BootyBayBroker

Privacy Policy

Booty Bay Broker ("we," "us," or "our") operates the website bootybaybroker.com (the "Service"), a World of Warcraft Auction House price tracking and analytics platform. This Privacy Policy explains in detail what personal data we collect, why we collect it, how we use and protect it, and what rights you have regarding your information. By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this policy. If you do not agree with this policy, please do not use the Service.

Version 2.3 Effective: Last Updated:

Information We Collect

Account Information

When you create an account, we collect the following information:

  • Email Address -- Used for account creation, password recovery, and important service communications.
  • Username -- A display name you choose during registration, visible to other users in certain contexts.
  • Password -- Hashed using bcrypt. Your password is never stored in plaintext and cannot be recovered or viewed by anyone, including administrators.

Battle.net Account Link

If you choose to link your Blizzard Battle.net account, we store a Battle.net identifier and basic profile information provided through Blizzard's official OAuth2 flow. We never receive or store your Battle.net password.

Usage Data

We automatically collect certain information when you use the Service, including:

  • Pages visited and features used (such as which game version tabs you browse, items you search for, and price charts you view)
  • Account-level feature usage for signed-in users, such as saved preferences, favorites, alerts, session activity, and support or abuse-prevention context
  • General interaction patterns and navigation behavior
  • Browser type, version, operating system, and device information
  • Referring URLs and search terms that led you to the site
  • IP addresses (hashed using HMAC-SHA-256 with a server-side salt and anonymized for security auditing purposes only -- raw IPs are never stored and the salted hash cannot be reversed)
  • Approximate geographic region (derived from IP address for region selection, not stored)

Advertising Data (Collected by Third Parties)

When the Service is monetised through a third-party advertising partner, that partner may automatically collect certain information through cookies and similar technologies, including:

  • Your browser type, version, and language preferences
  • Device identifiers and operating system information
  • IP address (used by the advertising partner for geographic targeting and fraud prevention)
  • Pages you visit on our Service and the content you interact with
  • Ad impressions, clicks, and engagement metrics
  • Information from other websites you have visited that participate in the same advertising network, used to serve interest-based advertisements

This data is collected and processed directly by the advertising partner under that partner's own privacy policy. We do not have access to the raw advertising data they collect. See Section 5 (Advertising) for full details on how third-party advertising cookies work and how you can opt out.

Contact Form Submissions

When you use the contact form, we collect your name, email address, and message content. This information is used solely to respond to your inquiry and is not shared with third parties. An optional subject field is also collected if provided.

Information We Do NOT Collect

We do not collect the following:

  • We do not collect your Battle.net password, game credentials, or authentication tokens beyond the OAuth2 session
  • We do not collect in-game data from your WoW characters (gold, inventory, mail, guild bank)
  • We do not collect payment or financial information of any kind
  • We do not collect social media account data beyond what you voluntarily provide
  • We do not collect precise location data -- only approximate region derived from IP address for server selection, which is not stored
  • We do not install or require any addons, browser extensions, or client software
  • We do not use fingerprinting or hidden tracking techniques beyond standard cookies described in this policy

How We Use Your Information

We use the information we collect for the following purposes:

  • Account Management -- To create, maintain, and secure your account, including login authentication, password recovery, and session management.
  • Service Delivery -- To provide personalized features such as favorites, price alerts, watchlists, and custom dashboards.
  • Service Improvement -- To analyze usage patterns, identify bugs, optimize performance, and develop new features based on how the Service is used.
  • Communications -- To send important service-related notifications such as password reset emails, security alerts, and major feature announcements. We do not send marketing emails.
  • Security -- To detect and prevent fraud, abuse, automated scraping, and other activities that threaten the integrity of the Service.
  • Advertising -- To display advertisements through our third-party advertising partners that help fund the Service and keep it free to use. The advertising partner may use data collected through advertising cookies to serve ads that are relevant to your interests. You can opt out of personalized advertising at any time (see Section 5).
  • Legal Compliance -- To comply with applicable laws, regulations, legal processes, or enforceable governmental requests, and to protect our rights, privacy, safety, or property.

Cookies and Tracking Technologies

Cookies are small text files placed on your device by websites you visit. They are widely used to make websites work efficiently, remember your preferences, and provide information to site operators. We and our third-party partners use cookies and similar technologies (such as web beacons and pixel tags) to provide, secure, and improve the Service.

Below is a breakdown of every cookie and tracking technology used on the Service.

Essential Cookies (First-Party, Strictly Necessary)

These cookies are strictly necessary for the Service to function correctly. They cannot be disabled without breaking core functionality. They do not collect information for marketing purposes.

  • Session Cookie (bbb.sid) -- Maintains your login state and CSRF protection while you are signed in. This is an HttpOnly, Secure cookie that cannot be read by client-side JavaScript. It expires when your session ends or after a period of inactivity. It is regenerated on security-sensitive actions (login, password change) to prevent session fixation.
  • Preference Cookies -- Store your selected region, realm, game version, and display preferences (such as faction and sort order) so the Service remembers your choices across page loads. These are first-party cookies that do not leave your browser.

Advertising Cookies (Third-Party Advertising Partners)

When the Service is monetised through a third-party advertising partner, that partner and its sub-partners use cookies, web beacons, and similar technologies to serve ads, measure their effectiveness, and personalize the advertising experience. Typical advertising cookies carry an opaque identifier, support frequency capping, and may signal interest categories used for behavioural targeting.

For full details on how third-party advertising cookies work, how personalized and non-personalized ads differ, and how to opt out, see Section 5: Advertising.

Infrastructure Analytics (Cloudflare Edge Traffic)

We do not load the Cloudflare Web Analytics browser beacon. Cloudflare still processes standard HTTP request metadata as our DNS, CDN, and security provider so it can route traffic, cache content, mitigate abuse, and provide aggregated edge traffic reports.

  • Cloudflare edge processing may include standard request data such as IP address, user agent, requested path, referrer, timestamp, and security events.
  • We use Cloudflare's edge traffic summaries for reliability, performance, capacity planning, and abuse prevention, not advertising.
  • Cloudflare edge analytics are not the same as GA4 browser analytics and do not receive your account identifiers, favorites, search text, watchlists, or in-app preferences from us.

Analytics (Third-Party -- Google Analytics 4)

We use Google Analytics 4 (GA4) to measure aggregate traffic to the Service -- pageviews, visitor counts, country, device class, traffic sources, top pages, and engagement signals such as session duration. GA4 helps us understand which features are used and which pages need attention; it is also a requirement for the third-party advertising networks that fund the Service.

Google Analytics Advertising Features. GA4 is configured with allow_google_signals: true and allow_ad_personalization_signals: true, and is linked to Google Signals. Consent Mode keeps ad storage, ad user data, and ad personalization denied until you accept optional cookies. After Accept, this enables: (a) Demographics & Interest Reports -- Google associates your visit with the aggregated age, gender, and interest categories it has for your Google account (when you are signed in and have Web & App Activity association enabled); (b) Cross-device measurement -- Google deduplicates your visits across devices on which you are signed in to the same Google account; (c) Remarketing audiences -- eligible to be exported to a linked Google Ads account, if one is connected in the future. We do not currently have a Google Ads link, but the data is collected in a form that would make such a link possible.

Custom event parameters. GA4 also receives the following custom parameters with each event: game_version (which WoW edition you are browsing -- e.g. Retail, MoP Classic, TBC Classic), region (US or EU AH region), and user_type (anonymous or authenticated -- never any account-identifying value). No usernames, emails, Battle.net IDs, item search strings, or watchlist contents are ever sent to GA4.

BigQuery export. GA4 offers a native BigQuery Export integration. If it is enabled for our property, event-level GA4 data may be exported to a Google Cloud BigQuery dataset in our Google Cloud project via Google's standard GA4–BigQuery integration, for aggregate analysis and ad-network onboarding diligence. We do not operate a separate real-time streaming pipeline. Any exported data is subject to the same restrictions described above -- no personally identifying information is included -- and to GA4's and the dataset's retention settings.

IP anonymization remains on. We continue to set anonymize_ip: true; Google truncates visitor IPs before processing. We also send url_passthrough: true (Google passes ad click identifiers through navigation URLs when cookies are denied) and ads_data_redaction: true (Google redacts IP + device identifiers from ad-related beacons when ad_storage is denied).

Consent Mode v2. GA4 is controlled by the cookie consent banner via Consent Mode v2. Where analytics consent is required and has not yet been granted, or when you choose Essential Only, GA4 runs in "cookieless" mode -- no analytics cookies are written and only modeled, aggregated signals reach Google. Outside opt-in regions, GA4 analytics storage may be granted by default so GA4 can set cookies such as _ga and _ga_<MID> to count returning visitors. Advertising storage, advertising user data, and ad personalization remain denied unless you accept optional cookies. You can withdraw or change your choice at any time using the cookie preference controls below or by clearing site data to re-trigger the banner.

Authenticated User-ID. When you are signed in, GA4 may also receive a server-generated, non-reversible pseudonymous cross-session identifier. This value is derived with a server-side secret and sent via GA4's User-ID mechanism so Google can stitch your sessions across devices and browsers when you are signed in to both the Service and the same Google account. The value carries no email, no Battle.net handle, no username, no raw database id, and no user-typed content. When it is sent depends on your region. In opt-out jurisdictions (currently the United States) a signed-in account holder who has accepted the Terms of Service receives the User-ID by default, under the opt-out model described in Section 12, without needing to accept optional cookies. In opt-in regions (the EEA, the United Kingdom, and Switzerland) the User-ID is sent only after you grant analytics consent on the cookie banner. In every case it is suppressed when you choose Essential Only, send a Global Privacy Control signal (see Section 13), sign out, or delete your account.

We never send the following to GA4: character names, Battle.net IDs, email addresses, watchlist or favorite contents, raw item search strings, seller names, authentication tokens, or any other identifier that could re-identify you. Only canonical URL paths (without query strings), the SSR-emitted page title, the custom parameters above, and the region-gated pseudonymous User-ID for authenticated visitors (as described above) are reported.

You can withdraw GA4 analytics consent at any time by using the cookie preference controls in this section, choosing Essential Only on the cookie banner, or clearing site data in your browser to re-trigger the banner. See Section 4 Managing Cookies (below) for browser-specific instructions, and Section 10: Your Rights for how to request access, correction, or deletion of any data we hold.

Managing Cookies

Most web browsers allow you to control cookies through their settings. You can typically find these in the "Options," "Settings," or "Preferences" menu of your browser. The following links may help you understand your options:

Please note that disabling essential cookies may prevent you from using core features of the Service, such as staying logged in or saving your preferences. Blocking advertising cookies will not remove ads but will cause you to see generic, non-personalized advertisements instead.

Advertising

The Service is provided free of charge. To cover operating costs (servers, databases, API fees, and development time), we may display advertisements through one or more third-party advertising partners. This section explains how advertising on our Service works in general terms and what choices you have.

How third-party ad cookies work

Most third-party advertising networks operate on the same general mechanics. When you visit a page on our site that contains ads:

  • The advertising partner's ad-serving technology loads on the page and requests an advertisement from its ad servers.
  • The advertising partner may read existing cookies on your browser or place new cookies to determine which ads to show you and to enforce frequency capping.
  • The ads you see may be based on the content of the page you are viewing (contextual targeting), your general geographic location, and -- if you have not opted out -- your browsing history across other sites in the same advertising network (interest-based or behavioural targeting).
  • The advertising partner collects data about ad impressions, clicks, and your interaction with ads. This data is used to measure ad performance, prevent fraud, and improve the advertising experience.

Personalized vs. Non-Personalized Ads

Personalized ads (also called interest-based ads) use data collected from your browsing activity across websites to show you advertisements that are likely to be relevant to your interests. Most third-party advertising partners build an advertising profile based on the websites you visit, the apps you use, and other online activity.

Non-personalized ads are based solely on the content of the page you are currently viewing and your general geographic location. They do not use cookies for ad targeting, though they may still use cookies for frequency capping and ad fraud prevention.

If you are located in the European Economic Area (EEA) or the United Kingdom, our advertising partner is required to request your consent before serving personalized ads, in compliance with GDPR. You can change your consent choice at any time through the cookie consent banner on this site.

Your Advertising Choices

You have several options for controlling the ads you see on the Service:

  • Opt out via industry programs: Visit the Digital Advertising Alliance (DAA) AdChoices opt-out or the Network Advertising Initiative (NAI) opt-out to opt out of personalized ads from participating advertising networks. These industry-wide opt-out tools cover most major advertising partners and remain effective when our specific advertising partner changes.
  • For EU/UK users: Visit Your Online Choices to manage your preferences for online behavioral advertising.
  • Browser settings: Configure your browser to block third-party cookies, which will prevent most personalized advertising tracking. See Section 4 for browser-specific instructions.

Third-Party Services

The Service integrates with the following third-party services. Each service operates under its own privacy policy, and we encourage you to review them to understand how your data may be processed by these parties. We only share the minimum data necessary for each service to function.

  • Third-party advertising partners -- When the Service is monetised, one or more third-party advertising partners provide display advertisements on the Service. Advertising partners may collect and use data (including cookies, device identifiers, and browsing activity) as described in their respective privacy policies. As of May 17, 2026 no advertising partner is active and no advertising data is being collected; this entry will be updated to name the specific partner if and when one is engaged.
  • Cloudflare -- Provides DNS, CDN (content delivery network), DDoS protection, and aggregated edge traffic analytics. Cloudflare processes web traffic to protect and accelerate the Service but does not use this data for advertising. We do not load the Cloudflare Web Analytics browser beacon. See the Cloudflare Privacy Policy.
  • Blizzard Battle.net API -- Used to retrieve World of Warcraft game data (item metadata, auction house listings, and pricing information) and for optional Battle.net account linking via OAuth2. When you link your Battle.net account, we receive a user identifier and basic profile information. We never receive your Battle.net password. See the Blizzard Privacy Policy.
  • Resend -- Used for transactional email delivery (password resets, account verification, and security notifications). Your email address is shared with Resend solely for email delivery purposes. See the Resend Privacy Policy.
  • Railway -- Our application hosting provider. Railway hosts the servers and databases that run the Service. Data stored on Railway is subject to the Railway Privacy Policy.
  • Google Analytics 4 (GA4) -- See Section 4 for the full disclosure: GA4 receives pageviews + custom event parameters and is configured with Google Signals + ad-personalization signals, but advertising storage and personalization stay denied until optional cookies are accepted; the pseudonymous GA4 User-ID for signed-in users is region-gated (sent by default for signed-in account holders in opt-out jurisdictions such as the US, and only after consent in the EEA/UK/Switzerland) as detailed in Section 4; subject to the Google Privacy Policy.
  • Google Cloud BigQuery -- When GA4's BigQuery Export integration is enabled, it receives an export of GA4 event data for analysis and ad-network onboarding diligence. The dataset is hosted in our Google Cloud project and is subject to the Google Cloud Privacy Notice.

Data Sharing

Here is exactly how your data may be shared:

  • Third-party advertising partners -- When advertising is active, anonymized and aggregated data (such as browsing patterns and ad interaction metrics) is shared with the advertising partner for the purpose of serving and optimizing advertisements. Advertising partners do not receive your username, email address, or password.
  • Cloudflare -- Aggregated, non-identifiable analytics data is processed by Cloudflare. No personal information is shared.
  • Blizzard -- If you link your Battle.net account, authentication tokens are exchanged with Blizzard's OAuth2 service. We do not share any other account data with Blizzard.
  • Email Provider -- Your email address is shared with our transactional email provider (Resend) solely for the purpose of delivering account-related emails. Resend does not use your email address for marketing.
  • Hosting Provider -- Your data is stored on servers operated by Railway (our hosting provider). Railway processes data as a data processor on our behalf and is contractually prohibited from using your data for their own purposes.
  • Google (Analytics + Signals + BigQuery) -- GA4 events including the custom dimensions described in Section 4 are shared with Google for analytics, demographics modeling, and remarketing-eligibility where consent permits. With Google Signals on, signed-in Google users' visits may be associated with their Google profile data on Google's side (we do not receive that profile data -- only aggregated reports). Signed-in Service users may also be reported with the server-generated pseudonymous User-ID on the region-gated basis described in Section 4 (by default on Terms acceptance in opt-out jurisdictions such as the US; only after consent in the EEA/UK/Switzerland). If GA4's BigQuery Export is enabled, event-level data may also be exported to a Google Cloud BigQuery dataset in our project via Google's standard integration.
  • Legal Requirements -- We may disclose your personal information if required to do so by law, or if we believe in good faith that such action is necessary to comply with a legal obligation, protect and defend our rights or property, prevent fraud, or protect the personal safety of users or the public.
  • Business Transfer -- In the event of a merger, acquisition, reorganization, bankruptcy, or other similar event, your personal information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your personal information.

Data Retention

We retain your data only for as long as necessary to fulfill the purposes described in this Privacy Policy. Below is a detailed breakdown of retention periods for each category of data:

  • Account Data -- Your email address, username, and hashed password are retained for as long as your account is active. If you delete your account, this data is permanently and irreversibly removed from our database. Account deletion is processed immediately upon request.
  • Battle.net Link -- Battle.net identifiers and basic profile information are retained while the link is active. Unlinking your Battle.net account or deleting your account removes this data immediately. OAuth2 access tokens are not stored long-term.
  • User Preferences -- Favorites, price alerts, watchlists, and display preferences are retained while your account is active and permanently deleted upon account deletion. These preferences cannot be recovered after deletion.
  • Usage and Analytics Data -- Aggregated operational analytics, such as first-party JS-confirmed usage totals and Cloudflare edge traffic summaries, may be retained indefinitely when they cannot identify an individual user or app account.
  • GA4 / BigQuery Data -- GA4 user and event data is retained on Google's servers for 14 months and reset on new user activity. If GA4's BigQuery Export is enabled, the exported data is retained in our Google Cloud project subject to that dataset's retention policy. Deletion scope: when you delete your account, all application-held personal data is removed immediately (Account Data, Battle.net Link, User Preferences). GA4's server-side data continues to age out under the 14-month retention window above. You may also request deletion of the GA4 data (and any BigQuery-exported data) associated with your pseudonymous User-ID via the contact address in Section 15; we action such requests through Google's data-deletion tools.
  • Security Logs -- Hashed IP addresses (HMAC-SHA-256 with a server-side salt) and security audit logs (login attempts, rate limit violations, suspicious activity) are retained for up to 90 days to detect and investigate abuse, after which they are automatically purged.
  • Session Data -- Login session cookies expire after a period of inactivity or when you explicitly log out. Session data is persisted to the PostgreSQL database and may survive application restarts until the session expires or you log out. Expired sessions are automatically pruned.
  • Game Data -- Auction House price data, item metadata, and market statistics are retained for up to 365 days (one year) for historical analysis purposes. This data is sourced from public APIs and does not contain personal information. Older data is automatically purged through database retention policies.
  • Advertising Data -- Advertising cookies placed by third-party advertising partners have their own retention periods determined by the advertising partner (commonly 13 months for advertising cookies, though this varies by partner). We do not control the retention of data collected directly by an advertising partner. You can manage or delete these cookies through your browser settings, or opt out via the Digital Advertising Alliance (DAA) or Network Advertising Initiative (NAI) opt-out tools.

Data Security

Your personal information is protected by the following measures:

Technical Safeguards

  • Encryption in Transit -- All connections to the Service are encrypted using HTTPS/TLS. Unencrypted HTTP requests are automatically redirected to HTTPS.
  • Password Hashing -- User passwords are hashed using bcrypt, an adaptive hashing algorithm specifically designed to resist brute-force and rainbow table attacks. Passwords are never stored in plaintext.
  • Session Security -- Login sessions use secure, HttpOnly cookies with CSRF (Cross-Site Request Forgery) protection. Sessions are regenerated on authentication state changes (login, password change, email change) to prevent session fixation attacks.
  • IP Anonymization -- IP addresses stored for security auditing are hashed using HMAC-SHA-256 with a server-side salt before storage. The salted one-way hash ensures they cannot be reversed to identify individuals, even with knowledge of the hashing algorithm.
  • Rate Limiting -- API endpoints and authentication routes are protected by rate limiting to prevent brute-force attacks and abuse.

Operational Safeguards

  • Database Security -- All data is stored in encrypted databases hosted on secure infrastructure with strict access controls. Only essential systems have access to production data.
  • Account Lockout -- Repeated failed login attempts trigger temporary account lockouts to protect against credential stuffing attacks.
  • Credential Sanitization -- API keys, tokens, and sensitive credentials are scrubbed from error logs and diagnostic output to prevent accidental exposure.

Automated Decision-Making

We use automated processing for the following limited purposes:

  • Rate Limiting and Abuse Detection -- Automated systems monitor request patterns to detect and block abusive behavior (such as scraping or brute-force attacks). These systems may temporarily restrict access based on detected patterns.
  • Account Lockout -- Automated systems temporarily lock accounts after repeated failed login attempts. This is a security measure and does not involve profiling.

We do not use automated decision-making or profiling that produces legal or similarly significant effects on you. Our third-party advertising partners may use automated processes to select which ads to display, but this does not affect your access to or use of the Service.

Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Right of Access -- You may request a copy of the personal data we hold about you. Contact us using the details in Section 15.
  • Right to Rectification -- You can update your email address, username, and password at any time through your account settings.
  • Right to Deletion -- You can delete your account at any time through your account settings or by contacting us. Account deletion permanently removes all personal data associated with your account.
  • Right to Opt Out of Personalized Ads -- You can opt out of personalized advertising at any time by visiting the Digital Advertising Alliance (DAA) or Network Advertising Initiative (NAI) opt-out tools, by sending a Global Privacy Control (GPC) signal (which we honor as a binding opt-out -- see Section 13), by adjusting the cookie consent banner on this site, or by configuring your browser to reject third-party cookies.
  • Right to Data Portability -- You may request an export of your personal data in a machine-readable format. Contact us using the details in Section 15.
  • Right to Withdraw Consent -- Where we rely on your consent for data processing (such as optional Battle.net linking or personalized advertising), you may withdraw that consent at any time by unlinking your Battle.net account, opting out of personalized ads, or deleting your account.
  • Right to Manage Cookies -- You can manage, disable, or delete cookies at any time through your browser settings. You can also opt out of personalized advertising through the links provided in Section 5 (Advertising). See Section 4 for browser-specific cookie management instructions.

To exercise any of these rights, please contact us at support@bootybaybroker.com. We will respond to all requests within 30 days.

Children's Privacy

The Service is not directed at children under the age of 13. We do not knowingly collect, use, or disclose personal information from children under 13 years of age, in compliance with the United States Children's Online Privacy Protection Act (COPPA) and similar laws in other jurisdictions.

We do not knowingly serve personalized advertisements to children under 13. When the Service is monetised, we require our third-party advertising partners to honour COPPA requirements, and we do not knowingly allow children under 13 to create accounts on the Service.

Google Signals limitation. Because GA4 Google Signals infers demographic categories (including approximate age) for signed-in Google users, if a user under 13 nonetheless creates an account on the Service undetected, we cannot prevent Google from associating their visit with profile data on Google's side. We do not receive that profile data directly -- only aggregated reports -- but you should be aware that Google's own Children's Privacy Policy applies to any Google-account-linked traffic that originates from a child.

If we become aware that we have inadvertently collected personal information from a child under 13, we will take immediate steps to delete that information from our systems and terminate the associated account. If you are a parent or guardian and believe that your child under 13 has provided us with personal information, please contact us immediately at support@bootybaybroker.com so we can investigate and take appropriate action.

Users between the ages of 13 and 18 may use the Service with the consent of a parent or legal guardian, as outlined in our Terms of Service. Parents or guardians of users between 13 and 18 may contact us to request access to, correction of, or deletion of their child's personal information.

International Privacy Rights

European Economic Area (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR). Our legal basis for processing your personal data depends on the type of data and how we use it:

  • Contractual Necessity -- Processing required to provide the Service you requested (account creation, authentication, service delivery).
  • Legitimate Interest -- Processing for security monitoring, fraud prevention, service improvement, and analytics, where our interests do not override your fundamental rights.
  • Consent -- Processing based on your explicit consent, such as optional Battle.net account linking or personalized advertising via our third-party advertising partners. You may withdraw consent at any time.

Under the GDPR, you have the right to access, rectify, erase, restrict processing of, and port your personal data. You also have the right to object to processing and to lodge a complaint with your local data protection authority. To exercise these rights, contact us at support@bootybaybroker.com.

United Kingdom (UK GDPR)

If you are in the United Kingdom, the UK GDPR and the Data Protection Act 2018 give you the same access, rectification, erasure, restriction, portability, and objection rights described above, with oversight by the Information Commissioner's Office (ICO). Non-essential analytics and advertising stay off until you opt in via the cookie banner.

Switzerland (revFADP)

If you are in Switzerland, the revised Federal Act on Data Protection (revFADP) applies, with oversight by the Federal Data Protection and Information Commissioner (FDPIC). You have rights of access, rectification, and erasure. We treat Swiss visitors with the same default-denied Consent Mode posture as the EEA/UK -- non-essential analytics and advertising stay off until you opt in via the cookie banner.

Brazil (LGPD)

If you are in Brazil, the Lei Geral de Proteção de Dados (LGPD) gives you rights of access, correction, deletion, portability, and information about data sharing, enforced by the Autoridade Nacional de Proteção de Dados (ANPD). You control non-essential analytics and advertising via the cookie banner and Global Privacy Control. Brazil is NOT part of the signed-in default-on analytics enabled for account holders in opt-out jurisdictions -- it remains opt-in via the banner.

Canada (PIPEDA)

If you are in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) gives you rights of access and correction and the ability to complain to the Office of the Privacy Commissioner of Canada (OPC). You control non-essential analytics and advertising via the cookie banner and Global Privacy Control. Canada is NOT part of the signed-in default-on analytics enabled for account holders in opt-out jurisdictions -- it remains opt-in via the banner.

Australia (Privacy Act)

If you are in Australia, the Privacy Act 1988 and the Australian Privacy Principles (APPs) give you rights of access and correction, with oversight by the Office of the Australian Information Commissioner (OAIC). You control non-essential analytics and advertising via the cookie banner and Global Privacy Control. Australia is NOT part of the signed-in default-on analytics enabled for account holders in opt-out jurisdictions -- it remains opt-in via the banner.

California Residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with specific rights regarding your personal information:

  • Right to Know -- You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, the business purposes for collecting it, and the categories of third parties with whom we share it.
  • Right to Delete -- You have the right to request deletion of your personal information, subject to certain legal exceptions.
  • Right to Opt Out of Sale or Sharing -- We do not sell your personal information as defined by the CCPA. However, certain advertising activities (such as personalized ads served by our third-party advertising partners) AND the GA4 + Google Signals flow (and any GA4 BigQuery Export, where enabled) described in Section 4 may constitute a "sale" or "sharing" under CCPA / CPRA definitions (when Signals is on, GA4 event data including custom dimensions is shared with Google and may be used by Google to associate visits with the visitor's Google account profile data on Google's side; where a BigQuery export is enabled it delivers event-level data into our Google Cloud project). You can opt out of personalized advertising by visiting the Digital Advertising Alliance (DAA) or Network Advertising Initiative (NAI) opt-out tools.
  • Right to Non-Discrimination -- We will not discriminate against you for exercising any of your CCPA rights.

To submit a CCPA request, contact us at support@bootybaybroker.com. We will verify your identity before processing any request and respond within 45 days.

Do Not Track Signals

Global Privacy Control (GPC). We honor the Global Privacy Control signal — sent by your browser or a privacy extension as the Sec-GPC request header and the navigator.globalPrivacyControl property. Whenever we detect GPC, we treat it as a binding opt-out of the sale or sharing of your personal information under the CCPA/CPRA, the Colorado Privacy Act, and the Connecticut Data Privacy Act: optional analytics and advertising are denied by default for that visit (equivalent to choosing "Essential Only"). This applies even if you previously chose "Accept" on this site — an active GPC signal overrides a stored prior acceptance, so by default we keep optional analytics and advertising denied on every visit while GPC is on. If you nonetheless click "Accept optional cookies" below while GPC is active, we honor that as your deliberate, informed choice to opt in for that session, as permitted under the CCPA. On later visits we return to the GPC-based opt-out by default; optional analytics and advertising resume only when you actively accept again or turn the GPC setting off. Choosing "Essential Only" always keeps optional analytics and advertising off.

Do Not Track (DNT). Some browsers also transmit a "Do Not Track" signal. Unlike GPC, DNT has no universally accepted standard and is not a legally recognized opt-out, so we do not separately respond to DNT. You can still exercise control using the tools described throughout this policy, including the cookie preference controls (see Section 4), opting out of personalized advertising (see Section 5), and exercising your data rights (see Section 10).

If a universal standard for DNT signals is adopted in the future, we will update this policy to describe how we respond.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or the third-party services we use. When we make changes:

  • The "Last Updated" date at the top of this page will be revised.
  • The version number will be incremented.
  • For material changes that significantly affect how we collect, use, or share your data, we will make reasonable efforts to notify registered users via email or through a prominent notice on the Service at least 30 days before the changes take effect.
  • The previous version of this Privacy Policy will remain accessible for reference upon request.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of the updated policy. If you do not agree with the revised policy, you must stop using the Service and may request deletion of your account and personal data.

Contact

If you have questions, concerns, or requests regarding this Privacy Policy, your personal data, or our privacy practices, contact us at the addresses below.

Response Times: We aim to acknowledge all privacy-related inquiries within 5 business days and to provide a substantive response within 30 days. For data subject requests under GDPR, we will respond within 30 days as required. For CCPA requests, we will respond within 45 days. If we need additional time, we will notify you of the extension and the reason.

If you are not satisfied with our response or believe we are processing your personal data in violation of applicable law, you have the right to lodge a complaint with your local data protection supervisory authority.