
Welcome to PlayToPromote

When you lose a match, you will be automatically redirected to the winner's promotional link. This is how PlayToPromote works.

Ad blockers may interfere with the redirect. Please disable them for playtopromote.com for the best experience.

Players who block redirects will receive a 24-hour temporary ban. Fair play keeps the ecosystem working for everyone.

Privacy Policy

Last updated: 18 May 2026

1. Who we are

PlayToPromote (“we”, “us”, “our”) operates the website playtopromote.com and its associated browser-based mini-games (the “Service”). The Service is operated by PlayToPromote (sole proprietor, Greece). We are based in Greece but the Service is available to users worldwide. Depending on where you live, different privacy laws apply to you:

  • If you are in the European Economic Area, we are your “data controller” under the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and Greek Law 4624/2019.
  • If you are in the United Kingdom, the same applies under the UK GDPR and Data Protection Act 2018.
  • If you are in California, the California Consumer Privacy Act / California Privacy Rights Act (“CCPA/CPRA”) applies — see Section 10.
  • If you are in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, or other US states with comprehensive privacy laws, equivalent rights apply — see Section 10.
  • If you are in Canada, we comply with PIPEDA. If you are in Brazil, the LGPD. If you are in Australia, the Privacy Act 1988.

You can reach us at any time at jefftherobotwizard@gmail.com for any privacy-related question, request, or complaint, regardless of where you live.

2. Summary

The Service is a gaming platform where, before each match, players submit a promotional link. When a match ends, the loser’s browser is redirected to the winner’s link. To make this work we need to know who is logged in, what link they want to promote, who won the match, and whether anyone abandoned the game. We do not sell your personal data. We rely on well-known service providers (Google, Stripe) to host the underlying infrastructure.

3. Categories of personal data we collect

When you use the Service we may process the following categories of personal data:

  • Account data — if you sign in with Google or GitHub, we receive your unique user ID, display name, email address, and avatar URL from the OAuth provider via Firebase Authentication. If you play anonymously, we issue an anonymous Firebase Auth ID with no personal data attached.
  • Profile data — your promotional links, optional channel information, win/match statistics, ban status, Premium status, and any promo-code redemptions. Stored in Google Firestore.
  • Gameplay data — match results, leaderboard entries, abandonment flags, and (for the live multiplayer games) ephemeral room state in Firebase Realtime Database.
  • Technical and analytics data — IP address (used by Firebase for anti-abuse and by Google Analytics for approximate geo-location), browser type, device type, pages visited, time on page, referrer. Collected via Google Analytics 4 and Firebase Hosting logs.
  • App Check / anti-abuse data — reCAPTCHA v3 tokens used by Firebase App Check to verify that requests come from a real browser. No CAPTCHA solving is shown to you; reCAPTCHA observes signals in the background.
  • Advertising data — Google AdSense may read and set cookies on the browsers of free-tier users to serve and measure advertisements. We do not see your individual ad-click profile.
  • Payment data (when Premium is enabled) — processed directly by Stripe, Inc. We never see your card number. We only store a Stripe customer ID, subscription status, and the date your current subscription period ends.

4. Purposes and legal basis for processing

Under Article 6 GDPR, we process your data on the following legal bases:

  • Performance of a contract (Art. 6(1)(b)) — running matches, executing the loser-to-winner redirect mechanic, processing Premium payments, providing the Dashboard.
  • Legitimate interests (Art. 6(1)(f)) — preventing fraud and abuse, enforcing the fair-play ban system, securing the Service, improving features via aggregated analytics. You have the right to object to processing based on legitimate interests.
  • Consent (Art. 6(1)(a)) — non-essential cookies (analytics and advertising). You can withdraw consent at any time via the cookie settings in your browser or by clearing site data. Withdrawal does not affect lawfulness of previous processing.
  • Legal obligation (Art. 6(1)(c)) — retaining invoicing data and responding to lawful requests from competent authorities.

5. Cookies and similar technologies

We use the following categories of cookies and local-storage entries:

Category | Purpose | Set by
--- | --- | ---
Essential | Authentication session, fair-play ban flag, accepted-rules flag. | PlayToPromote, Firebase Auth
Anti-abuse | reCAPTCHA v3 / App Check token for bot mitigation. | Google reCAPTCHA
Analytics (optional) | Aggregate usage measurement (Google Analytics 4). | Google Analytics
Advertising (optional, free-tier only) | Ad selection, frequency capping, ad measurement. | Google AdSense
Payment (when Premium is active) | Stripe checkout and fraud prevention. | Stripe

Essential and anti-abuse cookies are required for the Service to function and do not require consent under the EU ePrivacy Directive. Analytics and advertising cookies are loaded only after you give consent via the cookie banner shown on first visit. You can change your choice at any time by clearing site data in your browser, which will display the banner again on next visit.

6. Recipients and third-party processors

Your data is processed on our behalf by the following providers:

  • Google Ireland Limited / Google LLC — Firebase (Auth, Firestore, Realtime Database, Hosting, Analytics, Cloud Functions, App Check), Google AdSense. See Google’s privacy policy.
  • Stripe, Inc. / Stripe Payments Europe Ltd — payment processing for Premium subscriptions. See Stripe’s privacy policy.
  • OAuth identity providers — Google, GitHub (only if you choose to sign in with one of these).
  • Sentry — optional crash reporting, configured to scrub personal identifiers.

We do not sell your personal data, and we do not share it with third parties for their own marketing purposes.

7. International transfers

Firebase, Google Analytics, Google AdSense, Stripe, and Sentry process data in the United States and other countries outside the European Economic Area. These transfers are protected by the European Commission’s Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework adequacy decision. The providers’ own privacy policies describe these safeguards in detail.

8. Retention periods

  • Account data — while your account is active. After deletion, retained for up to 30 days for backup-rotation reasons, then permanently removed or anonymised.
  • Gameplay history — up to 12 months, then aggregated for statistics and anonymised.
  • Ban records — for the duration of the ban (24 hours for first offence); repeat-offender flags may be kept up to 12 months.
  • Payment records — we retain Stripe subscription IDs and invoicing data for the period required by Greek tax law (currently 5 years).
  • Analytics — Google Analytics 4 retention is set to 14 months.
  • Support emails — up to 24 months from the last contact, then deleted.

9. Your rights — EU / UK / Switzerland (GDPR & UK GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the right to:

  • Access your personal data (Art. 15 GDPR).
  • Rectify inaccurate data (Art. 16 GDPR).
  • Erase your data (Art. 17 GDPR), subject to legal-retention obligations.
  • Restrict processing (Art. 18 GDPR).
  • Data portability — receive your data in a structured, commonly-used format (Art. 20 GDPR).
  • Object to processing based on legitimate interests (Art. 21 GDPR).
  • Withdraw consent at any time, without affecting prior lawfulness (Art. 7(3) GDPR).
  • Not be subject to a decision based solely on automated processing (Art. 22 GDPR). We do not perform such automated decision-making.

To exercise any of these rights, contact us at jefftherobotwizard@gmail.com. We respond within one month. You also have the right to lodge a complaint with your local data-protection authority: the Hellenic Data Protection Authority (www.dpa.gr), the UK Information Commissioner’s Office (ico.org.uk), the Swiss FDPIC, or the supervisory authority in your country of residence.

10. Your rights — United States (California & other states)

If you are a resident of California, the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”) gives you the following rights:

  • Right to Know — request the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the third parties we share it with.
  • Right to Delete — request deletion of personal information we have collected about you, subject to legal-retention exceptions.
  • Right to Correct — request correction of inaccurate personal information.
  • Right to Opt-Out of Sale or Sharing — see the “Do we sell or share?” note below.
  • Right to Limit Use of Sensitive Personal Information — we do not use sensitive personal information for purposes that trigger this right.
  • Right to Non-Discrimination — we will not discriminate against you for exercising any of these rights.
  • Right to Designate an Authorised Agent to submit a request on your behalf.

Do we “sell” or “share” personal information? We do not sell personal information for money. However, under the broad CCPA/CPRA definitions of “sale” and “sharing,” our use of Google Analytics and Google AdSense cookies for personalised advertising may be considered “sharing” of personal information. You can opt out by selecting “Reject non-essential” in the cookie banner shown on first visit, by clicking “Privacy Choices” in the footer at any time, or by enabling the Global Privacy Control (GPC) signal in your browser — we honour GPC as a valid opt-out.

We do not knowingly sell or share the personal information of consumers under 16 years of age.

Other US states. If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Tennessee, Iowa, Indiana, Delaware, New Jersey, New Hampshire, Minnesota, Maryland, Rhode Island, or other states with comprehensive privacy laws, you have substantially similar rights (access, deletion, correction, portability, opt-out of targeted advertising, opt-out of profiling). You can exercise them through the same contact below.

Shine the Light (California Civil Code § 1798.83). We do not share personal information with third parties for their own direct-marketing purposes.

To submit a CCPA/CPRA or state-law request, email jefftherobotwizard@gmail.com with the subject line “Privacy Request” and tell us which right you wish to exercise. We may need to verify your identity by asking you to confirm information already associated with your account. We respond within 45 days, extendable once by another 45 days as permitted by law.

11. Children

The Service is not directed to children. We apply the most protective age threshold for the relevant law in your country of residence:

  • European Economic Area / United Kingdom — minimum age 16 (GDPR digital-consent age).
  • United States — minimum age 13 (Children’s Online Privacy Protection Act, “COPPA”). We do not knowingly collect personal information from children under 13 without verifiable parental consent.
  • All other countries — minimum age 13, or any higher age required by your local law.

If you are a parent or guardian and believe your child has created an account without your consent, contact us at jefftherobotwizard@gmail.com and we will delete it without undue delay.

12. Security

We apply appropriate technical and organisational measures including: TLS encryption in transit, Firebase security rules enforced on every Firestore and Realtime Database operation, OAuth-only authentication, server-side validation of bans and promotional-link content, and reCAPTCHA-based App Check to mitigate bot abuse. No system is perfectly secure, and you use the Service at your own risk. We will notify affected users and the relevant authority within 72 hours of becoming aware of any personal-data breach that is likely to result in a risk to your rights, as required by Article 33 GDPR.

13. Changes to this policy

We may update this Privacy Policy from time to time. The “Last updated” date above reflects the latest revision. Material changes will be announced on the Service before they take effect. Continued use of the Service after a change indicates acceptance of the updated policy.

14. Contact

For any privacy-related question, request, or complaint, contact us at:

jefftherobotwizard@gmail.com