Shape of Dreams

Privacy Policy

Last updated: April 12, 2026

1. Data Controller

Shape of Dreams Tools is an unofficial fan-made website. For any inquiries regarding your personal data, contact us at [email protected].

2. Data We Collect

When you sign in using Google or Discord, we collect:

  • Display name — used as your username on the platform
  • Email address — used for account identification
  • Profile picture — displayed on your profile and builds

When you link your Steam account, we additionally collect and store:

  • Steam ID — your unique Steam identifier
  • Steam persona name, avatar, and profile URL — displayed on your profile and on the public achievements leaderboard
  • Shape of Dreams achievement progress — number of unlocked achievements, displayed on the public leaderboard when your Steam profile is set to public

We also collect technical data for session management:

  • IP address — for security and abuse prevention
  • User agent — for session identification

3. Purpose of Processing

  • Account creation and authentication
  • Displaying your profile information
  • Attributing builds you create to your account
  • Displaying your Steam achievements on the public leaderboard (only if you link your Steam account and your Steam profile is public)
  • Maintaining session security
  • Measuring anonymous website usage (page views, referrers) to improve the service

4. Legal Basis

We process your data based on your consent, given when you sign in via an OAuth provider and accept this privacy policy. You may withdraw consent at any time by deleting your account.

5. Third-Party Services

We use the following third-party services for authentication:

  • Google OAuth — to allow sign-in with your Google account
  • Discord OAuth — to allow sign-in with your Discord account
  • Steam OpenID & Steam Web API — to allow sign-in with your Steam account and fetch your public profile and achievement progress. Your Steam ID is sent to api.steampowered.com each time your profile is synchronized.

We also use a self-hosted analytics service:

  • Umami (self-hosted, cookieless) — collects aggregated and anonymous usage data such as page views, referrers, browser type, and approximate country. No cookies are set, no personal identifier is stored, and no data is shared with third parties.

These providers may collect their own data according to their respective privacy policies. We do not share your data with any other third parties.

6. Cookies

We use a session cookie to keep you signed in. This cookie is strictly necessary for the functioning of the service and does not track your activity across other websites. No advertising cookies are used. Our analytics (Umami) runs in cookieless mode and does not set any tracking cookie on your device.

7. Data Retention

Your personal data is retained for as long as your account exists. Session data (IP address, user agent) is retained for the duration of the session. When you delete your account, all your personal data, builds, and session data are permanently deleted.

8. Your Rights

Under the GDPR, you have the right to:

  • Access your personal data — view your profile page
  • Export your data — use the export feature in your profile settings
  • Rectify your data — edit your username in your profile settings
  • Delete your data — use the account deletion feature in your profile settings
  • Withdraw consent — by deleting your account

To exercise any of these rights, visit your profile page or contact us at [email protected].

9. Data Security

We implement security measures to protect your data, including secure authentication via OAuth providers, session-based access control, rate limiting on sensitive operations, and security headers to prevent common attacks.

10. Changes to This Policy

We may update this privacy policy from time to time. Any changes will be reflected on this page with an updated date.