GDPR Compliance

1. Introduction to GDPR

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018, in the European Union (EU). At Great Lakes Play Game, we are committed to complying with GDPR requirements and protecting the privacy rights of all our users, particularly those located in the European Economic Area (EEA), the United Kingdom (UK), and Switzerland.

This GDPR Compliance page provides specific information about how we process personal data in accordance with GDPR principles, your rights under GDPR, and how you can exercise those rights. This page should be read in conjunction with our Privacy Policy, which provides comprehensive information about our data processing practices.

2. Data Controller Information

For the purposes of GDPR, Great Lakes Play Game acts as the data controller for the personal data we collect and process through our website. Our contact details are:

3. Legal Basis for Processing Personal Data

Under GDPR, we must have a lawful basis for processing your personal data. We rely on the following legal bases:

3.1 Consent

In some cases, we process your personal data based on your consent. For example, when you:

• Accept our cookie policy for non-essential cookies
• Opt-in to receive marketing communications
• Voluntarily provide optional information
• Participate in surveys or feedback requests

When we rely on consent, you have the right to withdraw your consent at any time. Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.

3.2 Contractual Necessity

We process certain personal data because it is necessary for the performance of our contract with you (our Terms and Conditions). This includes:

• Creating and managing your account
• Providing access to our gaming platform
• Processing your game data and maintaining leaderboards
• Responding to your support requests
• Delivering the services you have requested

3.3 Legitimate Interests

We process some personal data based on our legitimate interests or those of third parties, provided these interests are not overridden by your rights and freedoms. Our legitimate interests include:

• Protecting our platform and users from fraud and security threats
• Improving and optimizing our services
• Conducting analytics to understand user behavior
• Developing new features and games
• Maintaining business operations and compliance

3.4 Legal Obligations

We process personal data when necessary to comply with legal obligations, such as:

• Age verification requirements (18+ compliance)
• Responding to lawful requests from authorities
• Maintaining records for tax and accounting purposes
• Complying with anti-money laundering regulations

4. Your Rights Under GDPR

If you are located in the EEA, UK, or Switzerland, you have the following rights regarding your personal data:

4.1 Right to Access (Article 15)

You have the right to obtain confirmation as to whether we are processing your personal data and, if so, to access that data. You can request:

• A copy of your personal data we hold
• Information about how we use your data
• Details about data retention periods
• Information about data recipients
• Information about automated decision-making (if applicable)

We will provide the first copy of your data free of charge. Additional copies may be subject to a reasonable administrative fee.

4.2 Right to Rectification (Article 16)

You have the right to have inaccurate personal data corrected and to have incomplete personal data completed. You can update most of your information through your account settings or by contacting us directly.

4.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to request deletion of your personal data in certain circumstances, including when:

• The data is no longer necessary for the purposes for which it was collected
• You withdraw consent and there is no other legal basis for processing
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed
• Deletion is required to comply with a legal obligation

Please note that we may retain certain information when we have a legal obligation or legitimate interest to do so, such as for fraud prevention or compliance purposes.

4.4 Right to Restriction of Processing (Article 18)

You have the right to restrict processing of your personal data in certain circumstances, such as when:

• You contest the accuracy of the data (during verification)
• Processing is unlawful but you prefer restriction over deletion
• We no longer need the data but you need it for legal claims
• You have objected to processing (pending verification of legitimate grounds)

4.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller. This right applies when:

• Processing is based on consent or contract
• Processing is carried out by automated means

4.6 Right to Object (Article 21)

You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes. Upon objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

4.7 Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you. We do not currently engage in automated decision-making that produces such effects.

4.8 Right to Withdraw Consent

Where we process your data based on consent, you have the right to withdraw that consent at any time. This can be done by:

• Adjusting your account settings
• Clicking unsubscribe links in emails
• Contacting us at privacy@greatlakesplaygame.com

5. How to Exercise Your Rights

To exercise any of your GDPR rights, please contact us at:

• Email: privacy@greatlakesplaygame.com
• Subject line: "GDPR Rights Request"

Please include in your request:

• Your full name and email address associated with your account
• The specific right(s) you wish to exercise
• Any relevant details or information
• Proof of identity (we may request this to verify your identity)

We will respond to your request without undue delay and within one month of receipt. In complex cases, we may extend this period by two additional months and will inform you of the extension and reasons.

6. Data Protection Principles

We adhere to the following GDPR data protection principles:

6.1 Lawfulness, Fairness, and Transparency

We process personal data lawfully, fairly, and in a transparent manner. We provide clear information about our data processing activities through this policy and our Privacy Policy.

6.2 Purpose Limitation

We collect personal data for specified, explicit, and legitimate purposes and do not process it in a manner incompatible with those purposes.

6.3 Data Minimization

We collect only the personal data that is adequate, relevant, and necessary for the purposes for which it is processed.

6.4 Accuracy

We take reasonable steps to ensure that personal data is accurate and kept up to date. Inaccurate data is erased or rectified without delay.

6.5 Storage Limitation

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law.

6.6 Integrity and Confidentiality

We implement appropriate technical and organizational measures to ensure the security of personal data, protecting it against unauthorized or unlawful processing and accidental loss, destruction, or damage.

6.7 Accountability

We are responsible for and can demonstrate compliance with the GDPR data protection principles.

7. International Data Transfers

As we are based in Canada, your personal data may be transferred outside the EEA. We ensure that such transfers are protected by appropriate safeguards, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions where applicable
• Binding Corporate Rules (where relevant)
• Your explicit consent for specific transfers

Canada has been recognized by the European Commission as providing adequate protection for personal data transferred from the EU under certain circumstances (specifically for organizations subject to PIPEDA).

8. Data Protection Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption: SSL-256 encryption for data in transit and encryption for sensitive data at rest
• Access Controls: Role-based access controls and authentication mechanisms
• Pseudonymization: Where appropriate, we pseudonymize personal data
• Regular Testing: Security assessments, penetration testing, and vulnerability scans
• Staff Training: Regular data protection and security training for employees
• Incident Response: Procedures for detecting, reporting, and investigating security incidents
• Backup and Recovery: Regular backups and disaster recovery procedures

9. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
• Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms
• Provide information about the nature of the breach, likely consequences, and measures taken to address it

10. Children's Data

Our Site is not directed at children under 18, and we do not knowingly collect data from children. If we become aware that we have collected personal data from a child under 18 without parental consent, we will take steps to delete that information.

11. Automated Decision-Making and Profiling

We do not engage in automated decision-making or profiling that produces legal effects or similarly significantly affects you. Any analytics or profiling we conduct is for aggregate statistical purposes and does not result in automated decisions about individuals.

12. Data Retention

We retain personal data for different periods depending on the purpose:

• Account Data: Retained while your account is active and for up to 2 years after account closure
• Marketing Data: Retained until you withdraw consent or object to processing
• Transaction Logs: Retained for 5 years for compliance and fraud prevention
• Support Inquiries: Retained for 3 years
• Legal Compliance Data: Retained as required by applicable law

13. Third-Party Data Processors

We engage third-party service providers who process personal data on our behalf. We ensure that all processors:

• Provide sufficient guarantees regarding data protection
• Process data only on our documented instructions
• Maintain confidentiality of personal data
• Implement appropriate security measures
• Comply with GDPR requirements

We have Data Processing Agreements in place with all relevant processors.

14. Supervisory Authority

If you are located in the EEA, UK, or Switzerland, you have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates GDPR.

You can find your local supervisory authority at:

• EEA: https://edpb.europa.eu/about-edpb/board/members_en
• UK: Information Commissioner's Office (ICO) - https://ico.org.uk/
• Switzerland: Federal Data Protection and Information Commissioner (FDPIC)

However, we encourage you to contact us first so we can address your concerns directly.

15. Updates to This GDPR Policy

We may update this GDPR Compliance page from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by posting the updated policy on this page and updating the "Last Updated" date.

16. Contact Us

For any questions, concerns, or requests related to GDPR compliance or your data protection rights, please contact us at: