Skip to content
This document was last updated on 2025-06-01 and is pending review by legal counsel. It should not be considered final legal advice.

Privacy Policy

This Privacy Policy explains what personal data we collect, why we collect it, the legal basis for doing so, who has access to it, and how long we keep it. We wrote this in plain language because transparency isn't optional for us — it's foundational.

Introduction

Roundup Games ("we", "us", "our") operates the roundup.games platform — a non-profit, open-source service that helps people find and organize local, in-person tabletop gaming sessions.

This policy applies to all users of our platform, including visitors who browse without creating an account.

Our Pledge →

Data We Collect

We only collect data that serves a clear, specific purpose. Here's what we gather and why:

Account & Profile Data

To create and maintain your account.

Name, email address, display name, profile photo (optional), bio (optional), gender (optional — special-category data under GDPR Art. 9, collected with your explicit consent), language preference.

Location Data

To suggest nearby sessions, players, and venues.

Approximate location (city/neighborhood level). You can set this manually. We store a geohash — not your exact address — unless you explicitly provide an address for an event you organize.

Gaming Preferences

To personalize session recommendations and discovery results.

Favorite game systems, vibe preferences (competitive, cooperative, etc.), avoided games, and teams you belong to.

Activity & Participation Data

To track attendance, compute reliability scores, and support community accountability.

Session sign-ups, attendance records, late cancellations, no-shows, reviews submitted, and organizer history.

Communication Data

To send messages between users and deliver notifications you've requested.

Direct messages between users, notification preferences, and email delivery records.

Invitation Data

To allow organizers to invite people to games and campaigns.

When you invite someone by email who does not have an account, we store their email address in the participant record. Invitee emails are anonymized 90 days after the game or campaign ends. Recipients can opt out of future invitations at any time via a one-click link in the invitation email.

Sensitive Data (GDPR Art. 9)

Gender is the only special-category data we collect, and only with your explicit consent.

Gender is collected as special-category personal data under GDPR Art. 9(2)(a) with your explicit, informed consent at registration. Providing gender is entirely optional. You may withdraw consent at any time from your profile settings, which will immediately remove your gender data from our records. Gender is never exposed in API responses or shared with third parties.

Technical & Usage Data

To maintain security, diagnose issues, and improve the platform.

IP address, browser type, device type, pages visited, session duration, and error logs.

Payment Data

To process subscription payments for organizer tools.

We do not store credit card details. Payment processing is handled entirely by Paddle.com, our payment provider. We receive only a transaction reference and subscription status.

Legal Bases for Processing (GDPR)

As an organization based in Germany, we process your data under the following legal bases:

Contract performance: Providing the services you signed up for (account, session management, communication).
Consent: Analytics tracking (PostHog) and optional cookie-based features. You can withdraw consent at any time.
Legitimate interest: Security, fraud prevention, and platform improvement — always balanced against your privacy rights.
Legal obligation: Data retention required by German tax and commercial law (e.g., membership and financial records).

Cookies & Tracking

We use a minimal set of cookies:

Necessary cookies: Session authentication, CSRF protection, language preference. These cannot be disabled.
Analytics cookies (PostHog): Help us understand how the platform is used so we can improve it. These are optional and only activated with your consent.

You can manage your cookie preferences at any time using the Cookie Settings link in the footer.

Third-Party Services

We share data only with service providers who help us operate the platform. Each is bound by data processing agreements:

PostHog (Analytics)

Self-hosted analytics. We use PostHog to understand feature usage and user flows. Data is pseudonymized where possible. PostHog data is processed within the EU.

Paddle (Payments)

Payment processing for subscriptions. Paddle handles all credit card data — we never see or store it. Paddle is PCI-DSS compliant and processes data in accordance with GDPR. See paddle.com/legal for their privacy policy.

Cloudflare (Infrastructure)

CDN, DDoS protection, and DNS. Cloudflare may temporarily log IP addresses for security purposes. Cloudflare is committed to GDPR compliance. See cloudflare.com/privacypolicy for details.

Nominatim (Geocoding)

Open-source geocoding by OpenStreetMap. Used to convert addresses to coordinates when organizers set event locations. Nominatim usage is governed by the OpenStreetMap Foundation's privacy policy.

Your Rights

Under the GDPR, you have the following rights regarding your personal data:

Access: Request a copy of all personal data we hold about you.
Rectification: Correct inaccurate or incomplete data.
Erasure: Request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
Portability: Receive your data in a machine-readable format.
Objection: Object to processing based on legitimate interest.
Restriction: Request that we limit how we process your data.
Withdraw consent: For any processing based on consent, you can withdraw at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at [email protected].

If you believe your data rights have been violated, you have the right to lodge a complaint with a supervisory authority, such as the Bavarian State Office for Data Protection Supervision (BayLDA).

Data Retention

We keep your data only as long as necessary:

Account data: Retained while your account is active. When you delete your account, your personal data (name, email, profile photo, and other PII) is removed and replaced with anonymized identifiers. Your reviews, game participation history, and campaign contributions are preserved to maintain data integrity for other users. Non-personal operational data may be retained longer where required by law.
Activity data: Attendance records and reliability scores are retained for the lifetime of the account to maintain scoring accuracy.
Analytics data: PostHog data is retained for up to 13 months, then automatically deleted.
Legal requirements: Financial records and association membership data are retained as required by German law (typically 6–10 years).

Contact

For any questions about this Privacy Policy or your personal data, contact us:

Roundup Games

Email: [email protected]

Last updated: 2025-06-01

You're offline — some features may be unavailable
Back online