When you connect Steam to Lootify, here is what changes hands.
Steam tells us your profile name, your avatar, your country, your owned games, your total playtime, and — if your profile is public — your recent activity and achievements. That's the data Steam exposes through its Web API to any service you authorize. It's the same data your friends can see when they open your profile.
That's the data we keep. Not because we want all of it, but because the matching engine needs to know what you play. You can't generate a meaningful gamer profile without knowing what's in someone's library.
Here is what we don't see, ever.
Your password. Steam's sign-in flow — OpenID — is designed so that your password is entered on Steam's site, not ours. We never see it. We never store it. We never could, even if we wanted to. If a Lootify operator opened our database, the column for "Steam password" doesn't exist.
Your purchase history with prices. The API doesn't expose what you paid, when, or on what card. We don't see refunds. We don't see wishlists. We don't see your Steam wallet balance.
Your friends list. We don't see who you play with, who you talk to, or who is in your network. We do not request friend-list access on connect.
Your chats. Steam DMs, group chats, voice chats — none of it is in scope of what Lootify can access, and we don't ask for it.
Your data outside Steam. Riot, Xbox, PlayStation, Epic — if you haven't connected those accounts, we don't see them. When you do connect them, the same principle applies: we see what their public APIs expose, and we tell you exactly what that is before you click connect.
We store what we keep in databases hosted in the United States. We do not sell raw Steam data to third parties — the Steam Web API terms wouldn't allow that even if we wanted to, which we don't. What we do sell, eventually, to brands and developers is the data Lootify generates: which segments engaged with which offers, what redemption rates look like across player archetypes, which games people actually claimed when given a choice. That data is ours, generated on our surface, and it's the only data we monetize.
You can disconnect Steam at any time, and your data leaves with you. We don't keep a shadow copy. There is a button for this. It works.
If you want the long version, there's a privacy policy. It says the same thing this article says, with more lawyers in it. The reason this article exists is that nobody reads privacy policies, and trust isn't a legal document — it's the consistency between what we say in public and what we do in the database.
We'd rather be the site that wrote this article than the site that needed to.