Privacy Policy
We collect the minimum we need to run a fair toplist and process payments. Voter IPs are HMAC-hashed before we ever touch them. We don't sell or rent personal data to anyone, for any reason.
Last updated June 24, 2026
1 Who we are
VibeTopList (vibetoplist.com) is a community-run toplist for AI-assisted ("vibe-coded") indie browser games. In this policy, "we", "us", and "VibeTopList" refer to the operator of the service. For any privacy question, write to vibetoplist@gmail.com.
This policy applies to vibetoplist.com and any subdomains we operate. It does not cover third-party websites you reach by clicking out (e.g. a creator's game, a sponsored banner, or Stripe-hosted checkout pages).
2 Data we collect
Account data
When you register: a username, your email address, and a salted hash of your password (we never see your plaintext password). If you submit a game, you also give us its title, description, category, tags, optional YouTube link, optional screenshots, banner image, and the public URL of your game.
Voter & abuse-prevention data
When you cast a vote we record an HMAC-SHA256 hash of your IP address (we do not store the raw IP), a hash of your user-agent string, and the listing you voted on. Hashes let us enforce the 12-hour cooldown, rate-limit bots, and block abuse, without retaining identifying network information. Failed vote attempts (bot detection, CAPTCHA fails, rate-limit hits) are logged the same way for fraud review.
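The keyed-hash cooldown described above, as an added illustration (not VibeTopList's own code): IPs are canonicalised, HMAC-SHA256'd under a secret key, and only the digest is kept in the cooldown table. The key, the per-listing cooldown key and the in-memory table are assumptions for this example; the last function shows why the secret key matters, since an unkeyed hash of an IP can be matched by hashing every address in a range.

```python
import hashlib
import hmac
import ipaddress
import time
from typing import Dict, Optional, Tuple

# Constructed key for this example only; a real deployment loads a long
# random key from configuration and never commits it to source.
VOTE_HMAC_KEY = b"example-only-32-byte-secret-key!"
COOLDOWN_SECONDS = 12 * 60 * 60  # the 12-hour cooldown the policy describes


def hash_voter_ip(ip: str, key: bytes = VOTE_HMAC_KEY) -> str:
    """Keyed hash of a canonicalised IP; only this digest is ever stored."""
    canonical = str(ipaddress.ip_address(ip))  # collapses IPv6 spellings
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def unkeyed_hash(ip: str) -> str:
    """Plain SHA-256 of the IP, shown only to contrast with the keyed form."""
    return hashlib.sha256(str(ipaddress.ip_address(ip)).encode()).hexdigest()


class VoteCooldown:
    """In-memory stand-in for the cooldown table: (ip_hash, listing) -> last vote time."""

    def __init__(self) -> None:
        self._last_vote: Dict[Tuple[str, int], float] = {}

    def prune(self, now: float) -> None:
        # Rows whose cooldown has expired are dropped, as the policy describes.
        expired = [k for k, t in self._last_vote.items() if now - t >= COOLDOWN_SECONDS]
        for k in expired:
            del self._last_vote[k]

    def try_vote(self, ip: str, listing_id: int, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        self.prune(now)
        row = (hash_voter_ip(ip), listing_id)
        if row in self._last_vote:
            return False  # still within cooldown; a blocked attempt to log for review
        self._last_vote[row] = now
        return True


def invert_unkeyed_hash(digest: str, network: str) -> Optional[str]:
    """Without a key, a stored digest is matched by hashing each candidate
    address (a /24 here; all of IPv4 is only 2^32 candidates). The keyed
    digest cannot be matched this way without the key."""
    for addr in ipaddress.ip_network(network):
        if hashlib.sha256(str(addr).encode()).hexdigest() == digest:
            return str(addr)
    return None
```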
Billing data
Payments are processed by Stripe, Inc. We don't see your card details. After a successful checkout we store a Stripe session ID and the line items so we can grant the purchased Gold tier or banner slot. Stripe's own privacy policy applies to the data they collect.
Technical & log data
Our web server (nginx) records standard request logs: timestamp, request path, response status, user-agent, and IP address. Logs are kept up to 30 days for security investigation, then rotated out. We do not run third-party analytics, fingerprinting scripts, or advertising trackers on the site.
Communications
If you email us we keep that email so we can reply and refer to it later. Transactional email we send (verification, password reset, login alerts, receipts) is sent via Gmail SMTP from vibetoplist@gmail.com.
3 How we use it
- Run the toplist: show listings, record votes, compute monthly rankings, archive Hall of Fame snapshots.
- Keep votes honest: enforce IP-based cooldowns and rate limits, run bot detection, verify Cloudflare Turnstile challenges, log blocked attempts for review.
- Authenticate you: sign-in sessions, verify your email, reset your password, optionally alert you to a new sign-in.
- Process payments: create Stripe checkout sessions, confirm webhooks, grant the purchased feature, send receipts.
- Power the callback API: when a creator opts in, post a signed callback to their server so they can reward voters in-game.
- Protect the service: diagnose errors, block abuse, comply with legal obligations.
4 Legal bases (EEA / UK / Swiss users)
Under the GDPR and UK GDPR, we rely on the following legal bases:
- Contract (Art. 6(1)(b)): account creation, processing your purchases, delivering the Gold/banner you bought.
- Legitimate interest (Art. 6(1)(f)): fraud prevention, security logging, hashed-IP cooldowns, error diagnostics, transactional sign-in alerts. Our interest is keeping the toplist usable and the service safe; we've balanced this against your privacy by hashing identifiers and keeping logs short.
- Legal obligation (Art. 6(1)(c)): tax records, responding to lawful requests.
- Consent (Art. 6(1)(a)): where it applies, e.g. if we ever add optional marketing. Today, we don't send marketing email.
5 Cookies
VibeTopList uses a small number of strictly-necessary cookies. We do not use advertising, analytics, or cross-site tracking cookies.
| Cookie | Purpose |
|---|---|
| session | A signed session cookie that keeps you logged in. HttpOnly, Secure (in production), SameSite=Lax. Cleared on sign-out. |
| csrf_token | A per-form anti-forgery token (form input, not a long-lived cookie). |
Cloudflare Turnstile may also set a short-lived challenge cookie when you submit a vote. See Cloudflare's policy.
6 Sharing & service providers
We share data only with the processors below, only as needed to run the service. We do not sell personal information.
| Processor | Purpose | Data shared |
|---|---|---|
| Stripe, Inc. (US) | Checkout, webhooks, receipts | Email, purchase metadata, IP at checkout |
| Cloudflare, Inc. (US) | Turnstile CAPTCHA | IP, user-agent, challenge token |
| Google LLC (US) | Gmail SMTP (transactional email delivery) | Recipient email, message body |
| Let's Encrypt / ISRG (US) | TLS certificate issuance | Domain name (no user data) |
| VPS host (TransIP, NL) | Server hosting, nginx logs | Standard HTTP request logs |
We may also disclose data when required by law, to enforce our Terms, or to protect the rights and safety of users.
7 International transfers
Servers are hosted in the European Union (Netherlands). Some of our processors (Stripe, Cloudflare, Google) operate in the United States. When data leaves the EEA we rely on Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework, where applicable, as published by each processor.
8 How long we keep data
| Data | Retention |
|---|---|
| Account | Until you ask us to delete it. |
| Vote records | Indefinitely (only HMAC-hashed IP + listing); needed to keep the historical leaderboard truthful. |
| Vote-cooldown rows | Auto-pruned after the cooldown expires (12 hours). |
| Blocked-attempt audit log | Up to 90 days for fraud review. |
| nginx access logs | Up to 30 days, then rotated. |
| Billing records | Retained for the period required by tax law (typically 7 years). |
| Email correspondence | Retained for up to 2 years. |
9 Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you;
- Correct inaccurate data;
- Delete your account and personal data (note: votes you cast remain in aggregate, but the hashed identifiers can't be linked back to you after deletion);
- Restrict or object to certain processing;
- Export your data in a portable format;
- Withdraw consent where we relied on it;
- Lodge a complaint with your data-protection authority (in the Netherlands: Autoriteit Persoonsgegevens).
To exercise any of these rights, email vibetoplist@gmail.com from the address on your account. We aim to respond within 30 days. California residents may also exercise CCPA rights through the same channel; we do not sell personal information.
10 Security
Defenses we run today: HTTPS everywhere (Let's Encrypt, HSTS 1 year, includeSubDomains), Content-Security-Policy, X-Frame-Options SAMEORIGIN, hardened session cookies (Secure, HttpOnly, SameSite=Lax), CSRF tokens on every form, SQLite-backed rate limits across all workers, magic-byte image validation with mandatory re-encode (strips polyglot payloads and EXIF), SSRF-safe callback fetching, signed Stripe webhooks, and HMAC-hashed voter IPs. No system is perfectly secure; we'll let you know without undue delay if a breach affects your data.
11 Children
VibeTopList is not directed to children under 13 (or 16 in the EEA). If you believe a child has provided us personal data, contact us and we'll delete it.
12 Changes
We may update this policy as the service evolves. Material changes will be announced on the site at least 14 days before taking effect, and the "last updated" date at the top will change. Continuing to use the service after an update means you accept the revised policy.
13 Contact
Privacy questions, data requests, or breach reports: vibetoplist@gmail.com.
See also: Terms of Service.