Skip to content
Volume72,905,972.82updated

Privacy Policy

Effective July 13, 2026, under Commonwealth of Redmont law.

This Privacy Policy explains what information GnomeStats collects, why, and your rights over it, in line with the Commonwealth of Redmont Privacy Act. GnomeStats is a read-only market site built to need almost nothing about you: browsing is anonymous, sign-in is optional, and we never require real-life information about you, including an email address.

1. We never require real-life information

Under Privacy Act s8 we do not require, and ask you not to provide, real-life personal information such as your legal name, age, address, phone number, email address, or images. Sign-in runs through Discord requesting only the basic profile: your Discord account id, username, and avatar. The sign-in scope deliberately excludes your email, so Discord never shows it to us. And where a player has posted real-life information publicly, the Privacy Act says that is no licence to republish it; we do not, anywhere on the site.

2. Browsing: we collect nothing

A signed-out page view writes nothing about you. GnomeStats runs no analytics, no tracking pixels, no fingerprinting, and no advertising trackers, and the application keeps no log of who requested which page. Rate limiting briefly holds client network addresses in server memory, for about two minutes, and never writes them to disk. Our host, Railway, carries your traffic like any hosting platform and keeps its own logs at the network edge; those never reach the application.

A watchlist kept while signed out lives in your own browser's storage. It reaches our servers only if you sign in, when it merges into your account and the local copy clears.

3. If you sign in

  • Account: your Discord account id, username, and avatar, and the role we assign you.
  • Sign-in plumbing: the technical tokens Discord issues during sign-in, and a session record that stops being valid after about a month, or when you sign out.
  • Watchlist: the items, shops, players, and firms you watch, the labels and price thresholds on your alerts, and the bookkeeping that stops an alert firing twice.
  • Webhook: if you add one, the Discord webhook URL you supplied. It is stored so alerts can be delivered, never written to our logs, and cleared the moment you remove it.

4. If you hold an API key

API keys are granted individually by an admin; there is no public signup. For a key holder we keep the key record itself (a hash of the secret plus its last four characters for display, never the full secret), daily request counts, and the time and IP address of the key's most recent use. That last-used address is the only IP address GnomeStats stores anywhere. Grant and revocation records are kept after revocation, for audit.

5. The market data we publish about players

The subject of the site is the public market, and that market names its participants. From the public Treasury API we mirror shop signs and their owners (in-game name and UUID), firm names, shop coordinates, prices, batch sizes, and stock, and we keep the history of how those change. This is information anyone on the server can read from the API or from the signs themselves, and the Privacy Act excludes freely public information and statistics-page displays from protected personal information (s4(2)). Price and stock history is kept permanently; history is what the site is for.

Labels such as casino, inactive, and off-market are computed from that public data by the methods on our Methodology page, with hand corrections where review shows the computation misread a shop; the Methodology page discloses both the tests and the override. We show no account balances and no per-person earnings: the public API does not carry them, and we ingest public sources only. If you want a listing about your shop corrected or reviewed, contact us through Discord; we correct genuine errors and review reasonable requests, whether or not the Act obliges us to.

6. Cookies

GnomeStats sets cookies only for sign-in: a session cookie (readable by the server only, expiring after about a month), a request-forgery guard, and short-lived cookies that exist just for the Discord handshake. GnomeStats itself sets no advertising or analytics cookies; the one cookie an ad frame may set is described in section 7.

7. Advertising

Pages may carry banner slots served by GnomeAds on GnomePay, our sibling service. When a banner loads, your browser fetches it from gnomepay.org directly, so GnomePay receives what any embedded image implies: your IP address and browser details, plus your timezone, which we pass so advertisers can schedule by time of day. We send nothing else, and the frame learns which site and slot it sits in, never which page you are reading. The frame may set its own cookie on gnomepay.org to cap how often you see the same ad; GnomeAds is designed without cross-site tracking, and that cookie is not used to identify you elsewhere. When ad slots are switched off, no request to GnomePay happens at all.

8. When we share information

  • Discord: the alerts you arm are posted to the webhook you chose, so their content (item and shop names, prices, thresholds, watched-seller activity) necessarily reaches Discord and that channel.
  • Railway: hosts the Service, so traffic passes through its platform.
  • GnomeCorp sibling services: can read the same public market mirror through a service API; no account data is reachable that way.
  • Authorities: we disclose information where Redmont law or DemocracyCraft server rules lawfully require it.

We do not sell personal information, and there is no analytics or data partner to share it with.

9. Why we use it (lawful bases)

We process your information on the lawful bases in Privacy Act s9: to perform our contract with you (running your account, watchlist, and alert delivery), with your consent (the webhook you chose to add), and for our legitimate interests (keeping the Service secure, rate-limited, and auditable, including the API key usage records in section 4).

10. Retention and deletion

  • Watches, alerts, and your webhook: kept until you remove them, which you can do yourself at any time.
  • Sessions: stop working after about a month or when you sign out; signing out removes the record at once, and a scheduled sweep deletes expired records within a day or two.
  • Your account: kept while you use it. Ask us on Discord and we will delete it, along with everything attached: watches, alerts, webhook, sessions, the Discord sign-in link, and any API keys you held with their usage counts.
  • API key records and usage counts: kept for audit and capacity planning while your account exists, including after a key is revoked.
  • The public market mirror: untouched by account deletion, because it never referenced your account in the first place. Its history is permanent, as section 5 explains.

11. Your rights

Under Privacy Act s6 you may be informed about how your information is handled (this Policy), access the information we hold about you, have it corrected, ask us to delete it as set out above, withdraw consent (clear your webhook, remove watches, or stop signing in), and make a complaint. Where a breach of the Act causes you quantifiable loss or harm, it lets you seek damages through civil proceedings in the Redmont courts. To exercise any of these, contact us through the Discord link below; we honour these channels for everyone who asks, whether or not the Act obliges us to in your case.

12. Security, changes, and contact

The sign-in cookie is readable by the server only. API secrets are stored as hashes and shown once, at grant. Webhook URLs are excluded from logs. The Discord scope we request is the smallest that identifies you, and access to stored data is limited to the admins who operate the Service. We may update this Policy; the current version lives at this address with its effective date, and we will note material changes on the site.

This Policy pairs with the Terms of Use. To ask about your information, or to exercise any right above, reach us on the estate Discord.