Imprint / privacy policy
Last updated: August 17, 2025
This Privacy Policy explains how we collect and use your personal data when you visit gamedev.wtf (the "Site"), subscribe to the newsletter, create a member account, or contact us.
1. Controller and contact
Controller:
Oliver Hermanni
Schnellweider Strasse 109
51067 Koeln
Germany
Contact for privacy matters: privacy@gamedev.wtf
2. Scope
This policy covers personal data processed through:
- The public website and any logged-in member areas
- Newsletter sign-up and delivery
- Contact channels (for example email)
- Payments and memberships (planned)
3. Categories of data, purposes, and legal bases
We process only the data necessary for each purpose.
3.1 Visiting the Site (server logs and security)
- Data: IP address, date/time, requested URL, referrer, user agent, HTTP status code, bytes transferred, error logs.
- Purpose: deliver web pages, maintain stability and security, troubleshoot incidents.
- Legal basis: Art. 6(1)(f) GDPR (legitimate interests in running a secure, reliable website).
- Retention: up to 30 days, longer only if investigating specific incidents.
3.2 Cookies and similar technologies (with cookie banner)
We use a cookie banner provided by TermsFeed Cookie Consent to obtain, record, and manage your choices. When you first visit the Site, the banner lets you accept all, or set preferences by category.
- Essential cookies: needed to run the Site, for example session management, authentication, security, and load balancing.
Legal basis: Art. 6(1)(f) GDPR (legitimate interests in operating a secure, reliable service) and, for logged-in members, Art. 6(1)(b) GDPR (contract).
- Analytics cookies: currently none. We use Ghost’s internal, privacy-friendly analytics, which do not place third-party tracking cookies. If we introduce optional analytics cookies in the future, we will ask for your consent through the banner before setting them.
Legal basis (if introduced): Art. 6(1)(a) GDPR (consent).
- Marketing or personalization cookies: none at this time. If introduced, they will only be set after your consent via the banner.
Legal basis (if introduced): Art. 6(1)(a) GDPR (consent).
Consent record: the banner stores a consent cookie in your browser to remember your choices (typically up to 12 months or until you delete cookies). You can withdraw consent at any time by reopening Cookie Settings or clearing cookies in your browser. Withdrawing consent does not affect the lawfulness of processing before withdrawal.
3.3 Newsletter (double opt-in)
- Data: email address, time and IP of subscription and confirmation (proof of consent), optional name.
- Purpose: send the newsletter you requested and document consent.
- Legal bases: Art. 6(1)(a) GDPR (consent) for sending; Art. 6(1)(f) GDPR and Art. 5(2) GDPR for storing proof of consent.
- Retention: until you unsubscribe; consent proof may be kept for up to 3 years after the last send to defend against claims.
- Opt-out: use the unsubscribe link in any email or contact us.
3.4 Member accounts and paid content (planned)
- Data: email, display name, hashed credentials, subscription status, invoices and payment metadata (via payment provider), support history.
- Purpose: provide member features, manage subscriptions and paid content, comply with accounting and tax rules.
- Legal bases: Art. 6(1)(b) GDPR (contract); Art. 6(1)(c) GDPR (legal obligations).
- Retention: contract data for the duration of the membership; invoices and tax-relevant data up to 10 years (statutory retention).
3.5 Payments (planned, via Stripe)
- Payment processing is handled by Stripe. We do not store full card numbers on our servers.
- Legal bases: Art. 6(1)(b) GDPR (contract), Art. 6(1)(c) GDPR (legal obligations), Art. 6(1)(f) GDPR (fraud prevention).
3.6 Contacting us
- Data: your email address, name, and the content of your message.
- Purpose: respond to your request and manage support.
- Legal basis: Art. 6(1)(f) GDPR (legitimate interests in responding) or Art. 6(1)(b) GDPR when your request relates to a contract.
- Retention: normally up to 24 months unless longer required for legal reasons.
3.7 Analytics
We use Ghost’s internal, privacy-friendly analytics for aggregate traffic insights. No third-party tracking cookies are set and no personal profiles are built.
- Legal basis: Art. 6(1)(f) GDPR (legitimate interests in improving the Site).
- Retention: aggregated, non-profiled metrics.
4. Recipients and processors
We use service providers that process data on our behalf under Art. 28 GDPR. They are bound by contract to confidentiality and appropriate security measures.
- Hosting: Strato (Germany/EU)
- Email/newsletter delivery: Mailgun (Sinch Email)
- Content delivery and security (planned): Cloudflare, Inc.
- Payments (planned): Stripe Payments Europe, Limited
We can provide a current list of processors on request.
5. International data transfers
Some providers may process data outside the EU/EEA.
Where this occurs, we ensure an adequate level of protection through one or more of the following:
- An adequacy decision by the European Commission,
- EU Standard Contractual Clauses with additional safeguards,
- Participation in a valid data transfer framework where applicable.
Mailgun offers EU processing regions; certain account data may be replicated globally. Stripe Payments Europe generally processes within the EEA, with limited transfers to group companies and sub-processors under the safeguards above. Cloudflare (when enabled) may process security-related traffic globally for DDoS protection and caching under appropriate safeguards.
6. Retention
We keep personal data only as long as necessary for the purposes above and to meet legal obligations. Typical periods:
- Server logs: up to 30 days
- Newsletter data: until unsubscribe; proof of consent up to 3 years
- Accounts and membership data: for the life of the account
- Payments and invoices: up to 10 years (statutory retention)
Backups are deleted on a rolling schedule.
7. Your rights under the GDPR
You have the right to:
- Access your data
- Correct your data
- Delete your data ("right to be forgotten")
- Withdraw your consent at any time
- Lodge a complaint with a data protection authority
To exercise your rights, email privacy@gamedev.wtf. We may ask for verification of identity.
You also have the right to lodge a complaint with a supervisory authority. The competent authority for North Rhine-Westphalia is:
State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (LDI NRW)
Kavalleriestrasse 2-4, 40213 Duesseldorf, Germany
Postfach 20 04 44, 40102 Duesseldorf, Germany
Phone: +49 211 38424-0
Email: poststelle@ldi.nrw.de
Website: https://www.ldi.nrw.de/
8. Requirement to provide data
Providing your email address is necessary to receive the newsletter or to create a member account. Otherwise, you can browse the Site without providing personal data beyond technical logs.
9. No automated decision-making
We do not use automated decision-making or profiling that produces legal or similarly significant effects on you (Art. 22 GDPR).
10. Children
This Site is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided data, contact us so we can delete it.
11. Data security
We protect your data with appropriate technical and organizational measures, including TLS encryption, access controls, least-privilege administration, and regular updates.
12. Changes to this policy
We may update this policy to reflect changes to our services or legal requirements. The latest version is always available on this page. Material changes will be highlighted.
Impressum
Oliver Hermanni
Schnellweider Straße 109
51067 Köln
Deutschland/Germany
hello@gamedev.wtf