
Does Your Game Need a Privacy Policy or EULA?

April 17, 2026 · 8 min read

"Do I need a privacy policy?" and "Do I need an EULA?" come up constantly on Reddit and the Steamworks forums. The answers are different, and most advice online muddles them together.

Your game on Steam is already covered by Valve's subscriber agreement. You don't need to write a separate EULA unless you have specific reasons to (more on that below).

Your game's website is a different story. If it runs analytics, embeds YouTube trailers, or links to your Steam page, California's CalOPPA law requires a privacy policy. No revenue threshold. No minimum visitor count. Nobody is going to fine a solo dev with a landing page. But the fix takes ten minutes, it makes your site look professional to press and publishers, and it protects you if your game takes off and the stakes get higher.

The EULA Question

When someone buys your game on Steam, Valve's subscriber agreement and privacy policy govern that transaction. Steam handles the legal relationship with your players. You can add a custom third-party EULA through Steamworks, but most indie games don't need one.

Consider a custom EULA only if your game has online services with their own account system, collects player data outside of Steam (in-game analytics, crash reporting), or includes user-generated content where you need to define ownership and moderation rights. For a single-player game sold on Steam with no external services, the default agreement covers you.

Your Game's Website Is a Different Story

Your game's website is different from the game itself. You operate it. You chose the analytics provider. You embedded the YouTube trailer and the Discord widget. That makes you the data controller, and that's where privacy laws kick in.

As of 2026, 20 US states have comprehensive privacy laws. The EU's GDPR applies to any website accessible by EU residents, with fines up to €20 million or 4% of global revenue. Michele Robichaux, an attorney at Odin Law and Media who specializes in game industry legal issues, puts it plainly:

"A well-crafted, legally compliant privacy policy is a necessity for any video game company that processes personal data."

You don't need to memorize every regulation. But if your website runs analytics, embeds third-party content, or collects email addresses, you need a privacy policy. If your game has a website, the answer to at least one of those is almost certainly yes.

What Your Privacy Policy Should Cover

A privacy policy isn't a legal essay. It's a straightforward disclosure of what data you collect, why, and what visitors can do about it. Here are the sections that matter:

What you collect. Be specific. "We collect anonymous usage data including page views, referring domains, browser type, device type, and geographic region" is better than "we collect some data." If you use analytics, say so. If you track outbound clicks or downloads, say so.

Third-party services. Your website almost certainly integrates with Steam. If you embed YouTube trailers, Discord widgets, or social media links, those services may collect their own data. Name them. Odin Law warns against copying another site's privacy policy because it won't reflect your actual data practices. Accuracy matters more than length.

Personal information. If you collect email addresses through a newsletter signup, contact form, or press kit download gate, you need to say what you do with them and confirm you won't share them without consent.

Visitor rights. Under GDPR and most US state privacy laws, visitors can request access to, correction of, or deletion of their personal data. Include a contact email where they can make these requests.

Data retention. How long do you keep the data? Analytics data might be retained indefinitely in aggregated form. Email addresses might be kept until someone unsubscribes. State something concrete rather than leaving it vague.

Contact information. A real email address. Not a contact form. Regulators and privacy-conscious visitors expect a direct way to reach you.

Do You Need Terms of Use Too?

Unlike privacy policies, terms of use are not legally required. No law mandates them. But they protect you in ways a privacy policy can't.

Terms of use let you:

  • Limit your liability. If your website goes down or has a bug, a limitation of liability clause reduces your legal exposure. Without one, you're potentially on the hook for any damages.
  • Protect your intellectual property. Your game art, screenshots, logos, and written content are your property. Terms of use establish that explicitly and set the rules for how others can use them (with a carve-out for press kit materials).
  • Set behavioral expectations. If your website has multiplayer conduct rules, modding guidelines, or virtual currency policies, terms of use are where those live.

You can keep them short. A basic terms page covering acceptance, IP ownership, limitation of liability, and a contact email covers the essentials for most game websites.

What You Don't Need

A cookie banner (probably). If your website doesn't use cookies, you don't need a cookie consent banner. Many modern analytics tools (including Cloudflare Analytics Engine, Plausible, and Fathom) are cookieless. Check whether your analytics provider sets cookies before adding a banner you don't need.

A lawyer for a basic website privacy policy. For a straightforward game website that runs analytics and links to Steam, a template-based privacy policy covers the essentials. You should talk to a lawyer if you're collecting payment information, running user accounts, processing children's data (COPPA fines can reach $43,280 per violation), or operating in a heavily regulated space.

How Real Indie Studios Handle It

There's no single convention. We looked at how four well-known indie games approach their legal pages:

Stardew Valley (ConcernedApe) takes the combined approach. Their privacy policy covers "the Websites, the Game, the Forum, the Wiki, the Shop, and other online services" under one document. Their terms of use follow the same pattern. One policy, everything under one roof. This makes sense for ConcernedApe because they run a merch shop, community forum, and wiki alongside the game.

Hades (Supergiant Games) also combines. Their privacy policy covers "the Site, Apps, and any other online service locations." Website and digital services in one document.

Valheim (Iron Gate / Coffee Stain Publishing) separates them. Their website privacy policy explicitly states it covers "visitors to our website" and nothing else. Game terms and content usage guidelines live at separate URLs under Coffee Stain Publishing. This split approach works when the publisher handles game-level legal and the developer handles the website.

Hollow Knight (Team Cherry) has no visible privacy policy or terms of use on their website at all. Their FAQ states "Team Cherry does not collect or store any player data." They're a team that keeps things minimal, and their website reflects that.

Four studios, four different approaches. The common thread: studios that collect data (analytics, emails, purchases) have policies. Studios that don't collect data sometimes skip them entirely.

Template vs. Custom: Which Approach Fits You

For most indie game websites, a template-based privacy policy handles the job. You're disclosing analytics, naming your third-party services, providing a contact email, and covering visitor rights. That's straightforward enough to generate from a checklist of toggles.

Switch to a fully custom policy when:

  • Your game collects its own data. Multiplayer accounts, in-game analytics, cloud saves. The website template won't cover game-level data collection. Follow the Stardew Valley pattern and write a combined policy.
  • You sell merchandise or accept payments. Payment processing adds PCI compliance requirements and additional data handling disclosures that go beyond what a template covers.
  • Your game is directed at children under 13. COPPA has strict requirements for "clearly and understandably written" privacy policies. A template might not satisfy the FTC's standards here.
  • You operate in a regulated industry. Gambling mechanics, health data, or financial services all have sector-specific privacy requirements.

For everyone else, a template gets you covered. You can always switch to a custom policy later as your needs grow.

How Gamebase Helps

Gamebase now generates privacy policy and terms of use pages for your game website. Toggle them on in the editor, configure a few settings, and publish. The template fills in your game name, studio name, and contact email automatically.

If you outgrow the template, switch to custom mode. The template content becomes your starting point in a full editor where you can rewrite anything.

Both pages are hosted at /privacy and /terms on your game's site, added to your footer automatically, and included in your sitemap. Free for every game.

Try it on your game.
