Legal
Privacy Policy
1. Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data-protection laws is:
<PLACEHOLDER: first and last name>
<PLACEHOLDER: street and number>
<PLACEHOLDER: postal code and city>
<PLACEHOLDER: country>
Email: contact@avanatro.com
A data protection officer has not been appointed; no obligation to appoint one exists.
2. General notes on data processing
2.1 Scope of personal data processing
Users' personal data is collected and used only to the extent necessary to provide a functional website together with its content and services. Any processing beyond that takes place only with the user's consent or on another legal basis pursuant to Art. 6 GDPR.
2.2 Legal bases
Where the consent of the data subject is obtained for the processing of personal data, Art. 6(1)(a) GDPR serves as the legal basis.
For processing necessary for the performance of a contract or for taking steps prior to entering into a contract, Art. 6(1)(b) GDPR serves as the legal basis.
Where processing is necessary to safeguard a legitimate interest and that interest is not overridden by the interests, fundamental rights and freedoms of the data subject, Art. 6(1)(f) GDPR serves as the legal basis.
2.3 Data erasure and storage duration
Personal data is erased or blocked as soon as the purpose of storage ceases to apply. Longer storage may take place where required by statutory retention obligations.
3. Hosting
The website is hosted by IONOS SE, Elgendorfer Strasse 57, 56410 Montabaur, Germany. The servers are located in Germany. A data processing agreement pursuant to Art. 28 GDPR is in place with the provider.
Each time the website is accessed, technical data is recorded in server log files (see Section 4).
4. Provision of the website and server log files
4.1 Description and scope
Each time the website is accessed, the system automatically records data and information from the requesting device. The following data is collected:
- IP address of the requesting device
- Date and time of access
- Requested URL or filename
- Amount of data transferred
- HTTP status code
- Browser and operating system in use (user agent)
- Previously visited page (referrer), if transmitted
This data is stored in the server's log files. It is not combined with other personal data sources held by the controller.
4.2 Legal basis
The legal basis is Art. 6(1)(f) GDPR. The legitimate interest lies in the technical provision of the website, its stability, security against attacks, and error diagnosis.
4.3 Storage duration
Log files are deleted no later than 30 days after collection unless they need to be retained longer for evidentiary purposes in connection with a specific security-relevant incident.
5. Contact
5.1 Contact form
The website offers a contact form for direct messaging. The following mandatory and optional fields are processed:
- Name (mandatory)
- Email address (optional)
- Message body (mandatory)
- Timestamp of submission
The submitted data is stored on the server in order to process the inquiry and, where applicable, send a reply. No data is passed on to third parties.
5.2 Contact by email
When contact is made by email at contact@avanatro.com, the data transmitted (sender address, subject, message content and any additional voluntarily provided information) is stored in order to process the inquiry and keep it available for any follow-up communication.
5.3 Legal basis and storage duration
The legal basis is Art. 6(1)(f) GDPR (legitimate interest in answering inquiries) or Art. 6(1)(b) GDPR where the inquiry concerns the conclusion or performance of a contract.
Incoming messages and email correspondence are deleted once their purpose has ceased and no statutory retention obligations apply.
6. Reach measurement
No reach measurement is in place. The website does not operate a page-view counter and does not aggregate per-path usage statistics. The only request-level records that exist are the server log files described in Section 4, which are deleted no later than 30 days after collection.
No analytics scripts, tracking pixels, fingerprinting techniques or session-correlation cookies are loaded on any page of this website.
7. Cookies and comparable technologies
The website only uses strictly necessary cookies where required for the operation of individual functions (e.g. session cookies for access protection of restricted areas, see Section 10).
No analytics, tracking or advertising cookies are used. There is no integration with third parties for marketing or reach-measurement purposes.
The legal basis for strictly necessary cookies is Art. 6(1)(f) GDPR together with § 25(2)(2) TTDSG or the corresponding provision in the user's country of residence.
When pages under /minigames/ are accessed, an affiliate banner from a third-party provider is embedded. That third-party provider sets a strictly necessary bot-detection cookie on its own domain. This is not a tracking or advertising cookie on the present website. Details in Section 8.4.
8. Mini-games and public leaderboards
Under the path /minigames/ interactive mini-games with public leaderboards are offered (including "SteamHilo").
8.1 Scope of processing
- A pseudonym (display name) voluntarily entered by the user
- Score achieved
- Timestamp of the entry
- Shortened or hashed IP address to prevent spam and duplicate submissions
The pseudonym is displayed together with the score in a publicly visible leaderboard. The user is informed of this before submission. Entering a real name, email address or other identifying information in the pseudonym field is not required and is expressly discouraged.
8.2 Legal basis
The legal basis is the consent of the user pursuant to Art. 6(1)(a) GDPR, given by actively submitting the entry, together with Art. 6(1)(f) GDPR for spam prevention.
8.3 Storage duration and erasure
Leaderboard entries are stored until revocation. Users may request the deletion of their entry at any time by stating the pseudonym and approximate submission time via email at contact@avanatro.com.
8.4 Affiliate banner (Instant Gaming)
On the overview page at /minigames/ (in the footer area) as well as on the game-over screen of the individual games, an affiliate banner from the provider Instant Gaming is embedded.
Provider: Eclypsia SAS, 13 Boulevard du Maréchal Joffre, 92340 Bourg-la-Reine, France.
Data processing when the banner is loaded:
- HTTP request to
instant-gaming.comto retrieve the banner content; the IP address and user agent are transmitted to the provider in the process. - A Cloudflare bot-detection cookie (
__cf_bm) is set on the third-party domaininstant-gaming.com(lifetime approximately 30 minutes, technically required for bot detection, not a tracking cookie). - NO user profiling, NO linking with other data points of this website, NO advertising personalisation.
- When the banner is clicked: transmission of the affiliate code ("Avanatro") to the provider, so that any resulting order is credited to the operator of this website as a referral.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing free content on an economically viable basis and in the provider's bot-protection function).
Note: The banner can be blocked by standard browser mechanisms (uBlock Origin, Brave Shields, Firefox Tracking Protection) without impairing the playability of the games.
9. Project Galaxy Protocol
Under avanatro.com a publicly readable milestone protocol is maintained. The entries published there are curated exclusively by the controller and contain no personal data of third parties. A MariaDB database is used in the background; processing of personal data of visitors beyond the server log files described in Section 4 does not take place during simple read access.
10. Access-restricted areas
Some areas of the website (in particular under /projekte/priv/ and downstream paths) are protected by an authentication gate. Access is granted by means of a password communicated individually to the respective client.
10.1 Scope of processing
- Password entered (not stored permanently; used exclusively for authentication verification)
- Session cookie to maintain the sign-in during the visit
- Server log files in accordance with Section 4
10.2 Legal basis and storage duration
The legal basis is Art. 6(1)(f) GDPR (legitimate interest in protecting non-public content). The session cookie is deleted when the browser is closed.
11. Payment processing in protected applications
In some protected application areas (in particular the YumYum subsystem under /yumyum/) chargeable transactions can be triggered. In those cases payment processing is handled by the external service provider Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland.
When a payment transaction is triggered, the data required for the payment (in particular payment amount, currency, transaction ID and the payment details entered by the user in the Stripe payment interface) is exchanged directly between the user's browser and Stripe. Full card or account information is never processed or stored on the servers of this website; only the transaction reference issued by Stripe is retained.
The legal basis is Art. 6(1)(b) GDPR (performance of a contract). Further information on data processing by Stripe is available at stripe.com/privacy.
12. External content and links
The website may contain references to external websites. The controller has no influence over the content or the data-protection practices of these external offerings. It is therefore recommended to read the privacy notices of the respective linked providers.
With the exception of the affiliate banner described in Section 8.4 (Instant Gaming, exclusively on the /minigames/ subpages) the website loads no external fonts, analytics tools, advertising networks, social-media plugins or embedded third-party content.
13. Transfers to third countries
Personal data is not actively transferred to third countries outside the EU/EEA, apart from payment processing through Stripe (see Section 11, registered office Ireland/EU; group with registered office in the United States). Transmission of the IP address from the user's country of access to the servers in the hosting data centre is technically unavoidable.
14. Rights of data subjects
If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:
- Access to the personal data concerning you (Art. 15 GDPR)
- Rectification of inaccurate data (Art. 16 GDPR)
- Erasure of the data concerning you ("right to be forgotten", Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection to the processing (Art. 21 GDPR)
- Withdrawal of given consent with effect for the future (Art. 7(3) GDPR)
An informal message to contact@avanatro.com is sufficient to exercise these rights.
15. Right to lodge a complaint with the supervisory authority
You have the right to lodge a complaint with a data-protection supervisory authority about the processing of your personal data — in particular with the supervisory authority of the EU Member State of your habitual residence, your place of work or the place of the alleged infringement (Art. 77 GDPR).
A list of the German supervisory authorities is available at bfdi.bund.de.
16. Currency and changes to this Privacy Policy
This Privacy Policy has the status indicated above. Further development of the website or changes in legal or regulatory requirements may make it necessary to amend this statement. The current version of the Privacy Policy can be retrieved on the website at any time.