1. Data Controller

2. Scope of This Policy

This policy applies to our website, mobile game operations, customer support communications, and linked community touchpoints that we control.

3. Legal Bases (GDPR Article 6)

• Contract performance: Processing required to provide requested services, operate game features, and handle support requests.
• Legitimate interests: Service security, fraud prevention, diagnostics, product improvement, and analytics where these interests are balanced against user rights.
• Consent: Optional analytics/marketing processing and similar activities where consent is required by applicable law.
• Legal obligation: Retention or disclosure necessary to comply with legal, regulatory, accounting, or law-enforcement requirements.

4. Categories of Personal Data

• Technical and device data: IP address, device identifiers, browser/app version, operating system, language, diagnostic metadata
• Usage and gameplay data: Feature interactions, game progression events, session timestamps, performance metrics
• Marketing and attribution data: Campaign identifiers, referral source, conversion events, ad interaction metadata
• Support and communication data: Email address, message content, request history, issue metadata
• Transaction context data: Purchase validation metadata from platform stores (without direct card handling by us)

5. Purposes of Processing

• Operate, maintain, and secure the website and game services (Contract performance and legitimate interests)
• Measure service quality, crashes, and product performance (Legitimate interests (and consent where required))
• Run campaign attribution and marketing measurement (Consent (where required) and legitimate interests)
• Respond to support requests and legal inquiries (Contract performance and legal obligations)
• Comply with legal and regulatory requirements (Legal obligation)

6. Data Sources

• Data provided directly by users (for example, support emails)
• Data generated during website and app interactions
• Data provided by platform partners (for example, purchase confirmations)
• Data generated by approved analytics and marketing tools

7. Third-Party Vendors and Recipients

We work with selected third-party vendors for analytics, marketing attribution, platform distribution, payments, and community/media integrations.

• Google Analytics

  Category: analytics

  Role: processor

  Purpose: Website usage analytics and product performance measurement

  Policy: https://policies.google.com/privacy

• Google Ads

  Category: marketing

  Role: processor

  Purpose: Campaign attribution, conversion measurement, and marketing performance

  Policy: https://policies.google.com/privacy

• Apple App Store

  Category: payments

  Role: independent controller

  Purpose: Platform distribution and in-app purchase transaction processing

  Policy: https://www.apple.com/legal/privacy

• Google Play

  Category: payments

  Role: independent controller

  Purpose: Platform distribution and in-app purchase transaction processing

  Policy: https://policies.google.com/privacy

• Discord

  Category: community

  Role: independent controller

  Purpose: Community access via outbound invite links

  Policy: https://discord.com/privacy

• TikTok

  Category: marketing

  Role: independent controller

  Purpose: Social campaign attribution and audience engagement tracking

  Policy: https://www.tiktok.com/legal/privacy-policy

• YouTube

  Category: media

  Role: independent controller

  Purpose: Video content linking and optional embedded media interactions

  Policy: https://policies.google.com/privacy

8. International Data Transfers

Where data is transferred outside the EEA, we rely on legally recognized safeguards such as adequacy decisions, Standard Contractual Clauses, and supplementary security measures where required.

9. Data Retention

We retain personal data only for as long as necessary for the stated purposes, unless longer retention is required by law.

• Security and server logs: Typically up to 90 days, unless needed for investigations or legal compliance
• Analytics and performance records: Typically 14 to 26 months, subject to tool configuration and legal requirements
• Support communications: Up to 24 months after resolution, unless legal obligations require longer storage
• Compliance and financial records: As required by applicable accounting and legal obligations

10. Your Rights

• Right of access
• Right to rectification
• Right to erasure
• Right to restriction of processing
• Right to data portability
• Right to object to processing
• Right to withdraw consent at any time where processing is based on consent
• Right to lodge a complaint with a supervisory authority

11. Children and Minors

Our services are intended for a broad audience. Where consent is legally required for minors, a parent or legal guardian must provide or authorize consent. We do not knowingly collect personal data from children in violation of applicable law.

12. Automated Decision-Making

We do not use solely automated decision-making or profiling that produces legal or similarly significant effects on individuals.

13. Security

We apply technical and organizational safeguards proportionate to risk, including access controls, encryption in transit where applicable, least-privilege access, logging, and incident handling procedures.

14. Complaints to Supervisory Authority

You have the right to lodge a complaint with: Estonian Data Protection Inspectorate. https://www.aki.ee/en

15. Policy Updates

We may update this policy from time to time to reflect legal, technical, or business changes. Material updates will be communicated through the website or in-app notices where appropriate.