Legal
Privacy Policy
This policy explains what personal data Sitaratas processes, why we use it, who receives it and what rights you have.
Effective:
1. Controller
Inuware OÜ, registry code 16544096, registered in the Estonian Commercial Register. Registered address: Kentmanni tn 22, Kesklinna district, 10116 Tallinn, Estonia. Email: hello@inuware.ee.
Inuware OÜ is the controller of the Sitaratas service and the personal-data processing described here.
2. Data we process
- Account data: verified email address, username, account identifier, account creation and update times and game-pass balance.
- Sign-in and security data: a hashed one-time verification code and its expiry, a hashed session token, session times, IP address, request time and technical log data.
- Profile data: a selected avatar or uploaded avatar image and its crop and zoom settings. Uploaded images are reprocessed and embedded metadata is removed.
- Game data: room codes and settings, participants, readiness and connection status, dealt cards, bids, plays, results, game events and the drawn signature used to confirm a finished game.
- Communications: room-chat content, sender and time and messages you send to support.
- Purchase and billing data: package, price, currency, order and payment status, refunds or disputes, Stripe transaction references, billing name, email and country and invoice data created in Merit. To process and audit payments, refunds and disputes reliably, we also retain signed Stripe event data, which may include a billing address, phone number, tax identifier, payment-method summary and fraud-prevention metadata where Stripe returns them. We do not store full payment-card numbers or security codes.
- Preference and consent data: interface language, analytics choice, policy version and the time the choice was saved.
- Consent-based analytics data described below and in the Cookies Policy.
Please do not put sensitive personal data that is not needed for the service in chat, an avatar, a signature or a support message.
3. Purposes and legal bases
- Contract and steps before a contract: creating and authenticating an account, providing rooms and games, chat and avatars, selling game passes, confirming payment, showing invoices and providing support.
- Legal obligation: keeping accounting and tax records, responding to consumer requests and complying with a lawful order from a competent authority.
- Legitimate interests: keeping the service safe and reliable, preventing fraud, abuse and attacks, investigating faults, protecting legal rights and improving the service in a proportionate way that does not override user rights.
- Consent: optional Google Analytics. Refusing consent does not restrict the game, account or purchases and you can withdraw consent at any time.
4. What other players can see
In the public-room list, visitors who are not signed in may see a room code, usernames, player count and basic room settings. Room members see each other's username, avatar, status, game actions, scores, chat messages and the signature confirmed at the end of a game. A private room is not listed publicly, but invited members see the same in-room data.
5. Service providers, recipients and international transfers
We give access only where needed to provide the service or meet a legal duty. Recipients may include authorised developers and contracted hosting, database, private file-storage, email-delivery and technical-support providers. The exact infrastructure depends on the production environment; you can request the current provider list by email.
- Stripe Payments Europe, Limited processes payment, fraud-prevention and billing data on its hosted checkout page and tells us the payment outcome.
- Merit Tarkvara AS's Merit Aktiva service processes the name, email, country, purchase description and amount needed to issue a sales invoice.
- Google Ireland Limited processes Google Analytics data only if you accept analytics.
- Data may be disclosed to a court, regulator, payment provider or another party where required by law or necessary for a dispute or fraud investigation.
If a provider processes data outside the European Economic Area, we use an applicable safeguard such as a European Commission adequacy decision or Standard Contractual Clauses and add supplementary protections where required.
Stripe Privacy Policy · Merit Privacy Notice · Google Privacy Policy
6. Google Analytics
After you consent, we use Google Analytics 4 to understand use and reliability. We send sanitised page views, account status and interface language, authentication steps, general room settings, player counts, bids, card plays, scores, chat-message length, purchase package and amount, payment state, error categories and Web Vitals. Google may add a cookie client identifier, approximate location and browser, device and session information.
Signed-in activity is connected across sessions with a stable pseudonymous User-ID made from a SHA-256 hash of the internal account ID. A purchase identifier is also pseudonymised. These remain personal data. We do not send email addresses, usernames, room codes, chat contents, verification codes, avatar images, signature drawings, payment-card data, Stripe session IDs, raw account or order IDs or raw error messages to Google.
Sitaratas denies advertising storage, advertising user data and ad personalisation through Google Consent Mode. Inuware OÜ enables production analytics only in a Google Analytics property where Google Signals, user-provided data collection, ad personalisation and Enhanced Measurement are off and event-level retention is no more than 14 months. You can change consent on the Cookies Policy page; withdrawal stops new events and removes Google Analytics cookies and optional analytics markers in every open Sitaratas tab.
7. Retention
- An email verification code normally expires after 10 minutes and is deleted after successful use. A login session and its essential authentication cookie last up to 30 days unless you sign out or the session is revoked earlier.
- We keep the analytics choice in your browser until you change it, clear browser data or we ask again. Google Analytics cookies have a default lifetime of up to two years, although a browser may shorten it.
- We keep account, profile, game, signature and chat data while the account is active and afterwards only for as long as needed to operate the service, maintain safety, protect other players' rights, resolve a dispute or fulfil a deletion request. When no longer needed, it is deleted or anonymised.
- We retain purchase, payment-event, refund, dispute, invoice, ledger and tax records for at least seven years from the end of the relevant financial year, or longer where law or an active dispute requires it. The broader Stripe event contents are minimised after successful processing; a failed event's contents are kept only as long as needed for retry, investigation or a dispute.
- Security and technical logs and support correspondence are retained for as long as needed to resolve the issue and protect legal rights, then deleted or anonymised.
8. Your rights
Depending on the circumstances, you can request access to and a copy of your data, correction, deletion, restriction and portability in a machine-readable form. You can object to processing based on legitimate interests and withdraw consent at any time. Withdrawal does not affect processing that was lawful before it.
Email hello@inuware.ee. We may verify your identity before disclosing or changing data. We normally respond within one month. We may be unable to fully delete data that must be kept for accounting, legal claims or other users' rights.
If you believe your data is processed unlawfully, you can complain to the Estonian Data Protection Inspectorate (Tatari 39, 10134 Tallinn, info@aki.ee) or the supervisory authority where you usually live.
Send us a privacy request · Estonian Data Protection Inspectorate
9. Security and minors
We use reasonable technical and organisational measures including hashed session tokens, secure authentication cookies, private avatar storage, access controls, input validation and redaction of sensitive log fields. No internet service can promise complete security.
Sitaratas is not directed to children who cannot enter a valid contract themselves. A minor should use the service, especially paid purchases, only with a parent or guardian's permission. Contact us if you believe a child supplied data without required permission.
10. Changes
We may update this policy when the service, providers or legal requirements change. We will publish the dated version here and give notice of a material change in the service or another suitable way. If a change affects analytics consent, we will ask again where required.