Cookies Importer privacy
What the indie.io Cookies Importer browser extension collects, where it goes, and how long it stays.
Last modified May 1, 2026
What is collected
When you click Send to Overmind in the Cookies Importer browser extension, the extension reads cookies belonging to the following domains from your local browser profile:
- .steampowered.com
- .steamcommunity.com
- .steamgames.com
The cookie of record is steamLoginSecure — the session token Steam sets when you sign in to partner.steamgames.com. Adjacent cookies (sessionid, steamCountry, etc.) are sent alongside so that subsequent server-side requests reproduce a complete browser session.
The extension does not read cookies from any other domain. It does not access browsing history, bookmarks, page contents, or any data outside the three Steam domains listed above.
Where it goes
The cookie array is POSTed over HTTPS to the indie.io application or tool subdomain that initiated the import, at that origin's /api/session/import-cookies endpoint. The destination is determined by the URL of your active browser tab at the moment you click Send, and is always an indie.io-controlled domain. Cookies are not transmitted to any third party at any point. They are not sold, shared, or syndicated.
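The two scoping rules described above (cookies only from the three Steam domains, destination only an HTTPS indie.io-controlled origin) amount to two allow-list checks. The sketch below is an added example, not the extension's own code: the function names, the sample cookies, the hostname tools.indie.io, and the reading of "indie.io-controlled" as indie.io or one of its subdomains are assumptions.

```javascript
// Added illustration; all identifiers are hypothetical, not the extension's own.
const COOKIE_DOMAINS = ["steampowered.com", "steamcommunity.com", "steamgames.com"];
const DEST_DOMAIN = "indie.io"; // assumption: destination is indie.io or a subdomain
const IMPORT_PATH = "/api/session/import-cookies";

// True when host equals base or is a subdomain of it. The match is on a label
// boundary, so "evilsteamgames.com" does not match "steamgames.com".
function isSameOrSubdomain(host, base) {
  const h = String(host).toLowerCase();
  return h === base || h.endsWith("." + base);
}

// Keep only cookies whose domain falls under the three Steam domains.
// Cookie domains may carry a leading dot (".steampowered.com"); strip it first.
function selectCookies(cookies) {
  return cookies.filter((c) =>
    COOKIE_DOMAINS.some((d) => isSameOrSubdomain(c.domain.replace(/^\./, ""), d)));
}

// Derive the import endpoint from the active tab URL, or return null when the
// tab is not an HTTPS page on an allowed host.
function importEndpoint(activeTabUrl) {
  let url;
  try {
    url = new URL(activeTabUrl);
  } catch (e) {
    return null; // not a parseable URL
  }
  if (url.protocol !== "https:") return null;
  if (!isSameOrSubdomain(url.hostname, DEST_DOMAIN)) return null;
  return url.origin + IMPORT_PATH;
}

// Constructed sample data (values are placeholders, not real tokens).
const sampleCookies = [
  { domain: ".steampowered.com", name: "steamCountry", value: "XX" },
  { domain: "partner.steamgames.com", name: "steamLoginSecure", value: "PLACEHOLDER" },
  { domain: ".steamcommunity.com", name: "sessionid", value: "PLACEHOLDER" },
  { domain: ".evilsteamgames.com", name: "steamLoginSecure", value: "PLACEHOLDER" },
  { domain: ".example.com", name: "tracker", value: "PLACEHOLDER" },
];

console.log(selectCookies(sampleCookies).map((c) => c.domain + " " + c.name));
console.log(importEndpoint("https://tools.indie.io/steam/dashboard"));
console.log(importEndpoint("https://indie.io.attacker.example/")); // null
```

Both checks compare whole DNS labels rather than raw string suffixes, which is what keeps look-alike hosts such as notindie.io or evilsteamgames.com out of scope.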
How it is stored
Server-side, the cookie array is encrypted at rest using Fernet (AES-128 in CBC mode with HMAC-SHA256) and stored as an encrypted session file scoped to a randomly-generated session ID. The plaintext cookies exist only transiently in memory during a request, when they are needed to make API calls to Steam on your behalf.
How long it is kept
A session is valid as long as the underlying steamLoginSecure cookie remains valid on Steam's side. Steam rotates this cookie aggressively (typically within hours to days). Once invalid, the encrypted session file becomes useless and is purged on the next access. You can re-import a fresh session at any time.
Why the cookies are needed
Steam's anti-fraud system blocks credential entry from cloud-server IPs (AWS, Azure, GCP) for accounts holding Steamworks partner permissions. Server-side login is therefore not viable. Cookies captured in your residential browser session let the server make Steamworks Partner API calls as you, without re-entering credentials in our infrastructure.
Who can access the data
The indie.io Steamworks tooling is gated behind Cloudflare Access on the @indie.io Google Workspace domain. Only authenticated indie.io employees can reach the application. Encrypted session files are not human-readable; access requires the application's encryption key, which is stored in the deployment environment and is not exported from the server.
What we do NOT collect
- Your Steam username or password (you log in directly to Steam — credentials never touch indie.io)
- Browsing history outside the three Steam domains listed above
- Page contents, form inputs, or DOM data from any tab
- Personal information beyond what your steamLoginSecure cookie value implies
- Telemetry, analytics, or tracking events from the extension
Contact
Questions or removal requests: support@indie.io.
Updates and revisions
We'll update this privacy policy from time to time to reflect changes in technology, law, our business operations, or any other reason we determine is necessary or appropriate. Continued use of the extension after any such changes shall constitute your consent to such changes.