What is GDPR?

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.

When did GDPR go into effect

May 25th 2018.

What kind of data does collect?

  • Game developers – our users who track the performance of their game(s) with
  • Players – the players of games tracked with

What is personal data?

According to GDPR, personal data is:

“Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.
Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the law.”

This means that not only is personally identifiable information like the user’s name, email address, or device ID (IDFA/GAID) personal data, but any data we can associate with one person, even if we cannot identify that person in the real world.

The most important consequence of this is that any data associated with one individual (or an ID referring to one individual, even if it is a randomly generated ID) is personal data – including actions they have taken in a game, such as starting the tutorial, picking a character, beginning or ending a session.

What is our status under GDPR?

Because we both store, process, and enable game developers to use the data we collect (i.e. via segmentation, A/B tests, etc.) we are both a data processor and a data controller under GDPR.

Are we allowed to collect this data?

Yes, as long as the user (game developer or player) has consented to their data being collected and used for analytics and marketing purposes.

How do we get consent to collect this data?

The way we obtain consent differs by the type of audience.

  • For game developers we will ask for consent when they sign up or log into the service – this will be in the form of accepting our new privacy policy and terms of service which detail the types of data we collect and the ways they are used. This consent must be provided on an opt-in basis.
  • For players the game developers must ask for consent when the game opens, before any data has been sent to us (or to other data controllers and processors). The consent they ask for from their players must include that their data will be used for analytics and marketing purposes. Most game developers should also have publicly available privacy policies and terms of service that can be reviewed by users.

Under GDPR, consent is: “Consent must be freely given, specific, informed and unambiguous. Informed consent means that you must be given information about the processing of your personal data”.

Why do we need consent for marketing purposes from players?

Consent for marketing purposes is essential to power some features – such as website features, development, and advertising.

How do we verify that we have consent?

  • For game developers continuing to use services powered by will constitute as acceptance of our new terms of service and privacy policy.
  • For players we will audit game developers on a regular basis. The exact process of the audit will be put in place and its goal will be to determine if the game developer has made sufficient effort to ensure that the data collected is obtained with consent. If we experience a data breach, we will be open and honest about it in a formal announcement.

Do we store records of consent?

  • For players No game account may be created without consent, as it is required in order to participate in our services. The web account creation and confirmation dates certify the acceptance of these terms.

What happens when a game developer fails their audit?

If a game developer is selected for an audit and we find that they do not collect consent, we will provide a term of 30 days for them to remediate the situation, before blacklisting them. At the end of the 30 days we will check in with the developer to see if appropriate measures have been implemented. If the game developer requests an extension of term, this can be provided (dependent on review), up to a total of 30 days.

Can we transfer personal data outside of EU territories?

Yes, if appropriate safe guards are in place. Our data resides in closed-circuit dedicated servers which meet both GPDR and PIPEDA specifications.

Do we have any restrictions on data retention?

According to GDPR, data must be stored for as little time as possible, and individuals must be clearly informed for how long their data will be retained.
GDPR specifies:
“You must store data for the shortest time possible. That period should take into account the reasons why your company/organisation needs to process the data, as well as any legal obligations to keep the data for a fixed period of time (for example national labour, tax or anti-fraud laws requiring you to keep personal data about your employees for a defined period, product warranty duration, etc.). Your company/organisation should establish time limits to erase or review the data stored. By way of an exception, personal data may be kept for a longer period for archiving purposes in the public interest or for reasons of scientific or historical research, provided that appropriate technical and organisational measures are put in place (such as anonymisation, encryption, etc.). Your company/organisation must also ensure that the data held is accurate and kept up-to-date.”

When will we remove data?

In our new privacy policy which will be updated March 20, 2021, we will have clearly specified the period for which the data will be retained.

For player data the retention period will be at most 36 months after we receive the request – we will endeavor to expedite this process.

The removal of requested raw data older than 36 months will start Jan 1, 2022.

For game developer’s data – the interval may vary depending on whether the account is still active.

Want your data deleted? Use this form.