Privacy Policy
How we collect, use and protect your personal data
Last updated: 2026-04-19
1. Data Controller
The controller of your personal data is:
Black Wall S.L. (in formation)
Madrid, Spain
Email: hello@blackwall.games
Because our processing does not fall under the scope of Article 37 of the General Data Protection Regulation (GDPR), a Data Protection Officer has not been appointed. For any query about how we handle your data, please contact the email above directly.
2. Introduction
This Privacy Policy explains what personal data we collect when you use Black Wall (https://blackwall.games), why we collect it, how we use it, and what rights you have under Regulation (EU) 2016/679 (GDPR), Spanish Organic Law 3/2018 on Personal Data Protection (LOPDGDD), and any other applicable legislation.
By using Black Wall, you acknowledge that you have read and understood this policy. If you do not agree, please do not use the service.
3. Data we collect
We collect the following categories of personal data:
Account data: email address, username, and any optional profile information you choose to provide (display name, biography, location, website, avatar URL).
User-generated content: decks you build and save, comments on the blog/decks/matches, match records, collection data, and any other content you publish on the platform.
AI assistant interactions (Fixer): messages you send to the Fixer chat are forwarded to Google for response generation. Chat history (your prompts and the assistant's replies) is stored in our database associated with your account so you can resume conversations across sessions. You can delete individual conversations, or all of them, from the chat interface at any time, and the account deletion flow removes all chat history.
Technical and connection data: IP address, browser user-agent, session identifiers, and access timestamps, collected automatically as part of normal server operation and security mechanisms.
Third-party authentication data: if you sign in with Google OAuth, we receive from Google your email, name, and public profile picture. We do not access your Google account for any other purpose.
4. Purposes and legal bases
We process your personal data for the following purposes and on the following legal bases:
Performance of a contract [Art. 6(1)(b) GDPR]: authenticating your account, showing your profile, saving and sharing your decks, recording your matches, signing you up to events, and providing the other core functions of the service.
Legitimate interests [Art. 6(1)(f) GDPR]: processing of technical data (IP, user-agent, logs) to keep the service secure, prevent fraud and abuse, and ensure operational reliability. We have balanced this interest against your rights and freedoms.
Consent [Art. 6(1)(a) GDPR]: setting of non-essential cookies (functional, analytics) and any other processing for which we request your express consent. You can withdraw consent at any time as easily as you gave it, without affecting the lawfulness of processing based on consent before its withdrawal.
Legal obligation [Art. 6(1)(c) GDPR]: retention of certain records where applicable law requires it (for example, audit logs to meet security obligations and cooperation with authorities).
5. Recipients and processors
To deliver the service we rely on the following processors (providers that handle data on the controller's behalf), with Data Processing Agreements signed under Art. 28 GDPR:
Supabase Inc. — database and authentication. Data is stored in the eu-west-1 region (Dublin, Ireland), inside the European Economic Area.
Vercel Inc. — hosting and CDN. Processed in EU edge regions when requests originate in Europe.
Cloudflare, Inc. — encrypted database backups (R2 Storage). EU region.
Google Ireland Limited — optional Google OAuth sign-in. We only receive email, name, and profile picture.
Google LLC — Google Gemini API for the "Fixer" AI assistant. Prompts you send to the chat are processed on Google infrastructure. See the next section for this transfer.
We do not sell or rent your personal data to third parties. We do not share your data with third parties for marketing purposes.
6. International data transfers
Processing by Google LLC (Gemini API) may involve an international transfer of data to the United States. This transfer is supported by the following safeguards:
Adequacy decision: on 10 July 2023 the European Commission adopted an adequacy decision for the EU–US Data Privacy Framework. Google LLC is certified under this framework.
Standard Contractual Clauses (SCCs): transfers are additionally covered by the Standard Contractual Clauses adopted by the European Commission (Decision 2021/914).
For all other processors (Supabase, Vercel, Cloudflare), processing happens on servers within the EEA and therefore does not constitute an international transfer under Chapter V of the GDPR.
You can request a copy of the applicable safeguards by writing to hello@blackwall.games.
7. Retention periods
We keep your personal data for the following periods:
Account data and published content: while the account is active. Deleted within 30 days of a deletion request.
Fixer chat history: stored in your account for as long as the account is active. You can delete individual conversations at any time from the chat interface, and all chat history is purged when you delete your account. Prompts are also processed in real time by Google Gemini, which applies its own retention terms (see "Recipients").
Audit and security logs: 24 months from the event, to meet legal requirements and security obligations.
Database backups: 30-day rotation. Older backups are automatically destroyed.
Anonymised analytics: up to 26 months.
Once the retention period expires, data is deleted or irreversibly anonymised, except where legal retention applies.
8. Your GDPR rights
As a data subject you have the following rights:
Access [Art. 15 GDPR]: obtain confirmation of whether we process your data and, where so, a copy of it.
Rectification [Art. 16 GDPR]: correct inaccurate or incomplete data.
Erasure [Art. 17 GDPR] ("right to be forgotten"): request deletion of your personal data, subject to legal retention obligations.
Restriction [Art. 18 GDPR]: ask us to temporarily restrict processing while a request is verified.
Portability [Art. 20 GDPR]: receive your data in a structured, machine-readable format (e.g., JSON). You can exercise this directly from the "Export my data" page in your account, or by writing to us.
Objection [Art. 21 GDPR]: object to processing based on legitimate interests.
Withdraw consent [Art. 7(3) GDPR]: withdraw any consent you previously gave, as easily as you gave it (for example, from the cookie preferences panel).
How to exercise: email hello@blackwall.games stating which right you wish to exercise. We respond within a month (extendable to two months in complex cases). We may ask for reasonable additional information to verify your identity.
Complaint to the supervisory authority: you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD), calle Jorge Juan nº 6, 28001 Madrid, www.aepd.es, or your local EU data protection authority, if you believe our processing is not compliant.
9. Minors
Black Wall is intended for users aged 18 and over. By creating an account, you declare that you are of legal age.
We do not knowingly request or process data of minors. If we detect that a user is under 18, we will suspend their account and delete their personal data immediately.
If you are a parent or legal guardian and suspect your child has created an account, please contact hello@blackwall.games and we will proceed with deletion.
10. Security
We apply reasonable technical and organisational measures to protect your personal data from unauthorised access, alteration, loss, or destruction: HTTPS encryption on all communications, password hashing via Supabase Auth, role-based access control (RLS), encrypted daily backups, optional two-factor authentication (2FA), rate limiting, and audit logging of sensitive operations.
No system is invulnerable. In the event of a personal data breach we will notify you and report to the AEPD within the timeframes required by the GDPR (72 hours where applicable).
11. California privacy rights (CCPA/CPRA)
If you reside in California, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you additional rights:
Know what categories of personal information we collect and why.
Request access to your specific personal information.
Request deletion of your personal information.
Opt out of the "sale" or "sharing" of personal data. We do not sell or share personal data within the meaning of the CCPA/CPRA.
Non-discrimination for exercising these rights.
To exercise them, contact hello@blackwall.games.
12. Changes to this policy
We may update this Privacy Policy to reflect legal, operational, or product changes. We will publish the updated version on this page with a new "Last updated" date.
When changes are material (for example, new processing purposes or new processors), we will notify you reasonably in advance by email or through a prominent notice on the platform.
13. Contact
For any query, complaint, or exercise of rights related to this Privacy Policy, contact:
Black Wall S.L. (in formation)
Email: hello@blackwall.games
Postal address: Madrid, Spain
We respond within 30 calendar days at most.