Privacy Policy

Booty Bay Broker ("we," "us," or "our") operates the website bootybaybroker.com (the "Service"), a World of Warcraft Auction House price tracking and analytics platform. This Privacy Policy explains in detail what personal data we collect, why we collect it, how we use and protect it, and what rights you have regarding your information. By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this policy. If you do not agree with this policy, please do not use the Service.

Version 2.0 Effective: Last Updated:

Information We Collect

Account Information

When you create an account, we collect the following information:

  • Email Address -- Used for account creation, password recovery, and important service communications.
  • Username -- A display name you choose during registration, visible to other users in certain contexts.
  • Password -- Hashed using bcrypt. Your password is never stored in plaintext and cannot be recovered or viewed by anyone, including administrators.

Battle.net Account Link

If you choose to link your Blizzard Battle.net account, we store a Battle.net identifier and basic profile information provided through Blizzard's official OAuth2 flow. We never receive or store your Battle.net password.

Usage Data

We automatically collect certain information when you use the Service, including:

  • Pages visited and features used (such as which game version tabs you browse, items you search for, and price charts you view)
  • General interaction patterns and navigation behavior
  • Browser type, version, operating system, and device information
  • Referring URLs and search terms that led you to the site
  • IP addresses (hashed using HMAC-SHA-256 with a server-side salt and anonymized for security auditing purposes only -- raw IPs are never stored and the salted hash cannot be reversed)
  • Approximate geographic region (derived from IP address for region selection, not stored)

Advertising Data (Collected by Third Parties)

When you visit our Service, our advertising partner Google AdSense may automatically collect certain information through cookies and similar technologies, including:

  • Your browser type, version, and language preferences
  • Device identifiers and operating system information
  • IP address (used by Google for geographic targeting and fraud prevention)
  • Pages you visit on our Service and the content you interact with
  • Ad impressions, clicks, and engagement metrics
  • Information from other websites you have visited that participate in Google's advertising network, used to serve interest-based advertisements

This data is collected and processed directly by Google under Google's own Privacy Policy. We do not have access to the raw advertising data Google collects. See Section 5 (Advertising) for full details on how Google uses this information and how you can opt out.

Contact Form Submissions

When you use the contact form, we collect your name, email address, and message content. This information is used solely to respond to your inquiry and is not shared with third parties. An optional subject field is also collected if provided.

Information We Do NOT Collect

We do not collect the following:

  • We do not collect your Battle.net password, game credentials, or authentication tokens beyond the OAuth2 session
  • We do not collect in-game data from your WoW characters (gold, inventory, mail, guild bank)
  • We do not collect payment or financial information of any kind
  • We do not collect social media account data beyond what you voluntarily provide
  • We do not collect precise location data -- only approximate region derived from IP address for server selection, which is not stored
  • We do not install or require any addons, browser extensions, or client software
  • We do not use fingerprinting or hidden tracking techniques beyond standard cookies described in this policy

How We Use Your Information

We use the information we collect for the following purposes:

  • Account Management -- To create, maintain, and secure your account, including login authentication, password recovery, and session management.
  • Service Delivery -- To provide personalized features such as favorites, price alerts, watchlists, and custom dashboards.
  • Service Improvement -- To analyze usage patterns, identify bugs, optimize performance, and develop new features based on how the Service is used.
  • Communications -- To send important service-related notifications such as password reset emails, security alerts, and major feature announcements. We do not send marketing emails.
  • Security -- To detect and prevent fraud, abuse, automated scraping, and other activities that threaten the integrity of the Service.
  • Advertising -- To display advertisements through Google AdSense that help fund the Service and keep it free to use. Google may use data collected through advertising cookies to serve ads that are relevant to your interests. You can opt out of personalized advertising at any time (see Section 5).
  • Legal Compliance -- To comply with applicable laws, regulations, legal processes, or enforceable governmental requests, and to protect our rights, privacy, safety, or property.

Cookies and Tracking Technologies

Cookies are small text files placed on your device by websites you visit. They are widely used to make websites work efficiently, remember your preferences, and provide information to site operators. We and our third-party partners use cookies and similar technologies (such as web beacons and pixel tags) to provide, secure, and improve the Service.

Below is a breakdown of every cookie and tracking technology used on the Service.

Essential Cookies (First-Party, Strictly Necessary)

These cookies are strictly necessary for the Service to function correctly. They cannot be disabled without breaking core functionality. They do not collect information for marketing purposes.

  • Session Cookie (connect.sid) -- Maintains your login state and CSRF protection while you are signed in. This is an HttpOnly, Secure cookie that cannot be read by client-side JavaScript. It expires when your session ends or after a period of inactivity. It is regenerated on security-sensitive actions (login, password change) to prevent session fixation.
  • Preference Cookies -- Store your selected region, realm, game version, and display preferences (such as faction and sort order) so the Service remembers your choices across page loads. These are first-party cookies that do not leave your browser.

Advertising Cookies (Third-Party -- Google AdSense)

This site displays advertisements served by Google AdSense (publisher ID: ca-pub-6448200357413737). Google and its advertising partners use cookies (including the DoubleClick/IDE cookie, NID, and others), web beacons, and similar technologies to serve ads, measure their effectiveness, and personalize the advertising experience.

For full details on which advertising cookies are set, how personalized and non-personalized ads work, and how to opt out, see Section 5: Advertising.

Analytics (Third-Party -- Cloudflare Web Analytics)

We use Cloudflare Web Analytics to collect anonymized, aggregated usage statistics. Cloudflare Web Analytics is a privacy-first analytics tool that:

  • Does not use cookies or track individual users
  • Does not collect personally identifiable information
  • Collects only aggregated metrics such as page views, visit counts, and referrer data
  • Complies with GDPR, CCPA, and other privacy regulations by design
  • Does not follow users across websites or build advertising profiles

Managing Cookies

Most web browsers allow you to control cookies through their settings. You can typically find these in the "Options," "Settings," or "Preferences" menu of your browser. The following links may help you understand your options:

Please note that disabling essential cookies may prevent you from using core features of the Service, such as staying logged in or saving your preferences. Blocking advertising cookies will not remove ads but will cause you to see generic, non-personalized advertisements instead.

Advertising

The Service is provided free of charge. To cover operating costs (servers, databases, API fees, and development time), we display advertisements through Google AdSense. This section explains in detail how advertising works on our Service and what choices you have.

How Google AdSense Works

Google AdSense is a program run by Google LLC that allows website publishers to serve automatic text, image, video, and interactive media advertisements on their sites. When you visit a page on our site that contains ads:

  • Google's ad-serving technology loads on the page and requests an advertisement from Google's ad servers.
  • Google may read existing cookies on your browser or place new cookies to determine which ads to show you.
  • The ads you see may be based on the content of the page you are viewing (contextual targeting), your general geographic location, and -- if you have not opted out -- your browsing history across Google's advertising network (interest-based targeting).
  • Google collects data about ad impressions, clicks, and your interaction with ads. This data is used to measure ad performance, prevent fraud, and improve the advertising experience.

Personalized vs. Non-Personalized Ads

Personalized ads (also called interest-based ads) use data collected from your browsing activity across websites to show you advertisements that are likely to be relevant to your interests. Google builds an advertising profile based on the websites you visit, the apps you use, and other online activity.

Non-personalized ads are based solely on the content of the page you are currently viewing and your general geographic location. They do not use cookies for ad targeting, though they may still use cookies for frequency capping and ad fraud prevention.

If you are located in the European Economic Area (EEA) or the United Kingdom, Google will request your consent before serving personalized ads, in compliance with GDPR. You can change your consent choice at any time.

Your Advertising Choices

You have several options for controlling the ads you see on the Service:

  • Opt out of personalized ads via Google: Visit Google Ads Settings to control what information Google uses to show you personalized ads, or to turn off personalized ads entirely.
  • Opt out via industry programs: Visit the Digital Advertising Alliance (DAA) or the Network Advertising Initiative (NAI) to opt out of personalized ads from participating companies.
  • For EU/UK users: Visit Your Online Choices to manage your preferences for online behavioral advertising.
  • Browser settings: Configure your browser to block third-party cookies, which will prevent most personalized advertising tracking. See Section 4 for browser-specific instructions.

Third-Party Services

The Service integrates with the following third-party services. Each service operates under its own privacy policy, and we encourage you to review them to understand how your data may be processed by these parties. We only share the minimum data necessary for each service to function.

  • Google AdSense -- Provides display advertisements on the Service. Google may collect and use data (including cookies, device identifiers, and browsing activity) as described in the Google Privacy Policy. See also How Google Uses Information from Sites That Use Its Services.
  • Cloudflare -- Provides DNS, CDN (content delivery network), DDoS protection, and privacy-first web analytics. Cloudflare processes web traffic to protect and accelerate the Service but does not use this data for advertising. See the Cloudflare Privacy Policy.
  • Blizzard Battle.net API -- Used to retrieve World of Warcraft game data (item metadata, auction house listings, and pricing information) and for optional Battle.net account linking via OAuth2. When you link your Battle.net account, we receive a user identifier and basic profile information. We never receive your Battle.net password. See the Blizzard Privacy Policy.
  • Resend -- Used for transactional email delivery (password resets, account verification, and security notifications). Your email address is shared with Resend solely for email delivery purposes. See the Resend Privacy Policy.
  • Railway -- Our application hosting provider. Railway hosts the servers and databases that run the Service. Data stored on Railway is subject to the Railway Privacy Policy.

Data Sharing

Here is exactly how your data may be shared:

  • Google AdSense -- Anonymized and aggregated data (such as browsing patterns and ad interaction metrics) is shared with Google for the purpose of serving and optimizing advertisements. Google does not receive your username, email address, or password.
  • Cloudflare -- Aggregated, non-identifiable analytics data is processed by Cloudflare. No personal information is shared.
  • Blizzard -- If you link your Battle.net account, authentication tokens are exchanged with Blizzard's OAuth2 service. We do not share any other account data with Blizzard.
  • Email Provider -- Your email address is shared with our transactional email provider (Resend) solely for the purpose of delivering account-related emails. Resend does not use your email address for marketing.
  • Hosting Provider -- Your data is stored on servers operated by Railway (our hosting provider). Railway processes data as a data processor on our behalf and is contractually prohibited from using your data for their own purposes.
  • Legal Requirements -- We may disclose your personal information if required to do so by law, or if we believe in good faith that such action is necessary to comply with a legal obligation, protect and defend our rights or property, prevent fraud, or protect the personal safety of users or the public.
  • Business Transfer -- In the event of a merger, acquisition, reorganization, bankruptcy, or other similar event, your personal information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your personal information.

Data Retention

We retain your data only for as long as necessary to fulfill the purposes described in this Privacy Policy. Below is a detailed breakdown of retention periods for each category of data:

  • Account Data -- Your email address, username, and hashed password are retained for as long as your account is active. If you delete your account, this data is permanently and irreversibly removed from our database. Account deletion is processed immediately upon request.
  • Battle.net Link -- Battle.net identifiers and basic profile information are retained while the link is active. Unlinking your Battle.net account or deleting your account removes this data immediately. OAuth2 access tokens are not stored long-term.
  • User Preferences -- Favorites, price alerts, watchlists, and display preferences are retained while your account is active and permanently deleted upon account deletion. These preferences cannot be recovered after deletion.
  • Usage and Analytics Data -- Anonymized, aggregated analytics data (collected via Cloudflare Web Analytics) may be retained indefinitely as it cannot be traced back to individual users and contains no personally identifiable information.
  • Security Logs -- Hashed IP addresses (HMAC-SHA-256 with a server-side salt) and security audit logs (login attempts, rate limit violations, suspicious activity) are retained for up to 90 days to detect and investigate abuse, after which they are automatically purged.
  • Session Data -- Login session cookies expire after a period of inactivity or when you explicitly log out. Session data is persisted to the PostgreSQL database and may survive application restarts until the session expires or you log out. Expired sessions are automatically pruned.
  • Game Data -- Auction House price data, item metadata, and market statistics are retained for up to 365 days (one year) for historical analysis purposes. This data is sourced from public APIs and does not contain personal information. Older data is automatically purged through database retention policies.
  • Advertising Data -- Advertising cookies placed by Google AdSense have their own retention periods determined by Google (typically 13 months for advertising cookies). We do not control the retention of data collected directly by Google. You can manage or delete these cookies through your browser settings or through Google Ads Settings.

Data Security

Your personal information is protected by the following measures:

Technical Safeguards

  • Encryption in Transit -- All connections to the Service are encrypted using HTTPS/TLS. Unencrypted HTTP requests are automatically redirected to HTTPS.
  • Password Hashing -- User passwords are hashed using bcrypt, an adaptive hashing algorithm specifically designed to resist brute-force and rainbow table attacks. Passwords are never stored in plaintext.
  • Session Security -- Login sessions use secure, HttpOnly cookies with CSRF (Cross-Site Request Forgery) protection. Sessions are regenerated on authentication state changes (login, password change, email change) to prevent session fixation attacks.
  • IP Anonymization -- IP addresses stored for security auditing are hashed using HMAC-SHA-256 with a server-side salt before storage. The salted one-way hash ensures they cannot be reversed to identify individuals, even with knowledge of the hashing algorithm.
  • Rate Limiting -- API endpoints and authentication routes are protected by rate limiting to prevent brute-force attacks and abuse.

Operational Safeguards

  • Database Security -- All data is stored in encrypted databases hosted on secure infrastructure with strict access controls. Only essential systems have access to production data.
  • Account Lockout -- Repeated failed login attempts trigger temporary account lockouts to protect against credential stuffing attacks.
  • Credential Sanitization -- API keys, tokens, and sensitive credentials are scrubbed from error logs and diagnostic output to prevent accidental exposure.

Automated Decision-Making

We use automated processing for the following limited purposes:

  • Rate Limiting and Abuse Detection -- Automated systems monitor request patterns to detect and block abusive behavior (such as scraping or brute-force attacks). These systems may temporarily restrict access based on detected patterns.
  • Account Lockout -- Automated systems temporarily lock accounts after repeated failed login attempts. This is a security measure and does not involve profiling.

We do not use automated decision-making or profiling that produces legal or similarly significant effects on you. Google AdSense may use automated processes to select which ads to display, but this does not affect your access to or use of the Service.

Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Right of Access -- You may request a copy of the personal data we hold about you. Contact us using the details in Section 15.
  • Right to Rectification -- You can update your email address, username, and password at any time through your account settings.
  • Right to Deletion -- You can delete your account at any time through your account settings or by contacting us. Account deletion permanently removes all personal data associated with your account.
  • Right to Opt Out of Personalized Ads -- You can opt out of Google's personalized advertising at any time by visiting Google Ads Settings. You may also configure your browser to reject third-party cookies.
  • Right to Data Portability -- You may request an export of your personal data in a machine-readable format. Contact us using the details in Section 15.
  • Right to Withdraw Consent -- Where we rely on your consent for data processing (such as optional Battle.net linking or personalized advertising), you may withdraw that consent at any time by unlinking your Battle.net account, opting out of personalized ads, or deleting your account.
  • Right to Manage Cookies -- You can manage, disable, or delete cookies at any time through your browser settings. You can also opt out of personalized advertising through the links provided in Section 5 (Advertising). See Section 4 for browser-specific cookie management instructions.

To exercise any of these rights, please contact us at [email protected]. We will respond to all requests within 30 days.

Children's Privacy

The Service is not directed at children under the age of 13. We do not knowingly collect, use, or disclose personal information from children under 13 years of age, in compliance with the United States Children's Online Privacy Protection Act (COPPA) and similar laws in other jurisdictions.

We do not knowingly serve personalized advertisements to children under 13. Google AdSense is configured to comply with COPPA requirements, and we do not knowingly allow children under 13 to create accounts on the Service.

If we become aware that we have inadvertently collected personal information from a child under 13, we will take immediate steps to delete that information from our systems and terminate the associated account. If you are a parent or guardian and believe that your child under 13 has provided us with personal information, please contact us immediately at [email protected] so we can investigate and take appropriate action.

Users between the ages of 13 and 18 may use the Service with the consent of a parent or legal guardian, as outlined in our Terms of Service. Parents or guardians of users between 13 and 18 may contact us to request access to, correction of, or deletion of their child's personal information.

International Privacy Rights

European Economic Area (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR). Our legal basis for processing your personal data depends on the type of data and how we use it:

  • Contractual Necessity -- Processing required to provide the Service you requested (account creation, authentication, service delivery).
  • Legitimate Interest -- Processing for security monitoring, fraud prevention, service improvement, and analytics, where our interests do not override your fundamental rights.
  • Consent -- Processing based on your explicit consent, such as optional Battle.net account linking or personalized advertising via Google AdSense. You may withdraw consent at any time.

Under the GDPR, you have the right to access, rectify, erase, restrict processing of, and port your personal data. You also have the right to object to processing and to lodge a complaint with your local data protection authority. To exercise these rights, contact us at [email protected].

California Residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with specific rights regarding your personal information:

  • Right to Know -- You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, the business purposes for collecting it, and the categories of third parties with whom we share it.
  • Right to Delete -- You have the right to request deletion of your personal information, subject to certain legal exceptions.
  • Right to Opt Out of Sale -- We do not sell your personal information as defined by the CCPA. However, certain advertising activities (such as personalized ads served by Google AdSense) may constitute a "sale" or "sharing" under CCPA definitions. You can opt out of personalized advertising by visiting Google Ads Settings.
  • Right to Non-Discrimination -- We will not discriminate against you for exercising any of your CCPA rights.

To submit a CCPA request, contact us at [email protected]. We will verify your identity before processing any request and respond within 45 days.

Do Not Track Signals

Some web browsers transmit "Do Not Track" (DNT) signals to the websites you visit. There is currently no universally accepted standard for how websites should respond to DNT signals.

We do not currently alter our data collection or use practices in response to DNT signals. However, you can exercise control over your privacy using the tools and options described throughout this Privacy Policy, including opting out of personalized advertising (see Section 5), managing cookies through your browser settings (see Section 4), and exercising your data rights (see Section 10).

If a universal standard for DNT signals is adopted in the future, we will update this policy to describe how we respond.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or the third-party services we use. When we make changes:

  • The "Last Updated" date at the top of this page will be revised.
  • The version number will be incremented.
  • For material changes that significantly affect how we collect, use, or share your data, we will make reasonable efforts to notify registered users via email or through a prominent notice on the Service at least 30 days before the changes take effect.
  • The previous version of this Privacy Policy will remain accessible for reference upon request.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of the updated policy. If you do not agree with the revised policy, you must stop using the Service and may request deletion of your account and personal data.

Contact

If you have questions, concerns, or requests regarding this Privacy Policy, your personal data, or our privacy practices, contact us at the addresses below.

Response Times: We aim to acknowledge all privacy-related inquiries within 5 business days and to provide a substantive response within 30 days. For data subject requests under GDPR, we will respond within 30 days as required. For CCPA requests, we will respond within 45 days. If we need additional time, we will notify you of the extension and the reason.

If you are not satisfied with our response or believe we are processing your personal data in violation of applicable law, you have the right to lodge a complaint with your local data protection supervisory authority.