Legal
Data Processing Agreement
Last updated: July 6, 2026
1. Parties and Scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service between GameOn ("Processor", "we") and the business customer holding the account ("Controller", "you"). It applies automatically whenever you use GameOn to run games in which your employees, colleagues or event participants ("players") take part, and governs our processing of players' personal data on your behalf under Article 28 GDPR.
For your own account data (your email, login and billing details) we act as an independent controller — that processing is described in our Privacy Policy.
2. Subject Matter, Nature and Purpose
We process player personal data solely to provide the GameOn service: letting players join games, play missions, submit answers and photos, appear on leaderboards, and generating result reports for you. Processing lasts for the duration of your subscription plus the retention periods in Section 7.
3. Categories of Data and Data Subjects
- Data subjects: players participating in your games (typically your employees or event guests).
- Personal data: team names and player display names, game answers and scores, photos and video stills submitted for photo missions, and technical data (IP address, browser type) generated by use of the service.
- No special categories of data are required by the service. You agree not to instruct players to submit sensitive data (e.g. health information) in answers or photos.
4. Our Obligations as Processor
- Process player data only to provide the service and on your documented instructions, unless required otherwise by EU or Member State law.
- Ensure persons authorised to process the data are bound by confidentiality.
- Implement appropriate technical and organisational measures (Article 32): encryption in transit (HTTPS), row-level security and per-tenant isolation in the database, hashed passwords, access controls, and audit-reviewed code.
- Assist you, taking into account the nature of the processing, in responding to data subject requests (access, erasure, portability) and in meeting your obligations under Articles 32–36.
- Notify you without undue delay after becoming aware of a personal data breach affecting your players' data, with the information reasonably required for your own notification obligations.
- Delete or return all player personal data at the end of the provision of services (see Section 7), unless EU or Member State law requires storage.
- Make available the information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits conducted by you or an auditor you mandate, upon reasonable written notice and at most once per year, at your expense.
5. Sub-processors
You give general authorisation to the following sub-processors. We will inform account holders of intended changes (via email or in-app notice) at least 30 days in advance, giving you the opportunity to object.
- Supabase Inc. — database, authentication and file storage (EU-hosted project; some support access from the USA under SCCs).
- Vercel Inc. — application hosting and CDN (USA, SCCs).
- Stripe Inc. — payment processing for your subscription (USA, SCCs; acts primarily as an independent controller for payment data).
- Anthropic PBC — AI features: text entered in the support chat and content submitted to AI photo rating or AI game generation (USA, SCCs).
- Resend — transactional email to account holders (USA, SCCs).
Each sub-processor is bound by data protection obligations materially equivalent to this DPA. Transfers outside the EU/EEA are protected by the European Commission's Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework.
6. Your Obligations as Controller
You are responsible for having a lawful basis for the processing (for workplace events, typically legitimate interest), for informing your players that GameOn is used and where they can read about the processing, and for the content of the missions you create. You warrant that your instructions to us comply with applicable law.
7. Retention and Deletion
- Player photos: deleted automatically 30 days after the game ends (enforced by a daily job).
- Game data (teams, scores, answers): retained while your account exists so you can access historical reports.
- Account deletion: the "Delete account" function in the app permanently erases your account and all associated player data. Data export is available via "Export my data".
8. Liability and Term
Liability under this DPA follows the limitation of liability in the Terms of Service. This DPA applies for as long as we process player personal data on your behalf and automatically terminates when all such data has been deleted.
9. Contact
Data protection questions and breach notifications: hello@playgameon.app. If your procurement process requires a countersigned copy of this DPA, contact us and we will provide one.