Geekbux Interactive ("we", "us", "our") operates Tested.gg (the "Platform"). This Privacy Policy describes how we collect, use, store, and protect your personal data when you use our Platform.

We are registered in Sweden and are committed to protecting your privacy and processing your data in accordance with the General Data Protection Regulation (GDPR) and applicable Swedish data protection laws.

By using the Platform, you acknowledge that you have read and understood this Privacy Policy.

The data controller responsible for your personal data is:

Geekbux Interactive
Country: Sweden
Website: https://tested.gg

For data protection inquiries, you may contact us using the details at the bottom of this page.

Account Data (via OAuth)

When you create an account using Google or Steam sign-in, we receive limited profile information from the OAuth provider: your display name, email address, profile picture URL, and a provider-specific user ID. We do not receive or store your password - authentication is handled entirely by the OAuth provider.

We also store your email verification status as reported by the provider and a timestamp of when you last signed in with each method.

User-Generated Content

Reviews - When you submit a review, we store your rating (1–5), optional title, and review body text. Reviews are associated with your account and displayed publicly. Each review also tracks helpful votes and report counts for moderation purposes.

Blog Comments - When you comment on blog posts, we store the comment text and associate it with your account. Comments support threading (replies to other comments).

Helpful Votes - When you vote a review as helpful, we record that association to prevent duplicate voting.

Session and Device Data

When you sign in, we create a session record that includes your user agent string (browser/device info), IP address, and a human-readable device name. This data enables the "Active Sessions" feature so you can see and revoke sessions on other devices. Sessions expire after 7 days.

Outbound Click Data

When you click an outbound link to a reviewed site (via our /go/[site] redirect), we record: the target site, the page you clicked from, and a SHA-256 hash of your IP address. We never store raw IP addresses for click tracking - only the irreversible hash.

Preferences and Consent

We store your cookie consent choices (essential, functional, analytics, marketing) and communication preferences (marketing emails, service emails, public profile visibility).

Cookie Data

We use cookies and similar technologies as described in our Cookie Policy.

We use your personal data for the following purposes:

Providing the Service - Creating and managing your account, displaying your reviews and comments, enabling helpful votes, and processing outbound affiliate clicks.

Trust and Moderation - We use an automated trust level system (New → Regular → Trusted) based on your review history to determine whether reviews require manual moderation. Moderators may review flagged content and apply account restrictions (muting or banning) with a recorded reason.

Trust Score Calculation - Aggregating anonymized review data and community signals to calculate Trust Scores for listed sites. Individual reviews contribute to aggregate scores, but Trust Scores are never based on a single user's data.

Platform Improvement - Analyzing usage patterns via Plausible Analytics (privacy-focused, no cookies, no personal data) to improve functionality, performance, and user experience.

Communication - Sending essential service notifications (account security, Terms changes). Marketing communications are only sent with your explicit opt-in consent.

Security and Fraud Prevention - Detecting and preventing fake reviews, spam, abuse, and unauthorized access. This includes rate limiting (max 3 reviews per day), minimum content length requirements, and automated spam detection.

Legal Compliance - Fulfilling our legal obligations under applicable laws and responding to lawful requests from authorities.

We do not sell your personal data. We never have and never will.

We may share limited data with the following categories of service providers, all of whom are bound by data processing agreements:

Hosting and Infrastructure - Cloudflare (CDN, DDoS protection, Workers hosting, D1 database). Cloudflare processes requests globally but does not use your data for its own purposes beyond providing the service.

Authentication Providers - Google and Steam (OAuth sign-in). These providers process your authentication data according to their own privacy policies during the sign-in process. We only receive the profile data described above.

Analytics - Plausible Analytics, a privacy-focused service that does not use cookies, does not collect personal data, and does not track users across sites.

Legal Requirements - We may disclose your data if required by law, court order, or to protect the rights, safety, or property of Geekbux Interactive, our users, or the public.

If Geekbux Interactive is involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.

We use cookies and similar technologies to operate the Platform. For a detailed breakdown of each cookie we use, including its purpose and duration, please see our Cookie Policy.

In summary: we use essential cookies for authentication and security, functional cookies for your preferences (theme, language, recently viewed sites), and a marketing cookie for referral tracking. We use Plausible Analytics, which does not set any cookies.

We retain your personal data only as long as necessary for the purposes described in this Privacy Policy:

Account Data - Retained for as long as your account is active. We use soft deletion - upon account deletion, your data is marked as deleted and permanently removed within 30 days.

Reviews and Comments - Published reviews and comments remain on the Platform while your account is active. Upon account deletion, reviews are anonymized (author information removed) but content may be retained for Trust Score accuracy. Comments are deleted.

Session Data - Active sessions (including device info and IP) are retained for up to 7 days or until revoked. Revoked sessions are cleaned up within 30 days.

Outbound Click Data - Click records with hashed IPs are retained for analytics purposes. Raw IP addresses are never stored.

Verification Codes - Email verification and password reset codes expire automatically and are single-use.

Security Logs - IP-based security logs (rate limiting, abuse detection) are retained for up to 90 days.

You may request deletion of your data at any time (see Your Rights below).

Under the GDPR, you have the following rights regarding your personal data:

Right of Access (Art. 15) - You can request a copy of the personal data we hold about you, including your account data, reviews, comments, votes, session history, and consent preferences.

Right to Rectification (Art. 16) - You can request correction of inaccurate or incomplete data. You can also update your display name and preferences directly in your account settings.

Right to Erasure (Art. 17) - You can request deletion of your personal data ("right to be forgotten"). We will comply unless we have a legal obligation to retain it. Reviews will be anonymized rather than deleted to maintain Trust Score integrity.

Right to Data Portability (Art. 20) - You can request your data in a structured, commonly used, machine-readable format (JSON).

Right to Restriction (Art. 18) - You can request that we restrict processing of your data in certain circumstances.

Right to Object (Art. 21) - You can object to processing based on legitimate interests. We will cease processing unless we have compelling legitimate grounds.

Right to Withdraw Consent - Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing. You can manage cookie consent via our cookie banner and communication preferences in your account settings.

To exercise any of these rights, contact us using the details at the bottom of this page. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) or your local data protection authority.

The Platform is hosted on Cloudflare's global network, which means your data may be processed in countries outside the European Economic Area (EEA). Cloudflare maintains EU-adequate data protection measures and participates in approved transfer mechanisms.

Google and Steam (Valve Corporation) may also process authentication data outside the EEA during the sign-in flow, subject to their own data transfer safeguards.

We ensure that any international transfer of personal data is subject to appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission, or adequacy decisions where applicable.

The Platform is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a person under 16, we will take steps to delete that data promptly.

If you believe a child under 16 has provided us with personal data, please contact us using the details at the bottom of this page.

We implement appropriate technical and organizational measures to protect your personal data, including:

OAuth-only authentication - We use Google and Steam OAuth exclusively, so we never store or process user passwords.
Encrypted transmission - All data is transmitted over HTTPS/TLS.
IP hashing - Click tracking uses SHA-256 hashed IPs, never raw addresses.
HttpOnly cookies - Authentication tokens are stored in httpOnly cookies, inaccessible to JavaScript.
Cloudflare protection - DDoS mitigation, WAF, and bot management.
Soft deletion - Account deletion is reversible within a grace period before permanent removal.
Access controls - Internal access to personal data is restricted to authorized personnel on a need-to-know basis.

While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but will notify you and relevant authorities of any data breach in accordance with GDPR requirements.

We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date and, where appropriate, notify you via email or a prominent notice on the Platform.

We encourage you to review this Privacy Policy periodically. Your continued use of the Platform after changes constitutes acceptance of the updated policy.

For legal inquiries or disputes, contact us at legal@tested.gg