ArdicGaming — Privacy Notice

This privacy notice summarizes what we collect and why. We aim to comply with applicable data protection laws, including UK GDPR and EU GDPR where applicable.

AGRP does not buy, sell, or disclose players' personal data for profit. We collect the minimum necessary to operate the Features, moderate the community, provide support, and process payments.

Where you request deletion, we may de-identify your account (remove direct/indirect identifiers) while retaining non-personal gameplay records needed to preserve the integrity of the game world. We do not keep any key or mapping that could re-identify you.

Used to identify your account and operate the Features:

• Password resets, account recovery, and e-mail changes.
• Optional newsletters/community updates (opt-out anytime).
• Fraud prevention, security alerts, and administrative notices.

Used for connection integrity, security, and moderation:

• Connection history visibility for administrators to detect unusual activity.
• Firewall/DDoS checks (e.g., via Cloudflare) during access to AGRP.
• Filtering and blocking connections flagged as malicious by the Administration.
• Account recovery verification as needed.
• VPN/Proxy detection (security). We check connecting IP addresses against an IP reputation/VPN database (e.g., IPHub or a similar provider) to deter abuse and evasion. This involves sending your IP to the provider and receiving a classification (e.g., “residential,” “hosting/VPN,” “anonymous/Tor”). Flagged connections may be automatically rejected or kicked. We use this only for security/anti-abuse; not for profiling or marketing.
• Whitelist for legitimate needs. If you have a legitimate reason to use a VPN (e.g., corporate or campus network, unstable local connectivity), you may request an exception. On approval, we may record your account ID, whitelist status, and (where relevant) allowed ASN/IP ranges and the reason provided. Whitelists are discretionary, reviewed periodically, and may be revoked if abused.
• Security logs retention. Limited, minimized security/fraud logs (including IP reputation results and timestamps) may be retained under our legitimate interests for a short period (typically 90–180 days) and are automatically purged when no longer necessary.

Legal basis: legitimate interests (service integrity, fraud/abuse prevention). Some providers may process data internationally; see Providers and International Transfers. You may contact us to contest a block or request whitelisting via our Contact Page.

We may send limited emails to addresses (including those submitted by “invite a friend” features). External addresses are not retained longer than necessary (typically no more than 24 hours for outreach actions) unless they create an account.

We use reputable providers that may process limited data as needed to deliver their services:

• OVH / So You Start (hosting): infrastructure/network operations.
• Cloudflare (security/CDN): IP processing for traffic filtering and protection.
• IP reputation/VPN detection (e.g., IPHub): receives your IP to classify VPN/proxy/hosting usage for security and anti-abuse.
• Payments (Stripe / PayPal / Payhip): transaction processing and fraud checks. We do not store card numbers.
• Email (Microsoft): transactional/support email delivery.
• Domains/DNS (GoDaddy): infrastructure/DNS management.

Some providers may process data internationally; we use appropriate safeguards (e.g., contractual protections). See International Transfers for more information.

Some of our service providers (e.g., CDN/DDoS, payments, email, IP reputation/VPN checks) may process data outside your country, including outside the UK/EEA. We only transfer what is necessary for the specific function (data minimisation), and we do not use these providers for advertising or profiling.

Safeguards we rely on (as applicable):

• Contractual protections: vendor Data Processing Agreements (DPAs) and the EU Standard Contractual Clauses (SCCs) with the UK Addendum/IDTA for UK transfers.
• Adequacy mechanisms (where available): we may rely on adequacy decisions and recognised frameworks (for example, the EU/UK mechanisms applicable to some providers) when a vendor is certified.
• Technical & organisational measures: TLS in transit, vendor encryption at rest, access controls (least-privilege), logging, and incident response.
• Purpose limitation: providers are used for hosting, security/CDN, payments, email, or IP reputation checks — not for marketing.
• Retention limits: security/fraud logs are kept only as long as necessary (typically 90–180 days), then purged; legal/accounting records are kept only as required by law.
• De-identification where feasible: where possible we use non-identifying or anonymised data (for example, only the IP address is sent to an IP reputation service).

For more about who processes what, see Providers. If you have questions about international transfers or the safeguards we rely on, contact us via our Contact Page.

Used for connection integrity, security, and moderation:

• Connection history visibility for administrators to detect unusual activity.
• Firewall/DDoS checks (e.g., via Cloudflare) during access to AGRP.
• Filtering and blocking connections flagged as malicious by the Administration.
• Account recovery verification as needed.
• Security logs retention: limited, minimized security/fraud logs may be retained under our legitimate interests for a short period (typically 90–180 days) and are automatically purged when no longer necessary.