Privacy Policy
Last updated: 2026-05-22
This Privacy Policy explains what personal data we process when you use AzerothAuctions, why we process it, who we share it with, and the rights you have. It is written to comply with the European Union General Data Protection Regulation (“GDPR”) and applicable national data-protection law.
Short version
AzerothAuctions has no user accounts, no logins, no passwords, no payments, and no advertising trackers. We do not collect names, addresses, phone numbers, or any sensitive data. Your IP address is briefly visible in server logs and to Cloudflare for security and rate-limiting; aggregated, anonymous pageview statistics are collected via our self-hosted Umami instance without setting any tracking cookies. Item favourites and user preferences are stored only in your own browser (localStorage), never on our servers.
1. Who is the controller?
The controller responsible for processing your personal data within the meaning of Art. 4(7) GDPR is the operator of this Service. For the full operator identity and postal address, see the Imprint. For any privacy question or to exercise the rights described in section 9, write to [email protected].
Based on the limited scope and nature of the personal-data processing involved in operating this read-only public service, we are not required to appoint a Data Protection Officer under Art. 37 GDPR or § 38 BDSG.
2. What personal data we process
We deliberately keep personal-data processing to the minimum that is technically necessary to operate a public, read-only data service.
2.1 When you visit the website or call the API
When you load a page on azerothauctions.com or send a request to api.azerothauctions.com, the following data is processed automatically:
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| IP address (IPv4 or IPv6) | Delivering the response, rate limiting, abuse prevention, security | Art. 6(1)(f) GDPR — legitimate interest in operating and securing the Service | In server logs: no longer than 7 days, except where required to investigate a documented security incident. In the Redis abuse-prevention bucket: seconds (sliding window of approx. 60 s). |
| HTTP request metadata (method, URL path, status, timing, referrer, user-agent, request ID) | Operating, debugging, and securing the Service | Art. 6(1)(f) GDPR | Short-lived server logs (see above). |
| API key fingerprint and usage timestamp (only if you call the API with a key) | Authenticating the request, enforcing per-key rate limits | Art. 6(1)(b) GDPR — performance of the API-access agreement | Until you ask us to revoke the key or it is revoked for breach of the Terms. We store only a SHA-256 hash of the key, never the key itself. |
The website does not require you to register, log in, or provide any personal data to use it. We do not ask for your name, postal address, telephone number, date of birth, payment data, biometric data, or any other identifier beyond what is in this section.
2.2 Cookies and local browser storage
We do not use any tracking, advertising, or cross-site cookies. Specifically:
| Type | Name(s) | Purpose | Lifetime |
|---|---|---|---|
| Strictly necessary preference cookie | aa-scope | Remembers your selected region/realm so that visiting the root path (/) redirects you to your last-used view. | 1 year |
| Strictly necessary preference cookie | aa-locale | Remembers the language you chose so the UI is rendered in that language on your next visit. | 1 year |
| Browser localStorage | aa-prefs, aa.favorites.v3, aa.recent-items, aa.recently_viewed, aa.snipe.v1, aa.realms.collapse-cr.v1 | UI preferences, favourites, recently-viewed items, private sniping lists, minor view toggles. This data never leaves your browser. | Until you clear browser storage. |
These cookies and localStorage keys are strictly necessary to remember your preferences. We rely on Art. 6(1)(f) GDPR (legitimate interest) and the equivalent national e-privacy provisions that exempt strictly necessary first-party preference cookies from prior consent. We do not set any cookie that requires consent under § 25 TDDDG / Art. 5(3) ePrivacy Directive.
2.3 Analytics (Umami)
To understand which features are used and to detect breakages, we run a self-hosted instance of Umami on umami.azerothauctions.com, on the same dedicated server as the rest of the Service. Umami:
- does not set cookies;
- does not track users across sites;
- does not create persistent user identifiers;
- stores aggregated pageview counts and a small set of custom UI-interaction events along with a coarse, anonymised hash that resets daily and cannot be linked to a specific person.
For custom events we deliberately strip identifying content:
- search events transmit only the length of the search query, not the query text;
- item events transmit only the public Blizzard item ID;
- realm events transmit only the public realm slug;
- filter events transmit only the names of the facets activated, never the chosen values;
- share events transmit only the count of items in a share link, never the item IDs;
- favourite events transmit the public item ID and whether the item was added or removed;
- favourite-group and PBS-snipe-list events transmit only an opaque, randomly-generated UUID, never the user-chosen name;
- rename events for groups and lists carry an empty payload — only the fact that a rename happened;
- threshold-change events on PBS-snipe entries carry only the strategy kind, never the gold amount;
- bulk-flow events carry aggregate counts only — a 1000-item paste is one event, not 1000;
- no free-text content you type into the Service is ever transmitted to the analytics layer.
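The reductions listed above, written out as an added example rather than the Service's own code: a small sanitiser that rebuilds each analytics payload from scratch according to a per-event rule, so anything the rule does not mention (search text, group names, gold amounts, pasted items) never reaches the analytics layer. Event names, field names and the sample events are constructed assumptions for illustration; unknown events and malformed payloads are dropped rather than forwarded.

```python
import uuid
from typing import Callable, Optional

# One reduction rule per event kind (event and field names are assumptions).
# Each rule constructs the forwarded payload from scratch, so any raw field it
# does not name, including free text, is dropped by construction.
def _search(d):    return {"query_length": len(str(d.get("query", "")))}   # length only
def _item(d):      return {"item_id": int(d["item_id"])}                    # public item ID
def _realm(d):     return {"realm_slug": str(d["realm_slug"])}              # public slug
def _filter(d):    return {"facets": sorted(d.get("facets", {}))}           # facet names, not values
def _share(d):     return {"item_count": len(d.get("item_ids", []))}        # count, not IDs
def _favourite(d):
    action = d["action"]
    if action not in ("added", "removed"):
        raise ValueError(action)
    return {"item_id": int(d["item_id"]), "action": action}
def _group(d):     return {"group_id": str(uuid.UUID(d["group_id"]))}       # validates UUID, drops the name
def _rename(d):    return {}                                                 # only the fact of a rename
def _threshold(d): return {"strategy": str(d["strategy"])}                  # strategy kind, not gold
def _bulk(d):      return {"count": len(d.get("items", []))}                # one event per paste

RULES: dict[str, Callable[[dict], dict]] = {
    "search": _search, "item_view": _item, "realm_view": _realm,
    "filter_change": _filter, "share_link": _share, "favourite_toggle": _favourite,
    "favourite_group": _group, "snipe_list": _group, "rename": _rename,
    "threshold_change": _threshold, "bulk_paste": _bulk,
}


def sanitise(event: dict) -> Optional[dict]:
    """Return the minimal payload to forward, or None to drop the event."""
    rule = RULES.get(event.get("name"))
    if rule is None:
        return None                         # unknown event kind: fail closed
    try:
        data = rule(event.get("data") or {})
    except (KeyError, ValueError, TypeError):
        return None                         # malformed payload: drop, never forward raw
    return {"name": event["name"], "data": data}


if __name__ == "__main__":
    # Constructed sample events, as a client might emit them.
    samples = [
        {"name": "search", "data": {"query": "shadowmourne"}},
        {"name": "favourite_group", "data": {"group_id": str(uuid.uuid4()), "name": "my private list"}},
        {"name": "threshold_change", "data": {"strategy": "below_market", "gold": 12500}},
        {"name": "debug_dump", "data": {"everything": "..."}},
    ]
    for s in samples:
        print(s["name"], "->", sanitise(s))
```

The design point is that the allow-list is expressed as constructors, not as a list of fields to delete: a new client-side field cannot leak by being forgotten, and an event kind nobody has written a rule for is discarded instead of passed through.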
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in measuring, in aggregate, how the Service is used). Because Umami runs on our own server, sets no cookies, creates no persistent identifier, and never shares data with third parties, the access to terminal-equipment information stays within the technical-necessity exemption of § 25 (2) Nr. 2 TDDDG.
2.4 Error monitoring and operational metrics
We do not operate any third-party error-tracking service (Sentry, GlitchTip, Bugsnag, or similar). Software defects surface only through plain server logs (Pino → standard output, captured by the application container) and through the aggregated Umami events described in section 2.3. No client-side stack traces, breadcrumbs, or error reports are sent off-device.
For service health we additionally run a self-hosted Prometheus instance plus a self-hosted Grafana dashboard at grafana.azerothauctions.com, both on the same dedicated server. They collect only aggregated, non-personal time-series counters — request rates per HTTP route template, request latency histograms, status-code counts, Blizzard API call counts, auction-cycle duration, and process-level statistics. They do not record IP addresses, API keys, request bodies, response bodies, or any other identifier that could be linked to a person. Retention is capped at 14 days. Grafana itself is reachable only after logging in with operator credentials.
2.5 Hosting (OVH) and content delivery (Cloudflare)
The Service is hosted on a dedicated server provided by OVH GmbH (Oskar-Jäger-Straße 173/K6, 50825 Cologne, Germany) in an OVH data centre located within the European Union. Cloudflare, Inc. provides content delivery and protection against DDoS attacks. As part of routing requests, both providers temporarily process IP addresses and request metadata. They act as our processors under Art. 28 GDPR; we have appropriate Data Processing Agreements in place.
2.6 No automated decision-making, no profiling
We do not engage in any automated decision-making within the meaning of Art. 22 GDPR, and we do not build profiles of you.
2.7 No sensitive data
We do not knowingly process special categories of personal data (Art. 9 GDPR), nor data of children below the age of digital consent. Please do not transmit such data to us.
3. How we use your data
The data described above is used solely for:
- delivering the website and API responses you request;
- enforcing rate limits and protecting against abuse, fraud, scraping, and denial-of-service attacks;
- measuring aggregate usage to prioritise improvements;
- detecting and fixing software defects;
- complying with legal obligations to which we are subject.
We do not use your data for advertising, profiling, behavioural targeting, or sale to third parties. We do not currently sell, rent, or lease personal data — and we do not intend to.
4. Sources of data
All personal data we process originates from your direct interaction with the Service (HTTP requests). We do not buy, rent, or otherwise acquire personal data from third parties.
The auction-house and item data we display is not personal data — it is public game data sourced from Blizzard Entertainment’s Battle.net Web API and from public game-data dumps maintained by Wago.tools.
5. Recipients and processors
We share personal data only with the processors and service providers strictly necessary to operate the Service:
| Recipient | Role | Data they see | Country / transfer mechanism |
|---|---|---|---|
| OVH GmbH, Oskar-Jäger-Straße 173/K6, 50825 Cologne, Germany (HRB 122481; VAT ID DE245768940) | Hosting provider (dedicated server) | IP address, request metadata (only as part of network routing) | EU/EEA (OVH data centre located within the European Union) |
| Cloudflare, Inc. | CDN, DDoS protection, WAF | IP address, TLS fingerprint, request metadata | USA — EU-U.S. Data Privacy Framework adequacy decision (Cloudflare is DPF-certified); Standard Contractual Clauses as a fallback |
| Blizzard Entertainment, Inc. | Source of game data and item icons | Your IP when your browser fetches an item icon from render.worldofwarcraft.com. We do not transmit any other personal data to Blizzard. | USA — see Blizzard’s own privacy policy |
| Discord, Inc. (only if you click our Discord invite) | External community service | Whatever Discord collects when you visit their site | USA — see Discord’s own privacy policy |
We host Umami ourselves on the same OVH server, so analytics data is never sent to a third party.
We may disclose personal data to public authorities or courts where required by law, regulatory request, court order, or to protect our or others’ legal rights.
6. International transfers
Our primary infrastructure is located in the European Union. Cloudflare, Inc. is the only processor under our control that may process data outside the EU/EEA. Cloudflare is certified under the EU-U.S. Data Privacy Framework, so transfers to Cloudflare rely on the adequacy decision under Art. 45 GDPR as the primary transfer mechanism, supplemented by Standard Contractual Clauses under Art. 46(2)(c) GDPR as a fallback.
7. Retention
| Data | Retention |
|---|---|
| Server logs (IP, request metadata) | Short-lived. Logs rotate with the application container; in practice retained for less than 14 days, except where required to investigate a security incident. |
| Redis rate-limit and abuse-prevention buckets | Seconds to minutes (sliding windows). |
| API keys (only if you have one) | Until revoked. |
| Umami aggregate pageviews | Indefinitely as aggregated, non-personal counts. The daily hash resets every 24 hours and is never re-derivable. |
| Cookies / localStorage | See section 2.2. |
| Email correspondence with us | As long as necessary to handle your enquiry, plus the statutory retention periods that apply to commercial or tax-relevant correspondence. |
8. Security
We protect personal data with appropriate technical and organisational measures, including:
- TLS 1.2+ on all public endpoints, with HSTS enforced at the edge;
- a strict server hardening baseline (SSH key-only access, UFW firewall, Fail2Ban, automatic security updates);
- rate limiting and a per-IP authentication-failure bucket to deter credential-stuffing and abuse;
- separated database roles for migrations, the worker, and the public read path;
- API keys stored only as SHA-256 hashes;
- Cloudflare DDoS protection at the edge.
No system is perfectly secure. If you become aware of a vulnerability, please report it to [email protected].
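Two of the measures above, keeping only a SHA-256 fingerprint of each API key (sections 2.1 and 8) and throttling repeated authentication failures per IP in a sliding window (sections 2.1 and 8), shown together as an added illustration that is not the Service's own code. The key format, the 60-second window, the failure limit and the in-memory store standing in for the page's Redis bucket are all constructed assumptions.

```python
import hashlib
import secrets
import time
from collections import defaultdict, deque
from typing import Optional

WINDOW_SECONDS = 60.0   # assumption: sliding window of approx. 60 s, as in section 2.1
MAX_FAILURES = 5        # assumption: failed authentications allowed per IP per window


def fingerprint(api_key: str) -> str:
    """SHA-256 of the key; this hex digest is all that is ever written to storage."""
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


class KeyStore:
    """Holds fingerprints only. The plaintext key exists once, at issuance."""

    def __init__(self) -> None:
        self._records: dict[str, dict] = {}   # fingerprint -> record

    def issue(self, owner: str) -> str:
        key = "aa_" + secrets.token_urlsafe(32)   # "aa_" prefix is an assumption
        self._records[fingerprint(key)] = {"owner": owner, "revoked": False, "last_used": None}
        return key   # returned to the caller once; never retained here

    def revoke(self, fp: str) -> None:
        if fp in self._records:
            self._records[fp]["revoked"] = True

    def lookup(self, presented_key: str, now: float) -> Optional[dict]:
        # A direct dict lookup is fine: the fingerprint is a one-way hash, so a
        # stolen store yields no usable keys and lookup timing reveals nothing useful.
        rec = self._records.get(fingerprint(presented_key))
        if rec is None or rec["revoked"]:
            return None
        rec["last_used"] = now   # the "usage timestamp" from section 2.1
        return rec


class FailureBucket:
    """Per-IP sliding window of authentication failures (in-memory stand-in for Redis)."""

    def __init__(self, window: float = WINDOW_SECONDS, limit: int = MAX_FAILURES) -> None:
        self.window = window
        self.limit = limit
        self._hits: dict[str, deque] = defaultdict(deque)

    def _prune(self, ip: str, now: float) -> deque:
        q = self._hits[ip]
        while q and now - q[0] >= self.window:   # forget entries older than the window
            q.popleft()
        return q

    def record(self, ip: str, now: float) -> None:
        self._prune(ip, now).append(now)

    def blocked(self, ip: str, now: float) -> bool:
        return len(self._prune(ip, now)) >= self.limit


def authenticate(store: KeyStore, bucket: FailureBucket, client_ip: str,
                 presented_key: str, now: Optional[float] = None) -> tuple:
    """Returns ("ok", owner), ("invalid", None) or ("throttled", None)."""
    now = time.monotonic() if now is None else now
    if bucket.blocked(client_ip, now):
        return "throttled", None          # checked before any key lookup
    rec = store.lookup(presented_key, now)
    if rec is None:
        bucket.record(client_ip, now)     # only failures count toward the limit
        return "invalid", None
    return "ok", rec["owner"]


if __name__ == "__main__":
    store, bucket = KeyStore(), FailureBucket()
    key = store.issue("demo-owner")
    print(authenticate(store, bucket, "203.0.113.7", key))          # ('ok', 'demo-owner')
    print(authenticate(store, bucket, "203.0.113.7", "aa_wrong"))   # ('invalid', None)
```

Passing `now` explicitly keeps the window logic testable without waiting; in production the default monotonic clock is used. Because the bucket is keyed by IP and holds only timestamps, its contents expire within the window on their own, matching the seconds-scale retention stated for the abuse-prevention bucket.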
9. Your rights
Under the GDPR, and subject to its conditions, you have the right to:
- access the personal data we hold about you (Art. 15);
- rectify inaccurate or incomplete data (Art. 16);
- erasure (“right to be forgotten”) of data we no longer have a legal basis to keep (Art. 17);
- restrict processing in certain situations (Art. 18);
- data portability for data you have provided to us (Art. 20);
- object to processing based on legitimate interest (Art. 21);
- withdraw consent at any time, where processing is based on consent (Art. 7(3)).
To exercise any right, write to [email protected]. We may need to verify your identity first to prevent disclosure to the wrong person — given that we do not have user accounts, this is typically done by asking you to send the request from the email address you previously used to contact us.
You also have the right to lodge a complaint with a data-protection supervisory authority. In Germany, this is the supervisory authority of the federal state in which you reside or where the alleged infringement took place.
10. Do you have to provide data?
No. You are not contractually or legally obliged to provide any personal data to us. The processing of IP address and request metadata is unavoidable for any HTTP service to function — without it, we cannot deliver a response. If you do not want any data processed at all, please refrain from using the Service.
11. Changes to this Privacy Policy
We may update this Privacy Policy from time to time, for example when we change our infrastructure or add new functionality. The “Last updated” date at the top reflects the most recent revision. Where the change materially affects your rights, we will provide additional notice (e.g. a banner on the website) before the new version takes effect. Continued use of the Service after the effective date constitutes acceptance of the revised policy.
12. Contact
For privacy-related questions, requests, or complaints, email [email protected]. For the operator’s postal address, see the Imprint.