← Home

Privacy and Cookie Policy

Last updated: March 16, 2026

This notice describes the methods of processing the Personal Data of Users who use the GPK Games mobile application (“App”) and the website games.gpkingdom.it (“Website”), hereinafter collectively referred to as the “Service”.

Users are invited to read this notice carefully before using the Service.

1. Data Controller

Raze S.R.L.
Via IV Novembre 84, 23868 Valmadrera (LC), Italia
VAT Number / Tax Code: 04229070133
Email: [email protected]

The Data Controller has not appointed a Data Protection Officer (DPO) as the conditions set out in Art. 37 of the GDPR do not apply. For any request relating to the processing of personal data, the Data Controller may be contacted at the email address indicated above.

2. Types of Personal Data collected

2.1 Data voluntarily provided by the User

  • Registration data: name, email address and profile picture (obtained through Sign in with Apple or Google Sign-In)
  • Profile data: nickname chosen by the User

2.2 Data collected automatically

  • Usage data: information on how the User interacts with the Service (pages visited, features used, session duration)
  • Device data: model, operating system, App version, language, screen resolution
  • Identifiers: internal User ID, device identifiers, advertising identifiers (IDFA on iOS, Google Advertising ID on Android) — collected only with prior consent
  • Network data: IP address (from which an approximate geographic location at city/region level may be derived)
  • Crash and diagnostic data: error logs, stack traces, device state at the time of the error

The Service does not require access to the device’s GPS location, contacts, camera or microphone.

3. Purposes of Processing and Legal Basis

Below are the purposes for which Personal Data are processed, each with the corresponding legal basis pursuant to Art. 6 of the GDPR.

Purpose Data processed Legal basis
Registration and authentication — Create and manage the User account through Sign in with Apple or Google Sign-In Name, email, profile picture, nickname Performance of a contract (Art. 6(1)(b))
Provision of the Service — Management of the fantasy game, leagues, standings, invite friends Profile data, usage data, in-game activity data Performance of a contract (Art. 6(1)(b))
Payment and subscription management — Processing of purchases through the App Store and Google Play User ID, transaction data (managed by Apple/Google through RevenueCat) Performance of a contract (Art. 6(1)(b))
Personalised advertising — Display personalised ads through AdMob, Unity Ads and Meta Ads Advertising identifiers (IDFA/GAID), usage data, device information, IP Consent (Art. 6(1)(a))
Non-personalised advertising — Display generic ads in the absence of consent for personalisation Usage data, device information Legitimate interest (Art. 6(1)(f)) — financial sustainability of the free service
Analytics and Service improvement — Analyse usage to improve features Usage data, device data, IP (anonymised) Legitimate interest (Art. 6(1)(f)) — improvement of the Service
Crash reporting and debugging — Identify and fix technical errors Error logs, device data, application state Legitimate interest (Art. 6(1)(f)) — stability and security of the Service
Service push notifications — Updates on results, rounds, leagues Device token, notification preferences Performance of a contract (Art. 6(1)(b))
Promotional push notifications — Communications about news, offers, features Device token Consent (Art. 6(1)(a))
Legal obligations — Tax and accounting obligations relating to transactions Transaction data Legal obligation (Art. 6(1)(c))

Where processing is based on legitimate interest, the Data Controller has carried out a balancing test between its own interest and the rights of the User, ensuring that the processing does not disproportionately prejudice the freedom and fundamental rights of the User.

4. Third-Party Services

The Service uses the following third-party services, each of which may collect Personal Data in accordance with its own policy:

4.1 Authentication

4.2 Database and hosting

4.3 Payments and subscriptions

  • RevenueCat (RevenueCat Inc., USA) — User ID, transaction data, device information — RevenueCat Privacy Policy
  • Actual payments are processed by Apple App Store and Google Play Store. The Data Controller does not collect or store credit card data or other payment instruments.

4.4 Advertising

  • Google AdMob (Google LLC, USA) — advertising identifiers, usage data, device information — Google Privacy Policy
  • Unity Ads (Unity Technologies, USA) — advertising identifiers, usage data, device information — Unity Privacy Policy
  • Meta Audience Network (Meta Platforms Inc., USA) — advertising identifiers, usage data, device information — Meta Privacy Policy

Advertising SDKs collect data only after the User has given their consent through the in-app consent module (Google UMP) and, on iOS, through the App Tracking Transparency (ATT) framework. In the absence of consent, non-personalised ads are displayed.

4.5 Analytics

  • Google Analytics 4 (Google LLC, USA) — usage data, session statistics, device information — Google Privacy Policy
  • PostHog (PostHog Inc.) — usage data, in-app events — data hosted in the EUPostHog Privacy Policy

4.6 Crash reporting and error monitoring

  • Sentry (Functional Software Inc.) — error logs, device data — data hosted in the EUSentry Privacy Policy
  • Firebase Crashlytics (Google LLC, USA) — crash logs, installation identifiers, device data — Firebase Privacy Policy

4.7 Push notifications

  • Expo Notifications (650 Industries Inc., USA) — device push token — which in turn uses Apple Push Notification Service (APNs) and Firebase Cloud Messaging (FCM) — Expo Privacy Policy

4.8 Fonts (Website only)

5. Data Transfers to Third Countries

Some of the third-party services listed in the previous section are based in the United States of America. The transfer of Personal Data to the USA takes place on the basis of the following safeguards:

  • EU-US Data Privacy Framework (DPF) — for providers certified under the DPF (European Commission adequacy decision of 10 July 2023), including Google LLC, Meta Platforms Inc. and Apple Inc.
  • Standard Contractual Clauses (SCCs) — for providers not certified under the DPF, the transfer takes place on the basis of the standard contractual clauses approved by the European Commission (Implementing Decision 2021/914).

The following services host data entirely within the European Union and do not involve extra-EU transfers:

  • Supabase (Frankfurt, Germany)
  • PostHog (EU)
  • Sentry (EU)

The User may request further information on the specific safeguards adopted for international transfers by contacting the Data Controller.

6. Data Retention Period

Personal Data are retained for the time strictly necessary to fulfil the purposes for which they were collected:

Data category Retention period
Account data (name, email, nickname, profile picture) For the entire duration of the account. Deleted immediately upon account closure by the User.
In-game activity data (leagues, standings, scores) For the entire duration of the account. Deleted upon account closure.
Transaction and billing data 10 years from the transaction (tax obligation pursuant to Art. 2220 of the Italian Civil Code and Italian tax legislation)
Analytics data Aggregated and anonymised data. Google Analytics 4 raw data are retained for a maximum of 14 months.
Crash reporting data 90 days from collection
Advertising data In accordance with the policies of the respective providers (Google, Unity, Meta). The User may revoke consent at any time.
Push notification tokens Until notifications are deactivated or the account is closed

At the end of the retention period, Personal Data are deleted or irreversibly anonymised.

7. Data Subject Rights

Pursuant to Articles 15–22 of the GDPR, the User has the right to:

  • Access (Art. 15) — obtain confirmation as to whether their Personal Data are being processed and receive a copy thereof
  • Rectification (Art. 16) — obtain the correction of inaccurate Personal Data or the completion of incomplete data
  • Erasure (Art. 17, “right to be forgotten”) — obtain the deletion of their Personal Data where they are no longer necessary, where consent has been withdrawn, or where processing is unlawful
  • Restriction of processing (Art. 18) — obtain the restriction of processing where the accuracy of the data is contested, processing is unlawful, or the data are needed for the exercise of a right in legal proceedings
  • Data portability (Art. 20) — receive their Personal Data in a structured, commonly used and machine-readable format, and transmit them to another controller
  • Objection (Art. 21) — object to the processing of their Personal Data based on the legitimate interest of the Data Controller. In the case of objection to processing for direct marketing purposes, processing shall cease immediately
  • Not to be subject to automated decision-making (Art. 22) — not to be subject to a decision based solely on automated processing that produces legal effects or significantly affects the User
  • Withdrawal of consent (Art. 7(3)) — withdraw consent given at any time, without this affecting the lawfulness of processing based on consent prior to its withdrawal

How to exercise your rights

The User may exercise their rights by sending a request to the email address [email protected]. The Data Controller will respond within 30 days of receiving the request (this period may be extended by a further 60 days in the case of complex requests, subject to prior notification to the User).

To revoke consent to personalised advertising, the User may also:

  • On iOS: Settings > Privacy & Security > Tracking
  • On Android: Settings > Google > Ads > Delete advertising ID

Right to lodge a complaint

The User has the right to lodge a complaint with the competent supervisory authority:

Garante per la Protezione dei Dati Personali
Piazza Venezia 11, 00187 Roma
www.garanteprivacy.it
Email: [email protected]
PEC: [email protected]

8.1 Website (games.gpkingdom.it)

The Website exclusively uses:

  • Cloudflare technical cookies — necessary for the operation of the Website (security, performance). They do not require consent.
  • Google Fonts — loading fonts from Google servers involves the transmission of the User’s IP address to Google LLC (USA).

The Website does not use profiling cookies, third-party analytics cookies, or advertising tracking tools.

8.2 Mobile App

The App uses tracking technologies (SDKs) for the purposes described in Section 3. Before activating SDKs that collect data for personalised advertising, the App requests the User’s explicit consent through:

  • The Google UMP consent module (User Messaging Platform), compliant with the IAB TCF 2.0 framework
  • On iOS: Apple’s App Tracking Transparency (ATT) framework

The User may change their consent preferences at any time from the App or device settings.

9. Push Notifications

The App may send two types of push notifications:

  • Service notifications — relating to the operation of the game (results, rounds, league updates). These are sent on the basis of the performance of the contract.
  • Promotional notifications — relating to news, offers or new features. These are sent only with the User’s consent.

The User may disable push notifications at any time from their device settings. Disabling service notifications may affect the App user experience.

10. Minors

The Service is intended for Users aged 14 years or older, in compliance with Art. 2-quinquies of Legislative Decree 196/2003 (Italian Privacy Code).

The Data Controller does not knowingly collect Personal Data from minors under 14 years of age. Should the Data Controller become aware that it has collected data from a minor under 14 without the consent of the holder of parental responsibility, it will promptly delete such data.

Parents or legal guardians who believe that a minor has provided Personal Data without their consent may contact the Data Controller at [email protected].

11. Nature of Data Provision

The provision of registration data (name, email through Apple/Google Sign-In) is required in order to use the Service. Failure to provide such data makes it impossible to create an account and access the Service.

The provision of data for personalised advertising and promotional notifications is optional. Refusal does not affect access to the Service.

12. Data Security

The Data Controller adopts appropriate technical and organisational measures to protect Personal Data, including:

  • Encrypted communications via HTTPS/TLS protocol
  • Data at rest encrypted (encryption provided by Supabase)
  • Data access restricted to authorised personnel
  • Secure authentication through trusted providers (Apple, Google)
  • Continuous vulnerability monitoring through Sentry

13. Changes to this Policy

The Data Controller reserves the right to modify this notice at any time. Changes will be published on this page with an update to the “Last updated” date.

In the event of material changes that affect the processing of Personal Data, the Data Controller will notify Users through an in-App notification or a notice on the Website.

Continued use of the Service after the publication of changes constitutes acceptance of the updated notice.

14. Contact Information

Data Controller
Raze S.R.L. – Via IV Novembre 84, 23868 Valmadrera (LC), Italia
Email: [email protected]

15. Definitions

  • Personal Data: any information relating to an identified or identifiable natural person.
  • User: the natural person who uses the Service.
  • Data Controller: the natural or legal person who determines the purposes and means of the processing of Personal Data.
  • Data Processor: the natural or legal person who processes Personal Data on behalf of the Data Controller.
  • Service: the GPK Games mobile application and the website games.gpkingdom.it.
  • App: the GPK Games mobile application, available on the Apple App Store and Google Play Store.
  • Website: the website games.gpkingdom.it.

This notice is drafted pursuant to Regulation (EU) 2016/679 (GDPR), Legislative Decree 196/2003 (Privacy Code, as amended by Legislative Decree 101/2018) and the Guidelines of the Garante per la Protezione dei Dati Personali.