Privacy Policy
This Privacy Policy explains how PlayerAnalytics, LLC, an Ohio limited liability company ("PlayerAnalytics," "we," "us," or "our"), collects, uses, shares, and protects information when you use our website at playeranalytics.org, our dashboard, our API, our Discord bot, and our Rust server plugin (collectively, the "Service").
By using the Service, you agree to the practices described here. If you do not agree, do not use the Service. This Policy is incorporated into our Terms of Service.
playeranalytics.org/s/<server-slug> that displays your in-game display name, Steam avatar, gameplay statistics, and (if you linked it) Discord username to anyone with the link — no account required. These pages are indexable by search engines and shareable on Discord and social media. Your raw Steam ID is never shown on public pages or to player-tier accounts — only the server owner and their invited admins can see Steam IDs. See Section 5.2 below for the full list.
1. Who This Policy Covers
PlayerAnalytics is used by two distinct groups, and we collect different information about each:
- Account Holders — Rust server owners and the team members they invite. Account Holders register on our website to view dashboards and manage billing.
- Rust Players — players on Rust game servers that have installed our plugin. Players generally do not register with us directly; their in-game activity is reported to us by the server they play on. A Player may optionally link a Discord account to a Steam identity through our /link flow.
If you are a Rust Player and you have questions about data collected from a specific server, the server owner is the controller of that data and is your first point of contact. We act as a processor on the owner's behalf when handling player gameplay data. See Section 11 ("Your Rights and Choices").
2. Information We Collect
2.1 Information You Provide When You Create an Account
When you register as an Account Holder we collect:
- Email address
- Password — stored only as a PBKDF2-SHA-256 hash with a per-account random salt. We never store passwords in clear text.
- Display name and profile fields you optionally provide.
2.2 Information from Server Owners
When you connect a Rust server to PlayerAnalytics we store:
- The server name you choose
- A server API key (stored as a SHA-256 hash; the plaintext key is shown to you once at creation)
- The timestamp the server was created and last seen reporting
2.3 Information Reported by the Rust Server Plugin
Once installed on a server, our plugin pushes the following to our API. This data is associated with the server's API key, not with any PlayerAnalytics account belonging to the player:
- Steam ID of each player on the server
- In-game display name as shown by the Rust server
- First seen / last seen timestamps
- Play sessions — join time, leave time, duration, and a quit-reason code (e.g. normal disconnect, kicked, rage-quit heuristic)
- Deaths — killer Steam ID (if any), weapon, cause, world X/Z coordinates, PvP/NPC flags, rage-quit flag
- Activity events — gathering, building, crafting, looting, and farming events with item names and quantities
- Server-wide events — wipe markers, raids detected, helicopter/bradley fights, and other server-level occurrences (no specific player attached)
- Oxide/Carbon group memberships ("VIP groups") configured by the server owner for VIP-badge display
- SkillTree level and Mercenary rank (high-water marks pulled from compatible Rust plugins, if installed)
- Aggregated server statistics — totals, retention curves, average session length, play-style category counts, current FPS
2.4 Information from Discord Linking (Optional)
If a Player chooses to link their Discord account via our /link OAuth flow we receive from Discord and store:
- Discord user ID
- Discord username
We do not receive your Discord email or password. The link is per-server and can be revoked at any time by re-running /unlink in the bot, or by the server owner from the dashboard.
2.5 Information from Steam
We may call the public Steam Web API to retrieve a player's public profile data (display name, avatar URL) using the player's Steam ID. We do not receive your Steam password or any private Steam data. Use of the Steam Web API is subject to Valve's privacy practices.
2.6 Billing Information
Payments are processed by Stripe, Inc. We receive from Stripe and store: your Stripe customer ID, subscription ID and status, subscription item ID, trial end date, and current period end date. We do not receive or store your full payment-card number, CVC, or bank-account number — Stripe holds these directly.
2.7 Information Collected Automatically
When you access the Service, we and our infrastructure provider receive standard server-log information:
- IP address, user-agent, referrer, and request metadata (used for security, abuse prevention, and rate limiting)
- A first-party session cookie (session) used to keep you signed in. This cookie holds an opaque random session ID; the corresponding session record is stored in our database with an expiration timestamp.
We do not use third-party analytics or advertising trackers. We do not sell or share your information with advertising networks.
2.8 Short-Lived Tokens
For the Discord-linking flow and similar in-game flows we issue short-lived tokens (stored as SHA-256 hashes) that expire within minutes of issuance.
3. How We Use Information
We use the information we collect to:
- Provide the Service — render dashboards, leaderboards, Wipe Summaries, Head-to-Head comparisons, custom achievements, Discord webhooks, and related features.
- Authenticate users — verify passwords, maintain sessions, and authenticate the plugin's pushes via API keys.
- Process payments — manage subscriptions, sync per-server billing quantity with Stripe, send invoices, and recover failed payments.
- Communicate with you — send transactional emails (account verification, password resets, billing notices) from noreply@playeranalytics.org. We do not send marketing email.
- Protect the Service — detect abuse, fraud, scraping, and security incidents.
- Improve the Service — diagnose bugs, monitor performance, and improve analytics algorithms.
- Comply with law — respond to lawful requests and enforce our Terms.
4. Legal Bases for Processing (GDPR / UK GDPR)
If you are in the EEA or UK, we process your information under one or more of these legal bases:
- Contract — to provide the Service you (or the server owner) requested.
- Legitimate interests — operating, securing, and improving the Service, and pursuing limited business communications, where these interests are not overridden by your rights.
- Legal obligation — tax, accounting, and lawful-request compliance.
- Consent — where we ask for it (e.g. when you link a Discord account).
You may withdraw consent at any time without affecting the lawfulness of prior processing.
5. How We Share Information
We do not sell personal information. We share information only as follows:
5.1 With Server Owners and Their Invited Admins
A server owner, and the admin-tier members they invite, can see all gameplay data reported to them by their server — this includes Steam IDs, display names, sessions, deaths (with map coordinates), activity events, linked Discord IDs, and any other data described in Section 2.3 / 2.4. If you play on a server connected to PlayerAnalytics, the server's owner and their admins can see your activity on their server through our dashboard.
Server owners may also invite player-tier accounts. Player-tier accounts see a restricted view that mirrors the public page (see Section 5.2): raw Steam IDs of other players are not exposed to player-tier accounts, and certain admin-only data (such as map-coordinate detail) is hidden or aggregated.
5.2 Public Server Pages and Public Profiles
Every Rust server connected to PlayerAnalytics has a public landing page at https://playeranalytics.org/s/<server-slug>. These pages are publicly accessible to anyone with the URL — no account required — and are designed to be shared on Discord, social media, and search engines.
Content visible on a server's public page typically includes, for every player who has played on that server:
- Steam display name and Steam avatar
- First seen / last seen timestamps and total play time
- Per-player statistics, leaderboard rank, and play-style category
- Linked Discord username (if the player linked their account)
- VIP-group badges configured by the server owner
- SkillTree level and Mercenary rank (if reported by compatible plugins)
- Server-wide content — wipe schedule, server reviews, and server-level events
The public-page content is intentionally indexable by search engines (Google, Bing, etc.) and appears in social-media share cards (Discord, Twitter/X, Facebook). If you play on a server connected to PlayerAnalytics, treat the information listed above as public. If you want a stat or your Discord link removed, contact the server owner first; if you cannot reach them, contact us at legal@playeranalytics.org.
5.3 Service Providers ("Subprocessors")
We share information with the providers we depend on to run the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Cloudflare, Inc. | Hosting, edge network, D1 database, R2 object storage, Workers runtime, DDoS protection | All Service data |
| Stripe, Inc. | Payment processing, subscription management, customer portal | Email, billing info |
| Discord Inc. | OAuth for Steam↔Discord linking; bot interactions | Discord user ID / username |
| Valve Corporation (Steam) | Public Steam Web API lookups | Steam IDs we query |
| Resend (Resend, Inc.) | Transactional email delivery from noreply@playeranalytics.org (account verification, password resets, billing notices) | Email address, message content |
Each provider processes data under its own privacy and security terms.
5.4 Legal and Safety
We may disclose information if we believe in good faith that disclosure is necessary to (a) comply with applicable law, legal process, or government request; (b) enforce our Terms; (c) protect the rights, property, or safety of PlayerAnalytics, our users, or others; or (d) investigate fraud or abuse.
5.5 Business Transfers
If PlayerAnalytics is involved in a merger, acquisition, financing, reorganization, or sale of assets, information may be transferred as part of that transaction. We will notify Account Holders of any such transfer and any choices they may have.
6. Data Storage and Location
Our infrastructure runs on Cloudflare's global edge network. Personal data may be stored and processed in multiple regions, including the United States and the European Union. Cloudflare D1 currently stores primary data in a single chosen region with read-replicas elsewhere.
By using the Service, you understand that your information may be transferred to and processed in countries other than your own. Where required, we rely on Standard Contractual Clauses and other lawful transfer mechanisms made available by our subprocessors.
7. Data Retention
We keep your information for as long as it is needed to provide the Service and for legitimate business or legal reasons, generally as follows:
- Account records — retained while your account is active. After account deletion, residual records may be kept for up to 90 days for backups, audit, and abuse-prevention purposes, then deleted or anonymized.
- Subscription / billing records — retained as required by tax and accounting law (typically 7 years).
- Gameplay data reported by the plugin — retained for the lifetime of the connected server. When a server is removed by its owner, the associated player-identifying data (Steam ID-keyed rows) is purged, although aggregate statistics may persist.
- Login sessions — expire automatically (typically within days) and are deleted on expiry.
- Short-lived linking tokens — expire within minutes and are deleted on expiry or use.
- Discord link records — kept until the player or owner removes the link; an unlinked_at timestamp is then set and the record may be deleted on cleanup.
- Server logs — short retention windows set by our infrastructure provider; typically 30 days or less.
A scheduled job runs daily at 04:00 UTC to purge churned subscriptions and other expired records.
8. Security
We protect information using technical and organizational measures including:
- HTTPS/TLS for all traffic to and from the Service
- PBKDF2-SHA-256 password hashing with per-account salts; legacy hashes are upgraded on next login
- SHA-256 hashing of server API keys and short-lived tokens — only the hash is stored
- Stripe webhook signature verification for billing events
- Strict server-side authorization — owners can only see data for their servers; members can only see servers they were invited to
- Constant-time comparison for credential and signature checks
- Cloudflare's DDoS protection, WAF, and rate limiting at the network edge
- Principle of least privilege for environment secrets
No security system is perfect. If we learn of a security incident affecting your information, we will notify you and the appropriate authorities as required by law.
9. Cookies
We use a single first-party cookie:
session — an opaque session identifier set after you log in to the dashboard. HTTP-only, Secure, and SameSite=Strict. Required to keep you signed in. Deleting it logs you out.
We do not use advertising cookies, analytics cookies, or third-party tracking cookies. Discord and Stripe may set their own cookies on their domains when you use their flows (OAuth, billing portal) — those cookies are governed by their respective policies.
10. Children's Privacy
The Service is not directed to children under 13 and we do not knowingly collect personal information from children under 13. Server owners who allow children on their Rust servers are responsible for any age-related disclosures and consents required by applicable law. If you believe a child has provided information to us, contact legal@playeranalytics.org and we will delete it.
11. Your Rights and Choices
Depending on where you live, you may have the following rights regarding your personal information:
- Access — request a copy of the information we hold about you.
- Correction — ask us to correct inaccurate information.
- Deletion — ask us to delete your information (subject to retention obligations).
- Restriction / Objection — ask us to stop or limit certain processing.
- Portability — receive your information in a portable format.
- Withdraw consent — for processing based on consent.
- Non-discrimination — we will not penalize you for exercising your rights.
How to Exercise Your Rights
- Account Holders can update most information from the dashboard, change their email/password, and delete their account directly from the dashboard.
- Rust Players generally do not have direct accounts with us. Because gameplay data is collected and controlled by the server owner, your first step is to contact the owner of the server you play on. If you cannot reach the owner, or if you need help with a Discord-link record, email legal@playeranalytics.org with your Steam ID (and Discord ID, if relevant) and a description of your request, and we will assist.
We may need to verify your identity before fulfilling a request and may decline requests as permitted by law (for example, where we have a legal obligation to retain the data).
California Residents (CCPA / CPRA)
We do not "sell" or "share" personal information as defined by the CCPA/CPRA. California residents have the rights described above and may designate an authorized agent to act on their behalf.
EU / UK Residents (GDPR / UK GDPR)
You may lodge a complaint with your local data-protection authority. We will respond to verifiable requests within statutory time limits.
12. Do Not Track
Our website does not respond to "Do Not Track" browser signals because there is no consistent industry standard for how to do so. We do not use third-party tracking that would be affected by a DNT signal.
13. Third-Party Links and Services
The Service may contain links to third-party sites (Discord invite links, Steam profile pages, Stripe-hosted billing portal, R2-hosted images, etc.). We are not responsible for the privacy practices of those sites. Review their policies before providing information.
14. Changes to This Policy
We may update this Policy from time to time. The "Last Updated" date at the top reflects the most recent change. If a change is material, we will provide reasonable advance notice (for example, by email to Account Holders or via an in-dashboard notice). Your continued use of the Service after the effective date of an updated Policy constitutes acceptance of the change.
15. Contact
Questions, requests, or complaints about this Privacy Policy or our data practices should be sent to: