Last updated: March 31, 2026

Privacy Policy

1. Data Controller

Francisco Garreta Calderón, based in Spain.

Address: Corralejo, Fuerteventura, Las Palmas, Spain
Privacy contact: contact@drawntcg.com

For any privacy-related inquiries, contact us at the email above.

2. Data We Collect

Data	Purpose	Legal Basis	Retention
Email address	Account creation, login, password reset	Contract	Until account deletion
Username	In-game identity, leaderboards, social features	Contract	Until account deletion
Password (hashed)	Authentication	Contract	Until account deletion
IP address	Security, abuse prevention, rate limiting	Legitimate interest	90 days
Game activity	Game operation, provably fair verification, leaderboards	Contract + Legitimate interest	Account data: until deletion. Battle logs: 90 days.
Device/browser info	Security, compatibility	Legitimate interest	90 days
Ad interaction data	Rewarded ad delivery (when enabled)	Consent	Per Google's retention policy

3. How We Use Your Data

Provide and operate the game service
Authenticate your identity and secure your account
Enable social features (friends, trading, challenges)
Display leaderboards and battle statistics
Process cosmetic purchases (when available)
Deliver rewarded advertisements (when enabled, with your consent)
Improve game balance and detect cheating
Comply with legal obligations

We do not sell your personal data.

Third-party processors that may receive data:

Google AdSense / AdMob (when ads are enabled) — rewarded ad delivery, subject to your consent. Retention: per Google's retention policy. Google Privacy Policy
Arsys (Spain) — server hosting (EU-based). Operates the application server, the PostgreSQL database, and the Redis cache that the Service runs on. Processes the personal data stored in the database (email, username, game activity), short-lived identifiers (IP, session token hashes) used for rate limiting, and infrastructure-level metadata (request logs) required to deliver the Service. The data itself is administered solely by the Operator (Francisco Garreta Calderón); Arsys provides infrastructure only and does not access game data.

F-A12-005 (Area 12 hostile review, 2026-04-25): the database (PostgreSQL) and cache (Redis) run on operator-managed infrastructure hosted by Arsys; they are not separate third-party processors. A future cosmetic-store payment processor will be added here when that feature ships under F-A12-016 — until then, no payment provider receives any data because no real-money purchases exist.

We may disclose data if required by law or to protect rights and safety.

5. International Transfers

Your data is stored and processed within the European Union.
If Google Ads are enabled, data may be processed by Google (US) under the EU-US Data Privacy Framework adequacy decision.
No other international transfers occur.

6. Data Retention

Account data: until you request deletion
Server logs (IP, User-Agent): 90 days
Battle history: 90 days
Pack opening proofs: until you rotate your provably fair seed
Session cookies: 7 days (auto-expire)
Account deletion: personal data erased within 30 days. Anonymized aggregate data (e.g., total card statistics) may be retained.

7. Your Rights

Right to Object (GDPR Art. 21)

You have the right to object to processing of your personal data based on legitimate interest at any time. To exercise this right, contact us at contact@drawntcg.com. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Under GDPR (EU/EEA)

Access: request a copy of your data
Rectification: correct inaccurate data
Erasure: request deletion of your account and data
Portability: receive your data in a structured, machine-readable format
Objection: object to processing based on legitimate interest
Restriction: request restricted processing while a dispute is resolved
Withdraw consent: for consent-based processing (e.g., ads), withdraw at any time

Under CCPA / CPRA (California, US)

Right to know what data is collected and how it is used
Right to delete your data
Right to opt-out of the sale of personal information (we do not sell data)
Right to non-discrimination for exercising your rights
Right to correct inaccurate personal information
Right to limit use of sensitive personal information (we do not collect sensitive PI as defined by CPRA)
Right to opt-out of automated decision-making technology (we do not use automated decision-making that produces legal or similarly significant effects)

To exercise any right, email contact@drawntcg.com. We will respond within 30 days (GDPR) or 45 days (CCPA).

8. Right to Lodge a Complaint

If you believe your data protection rights have been violated, you may file a complaint with your local Data Protection Authority.

Spain: Agencia Española de Protección de Datos (AEPD) — www.aepd.es

8b. Data Breach Notification

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with GDPR Article 34. We will also notify the relevant supervisory authority within 72 hours of becoming aware of such a breach (Article 33), providing details of the nature of the breach, the likely consequences, and the measures taken or proposed to address it.

9. Cookies

We use essential session cookies for authentication and security. Advertising cookies (for Google AdSense / AdMob) require your explicit consent — the consent banner asks you on first visit and you can update your choice anytime from Settings.

For full details, see our Cookie Policy.

10. Children

The Service is intended for users aged 16 and over.
We do not knowingly collect personal data from users under 16.
If we discover a user is under 16, we will delete their account and associated data.

11. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects on you.
Gacha/pack outcomes use cryptographic random number generation and are not based on user profiles or behavior.

12. Changes to This Policy

We will notify you of material changes via email or in-app notification. The "Last updated" date at the top reflects the most recent revision. We review this policy at least annually.

13. Contact

Email: contact@drawntcg.com
Responsible: Francisco Garreta Calderón, Corralejo, Fuerteventura, Las Palmas, Spain

Last updated: March 31, 2026

Privacy Policy

1. Data Controller

Francisco Garreta Calderón, based in Spain.

Address: Corralejo, Fuerteventura, Las Palmas, Spain
Privacy contact: contact@drawntcg.com

For any privacy-related inquiries, contact us at the email above.

2. Data We Collect

Data	Purpose	Legal Basis	Retention
Email address	Account creation, login, password reset	Contract	Until account deletion
Username	In-game identity, leaderboards, social features	Contract	Until account deletion
Password (hashed)	Authentication	Contract	Until account deletion
IP address	Security, abuse prevention, rate limiting	Legitimate interest	90 days
Game activity	Game operation, provably fair verification, leaderboards	Contract + Legitimate interest	Account data: until deletion. Battle logs: 90 days.
Device/browser info	Security, compatibility	Legitimate interest	90 days
Ad interaction data	Rewarded ad delivery (when enabled)	Consent	Per Google's retention policy

3. How We Use Your Data

Provide and operate the game service
Authenticate your identity and secure your account
Enable social features (friends, trading, challenges)
Display leaderboards and battle statistics
Process cosmetic purchases (when available)
Deliver rewarded advertisements (when enabled, with your consent)
Improve game balance and detect cheating
Comply with legal obligations

We do not sell your personal data.

Third-party processors that may receive data:

Google AdSense / AdMob (when ads are enabled) — rewarded ad delivery, subject to your consent. Retention: per Google's retention policy. Google Privacy Policy
Arsys (Spain) — server hosting (EU-based). Operates the application server, the PostgreSQL database, and the Redis cache that the Service runs on. Processes the personal data stored in the database (email, username, game activity), short-lived identifiers (IP, session token hashes) used for rate limiting, and infrastructure-level metadata (request logs) required to deliver the Service. The data itself is administered solely by the Operator (Francisco Garreta Calderón); Arsys provides infrastructure only and does not access game data.

We may disclose data if required by law or to protect rights and safety.

5. International Transfers

Your data is stored and processed within the European Union.
If Google Ads are enabled, data may be processed by Google (US) under the EU-US Data Privacy Framework adequacy decision.
No other international transfers occur.

6. Data Retention

Account data: until you request deletion
Server logs (IP, User-Agent): 90 days
Battle history: 90 days
Pack opening proofs: until you rotate your provably fair seed
Session cookies: 7 days (auto-expire)
Account deletion: personal data erased within 30 days. Anonymized aggregate data (e.g., total card statistics) may be retained.

7. Your Rights

Right to Object (GDPR Art. 21)

Under GDPR (EU/EEA)

Access: request a copy of your data
Rectification: correct inaccurate data
Erasure: request deletion of your account and data
Portability: receive your data in a structured, machine-readable format
Objection: object to processing based on legitimate interest
Restriction: request restricted processing while a dispute is resolved
Withdraw consent: for consent-based processing (e.g., ads), withdraw at any time

Under CCPA / CPRA (California, US)

Right to know what data is collected and how it is used
Right to delete your data
Right to opt-out of the sale of personal information (we do not sell data)
Right to non-discrimination for exercising your rights
Right to correct inaccurate personal information
Right to limit use of sensitive personal information (we do not collect sensitive PI as defined by CPRA)
Right to opt-out of automated decision-making technology (we do not use automated decision-making that produces legal or similarly significant effects)

To exercise any right, email contact@drawntcg.com. We will respond within 30 days (GDPR) or 45 days (CCPA).

8. Right to Lodge a Complaint

If you believe your data protection rights have been violated, you may file a complaint with your local Data Protection Authority.

Spain: Agencia Española de Protección de Datos (AEPD) — www.aepd.es

8b. Data Breach Notification

9. Cookies

For full details, see our Cookie Policy.

10. Children

The Service is intended for users aged 16 and over.
We do not knowingly collect personal data from users under 16.
If we discover a user is under 16, we will delete their account and associated data.

11. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects on you.
Gacha/pack outcomes use cryptographic random number generation and are not based on user profiles or behavior.

12. Changes to This Policy

We will notify you of material changes via email or in-app notification. The "Last updated" date at the top reflects the most recent revision. We review this policy at least annually.

13. Contact

Email: contact@drawntcg.com
Responsible: Francisco Garreta Calderón, Corralejo, Fuerteventura, Las Palmas, Spain

Privacy Policy

1. Data Controller

2. Data We Collect

3. How We Use Your Data

4. Data Sharing

5. International Transfers

6. Data Retention

7. Your Rights

Under GDPR (EU/EEA)

Under CCPA / CPRA (California, US)

8. Right to Lodge a Complaint

8b. Data Breach Notification

9. Cookies

10. Children

11. Automated Decision-Making

12. Changes to This Policy

13. Contact

Privacy Policy

1. Data Controller

2. Data We Collect

3. How We Use Your Data

4. Data Sharing

5. International Transfers

6. Data Retention

7. Your Rights

Under GDPR (EU/EEA)

Under CCPA / CPRA (California, US)

8. Right to Lodge a Complaint

8b. Data Breach Notification

9. Cookies

10. Children

11. Automated Decision-Making

12. Changes to This Policy

13. Contact