Loot Arena International Legal
Privacy Policy
Privacy notice and Data Processing Addendum for international Loot Arena services
1. Who we are
This Privacy Policy explains how Individual Entrepreneur DANIIL SAVINYKH, legal form: Individual Entrepreneur, identification number 345827171, registered in Georgia, processes personal data for international Loot Arena services.
Individual Entrepreneur DANIIL SAVINYKH
Legal form: Individual Entrepreneur
Identification number: 345827171
Registration date: 25/02/2026
Registered location: Georgia
Email: [email protected]
2. Roles: controller and processor
For Customer account, billing, tax, legal, security, support, website and product analytics data, Loot Arena usually acts as an independent controller because we decide the purposes and means of that processing.
For club guest, employee, administrator, mission, reward, payroll, visit, purchase, deposit and integration data processed inside a Customer workspace, the Customer is usually the controller and Loot Arena acts as processor, processing data on the Customer's documented instructions.
Loot Arena may also act as an independent controller for limited purposes required to operate and protect the platform, including account authentication, fraud prevention, abuse detection, security monitoring, service analytics, legal compliance, billing records and aggregated product improvement.
3. Categories of personal data
Depending on configuration and integrations, we may process:
- Customer and business contact data: name, role, company or sole proprietor details, country, city, club name, email, phone, messenger handle, billing details and tax information;
- account and access data: login identifiers, administrator roles, access permissions, authentication events, support history and administrator actions;
- club guest data: guest identifiers, Telegram ID or messenger identifiers, username, display name, phone, email where provided, loyalty status, mission activity, rewards, visits, purchases, deposits and club activity imported from Customer systems;
- mobile app data: email for OTP login, Sign in with Apple identifiers where used, geolocation with permission, camera access for QR scanning with permission, push token and device fingerprint for anti-fraud and security;
- employee and operations data: staff identifiers, roles, checklist records, operational tasks, payroll-support inputs and manager actions where configured by the Customer;
- technical data: IP address, device, browser, operating system, logs, session events, cookies, local storage, crash data and security events;
- payment data: billing identifiers, subscription status, invoice data, tax data and payment status. Full card data is processed by payment providers such as Paddle and is not stored by Loot Arena;
- communications: support messages, onboarding notes, email delivery events, messenger communications and legal notices.
We do not intentionally require special category data such as biometric or medical data. Customers must not upload special category data, government identifiers, payment card data or children's data unless they have confirmed that processing is lawful and appropriate safeguards are in place.
4. Purposes of processing
We process personal data to:
- provide, configure, maintain and improve the Loot Arena service;
- create accounts, authenticate users and manage access rights;
- operate loyalty missions, rewards, CRM, analytics, operational workflows, mobile app features and integrations at the Customer's direction;
- support geolocation check-ins, QR scanning, push notifications and anti-fraud controls where enabled and permitted;
- process subscriptions, invoices, taxes, refunds, disputes, chargebacks and accounting records;
- provide onboarding, support, troubleshooting and service communications;
- detect fraud, abuse, security incidents, unauthorised access and prohibited use;
- comply with legal, tax, accounting, regulatory, sanctions and payment processor obligations;
- produce aggregated or anonymised analytics and improve product reliability and performance.
5. Legal bases
Where GDPR, UK GDPR, Georgian data protection law or similar laws apply, our legal bases may include performance of a contract, legitimate interests, legal obligations, consent where required, and processing on the Customer's instructions as processor.
Legitimate interests may include service security, abuse prevention, product improvement, support, business communications, fraud prevention and enforcement of legal claims, balanced against the rights of affected individuals.
The Customer is responsible for determining and documenting the legal basis for guest, employee and club data it controls, including any consent or notice required for loyalty programs, messaging, rewards, analytics, employee workflows, geolocation, push notifications and minors.
6. Mobile application permissions
The Loot Arena mobile application may request access to device features only where needed for product functionality:
- email and OTP login are used to authenticate a user;
- Sign in with Apple may be used on iOS according to Apple rules and Apple privacy notices;
- geolocation may be used for check-ins, location-based missions and anti-fraud, only with device permission where required;
- camera access may be used for QR code scanning, only with device permission;
- push tokens may be used to send mission, reward, club event and service notifications where allowed;
- device fingerprint and technical identifiers may be used to prevent multi-accounting, abuse and security incidents.
Users can control device permissions through their device settings. Disabling a permission may limit related features.
7. Payments and Paddle
International payments may be processed by Paddle as merchant of record or authorised reseller. Paddle may process buyer identity, payment, tax, invoice, refund, fraud and compliance information under its own terms and privacy notices. Loot Arena receives limited payment status, subscription and invoice information needed to activate, support and account for the service.
8. Cookies and analytics
We may use cookies, local storage and similar technologies for security, language preferences, authentication, analytics, performance measurement and product improvement. You can control cookies in your browser settings, but disabling them may affect parts of the service.
We may use analytics tools to understand website and product usage. Where required by law, optional analytics or marketing cookies will be used only after consent.
9. Recipients and subprocessors
We may share personal data with infrastructure, hosting, database, email, analytics, support, security, payment, accounting, legal, tax and integration providers where necessary to operate Loot Arena. These providers are required to process data under appropriate confidentiality, security and data protection obligations.
We may also disclose data where required by law, court order, regulator, payment processor, card network, law enforcement request, tax authority, professional adviser or to protect legal rights, security and service integrity.
10. International transfers
Data may be processed in Georgia and other countries where we, Customers or providers operate. Where required, we use appropriate safeguards for international transfers, such as contractual commitments, data processing agreements, standard contractual clauses, transfer impact assessments, adequacy decisions or other legally recognised mechanisms.
The Customer is responsible for ensuring that its transfer of guest, employee and venue data to Loot Arena is lawful in the Customer's country and that required notices, consents or safeguards are in place.
11. Retention and deletion
We retain personal data only as long as reasonably necessary for the relevant purpose:
- Customer account and subscription records: for the subscription term and then as needed for legal, tax, accounting and dispute purposes;
- billing, invoice and tax records: for retention periods required by applicable law and payment processors;
- Customer workspace data: during the active subscription and typically up to 30 days after termination, suspension or non-payment, unless export, dispute, security, backup or legal reasons require longer retention;
- account deletion requests from end users: processed within a reasonable period and normally within 30 days, subject to legal retention, security, backup and Customer-controller obligations;
- security logs: for a limited period needed to protect the service, investigate abuse and maintain audit trails;
- support communications: for as long as needed to resolve requests, maintain service history and protect legal rights;
- aggregated or anonymised data: may be retained without time limit where it no longer identifies individuals.
12. Security
We use reasonable technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration and disclosure.
Measures may include access controls, authentication, logging, encryption in transit where appropriate, backups, least-privilege access, operational security procedures and incident response workflows.
No online service can guarantee absolute security. Customers must configure access carefully, protect credentials, train administrators and notify us promptly of suspected incidents.
13. Data subject rights
Depending on applicable law, individuals may have the right to access, correct, delete or restrict their personal data, to object to processing, to data portability, to withdraw consent and to lodge a complaint with a supervisory authority.
Requests relating to Customer-controlled guest, employee or club data should normally be directed to the relevant club operator as controller. If we receive such a request directly, we may forward it to the Customer or ask the requester to contact the Customer, unless applicable law requires us to respond directly.
Requests can be sent to [email protected].
14. Children and minors
Loot Arena is provided to business customers and is not intended to be purchased directly by children. Gaming lounges may have guests who are minors. The Customer is responsible for age rules, parental or guardian consent, venue laws, notices and any age verification requirements in the countries where it operates.
15. Data Processing Addendum
This section applies where Loot Arena processes personal data as processor on behalf of the Customer. It is intended to satisfy processor contract requirements under GDPR Article 28 and similar laws, and the processor agreement requirements of Georgian data protection law.
Subject matter: provision of Loot Arena SaaS, integrations, support, hosting, analytics and related services.
Duration: the subscription term and any post-termination retention period described in this Policy.
Nature and purpose: hosting, storing, organising, retrieving, analysing, transmitting, securing and deleting Customer-controlled data to provide the service.
Categories of data subjects: Customer administrators, employees, contractors, club guests, loyalty users and support contacts.
Categories of data: the categories listed in Section 3, as configured or provided by the Customer.
Customer instructions: the Customer instructs Loot Arena to process Customer-controlled data to provide and support the service, comply with the Terms and follow lawful written instructions.
- Loot Arena will process Customer-controlled personal data only on documented Customer instructions unless required by law.
- Loot Arena will ensure that personnel authorised to process personal data are subject to confidentiality obligations.
- Loot Arena will implement reasonable security measures appropriate to the service and risk.
- Loot Arena may use subprocessors for hosting, infrastructure, analytics, email, support, security, payment and integration services. The Customer gives general authorisation for such subprocessors, provided they are bound by appropriate data protection obligations.
- Loot Arena remains responsible for subprocessors to the extent required by applicable law and its agreements with the Customer.
- Loot Arena will reasonably assist the Customer with data subject requests, security obligations, breach handling, deletion/export and data protection assessments, taking into account the nature of processing and information available to Loot Arena.
- Loot Arena will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer-controlled data, where legally required.
- At termination, Loot Arena will delete, anonymise or return Customer-controlled data according to the Terms, this Policy and legal retention requirements.
- Loot Arena will provide reasonable information needed to demonstrate compliance with this DPA. Audits must be reasonable, pre-agreed, confidential and limited to relevant systems, and may not compromise other customers, security or trade secrets.
16. Updates
We may update this Privacy Policy to reflect product, legal, operational, security or provider changes. The current version is published on this page.
Last updated: May 26, 2026.