that changes over time can be reviewed. Profiles are added to the tracking queue when they appear in submitted reports, are viewed in the Archive, or are discovered as friends of tracked profiles.
Demo analysis data (Hunters)
When TF2 demo files (.dem) are submitted through the Hunters pipeline, we extract:
- Steam IDs and player names of all participants in the demo
- Automated detection results (e.g., out-of-bounds pitch angles)
- Map name, server address, and hostname
Legal basis under GDPR
Shadefall processes personal data under the following lawful bases defined in Article 6(1) of the General Data Protection Regulation (EU) 2016/679.
Consent — Art. 6(1)(a)
When you sign in via Discord or link a Steam account, you give explicit consent to the processing of your account data. You can withdraw consent at any time by unlinking your accounts or deleting your session.
Legitimate interest — Art. 6(1)(f)
Both Archive profile crawling and Hunters detection data are processed under Art. 6(1)(f): the processing is necessary for the legitimate interests pursued by Shadefall and the wider gaming community, provided those interests are not overridden by the data subject's fundamental rights and freedoms.
Archive crawling. The legitimate interest is preserving the integrity of multiplayer gaming communities through long-term profile tracking. The data processed is limited to what Steam already makes publicly available. Per Recital 47, the reasonable expectations of the data subject are a key factor in this balancing test: users who set their Steam profiles to public can reasonably expect third parties to access and index that data — Steam's own terms of service inform users of this possibility. The PII removal request mechanism further mitigates any disproportionate impact.
Detection data. The legitimate interest is protecting online game communities from cheating, which is structurally analogous to fraud prevention — a use case Recital 47 explicitly recognises as a legitimate interest ("the processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest"). Additionally, Recital 49 establishes that processing to ensure the "authenticity, integrity and confidentiality" of networked systems constitutes a legitimate interest — cheat detection serves the same purpose for game server integrity. The data processed is minimal (Steam ID, player name, detection type, tick-level evidence from demo files) and does not include sensitive categories under Art. 9. Players participating in online multiplayer matches can reasonably expect that their in-game actions, as recorded in publicly distributed demo files, may be analysed for fair play purposes.
Why detection data is exempt from erasure
The lawful basis for processing detection data is Art. 6(1)(f), not consent. Therefore withdrawal of consent under Art. 17(1)(b) does not trigger a right to erasure for this data category. A data subject may still object under Art. 21(1), but per that article Shadefall may continue processing where it demonstrates compelling legitimate grounds which override the interests, rights and freedoms of the data subject. Maintaining the integrity and verifiability of anti-cheat records constitutes such compelling grounds: deleting individual detection records would allow confirmed cheaters to erase evidence and re-enter clean communities, undermining the system's purpose for all other players.
As a secondary basis, Art. 17(3)(e) (exception to erasure for the establishment, exercise or defence of legal claims) may apply in cases where detection records are relevant to formal disputes over account standing, bans, or moderation decisions.
Storage limitation — Art. 5(1)(e)
The GDPR requires that personal data be kept no longer than necessary for the purposes of processing. Detection data is retained indefinitely because cheating history remains relevant for as long as the individual may participate in the affected game communities. A time-limited retention period would allow repeat offenders to "age out" their records and circumvent community protections. Sessions are automatically purged after 14 days of inactivity.
Transparency for crawled data — Art. 14
Where personal data is not obtained directly from the data subject (i.e. profiles crawled from Steam), Art. 14 requires the controller to inform the data subject of the processing. Shadefall relies on the exception in Art. 14(5)(b): providing individual notice to every crawled profile would involve disproportionate effort given the volume of publicly available profiles processed. As a mitigation measure required by Art. 14(5)(b), this privacy policy is made publicly available on the Shadefall website, and the Archive itself serves as a transparent disclosure — any user can search for their own Steam ID to see exactly what data is held.
The source of this data is the Steam Web API and public Steam Community profile pages. Categories of data collected are listed above under "Steam profile data."
PII removal requests
If you are a Steam user whose profile is tracked by the Archive, you can request removal of specific personal data:
- Sign in with Discord.
- Go to Settings and link your Steam account (you can link multiple accounts).
- Under PII Removal, select what you want removed (past names, avatar history, or profile comments), provide a reason, and submit your request.
A staff member will review your request. If approved, the selected data categories will be permanently deleted from our systems. You will be notified of the outcome.
What PII removal does not cover: demo files, detection results, and Hunters reports are always retained for the reasons described above. If your Steam ID appears in a submitted demo or an approved report, those records are kept permanently. This is the minimum data retention necessary for the system to function as an anti-cheat tool.
Data sharing
Shadefall publishes a machine-readable cheater list consumed by community tools (TF2 Bot Detector format and MAC client format). These lists contain only Steam IDs of players who have been confirmed as cheaters through the verdict process. No other personal data is included.
We do not sell, rent, or share your data with third parties for marketing or advertising.
Data retention
- Sessions: automatically deleted after 14 days of inactivity.
- Archive data: retained indefinitely unless removed via an approved PII removal request, after which the selected data categories (names, avatars, comments) are permanently deleted.
- Detection data: retained permanently per the legitimate interest and compelling grounds analysis above.
Your rights under GDPR
If you are in the EU/EEA, you have the following rights under the GDPR:
- Access (Art. 15): request a copy of the personal data we hold about you.
- Rectification (Art. 16): request correction of inaccurate data.
- Erasure (Art. 17): request deletion of your data, subject to the exceptions described above for detection records.
- Restriction (Art. 18): request that processing be limited while a dispute is resolved.
- Portability (Art. 20): receive your data in a structured, machine-readable format.
- Object (Art. 21): object to processing based on legitimate interest. For Archive data, the PII removal request is the primary way to exercise this right. For detection data, objections are assessed on a case-by-case basis; Shadefall may decline where compelling legitimate grounds apply.
Contact
Questions about this policy, data requests, or exercising your GDPR rights can be directed to the project maintainers via the Shadefall Discord.