GDPR & Data Rights
Version 1.0 · Last updated: March 1, 2026
1. About GDPR and Our Approach
DeckWorld operates in full compliance with Regulation (EU) 2016/679 (the General Data Protection Regulation, or "GDPR"). We are committed to Privacy by Design and Privacy by Default: we implement appropriate technical and organizational measures from the outset to ensure that personal data processing meets the Regulation's requirements and protects data subject rights.
For GDPR-related inquiries, including requests to exercise your rights, please contact our Data Protection Officer:
- Email: dpo@deckworld.games
- Postal: DeckWorld Ltd., Attn: DPO, 1 Stasikratous Street, Nicosia, 1065, Cyprus
We aim to respond to all substantiated requests within 30 days of receipt.
2. Your Rights Under GDPR
Right of Access (Article 15)
You have the right to obtain confirmation as to whether or not personal data concerning you are being processed and, where that is the case, access to that personal data, including a copy of the data. You may exercise this right via Profile > My Data > Download, which provides a JSON export within 24 hours, or by emailing gdpr@deckworld.games.
Right to Rectification (Article 16)
You have the right to obtain from us the rectification of inaccurate personal data concerning you. You may correct your data directly through self-service options in your profile, or request rectification by contacting gdpr@deckworld.games. We will process rectification requests within 30 days.
Right to Erasure / "Right to be Forgotten" (Article 17)
You have the right to obtain from us the erasure of personal data concerning you without undue delay where one of the grounds in Article 17(1) applies. To exercise this right, use Profile > My Data > Delete Account. Active data is deleted within 30 days; backup copies are purged within 90 days. Exceptions apply where retention is necessary for compliance with a legal obligation, the establishment, exercise or defence of legal claims, or other lawful grounds under Article 17(3).
Right to Restriction of Processing (Article 18)
You have the right to obtain from us restriction of processing where: (a) you contest the accuracy of the personal data; (b) the processing is unlawful and you oppose erasure and request restriction instead; (c) we no longer need the data but you require it for the establishment, exercise or defence of legal claims; or (d) you have objected to processing pursuant to Article 21(1), pending verification of whether our legitimate grounds override yours.
Right to Data Portability (Article 20)
You have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format, and to transmit those data to another controller. We provide your data in JSON format via your profile or upon request to gdpr@deckworld.games. We will process such requests within 30 days.
Right to Object (Article 21)
You have the right to object, on grounds relating to your particular situation, to processing based on Article 6(1)(e) (legitimate interest) or (f) (public interest), including profiling. Where personal data are processed for direct marketing purposes, you have the right to object at any time, and we will cease such processing without delay.
Right Regarding Automated Decision-Making (Article 22)
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. DeckWorld does not make automated decisions with legal or similarly significant effects. Game matchmaking and rating calculations do not constitute such decision-making under the Regulation.
3. Additional Rights by Regional Law
Depending on your jurisdiction, additional data protection rights may apply. The following table summarizes key rights under selected regional frameworks:
| Region / Law | Key Rights | Response Timeframe |
|---|---|---|
| CCPA (California, USA) | Right to know; right to delete; right to opt out ("Do Not Sell"); non-discrimination | 45 days |
| LGPD (Brazil) | Access; rectification; deletion; restriction; portability; withdraw consent | 15 days |
| 152-FZ (Russia) | Access; rectification; blocking; destruction; withdraw consent; complain to Roskomnadzor. Personal data of Russian users is stored in the Russian Federation. | 30 days |
| PIPL (China) | Right to information; access; transfer; rectification; deletion; restriction | 15 days |
4. How to Submit a Request
Step 1: Choose Your Method
You may exercise your rights either online via Profile > My Data (when logged in) or by sending an email to gdpr@deckworld.games.
Step 2: Identity Verification
If you are logged into your account, your active session serves as sufficient verification. If you submit a request by email without logging in, we will verify your identity by sending a one-time code to your registered email address. We will not disclose personal data to any person until identity has been verified.
Step 3: Processing and Response
We will process substantiated requests within 30 days as standard. For complex or numerous requests, we may extend this period by up to 90 days and will inform you of the extension and the reasons for the delay within 30 days of receipt.
5. Complaints and Supervisory Authorities
If you believe that our processing of your personal data infringes the GDPR or applicable law, you have the right to lodge a complaint with a supervisory authority, without prejudice to any other administrative or judicial remedy.
- European Union (EU/EEA): You may lodge a complaint with the data protection authority of your Member State of residence, place of work, or place of the alleged infringement. For a list of national DPAs and further information, visit the European Data Protection Board (EDPB).
- United Kingdom: Information Commissioner's Office (ICO)
- Russian Federation: Roskomnadzor
- Brazil: Autoridade Nacional de Proteção de Dados (ANPD)
- United States (California): California Privacy Protection Agency (CPPA)
6. Technical and Organizational Measures (Art. 32)
In accordance with Article 32 of the GDPR, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These include:
- Encryption: AES-256 encryption at rest; TLS 1.3 or higher for data in transit.
- Password security: Passwords are hashed using bcrypt with an individual salt for each password.
- Access control: Least-privilege access; role-based access control; separation of duties.
- Audit logging: Access to personal data is logged; logs are retained and monitored.
- Testing: Annual penetration testing and vulnerability assessments.
- Breach notification: In the event of a personal data breach likely to result in a risk to rights and freedoms, we notify the competent supervisory authority within 72 hours (Art. 33) and affected data subjects without undue delay when the breach is likely to result in high risk (Art. 34), typically within 30 days.
- Backups: Daily backups; monthly recovery testing to ensure data restoration capability.