This Privacy Policy explains how TNT Studio Ltd ("we", "us", "our") collects, uses, and protects your personal information when you use our website, app, and game services (collectively, the "Service").
1. Information we collect
You provide directly
- Account data: email address, username, password (stored as bcrypt hash), display name, avatar, language preference
- Game data: in-game character, lobby character, rank, XP, total distance, games played
- Payment data: PayPal payer ID and email (we never store full card numbers — payments processed via PayPal)
- Identity verification (KYC): documents submitted only when required for high-value payouts (held encrypted, deleted on request)
- User content: posts, reels, comments, messages, profile bio, banner image
Collected automatically
- Technical data: IP address, user agent, device fingerprint (for fraud prevention), session identifiers
- Behavioural data: pages viewed, features used, match history, achievements unlocked
- Cookies: session cookie (essential), CSRF cookie (security). We do not use third-party tracking cookies.
2. How we use your information
- Provide the Service: account login, matchmaking, tournament participation, payouts
- Communicate with you: tournament results, transactional emails (password reset, prize notifications), service updates
- Security & fraud prevention: rate limiting, bot detection, suspicious-activity alerts
- Comply with legal obligations: tax reporting on payouts above thresholds, anti-money-laundering checks
- Improve the Service: aggregate analytics on which features are used (no individual profiling for advertising)
3. Legal basis (GDPR)
We process your personal data on the following bases:
| Purpose | Basis |
|---|
| Account, matchmaking, payouts | Performance of contract |
| Fraud prevention, security | Legitimate interests |
| Tax reporting, KYC | Legal obligation |
| Marketing emails | Consent (opt-in only) |
4. Sharing your data
We share data only with:
- PayPal — to process payouts and deposits
- Email service provider — to deliver transactional emails
- Hosting infrastructure — DigitalOcean / our servers in the EU
- Legal authorities — only when required by law (e.g. court order)
We never sell your personal data and never share it with advertisers.
5. Your rights (GDPR + UK)
You have the right to:
- Access your data — request a copy via Privacy & data settings or email legal@tntstudio.uk
- Rectify inaccurate data — edit your profile in app, or contact support
- Erase your data ("right to be forgotten") — delete your account in settings
- Port your data — receive it in a machine-readable JSON format
- Object to processing for direct marketing — unsubscribe in any email
- Lodge a complaint with a supervisory authority (ICO in the UK)
Use the "Export my data" button in your account settings, or email legal@tntstudio.uk. We respond to all GDPR requests within 30 days.
6. Data retention
- Account data: retained while your account is active. Deleted within 30 days of account deletion request, except where law requires longer retention (e.g. tax records: 7 years).
- Match history: retained for 24 months for ranking and anti-cheat; anonymised after.
- Audit logs: retained 90 days for security investigations.
- Backup snapshots: rotate every 30 days.
7. International transfers
Our servers are located in the European Union. Some service providers (e.g. PayPal) may transfer data outside the EEA under Standard Contractual Clauses or adequacy decisions.
8. Children
The Service is not intended for users under 13 years old (or 16 in the EEA). Cash payouts require users to be 18+. We do not knowingly collect data from minors. If you believe a child has provided us data, contact legal@tntstudio.uk.
9. Security
We use industry-standard practices: HTTPS, bcrypt password hashing, JWT bearer tokens with rotation, CSRF protection, rate limiting, encrypted database backups, audit logging on every admin action. Two-factor authentication (TOTP) is available and strongly recommended.
10. Cookies
We use only essential cookies:
| Name | Purpose | Duration |
|---|
tntstudio.sid | Session login | 30 days |
XSRF-TOKEN | CSRF protection | 1 day |
refreshToken | Session refresh | 7 days |
We do not use any third-party tracking, advertising, or analytics cookies.
11. Changes to this policy
We will notify you by email at least 30 days before material changes. The "Last updated" date at the top reflects the most recent revision.
12. Contact
Data Protection Officer: legal@tntstudio.uk
TNT Studio Ltd, 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom