Privacy Policy

Last updated: April 24, 2026

1. Data Controller

This Privacy Policy is issued by Ganduja Interactive OÜ, acting as the data controller for the Ata Games platform ("Platform").

  • Company: Ganduja Interactive OÜ
  • Registrikood: 17298251
  • Address: Ahtri tn 12, Kesklinna linnaosa, Tallinn, Harju maakond, 15551, Estonia
  • Email: legal@atagames.co

This policy complies with the EU General Data Protection Regulation (GDPR – 2016/679) and Estonian Personal Data Protection Act.

2. Data We Collect

a) Data Collected Directly From You:

  • Account information: username, email, password (hashed), display name, bio, country, avatar
  • Communications: support tickets, comments, community posts
  • Developer applications: company name, tax ID, portfolio, identity verification

b) Automatically Collected Data:

  • IP address, browser information, device details, operating system
  • Visit timestamps, viewed pages, clicked links
  • Cookies (for details see Cookie Policy)

c) Payment Data:

Credit card and payment details are not transmitted to us. All payment information is collected and processed directly by Lemon Squeezy as the Merchant of Record. We only receive transaction status, order number, and billing address.

3. Why We Process Your Data (Purposes)

  • Contract performance: Account creation, digital content delivery, library management (GDPR Art.6(1)(b))
  • Legal obligation: Tax records, invoice retention (GDPR Art.6(1)(c))
  • Legitimate interest: Fraud prevention, security, platform improvement (GDPR Art.6(1)(f))
  • Explicit consent: Marketing emails, optional cookies (GDPR Art.6(1)(a))

4. Data Sharing and Processors

Your data is shared with the following service providers (sub-processors):

Sub-processorPurposeLocation
Lemon Squeezy (a Stripe Inc. subsidiary)Payment processing, invoicing, tax collection (Merchant of Record)USA / EU
Supabase Inc.Database, authentication, file storageEU (Frankfurt)
Vercel Inc.Hosting, CDN, infrastructureUSA / Global
Google LLC (fonts)Font delivery (self-hosted alternative possible)USA / Global

Data transfers outside the EU are protected by Standard Contractual Clauses (SCCs) or adequacy decisions under Chapter V of the GDPR.

5. Data Retention Periods

  • Account data: While the account is active + 30 days after deletion (for recovery)
  • Order/invoice data: 7 years as required by Estonian tax law
  • Developer agreements: 10 years after contract termination
  • Support correspondence: 2 years
  • Log records: 90 days

6. Your Rights Under GDPR

If you reside in the EU/EEA, you have the following rights:

  • Right of access (Art.15): Request a copy of your data
  • Right to rectification (Art.16): Correct inaccurate data
  • Right to erasure / "Right to be forgotten" (Art.17)
  • Right to restrict processing (Art.18)
  • Right to data portability (Art.20): Receive your data in machine-readable format
  • Right to object (Art.21)
  • Right not to be subject to automated decision-making (Art.22)
  • Right to lodge a complaint with the supervisory authority: Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)

To exercise your rights: legal@atagames.co

7. Security

  • All communications are encrypted with HTTPS/TLS
  • Passwords are hashed with bcrypt (never stored in plain text)
  • Row-Level Security (RLS) applied in the database
  • Two-factor authentication (2FA) supported
  • Data breaches will be reported to authorities within 72 hours

8. Children's Privacy

The Platform is not designed for children under 16. If we become aware that we have collected data from a user under 16, we will promptly delete it. Parents may contact us at legal@atagames.co.

9. Policy Changes

We may update this policy. Material changes will be announced via email or on the Platform. Continued use after the updated policy is published constitutes acceptance.

10. Contact

Privacy questions: legal@atagames.co

Ganduja Interactive OÜ, Ahtri tn 12, Kesklinna linnaosa, Tallinn, Harju maakond, 15551, Estonia