Legal

Bandaloop Games GmbH ("Bandaloop", "we", "us") is committed to protecting your privacy. This policy explains what personal data we collect, why we collect it, how long we keep it, and what your rights are under the EU General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG).

1. Controller

The data controller responsible for processing your personal data is:

Bandaloop Games GmbH
Argentinierstraße 39/3, 1st floor
1040 Vienna, Austria
Email: office@bandaloop.at
Phone: +43 1 40602520

2. Data collected when you visit our website

When you access bandaloop.at, our hosting provider automatically logs technical data necessary to deliver the website, including:

• IP address (truncated or anonymized where technically possible)
• Browser type and version
• Operating system
• Referrer URL and pages visited
• Date and time of the request

This data is processed on the basis of our legitimate interest (Art. 6(1)(f) GDPR) in operating a secure and functioning website. Server logs are retained for a maximum of 30 days unless retention is required to investigate a security incident.

3. Cookies and similar technologies

Our website uses only strictly necessary cookies required for core functionality, such as the session cookie that keeps administrators signed in. We do not set advertising or cross-site tracking cookies. If we ever introduce optional analytics or marketing cookies, we will request your consent first via a cookie banner and update this policy accordingly.

4. Newsletter and release updates

If you sign up to receive newsletters or release updates, we store the email address you provide together with a record of your consent and the time of sign-up. This data is processed on the basis of your consent (Art. 6(1)(a) GDPR). You can unsubscribe at any time by using the link contained in every newsletter email, or by writing to office@bandaloop.at. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.

5. Contact by email

If you contact us by email, the information you provide (name, email address, the content of your message, and any attachments) is processed solely for the purpose of responding to your enquiry. The legal basis is our legitimate interest in answering correspondence (Art. 6(1)(f) GDPR) and, where the contact relates to a prospective or existing contract, Art. 6(1)(b) GDPR. We delete enquiries once they are no longer required to handle your matter, unless statutory retention obligations apply.

6. Game and session services

When you play a Bandaloop game online, our session servers process the following data to make multiplayer functionality possible:

• A randomly generated player identifier (not linked to your real identity)
• Your IP address and connection port, used for matchmaking and NAT relay
• Lobby and session metadata you provide, such as a display name

This data is held only in memory for the duration of your session and is automatically deleted shortly after you leave a lobby or stop sending heartbeats. We may retain aggregated, non-identifying statistics such as concurrent player counts for capacity planning. The legal basis is performance of the service you are requesting (Art. 6(1)(b) GDPR).

7. Third-party processors

We rely on a small number of carefully selected service providers to operate our website, email, and game infrastructure. These processors act on our instructions under written data processing agreements as required by Art. 28 GDPR. We do not sell, rent, or otherwise commercially transfer personal data to third parties.

8. International data transfers

Our infrastructure is hosted within the European Economic Area where possible. Where a processor operates outside the EEA, transfers take place only on the basis of an adequacy decision of the European Commission or under appropriate safeguards such as the European Commission's Standard Contractual Clauses, together with supplementary measures where required.

9. Data retention

We retain personal data only for as long as necessary for the purposes set out in this policy or to comply with legal obligations. Server logs are kept for up to 30 days; newsletter data is kept until you unsubscribe; in-game session data is deleted automatically. Where statutory retention obligations (for example tax law) apply, the data is restricted from further processing for the duration of the retention period.

10. Your rights

Under the GDPR you have the right to:

• Access the personal data we hold about you (Art. 15)
• Have inaccurate data corrected (Art. 16)
• Have your data erased where applicable (Art. 17)
• Restrict processing of your data (Art. 18)
• Receive your data in a portable format (Art. 20)
• Object to processing based on legitimate interest (Art. 21)
• Withdraw consent at any time, without affecting the lawfulness of past processing

To exercise any of these rights, please contact us at office@bandaloop.at. You also have the right to lodge a complaint with the Austrian Data Protection Authority (Datenschutzbehörde, www.dsb.gv.at) if you believe our processing of your data infringes the GDPR.

11. Children

Our website and corporate services are not directed at children under the age of 16. If a game we operate is suitable for younger audiences, age-appropriate notices and parental-consent flows will be provided in the game itself. We do not knowingly collect personal data from children outside of those contexts.

12. Changes to this policy

We may update this policy from time to time to reflect changes to our services, the way we process data, or legal requirements. The current version is always available at bandaloop.at/legal. Where changes are material, we will highlight them on the website or notify newsletter subscribers in advance.

By using Bandaloop services you agree to lawful use, to avoid harassment, and to respect our creative work, trademarks, and community guidelines.

For press requests or asset downloads, please contact press@bandaloop.at. We are happy to support coverage with logos, screenshots, and studio information.