Privacy Policy
Last updated: 16 April 2025
Effective date: 16 April 2025
This Privacy Policy explains how the Merlis team ("we", "us", "our", or "Merlis") collects, uses, stores, shares and protects personal data of players and visitors ("you", "user") of the Merlis game and related websites (together, the "Service"). It is written to comply with Regulation (EU) 2016/679 ("GDPR") and applicable national implementations.
1. Data Controller
The data controller responsible for processing your personal data is the operator of the Merlis Service.
Contact: [email protected]
2. Personal Data We Collect
We collect only data that is necessary to provide and secure the Service:
- Account data: username (login), hashed password, email address, referral token, registration date, IP address used at sign-up.
- Optional profile data: real name, phone number, social ID — only if you choose to provide them.
- Gameplay data: in-game character data, login history, purchases, vote and reward history, anti-cheat events.
- Technical data: IP address, browser user-agent, device identifiers, cookies, session tokens, log files.
- Communication data: support tickets, emails, messages you send to us.
- Marketing data: your consent status for newsletters and promotional emails, including opt-in/opt-out timestamps.
3. Purposes & Legal Bases of Processing
We process your personal data on the following legal bases under Article 6 GDPR:
- Performance of a contract (Art. 6(1)(b)) — to create your account, authenticate you, deliver the Service, process in-game purchases, and provide customer support.
- Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, anti-fraud and law-enforcement requirements.
- Legitimate interests (Art. 6(1)(f)) — to secure the Service, prevent cheating and abuse, debug, and improve the game. Our interests are balanced against your rights and freedoms.
- Consent (Art. 6(1)(a)) — for non-essential cookies and for sending you marketing emails (newsletters, promotional offers, in-game event announcements). You may withdraw your consent at any time without affecting prior lawful processing.
4. Email Marketing
If — and only if — you tick the dedicated marketing-consent checkbox during registration or in your account settings, we will use your email address to send you:
- game updates, patch notes and new content announcements;
- special events, promotions, discount codes and giveaways;
- account-related re-engagement emails (e.g. inactive-player offers).
This consent is separate from the registration itself and is fully optional. You can withdraw it at any time by:
- clicking the "Unsubscribe" link at the bottom of any marketing email;
- changing the marketing preference in your user panel; or
- emailing [email protected].
Transactional emails (password resets, security alerts, payment receipts, terms updates) are not marketing and will continue to be sent regardless of your marketing-consent status, because they are necessary to operate your account.
5. Cookies & Similar Technologies
We use strictly-necessary cookies for session management, security and CSRF protection (no consent required under Art. 5(3) of the ePrivacy Directive). We may use analytics or advertising cookies only after you give explicit consent through the cookie banner. You can manage your preferences at any time.
6. Data Recipients
We do not sell your personal data. We may share it with:
- hosting, CDN and email-delivery providers acting as our processors under a Data Processing Agreement (Art. 28 GDPR);
- payment service providers (e.g. PayWant, Kabasakal, Epinpay) when you make a purchase;
- anti-cheat and anti-fraud providers;
- competent public authorities where we are legally required to do so.
7. International Transfers
Where personal data is transferred outside the European Economic Area, we rely on adequacy decisions or on the European Commission's Standard Contractual Clauses (Art. 46 GDPR) and apply additional safeguards where appropriate.
8. Retention
- Account data: kept for as long as your account is active, then deleted or anonymised within 12 months of account closure, unless a longer retention period is required by law.
- Payment records: retained for up to 10 years for tax and accounting purposes.
- Server logs and IP addresses: retained for up to 12 months for security and abuse-prevention.
- Marketing-consent records: retained until you withdraw consent, plus 3 years as proof of consent.
9. Your Rights Under GDPR
You have the right to:
- access your personal data (Art. 15);
- rectify inaccurate data (Art. 16);
- erase your data — "right to be forgotten" (Art. 17);
- restrict processing (Art. 18);
- data portability (Art. 20);
- object to processing based on legitimate interests or for direct marketing (Art. 21);
- withdraw your consent at any time (Art. 7(3));
- lodge a complaint with your local data-protection supervisory authority (Art. 77).
To exercise any of these rights, email us at [email protected]. We will respond within one month.
10. Security
We apply appropriate technical and organisational measures to protect your personal data, including password hashing, TLS encryption in transit, restricted access controls, and regular security reviews. However, no system is 100% secure, and we cannot guarantee absolute security.
11. Children
The Service is not intended for children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so that we can delete it.
12. Changes to this Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the latest version. Material changes will be communicated through the Service or by email.
13. Contact
For any privacy-related question, request or complaint, contact us at [email protected].