This Privacy Policy describes how The Panel (“Extension,” “Web App,” “we,” “us”) collects, uses, stores, and shares information when you use the Chrome extension, optional userscript, or website at torn-the-panel.vercel.app to buy and sell in-game services on Torn City.
By installing or using the Extension, userscript, or Web App, you agree to this policy. If you do not agree, do not use The Panel.
1. Who we are
The Panel is a Torn City marketplace available as a browser extension and userscript injected on torn.com, and as an optional standalone web app at our public site. All clients connect to a backend hosted on Supabase to provide accounts, balances, orders, contracts, and related marketplace features. The web app does not inject into or read the Torn website DOM.
2. Information we collect
2.1 Information you provide
- Torn City API key — You enter this to sign in. It is used to verify your identity with Torn’s API and, while you have an active loss or redeeming contract, to poll Torn attack logs so the marketplace can verify fulfillment. You can remove it by signing out (clears local storage).
- Marketplace actions — Orders, contracts, redeeming requests, withdrawals, and similar actions you take through the Extension UI.
2.2 Information from Torn City
When you sign in or when contract verification runs, we may process:
- Your Torn player ID (
torn_xid) - Your in-game display name
- Game data needed for the marketplace (for example, attack/log data used only to verify loss contracts and redeeming fulfillment)
This data is obtained via Torn’s official API using your API key (or, for automated deposit crediting, a server-side key used only to read public deposit logs for the marketplace deposit account). We do not access your Torn account password.
2.3 Information stored on your device
The Extension uses Chrome’s storage permission; the
userscript and web app use browser localStorage (or
equivalent userscript storage) to save locally on your device:
- Your Torn API key (until you sign out or clear extension data)
- A short-lived session token (JWT), player ID, display name, and expiry time
This local data is not synced to other devices unless you sign in again on each device.
2.4 Information stored on our servers
Our Supabase database may store, among other things:
- Player ID and display name
- In-game marketplace balance and ledger history
- Open and historical buyer orders, loss contracts, and redeeming records
- A one-way hash (SHA-256 fingerprint) of your API key for session audit and revocation — not the full API key
- Deposit event IDs when you send in-game items to the marketplace deposit account (processed by an automated server job)
2.5 Information we do not collect
- Browsing history outside torn.com
- Keystrokes, mouse movements, or scroll tracking for analytics
- Real-world payment card or bank account numbers
- Health data, email, or private messages unrelated to the marketplace
The Extension injects UI on torn.com and reads limited page structure (for example, the chat panel) only to place its button. It does not collect or upload arbitrary page text, images, or chat content.
3. How we use information
We use collected information solely to:
- Authenticate you and maintain your session
- Operate the loss marketplace (escrow, matching, payouts, refunds)
- Verify contract fulfillment via Torn API data
- Credit in-game deposits and process withdrawals you request
- Provide realtime marketplace updates
- Prevent abuse, debug errors, and comply with law
We do not sell your personal data. We do not use your data for creditworthiness or lending. We do not use your data for advertising unrelated to the Extension’s single purpose.
4. How information is shared
We share information only as needed to run the service:
- Supabase — Hosting, database, authentication helpers, and edge functions that process API requests on our behalf.
- Torn City (api.torn.com) — API calls to verify your key, read relevant game logs, and validate marketplace activity. Torn’s own terms and privacy practices apply to data held by Torn.
- Other marketplace users — Limited public marketplace data (for example, open buy orders or redeeming listings) visible to signed-in users as part of normal marketplace operation.
- Legal requirements — If required by law or to protect rights, safety, and integrity of the service.
5. Remote code
The Extension package contains all JavaScript it runs. It does not download or execute remote scripts from third-party URLs. Network requests return data (for example JSON from our API), not executable code.
6. Retention and deletion
- Sign out — Removes your API key and session from local extension storage. Server-side profile and history may remain until you delete your account.
Session fingerprints and short-lived auth records on the server expire automatically over time.
7. Security
We use HTTPS for all Extension-to-server communication. API keys are stored locally in Chrome storage and transmitted only to our backend over TLS. On the server, we store a hash of your key for audit, not the plaintext key, except when your key is relayed in request bodies to edge functions that immediately call Torn’s API (it is not written to permanent storage in that flow).
No method of transmission or storage is 100% secure. You are responsible for keeping your Torn API key confidential and using Torn’s minimum required API key permissions.
8. Children
The Extension is not directed at children under 13. We do not knowingly collect personal information from children under 13. Torn City’s own age requirements apply.
9. International users
Our servers may be located in the United States or other regions where our hosting providers operate. By using the Extension, you understand your information may be processed in those locations.
10. Changes to this policy
We may update this policy from time to time. The “Last updated” date at the top will change when we do. Continued use after changes means you accept the updated policy.
11. Contact
For privacy questions or requests, contact the operator of The Panel Now! in Torn City.