Retake Rewards

Retake Rewards

Privacy Policy

Effective 18 April 2026

This Privacy Policy explains how Retake Rewards (“we”, “us”), the operator of retake-rewards.com, collects, uses, and shares personal data when you use our rewards service (the “Service”). It is written to satisfy the UK GDPR and the EU GDPR; if you are in another jurisdiction you may have different rights under your local law.

1. Who we are

Retake Rewards is a sole-trader business operating from Scotland, United Kingdom. For the purposes of UK and EU data-protection law we are the controller of the personal data described here.

Contact us at support@retake-rewards.com for any privacy question, including to exercise your rights under this policy.

2. What we collect

a. Steam account data

When you sign in with Steam we receive, via Steam’s OpenID, your public Steam ID (SteamID64), display name, profile URL, and avatar. We do not receive your Steam password, email address, payment details, or inventory.

b. Trade information

If you submit a Steam trade URL in your settings (required to receive skin redemptions), we store that URL so we can route deliveries to your account. The trade URL is validated to confirm that the partner parameter matches your signed-in Steam account, to prevent you saving someone else’s URL.

c. Usage and device data

We automatically collect limited technical information to operate the Service and detect fraud, including:

  • IP address and approximate location derived from it;
  • user-agent, browser and operating-system information, language, and time zone;
  • pages visited, referring URL, actions taken, and timestamps;
  • whether an ad-blocker is active (this is a non-identifying signal used to gate reward earnings only).

d. Ad completion data

When you complete an offer or rewarded video, the relevant advertising network sends us a server-to-server postback containing your internal user ID, a transaction ID, the payout amount, and the offer ID. We store this so we can credit points, reconcile against network invoices, and investigate fraud.

e. Cookies and local storage

We use a small number of strictly necessary first-party cookies for session management, sign-in, and security (for example, to keep you logged in and to prevent cross-site request forgery). We do not use advertising cookies ourselves — advertising networks embedded inside our offerwall iframes may set their own cookies inside that iframe, governed by their privacy policies.

3. How we use your data

We use personal data for the following purposes and legal bases:

  • Providing the Service — authenticating you, crediting points, fulfilling skin redemptions, operating the site. Legal basis: performance of our contract with you.
  • Preventing fraud and abuse — detecting multi-accounting, VPN/proxy manipulation, ad fraud, and protecting our advertising partners and our platform. Legal basis: our legitimate interest in operating a secure service and our legal obligations to partners.
  • Compliance and record-keeping — maintaining the ledger of ad completions, redemptions, and account activity needed for accounting, tax, and dispute resolution. Legal basis: legal obligation and legitimate interest.
  • Improving the Service — aggregated analytics on how users interact with features so we can prioritise improvements. Legal basis: legitimate interest in running a sustainable product.
  • Communicating with you — responding to support requests, sending transactional notices (for example, a redemption delivery confirmation). Legal basis: performance of our contract with you.

We do not sell your personal data, do not use it for cross-site behavioural advertising, and do not combine it with data brokers or profile you for decisions with legal effect.

4. Third parties we share data with

We share personal data only with the service providers we need to run the Service. Each processes data on our behalf under an appropriate data-processing agreement.

  • Google (Firebase) — authentication, Firestore database, Cloud Functions, and hosting. Data is processed in Google Cloud facilities (including the United States).
  • Valve / Steam — OpenID authentication and trade-related operations (initiated from our server).
  • AdGem — advertising offerwall and video offers embedded in the Service, with server-to-server completion postbacks. Your internal user ID is passed to AdGem as “player_id” so they can attribute completions.
  • Additional advertising networks (as disclosed in-product) — we may add further rewarded-ad partners (for example, AyeT-Studios) in the same way AdGem operates. Any such additions are listed here when they go live.
  • Skin-delivery marketplace partner (WAXPeer) — when you redeem a skin, we pass your Steam trade URL and the requested item to our fulfilment partner so they can deliver it to your Steam inventory.

We may also disclose data to law-enforcement or regulators where we are legally required to do so, or to professional advisers (lawyers, accountants) under confidentiality where necessary to protect our rights.

5. International data transfers

Some of our service providers (notably Google/Firebase and AdGem) are based in, or process data in, the United States. Where personal data is transferred out of the UK or EEA, we rely on appropriate safeguards, including the UK’s International Data Transfer Addendum or the EU Standard Contractual Clauses, to protect your data to an equivalent standard.

6. How long we keep data

We keep your account data for as long as your account is active. After account closure we retain:

  • Steam ID, redemption history, and ad-completion records for up to 6 years to meet tax/accounting obligations and to resolve any post-closure disputes or chargebacks.
  • Fraud-investigation records for as long as reasonably necessary to protect the Service from repeat abuse.

Aggregated or fully anonymised data (which no longer identifies you) may be retained indefinitely.

7. Your rights

If the UK GDPR or EU GDPR applies to you, you have the right to:

  • access a copy of the personal data we hold about you;
  • have inaccurate data corrected;
  • have data erased (subject to our legitimate retention obligations above);
  • restrict or object to certain processing;
  • receive your data in a machine-readable format and ask us to send it to another provider (data portability); and
  • lodge a complaint with your local data-protection regulator. In the UK this is the Information Commissioner’s Office (ICO), ico.org.uk.

To exercise any of these rights, email support@retake-rewards.com. We may ask for information to verify that the request really comes from you.

8. Children

The Service is for users aged 18 and over. We do not knowingly collect personal data from children. If you believe a minor has provided us with data, email support@retake-rewards.com and we will delete it.

9. Security

We take reasonable technical and organisational measures to protect your data. Examples include TLS in transit, encrypted storage at rest on Google Cloud, server-to-server HMAC verification of ad-network postbacks, tight Firebase security rules limiting what client devices can read or write, and principle-of-least-privilege access controls on the admin tools used to operate the Service.

No system is perfectly secure. If we ever suffer a personal-data breach that is likely to result in a risk to your rights, we will notify you and the relevant regulator as required by law.

10. Changes to this policy

We may update this policy from time to time. Material changes will be posted on this page and the “Effective” date above will be updated. Please check back periodically. Continued use of the Service after an update constitutes acceptance of the revised policy.

11. Contact

For any privacy question or to exercise your rights, contact us at support@retake-rewards.com. See also our Terms of Service.