Privacy Policy

The controller responsible for processing your personal data is:

• Controller: SIA "NORA RN"
• Registration number: 40003750781
• Address: Riga, Starta iela 1, LV-1026, Latvia
• Email: ghettogames@ghetto.lv

This Privacy Policy applies to the Ghetto Games organizer website, the Ghetto Games mobile app, and the backend systems that support account management, tournament operations, notifications, payments, and related service functions.

One privacy policy applies to both the website and the mobile app.

We process the following categories of personal data:

• account and identity data, such as your email address, name, surname, account ID, authentication provider, provider account ID, and profile image;
• profile and player data, such as date of birth, country, gender, avatar, player stats, followed tournaments, and team membership information;
• authentication and security data, such as session tokens, last login time, and email verification records;
• device and app data needed to deliver app functionality, including mobile push notification token and notification permission status;
• communications and notification data, including in-app notifications, push notification content and metadata, read status, and support communications;
• tournament and participation data, including registrations, invitations, teams, rankings, and related activity records;
• payment and transaction data, including payment status, amount, currency, and payment processor identifiers.

• directly from you when you create an account, complete your profile, register for tournaments, join teams, contact us, or otherwise use the Services;
• from identity providers when you choose Google or Apple sign-in;
• from your device or browser when needed for authentication, session handling, and push notifications;
• from organizers, admins, teammates, or other users when this is part of tournament or team features;
• from payment providers when payments are initiated, confirmed, refunded, or fail.

Under GDPR, we rely on the following legal bases where applicable:

• performance of a contract or steps at your request before entering a contract, including account creation, authentication, profile management, tournament participation, team features, payments, and core service delivery;
• legitimate interests, including security, fraud prevention, debugging, support, service integrity, and service-related notifications;
• consent, when required by law, including optional push notifications and any future non-essential cookies or tracking technologies;
• compliance with legal obligations, including accounting, tax, consumer-protection, and lawful disclosure requirements.

The website uses technical mechanisms necessary for operation, including session-related and interface-state storage. The current implementation uses cookies for sign-in or session functionality and certain interface preferences.

We do not use non-essential cookies or advertising technologies. We request consent before using non-essential cookies or similar technologies when the law requires consent.

The mobile app uses secure device storage and local storage to keep session and app state on your device.

If you enable notifications in the mobile app, we process your device push token and send you push notifications related to your account and activity, including team and tournament events.

Push notifications are optional at the device-permission level. You can disable them in your device settings at any time.

Payments connected to the Services are handled using Stripe. We store limited payment-related metadata needed to initiate, track, and reconcile payments, such as payment status, amount, currency, and processor identifiers.

Where available, you may choose Apple Pay as a payment method. Apple Pay payments are processed through Stripe and Apple Pay. We may receive and store payment-related metadata needed to process and reconcile the transaction, such as payment status, amount, currency, order identifiers, payment processor identifiers, and limited billing or contact information provided through the payment flow.

We do not receive or store your actual Apple Pay card number or full payment card number. Apple Pay and Stripe process payment credentials according to their own privacy and security terms.

We do not store full payment card numbers in our own systems.

We share personal data with:

• service providers that help us operate the Services, including authentication, email delivery, push-notification, and payment providers;
• Google or Apple when you choose those sign-in methods;
• Mailgun for transactional email delivery;
• Stripe for payment processing;
• Expo and providers involved in push-notification delivery;
• tournament organizers, admins, teammates, and other users where necessary for tournament, ranking, invitation, or team functionality;
• advisers, auditors, insurers, legal counsel, authorities, or other third parties when required by law or necessary to protect our legal interests;
• a buyer, successor, or affiliate in connection with a merger, acquisition, restructuring, or sale of assets, subject to applicable safeguards.

The main named external providers are:

• Stripe
• Apple Pay
• Mailgun
• Expo
• Google
• Apple

Your personal data is processed in countries outside the European Economic Area if our providers or infrastructure operate there.

When personal data is transferred outside the EEA, we rely on an applicable GDPR transfer mechanism, including where appropriate an adequacy decision, Standard Contractual Clauses, or another lawful safeguard.

We retain personal data only for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, maintain security, and protect our legitimate interests.

Retention periods depend on operational need, legal obligations, security, dispute resolution, and recordkeeping requirements.

Under GDPR, you have the following rights, subject to applicable law:

• request access to your personal data;
• request correction of inaccurate or incomplete personal data;
• request deletion of your personal data;
• request restriction of processing;
• object to processing based on legitimate interests;
• receive your personal data in a structured, commonly used, machine-readable format and request portability where applicable;
• withdraw consent where processing is based on consent;
• lodge a complaint with a competent data protection authority.

To exercise your rights, including deletion requests, contact ghettogames@ghetto.lv.

The Services are not intended for children under the age of 16.

You must be at least 16 years old to create an account and use the Services. If you are under 16, you must not create an account or submit personal data through the Services.

If we learn that personal data has been collected from a child under 16 in violation of this policy or applicable law, we delete or restrict that data as required by law.

We use technical and organizational measures to protect personal data against unauthorized access, loss, misuse, alteration, or disclosure. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

The Services integrate with or link to third-party services. When you interact with those services, their own privacy policies and terms apply.

This is particularly relevant for authentication providers, payment providers, email providers, and app-platform services.

We update this policy when needed and change the "Last updated" date.

For questions or to exercise your rights, contact:

• Email: ghettogames@ghetto.lv
• Postal address: Riga, Starta iela 1, LV-1026, Latvia

You also have the right to lodge a complaint with the supervisory authority in the EU or EEA country where you live, work, or where you believe an infringement has occurred.