Privacy Policy
Your privacy is important to us. This policy explains how we collect, use, and protect your personal information when you use GGWP.no.
Introduction
At GGWP.no, operated by Riddle AS (org.nr. 922 171 874), we are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our esports team management platform.
We understand that privacy is important to you, especially when it comes to your team data, player information, and competitive strategies. This policy is designed to help you understand what data we collect, why we collect it, and how you can manage your information.
This Privacy Policy complies with the EU General Data Protection Regulation (GDPR) and Norwegian data protection legislation (Personopplysningsloven). We process your personal data in accordance with these regulations.
By accessing or using GGWP.no, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this policy, please do not use our platform.
Information We Collect
We collect different types of information to provide and improve our services to you. Here's a detailed breakdown of the information we gather:
Account & Authentication Data (Managed by Clerk)
Your account authentication is handled by our trusted partner, Clerk. When you register and sign in, Clerk collects and manages:
- Email address and password (or social login credentials)
- Profile picture and display name
- Two-factor authentication settings
- Session and login history
This data is processed by Clerk under their own Privacy Policy. We receive limited information from Clerk (your user ID, email, name, and profile image) to link your account to your organization data.
Information You Provide in GGWP.no
When you use our platform features, you may provide:
- Organization Data: Organization name, logo, region, and subscription preferences
- Team Information: Team names, game titles, and roster structures
- Player Profiles: In-game names (IGN), real names, roles, contact information (Discord, phone), apparel sizes, and availability schedules
- Sensitive Player Data: Date of birth, nationality, passport details, visa status, and shipping addresses (for travel and compliance features)
- Contract & Financial Data: Salary information, contract terms, prize winnings, and asset assignments (encrypted at rest)
- Tactical Content: Strategy notes, VOD timestamps, veto sessions, and draft simulations
- Scouting Data: Prospect information, pipeline notes, and evaluation scores
- Match & Scrim Data: Schedules, results, and opponent information
Information Collected Automatically
We use analytics services to understand how our platform is used:
- Google Analytics: Page views, navigation patterns, time on site, and general usage metrics (with your cookie consent)
- Vercel Analytics: Performance metrics and page load times
- Error Logging: Technical errors to help us fix bugs and improve stability
We do not collect precise GPS location data. General geographic region may be inferred from your timezone settings or IP address by our analytics providers.
Information from Gaming Platform Integrations
If you connect external gaming accounts (optional), we may retrieve:
- Riot Games (LoL/Valorant): Riot ID, rank, match history, and performance statistics via the Riot API
- Steam/FACEIT (CS2): Steam ID, rank, and match statistics
- Other Platforms: Similar gameplay statistics from connected tracker services
These integrations require you to provide API credentials or authorize access. You can disconnect these integrations at any time from your compliance settings.
How We Use Your Information
We use the information we collect for specific, legitimate purposes. Under GDPR, we must have a legal basis for each type of processing. Here's how we use your data and our legal justification:
Providing Our Services (Legal Basis: Contract Performance)
- Create and manage your organization, teams, and player profiles
- Enable roster management, scheduling, and scrim matchmaking
- Store and display tactical content (strategies, VODs, drafts)
- Track contracts, finances, and asset management
- Provide customer support and respond to your inquiries
Improving Our Platform (Legal Basis: Legitimate Interest)
- Analyze anonymized usage patterns to understand how features are used
- Identify and fix bugs, errors, and performance issues
- Develop new features based on user needs
We have conducted a legitimate interest assessment and determined these activities do not override your privacy rights, as we use aggregated and anonymized data where possible.
Security & Compliance (Legal Basis: Legal Obligation / Legitimate Interest)
- Detect and prevent fraud, abuse, and security threats
- Maintain audit logs for compliance purposes
- Generate compliance documents (visa petitions, parental consent forms)
- Respond to legal requests from authorities
Communications (Legal Basis: Contract / Consent)
- Service messages (Contract): Match reminders, contract expiry alerts, scrim proposals, and system notifications
- Marketing (Consent): Product updates and feature announcements (only with your explicit opt-in consent, which you can withdraw at any time)
Analytics (Legal Basis: Consent)
We only enable Google Analytics and similar tracking if you consent via our cookie banner. You can change your preferences at any time.
Information Sharing & Disclosure
We do not sell your personal information. We only share your data in the following limited circumstances:
With Your Team & Organization
Information you add to team profiles, rosters, and schedules is shared with other members of your team or organization based on their permission levels. Our role-based access control system ensures:
- Players can only see their own profiles and team schedules
- Coaches and analysts can view tactical content and VODs
- Managers can access roster and scheduling data
- Owners and General Managers can view financial and contract data
Service Providers (Sub-processors)
We work with trusted third-party companies that help us operate our platform. These providers only access your data as necessary to perform their services and are bound by data processing agreements:
- Clerk (Authentication): User authentication, session management, and organization membership - USA (EU SCCs in place)
- Convex (Database): Primary data storage and real-time sync - USA (EU SCCs in place)
- Vercel (Hosting): Website hosting and edge delivery - Global with EU regions available
- Google Analytics: Website analytics (with your cookie consent) - USA (EU SCCs in place)
- Resend (Email): Transactional email delivery - USA (EU SCCs in place)
Sponsor Portal Access
If you enable the sponsor portal for a sponsorship contract, sponsors can view deliverable progress, EMV metrics, and content performance data you have chosen to share. Sponsors cannot access player personal data, financial details, or tactical content.
Legal Requirements
We may disclose your information if required to do so by law or in response to:
- Valid legal processes (court orders, subpoenas, warrants)
- Government requests that meet legal requirements
- Situations where disclosure is necessary to protect rights, safety, or property
Business Transfers
If Riddle AS is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you at least 30 days in advance and explain any choices you may have regarding your information.
Scrim Marketplace
When using the scrim marketplace feature, limited information (team name, game title, region, and reliability score) is visible to other organizations to facilitate matchmaking. Player personal data is never shared through the marketplace.
Data Security
Protecting your data is a top priority. We implement comprehensive security measures to safeguard your information against unauthorized access, alteration, disclosure, or destruction.
Technical Safeguards
- Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.3
- Encryption at Rest: Sensitive data (salaries, passport numbers, contract terms) is encrypted using AES-256 before storage
- Secure Authentication: Authentication is handled by Clerk, which provides enterprise-grade security including SSO, MFA, and session management
- Role-Based Access Control: Fine-grained permissions ensure users only access data appropriate to their role (Owner, Manager, Coach, Analyst, Player)
Infrastructure Security
- Convex: Our database provider maintains SOC 2 Type II certification and provides automatic backups and point-in-time recovery
- Vercel: Our hosting platform provides DDoS protection, WAF, and automatic HTTPS for all connections
- Rate Limiting: API endpoints are rate-limited to prevent abuse
Your Role in Security
While we work hard to protect your data, security is a shared responsibility. We recommend you:
- Use a strong, unique password for your account
- Enable two-factor authentication in your Clerk account settings
- Keep your account credentials confidential
- Regularly review your organization's member list and permissions
- Log out of shared or public devices
- Report any suspicious activity to security@ggwp.no immediately
Your Rights & Choices
You have important rights regarding your personal data. We've made it easy for you to exercise these rights through your account settings or by contacting us.
Access Your Data
You can request a copy of the personal data we hold about you. We'll provide this information in a commonly used, machine-readable format within 30 days of your request.
Correct Your Data
If any of your personal information is inaccurate or incomplete, you can update it directly in your account settings or request that we correct it.
Delete Your Data
You can request deletion of your personal data. We will delete your information within 30 days, except where we need to retain it for legal compliance, fraud prevention, or other legitimate purposes.
Data Portability
You can export your data in a structured, commonly used format. This includes your team data, roster information, and match history.
Opt Out of Marketing
You can opt out of marketing communications at any time by clicking the unsubscribe link in our emails or updating your notification preferences in your account settings.
Manage Cookies
You can control which cookies we use through our cookie preference center. See our Cookie Policy for more details.
How to Exercise Your Rights
To exercise any of these rights, you can use the tools in your account settings or contact us at privacy@ggwp.no. We will respond to your request within 30 days.
Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required by law.
Active Accounts
While your account is active, we retain your data to provide our services. You can access, update, or delete your information at any time through your account settings.
After Account Deletion
When you delete your account:
- Immediate: Your profile and personal information are removed from public view
- Within 30 days: Your personal data is permanently deleted from our active systems
- Within 90 days: Your data is removed from our backup systems
Data We May Retain Longer
We may retain certain data for extended periods when necessary for:
- Legal compliance and regulatory requirements
- Fraud prevention and security purposes
- Financial record-keeping and tax obligations
- Resolving disputes and enforcing our agreements
Anonymized Data
We may indefinitely retain anonymized, aggregated data that cannot identify you. This data helps us understand trends and improve our platform.
International Data Transfers
Riddle AS is headquartered in Norway (EEA). However, some of our service providers are based in the United States. Your information may be transferred to, stored, and processed in the USA.
Transfers to the United States
The following service providers process data in the USA:
- Clerk - Authentication and user management
- Convex - Database and real-time sync
- Vercel - Website hosting (with EU edge locations)
- Google - Analytics (with your consent)
- Resend - Email delivery
Safeguards for International Transfers
For transfers to the USA, we rely on the following legal mechanisms:
- EU-US Data Privacy Framework: Where providers are certified under the DPF, this provides an adequacy basis for transfers
- Standard Contractual Clauses (SCCs): We have SCCs in place with providers who are not DPF-certified
- Supplementary Measures: We implement additional technical measures including encryption of sensitive data before transfer
Your Rights Regarding Transfers
You have the right to request information about which service providers process your data and the safeguards in place. Contact privacy@ggwp.no for details or to request copies of relevant SCCs.
Children's Privacy
GGWP.no is designed for users who are at least 16 years old. We do not knowingly collect personal information from children under 16.
Age Verification
During registration, users must confirm they meet the minimum age requirement. We do not intentionally collect data from anyone under this age.
If We Discover Underage Users
If we become aware that we have collected personal information from a child under 16, we will take immediate steps to delete that information from our systems.
Parental Guidance
For users between 16 and 18, we recommend parental or guardian supervision when using our platform, particularly when entering into financial transactions or sharing personal information.
Contact Us
If you believe a child under 16 has provided us with personal information, please contact us immediately at privacy@ggwp.no.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
How We'll Notify You
When we make changes to this policy:
- We will update the "Last Updated" date at the top of this page
- For significant changes, we will provide prominent notice (such as an email notification or a banner on our platform)
- We may ask for your consent to material changes where required by law
Reviewing Changes
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of our platform after changes are posted constitutes your acceptance of the updated policy.
Previous Versions
You can view previous versions of this Privacy Policy by clicking on the version number above.
Contact Us
We're here to help with any questions or concerns about your privacy. Don't hesitate to reach out.
Data Controller
The data controller responsible for your personal data is:
Riddle AS
Organization Number: 922 171 874
Registered Office: Sarpsborg, Norway
Privacy Inquiries
For questions about this Privacy Policy or how we handle your data, contact our Privacy Team:
Privacy Team
Email: privacy@ggwp.no
Address: Riddle AS, Sarpsborg, Norway
Response Time: Within 30 days
Data Protection Authority
If you're located in the European Economic Area and believe we haven't adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority. In Norway, this is the Datatilsynet (Norwegian Data Protection Authority).
You may also contact:
- Forbrukerrådet (Norwegian Consumer Council): forbrukerradet.no
Do you have questions about privacy?
Our privacy team is here to help with questions or concerns about how we handle your data.
Contact the privacy team