Data protection
Privacy
Controller — 09Clicks c/o GAM, Pappelallee 64, 10437 Berlin, Germany. Contact: kontakt@09clicks.de.
Categories of personal data we process — Account data (email, hashed password, optional display name); session data (login cookie / NextAuth session token); order data (game/RAM/slots, billing reference, Stripe customer & subscription IDs); server-operations data (Pterodactyl user ID, server identifiers, IP allocations); support data (anything you send us by email or via the panel ticket form); technical request data (IP address, user agent, timestamps in server logs).
Purposes & legal bases (Art. 6 GDPR) —
(1) Account creation & login: contract performance, Art. 6(1)(b).
(2) Order processing & game-server provisioning: contract performance, Art. 6(1)(b).
(3) Billing & invoicing via Stripe: contract performance, Art. 6(1)(b) and legal obligation, Art. 6(1)(c) (German tax/commercial law).
(4) Transactional emails (verification, password reset, order confirmation, payment-failure warnings): contract performance, Art. 6(1)(b).
(5) Newsletter (only if you double-opt-in): consent, Art. 6(1)(a) — revocable any time.
(6) Security & abuse defence (server logs, rate limits): legitimate interest, Art. 6(1)(f).
(7) Compliance with legal retention obligations: Art. 6(1)(c).
Subprocessors we use —
(a) Stripe Payments Europe Ltd. (Ireland) for card / SEPA / payment processing & invoice storage. Data processing agreement: stripe.com/legal/dpa.
(b) Vercel Inc. (USA, EU data residency option active) for website hosting and serverless function execution. DPA: vercel.com/legal/dpa.
(c) Resend (Yann Studio, Inc., USA) for transactional email delivery. DPA: resend.com/legal/dpa.
(d) Hetzner Online GmbH (Germany) for the dedicated server hosting the Pterodactyl game panel and your game server data.
(e) Neon, Inc. (USA, EU region selected) for the application Postgres database.
We have data processing agreements (DPAs) in place with each subprocessor pursuant to Art. 28 GDPR. Where US providers are involved, transfers rely on the EU-U.S. Data Privacy Framework and / or Standard Contractual Clauses.
Cookies & local storage — We only set strictly necessary cookies / storage items: a session cookie for the customer panel (NextAuth, expires after sign-out or 30 days), a CSRF protection token, and language preference. We do not use analytics, advertising or third-party tracking cookies, so no cookie banner is required (§ 25 (2) TTDSG / Recital 30 GDPR).
Retention — Account data: as long as the account exists plus 6 months. Order data, invoices and tax records: 10 years (§ 147 AO, § 257 HGB). Server logs: 14 days, then automatic rotation. Email logs at Resend: 30 days. Cancelled-subscription server backups: deleted after the 7-day grace period (see /legal/withdrawal). Newsletter subscribers: until you unsubscribe.
Your rights under the GDPR — Access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), and the right to object (Art. 21). Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing. To exercise any right, email kontakt@09clicks.de — we respond within the statutory time limits (usually within one month).
Right to lodge a complaint — You may lodge a complaint with a supervisory authority, in particular in your country of habitual residence, place of work, or place of the alleged infringement. The supervisory authority for our establishment is the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit), Friedrichstr. 219, 10969 Berlin, mailbox@datenschutz-berlin.de.
These pages summarize key information for transparency. They are not personal legal advice.
