How we collect, process, share, and protect personal data.
PRIVACY POLICY
Gameye B.V.
Version 2.0 | Effective Date: 11 May 2026 | Replaces version dated 18 February 2019
Gameye B.V. ("Gameye", "we", "us", or "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, share, and protect personal data in connection with our website, Free Trial accounts, and commercial game server orchestration services.
Gameye B.V. is a private limited company established in Rotterdam, registered with the Dutch Chamber of Commerce under number 69742987, and is the data controller for the personal data described in this policy. Our processing activities are carried out in compliance with the General Data Protection Regulation (GDPR) and applicable Dutch data protection law.
This policy applies to the following groups of individuals:
Website visitors: anyone who visits gameye.com or our administrative portal.
Free Trial users: individuals and organisations who have registered for a Gameye Free Trial account.
Commercial customers: organisations and their representatives who have entered into a Commercial Agreement with Gameye.
If you have questions about this policy or wish to exercise your data subject rights, please contact us at [email protected].
1. Data Controller
Gameye B.V. does not currently designate a Data Protection Officer, as this is not required under Article 37 of the GDPR given the nature and scale of its processing activities. All data protection queries should be directed to [email protected].
| Legal Entity | Gameye B.V. |
| Registered Address | Gameye B.V. Westerstraat 10, Unit A9712 3016 DH Rotterdam The Netherlands |
| Chamber of Commerce | 69742987 |
| Privacy Contact | [email protected] |
| Website | https://gameye.com |
2. Personal Data We Process and Why
We process different categories of personal data depending on your relationship with Gameye. The tables below set out, for each group of individuals, the data we process, the purpose, the legal basis under GDPR, and how long we retain it.
2.1 Website Visitors
| Purpose | Data Processed | Legal Basis | Retention |
|---|---|---|---|
| Website analytics and performance | IP address, browser type, device type, pages visited, session duration | Legitimate interest (Art. 6(1)(f)) — improving website performance and security | 13 months, then aggregated |
| Responding to enquiries | Name, email address, message content | Pre-contractual steps or legitimate interest (Art. 6(1)(b)/(f)) | 3 years from last contact |
| Newsletter and marketing | Name, email address, marketing preferences | Consent (Art. 6(1)(a)) | Until consent withdrawn |
| Legal compliance | Data required by applicable law | Legal obligation (Art. 6(1)(c)) | As required by law |
2.2 Free Trial Users
When you register for and use a Gameye Free Trial account, we process the following personal data:
| Purpose | Data Processed | Legal Basis | Retention |
|---|---|---|---|
| Account registration and management | Name, business email address, company name | Pre-contractual steps / contract performance (Art. 6(1)(b)) | Account data: 30 days after trial expiry or termination |
| Providing and operating the trial service | API usage data, session logs, server runtime metrics, IP address, API credentials | Contract performance (Art. 6(1)(b)) | Session and usage data: 30 days after trial expiry |
| Security and abuse prevention | API credentials, access logs, IP address | Legitimate interest (Art. 6(1)(f)) — protecting service integrity | 90 days from collection |
| Service improvement (aggregated only) | Aggregated, non-personal session performance data | Legitimate interest (Art. 6(1)(f)) | Indefinitely in aggregated form only |
| Communications about the service and commercial conversion | Name, business email address, company name | Legitimate interest (Art. 6(1)(f)) — where no marketing consent given; consent where required | 3 years from last contact, or until consent withdrawn |
Free Trial account data (including API keys, session logs, and configuration) is deleted 30 days after the expiry or termination of the trial period. You are responsible for retaining any data you require before this period ends.
2.3 Commercial Customers and Their Representatives
When your organisation enters into a Commercial Agreement with Gameye, we process personal data relating to the individuals named in that agreement and those who use the services on your organisation's behalf.
| Purpose | Data Processed | Legal Basis | Retention |
|---|---|---|---|
| Entering into and performing the Commercial Agreement | Authorised signatory name, title, email address; business contacts; invoicing email address | Contract performance (Art. 6(1)(b)) | Duration of agreement + 7 years (legal obligation, tax records) |
| Service delivery and support | Contact person names, email addresses, Slack/Discord handles, phone numbers (SLA contacts) | Contract performance (Art. 6(1)(b)) | Duration of agreement + 1 year |
| Invoicing and payment | Contact name, company name, bank account details (provider's own), invoicing email | Contract performance / legal obligation (Art. 6(1)(b)/(c)) | 7 years (Dutch tax law) |
| Service usage and telemetry | API usage logs, session metadata, server runtime metrics, IP addresses | Contract performance (Art. 6(1)(b)) | 12 months rolling |
| Security and incident management | Access logs, IP addresses, support ticket content | Legitimate interest (Art. 6(1)(f)) — service security and continuity | 12 months from incident closure |
| Marketing and customer references (where agreed) | Name, company, role | Consent (Art. 6(1)(a)) — obtained separately under Commercial Agreement §B | Until consent withdrawn |
Where Gameye processes personal data on behalf of commercial customers in connection with their end-users' game sessions, Gameye acts as a data processor (or sub-processor) within the meaning of GDPR Article 4(8). In that capacity, Gameye processes such data only on the documented instructions of the customer, as set out in the relevant data processing agreement or, where no separate agreement exists, the Commercial Agreement.
In the context of game session orchestration, the only personal data relating to end-users (players) that Gameye processes is the IP address required for session routing purposes. Gameye does not access, store, or process any other player personal data — including usernames, account identifiers, in-game behaviour, or payment data. Customers remain solely responsible for their own obligations as data controllers in respect of their players' personal data.
3. Automated Decision-Making
Gameye does not make decisions that produce legal or similarly significant effects on individuals based solely on automated processing. Automated systems are used only for technical operations such as session routing, load management, and security monitoring. No profiling of individuals is carried out for marketing or eligibility purposes.
4. Sharing Personal Data with Third Parties
4.1 When We Share
Gameye does not sell personal data. We share personal data with third parties only in the following circumstances:
Sub-processors: third parties who process data on our behalf to deliver our services, as listed in Section 4.2.
Legal obligation: where required by applicable law, court order, or regulatory authority.
Business transfer: in connection with a merger, acquisition, or sale of all or part of Gameye's business, subject to the acquiring party being bound by equivalent data protection obligations.
With your consent: where you have explicitly consented to a specific sharing arrangement.
4.2 Sub-Processors
The following sub-processors process personal data on Gameye's behalf. All sub-processors are bound by data processing agreements ensuring equivalent protection to this policy.
| Sub-Processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Cloud infrastructure providers (data centre operators) | Hosting game server compute and storing service data | EEA and non-EEA regions — see §5 | Standard Contractual Clauses (where outside EEA) |
| PagerDuty | On-call incident alerting and escalation | United States | Standard Contractual Clauses |
| PostHog (self-hosted) | Product and web analytics for gameye.com and the administrative panel | Germany (Hetzner, Frankfurt — EEA) | Data processed entirely within the EEA; no international transfer |
| Apollo.io | Sales prospecting, management of commercial contact records, and identification of business visitors to gameye.com | United States | Standard Contractual Clauses |
| Google Workspace (Google LLC) | Email service delivery for all Gameye communications | United States (EU data region available) | EU–US Data Privacy Framework (adequacy decision) and Standard Contractual Clauses |
| Google Ads (Google LLC) | Conversion tracking and remarketing for marketing campaigns originating from gameye.com | United States | EU–US Data Privacy Framework and Standard Contractual Clauses |
| Ahrefs Pte. Ltd. | Aggregate website analytics and SEO performance measurement | Singapore | Standard Contractual Clauses |
| Cloudflare, Inc. | Content delivery, DDoS protection, edge runtime hosting, and cookieless web analytics | Global edge network; primary data processing in EU regions where available | Standard Contractual Clauses; ISO 27001 and SOC 2 certified |
We will notify commercial customers of any planned changes to sub-processors in accordance with the terms of the Commercial Agreement. Free Trial users and website visitors will be notified of material sub-processor changes through an update to this policy.
5. International Data Transfers
Gameye's game server orchestration service operates across multiple global regions. Where personal data is processed outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place as required by GDPR Chapter V.
Standard Contractual Clauses (SCCs): for transfers to countries without an EU adequacy decision, we rely on the European Commission's standard contractual clauses (2021/914/EU) supplemented where necessary by additional technical and organisational measures.
Adequacy decisions: where the European Commission has adopted an adequacy decision for the recipient country, we rely on that decision.
Data minimisation: we limit the personal data transferred to non-EEA regions to what is strictly necessary for the delivery of the service.
You may request a copy of the applicable transfer mechanism by contacting [email protected].
6. Cookies and Similar Technologies
Gameye uses cookies and similar technologies on its website and administrative panel. We categorise them as follows.
Strictly necessary. Required for the website and administrative panel to function correctly. These are set automatically and cannot be disabled. They include the cookie that records your consent choices and any session cookies set by the form-handling layer.
Analytics. Used to understand how visitors use gameye.com so we can improve it. We use PostHog (self-hosted in Frankfurt, EEA — described in §4.2) for product and web analytics, and Ahrefs Pte. Ltd. for aggregate website analytics. These cookies are only set when you grant consent.
Marketing. Used to measure the effectiveness of our marketing campaigns and identify business visitors to the website. We use Google Ads (Google LLC) for conversion tracking and remarketing, and Apollo.io for business visitor identification. These cookies are only set when you grant consent.
Functional (opt-in). When you grant explicit consent, PostHog session recording captures a video of your interaction with the site to help us diagnose usability issues. This category requires a separate opt-in beyond general analytics consent.
Cloudflare Web Analytics, our edge analytics tool, does not use cookies and is therefore not subject to consent.
Managing your preferences. When you visit gameye.com from a region where prior consent is required (the EEA, the United Kingdom, and Switzerland), we present a cookie banner before any non-essential cookies are set. You can change your preferences at any time using the "Cookie preferences" link in our website footer. For visitors from other regions, no cookies in the analytics, marketing, or functional categories are set unless you opt in via the same Cookie preferences link.
Why we may not show the banner to you. Outside the EEA, UK, and Switzerland, our consent management tool operates in "default deny" mode — non-essential cookies are not set unless you explicitly opt in. This satisfies the opt-out requirements of laws such as the California Consumer Privacy Act, Brazil's LGPD, and Quebec's Law 25.
7. Your Data Subject Rights
Under GDPR, you have the following rights in relation to your personal data:
Right of access (Art. 15): you may request a copy of the personal data we hold about you.
Right to rectification (Art. 16): you may request correction of inaccurate or incomplete personal data.
Right to erasure (Art. 17): you may request deletion of your personal data where there is no overriding legitimate reason for us to continue processing it.
Right to restriction (Art. 18): you may request that we limit processing of your personal data in certain circumstances.
Right to data portability (Art. 20): where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, machine-readable format.
Right to object (Art. 21): you may object to processing based on legitimate interest. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
Right to withdraw consent (Art. 7(3)): where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.
7.1 How to Exercise Your Rights
To exercise any of the above rights, please contact us at [email protected], describing your request clearly. We will respond within one month of receipt. Where requests are complex or numerous, we may extend this period by a further two months and will notify you accordingly.
We may ask you to verify your identity before processing your request. We will do this using the information already on file — we will not ask you to provide a copy of your passport, ID document, or citizen service number (BSN).
Exercising your rights is free of charge. Where requests are manifestly unfounded or excessive, we may charge a reasonable administrative fee or decline to act.
7.2 Right to Lodge a Complaint
If you believe that Gameye has not handled your personal data lawfully, you have the right to lodge a complaint with the Dutch Data Protection Authority:
Autoriteit Persoonsgegevens — autoriteitpersoonsgegevens.nl
We encourage you to contact us at [email protected] first so that we can address your concern directly.
8. Security of Personal Data
Gameye implements appropriate technical and organisational measures to protect personal data against accidental loss, unauthorised access, disclosure, alteration, or destruction, commensurate with the nature of the data and applicable risks. These measures include:
encryption of data in transit (TLS) and at rest;
access controls and role-based permissions limiting access to personal data to authorised personnel;
API key management and credential rotation practices;
monitoring and alerting for security incidents via PagerDuty; and
regular review of security measures in line with the state of technology.
In the event of a personal data breach, Gameye will notify the Autoriteit Persoonsgegevens within 72 hours of becoming aware, where required by GDPR Article 33. Affected individuals will be notified where the breach is likely to result in a high risk to their rights and freedoms, in accordance with Article 34. Commercial customers will be notified in accordance with the terms of the Commercial Agreement (§9.8).
9. Children
Gameye's services are intended for business use by game development organisations and are not directed at individuals under the age of 16. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected personal data about a child under 16, please contact us at [email protected] and we will delete that information promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our processing activities, applicable law, or business operations. The version number and effective date at the top of this document will be updated accordingly.
Material changes will be communicated via a notice on gameye.com and, where appropriate, by email to registered account holders. Continued use of our website or services after the effective date of an updated policy constitutes acceptance of the updated terms, to the extent permitted by applicable law.
Previous versions of this policy are available upon request by contacting [email protected].
Gameye B.V. | [email protected] | https://gameye.com
