AUTH.GAMES

Privacy Policy

Last updated: April 2026

1. Data Controller

The entity responsible for processing your personal data under the General Data Protection Regulation (GDPR) is:

AUTH.GAMES

Business address available on request

Germany

Email: privacy@auth.games

2. Data We Collect

We process the following personal data:

  • Account data: Name, email address, password (encrypted)
  • Technical data: IP address, browser type, device info, timestamps
  • Usage data: Login events, OAuth authorizations, API accesses
  • Company data (company accounts): Company name, contact person

3. Purpose of Processing

We process your data exclusively for the following purposes:

  • Provision of the identity and authentication service
  • Management of your user account
  • Execution of OAuth 2.0 / OIDC authorization flows
  • Security monitoring and fraud prevention (Audit Logs)
  • Fulfillment of legal obligations

4. Legal Basis

Processing is based on Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interests). Where consent is required, processing is based on Art. 6(1)(a) GDPR.

5. Data Storage & Deletion

Your data is stored only as long as necessary. After account deletion, personal data is removed within 30 days, unless legal retention obligations apply.

11. Data Retention Periods

We retain your data only as long as legally required or operationally necessary:

  • Account data: deleted within 30 days of account deletion
  • Billing invoices: retained for 10 years (statutory tax obligation)
  • Audit logs: retained for 90 days, then deleted
  • Session tokens: deleted upon expiry
  • OAuth consent records: deleted upon account deletion or consent revocation
  • Two-factor backup codes: deleted upon account deletion

6. Data Sharing

Personal data is shared only where it is necessary for contract performance, where you have consented, or where a legal obligation exists. Third-party OAuth apps only receive data you agreed to during the authorization flow.

12. Sub-processors & Third Parties

We engage the following sub-processors who may process your personal data on our behalf:

  • Stripe, Inc. (USA) — payment processing and billing
  • Vercel, Inc. (USA) — platform hosting, analytics, and performance monitoring
  • PostgreSQL cloud database provider — encrypted database hosting

13. International Data Transfers

Some of our sub-processors (Stripe, Vercel) are based in the United States. Data transfers to these providers are carried out on the basis of Standard Contractual Clauses (SCCs) pursuant to Art. 46 GDPR, ensuring an adequate level of data protection.

7. Your Rights

You have the right to:

  • Access your stored data (Art. 15 GDPR)
  • Correct inaccurate data (Art. 16 GDPR)
  • Delete your data (Art. 17 GDPR)
  • Restrict processing (Art. 18 GDPR)
  • Receive your data in a portable format (Art. 20 GDPR)
  • Object to processing (Art. 21 GDPR)

To exercise your rights, contact: privacy@auth.games

8. Cookies & Local Storage

AUTH.GAMES uses essential cookies for sessions and preferences. With your consent, we additionally use analytics cookies (Vercel Analytics, Google Analytics) to understand platform usage. You can manage your cookie preferences at any time via the Cookie Settings button.

9. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority.

10. Changes to This Policy

We reserve the right to update this privacy policy. The current version is always available at /privacy. You will be notified of significant changes by email.