Privacy Policy

Effective date: 24 October 2025
Controller: Twin Beans Piotr Bilski, Paweł Bilski S.C. (trading as “Twin Beans Games”)
Registered address: ul. Mickiewicza 11/10, 42-263 Huta Stara B, Poland
VAT/NIP: 5732936620
REGON: 522481900

Website: https://www.giantflyff.com
Email: [email protected]

 

1. Scope and who we are

This Privacy Policy explains how we process personal data in connection with our websites, games and services (collectively, the “Services”), including Giant FlyFF. We process personal data only to the extent necessary to provide secure, reliable and enjoyable Services to a global player base.

Terms used herein have the meanings of Art. 4 GDPR (e.g., “processing”, “controller”, “personal data”).

 

2. Data protection contact

For any privacy requests or to exercise your rights, contact [email protected]. If we appoint a Data Protection Officer in the future, we will update this section.

 

3. Categories of data, purposes, legal bases, and retention

We process data only for specified purposes and on the bases set out below. Where we rely on consent, you may withdraw it at any time (Art. 7(3) GDPR) without affecting prior lawful processing. Where we rely on legitimate interests, we perform a balancing test to ensure your interests and rights are not overridden.

3.1 Server and security logs

  • Data: IP address, date/time, URLs visited, referrer, user-agent (browser/OS), error and performance logs.

  • Purpose: security, stability, fraud/abuse prevention, diagnostics.

  • Legal basis: Art. 6(1)(f) GDPR (legitimate interests: security & operation).

  • Retention: normally 7 days; longer where required for investigation/evidence until resolved.

3.2 Account registration and gameplay

  • Data: account/username, email, password (hashed), in-game identifiers and activity, country, timestamps, IP/device identifiers; optionally social login identifiers (e.g., Facebook/Google).

  • Purpose: create and maintain your account, provide gameplay/features, customer care, enforce Terms.

  • Legal basis: Art. 6(1)(b) GDPR (contract/performance); Art. 6(1)(f) GDPR (anti-fraud, abuse prevention).

  • Retention: for the life of the account; then retained as necessary for limitation periods to establish or defend claims.

3.3 Purchases and payments

  • Data: purchase metadata (items, amount, currency, timestamps), limited billing data necessary to reconcile transactions; we do not store full payment card details.

  • Purpose: process purchases, refunds, and accounting.

  • Legal basis: Art. 6(1)(b) (contract), Art. 6(1)(c) (legal/financial retention), Art. 6(1)(f) (fraud prevention).

  • Retention: per tax/commercial law and limitation periods.

Payment providers (independent controllers):

  • PayPal (Europe) S.à r.l. et Cie, S.C.A. (Luxembourg)

  • Stripe Payments Europe, Ltd. (Ireland)

When you pay with these services, they process your personal data under their own privacy notices. We transmit only what is necessary to complete the transaction.

3.4 Support and communications

  • Data: contact details (name, email), account/transaction context, message content, technical diagnostics.

  • Purpose: respond to requests and provide support.

  • Legal basis: Art. 6(1)(b) (contract) or Art. 6(1)(f) (legitimate interest in responding).

  • Retention: until matter resolved + applicable legal retention.

3.5 Newsletter and promotional emails

  • Data: email, subscription consent logs (IP, time, DOI status), optional name.

  • Purpose: send news and offers.

  • Legal basis: Art. 6(1)(a) GDPR (consent); e-communications per applicable local laws.

  • Retention: until you unsubscribe; proof-of-consent retained for up to 3 years for defense of claims.

3.6 Social features, forums, posts, ratings

  • Data: content you publish (posts, chat), timestamps, chosen display name; we also retain IP/email for abuse handling.

  • Purpose: enable community features, moderation, legal defense.

  • Legal basis: Art. 6(1)(b) (service provision), Art. 6(1)(f) (moderation/legal defense).

  • Retention: public content remains visible until you delete it or we remove it; related logs retained per security/legal needs.

3.7 Push notifications and geolocation (apps)

  • Data: device token/identifier, app and OS version, optional location (only with OS-level permission).

  • Purpose: send in-game updates and messages; location-based features if enabled.

  • Legal basis: Art. 6(1)(a) (consent); you can disable in device/app settings.

  • Retention: for as long as enabled or until opt-out.

 

4. Cookies and similar technologies (EU/EEA consent)

We use the following categories of cookies/SDKs:

  • Strictly necessary (e.g., session, load balancing, security): Art. 6(1)(f).

  • Analytics (e.g., Google Analytics): only with your consent (Art. 6(1)(a)).

  • Marketing/advertising (e.g., offer walls, ad measurement): only with your consent (Art. 6(1)(a)).

We operate a consent banner (CMP) for EU/EEA/UK that blocks non-essential tags until consent and lets you granularly manage preferences. You can change your choices anytime via a “Privacy settings / Manage consent” link in the footer.

Google Analytics. Provided by Google Ireland Limited. We enable IP masking and minimize data collection. Where GA may involve transfers outside the EEA, we rely on SCCs and additional safeguards. Analytics runs only after consent. You may also use Google’s browser add-on to opt-out.

 

5. Content delivery, hosting, and providers

  • Cloudflare, Inc. (USA) as CDN/security service. Requests to our site are proxied via Cloudflare, which may set security cookies and process basic telemetry (e.g., IP, user agent) to prevent abuse and improve performance. Legal basis: Art. 6(1)(f).

  • Hosting providers (EU or equivalent protections) for running servers and databases.

All such providers are bound by contracts (including Standard Contractual Clauses where required) and process data only under our instructions unless they act as separate controllers (e.g., PayPal/Stripe).

 

6. International transfers

Some recipients are located outside the EEA/UK (e.g., the United States). Where this occurs, we use appropriate safeguards such as European Commission Standard Contractual Clauses (SCCs), and—where relevant—additional technical and organizational measures (encryption in transit/at rest, minimization). You may request information about these safeguards at [email protected].

 

7. Advertising, offer walls, and third-party links

We may show third-party offer walls or ads. Clicking them may take you to third-party sites, which process data under their own privacy notices. To credit rewards and prevent fraud, we may share a unique identifier (e.g., your user ID). We do not disclose your personal data to advertisers for their independent direct marketing unless you opt in.

 

8. Children

Our Services are not directed to children under 16 in the EEA/Poland and we do not knowingly collect their data. If you believe a child under the applicable age has provided data, contact us so we can delete it. In other jurisdictions, local age thresholds may apply; we choose the stricter standard where required.

 

9. Your rights

Subject to the conditions of the GDPR, you have the rights of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), and objection (Art. 21, including to direct marketing and related profiling). Where processing is based on consent, you may withdraw consent at any time.

We will respond within one month (extendable by up to two months for complex requests).
To exercise your rights, email [email protected].

Supervisory authority (Poland)

You also have the right to lodge a complaint with the President of the Personal Data Protection Office (UODO) in Poland.

 

10. Data retention (summary)

We keep data no longer than necessary for the purposes collected, taking into account legal obligations and limitation periods. Typical periods include: server logs 7 days, newsletter until unsubscribe (+ up to 3 years for consent logs), account data for the lifetime of the account then for claims limitation, payments per tax/commercial law.

 

11. Security

We implement appropriate technical and organizational measures to protect your data (access controls, encryption in transit, backups, minimization, monitoring). No system is 100% secure; keep your credentials confidential and log out after use. Contact [email protected] with any security concerns.

 

12. How to manage your information

  • SNS/account connections: manage permissions via the SNS (e.g., Facebook/Google) and your device OS settings.

  • Delete account: email [email protected] with subject “Delete My Account” and include your username and email. We will respond within one month. Certain records (e.g., payments/support) may be retained as required by law.

  • Push notifications and geolocation: disable in device/app settings.

  • Consent choices: use the Manage consent link in the footer.

 

13. Changes to this Policy

We may update this Policy. Material changes will be announced on giantflyff.com and/or by email/in-game notice. Please review this page periodically. The “Effective date” shows when the latest changes took effect.