1. Controller
The controller responsible for data processing is:
Özgür Ergezgin
acting under the business name Upgrade Force Systems
Kollwitzstr. 76
10435 Berlin
Germany
Email: [email protected]
The following additional email address is available for player support relating to Legends Unchained®:
[email protected]
2. General information on data processing
We process personal data only to the extent necessary to provide our websites, manage newsletter subscriptions, handle enquiries, provide user accounts, maintain account security, conduct game and support communications, provide community features or safeguard legitimate interests.
Personal data means any information relating to an identified or identifiable natural person. This may include in particular:
- name
- email address
- username
- account ID
- IP address
- technical access data
- login and security data
- voluntary profile details
- biography text
- game and ranking data
- support content
- newsletter subscription data
- information provided voluntarily
We take care to process only the data required for the relevant purpose.
3. Hosting, CDN and server logs via Cloudflare Pages
Our websites are provided through Cloudflare Pages.
The provider is:
Cloudflare, Inc.
101 Townsend St
San Francisco, CA 94107
USA
When our websites are accessed, Cloudflare may process technically necessary data. This may include in particular:
- IP address
- date and time of access
- pages and files accessed
- referrer URL
- browser type and browser version
- operating system
- device information
- technical connection data
- security and error logs
This processing takes place in order to deliver our websites technically, ensure their security and stability, detect attacks, prevent misuse and ensure reliable operation.
The legal basis is Article 6(1)(f) GDPR. Our legitimate interest lies in providing our websites securely, reliably and efficiently.
Cloudflare may also process data outside the European Union or the European Economic Area, particularly in the USA. According to Cloudflare, it uses appropriate safeguards for such transfers, in particular standard contractual clauses or other transfer mechanisms provided for by law.
Further information about data processing by Cloudflare can be found in Cloudflare’s Privacy Policy:
https://www.cloudflare.com/privacypolicy/
Information about data processing on our behalf by Cloudflare can be found here:
https://www.cloudflare.com/cloudflare-customer-dpa/
We store our own server logs only to the extent technically necessary or required for security, error analysis and the prevention of misuse. The retention period depends on technical requirements, security purposes and legal obligations. Data is processed only for as long as necessary for the purposes stated.
4. Contact by email
If you contact us by email, we process the data you provide. This may include in particular:
- email address
- name, if provided
- content of the message
- time of the enquiry
- other information provided voluntarily
- technical communication data
The data is processed in order to handle and respond to your enquiry.
For general business enquiries, processing is based, depending on the content of the enquiry, on Article 6(1)(b) GDPR if the enquiry relates to a contract or pre-contractual measures, or on Article 6(1)(f) GDPR if there is a legitimate interest in handling the enquiry.
For support enquiries relating to Legends Unchained®, processing takes place in order to handle the relevant support matter, analyse errors, communicate with the user and ensure the proper operation of the game.
The data is deleted once the enquiry has been fully resolved and there are no statutory retention obligations or legitimate reasons for further storage.
5. Contact forms, where offered
Where contact forms, support forms, error reports or similar input options are offered on our websites, we process the data entered there in order to handle the relevant enquiry.
This may include in particular:
- email address
- name, if provided
- username, if provided
- account ID, if provided
- subject
- message text
- technical information
- attachments or screenshots, if provided voluntarily
- time of submission
- IP address for the prevention of misuse
The data is processed in order to handle the enquiry. Depending on the content of the enquiry, the legal basis is Article 6(1)(b) or Article 6(1)(f) GDPR.
Our legitimate interest lies in handling enquiries, analysing errors, improving our services and preventing misuse.
6. Newsletters on upgradeforcesystems.de and legendsunchained.de
Our websites may offer the option to subscribe to newsletters.
These may include the following newsletters in particular:
- studio news from Upgrade Force Systems
- information about games and projects from Upgrade Force Systems
- Legends Unchained® newsletter
- beta information
- game updates
- events
- ranking and community information
- information about new features
- reward promotions
- important game announcements
The newsletter may be integrated in particular on the “Games” subpage of upgradeforcesystems.de and on legendsunchained.de.
For newsletter subscriptions, we process in particular:
- email address
- date and time of subscription
- IP address at the time of subscription
- date and time of confirmation
- IP address at the time of confirmation
- subscription form used or source of the subscription
- selected newsletter or selected interests
- language setting
- consent wording at the time of subscription
- unsubscribe status
- technical log data used to demonstrate consent
Subscription takes place using a double opt-in procedure. This means that after entering your email address, you receive an email containing a confirmation link. Your email address is added to the active newsletter distribution list only after you confirm this link.
Processing is based on your consent under Article 6(1)(a) GDPR.
You may withdraw your consent at any time with effect for the future. You can use the unsubscribe link in every newsletter email or send us a message at [email protected].
Withdrawal does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.
7. Newsletter rewards and in-game benefits
Where a game reward, bonus, gold, in-game benefit or similar promotion is offered for subscribing to the newsletter, additional data may be processed in order to verify eligibility and prevent rewards from being granted more than once.
This may include in particular:
- email address
- username
- account ID
- newsletter status
- time of newsletter subscription
- time of newsletter confirmation
- reward status
- redeemed bonus
- technical logs for the prevention of misuse
Processing takes place in order to run the relevant promotion and correctly assign the reward to the game account.
The legal basis is Article 6(1)(b) GDPR insofar as processing is necessary to run the promotion or provide the reward. Insofar as processing serves to prevent misuse, the legal basis is Article 6(1)(f) GDPR.
Our legitimate interest lies in preventing multiple subscriptions, fraud and unauthorised rewards.
Consent to receive the newsletter remains voluntary. A 50 Gold or other newsletter reward earned after successful double opt-in remains redeemable even if you unsubscribe later; rewards already granted will not be withdrawn.
8. Newsletter delivery with Resend
We use Resend for the email transport and technical delivery of our newsletters.
The provider is:
Resend (Plus Five Five, Inc.)
2261 Market Street #5039
San Francisco, CA 94114
USA
Resend is used exclusively for email transport and technical delivery and acts as our processor. We manage records of consent and recipient, subscription, confirmation and unsubscribe statuses ourselves using Supabase; Resend does not manage this data.
In this context, Resend may process the following data in particular:
- email address
- content of the email sent
- technical delivery data
- bounce information
- delivery status
- where applicable, open and click data if this feature is enabled
Open and click tracking is currently disabled.
Processing is based on your consent under Article 6(1)(a) GDPR and is also carried out for the technical delivery of the newsletter.
We have entered into a data processing agreement with Resend under Article 28 GDPR. As the provider is a US company, personal data may be processed in, accessed from or transferred to the USA. The data processing agreement and the EU Standard Contractual Clauses (EU SCCs) included in it serve as safeguards. Our selected sending region of Ireland does not necessarily exclude access from or transfers to the USA.
Further information about data processing by Resend can be found here:
Privacy Policy: https://resend.com/legal/privacy-policy
DPA: https://resend.com/legal/dpa
9. Newsletter analytics
Where newsletter analytics features are used, we may be able to determine whether a newsletter was opened and which links were clicked. This helps us improve our newsletters and make their content more relevant.
The following data may be processed in particular:
- time of opening
- time of clicking
- links clicked
- technical information about the device
- IP address
- association with the email address
Where personalised newsletter analytics features are used, this takes place only on the basis of your consent under Article 6(1)(a) GDPR.
You may withdraw your consent at any time with effect for the future, in particular by unsubscribing from the newsletter.
Where no personalised newsletter analytics are used, only technically necessary delivery information is processed, for example whether an email was delivered or rejected.
10. User accounts and registration for Legends Unchained®
Where user accounts, registrations, beta access or game accounts are offered on legendsunchained.de or within Legends Unchained®, we process the data required to create and manage the account.
This may include in particular:
- email address
- username
- account ID
- password in encrypted or hashed form
- registration date
- last login
- language and region
- account status
- roles and permissions
- voluntary profile details
- technical login data
- security and misuse logs
Passwords are not stored in plain text. They are protected using appropriate technical methods.
Processing takes place in order to create, manage and use the user account and to provide the game and community features.
The legal basis is Article 6(1)(b) GDPR insofar as processing is necessary to provide the user account and game services. Insofar as data is processed for security, the prevention of misuse and error analysis, the legal basis is Article 6(1)(f) GDPR.
11. Voluntary profile details, biography and community profile
Where user profiles, public profiles or community features are offered, players may voluntarily provide additional information about themselves.
This may include in particular:
- display name
- avatar or profile picture
- short description or biography
- favourite country
- favourite food
- age group, for example 22–31
- interests
- play style
- clan information
- voluntary public profile details
- voluntary visibility settings
Providing this information is voluntary. It is used to design the player profile, provide community features and display information voluntarily selected by the player to other players.
Where profile details are made public, they can be seen by other players and visitors. Therefore, please do not provide any information that should not be publicly visible.
Processing is based on Article 6(1)(b) GDPR insofar as the information is required to use profile or community features. Where information is entirely voluntary, processing is based on your consent under Article 6(1)(a) GDPR or on your requested use of the relevant profile feature.
You can generally change or delete voluntary profile details yourself where the feature technically allows this. Alternatively, you can contact us to request a change or deletion.
12. No sensitive data in profiles and biographies
Our profile fields, biography features and community areas are not intended to collect special categories of personal data.
Please do not enter particularly sensitive data in profiles, biography text, messages, clan descriptions or public areas, especially information about:
- health
- religion
- political opinions
- sexual orientation
- ethnic origin
- trade union membership
- genetic or biometric data
- identification document numbers
- actual home addresses
- telephone numbers
- payment data
- passwords
- private security information
If such information is nevertheless published or submitted voluntarily, we may remove or restrict it in the interests of community safety, moderation or account management.
13. Public game information and rankings
Where rankings, clan lists, PvP results or public profiles are offered, certain game-related information may be displayed publicly.
This may include in particular:
- username
- ranking position
- score
- gold from loot
- clan name
- game status
- achievements
- public profile information
- avatar or profile picture, if uploaded
- publicly shared biography information
We do not generally publish email addresses, IP addresses, passwords, 2FA data or security-related account data in public rankings.
Processing takes place in order to provide the game and competition features.
The legal basis is Article 6(1)(b) GDPR insofar as public rankings and game displays form part of the game. There is also a legitimate interest under Article 6(1)(f) GDPR in transparent and fair competition features.
14. Game-related data in Legends Unchained®
Where Legends Unchained® offers game-related features, data required to provide the game, save game progress, display rankings and manage game mechanics may be processed.
This may include in particular:
- account ID
- username
- game progress
- saved games
- ranking values
- clan membership
- duel and PvP data
- dungeon results
- missions
- minigames
- quiz results
- rewards
- in-game currency
- login and activity data
- game events
- game logs relevant to support
- sanctions for rule violations
Processing takes place in order to provide the game services, display rankings, manage progress and rewards, enforce game rules, analyse errors and prevent misuse.
The legal basis is Article 6(1)(b) GDPR insofar as processing is necessary to provide the game. For security, fairness and measures to prevent misuse, the legal basis is Article 6(1)(f) GDPR.
15. Community features, clans, posts and messages
Where community features are offered, users may create content or interact with other users.
This may include in particular:
- clan name
- clan description
- public posts
- comments
- messages
- profile text
- biography text
- images or avatars uploaded voluntarily
- reports submitted by other users
- moderation decisions
- suspensions or warnings for rule violations
Public content may be visible to other users or visitors. Private messages or non-public content are not displayed publicly, but may be processed in connection with support, reports of misuse, security checks or legal obligations.
Processing takes place in order to provide community features, moderate content, enforce rules and prevent misuse.
The legal basis is Article 6(1)(b) GDPR insofar as processing forms part of the community feature. For moderation, the protection of other users and the prevention of misuse, the legal basis is Article 6(1)(f) GDPR.
16. Login, sessions and strictly necessary cookies
Where user accounts, logins or protected areas are offered, strictly necessary cookies, session tokens or comparable technologies may be used.
Their purposes include in particular:
- keeping you logged in during a session
- ensuring login security
- preventing unauthorised access
- reducing form misuse
- storing technical settings
- storing language settings
- enabling the proper operation of the website or game account
Strictly necessary cookies and comparable technologies are used only to the extent required to operate the service.
The legal basis for the associated data processing is Article 6(1)(b) GDPR insofar as it is necessary for the performance of a contract, and Article 6(1)(f) GDPR insofar as we have a legitimate interest in a secure and functional service.
17. Two-factor authentication
Where two-factor authentication is offered or used, we process the data required to set up, use and manage two-factor authentication.
Depending on the method selected, this may include:
- account ID
- email address
- two-factor authentication status
- 2FA method used
- technical identifiers
- time of setup
- time of successful or failed 2FA checks
- recovery codes in protected form
- TOTP secret in protected form where an authenticator app is used
- telephone number where SMS-based 2FA is offered and voluntarily activated
Two-factor authentication serves to protect your account against unauthorised access.
The legal basis is Article 6(1)(b) GDPR insofar as two-factor authentication forms part of the account and security features. There is also a legitimate interest under Article 6(1)(f) GDPR in the security of user accounts, game progress, rankings, rewards and personal data.
Recovery codes and 2FA secrets are processed using technical safeguards.
18. Password recovery
If you use password recovery, we process the data required to reset the password securely.
This may include in particular:
- email address
- account ID
- password reset token
- time of the request
- IP address of the request
- browser and device information
- time of the successful password change
- security logs
Password reset tokens are valid for a limited time and are invalidated after they expire or are used.
Processing takes place in order to restore access to the account and protect the user account.
The legal basis is Article 6(1)(b) GDPR insofar as processing is necessary to manage the user account. Insofar as security logs are processed, the legal basis is Article 6(1)(f) GDPR.
19. Security logs, prevention of misuse and protection against attacks
Technical security data may be processed in order to protect our websites, user accounts and game systems.
This may include in particular:
- IP address
- login times
- failed login attempts
- device and browser information
- session information
- suspicious activity
- rate limit data
- security events
- error messages
- account suspensions
- technical audit logs
Processing takes place in order to detect and prevent attacks, fraud, spam, manipulation, unauthorised access, account misuse and technical faults.
The legal basis is Article 6(1)(f) GDPR. Our legitimate interest lies in the security, stability and integrity of our systems, websites, game accounts, rankings and community features.
20. Support system and error reports
If you contact support or report an error, we process the information you provide.
This may include in particular:
- email address
- username
- account ID
- content of the support enquiry
- screenshots or attachments, if submitted
- technical description of the error
- time of the enquiry
- communication with support
- other information provided voluntarily
Processing takes place in order to handle your enquiry, analyse errors, improve the game and communicate with you.
The legal basis is Article 6(1)(b) GDPR insofar as the enquiry relates to a user account, game service or contract. Otherwise, the legal basis is Article 6(1)(f) GDPR.
Please do not submit particularly sensitive data to support unless it is required to handle your enquiry.
21. Beta registration and advance information
Where beta registration, pre-registration or a waiting list is offered, we process the data required to manage that registration.
This may include in particular:
- email address
- username, if provided
- preferred language
- region
- time of registration
- confirmation status
- technical log data
- voluntary information about participation in the game
Processing takes place in order to manage the beta registration or pre-registration, communicate about the launch, allocate access and provide information about relevant updates.
The legal basis is Article 6(1)(b) GDPR insofar as registration serves to take pre-contractual measures or provide access.
Where newsletters or promotional information are also sent, this takes place only on the basis of your consent under Article 6(1)(a) GDPR.
22. Payment services and paid content
At present, no payments are processed through our websites unless expressly stated otherwise.
If paid content, subscriptions, in-game purchases, supporter packages or other payment features are offered in the future, this Privacy Policy will be supplemented in advance.
It will then include in particular information about the payment service providers used, payment data processed, legal bases, recipients and retention periods.
23. External links
Our websites may contain links to external websites, social media profiles or other services, for example:
- YouTube
- X
- Facebook
- Instagram
- TikTok
- Discord
- Steam
- other game or community platforms
Simply visiting our websites does not transmit data to these providers through ordinary external links. Data processing by external providers begins only when you click the relevant link and open the external website.
From that point onwards, the privacy policies of the relevant provider apply.
24. No active social media plugins without notice
We currently do not use active social media plugins that transmit data to social networks as soon as our websites load, unless expressly indicated otherwise.
If embedded videos, social media feeds, tracking pixels or similar external content are used in the future, this Privacy Policy will be updated accordingly. Where consent is required, it will be obtained before activation.
25. Cookies and comparable technologies
At present, our websites use only strictly necessary cookies, session tokens or comparable technologies where required for login, security, language settings, form protection or proper operation.
We do not use non-essential cookies for advertising, tracking or personalised analytics without prior consent.
If analytics, marketing or tracking technologies are used in the future, this will take place only after appropriate information has been provided and, where required, consent has been obtained.
26. No Google Analytics, Meta Pixel or TikTok Pixel without consent
At present, the following tracking or advertising technologies are not used unless expressly stated otherwise:
- Google Analytics
- Meta Pixel
- TikTok Pixel
- Google Ads conversion tracking
- remarketing tools
- heat maps
- personalised advertising profiles
If such services are integrated in the future, this Privacy Policy will be supplemented in advance and any required consent will be obtained.
27. Recipients and processors
Personal data may be transferred to technical service providers where this is necessary to operate our websites, newsletters, game services, support features, community features or security features.
Recipients may include in particular:
- hosting and CDN providers, in particular Cloudflare
- newsletter service providers, in particular Resend (Plus Five Five, Inc.)
- email service providers
- technical infrastructure and database providers
- support and security service providers, where used
- payment service providers, if payments are offered in the future
Personal data is not disclosed for advertising purposes or sold.
Where service providers process personal data on our behalf, corresponding data processing agreements are concluded or the service provider’s relevant data processing terms are incorporated into the contract.
28. Transfers to third countries
In individual cases, personal data may be processed outside the European Union or the European Economic Area, particularly where service providers used by us are established or have technical infrastructure in third countries.
In such cases, we ensure that appropriate safeguards are in place, for example:
- adequacy decision by the European Commission
- EU standard contractual clauses
- additional safeguards
- contractual obligations of service providers
This applies in particular to internationally active infrastructure providers such as Cloudflare.
29. Retention periods
We store personal data only for as long as necessary for the relevant purpose or where statutory retention obligations apply.
For newsletter data:
Newsletter data is stored for as long as you remain subscribed to the newsletter. After you unsubscribe, the data is deleted or blocked unless further storage is required to demonstrate consent or defend against claims.
For user accounts:
Account data is generally stored for as long as the user account exists. After the account is deleted, personal data is deleted or anonymised unless legal obligations or legitimate reasons require further storage.
For voluntary profile details:
Voluntary profile details and biography text are generally stored for as long as the profile exists or until you delete the information yourself or request its deletion, unless legitimate reasons require further storage.
For support enquiries:
Support data is deleted once the enquiry has been fully resolved, unless statutory retention obligations or legitimate interests require further storage.
For security logs:
Security logs are stored only for as long as necessary to detect, investigate and prevent misuse, attacks or technical faults.
For game and ranking data:
Game-related data is stored for the duration of the user account or for as long as necessary for game operation, fairness, rankings, reward management or the traceability of game events.
30. Requirement to provide personal data
When you visit our websites, technically necessary access data is processed so that the websites can be delivered.
Subscribing to the newsletter is voluntary. However, a newsletter cannot be sent without an email address.
Creating a user account is voluntary unless it is required for particular areas of the game. Without the necessary account data, certain features, game areas or support services cannot be used.
Voluntary profile details such as a biography, favourite country, favourite food or age group are optional. The game can generally be used without this information unless it is required for a specific optional community feature.
Activating two-factor authentication is voluntary unless it is required for certain features for security reasons.
31. Automated decision-making and profiling
No automated decision-making, including profiling within the meaning of Article 22 GDPR, currently takes place.
Where automated security mechanisms are used, for example to detect unusual login attempts or prevent spam, they serve technical security purposes and do not lead to legal or similarly significant decisions without further review.
32. Underage users
Our services are not specifically directed at children under the age of 16.
If you are under 16, you should submit personal data, in particular newsletter subscriptions, user account registrations, profile details or support enquiries, only with the consent of your parent or legal guardian.
If we become aware that a child’s personal data has been processed without the required consent, we will delete that data unless there is a legal obligation to retain it.
33. Data security
We take appropriate technical and organisational measures to protect personal data against loss, misuse, unauthorised access, alteration or disclosure.
These may include in particular:
- encrypted transmission via HTTPS
- access restrictions
- password hashing
- protection of 2FA secrets
- time-limited password reset tokens
- recovery codes
- logging of security-related events
- regular technical checks
- minimisation of access rights
- security measures against spam, brute-force attacks and misuse
34. Rights of data subjects
Within the scope of the legal requirements, data subjects have the following rights:
- right of access under Article 15 GDPR
- right to rectification under Article 16 GDPR
- right to erasure under Article 17 GDPR
- right to restriction of processing under Article 18 GDPR
- right to data portability under Article 20 GDPR
- right to object to processing under Article 21 GDPR
- right to withdraw consent under Article 7(3) GDPR
To exercise these rights, it is sufficient to send a message to:
[email protected]
35. Withdrawal of consent
Where processing is based on your consent, you may withdraw that consent at any time with effect for the future.
This applies in particular to:
- newsletter subscriptions
- voluntary marketing consent
- optional analytics features
- voluntary profile details where they are based on consent
Withdrawal does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.
36. Right to object
Where personal data is processed on the basis of Article 6(1)(f) GDPR, you have the right to object to such processing at any time on grounds relating to your particular situation.
If you object, we will no longer process the personal data concerned unless we can demonstrate compelling legitimate grounds for processing or the processing serves the establishment, exercise or defence of legal claims.
37. Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data infringes data protection law.
The competent authority for Berlin in particular is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59-61
10555 Berlin
Germany
Email: [email protected]
38. Changes to this Privacy Policy
We may amend this Privacy Policy if technical features, services used, legal requirements or organisational processes change.
The current version is available on our websites.