Effective Date: May 18, 2025
Introduction
Gentleland (“Gentleland”, “we”, “us”, or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you visit or use gentleland.gg (the “Site”) or any related services including our Gentleland Aegis platform. We process personal data in accordance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), and related EU privacy laws. We also adhere to relevant German telemedia and telecommunications data protection laws for online services.
By using our Site or services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please refrain from using the Site. This Privacy Policy is incorporated into our Terms and Conditions, and by using the Site you consent to the practices described herein.
Data Controller and Contact Information
The “data controller” responsible for processing your personal data through gentleland.gg is:
- Gentleland (operator of gentleland.gg). (We are a business registered in Germany.)
- Registered Address: Reichsstraße 2, 14052 Berlin, Germany.
- Email: info@gentleland.net (for privacy inquiries or to contact our data protection team).
If you have any questions about this Privacy Policy or how we handle your personal data, please contact us at the above email or mailing address.
Note: At this time, we have not appointed a Data Protection Officer (DPO) because we are not legally required to do so. However, our privacy team will be happy to assist with any data protection queries or requests.
Personal Data We Collect
We collect various types of personal data from you for different purposes. “Personal data” means any information relating to an identified or identifiable natural person. The categories of data we collect include:
1. Information You Provide to Us: These are details you knowingly give us when using our Site or services, such as:
- Contact Information: e.g. your name, email address, and other identifiers. We collect these when you create an account, join our waitlist or newsletter, fill out forms on our Site, or communicate with us. For instance, if you sign up to be notified about our launch or subscribe to Gentleland News, you will provide your name and email.
- Account Data: If you register for an account on Gentleland Aegis or any of our services, we may collect a username, password (stored in hashed form), and profile information (such as a display name or avatar if you choose to provide one). Any content you upload or submit within the platform (e.g. project information, messages) may also constitute personal data if it contains personal identifiers.
- Payment and Billing Information: If you make a purchase or subscribe to a paid service through our Site, we (or our payment processor) collect information to process the transaction. This can include your name, billing address, payment method details (such as credit card number, expiration date), and transaction details. Note: Actual payment card information (card numbers, CVV) is handled directly by our payment partner (Stripe) and is not stored on our servers (see “Stripe” under Third-Party Services below). We may retain non-sensitive details like the last four digits of your card, card type, or a transaction ID for record-keeping.
- Communications: If you contact us (e.g. via email, contact form, or support channels), we will collect the information you provide in your inquiry, which may include your name, email, and the content of your message. We will also keep a record of our correspondence.
- Community and Profile Information: We offer community features such as integration with Discord (see details below). If you choose to join our Discord community or otherwise link your Gentleland account with third-party services, we may collect identifiers such as your Discord username or other profile IDs to manage your access. Any information you share on those platforms (for example, posts or profile details on Discord) is voluntary and may be visible to other community members.
2. Information Collected Automatically: When you use our Site or platform, we automatically collect certain data about your device and usage of the Site through cookies, log files, and other tracking technologies. This information may include:
- Technical Data: e.g. your IP address, device type, browser type and version, operating system, screen resolution, language preferences, and similar technical information. This data is sent automatically by your browser/device as you navigate our Site. We use IP addresses to infer approximate location (city/country level) to understand where our visitors come from and to detect potential fraudulent or malicious activity.
- Usage Data: e.g. pages or screens you view, the dates/times of your visits, the amount of time spent on pages, click-stream data (which links you click), and search queries on the Site. We also record performance data like errors or loading times to improve our service. This usage information is typically aggregated and does not directly identify you; however, it may be linked to your IP or user account if logged in.
- Cookies and Similar Technologies: We and our analytics partners use cookies, pixels, and local storage to collect and store information when you interact with our Site. Cookies are small text files placed on your device (computer or mobile) when you visit websites. They help us recognize your browser and remember information like your preferences or login status. For instance, we use cookies to keep you logged in as you navigate through the platform, and to recall your cookie consent choices. We also use cookies and tracking scripts from third parties (such as Google Analytics) to understand how users arrive at and use our Site (see Cookies and Tracking section below for details). You have control over non-essential cookies, as described further below.
We may combine the information you provide with information collected automatically to personalize your experience and to detect and prevent fraud. We do not use any of the personal data we collect to draw automated conclusions about you beyond what is stated in this Policy, and we do not profile you in a way that produces legal effects or similarly significant effects.
3. Children’s Data: We do not knowingly collect personal data from children under 16 years of age without parental consent. Our Site is intended for general audiences and our services are aimed at users who are at least 16 (or have obtained parental consent if younger). If you are under 16, please do not provide personal information to us unless your parent or guardian has reviewed and agreed to this Policy (see Children’s Privacy section for more).
Purposes and Legal Bases for Processing
We process your personal data only for specified and legitimate purposes. For each purpose, the GDPR requires us to have a legal basis. Below, we describe the purposes for which we use your data and the corresponding legal bases under Article 6 GDPR:
- Providing and Improving Our Services: We use your information to allow you to use the Gentleland platform and Site features, including creating and managing your user account, providing the functionalities of Gentleland Aegis (such as project management tools), and customizing your experience (for example, remembering your settings or game development interests). We also process data to maintain and improve our services – for instance, debugging performance issues or developing new features based on how users interact with the platform.
Legal Bases: This processing is generally necessary to perform our contract with you (Art. 6(1)(b) GDPR) – for example, when you sign up for our service, we process your data to provide the service you requested. In cases where improvement or analytics activities are not strictly necessary for the contract, we rely on our legitimate interest (Art. 6(1)(f) GDPR) in ensuring our services are functional, secure, and optimized for our users. We always balance our interests with your data protection rights, and where required by law (e.g., for non-essential analytics cookies), we will seek your consent first.
- User Registration and Account Management: To enable account creation and authentication, we process data like your email (as a login identifier) and password. We also use your email to verify your account and send important account-related communications (such as account confirmation, password reset, or notifications about critical changes to the service).
Legal Basis: Performance of a contract (Art. 6(1)(b) GDPR). We cannot provide an account or maintain it without processing this data.
- Communication and Customer Support: We process your contact details and correspondence to communicate with you, answer your questions, and provide customer support. For example, if you email support or submit a query, we will use your name and email to respond, and we may use details of your issue to troubleshoot and resolve it. We might also send you service notifications (e.g., if our policies change or if there’s an update to the platform that affects you).
Legal Bases: Our legitimate interest (Art. 6(1)(f)) in providing you with timely and effective support and ensuring customer satisfaction. In some cases, communication may be in furtherance of performing our contract with you (Art. 6(1)(b)), such as helping you use a feature you paid for. We will not send you marketing content without your consent (see next point).
- Marketing and Newsletters: If you join our waitlist or opt-in to receive newsletters, updates, or promotional communications, we will use your email (and possibly your name) to send you those communications. This includes Gentleland News updates, announcements about new features or events, and occasional surveys or offers we think may interest the game development community.
Legal Basis: Consent (Art. 6(1)(a) GDPR). We will only send you marketing emails if you have given us explicit consent (for example, by ticking a signup box or confirming your email in a double opt-in process). You have the right to withdraw your consent at any time. Each marketing email will include an “unsubscribe” link; clicking that will stop further emails. You can also withdraw consent by contacting us at any time. (Note: Even if you opt out of marketing, we may still send essential service or account communications as noted above, since those are not promotional.)
- Payments and Transactions: When you make a purchase or payment through our Site (for example, if we offer premium services or crowdfunding contributions), we process your personal data to fulfill the payment and keep proper records. This includes processing payment information via Stripe, verifying that payment was successful, and recording the transaction in our systems. We may also use payment and purchase data to detect and prevent fraudulent transactions.
Legal Bases: Performance of contract (Art. 6(1)(b)) – processing your payment is necessary to provide the service or product you are buying. Additionally, we have legal obligations (Art. 6(1)(c)) to retain certain transaction records for financial reporting, tax, and accounting (see Data Retention below for retention periods). We also rely on legitimate interest (Art. 6(1)(f)) for fraud prevention – it’s in our interest (and yours) that we ensure payments are legitimate and secure.
- Analytics and Product Development: We analyze how users use our Site and platform to understand what is working well and what could be improved. For example, we look at aggregated data on page visits, feature usage, and user flows. We also use Google Analytics cookies (with your consent) to collect statistics about our web traffic and user demographics. This helps us make data-driven decisions to improve content, UI/UX design, and overall user satisfaction. We may generate anonymized or aggregated reports from this data (for instance, total number of visitors, or usage trends) which do not identify individuals.
Legal Bases: For analytics involving cookies or tracking, we rely on your consent (Art. 6(1)(a)), obtained via our cookie consent banner in compliance with GDPR and the German Telemedia Data Protection Act (TTDSG). Where analytics can be done without cookies (e.g., using server logs in a privacy-friendly way) or for purely functional analysis, we rely on legitimate interests (Art. 6(1)(f)). Our legitimate interest is in improving our service quality and competitiveness; however, we will not override your rights and freedoms – for instance, if you opt out of analytics, we will respect that choice.
- Security and Abuse Prevention: We monitor and may process personal data to maintain the security of our Site and users. This includes using things like IP addresses, activity logs, and other identifiers to detect and mitigate malicious activities (such as hacking attempts, spam, or harassment in our community). We also enforce our Terms and community guidelines, which may involve processing data to investigate potential violations (e.g., checking messages for spam or improper content).
Legal Bases: Legitimate interests (Art. 6(1)(f)) – it is in our (and our users’) interest that our platform remains secure and trustworthy. In certain cases, we may also have a legal obligation (Art. 6(1)(c)) to report illegal activities or cooperate with law enforcement, which can involve processing or sharing data as required by law.
- Legal Compliance and Protection: We process personal data as necessary to comply with our legal obligations, such as keeping records required by law or responding to lawful requests by authorities. We may also process data to establish, exercise, or defend legal claims. For example, if we receive a subpoena or court order, we might need to provide relevant data, or if we are involved in a legal dispute, we may retain and use data as evidence.
Legal Bases: Compliance with a legal obligation (Art. 6(1)(c)) when the law mandates processing or retention (e.g., tax laws, court orders), and legitimate interests (Art. 6(1)(f)) when protecting our legal rights (which is recognized as a legitimate interest). If we need to process data for a purpose not described above, we will, if required, seek your consent or ensure another valid legal basis applies.
If we ever plan to use your personal data for a new purpose that is incompatible with the purposes listed above, we will update this Privacy Policy and inform you as required by law. We will also, if necessary, obtain your consent for the new processing.
Cookies and Tracking Technologies
As noted, Gentleland uses cookies and similar tracking technologies to ensure our Site functions correctly and to enhance your user experience. This section provides more detail on our use of cookies and how you can manage them.
What Are Cookies?
Cookies are small text files that websites save on your device (computer, smartphone, etc.) when you visit. They allow the website to remember your actions and preferences (such as login, language, font size, and other display preferences) over a period of time, so you don’t have to re-enter them whenever you come back to the site or browse from one page to another. Cookies can also enable tracking of your browsing across different sites and services.
In addition to cookies, we may use pixel tags (small images embedded on pages or in emails that provide insight into usage) and local storage (a browser feature for storing data locally). In this Policy, we refer to all these technologies collectively as “cookies” or “tracking technologies.”
Types of Cookies We Use:
We use the following categories of cookies on gentleland.gg:
- Necessary Cookies: These cookies are essential for the operation of our Site and for you to be able to use its features. They enable core functionality such as user authentication, security, and network management. For instance, when you log in, a session cookie keeps you logged in as you navigate between pages. Necessary cookies also include those that remember your cookie consent preferences so we don’t ask you every time. Without these cookies, services you have asked for (like accessing secure areas or making a purchase) cannot be provided.
Legal basis: We use necessary cookies to provide you with the service you explicitly request, so under GDPR and §25 TTDSG (Germany), no additional consent is required for these. Our legitimate interest is to ensure the website functions properly.
- Preference Cookies: These cookies allow our Site to remember choices you make (such as your username, language, or region) and provide enhanced, more personalized features. For example, if our platform offers a dark/light theme toggle or language selection, a cookie might remember your choice so you don’t have to reset it each visit.
Legal basis: Legitimate interest in enhancing user experience, or consent where required (some jurisdictions might treat certain preference cookies as requiring consent if they are not strictly necessary). We typically treat preference cookies similar to necessary ones since they exist to provide functionality you actively choose.
- Analytics Cookies: We use these to collect information about how visitors use our Site. Google Analytics is the primary analytics tool we use. Analytics cookies gather data such as what pages are visited, how long users stay, how users navigate the Site, what links are clicked, and if any errors occurred. The information is aggregated and anonymized, meaning it does not directly identify you. For example, we might see that X% of users come from a certain country or that a specific article is viewed most often, but we do not know which specific user did so. This data helps us understand user behavior and improve our website content and structure.
Legal basis: Consent. These cookies will only be set if you consent via our cookie banner or settings (GDPR and German law require opt-in consent for non-essential cookies). If you decline, your site experience won’t be affected except that we won’t have data on your visit in our analytics.
- Marketing/Tracking Cookies: (Currently, Gentleland.gg does not use third-party advertising cookies). If in the future we integrate advertising or cross-site trackers, those would fall in this category. Such cookies would track your browsing habits across sites to show you targeted ads. They often come from third-party advertising networks. We are not using these as of the latest update of this Policy, and any change would prompt an updated consent request.
Legal basis: Consent, if ever used.
Third-Party Cookies:
Some cookies on our Site are first-party (set by gentleland.gg domain) and others are third-party (set by external services). For example:
- Google Analytics sets cookies (like _ga, _gid) on your browser to collect usage stats. These cookies assign a random ID to your device to distinguish users (without identifying you personally by name).
- If we embed content from other platforms (like a YouTube video or a Discord widget), those platforms may set their own cookies. We currently link to Discord and other social media via simple links, which do not set cookies until you click them. If that changes (e.g., embedding a Discord chat on our site), we will update our cookie disclosures.
Cookie Consent and Control:
When you first visit our Site, you will see a cookie consent banner (if non-essential cookies are in use). This banner allows you to accept or decline different categories of cookies (except strictly necessary ones, which are always enabled). We will not set analytics or marketing cookies unless you opt-in. Your consent choices will be remembered for future visits (with a mechanism to re-ask you after a certain period or if our cookie usage changes materially).
If you want to change your cookie preferences later, you can do so at any time. We may provide a “Cookie Settings” link on our Site for you to update your consent. Additionally, most web browsers let you control cookies through the browser settings: you can usually refuse new cookies, delete existing ones, or have the browser ask you each time a cookie is about to be placed. Please note that blocking all cookies (especially necessary ones) may impact your ability to use certain parts of our Site (for example, you might not be able to log in or use certain features).
For more information about cookies and how to manage or disable them, you can visit external resources such as AllAboutCookies.org.
Use of Google Analytics:
We specifically use Google Analytics provided by Google Ireland Limited (for EU users) to collect analytics data. Google Analytics uses its own cookies and similar technologies to analyze how users use our Site. The information collected (usage data as described above, and truncated IP address) will be transmitted to and stored by Google on servers, which may be outside the EU (e.g., in the USA – see “International Data Transfers” section for how we protect that data).
We have taken steps to safeguard your privacy in the context of Google Analytics:
- IP Anonymization: We have activated Google’s IP anonymization feature. This means that, within the EU/EEA, Google truncates/anonymizes the last octet of your IP address as soon as technically feasible (before storing it). The full IP address is not written to disk on Google’s servers. This reduces the granularity of location data in the analytics.
- Data Sharing Settings: We have disabled data sharing with other Google products and services to limit how Google can use the analytics data. We also do not use User-ID or other features that could identify you across devices.
- Retention: We have set a data retention period (e.g., 14 months) for user-level and event-level data in Google Analytics, after which it is deleted from Analytics servers.
- Opt-Out: You are not tracked by Google Analytics if you do not consent to analytics cookies. If you have consented previously and change your mind, you can delete cookies or use our Site’s cookie settings to withdraw consent. Additionally, Google provides an opt-out browser add-on (for Chrome, Firefox, etc.) which, once installed, prevents Google Analytics from collecting information on any site: you can obtain this from Google’s site.
- Further Information: Google’s Privacy Policy (https://policies.google.com/privacy) provides more details on how Google processes data. Google also offers information on how Analytics works and how they safeguard data (search for “Google Analytics GDPR compliance” for their documentation).
By consenting to analytics cookies on our Site, you are permitting the processing of your data by Google as described. If you choose not to consent, you can still fully use our Site – no functionality is lost except that we won’t have your usage data in our metrics.
Do-Not-Track Signals:
“Do Not Track” (DNT) is a preference you can set in your web browser to inform websites that you do not want to be tracked across different sites. Our Site honors Do Not Track signals for analytics and marketing purposes. If your browser is set to DNT, we will not load third-party analytics or marketing scripts that use cookies, unless you explicitly override this by consenting via our banner. Note that DNT may not affect essential first-party cookies or certain necessary tracking (which is only used for the current site’s functional purposes).
Disclosure of Personal Data to Third Parties
We treat your personal data with care and confidentiality. We do not sell your personal information to third parties. However, in order to run our business and provide services to you, we may need to share certain data with trusted third parties – such as service providers and partners – under strict conditions. This section describes who we share data with, what we share, and why. All such third parties are bound by contracts or legal obligations to only use your data for the purposes we specify and to protect it in line with this Policy and the GDPR.
1. Service Providers (Processors): These are third-party companies we hire to perform services on our behalf that involve processing personal data. They include:
- Gentleland Aegis (Internal Tool): [Proprietary Service] – Gentleland Aegis is our own platform/tool that powers much of gentleland.gg’s functionality (project management, user interactions, etc.). Although not an external third party, we mention it here for clarity. Data you enter into Gentleland Aegis (e.g., your profile, project data, communication within the tool) is stored on our servers or our cloud infrastructure. Only authorized Gentleland staff and contractors have access to this data, and it is processed according to the purposes outlined in this Policy. We may use third-party hosting or cloud services to store Aegis data, but those providers act under our instructions and are covered by data processing agreements. (In summary, Aegis itself doesn’t “share” your data outside Gentleland; it’s listed to be transparent about our internal processing.)
- Stripe (Payment Processor): We use Stripe for secure payment processing. If you make a purchase or any payment through our Site, the transaction is handled by Stripe. This means your payment details (credit/debit card number, expiration, CVV) are submitted directly to Stripe via an encrypted connection; we do not see or store that sensitive financial information (though we may store a token or reference that Stripe provides to identify your transaction). Stripe will process your payment and remit funds to us. In doing so, Stripe collects and processes personal data such as: payment card information, the name on your card, your billing address, your email (for receipt), possibly your IP and device info (for fraud detection). Stripe uses this information to process the payment, comply with regulatory obligations (e.g., anti-fraud, KYC – “Know Your Customer”), and for its internal analytics. Stripe is PCI-DSS compliant and is one of the largest payment processors globally, which means they adhere to high security standards for handling payment data.
Relevant details: Stripe Payments Europe Limited (based in Ireland) is the Stripe entity that generally provides services to EU customers, and Stripe, Inc. (USA) may be involved as a sub-processor. Personal data may thus be transferred to the US (see International Transfers below). We have a Data Processing Agreement with Stripe incorporating Standard Contractual Clauses to safeguard such transfers. Stripe’s privacy policy is available on their website (https://stripe.com/privacy) which explains in more detail how they protect your data.
What we share: To initiate a payment, we share information like the amount to charge, your provided payment details, and your contact info needed for the transaction. To clarify, for credit card payments, our site may either securely transmit your card info to Stripe or you might be redirected to Stripe’s checkout. Either way, Stripe obtains that data directly. After processing, Stripe shares with us a confirmation of payment and certain details like the last four digits of your card, card type, expiration, and a payment ID or token. We use that for record-keeping (e.g., to issue refunds or receipts, and to know what you purchased).
We share your data with Stripe in order to fulfill our contract with you (process the transaction). Stripe is contractually forbidden from using your data for any other purpose than to provide services to us (though they might be separately responsible for some aspects as a controller, for example, fraud monitoring).
- Kit (Email Service by ConvertKit): We use Kit (formerly known as ConvertKit) as our email marketing and mailing list management service. Kit helps us manage subscribers for the Gentleland waitlist, newsletters, and other email updates. If you provide your email (and name) to subscribe to our communications, that data is stored in Kit’s systems. We may also record certain attributes in Kit, like the date of subscription, which emails you open or links you click (to measure engagement and improve our content), and your marketing preferences. Kit allows us to send bulk emails in a personalized way and handle subscriber lists (including unsubscribes and bounces).
Relevant details: Kit is a service operated by ConvertKit LLC, a company based in the United States. Therefore, personal data (like your email) that we manage through Kit is transferred to and stored on servers in the US. We have entered into a Data Processing Agreement with ConvertKit (Kit) including EU Standard Contractual Clauses to protect these data transfers. Kit has also publicly committed to GDPR compliance and participates in privacy frameworks as applicable.
What we share: We provide Kit with the information you submit on our signup forms – typically your email address and sometimes your name. Kit also processes email engagement data on our behalf (like whether you opened an email we sent, or which links you clicked, using tracking pixels in the emails). This helps us understand our audience and ensure we only send relevant content. We do not share any unnecessary data with Kit – for example, if you’re just a user of the platform but not a newsletter subscriber, your data is not sent to Kit by us unless you separately subscribe.
Important: Every email sent via Kit on our behalf will contain an unsubscribe link. If you unsubscribe, Kit will record that so we don’t email you again (aside from potential one-off transactional emails, which come from our system, not Kit).
- Google Analytics (Analytics Provider): As described in the Cookies section, we use Google Analytics to collect site usage statistics. Google acts as a processor for us in this context, meaning it processes the data only as we instruct and for our analytics purposes. Google may use some data for its own purposes as described in its privacy policy (for instance, improving its Analytics service), but in our configuration we have limited data sharing.
What is shared: When you allow analytics, your browser will automatically send certain info to Google (via the Analytics script). This includes identifiers like cookies (_ga, etc.), your truncated IP address, and information about your activity on our Site (page URL, actions, etc.). We do not send Google any of your account data (like name or email). Google might also collect device identifiers. Google aggregates this data to give us reports. We do not receive personal data from Google that identifies you – just aggregated metrics. However, Google might have the ability to identify you across devices if, for example, you are logged into a Google account; that aspect is governed by Google’s terms, not by us.
Sharing rationale: We use Google Analytics to understand and improve how our Site is used. The data shared is pseudonymous analytics data, not direct personal info like your name. Google Analytics will not be run without your consent. If you do consent and later opt out, no further data will be sent to Google.
- Discord (Community Platform Integration): We have an official community on Discord (a third-party communication platform) to engage with our users (for example, for discussions, Q&A, support, or events). If you choose to join the Gentleland Discord server or use a Discord login/integration on our Site, certain data will be exchanged with Discord. This can happen in a few ways:
- If we provide a Discord OAuth login option on our Site (allowing you to sign into Gentleland using your Discord account), then when you click that, you are redirected to Discord to authenticate. With your permission, Discord may then share with us some of your Discord profile information such as your Discord user ID, username, avatar, and the fact that your account is verified. We use this to create or link your Gentleland account. We do not receive your Discord password or any messages.
- If you are in our Discord server, Discord Inc. will process your data independently as the platform provider. This includes anything you post on Discord (messages, images) and your Discord profile information. That data is not collected by gentleland.gg, but we (and other server members) might see it within Discord. For example, if you ask a support question on our Discord, our team may see your Discord username and whatever information you volunteer. We might keep note of the support issue to assist you, but official support requests should be via our Site or email to ensure privacy.
- We may manage Discord roles or rewards for Gentleland users (for instance, if you are a customer or a beta tester, we might give you a special role on Discord). To do this, we could use your Discord ID internally to assign roles via Discord’s system or a bot. This is minimal data usage, linking your Gentleland user status to your Discord account.
Important: Use of Discord is optional. If you prefer not to use it, you can still get support via other channels. If you do use Discord, remember that any information you share there may be visible to other members of the community. Discord has its own privacy policy (https://discord.com/privacy) and terms of service; we encourage you to read them. We do not control how Discord uses data about you (for example, data collected by Discord for their purposes like improving Discord or safety monitoring). We treat Discord primarily as a data controller in their own right for the personal data processed on their platform. We will of course respect your privacy in our use of Discord – for instance, we won’t take a private message you send to us on Discord and publish it elsewhere without your consent, except as needed to resolve a support issue.
International aspect: Discord, Inc. is based in the USA, so your use of Discord will involve data transfer to the US. Discord participates in compliance frameworks and uses Standard Contractual Clauses for EU data transfers, as noted in their policy.
- Zapier (Automation Service): We use Zapier to connect and automate workflows between various apps and services we use. Zapier is an online automation tool that acts as an intermediary – it can receive data from one service and send it to another based on triggers we configure (these automated connections are called “Zaps”). For example, we might have a Zap that says “When a new user signs up on gentleland.gg, add their email to a Notion database or send a welcome message via another service.” In doing so, Zapier will process certain personal data as it passes through their system.
What data is involved: It depends on the integration. Typical use cases might involve data like: your email and name (to add to a mailing list or Notion entry), a Discord ID or message (to relay a notification), or form responses if you fill out a survey that we connect to another tool. We strive to minimize the data sent through Zapier – only what’s necessary for the automation. Zapier logs activity for reliability, which might include the data content in transit (temporarily).
Role of Zapier: In GDPR terms, Zapier might be considered a processor for us because it’s handling data on our instructions, or in some cases a sub-processor to another service. We have a Data Processing Agreement with Zapier, Inc. to ensure they protect the data and use it solely for providing the automation service.
International transfers: Zapier, Inc. is based in the United States. Data passed through Zapier may be routed through US servers. Zapier has certified to comply with EU data transfer requirements (they utilize Standard Contractual Clauses and have a commitment to GDPR as per their documentation).
Security: Zapier employs encryption and other measures to protect data in transit. However, as with all cloud services, there’s a theoretical risk whenever data moves between apps. We evaluate the sensitivity of data before automating it via Zapier. Highly sensitive data (if any) would not be sent through multi-step automations without strong safeguards.
- Notion (Internal Collaboration and Data Management): We utilize Notion (Notion Labs, Inc.) as an internal productivity and collaboration tool. Notion is essentially a workspace where we can create documents, databases, and to-do lists for running Gentleland’s operations. It’s possible that in the course of our internal record-keeping, some personal data about users gets stored in Notion. For example, we might maintain a Notion database of user feedback or feature requests, which could include the names or emails of users who gave feedback. Or our team might document a support workflow in Notion referencing a username. We also might draft content in Notion that eventually is published (like blog posts or this Privacy Policy).
What data is shared: We do not actively share your data with Notion for their independent use. Notion is a tool we use to store and organize our information – they act as a data processor/storage provider. Any personal data in Notion is put there by our team for internal purposes (e.g., project management, support tracking). Examples of data that could reside there: a list of newsletter subscribers (if we were to store that as backup), a list of contest winners and their emails (for a community event), or meeting notes that include user names. This is all within our control.
Privacy and security: Notion Labs, Inc. is US-based, so data stored in our Notion workspace may reside on US servers. They have committed to GDPR compliance and, as of 2023/2024, announced plans for EU data center options. We have a Data Processing Addendum with Notion that includes Standard Contractual Clauses for any EU-US data transfer. Notion data is encrypted at rest and in transit. Access to our Notion workspace is limited to our authorized team members, and protected by authentication (including two-factor authentication). Notion personnel do not access our content except in rare cases where they might need to for technical support or if required by law.
Retention: We retain data in Notion as long as it’s useful for operations. If it includes personal data and is no longer needed, we delete it from Notion as part of our data retention routine.
- Other Vendors: We may employ additional third-party services for specific functionalities, for example: web hosting/data center providers, cloud infrastructure (servers, databases, backup services), email delivery services for transactional emails, analytics tools, error tracking services, content delivery networks (CDN), etc. Rather than list every provider here, we summarize that any third-party infrastructure or software tool we use will be vetted for security and privacy. They will only get the data necessary for their function. For instance: our website might be hosted on a cloud platform (like AWS, Azure, or similar) – that means any data you submit to gentleland.gg is stored on their servers but under our control. They are not allowed to access or use it except for storage and compute tasks. If we use a tool like Sentry (error monitoring) and an error occurs during your use, some data like your user ID or device info might be captured in a log – solely to diagnose the issue. All such providers operate under contracts that include data protection clauses. If you need an exhaustive list of sub-processors, you may contact us and we can provide an updated list of key providers.
2. Business Partners and Affiliates: We do not currently share personal data with any joint venture partners, affiliates, or advertising partners for their own use. If in the future we collaborate with another company (for example, running a joint event or promotion), we would only share data with them if you have been informed and, if legally required, given your consent. Any such sharing will be clearly explained at the point of data collection or in a separate agreement.
3. Legal Disclosures: We may disclose your personal data outside our company if required by law or necessary to protect lawful interests, such as:
- Compliance with Laws: If we receive a request from law enforcement, a court order, or any governmental authority legally empowered to obtain your information, we may provide the requested data. We will only do so after verifying the legitimacy of the request and only the minimum data necessary.
- Enforcement of Our Rights: We may share information as needed to enforce or apply our Terms and other agreements, or to investigate potential violations. For example, if someone is found misusing our platform in a manner that violates the law or others’ rights, we might report that (along with relevant data) to the authorities.
- Protection of Interests: If necessary, we might disclose data to protect the rights, property, or safety of Gentleland, our users, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.
We will aim to notify you if we are compelled to disclose your data in this way, unless legally prohibited (e.g., some government requests cannot be disclosed to the user by law).
4. Corporate Transactions: In the event that Gentleland goes through a business transition such as a merger, acquisition by another company, sale of all or part of its assets, or financing, or in the unlikely event of bankruptcy or insolvency, user data (which may include your personal data) could be among the assets transferred to or reviewed by third parties as part of due diligence or the final transaction. In such cases, we will ensure that any party receiving your information is bound by confidentiality until this Privacy Policy can continue to apply to the data or a notice is provided to you. If a transaction results in a new entity being responsible for your personal data, we will notify you and ensure the new owner’s privacy policy is made available or your data is handled in accordance with GDPR.
Rest assured, outside of the scenarios described above, we will not share your personal data with third parties without your consent. Specifically, we do not give your data to third parties for their own marketing purposes.
International Data Transfers
Gentleland is based in Germany, but we utilize services and technology infrastructure that may reside in other countries. Your personal data may be transferred to, and processed in, countries other than the one in which you reside. In particular, many of our external service providers listed in the previous section are located outside the European Economic Area (EEA). For example, the United States is a country where several of our processors (Stripe, ConvertKit/Kit, Discord, Zapier, Notion, Google) are headquartered or have servers.
While transferring data internationally is often necessary to provide our services efficiently (e.g., using global cloud providers), we remain committed to ensuring an adequate level of protection for your information as required by the GDPR. Whenever we transfer personal data out of the EEA to a country that the European Commission has not deemed to have an “adequate” level of data protection (such as the U.S.), we implement at least one of the following safeguards:
- Standard Contractual Clauses (SCCs): For transfers to our service providers outside the EU/EEA, we have signed the European Commission’s approved Standard Contractual Clauses in our contracts with those providers. These SCCs legally require the recipient to protect your data to EU standards and give you enforceable rights. We monitor legal developments around SCCs and supplement them with additional measures as needed (see below).
- EU-U.S. Data Privacy Framework (DPF): Where applicable, we may rely on the new EU-U.S. Data Privacy Framework. For instance, if a U.S.-based service provider is certified under the DPF (as of 2025), this means they are committed to comply with high data protection principles recognized by the EU. If our providers are part of this framework (or a UK/Swiss equivalent), we will note that as a safeguard.
- Additional Technical Measures: We evaluate on a case-by-case basis whether further measures are needed to protect data transferred abroad. Such measures could include: end-to-end encryption of data (so the foreign service provider cannot read it unless necessary), data minimization (sending the least personal data possible), and storing data in Europe when feasible. For example, we have IP anonymization enabled for Google Analytics to limit what is sent to Google’s servers. For some services, we may also utilize EU data center regions (if offered by the provider) to localize data storage.
- Contractual and Organizational Measures: Beyond SCCs, we ensure that our contracts with third parties obligate them to assist with GDPR compliance (like honoring data subject rights requests) and to notify us if they can no longer meet the required protections. We also carefully select reputable companies with strong security track records to minimize risk.
- Explicit Consent or Derogations (only if necessary): In very rare situations, if none of the above mechanisms are available, we might ask for your explicit consent to a particular transfer (per GDPR Art. 49(1)(a)), after informing you of any potential risks. Alternatively, we might rely on another permitted derogation under Art. 49, such as if the transfer is necessary for the performance of a contract with you, or for the establishment, exercise or defense of legal claims. We emphasize that these cases are exceptions and our aim is to rely on robust standard mechanisms for routine transfers.
Specific Third-Country Details: Data stored in the United States (by our providers) is protected by the safeguards mentioned. The U.S. currently does not have an EU adequacy decision (aside from the new DPF for certified companies), which is why we rely on SCCs and the DPF. If any provider sub-processes data in other countries (e.g., an EU provider that uses a sub-processor in India), we ensure similar safeguards through our agreements.
You have the right to request more information about our international data transfers and the safeguards in place. If you would like to know more or obtain a copy of the relevant contractual clauses, please contact us (contact details in the last section). We may need to redact certain parts of legal documents for confidentiality, but we will provide as much information as possible.
We understand that cross-border data privacy is an evolving area, and we stay updated on legal developments (such as court rulings and regulatory guidance). Should the transfer mechanisms we rely on be invalidated or require changes, we will promptly work to comply with the updated requirements and ensure any affected data transfers are brought into compliance (potentially pausing transfers if necessary until compliance is assured).
Data Retention
We keep your personal data only for as long as necessary to fulfill the purposes for which it was collected, or to satisfy legal or business requirements. Once your data is no longer needed, we will delete it or anonymize it. Below we outline the typical retention periods for different categories of data:
- Account Data: If you create an account on Gentleland.gg, we will retain your account information (such as your name, email, profile info, and any content or projects you have on the platform) for as long as your account is active. You can delete your account at any time through your profile settings or by contacting us with a deletion request. If you delete your account, we will remove or anonymize personal data associated with your account within a reasonable timeframe (usually within 30 days), unless we are required to keep it for legal reasons. If your account is inactive for an extended period, we may contact you to confirm if you want to maintain it; if we receive no response, we may delete or anonymize the account after giving notice.
- Waitlist/Newsletter Subscriptions: For users who have subscribed to our waitlist or newsletter (but perhaps do not have a full account), we will retain your contact information (e.g., email, name) until you unsubscribe or until we no longer send newsletters. If you unsubscribe or opt-out, we will promptly remove you from the active mailing list. However, we might keep your email on a suppression list (a minimal record) to ensure we respect your opt-out and don’t accidentally send you emails in the future – this is a standard practice to comply with anti-spam laws. Suppression list entries are kept indefinitely (to honor opt-outs) unless you specifically request we remove your email entirely, in which case we will do so if we have no other lawful basis to retain it.
- Payment and Transaction Records: We retain transaction data as long as required by financial and tax regulations. In Germany, laws like the Commercial Code (HGB) and Tax Code (AO) mandate that we keep books, records, and documents (including invoices and payment records) for a period of generally 10 years from the end of the year in which they were created. Therefore, if you made a purchase or payment, the basic transaction information (e.g., invoice, amount, date, payment method, your name/email, and any billing details) will be retained for up to 10 full fiscal years. Even if you delete your account or ask for erasure, we might need to keep invoice data separately under this obligation. We securely store such records and limit access to compliance personnel only. After the retention period, we will delete or anonymize those records.
- Support and Communications: If you contacted us via email or other channels, we may retain that correspondence and our response for a certain period. This helps us have context for any follow-up issues and improve our support. Typically, routine customer service emails are kept for 1-2 years after resolution of the issue, then deleted. In some cases, if the communication could have legal significance (e.g., a complaint, or instructions related to data protection), we might retain it longer to demonstrate compliance (up to the statute of limitations, which in Germany can be 3 years for most civil claims, or longer for specific issues).
- Analytics Data: Data collected via Google Analytics is retained as per our settings with Google. We have set user-level and event-level data in Google Analytics to be deleted after [14 months] of inactivity (or a similar relatively short period), which means if you don’t visit again within that timeframe, your past interaction data is removed from Analytics. Aggregate reports (which contain no personal data) may be kept indefinitely since they contain no identifying info. We also periodically review our own aggregated analytics and may delete raw logs after processing them into summary form. Web server logs that include IP addresses are generally rotated and deleted within 90 days (except if needed for security analysis for longer).
- Community Content: If you post content on our platform (for example, comments in a forum that we may add, or contributions to a collaborative space), those postings might remain visible to other users as long as that feature is active. If you delete the content or your account, we will endeavor to remove it; however, if the content has been shared or made public, we cannot always guarantee complete erasure (for instance, if someone else reposted your comment in their own content on our Site, or if it’s on Discord which is outside our control). We encourage users to avoid sharing personal data in public posts. For Discord specifically, if you leave the server or delete your Discord account, your messages may remain (attributed to a generic “Deleted User”); we generally do not scrub Discord history unless requested for a serious reason, since it’s a public conversation space.
- Legal Hold: Notwithstanding the stated retention periods, if we are under a legal obligation to preserve data (due to litigation, government investigation, or otherwise), or if the data is needed to resolve a dispute, we will retain it for as long as instructed by the authority or as needed to protect our legal rights. During such a period, even if you request deletion, we might not be able to delete your data until the hold is lifted or the matter is resolved. We will inform you if such a situation arises if we are legally permitted to do so.
After the end of the applicable retention period, we will proceed to securely delete or irreversibly anonymize the personal data. Anonymization means we alter the data in such a way that it can no longer be linked to you (for example, aggregating it or hashing identifiers). Anonymized data may be retained for statistical purposes without further notice.
If you have any questions about our data retention practices or want to request deletion of your data, you can contact us (see Contact Information section). In cases where we can’t fully comply (due to legal requirements as explained), we will let you know the reasons.
Your Rights as a Data Subject
As an individual whose personal data is processed by Gentleland, you have certain rights under the GDPR and BDSG regarding that data. We respect and uphold these rights. Below we outline your rights and how you can exercise them:
- Right to Access: You have the right to access the personal data we hold about you and to receive information about how we process it. This is often called a Subject Access Request. Upon request, we will provide you with a copy of your personal data undergoing processing, as well as details such as the purposes of processing, the categories of data, the recipients (or categories of recipients) to whom your data has been or will be disclosed, the envisaged retention period (or criteria to determine it), and the source of the data (if we didn’t get it directly from you). The first copy will be provided free of charge. For additional copies, we may charge a reasonable fee based on administrative costs, or we might refuse if requests are manifestly unfounded or excessive (we will explain our reasoning in such cases).
- Right to Rectification: You have the right to request that we correct any inaccurate or incomplete personal data about you. If you become aware that the information we hold is wrong (for example, you notice a typo in your name or an outdated email address), please let us know. We will promptly correct it. Many basic details can be updated by you directly (for instance, if our Site allows profile editing, you can change your info). For changes that you cannot do yourself, contact us and we’ll make the correction. We may need to verify the accuracy of the new data you provide, but our goal is to ensure we have up-to-date and accurate information.
- Right to Erasure (Right to be Forgotten): You have the right to request deletion of your personal data in certain circumstances. This right is not absolute, but we will honor it when it applies. Situations where you can ask us to delete your data include: (a) when the data is no longer necessary for the purposes we collected or processed it; (b) if you withdraw consent on which any processing is based and we have no other legal basis to continue; (c) if you have objected to processing based on our legitimate interests and we have no overriding legitimate grounds to continue; (d) if we unlawfully processed your data; or (e) if required to erase to comply with a legal obligation. If you request erasure and one of these conditions applies, we will erase your data and also inform any third parties (processors) that are handling it to do the same, where feasible. Please note some data we may not be able to delete immediately due to legal retention obligations (e.g., past transaction records as mentioned) – in such cases, we will isolate that data and secure it until deletion is possible. Also, if your personal data has been made public by you (for example, a forum post), we will take reasonable steps to inform other controllers processing that data to erase links or copies, but complete removal from the internet might be beyond our power if others have republished it.
- Right to Restrict Processing: You have the right to request that we limit the processing of your personal data under certain conditions. Essentially, you can ask us to put your data “on hold” without deleting it, in scenarios like: (a) you contest the accuracy of the data – in this case we’ll restrict processing until we verify accuracy or correct it; (b) the processing is unlawful and you oppose erasure, instead requesting restriction (so we keep the data but don’t use it); (c) we no longer need the data but you need it for establishing, exercising, or defending legal claims; (d) you have objected to processing (see next bullet) and we are verifying whether our legitimate grounds override yours. While processing is restricted, we will store your data but not use it (except maybe to inform you or for necessary legal reasons). If the restriction is later lifted (for example, because the issue is resolved), we’ll inform you.
- Right to Data Portability: For data that you have provided to us and that we process by automated means on the legal basis of consent or contract, you have the right to get that data from us in a structured, commonly used, machine-readable format, and also to have us transmit it to another controller where technically feasible. In practice, this applies to things like information you gave us in your profile or during service use (not to data we derived or inferred). For example, if you provided a lot of content on our platform or profile info, and you want to switch to a competing service, you can ask for an export of your data. We would provide it likely in a format like CSV, JSON, or similar. If you request it, and if the other service supports it, we will try to directly transfer the data to the new service’s operator, but often it’s simplest to give it to you to pass on. Note that this right only covers data you provided; it doesn’t cover data we created internally (like internal analytics or security logs).
- Right to Object: You have the right to object to certain types of processing of your personal data at any time, on grounds relating to your particular situation. The two main scenarios are:
- Direct Marketing: You can always object to processing of your personal data for direct marketing purposes (including any profiling related to marketing). If you object, we will cease using your data for marketing immediately. (This is straightforward in our case: if you object, we’ll stop sending you newsletters or targeted updates – though the easier way is usually to just unsubscribe or not opt-in, but an objection gives an added layer of protection).
- Legitimate Interests: If we are processing your data based on our legitimate interests (Art. 6(1)(f) GDPR), you have the right to object to that processing unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or if we need to continue processing the data for the establishment, exercise, or defense of legal claims. This means, if you object, we will stop the processing in question unless we have a strong justification to continue. For example, if you object to our processing of your data for analytics (if we were relying on legitimate interest for some basic analytics), we would likely stop, because your rights would typically override our interest in optional analysis. However, if you object to something like processing your data to maintain security logs, we might deny that request because maintaining security is a compelling interest. We will carefully assess each objection.
If you do object, please specify which processing you’re objecting to and why, if relevant (though you don’t have to give a detailed reason for marketing objection). This will help us evaluate your request properly.
- Right to Withdraw Consent: If we are processing any of your personal data based on your consent (Art. 6(1)(a)), you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing that was done before you withdrew consent, but it means we will stop the consent-based processing going forward. For example, if you gave consent for us to send newsletters, you can withdraw by unsubscribing and we will cease sending you newsletters. If you consented to analytics cookies, you can change your preference to withdraw that consent and we will stop collecting analytics from your device. Withdrawing consent is as easy as giving it: you can typically use the same mechanism (such as an opt-out link or toggling off in settings) or contact us. There are no penalties for withdrawing consent – it is your right. Just note that if a service can only be provided with your consent (e.g., publishing your profile in a public directory), then withdrawing consent might mean we can no longer provide that service to you.
- Right to Lodge a Complaint: We hope to address any concerns you have directly, but we want to remind you that you also have the right to file a complaint with a data protection supervisory authority. If you believe we have infringed your data protection rights or violated data protection laws, you can complain to an EU supervisory authority, particularly in the country where you reside or work, or where you believe the violation occurred. For example, if you reside in Germany, you can contact the Data Protection Authority of your federal state (such as the Berlin Commissioner for Data Protection and Freedom of Information, if Gentleland is based in Berlin, or the Bavarian State Office for Data Protection if in Bavaria, etc.). A list of German data protection authorities and their contact info is available online (for instance, on the official BfDI website or at https://www.datenschutzkonferenz-online.de). If you reside in another EU country, you can find your authority’s contact on the EU Commission’s website. In addition, you can always contact the Lead Supervisory Authority for Gentleland, which is currently [to be determined based on our main establishment – e.g., Berliner Beauftragte für Datenschutz if in Berlin].
Lodging a complaint will not affect any other administrative or judicial remedy you might have. You also have the right to seek a remedy through courts if you believe your rights have been breached.
How to Exercise Your Rights: To exercise any of your rights, please contact us via email at info@gentleland.net or by mail at our address provided in the Contact section. To ensure the security of your account and data, we may need to verify your identity before fulfilling certain requests (for example, by asking you to provide information that matches our records). This is to prevent unauthorized individuals from accessing or deleting your data.
We will respond to your request as soon as possible, and no later than one month from receiving it. If your request is complex or if we have received many requests, we are allowed to extend this period by up to two further months, but we will inform you within the first month if an extension is needed and the reasons why.
In general, we will comply with your request or let you know why we cannot (with legal justification). For example, if you request deletion, we will either confirm deletion or explain if certain data cannot be deleted due to legal obligations.
We do not usually charge a fee for fulfilling rights requests. However, if requests are manifestly unfounded or excessive (for instance, repetitive without good reason), the GDPR permits us to either charge a reasonable fee (based on administrative costs) or refuse the request. We will of course inform you of any such decision and your options.
Your rights under GDPR and other privacy laws are very important to us. We encourage you to exercise them as needed and promise to facilitate them to the fullest extent required.
Children’s Privacy
Protecting the privacy of minors is especially important. Gentleland.gg and its services are not directed to children under the age of 16, and we do not knowingly collect personal data from children under 16 without appropriate consent.
- Parental Consent: In accordance with GDPR Article 8 and German laws, if you are under 16 years old, you must have your parent or legal guardian’s consent before providing any personal data to us or using our services. We will make reasonable efforts to verify that consent is given or authorized by the parent or guardian, especially in cases where we have any doubt about a user’s age. For example, if a 15-year-old wishes to sign up for a Gentleland account or the waitlist, we may require a parent to confirm consent via email or a consent form.
- No Age Screening for Basic Browsing: Our website’s general informational pages (like blog posts or marketing content) can be browsed without providing personal data, and we do not actively prevent under-16s from viewing the site, as it is not explicit or harmful. However, they are not allowed to submit personal data (like signing up) without consent. We do not use the site to target children. The content is oriented towards game developers and a general audience, not specifically kids.
- If We Learn of Underage Data Collection: If we inadvertently collect personal data from a child under 16 without verification of parental consent (for instance, if a child misrepresents their age and we later discover this), we will delete that data promptly. Specifically, we will erase the child’s personal information from our records and terminate the child’s account (if one exists) unless we receive and verify consent from a parent/guardian. If you believe that a child under 16 may have provided us personal data without parental consent, please contact us immediately at privacy@gentleland.gg so we can take appropriate action.
- Users Outside the EU: We recognize that laws concerning children’s data vary by country. Our policy is to meet the strictest requirements where feasible. In the United States, for example, the Children’s Online Privacy Protection Act (COPPA) sets 13 as the age under which parental consent is required for data collection. We generally choose 16 as the cutoff globally (to meet GDPR’s higher standard), and likewise we will not knowingly collect data from children under 13 in any case without parental consent. If you are in a jurisdiction where the age threshold is higher than 16, we will comply with that (for instance, some countries might set digital consent at 18). Ultimately, if you are considered a minor under your local law, please ensure that your parent or guardian is aware of and consents to your use of our services.
- No Child-Specific Content or Profiling: We do not solicit personal information from children and do not profile children or subject them to automated decisions. We also do not offer features that would inadvertently lead to children disclosing more than necessary. Any community aspects (like Discord) are intended for professional or hobbyist discussions in game development, which typically is not of interest to young unsupervised children. We advise parents who allow their children (aged 16+ or with consent if younger) to use online services to teach them about safe online practices.
If we ever decide to intentionally target a service to children or knowingly collect data from children under 16, we will do so in compliance with all applicable laws (including obtaining verified parental consent and providing age-appropriate privacy notices). As of now, we have no such plans.
Data Security
We have implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk associated with the personal data we process. We take many precautions to protect your data from unauthorized access, alteration, disclosure, or destruction. Here are some key aspects of our security program:
- Encryption: All communications between your browser and our Site are secured via SSL/TLS encryption (HTTPS). This means any data you transmit to us (such as when entering personal information on forms or making payments) is encrypted in transit and cannot easily be intercepted by third parties. Internally, where feasible, we also encrypt personal data at rest – for example, sensitive database fields (like passwords, which are stored hashed, not in plaintext) and backup files are encrypted.
- Access Control: Access to personal data within our organization is restricted on a need-to-know basis. Only employees, contractors, and agents who require access to perform their duties (e.g., customer support staff, engineers maintaining the system) get access, and even then, only to the data relevant for their role. We employ role-based access controls and each authorized person has unique credentials – sharing of accounts is forbidden. Administrative access to our systems is protected by strong authentication (including multi-factor authentication where possible). We also log administrative access and actions in order to have an audit trail of who accessed what.
- Security Testing and Maintenance: We regularly update and patch our systems and software to address security vulnerabilities. Our development practices incorporate security checks – for instance, we sanitize inputs to prevent SQL injection, use parameterized queries, and follow secure coding guidelines. We also utilize firewalls and monitoring tools to guard our network. Regular backups are performed and stored securely (with encryption) to ensure data integrity and availability in case of a system failure. Periodically, we may conduct security audits or penetration testing, either internally or with the help of external experts, to identify and fix potential weaknesses.
- Organizational Policies: We have a comprehensive internal privacy and security policy that all team members must follow. This includes guidelines on how to handle personal data, how to report security incidents, and confidentiality obligations. All team members are trained on the importance of data protection and are required to adhere to these policies. Those who violate our security policies may face disciplinary action, up to termination.
- Third-Party Due Diligence: As noted, we work with third-party service providers for certain functions. Before onboarding a provider that will handle personal data, we assess their security measures and certifications. We choose reputable companies with strong security reputations. Our data processing agreements with them require that they implement appropriate security measures. We remain vigilant and if a provider suffers a breach or is found inadequate, we will reevaluate the relationship.
- Physical Security: Although we operate as an online service (with no public-facing offices storing user data), any physical servers we use (e.g., at data centers) are housed in secure facilities with access controls. Our own devices (laptops, etc., used by staff to access systems) are encrypted and secured with strong passwords. We also maintain secure destruction practices for any physical documents or drives that may contain personal data (though almost all user data is digital for us).
Despite all these efforts, it’s important to understand that no method of transmission over the Internet, and no method of electronic storage, is 100% secure. We cannot guarantee absolute security of information. However, we strive to use commercially acceptable means to protect your personal data. You also play a role: protect your account credentials and do not share your passwords with others. If you believe your account or data might have been compromised (for example, you notice unusual activity on your account), please contact us immediately so we can help secure it.
Data Breach Procedures: In the unlikely event of a data breach that leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data, we have a response plan in place. Our team will promptly investigate the incident, mitigate the damage, and prevent further unauthorized access. We will assess the scope and impact of the breach. If the breach is likely to result in a high risk to your rights and freedoms (e.g., it could lead to identity theft, fraud, or significant privacy harm), we will notify you without undue delay (once we have a handle on what happened and what needs to be done). We will also notify relevant supervisory authorities (such as the German data protection authority) within 72 hours of becoming aware of the breach, if required by law. Our notification to you would include information about the nature of the breach, what data is affected, what we have done or plan to do to address it, and any steps we suggest you take to protect yourself (for instance, changing passwords if needed). We hope never to have to deal with such a scenario, but we want you to know that we are prepared and that we take it extremely seriously.
Updates to this Privacy Policy
We may modify or update this Privacy Policy from time to time in order to reflect changes in our practices, to keep up with new legal requirements, or for other operational reasons. When we make changes, we will update the “Effective Date” at the top of this Policy to indicate when the changes take effect. If the changes are material, we will also provide a more prominent notice – for example, a banner on our website or an email notification, prior to the change becoming effective (where required by law or as a courtesy to keep you informed).
We encourage you to periodically review this Policy to stay informed about how we are protecting your personal data. It’s important that you understand our current practices and your rights.
If you continue to use gentleland.gg or our services after a revised Privacy Policy has become effective, it will signify that you have read and understood the updated version. However, if we seek to process your personal data for a new purpose that requires your consent, we will obtain your consent as appropriate.
For historical reference, we will maintain archives of previous versions of this Policy (available upon request), so you can see how things have changed over time.
Contact Information
Your feedback and questions about privacy are important to us. If you have any questions, concerns, or requests regarding this Privacy Policy or the personal data we hold about you, please contact us at:
Gentleland (Data Protection Team)
Gentleland
Reichsstraße 2
14052 Berlin
Germany
Email: info@gentleland.net
Contact Form: You may also reach us through our website’s contact form at gentleland.gg/contact (if available) – please mention it’s regarding privacy.
Telephone: +49 15222879195
We will endeavor to respond to all legitimate requests or questions as quickly as possible, and at the latest within the timeframe outlined by applicable law. If you are contacting us to exercise any of your data subject rights, please clearly state your request, and remember we may need to verify your identity for security reasons.
Data Protection Authority Contact: While we encourage you to come to us first, you have the right to contact our supervisory authority for data protection directly. Our lead supervisory authority in Germany is likely the Data Protection Commissioner in the federal state where our company is registered. For example, if we are based in Berlin, you can contact:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219, 10969 Berlin, Germany
Phone: +49 (0)30 13889-0
Email: mailbox@datenschutz-berlin.de
(Or find the relevant authority via BfDI Bund or the list of state DPAs)
Again, we truly value the trust you place in Gentleland. We are continuously working to keep that trust by safeguarding your privacy. Thank you for reading our Privacy Policy. If anything remains unclear, do not hesitate to reach out to us. Your privacy and data protection rights are our priority.