PRIVACY POLICY
Last updated: 2026-05-17. Version 2.0.
1. Controller (Art. 13 (1) (a) GDPR)
Christoph Barton, Vienna, Austria. Full postal address: see Impressum.
Contact for data protection requests: [email protected]
A dedicated Data Protection Officer (DPO) has not been appointed — the criteria of Art. 37 GDPR are not met (small operator, no large-scale processing of special categories).
2. Data we collect & legal basis (Art. 13 (1) (c))
| Purpose | Data | Legal basis | Retention |
|---|---|---|---|
| Account (email/password) | Email, password hash, verification token | Art. 6 (1) (b) — contract | Until deletion |
| Google / Discord OAuth login | Provider sub-ID, email, display name | Art. 6 (1) (b) — contract | Until deletion |
| Riot RSO link | PUUID, game name, tag, access/refresh token | Art. 6 (1) (b) | Until unlink/deletion |
| Login session | Session ID (httpOnly cookie), user ID | Art. 6 (1) (f) — security; § 25 (2) TDDDG | 30 days rolling |
| Public match data (you & opponents) | Match results, items, KDA, timeline events (Riot API) | Art. 6 (1) (f) — legitimate interest in providing a stats tracker | Cache 14 days, aggregates indefinitely |
| AI Coach chat | Your messages, tool-call results, AI responses | Art. 6 (1) (b) — service delivery; (a) for memory | 90 days (conversation), 12 months (memory) |
| Rate-limiting / security | IP address (hashed/short-lived), user agent | Art. 6 (1) (f) — security | Max 7 days |
| Cookie consent | Choice + timestamp (localStorage) | § 25 (2) TDDDG | 12 months |
3. Third-party processors (Art. 13 (1) (e), Art. 28)
We have data processing agreements (DPA / AVV pursuant to Art. 28 GDPR) with all processors below:
- Cloudflare, Inc. (USA + global edge) — Hosting (Pages, Workers), CDN, D1 database, KV cache, DDoS protection. Standard Contractual Clauses + EU-US Data Privacy Framework.
- Turso (ChiselStrike, Inc.) (EU region) — libSQL user database.
- OpenAI, L.L.C. (USA) — AI Coach chat completion (model gpt-4o-mini). Your chat messages, match data and selected profile data are transmitted to OpenAI in the USA. Transfer mechanism: SCCs + DPF. OpenAI does not use API data to train models per their data usage policy.
- Anthropic, PBC (USA) — fallback / experimental AI features. SCCs + DPF.
- Riot Games, Inc. (USA) — Match-V5, Account-V1, Spectator-V5 APIs and Riot Sign-On (RSO). When linking your Riot account, your PUUID and OAuth tokens are exchanged with Riot.
- Google LLC (USA) — Google OAuth login (if used). SCCs + DPF.
- Discord, Inc. (USA) — Discord OAuth login (if used). SCCs.
4. International transfers (Art. 13 (1) (f), Art. 44-49)
Transfers to the USA (Cloudflare, OpenAI, Anthropic, Riot, Google, Discord) take place on the basis of Standard Contractual Clauses (Art. 46 (2) (c) GDPR) and, where available, the EU-US Data Privacy Framework (Art. 45 adequacy decision, 10 July 2023).
5. AI Coach — automated processing (Art. 22, Art. 13 (2) (f))
The AI Coach analyses your match data and generates recommendations using a large language model (OpenAI gpt-4o-mini). This is not an automated decision with legal effect within the meaning of Art. 22 GDPR — recommendations are advisory and do not affect any contract, ranking or legal status. Inputs to the AI are processed in the USA; do not enter sensitive personal data into the chat.
6. Match data of other players (Art. 6 (1) (f), Art. 14)
To deliver tier lists, opponent stats, OTP (one-trick) detection and matchup analysis, we process publicly available match data from the Riot API which contains other players' game names and PUUIDs. Legal basis: legitimate interest in operating a community stats tracker (Art. 6 (1) (f)). The interest is balanced by: (i) data is provided by Riot via a public API that players consent to under Riot's ToS; (ii) we store no contact data; (iii) any player may request erasure of their data from our caches by emailing [email protected].
7. Cookies & local storage (§ 25 TDDDG)
Strictly necessary (no consent): session cookie (login), cookie-consent record (localStorage), Cloudflare security cookies (__cf_bm).
Functional / Analytics / Marketing (consent required): see cookie banner. You can revoke consent at any time via the banner — open it by clearing the ggez-consent-v2 localStorage entry or by clicking the link in the page footer (coming soon).
8. Your rights (Art. 15-22, 77)
- Access (Art. 15) — request a copy of your stored data
- Rectification (Art. 16) — correct inaccurate data
- Erasure / "right to be forgotten" (Art. 17) — delete your account & data via Profile → Delete Account, or by email
- Restriction (Art. 18) — limit processing
- Data portability (Art. 20) — export your data via Profile → Export My Data (JSON)
- Objection (Art. 21) — object to processing based on legitimate interest
- Withdraw consent (Art. 7 (3)) — without affecting prior lawfulness
- Lodge a complaint with the supervisory authority (Art. 77) — Austrian Datenschutzbehörde (DSB), or in Germany the BfDI / your state authority
To exercise any right, contact [email protected]. We respond within 30 days (Art. 12 (3)).
9. Minors (Art. 8)
Our service is not directed at children under 16. If you are under 16, please use the platform only with verifiable consent of a parent/guardian. We do not knowingly collect data from children under 16 without such consent — contact us if you believe we hold such data.
10. Security (Art. 32)
TLS encryption in transit, password hashing (Argon2id), database access tokens, principle of least privilege. No system is perfectly secure — please report vulnerabilities responsibly to [email protected].