Privacy Notice
Last updated: April 4, 2026
Controller
Klaus-E. Klingner
c/o IP-Management #6585
Ludwig-Erhard-Str. 18
20459 Hamburg, Germany
Email: support@wizardscastle.de
Personal Data We Process
- Account data: username, email address, and authentication details (hashed password, JWT tokens).
- Game data: character profiles, run history, scores, and save states tied to your account.
- Purchase data: transaction IDs, purchased item records, and delivery status. We do not store full payment card details — these are handled by Stripe.
- Usage data: server logs, IP address, and device information, captured when you access the service and used for security and troubleshooting.
- Support data: information you provide when contacting us for help.
Purposes and Legal Bases
We process personal data on the following legal bases under Art. 6 GDPR:
- Performance of a contract (Art. 6(1)(b)) — to create and operate user accounts, process purchases, and deliver in-game items.
- Legal obligations (Art. 6(1)(c)) — for record keeping, tax, and security requirements.
- Legitimate interests (Art. 6(1)(f)) — to secure the platform, prevent abuse (anti-cheat), and improve the game. Our interests do not override your fundamental rights and freedoms.
- Consent (Art. 6(1)(a)) — for optional communications; you may withdraw consent at any time.
Storage Duration
- Active accounts: Account data, characters, and game history are retained for the duration of your active account.
- Deleted accounts: Upon account deletion, personal data is permanently removed within 30 days, except where we are legally required to retain it (e.g., payment records for tax compliance).
- Server logs: Access logs and security logs are retained for 90 days for security monitoring and troubleshooting.
- Backups: Automated backups are retained for 30 days on a rolling schedule.
- Payment records: Transaction records required for tax and accounting purposes are retained for 10 years as mandated by German tax law.
- Inactive accounts: Accounts with no login activity for 3 years may be flagged for deletion with 60 days' advance notice via email.
Cookies & Tracking Technologies
The Game uses only essential cookies and tokens that are strictly necessary for the service to function. We do not use tracking, analytics, or advertising cookies.
Essential Technologies (Required for Operation)
- JWT Access Token: Short-lived token (15 min) used to authenticate API requests. Stored in memory only.
- Refresh Token: Long-lived token (30 days) used to renew authentication. Stored securely via the Electron keychain or browser storage.
No Optional Cookies
We do not use any optional, functional, or tracking cookies. All authentication is handled via bearer tokens rather than cookies.
Processors & Transfers
We work with trusted third-party processors under data processing agreements (DPAs) that meet GDPR requirements. All data is stored within the European Union.
Infrastructure & Hosting
Server4You GmbH
Hessen-Homburg-Platz 1
63452 Hanau, Germany
Purpose: Web hosting, server infrastructure
Data Processed: All website data, user accounts, content
Location: Germany (EU)
Safeguards: DPA Signed
Business Correspondence
IMPRESSUMPRIVATSCHUTZ GmbH
Ludwig-Erhard-Str. 18
20459 Hamburg, Germany
Purpose: Secure and reliable postal address service
Data Processed: Postal mail sent to us
Location: Germany (EU)
Safeguards: DPA Signed
Payment Processing
When you purchase in-game items, payment processing is handled by Stripe, Inc., a certified PCI-DSS Level 1 payment service provider. Stripe processes your payment information (credit card details, billing address) directly and securely. We do not store your full payment card details on our servers.
Stripe operates under its own privacy policy and data processing agreements that comply with GDPR requirements. For more information about how Stripe handles your data, please visit Stripe's Privacy Policy.
We receive only transaction confirmations and limited payment metadata (such as the last four digits of your card and transaction ID) necessary to fulfill your purchase and deliver in-game items.
Your Rights
Under the GDPR you have the following rights:
- Access to your personal data and information about processing (Art. 15 GDPR).
- Rectification of inaccurate data (Art. 16 GDPR).
- Erasure ("right to be forgotten") where statutory grounds apply (Art. 17 GDPR).
- Restriction of processing (Art. 18 GDPR).
- Data portability in a structured, commonly used format (Art. 20 GDPR).
- Objection to processing based on legitimate interests (Art. 21 GDPR).
- Right to lodge a complaint with your local supervisory authority.
Security
We apply technical and organizational measures such as encrypted connections (HTTPS), access controls, logging, prepared database statements, and regular software updates to protect your data from unauthorized disclosure or loss.
Contact for Privacy Questions
For privacy inquiries or to exercise your rights, contact us at support@wizardscastle.de or by mail at the address stated above. Please include sufficient information to identify your account so we can respond promptly.