Legal

GDPR Compliance

Last updated: 16 May 2026

Our commitment

Ghosts Deal is built with privacy-by-design principles aligned with the EU and UK General Data Protection Regulation (GDPR), and with comparable standards for users in other regions. This page explains your rights and how to exercise them. Full details of what we collect and why are in our Privacy Policy.

Data controller

Ghosts Games (eenmanszaak, Netherlands) is the data controller for personal data processed through the Ghosts Deal app and ghostsdeal.com. We do not publish a street address on this website; KvK registration details are available in the public trade register. Correspondence: legal@ghostsdeal.com.

Data Protection Officer / privacy requests: dpo@ghostsdeal.com

Your rights under GDPR

Right of access

You can request a copy of the personal data we hold about you.

Right to rectification

You can ask us to correct inaccurate or incomplete information (many profile fields can also be updated in-app).

Right to erasure (“right to be forgotten”)

You can ask us to delete your account and personal data, subject to limited retention for fraud prevention, legal claims, tax, and security logs as described in our Privacy Policy.

Right to data portability

You can request your personal data in a structured, commonly used, machine-readable format where technically feasible.

Right to restrict or object to processing

You can ask us to pause certain processing — for example, while we verify whether our legitimate interest outweighs your objection (such as anti-cheat analytics).

Right to withdraw consent

Where processing relies on consent (e.g. optional marketing, certain advertising identifiers, device contacts for invites), you can withdraw consent at any time via device settings, in-app controls, or by contacting us.

Right to lodge a complaint

You may complain to your supervisory authority. Examples:

• Netherlands: Autoriteit Persoonsgegevens (AP)
• United Kingdom: Information Commissioner’s Office (ICO)
• Other EU/EEA countries: your national data protection authority (list: EDPB members).

How to exercise your rights

Email dpo@ghostsdeal.com with:

• The right you want to exercise.
• The email address registered on your Ghosts Deal account.
• Any information that helps us verify your identity.

We respond within one calendar month unless your request is complex, in which case we may extend by up to two further months and explain why.

For account deletion or data export you may also contact support@ghostsdeal.com.

Sub-processors

We use the following categories of sub-processors under Data Processing Agreements or equivalent contractual safeguards:

• Supabase, Inc. — authentication, PostgreSQL database, storage.
• Google LLC (Firebase) — Crashlytics, Cloud Messaging (push).
• Google LLC (AdMob) — in-app advertising and ad measurement.
• Apple Inc. — App Store, in-app purchase validation (iOS).
• Google LLC (Google Play) — distribution and IAP (Android).
• Vercel Inc. — website hosting and CDN for ghostsdeal.com.
• Cloud infrastructure — game API and WebSocket/real-time services.
• Email providers — transactional email (SMTP/API).

We review subprocessors for security and contractual compliance. Material changes will be reflected in our Privacy Policy.

International transfers

Personal data may be processed in the Netherlands, the EEA, the United States, and other countries where our providers operate. Transfers outside the EEA/UK use Standard Contractual Clauses, the UK International Data Transfer Addendum, or adequacy decisions, plus supplementary measures where appropriate.

Lawful bases (summary)

• Contract — operating your account, games, purchases, and support.
• Legitimate interests — security, anti-cheat, service improvement.
• Consent — optional marketing, ads where required, contacts permission.
• Legal obligation — tax, law enforcement, regulatory requests.

Security and breaches

We apply encryption in transit, access controls, and monitoring. If a personal data breach is likely to pose a risk to your rights, we will notify you and relevant supervisory authorities within 72 hours where required by GDPR. Report security issues to security@ghostsdeal.com.

Children

The Service is 18+ only. We do not knowingly process children’s data. Contact dpo@ghostsdeal.com if you believe a minor has registered.

Global users

If you are outside the EU/UK, you may still have rights under local laws (e.g. US state privacy laws, Brazil LGPD, Canada PIPEDA). See section 10 of our Privacy Policy or contact dpo@ghostsdeal.com.

Contact

Data Protection Officer — dpo@ghostsdeal.com
General privacy — Privacy Policy