Privacy Policy

Last updated: May 5, 2026

1. Introduction

This Privacy Policy explains how Play My Game ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our platform. We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR — Regulation (EU) 2016/679), the ePrivacy Directive, and Romanian data protection legislation (Law 190/2018). By using our Service, you acknowledge that you have read and understood this Privacy Policy.

2. Data Controller

Play My Game is the data controller responsible for your personal data as defined by GDPR Article 4(7).

For any data protection inquiries, you can reach us at: contact@playmygame.net

3. Information We Collect

We collect the following categories of personal data:

Account information: name, email address, Roblox username, date of birth (for age verification)
Developer information: business name (optional), transaction and payment history
Identity verification data: government-issued ID and proof of address (only when KYC verification is required for high-value redemptions or suspected fraud — see AML section in Terms of Service)
Usage data: game playtime records, task completions, reward history, app interaction data
Technical data: device type, operating system, app version, IP address (for security and fraud prevention)
Payment data: processed by Stripe — we do not store your full credit card details

We collect data that you provide directly (during registration, profile updates, verification, or support requests) and data generated through your use of the Service.

4. Legal Basis for Processing (GDPR Art. 6)

We process your personal data on the following legal bases:

Contract performance (Art. 6(1)(b)): To provide the Service, manage your account, process rewards, and fulfill promotion packages.
Legitimate interest (Art. 6(1)(f)): To prevent fraud, ensure platform security, improve our Service, and enforce our Terms. Our legitimate interest assessment balances our need to protect the platform against any impact on your rights.
Legal obligation (Art. 6(1)(c)): To comply with anti-money laundering regulations (EU AMLD / Romanian Law 129/2019), tax, accounting, and other legal requirements. This includes KYC verification and transaction monitoring.
Consent (Art. 6(1)(a)): For optional communications such as marketing emails. You may withdraw consent at any time without affecting the lawfulness of prior processing.

5. How We Use Your Information

We use your personal data to:

Operate and maintain the platform
Verify playtime and process reward eligibility
Process gift card redemptions
Process developer promotion package payments
Perform identity verification (KYC) where required by law or our risk policies
Monitor transactions for suspicious activity in compliance with AML regulations
Communicate with you about your account, transactions, or support requests
Detect and prevent fraud, abuse, and security threats
Comply with legal obligations
Improve the Service based on aggregated, anonymized usage patterns

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

6. Data Sharing & Third Parties

We share your data only with the following categories of third parties, strictly as necessary to provide the Service:

Supabase (database hosting, hosted on AWS)
Stripe (payment processing for developer purchases)
Roblox (playtime verification via game server integration — only Roblox username and playtime data)
Gift card fulfillment providers (email address for digital delivery)
Regulatory authorities (where required by law, such as suspicious transaction reports to ONPCSB under AML legislation)

All third-party processors are bound by data processing agreements (GDPR Art. 28) and are required to handle your data in accordance with applicable data protection laws. We do not share your data with advertisers or data brokers.

7. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States (where some of our service providers operate). Where such transfers occur, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission (GDPR Art. 46(2)(c)), to protect your data in accordance with GDPR requirements.

8. Data Retention

We retain your personal data for as long as your account is active and as necessary to provide the Service. After account deletion:

Personal profile data is deleted within 30 days
Transaction records are retained for up to 7 years for tax and legal compliance
KYC/identity verification data is retained for 5 years after the end of the business relationship, as required by AML regulations (Romanian Law 129/2019, Art. 25)
Anonymized, aggregated analytics data may be retained indefinitely
Fraud-related data may be retained to prevent repeat abuse

Inactive accounts (no login for 24 months) may be flagged for deletion with 30 days' notice via email.

9. Marketing Communications

If you opt in to marketing communications during waitlist signup or registration, we may send you emails about:

Platform launch announcements and updates
New features and improvements
Reward opportunities and promotions

Marketing emails are sent only with your explicit consent (GDPR Art. 6(1)(a)). We record the date and time of your consent as proof. Every marketing email includes an unsubscribe link. You can withdraw your consent at any time by clicking "Unsubscribe" in any email or by contacting us at contact@playmygame.net. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal. Transactional emails (such as verification codes, account security alerts, and reward confirmations) are not marketing emails and are sent under contract performance (Art. 6(1)(b)) — these do not require consent and cannot be unsubscribed from while your account is active.

10. Cookies & Local Storage

Our mobile app uses local storage (AsyncStorage) solely to maintain your login session. This is a strictly necessary function and does not require consent under the ePrivacy Directive (Art. 5(3)). Our web version may use essential cookies for session management. We do not use tracking cookies, advertising cookies, or analytics cookies that track individual users across websites.

11. Children's Privacy

Our Service requires users to be at least 13 years old, in compliance with GDPR Article 8 and applicable national implementations. We verify age during registration through date of birth collection. We do not knowingly collect personal data from children under 13. If we become aware that we have collected data from a child under 13, we will delete the account and associated data promptly. Users aged 13-17 may use the Service with parental consent but cannot redeem rewards (gift cards) until age 18. Parents or guardians may contact us at any time to request information about or deletion of their child's data.

12. Your Rights Under GDPR

If you are in the European Economic Area, you have the following rights:

Right of access (Art. 15): Request a copy of your personal data
Right to rectification (Art. 16): Correct inaccurate or incomplete data
Right to erasure (Art. 17): Request deletion of your data ("right to be forgotten") — subject to legal retention obligations
Right to restrict processing (Art. 18): Limit how we use your data
Right to data portability (Art. 20): Receive your data in a structured, machine-readable format
Right to object (Art. 21): Object to processing based on legitimate interests
Right to withdraw consent (Art. 7(3)): Withdraw consent at any time where processing is based on consent
Right not to be subject to automated decisions (Art. 22): Request human review of decisions made solely by automated processing that significantly affect you

To exercise any of these rights, use the "Delete my account" option in the app or contact us at contact@playmygame.net. We will respond to your request within 30 days. If we need to extend this period, we will notify you within the initial 30-day period with the reasons for the delay. You also have the right to lodge a complaint with your local data protection authority.

Note: Certain data may be exempt from erasure requests where retention is required by law (e.g., AML record-keeping obligations).

13. Security Measures

We implement appropriate technical and organizational measures to protect your personal data (GDPR Art. 32), including:

Encrypted connections (HTTPS/TLS) for all data in transit
Row-level security policies on our database
Server-side validation and access controls
Secure API key management
Regular security reviews

While we strive to protect your data, no method of electronic transmission or storage is completely secure. In the event of a data breach affecting your personal data, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR Articles 33 and 34.

14. Data Protection Impact Assessment

Where our processing activities are likely to result in a high risk to the rights and freedoms of individuals, we conduct Data Protection Impact Assessments (DPIAs) in accordance with GDPR Article 35. This includes processing related to fraud detection, transaction monitoring, and identity verification.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. Material changes will be communicated via in-app notification at least 14 days before taking effect. The "Last updated" date at the top of this policy indicates when it was last revised. We encourage you to review this policy periodically.

16. Contact & Data Protection

For any questions, concerns, or requests related to this Privacy Policy or your personal data, contact us at:

Play My Game
Email: contact@playmygame.net

If you are not satisfied with our response, you have the right to lodge a complaint with your national data protection authority. For Romanian residents, this is the ANSPDCP (Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal) — www.dataprotection.ro.