Privacy Policy
Privacy Policy
Version: 2026-05-09
This document is a translation of the original Czech version. In the event of any discrepancy between language versions, the Czech version shall prevail.
This Privacy Policy (the "Policy") describes how duelgo s.r.o. processes the personal data of users of the duelgo Platform. The Policy forms part of the Terms and Conditions and complies with Regulation (EU) 2016/679 (GDPR) and Act No. 110/2019 Coll.
1. Data Controller
duelgo s.r.o. IČO: 23846356 Registered office: Nové sady 988/2, Staré Brno, 602 00 Brno, Czech Republic E-mail for data protection questions: info@duelgo.fun
The controller has not appointed a Data Protection Officer (DPO), as this is not mandatory given the scope and nature of the processing.
2. Whom This Policy Applies To
This Policy governs the processing of the personal data of:
a) Registered Users of the Platform (Clients who create an Account), b) Visitors to the duelgo.fun website and related pages, c) Recipients of the Operator's marketing communications, d) Persons requesting information at info@duelgo.fun.
Note: If you are a Player (a participant in a specific Duelgo) and your data is collected by the Duelgo organiser (the Client), the controller is that Client, not the Operator. In that case, contact the relevant Client. In such a relationship, the Operator is a mere processor — see DPA.
3. What Personal Data We Process
| Data category | Specific data | Source |
|---|---|---|
| Identification | First name, surname, company name, IČO, VAT ID | You upon registration/order |
| Contact | E-mail, telephone, billing address | You upon registration/order |
| Login | E-mail + verification code, or Google/Apple ID | You upon registration |
| Profile | Nickname, avatar, language, time zone | You during use |
| Operational | IP address, user-agent, login log, cookies (only necessary) | Automatically during use |
| Commercial | Data on orders, invoices, payments | Upon a paid order |
| Communication | The content of e-mails and support tickets | When you contact us |
| Marketing preferences | Consent / refusal of newsletters | Upon registration and in settings |
The Operator DOES NOT PROCESS special categories of personal data within the meaning of Article 9 GDPR (health data, biometrics, data on sexual life, etc.) in connection with the operation of the Platform itself.
4. Purposes of Processing and Legal Bases
| Purpose | Legal basis | Data | Retention period |
|---|---|---|---|
| Maintaining the Account, providing the Service | Performance of a contract (Art. 6/1/b GDPR) | Identification, contact, profile, operational | For the duration of the Account + 3 years for complaints |
| Issuing invoices and bookkeeping | Legal obligation (Art. 6/1/c GDPR; Act No. 563/1991 Coll.) | Identification, contact, commercial | 10 years from the end of the tax period |
| Handling complaints | Performance of a contract and a legal obligation | Identification, contact, communication | 3 years from the complaint |
| Platform security, fraud prevention | Legitimate interest (Art. 6/1/f GDPR) | Operational, IP address, log | 12 months |
| Improving the Service (anonymous traffic analytics via Plausible — cookieless) | Legitimate interest (Art. 6/1/f GDPR) | Aggregated traffic data (without cookies) | 24 months, then anonymisation |
| Commercial messages about our own Platform | Section 7(3) of Act No. 480/2004 Coll. (soft opt-in) + legitimate interest | Contact | Until unsubscribed |
| Commercial messages with explicit consent | Consent (Art. 6/1/a GDPR) | Contact | Until consent is withdrawn |
| Support communication | Performance of a contract / legitimate interest | Contact, communication | 3 years from the last contact |
| Fulfilment of legal obligations (bodies active in criminal proceedings, courts) | Legal obligation | As requested | For the duration of the obligation |
Legitimate interest — explanation
For purposes based on legitimate interest, we have carried out a balancing test and concluded that our interests (operation, security, improving the Service) outweigh the interests and rights of the data subjects, as the processing is necessary, proportionate, and the subjects have the right to object.
5. Recipients of Personal Data
5.1 Subprocessors (processors). For the operation of the Platform, we use processors whose current list is in Subprocessors. The main categories:
a) Hosting and database providers b) CDN and file storage providers c) E-mail infrastructure providers d) Monitoring and logging providers e) Payment gateways f) Accounting and tax advisors g) Providers of anonymous web analytics (cookieless)
5.2 Public authorities. We may transfer your data to public authorities (courts, the tax office, bodies active in criminal proceedings) where the law so requires or where proceedings require it.
5.3 No transfer for third-party marketing. We NEVER sell or transfer your personal data to third parties for their own marketing purposes.
5.4 The duelgo organiser has its own rules. The guarantee in point 5.3 applies to processing carried out by the Operator as controller — typically the data of registered Users of the Platform. If you participate in a specific duelgo (contest, betting game, poll or other activation), the controller of the personal data you provide within that duelgo is the duelgo organiser (Client/Creator), not the Operator. The Organiser has its own contest rules and its own privacy policy, which you typically agreed to upon entering the contest. These rules may differ from this Policy — the Organiser may, for example, share your data with its partners, use it for its own marketing, or transfer it to third parties if you have given it consent to do so. For details on how a specific Organiser handles your data, contact it directly.
5.5 In the event of a business transfer. In the event of a merger, acquisition or sale of the Operator's business, your data may be transferred to the acquirer. In such a case, you will be informed of the transfer in advance.
6. Transfers Outside the EU/EEA
6.1 We primarily process your data in the EU (in particular Frankfurt am Main, Germany).
6.2 Some subprocessors (e.g. Sentry for error monitoring) may process data in the United States of America. These transfers are covered by: a) standard contractual clauses (SCC) approved by the European Commission, b) or Data Privacy Framework certification (where applicable), c) and supplementary technical measures (encryption, pseudonymisation).
6.3 Current information on the country of processing of each subprocessor can be found in Subprocessors.
7. Your Rights
As a data subject, you have the following rights:
| Right | What it means |
|---|---|
| Access (Art. 15 GDPR) | To obtain confirmation of what data we process about you and a copy of that data |
| Rectification (Art. 16 GDPR) | To request the rectification of inaccurate or incomplete data |
| Erasure / "right to be forgotten" (Art. 17 GDPR) | To request the deletion of data if it is no longer needed or you have withdrawn consent |
| Restriction of processing (Art. 18 GDPR) | To request the temporary cessation of processing |
| Portability (Art. 20 GDPR) | To obtain your data in a structured, machine-readable format (JSON/CSV) |
| Objection (Art. 21 GDPR) | To object to processing based on legitimate interest |
| Withdrawal of consent (Art. 7 GDPR) | To withdraw previously granted consent at any time (this does not affect the lawfulness of processing before withdrawal) |
| Not to be subject to automated decision-making (Art. 22 GDPR) | The Operator carries out no automated decision-making with legal effects |
| To lodge a complaint | With the supervisory authority (see § 12 below) |
How to exercise your rights? Send a request to info@duelgo.fun from your registered e-mail. We will handle it within 30 days (the period may be extended by a further 60 days in complex cases, of which we will inform you).
8. Personal Data Security
We have implemented appropriate technical and organisational measures to protect your data:
a) All communication takes place over TLS 1.2+ (HTTPS). b) Passwords and tokens are stored hashed (bcrypt, scrypt) — we do not store them in readable form. c) The database is operated with access only from our application and encrypted at-rest. d) Access to personal data is granted only to authorised employees under an NDA and only to the extent necessary to perform the task. e) We keep audit logs of key operations. f) We operate monitoring of security incidents and, in the event of a personal data breach, we have a notification procedure within 72 hours under Article 33 GDPR in place.
9. Cookies
The use of cookies is described in a separate document, Cookies. In short: we use only necessary cookies for the operation of the Platform (login, gameplay, duplicate prevention). We do not use third-party tracking cookies (Google Analytics, Meta Pixel, Hotjar); for anonymous traffic statistics we use the cookieless tool Plausible, which sets no cookies — so you do not need to deal with a cookie banner.
10. Children
10.1 The Platform is primarily intended for persons aged 15 and over. Younger persons may use it only with the consent of a legal guardian under Article 8 GDPR.
10.2 If we find that we have processed the data of a child under 15 without the consent of a legal guardian, we will delete the data without delay.
10.3 If you believe that we have processed your child's data without your consent, contact us at info@duelgo.fun.
11. Changes to the Policy
11.1 We may update this Policy. We will inform registered Users of material changes by e-mail at least 30 days in advance.
11.2 The current version is always available at duelgo.fun/pravni/zasady-ochrany-udaju.
11.3 We archive previous versions and provide them on request.
12. Contact and Supervisory Authority
Data protection questions:
duelgo s.r.o. Nové sady 988/2, Staré Brno, 602 00 Brno info@duelgo.fun
Supervisory authority:
Úřad pro ochranu osobních údajů (ÚOOÚ) Pplk. Sochora 27, 170 00 Praha 7 Phone: +420 234 665 111 www.uoou.cz
You have the right to lodge a complaint with the ÚOOÚ if you believe that we are processing your data contrary to GDPR.