BetterMetrics Plus
Your data, your terms

Privacy & Data Policy

Last updated: May 26, 2026

Our four promises

  • We never sell your data.
  • We never use it for advertising.
  • BattleMetrics + Steam API keys never leave your browser.
  • You can delete your account anytime.

The short version

BetterMetrics Plus is a tool for Rust server admins. We collect only what we need to make the product work: the email you sign up with, the Discord and Steam accounts you link, the notes you write about players, and a basic log of authenticated actions on the platform. We don't sell your data, we don't use it for advertising, and we share it with no third parties except the payment, email, and identity providers listed below or where required by law.

What we collect

  • Account info: the email address you sign up with and the display name you set during signup.
  • Discord identity (when you link it): your Discord user ID, username, global name, and avatar hash. Used to bind your license to a verified Discord account.
  • Steam identity (when you link it): your Steam64 ID, Steam display name, and Steam avatar URL. Used to bind your license to a verified Steam account.
  • License key: a 32-byte random string we generate for you once your Discord + Steam are linked. It's stored on the server alongside your row so we can validate the heartbeat from your extension.
  • Subscription state: which tier you hold (Supporter / Patron / Insider) plus the payment processor's customer ID. Required to gate paid features.
  • Notes you write: the text content of player notes you create through the extension, the BattleMetrics player ID they're attached to, and timestamps.
  • Alt-check cache: when you run an alt check in the extension, we store the queried BMID, the flagged alt's BMID, shared-IP counts, and whether the alt is currently EAC/BM-banned. Visible only to you.
  • Audit log: a record of authenticated state-changing actions you take (license rotated, member access granted/revoked, etc.) — kept for accountability and incident response.
  • Technical data: standard request metadata (IP address via Cloudflare, timestamps) for rate limiting and abuse prevention.

What we do not collect

  • Your BattleMetrics RCON token and Steam Web API key live only in your browser's extension storage. They go directly from your machine to BattleMetrics and Steam — we never see them in transit or at rest.
  • We do not track your browsing outside of the BattleMetrics RCON pages where the extension is active.
  • We place no advertising or analytics cookies, and share no data with ad networks.
  • We don't store passwords; sign-in is email + one-time code or Discord OAuth.

How we use your data

  • To authenticate you and validate your license on every extension call.
  • To display your notes, your alt-check history, and your linked-account status in the dashboard and extension.
  • To gate paid features by checking the subscription state your payment processor reports back.
  • To send transactional emails (login codes, account events) — never marketing.
  • To investigate security incidents and enforce our terms (e.g. license revocation).

Who we share data with

Nobody, except in the following limited cases:

  • PayNow: our payment processor. Receives the email + tier you purchase. Subject to their own privacy terms.
  • Resend: our transactional email provider. Receives your email address only when we send you a login code or account notification.
  • Discord: when you click “Link Discord,” we use OAuth to receive your Discord user ID, username, avatar, and verified email. We share nothing back beyond the API calls required to grant a configured Discord role on link.
  • Steam: when you click “Link Steam,” we use OpenID 2.0 to receive your Steam64 ID. We then fetch your public Steam display name and avatar URL from the Steam Community public profile endpoint.
  • Cloudflare and our VPS host: infrastructure providers that process requests on our behalf under their privacy terms.
  • When required by valid legal process, or to protect the safety of our users or the public.

No selling. No targeted ads. No profiling that produces legal or similarly significant effects.

How long we keep it

Account data, license keys, and linked identities are kept as long as your account is active. Notes and alt-check cache rows are kept as long as your account exists. Authenticated action logs are kept for up to 12 months. One-time login codes are kept for up to 10 minutes after issuance. Steam OAuth state tokens are kept for up to 10 minutes per attempt and discarded on use. If you delete your account, we remove your personal data within 30 days, except where retention is required by law.

Your rights

Depending on where you live (including Colorado, California, and the EU/UK), you may have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Correct: Ask us to fix data that's inaccurate.
  • Delete: Request that we delete your account and associated data.
  • Portability: Request your data in a portable, machine-readable format.
  • Opt out: Opt out of any sale, targeted advertising, or profiling — note: we do none of these.
  • Appeal: If we deny a request, you may appeal; we'll respond as soon as possible.

To exercise any of these rights, reach out via our Discord server (link below) and mention the email tied to your account. We'll verify your identity and respond as soon as possible — and always within the 45-day window required by the Colorado Privacy Act.

Children

BetterMetrics Plus is intended for use by server administrators and is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with data, contact us and we'll delete it.

Security

Session tokens are SHA-256 hashed before they touch the database, so a leaked database backup cannot be replayed as a session. License keys are 256-bit random values stored alongside your row; a leaked key on its own can't be used — the extension also requires your account to have an active Discord and Steam link and an active tier, all of which are re-checked on every API call. Every endpoint goes through authentication and per-IP rate limits, every authenticated action gets audit-logged, database access is restricted to the application backend, and all traffic is served over HTTPS. No system is perfect — if you spot a security issue, please report it via Discord and we'll respond promptly.

Cookies

We set a single session cookie (bmetrics_session) to keep you signed in. It's HttpOnly, Secure, and SameSite=Lax. We don't use analytics or tracking cookies.

Changes to this policy

If we make material changes, we'll update the “Last updated” date at the top of this page and, where appropriate, notify you in the dashboard or by email.

Questions about your data?

Reach the team directly on Discord; we'll respond to every request as soon as possible.

Join Discord