About This Policy
This Privacy Policy explains how PointArt Games collects, uses and protects your personal data. It is designed to comply with both the EU General Data Protection Regulation (GDPR, Regulation 2016/679) for users in the European Economic Area and the United Kingdom, and the Turkish Personal Data Protection Law No. 6698 (KVKK) for users in Turkey. Where the two frameworks differ, the stricter rule applies. Turkish residents may also refer to our KVKK Aydınlatma Metni for the statutory disclosures required by KVKK Art. 10.
1. Data Controller
PointArt Games ("we", "us") is operated by an independent developer based in the Republic of Türkiye and acts as the data controller for the personal data collected through this platform. The primary contact channel for all data-controller requests and legal notices is [email protected]. We have not appointed a Data Protection Officer (DPO), as this is not required for projects of this size under GDPR Art. 37.
2. Categories of Personal Data We Collect
- Account data: username, email address, display name, hashed password.
- Authentication data: email verification tokens, session identifiers.
- Game data: game sessions, scores, turn history, portfolio choices, achievements.
- Technical data: IP address, browser user-agent, locale preference, the essential session cookie (PHPSESSID).
- Marketing preferences: your explicit opt-in (or absence of opt-in) to receive marketing emails.
- Visit attribution: UTM parameters (utm_source, utm_medium, utm_campaign) present in the URL, the HTTP Referer your browser sends, and the landing page URL — captured once per browser session in a server-side row to measure which marketing channels bring traffic and conversions. No IP address, no third-party cookie, no device fingerprint. Retained for up to 12 months and then deleted.
- Legal/audit data: timestamps and IP addresses for Terms, Privacy and KVKK acceptance; gameplay disclaimer acceptance.
3. Purposes of Processing and Lawful Basis (GDPR Art. 6)
| Purpose | Data used | Lawful basis |
|---|---|---|
| Creating and maintaining your account | Account, authentication | Contract (Art. 6(1)(b)) |
| Authenticating you and managing your session | Account, technical | Contract (Art. 6(1)(b)) |
| Saving your game progress | Game data | Contract (Art. 6(1)(b)) |
| Sending email verification messages | Email, verification tokens | Contract (Art. 6(1)(b)) |
| Sending marketing/announcement emails about new projects | Email, marketing preferences | Consent (Art. 6(1)(a)) — opt-in only |
| Platform security, abuse prevention, rate-limiting | Technical, IP | Legitimate interests (Art. 6(1)(f)) |
| Recording legal acceptance for audit purposes | Legal/audit | Legal obligation (Art. 6(1)(c)) and KVKK Art. 5(2)(ç) |
| Measuring which marketing channels bring traffic and signups | Visit attribution | Legitimate interests (Art. 6(1)(f)) |
4. How We Collect Data
Personal data is collected:
- Directly from you when you fill in the registration form, log in, change account settings or contact us.
- Automatically while you play (game sessions, scores, achievements) and from server logs (IP address, browser user-agent, request timestamps).
Collection takes place wholly or partially through automated means in electronic form.
5. Recipients and Data Sharing
We do not sell, rent or share your personal data with third parties for advertising, marketing or analytics purposes. We do not run third-party advertising, tracking pixels, or analytics scripts on this platform.
Limited categories of recipients may process data on our behalf strictly to operate the service:
- Our hosting provider (currently within Turkey — see §6).
- The SMTP service used to deliver verification and (opt-in only) marketing emails.
These recipients act as data processors and are bound by confidentiality and data-protection obligations.
6. International Transfers
Your personal data is currently stored on servers located within the borders of Turkey. If a future change of infrastructure provider results in personal data being transferred outside Turkey or outside the EEA, you will be separately informed and, where required by KVKK Art. 9 or GDPR Chapter V, we will obtain your explicit consent and rely on appropriate safeguards such as Standard Contractual Clauses or an adequacy decision.
7. Data Retention
- Account, game and technical data: retained until you request deletion of your account.
- Marketing preferences: retained for as long as your opt-in is active. Once you unsubscribe, only the fact and timestamp of withdrawal are kept, as proof of compliance.
- Legal/audit data (acceptance logs): retained for the period required by applicable law (typically up to 10 years under the Turkish Code of Obligations) so we can prove that consent was lawfully obtained.
- Rate-limit cache (per-IP request hit timestamps used to throttle abuse): retained for up to 30 days, then deleted.
- Visit attribution rows (UTM, referrer, landing page): retained for up to 12 months from the date of the visit, then deleted.
Effect of a deletion request. When you ask us to delete your account, we erase your account, game and technical data. However, in line with GDPR Art. 17(3)(b)/(e) and KVKK Art. 7, the legal/audit acceptance log entries linking your former user ID to a version of each accepted document are retained — in pseudonymised or access-restricted form where possible — for the legal retention period stated above, so we can demonstrate that valid consent was obtained at the time you used the service. After the retention period expires, those records are erased as well.
8. Your Rights
Under GDPR Articles 15-22 and KVKK Article 11 you have the right to:
- Access the personal data we hold about you and obtain a copy (GDPR Art. 15 / KVKK Art. 11).
- Rectify inaccurate or incomplete data (GDPR Art. 16 / KVKK Art. 11).
- Erase your data ("right to be forgotten") where the legal basis for processing no longer applies (GDPR Art. 17 / KVKK Art. 7).
- Restrict processing in certain cases (GDPR Art. 18).
- Object to processing based on legitimate interests, including for direct marketing (GDPR Art. 21 / KVKK Art. 11).
- Data portability: receive your data in a structured, commonly used, machine-readable format (GDPR Art. 20).
- Withdraw consent at any time, without affecting the lawfulness of past processing (GDPR Art. 7(3)). Withdrawing your marketing opt-in is a one-click action via the unsubscribe link in any marketing email.
- Lodge a complaint with a supervisory authority (see §14).
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (GDPR Art. 12(3)) or within the period stipulated by KVKK for Turkish residents. Turkish residents may also submit applications by registered electronic mail (KEP) or with a secure electronic signature, in accordance with the "Communiqué on the Procedures and Principles of Application to the Data Controller".
9. Children's Privacy
This platform is not directed at children. We do not knowingly collect personal data from anyone under 16 years of age. If you are under 16, you may not register or use this service. If we learn that we have collected personal data from a child under 16 without verified parental consent, we will delete that data promptly. Parents or guardians who believe their child has provided personal data may contact us at the email above.
10. Automated Decision-Making and Profiling
We do not carry out any automated decision-making, including profiling, that produces legal effects or similarly significant effects on you within the meaning of GDPR Art. 22. Game outcomes are deterministic responses to your in-game choices and are not used to make decisions about you outside the game.
11. Security
We use industry-standard measures including bcrypt password hashing, CSRF protection, rate limiting, encrypted sessions, and prepared SQL statements. No system is perfectly secure; we recommend using a unique password for your account.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through the platform or, where appropriate, by email. Continued use after the effective date constitutes acceptance of the updated policy.
13. Governing Law and Jurisdiction
This Privacy Policy and any dispute or claim arising out of or in connection with it (including non-contractual disputes) shall be governed by and construed in accordance with the laws of the Republic of Türkiye, without regard to its conflict-of-law provisions. The İzmir Courts and Enforcement Offices (İzmir Mahkemeleri ve İcra Müdürlükleri), Republic of Türkiye, shall have exclusive jurisdiction over any such dispute. This clause does not affect mandatory consumer-protection or data-protection rights granted to you by the laws of your country of residence — in particular, your right to lodge a complaint with your local supervisory authority as set out in §14 below remains fully available to you.
14. Supervisory Authorities
You have the right to lodge a complaint with a data protection supervisory authority:
- Turkey: Kişisel Verileri Koruma Kurumu (KVKK) — kvkk.gov.tr
- EU/EEA: the supervisory authority of the member state where you live or work. A list is maintained by the European Data Protection Board at edpb.europa.eu.
- United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk.
15. Contact
For any privacy-related inquiry, including the exercise of your rights under GDPR or KVKK: [email protected]