Privacy Policy
Last updated: April 27, 2026 (extension data section added). Originally effective May 17, 2023.
showdd ("us", "we", or "our") operates showdd.io (the "Site"). This page informs you of our policies regarding the collection, use, and disclosure of non-personal information we receive from users of the Site.
By using the Site, you agree to the collection and use of non-personal information in accordance with this policy.
Information Collection and Use
Our Site does not collect personally identifiable information. However, we use third-party services, such as Google Analytics, to help us understand the usage patterns of our users.
showdd.io Sync Browser Extension
showdd.io Sync is our optional Chrome browser extension. It reads your MLB The Show inventory, program progress, and stubs balance from your authenticated session at mlb26.theshow.com and sends that data to your showdd.io account so we can power collection tracking, inventory value analysis, program progress views, and change history. Sync is user-initiated from the extension popup; there is no automatic, scheduled, or background sync. This section describes everything the extension reads, sends, and stores. The extension is separate from the website; if you do not install it, none of this applies to you.
Summary of extension data types
- Inventory / card data: UUID, name, rarity, sellability flag, category and sub-category IDs, and quantity.
- Program progress: program and group IDs, completion counters, league, and team slot.
- Stubs balance: in-game virtual currency balance.
- Sync metadata and diagnostic error reports: sync-run IDs, timestamps, chunk hashes, retry counters, error codes, and truncated stack traces sent only to showdd.io's first-party /api/extension/error endpoint.
- Local authentication state and token storage: refresh token in chrome.storage.local, short-lived access token in chrome.storage.session, install ID and install name, displayed TheShow username, and the showdd_support_log diagnostic snapshot.
Authentication
The extension signs in to showdd.io using OAuth-style PKCE. We never see, read, or transmit your theshow.com password. After you connect, showdd.io issues the extension a long-lived refresh token (stored locally inside the extension) and short-lived access tokens (held in session memory and cleared when your browser or service worker restarts). During connect, the showdd.io connect page passes the one-time auth code to the extension via Chrome's content-script messaging APIs, restricted to www.showdd.io/connect-extension. Tokens are sent only to showdd.io over HTTPS.
Install identifier
On first run the extension generates a random UUID ("install ID") and a derived install name (for example, "showdd.io Sync on Win32 (a1b2c3)") and stores both locally. The install ID is sent with auth, sync, and error reports so we can deduplicate sync runs from multiple devices on the same account and so support reports can be matched to a specific install. The install ID is not shared with third parties and is never used for advertising.
Data the extension reads from MLB The Show
Using your existing browser cookies for mlb26.theshow.com, the extension calls TheShow.com's authenticated inventory API and parses your program progress pages. The data fetched is:
- Inventory items (MLB cards, stadiums, equipment, sponsorships, unlockables): UUID, name, rarity, sellability flag, category and sub-category IDs, and quantity.
- Program progress: program and group IDs, completion counters, league, and team slot.
- Stubs balance: in-game virtual currency balance.
- Game version (currently "26").
Your TheShow username is read from showdd.io's status endpoint after sync (so we can show it in the popup) and stored locally. The extension does not read or transmit your TheShow password, your TheShow email, payment information, friend lists, messages, or any other TheShow account field beyond the items listed above.
Data the extension sends to showdd.io
All requests go to showdd.io over HTTPS with your extension access token. Specifically:
- Auth lifecycle: PKCE auth code, code verifier (transient, only during the connect handshake), install ID, install name, and refresh-token rotation.
- Inventory sync runs: game version, inventory items (the fields listed above), per-chunk SHA-256 content hashes used solely to verify transfer integrity, batch sequence numbers, and synced-at timestamps.
- Program progress: game version, programs array, parser version, and pages fetched.
- Stubs balance: in-game virtual currency balance included with each sync payload.
- Status checks: the game version, used to fetch the last-server-sync summary and your displayed username.
- Error reports (only when authenticated): error code, message, stack trace, install ID, extension version, game version, current sync state, page counters, retry counters, and a diagnostic snapshot of the local support log. Error reports never include refresh tokens, access tokens, or your password.
Data stored locally inside the extension
The extension uses Chrome's storage APIs and IndexedDB. Stored locally:
- Persistent (chrome.storage.local): refresh token, sync metadata (timestamps and item counts), the displayed TheShow username and your showdd.io account ID, game version, install ID and install name, the diagnostic support log (recent error codes, backoff timing, per-game-version content hashes, and up to 25 queued error reports), and program sync state.
- Session-only (chrome.storage.session, cleared on browser or service-worker restart): short-lived access token and its expiry, in-flight sync progress, the cached site-status object, and the in-flight PKCE state during connection.
- IndexedDB ("showdd_inventory"): a snapshot of your last inventory used to diff against the next sync. Replaced on each sync and cleared when you disconnect.
What the extension does not do
- It does not sync automatically or in the background, and it does not register scheduled alarms. Every sync is started by you from the extension popup.
- It does not include any third-party analytics, tracking, advertising, or telemetry SDK.
- It does not read your browsing history, your tabs other than mlb26.theshow.com and www.showdd.io, your clipboard, your microphone, your camera, or your location.
- It does not collect your name, address, email, age, government ID, payment information, or any health information.
- It does not collect personal communications such as emails, texts, or chat messages.
- It does not transmit your TheShow password. The extension never has access to it; sync relies entirely on the cookies your browser already holds for mlb26.theshow.com.
- It does not sell, rent, or license the data it receives.
Retention, deletion, and contact
- Refresh tokens persist locally until you disconnect or uninstall. Access tokens live only in session memory.
- Local inventory snapshots and the support log are overwritten on each sync; they are cleared when you disconnect.
- Server-side, your inventory, program progress, and stubs balance data are tied to your showdd.io account and retained as long as your account exists. Error reports are retained for support and debugging as needed.
- You can disconnect at any time from the extension popup, which revokes the refresh token on the server and clears local extension state. Uninstalling the extension removes all locally stored extension data from your browser.
- To request deletion of server-side data tied to your showdd.io account, file a request via our bug-report form or reach us in our Discord.
Google Analytics
We use Google Analytics to collect non-personal information about how our Site is used. Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our Site. This data is shared with other Google services. Google may use the collected data to contextualize and personalize the ads of its own advertising network.
You can opt out of having your activity on the Site made available to Google Analytics by installing the Google Analytics opt-out browser add-on (https://tools.google.com/dlpage/gaoptout). The add-on prevents the Google Analytics JavaScript (ga.js, analytics.js, and dc.js) from sharing information with Google Analytics about visit activity.
For more information on the privacy practices of Google, please visit the Google Privacy & Terms web page: https://policies.google.com/privacy
CCPA Disclosures
Under the CCPA, California residents have the right to:
- Know what personal data is being collected about them.
- Know whether their personal data is sold or disclosed and to whom.
- Say no to the sale of personal data.
- Access their personal data.
- Request the deletion of their personal information.
- Not be discriminated against for exercising their privacy rights.
Sale of Personal Information
showdd does not sell personal information of its users and visitors. The third-party sharing referenced above (Google Analytics for non-personal website usage data) applies to the showdd.io website only; the showdd.io Connect browser extension does not share user data with any third parties.
Changes to This Privacy Policy
This Privacy Policy is effective as of May 17th 2023 and will remain in effect except with respect to any changes in its provisions in the future, which will be in effect immediately after being posted on this page.
We reserve the right to update or change our Privacy Policy at any time, and you should check this Privacy Policy periodically. Your continued use of the Site after we post any modifications to the Privacy Policy on this page will constitute your acknowledgment of the modifications and your consent to abide and be bound by the modified Privacy Policy.