Privacy Policy
Effective
The short version
- We do not collect personal information — no name, email, payment, or browsing history.
- The extension ships with a bundled, scoped authentication token used to talk to the dghq.app inspect server. You don't have to enter anything; it just works.
- When you click Convert or !ngk, only the CS2 item data (weapon, skin, stickers, charm, wear) is transmitted. That's it.
- No analytics. No cookies. No telemetry. No third parties.
- Source code is open: github.com/kompound-ca/cs-extension — verify any of this for yourself.
1. Who this covers
This policy applies to the CS2 GenCode browser extension (Chrome / Chromium-based browsers) and the backend services it talks to at inspectapi.dghq.app and inspectbot.dghq.app, which together support the inspect.dghq.app Counter-Strike 2 community inspect server.
The extension is operated as a personal, hobbyist project. There is no commercial entity behind it; the server and extension exist to let community members preview and spawn skins on a private CS2 server.
2. What stays on your device
The extension's backend URLs (the inspect API and the Steam GC bot) are hardcoded into the published package — there is no user setting for them. You don't have to configure anything to use the extension.
The only value the extension stores in Chrome's storage.local on your device is an optional API key override: a textbox in the settings panel that's blank by default. Self-hosters who fork the extension and run their own backend can paste a custom key there; everyone else can leave it empty (the default).
The extension ships with a bundled authentication token used to identify it to the inspect server. This token is part of the extension package itself, not collected from you. It is intentionally limited to the small set of operations the extension performs (submit a skin payload, look up a stored code, resolve an unmasked link) and grants no administrative access to the server.
You can clear your local settings at any time by going to chrome://extensions → CS2 GenCode → Details → Site settings / storage, or by uninstalling the extension.
3. What is transmitted, and only when you ask
The extension sits idle until you take one of three actions. Each action and the exact data it sends is listed below.
3.1 Converting a CS2 inspect link or hex (popup or in-page button)
The extension decodes the link locally in your browser using the publicly available @csfloat/cs2-inspect-serializer library, then sends the decoded item data to the configured API base URL via HTTPS POST:
- Weapon definition index (defindex)
- Paint kit (skin) index
- Pattern seed and float (wear)
- Item quality (e.g. StatTrak indicator)
- Up to five stickers, each with: sticker ID, render anchor (schema), wear, scale, rotation, X / Y offsets, and a few rarely-used fields (tint, wrapped, highlight)
- Charm / keychain (if present): sticker ID, pattern, X / Y / Z offsets
- Item style and upgrade level (legacy vs upgraded skin rendering)
- Custom name tag text (if present on the item)
That payload contains no information about you: not your Steam ID, not your inventory contents, not your IP address beyond what HTTPS connections necessarily expose. Every field describes the in-game cosmetic item itself.
3.2 Resolving an unmasked inspect link (Steam marketplace / inventory link)
Steam links of the form steam://run/730//+csgo_econ_action_preview S…A…D… contain only Steam asset and owner IDs — the actual item data has to be looked up via Valve's Game Coordinator. When you paste such a link, the extension forwards only the link itself to the bot at inspectbot.dghq.app/resolve over HTTPS. The bot uses a dedicated Steam account to fetch the item and returns the same decoded data shape as 3.1.
The link contains a public Steam asset ID and, for marketplace listings, the lister's Steam community ID — both pieces of information are already public on Steam.
3.3 Reading the bundled authentication token
Both 3.1 and 3.2 send the bundled scoped token in an X-API-Key HTTPS header so the server can identify requests as coming from the extension. The token is part of the extension package itself, not user data. It is transmitted only to the configured backend URLs (see 3.1, 3.2). If you have set a custom API key override in the settings panel, that value is sent instead of the bundled token.
3.4 IP address
Like every HTTP request you make on the internet, your IP address is visible to the receiving server. Our backend uses it only to enforce a per-IP rate limit (30 requests per minute) on the bot endpoint. IP addresses are kept in transient request logs and rotated within 30 days; they are not used for analytics, sold, shared, or correlated with any account.
4. What we do not collect
To remove ambiguity, the extension and its backend services do not collect, store, or transmit:
- Personal identifiers (name, email, phone, mailing address)
- Payment information
- Steam account credentials, inventory, or session data
- Browsing history or activity outside the explicit Convert / !ngk action
- Page content from sites you visit
- Cookies, localStorage from other origins, or browser fingerprints
- Analytics or telemetry of any kind
- Third-party tracking pixels, beacons, or SDKs
- Microphone, camera, geolocation, or any other device sensor
- Keystrokes, clicks, or screenshots
5. Backend data retention
When you submit a converted item, the inspect API stores the item data keyed by a content hash (SHA-256 of the canonical JSON payload). Submitting the same item twice yields the same short code; there is no user account, no per-user history, and no link from a stored item back to the person who submitted it.
- Skin records (item JSON + content-hash code) are retained indefinitely so codes remain stable. Records can be wiped on request.
- Bot resolution requests are not persisted after the response is returned.
- Web server access logs (timestamps, IP, request path, response code) are retained at most 30 days for abuse prevention and operational diagnostics.
We do not sell, share, or rent any data. There are no advertising partners, analytics processors, or third-party SDKs in either the extension or the backend.
6. Your rights
Because we don't store anything that links submitted item data back to you, the simplest exercise of your rights is to stop using the extension — once uninstalled, no further data is sent and there is no per-user record to delete.
If you live in a jurisdiction with data subject rights under the GDPR (EU/UK), CCPA (California), or similar regimes, you may contact us at the email address below to:
- Request access to any data associated with your IP address (typically there is none beyond rate-limit logs)
- Request deletion of any logs or stored items that you can identify
- Object to processing or restrict processing
We aim to respond within 30 days. There is no charge.
7. Browser permissions, in plain English
The extension requests the following Chrome permissions. Each is used only for the purpose described.
- activeTab: Lets the extension inject the !gen / !ngk button into a supported page when you have it open.
- contextMenus: Adds the right-click "Convert inspect link to !ngk code" item when you right-click a Steam inspect link.
- clipboardWrite: Lets us copy the generated !ngk <code> command and the connect inspect.dghq.app string to your clipboard when you click the relevant buttons.
- storage: Lets us save the optional API key override (if you've set one) in chrome.storage.local on your computer.
- Host permissions for inspectapi.dghq.app and inspectbot.dghq.app: Required so the extension can call the backend API. No other domains are contacted.
- Host permissions for csfloat.com, cs2inspects.com, steamcommunity.com, store.steampowered.com, skinport.com, dmarket.com: Required so the extension can inject buttons next to inspect links on these supported sites. We never read or transmit page content beyond the inspect-link URL you click.
8. Children's privacy
The extension and its server are not directed at children under 13 (or 16 in jurisdictions where that is the relevant age). Counter-Strike 2 itself is rated for older audiences. We do not knowingly collect any information from children.
9. Security
All extension-to-backend traffic uses HTTPS with valid Let's Encrypt certificates. The shared API key is transmitted only over those encrypted connections and only to the configured endpoints.
If you discover a security issue, please email security@dghq.app.
10. Changes to this policy
If this policy materially changes, we will update the Effective date at the top of the page and announce the change in the extension's release notes on GitHub. Continuing to use the extension after such an update constitutes acceptance of the revised policy.
11. Contact
Questions, requests, or concerns? Email info@dghq.app or open an issue on GitHub.