This Privacy Policy (“Policy”) explains how gameglyph.shop (“Website”, “we”, “us”, “our”) processes personal data in compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR), ePrivacy Directive, PSD2, and the requirements of European banks and payment service providers (PSPs).

Controller / Merchant of Record: .
Processor (technical service provider): .
Supervisory Authority: Andmekaitse Inspektsioon (info@aki.ee, Tatari 39, 10134 Tallinn, Estonia).

We process the following categories of personal data:

• Identity and contact information: name, email, billing address, country.
• Account details: username, hashed password, preferences.
• Transaction data: payment IDs, purchase history, VAT information, PSP metadata (no card numbers stored).
• Device and log data: IP address, user agent, event logs.
• Support interactions: messages, attachments, correspondence.
• Marketing and analytics: cookie identifiers, consent records.
• Fraud-prevention signals: risk scores, device fingerprints.

We process data for the following purposes under lawful bases of GDPR:

• Account creation and contract performance – Art. 6(1)(b).
• Payments and accounting compliance – Art. 6(1)(c).
• Fraud prevention, AML/KYC checks – Art. 6(1)(f).
• Marketing and analytics (with consent) – Art. 6(1)(a).
• Legal defense and compliance – Art. 6(1)(f).

Payments are processed under Directive (EU) 2015/2366 (PSD2) and comply with Strong Customer Authentication (SCA) and 3‑D Secure requirements. We may perform Anti-Money Laundering (AML) and Know Your Customer (KYC) checks in cooperation with our Payment Service Providers (PSPs). Fraud detection may involve automated and manual review prior to delivery of digital goods.

Where data is transferred outside the European Economic Area (EEA), we rely on the EU–US Data Privacy Framework (DPF) for certified providers. For non-certified providers, Standard Contractual Clauses (SCCs) and supplementary measures are applied in accordance with the Schrems II decision.

Personal data is retained only for as long as necessary to fulfil the purposes stated in this Policy or as required by law:

• Accounting records: 7 years (Estonian Accounting Act).
• Support and communication: 24 months after ticket closure.
• Access logs and security data: 12 months.
• Marketing consents: until withdrawal or 24 months of inactivity.

If you purchase digital content that is defective or non-conforming, you are entitled to remedies under Directive (EU) 2019/770, including repair, replacement, price reduction, or refund. These rights apply regardless of any withdrawal waiver for digital content under Directive 2011/83/EU.

Our cookie banner follows IAB TCF 2.2 standards and provides equal options to ‘Accept all’ or ‘Reject all’. Non-essential cookies are set only after consent. Consent logs (ID, timestamp, version) are retained for 12 months for audit purposes.

You have the right to access, rectify, erase, restrict processing, and port your data. You may withdraw consent or object to processing, including marketing, at any time. Requests can be submitted to help@gameglyph.shop. We will respond within 30 days.

We implement encryption in transit (TLS 1.3), pseudonymization, access control, and audit logs. A Data Protection Impact Assessment (DPIA) is performed for payment and fraud-prevention processing activities.

We do not intentionally process data of children under 16. Automated decision-making is not used to make decisions with legal or significant effects without human involvement.

For privacy inquiries, contact help@gameglyph.shop.
If you are unsatisfied with our response, you may file a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, Tatari 39, 10134 Tallinn, info@aki.ee).

We may update this Policy to reflect changes in law, PSP requirements, or our practices. The latest version is always available at https://gameglyph.shop/privacy-policy.