We, CSTactics Lab GmbH, collect certain information from you when running our games and game websites, but only to the extent necessary. This Privacy Policy explains which personal data we handle, why we process it, how we protect it, when we delete it, and which rights you have under data protection laws.
CSTactics Lab GmbH
Sandforterstraße 65
49086 Osnabrück
If you email us, we will store your email address and, if provided, your name and telephone number so we can respond to your inquiries. We will delete all related data once we no longer require it or, in cases where legal storage obligations exist, we will restrict its processing.
If you have questions about your data protection rights or would like to exercise them, you may contact us at any time. Specifically, you have the following rights:
Der Landesbeauftragte für den Datenschutz Niedersachsen
Prinzenstraße 5
30159 Hannover
Unless otherwise specified, we delete your data once it is no longer needed (e.g., your email address after unsubscribing from our newsletter). Your data will also be blocked or erased if a relevant retention period has expired. Certain data may need to be retained longer for legal reasons. Naturally, you can always request details regarding any stored personal data. Data protection inquiries and other legal matters may also be retained for longer in accordance with statutory retention and limitation periods.
We only collect and process your personal data if legally permitted to do so. In addition to explicit consent, other statutory provisions may also apply. If processing is based on your consent, Art. 6(1)(a) GDPR is the legal basis. Art. 6(1)(b) GDPR applies when personal data must be processed to fulfill the user agreement. If processing is required for us to meet a legal obligation, then Art. 6(1)(c) GDPR is the basis. If processing is necessary for the legitimate interests of CSTactics Lab GmbHor a third party, and these interests do not outweigh your rights and freedoms, Art. 6(1)(f) GDPR will be the legal basis. If we rely on this “balance of interests,” you have the right to object to the processing (see details below about the right to object), provided you have valid reasons and we cannot prove compelling legitimate grounds. At the end of each data processing description, you’ll find the relevant legal basis. If we utilize contracted service providers or want to use your data for advertising, we will provide detailed information on these processes. We also name the storage criteria there. If we partner with service providers, we ensure they comply with data protection and data security requirements (Art. 28 GDPR). If a provider is located outside the EU, we ensure there are adequate safeguards as per Art. 46 GDPR to guarantee an equivalent level of data protection.
During a straightforward visit to our website, we generally do not collect personal data except for information that your browser automatically sends to allow website access:
For privacy protection, we delete or anonymize your IP address after your visit. This means we cannot trace any remaining technical data back to you, allowing only anonymized, statistical evaluations to improve our website. Temporarily storing these details is technically necessary for establishing a connection and ensuring our site displays correctly without errors. We need the IP address and the data above to serve the website properly, prevent display issues, and diagnose errors. The legal basis is our legitimate interest, as reviewed in light of the mentioned security measures (Art. 6(1)(f) GDPR).
You can create a user account on our website and log in at any time. The following information is required for registration:
We store this data permanently once you click on the activation link sent to the email address entered during sign-up. If you do not click the link, your data is deleted after two weeks. Please refrain from using real names, other persons’ names, or protected trademarks as a username. Additionally, we identify your country based on your device’s IP address so we can offer suitable payment methods.
Sometimes we provide a single-sign-on feature so that if you register for one game, you can use the same account across various game worlds within that game. The data you provide when registering is centrally stored for that purpose.
To protect your data, the information you submit is transmitted via an encrypted connection—just as it is on the rest of our site. After confirming your registration, your data remains stored until you remove individual details or your entire user account. The data requested is used to create a user account and to enable extended website functions. Registration is voluntary and can be canceled at any time, with user data being deleted. The legal basis is your consent under Art. 6(1)(a) GDPR. If registration is relevant for concluding a contract, Art. 6(1)(b) GDPR (performance of a contract) applies.
Our games include different communication options for interacting with us or other players. In some cases, we employ automated filter systems to block communications that violate Section 6 of our General Terms and Conditions—for instance, preventing spam messages or messages containing insulting, violent, obscene, racist, or otherwise offensive or promotional content.
We may keep short-term logs of communications for technical troubleshooting, ensuring system security and integrity, countering abuse or unauthorized use, and gathering non-personal usage statistics. These logs may include date, time, sender, recipient, text, and the data size. Our staff will not read private messages without your consent. However, if there is suspicion of misuse or unauthorized use (for instance, if a recipient flags a message), we reserve the right to investigate the relevant game account and examine any messages sent from it, taking further action as necessary. The legal grounds for briefly storing this data are Art. 6(1)(a) GDPR and Art. 6(1)(f) GDPR. Data you enter for communication is voluntary and thus based on your consent. Filter systems are used to maintain proper communication standards and safeguard third-party rights. These purposes also represent our legitimate interests in data processing (Art. 6(1)(f) GDPR).
According to the purposes described above, we share your data with the following recipients essential for delivering our services and communicating with you:
We only transfer data necessary for contract performance or where you’ve provided consent (e.g., for newsletters or via the cookie banner). If a contract is not yet in place, we occasionally transmit data based on legitimate interests—such as when you browse our site or contact us, since it is in our mutual interest to enable site access and communication.
We have data processing agreements with all external recipients to meet EU legal requirements. Depending on your location, some named service providers may transfer data to the U.S. under the EU-US Data Privacy Framework (DPF). The European Commission has issued a new adequacy decision (Art. 45 GDPR) recognizing an equivalent data protection level for DPF-certified U.S. organizations. We verify compliance with these requirements when selecting recipients. Often, we also rely on standard contractual clauses and other security measures (like robust data encryption). Our data protection officer helps ensure each service provider meets these criteria.
We understand the importance of data protection and children’s safety online. Consequently, and in accordance with relevant laws, we do not knowingly collect personally identifiable data from children under 16, nor do we specifically offer content to children under 16.