Privacy

Last updated 2026-05-19

skins.sulej.net is a hobby project I run on my own hardware for the osu! Swiss Community. This page lists what the server stores about you and why.

What I collect

• osu! identity. When you log in with osu!, I receive your osu! id, username, country, and current rank via the official osu! OAuth flow. Stored in Postgres. I do not see your osu! password.
• Session cookies. osc_session (random opaque token, mapped server-side to your osu! id) and osc_csrf (anti-forgery token). HttpOnly, 30-day expiry, scoped to skins.sulej.net and beta.skins.sulej.net.
• Skins you upload. The .osk contents plus metadata (skin name, your description, your tag assignments). They live in a per-user git repo at git.sulej.net/osc/<your_osu_id>_skins, with binary assets in Garage S3. They are public by design.
• "Pick" assignments. Which skin you chose for each mod combination, used by oscbot when rendering replays.
• CI build logs. Output from generating your skin previews, stored in Postgres and Garage for the life of each tagged release.
• Edge protection logs. CrowdSec and Anubis see standard request metadata (IP, user-agent, path) for abuse detection. Short retention.

Third parties

• osu! OAuth (osu.ppy.sh), only during login. They see that you authorized osc-skins, I see the profile fields above.
• jsdelivr CDN, only when you open /api/docs. The Swagger UI page pulls its CSS/JS bundle from jsdelivr.net. The rest of the site has no external CDN dependency.

Retention and deletion

Your skin repo, picks, and uploaded content stay until you (or an admin) delete them. Sessions expire after 30 days of inactivity. Want everything wiped? DM me on Discord. Manual but fast.

Sharing

I don't sell, trade, or send anything to ad networks. Public skin pages and the community list are obviously public by design.

Contact

Privacy questions, data export, or account deletion: DM me on the osu! Swiss community Discord.