How GameThereAny processes data in compliance with GDPR and KVKK.
This Data Processing Agreement ('DPA') outlines how GameThereAny processes data in the course of providing its game price comparison and discovery service. This DPA is designed to comply with the General Data Protection Regulation (GDPR) and Turkey's Personal Data Protection Law (KVKK — Kisisel Verilerin Korunmasi Kanunu, Law No. 6698).
• Data Controller: GameThereAny, the entity that determines the purposes and means of data processing.
• Data Processor: Third-party services that process data on behalf of GameThereAny (e.g., hosting, analytics providers).
• Data Subject: Any individual whose personal data is processed.
• Personal Data: Any information relating to an identified or identifiable natural person, including IP addresses, device identifiers, and cookies.
• Processing: Any operation performed on personal data (collection, storage, use, transmission, deletion).
GameThereAny processes data solely for the purpose of operating a game price comparison and discovery website. The categories of data processed include:
• Auth users (Supabase): email address and bcrypt-hashed password.
• WishlistItem: user ID, game slug, game name, cover image, added date.
• ClickTelemetry: deal ID, store ID, game slug, destination URL, anonymised IP (IPv4: last octet zeroed; IPv6: last 4 groups zeroed), user-agent, timestamp. Logged for engagement measurement — no commission attribution.
• RateLimitEvent: IP-derived hashed key and timestamp.
• NewsletterSubscriber (when active): email, subscription date, source, Resend contact ID.
GameThereAny does not collect names, phone numbers, payment information, or plain-text passwords.
• Account creation and wishlist: performance of a contract — Art. 6(1)(b).
• Analytics (PostHog): consent — Art. 6(1)(a), collected only after user clicks 'Accept' on the cookie banner.
• Click telemetry (anonymised): legitimate interests — Art. 6(1)(f), engagement measurement.
• Newsletter (when active): consent — Art. 6(1)(a).
• Rate limiting (hashed IP key): legitimate interests — Art. 6(1)(f), abuse prevention.
GameThereAny engages the following sub-processors:
• Railway (EU, aws-1-eu-central-1) — application hosting and content delivery. Processes server request data.
• Supabase (EU) — authentication (users, sessions) and PostgreSQL database (wishlist, rate-limit events). GDPR compliant.
• PostHog (EU Cloud, eu.i.posthog.com) — analytics. Processes anonymised usage data only when the user consents via the cookie banner. 30-day retention. No session recording, no autocapture. GDPR compliant.
• Resend — newsletter email delivery. Processes subscriber email addresses. Currently offline (newsletter disabled). GDPR compliant.
• CheapShark API (US-hosted) — real-time price data. No personal data transmitted; only game identifiers sent.
• IsThereAnyDeal / ITAD API (EU-hosted) — price history data. No personal data transmitted; only game identifiers sent.
• RAWG API (US-hosted) — game metadata. No personal data transmitted.
• Google Translate (unofficial public endpoint) — game description translation. Only English text sent; no personal data transmitted.
GameThereAny will notify users of material changes to sub-processors by updating this DPA.
Our primary processing stack (Railway, Supabase, PostHog) is hosted within the EU. No personal data is transferred outside the EEA as part of primary processing. CheapShark (US) and RAWG (US) receive only non-personal public identifiers (game slugs, deal IDs) — no IP addresses or user data. Google Translate receives English game description text only. These API calls do not constitute a transfer of personal data under GDPR.
GameThereAny implements appropriate technical and organisational measures to protect personal data, including: HTTPS/TLS encryption for all data in transit; bcrypt hashing for passwords (never stored in plain text); anonymisation of IP addresses in affiliate click logs; IP-derived hashing for rate-limit keys; access controls limiting who can access hosting, database, and analytics dashboards; and regular review of third-party service security practices. Personal data stored in our application databases includes: Supabase auth users, wishlist items, anonymised affiliate click logs, and (when active) newsletter subscriber records.
In accordance with GDPR (Articles 15-22) and KVKK (Article 11), data subjects have the right to access, rectify, erase, restrict, port, and object to processing of their personal data. For Art. 17 erasure, deleting your account from Profile settings triggers the following five-step cascade:
1. All WishlistItem rows for your user ID are permanently deleted.
2. Your newsletter subscription is cancelled; the NewsletterSubscriber row is deleted and the contact is removed from Resend.
3. Your PostHog person record is deleted via the PostHog EU API.
4. Your browser PostHog session is reset on logout.
5. Your Supabase auth row and all active sessions are permanently deleted.
For analytics consent withdrawal (Art. 7(3)), use the 'Cookie preferences' button in the page footer and decline — this immediately calls posthog.opt_out_capturing() and resets your analytics identity. For newsletter unsubscribe, use the unsubscribe button on the newsletter sign-up component. For other requests, contact buzzicra@gmail.com. All requests will be responded to within 30 days.
• Supabase auth (email, hashed password): until account deletion.
• WishlistItem: until account deletion.
• ClickTelemetry: retained while there is an operational need; a 90-day automatic TTL is planned.
• RateLimitEvent: opportunistic cleanup at 2x the rate-limit window (hours to days).
• PostHog analytics: 30 days (configured in PostHog EU Cloud).
• NewsletterSubscriber: until unsubscription or account deletion.
No Data Protection Officer has been appointed under the Art. 37 small-operator exemption. The data controller serves as the point of contact for all data subject requests. For questions about this DPA, to exercise your rights, or to file a complaint, please contact us at buzzicra@gmail.com.