This page explains what STS2 Runs stores today and how that data is used.
When you sign in with Steam, we store your Steam-linked account data: your Steam ID (`steam_id`), display name, avatar URL, and an internal numeric user ID used by our database.
After login, we create a session token and store it in a cookie so the site can keep you signed in. Sessions are currently configured to last about 30 days unless you log out or the session is otherwise cleared.
When you upload a run, we store the raw `.run` JSON data in compressed form, along with metadata and derived gameplay facts/statistics used to render run pages, user pages, community views, and leaderboard-style summaries.
Like most web services, STS2 Runs also processes operational data needed to run the site, including request logs and in-memory runtime state such as upload rate-limiting counters and cached community/stat responses.
We use this data for authentication/session management, rendering profiles and run/community statistics, abuse prevention (including upload rate limiting and duplicate upload detection), and day-to-day service operation/debugging.
User profiles, leaderboards/community views, and run statistics are public. Run detail and bulk run API endpoints are also publicly accessible as currently implemented, so uploaded run content should be treated as public data.
Authentication uses Steam OpenID, and profile metadata may be fetched from the Steam Web API. STS2 Runs also loads owner-run Umami analytics from `analytics.kesslersarena.com`; it is used for anonymized, basic aggregate usage reporting (for example, rough country-level counts), not for ad targeting.
Session records are kept for about 30 days. Uploaded runs remain stored until you delete all of your runs. There is currently no self-serve account deletion endpoint/route; if you need deletion help, please use the contact page.
Current controls include secure session cookie settings (`HttpOnly`, `Secure`, `SameSite=Lax`), upload integrity and validation checks (hash verification, JSON parsing/validation, and size limits), and access checks on authenticated endpoints.
For privacy questions or deletion assistance, please use the contact page.
