GDPR Compliance

Last Updated: October 2024 | Effective Date: October 2024

TinDev Studios is committed to full compliance with the General Data Protection Regulation (GDPR) and other applicable privacy laws. This page explains your rights under GDPR and how we ensure compliance.

1. About GDPR

The General Data Protection Regulation (GDPR) is a comprehensive regulation in European Union law on data protection and privacy that took effect on May 25, 2018. It applies to:

• All individuals (data subjects) in the EU/EEA

• Organizations processing EU/EEA resident data

• Non-EU companies offering services to EU residents

GDPR mandates that organizations handle personal data with care, transparency, and respect for individuals' rights.

2. Your GDPR Rights

Under GDPR, you have the following rights regarding your personal data:

Right of Access

You have the right to access your personal data and receive a copy in a structured, commonly used, machine-readable format (Article 15).

Right to Rectification

You can request correction of inaccurate or incomplete personal data (Article 16).

Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data under certain circumstances, such as when data is no longer necessary or processing is unlawful (Article 17).

Right to Restrict Processing

You can request that we limit how we process your data while we verify its accuracy or assess your objection (Article 18).

Right to Data Portability

You can receive your personal data in a structured, commonly used format and transmit it to another organization without hindrance (Article 20).

Right to Object

You can object to processing for marketing, profiling, and certain other purposes, including our legitimate interests (Article 21).

Rights Related to Automated Decision-Making

You have rights regarding decisions made purely by automated means that produce legal or similarly significant effects (Article 22).

Right to Lodge a Complaint

You can file a complaint with your local data protection authority if you believe we've violated your GDPR rights.

3. Legal Basis for Processing

GDPR requires that we have a legal basis for processing your personal data. We process data based on:

Consent

You have explicitly consented to processing (e.g., marketing emails, analytics). You can withdraw consent at any time.

Contract Performance

Processing is necessary to perform a contract you've entered into with us (e.g., service delivery, payment processing).

Legal Obligation

We must process data to comply with legal obligations (e.g., tax law, anti-fraud regulations).

Vital Interests

Processing is necessary to protect your vital interests or those of another person.

Public Task

Processing is necessary for a task carried out in the public interest or in the exercise of official authority.

Legitimate Interests

Processing is necessary for our legitimate interests (e.g., fraud prevention, website optimization, customer service) and does not override your rights.

4. Our Data Protection Officer (DPO)

TinDev Studios has appointed a dedicated Data Protection Officer (DPO) to oversee our GDPR compliance and serve as the point of contact for data protection inquiries.

Data Protection Officer
Email: dpo@tindevstudios.com
Mailing Address: TinDev Studios, Inc., Legal Department
Response Time: Within 10 business days

You can contact our DPO for:

  • Data protection inquiries and concerns
  • Exercising your GDPR rights
  • Reporting potential data breaches
  • Data protection policy clarifications

5. Data Processing Agreements (DPA)

For customers processing personal data with us, we provide Data Processing Agreements (DPA) that comply with GDPR Article 28. DPAs outline:

• Scope of data processing and subjects

• Duration of processing

• Nature and purpose of processing

• Types of personal data and data subjects

• Security measures and data protection responsibilities

• Sub-processor authorization and agreements

To request a DPA, contact our DPO at dpo@tindevstudios.com.

6. International Data Transfers

If your data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place:

Standard Contractual Clauses (SCCs): Legal framework approved by the European Commission

Binding Corporate Rules (BCRs): Approved policies for transfers within our organization

Adequacy Decisions: Relying on formal EU adequacy findings

Explicit Consent: Your informed consent to specific transfers

We conduct Data Transfer Impact Assessments (TIAs) to ensure your rights are protected when data is transferred internationally.

7. Data Retention & Deletion

We follow the data minimization principle and retain personal data only for as long as necessary. Retention periods include:

Account Data: Retained while your account is active, plus 90 days after deletion

Transaction Data: Retained for 7 years for legal/tax requirements

Support/Communications: Retained for 3 years for dispute resolution

Marketing Data: Retained until you unsubscribe or until 2 years of inactivity have elapsed

Analytics Data: Retained for 24-26 months

Legal Holds: Data retained if subject to litigation or investigation

When you request deletion, we securely erase data within 30 days, unless legal obligations require retention.

8. Data Breach Notification

In the event of a personal data breach, GDPR requires:

Authority Notification: Notify relevant data protection authorities without undue delay, or within 72 hours if there is risk

Individual Notification: Inform affected data subjects without undue delay if there is high risk to their rights

Documentation: Maintain records of all breaches for regulatory purposes

Our security team monitors for potential breaches 24/7. If a breach affects your data, we will notify you promptly with details about the incident and recommended actions.

9. Privacy by Design & Default

We implement privacy by design principles across all our processes:

• Data minimization: Collect only necessary data

• Purpose limitation: Use data only for stated purposes

• Encryption: Protect data in transit and at rest

• Access controls: Limit data access to authorized personnel

• Regular audits: Conduct privacy impact assessments (DPIAs)

• Transparency: Provide clear privacy information

• Accountability: Demonstrate compliance and maintain records

10. Exercising Your Rights

To exercise any of your GDPR rights, submit a request to:

Email: privacy@tindevstudios.com
Subject Line: "[GDPR Right] - [Your Name]"
Response Time: Within 30 days (45 days for complex requests)

Please include:

• Your full name and contact information

• Description of the data you're requesting

• Specific right(s) you're exercising

• Any relevant account details or dates

• Copy of ID for verification (for certain requests)

We will not charge a fee unless your request is manifestly unfounded or excessive.

11. Right to Lodge a Complaint

If you believe we've violated your GDPR rights, you have the right to lodge a complaint with your local data protection authority. However, we encourage you to contact us first so we can address your concerns.

Data Protection Authorities by Country:

• Belgium: https://www.autoriteprotectiondonnees.be
• France: https://www.cnil.fr
• Germany: https://www.bfdi.bund.de
• UK: https://ico.org.uk
• EU DPA List: https://edpb.europa.eu/about-edpb/board/members_en

12. Contact Us

For any GDPR-related questions or concerns:

Data Protection Officer: dpo@tindevstudios.com
Privacy Team: privacy@tindevstudios.com
Legal Department: legal@tindevstudios.com

We aim to respond to all GDPR inquiries within 10 business days.

This GDPR Compliance document is effective as of October 2024 and was last updated in October 2024. We regularly review and update our GDPR practices to ensure ongoing compliance with regulations.