Privacy Policy

The protection of your personal data is an important concern for us at Loot4All. In this privacy policy, we provide comprehensive information about the processing of personal data on our giveaway platform "Loot4All" ( https://loot4all.org ). We process your data exclusively based on legal regulations, particularly the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG).

Table of contents

1. Definitions

In this privacy policy, we use certain terms that are defined in the sense of the GDPR. To avoid misunderstandings, we explain some of these terms here:

  • Personal Data: All information relating to an identified or identifiable natural person (e.g., name, email address, IP address).
  • Processing: Any operation related to personal data, such as collecting, storing, transmitting, or deleting.
  • Controller: The natural or legal person who decides on the purposes and means of processing personal data.
  • Consent: A voluntary, informed, and unequivocal expression of will by which the data subject declares their agreement to the processing of their personal data.
  • Third Countries: Countries outside the European Economic Area (EEA) where there may not be an equivalent level of data protection as in the EU.
  • IP Address: A unique address assigned to a device on the internet that allows it to be identified and communicated with.
  • Cookies: Small text files stored by a website on a user's device that may contain information about their use of the website.
  • Content Delivery Network (CDN): A network of servers used to quickly deliver content to users worldwide. In our case, Cloudflare is used as a CDN.
  • Logfiles: Files in which activities on a server are logged. These files contain information such as IP addresses, access times, and visited pages.
  • Social Media Accounts: User accounts on social networks like X (formerly Twitter), Instagram, or Discord that can be used for registration or participation in giveaways.

2. Controller

The controller for data processing on this website in terms of the GDPR is:

Lucas Dittmann
Straße der Einheit 18
04567 Kitzscher
Germany

Contact Person: Lucas Dittmann
Email: [email protected]

The controller decides on the purposes and means of processing your personal data. If you have any questions or concerns regarding data protection, you can contact the above-mentioned contact person at any time.

3. Collected Data and Purpose of Processing

3.1 Registration and Account Creation

To participate in giveaways on our platform, registration is required. During this process, we collect the following personal data:

  • Username: This is used to identify your account and is not publicly displayed on our platform.
  • Email Address: This is used to send you important information about your account, such as confirmation emails or notifications about giveaways.

The processing of this data is carried out to fulfill the usage contract between you and Loot4All in accordance with Article 6(1)(b) of the GDPR.

IP Address: Your IP address is not stored by our system but is temporarily recorded in the log files of our web server. This storage is for security reasons and to detect cases of misuse (legitimate interest according to Article 6(1)(f) of the GDPR). However, if you register via a third-party provider (e.g., social media platforms), your IP address will be forwarded to the respective provider.

3.2 Processing of Server Log Files

Our website collects a range of general data and information with each access by users or automated systems:

  • Browser type and version
  • Operating system of the accessing system
  • Referrer URL
  • Date and time of access
  • IP address
  • Internet service provider of the accessing system

This information is needed to provide necessary information to law enforcement authorities in the event of a cyber attack.

The anonymized log file data is stored separately from any personal data provided by an affected person and serves to protect against misuse and ensure an optimal level of protection for the processed personal data.

3.3 Use of Social Media for Registration

In addition to traditional email registration, we also offer you the option to register with Loot4All via social media platforms. In this process, you will be redirected to the respective platform where you can log in with your credentials. We support the following social media platforms:

When you register via one of these social media platforms, we receive certain information from the respective provider such as your username or email address. The processing of this data is based on your consent according to Article 6(1)(a) of the GDPR.

Automatic Linking of Social Media Account: When you register via a social media platform, your social media account is automatically linked to your Loot4All account. This linking allows you to participate in certain giveaways later and fulfill participation conditions (e.g., by following a social media account). The linking can only be removed by request via support ticket or email.

3.4 Linking Social Media Accounts

You have the option to link your Loot4All account with your social media accounts (X (formerly Twitter), Discord, Twitch, and Steam). This linking is intended to fulfill certain participation conditions in giveaways (e.g., following an account or liking a post).

The linking can only be removed by request via support ticket or email. This serves to protect against manipulation through multiple account creations and multiple entries in giveaways (legitimate interest according to Article 6(1)(f) GDPR).

3.5 Data Exchange from Social Media Accounts without Direct Linking

For certain participation conditions related to social media platforms like Instagram, TikTok, or Google (YouTube), it is not necessary to directly link your social media account with your Loot4All account. Instead, you are simply redirected to the respective website where you perform actions such as following an account or liking a post—without a direct link between your Loot4All account and the respective social media account. During this process, certain information such as your IP address may be transmitted to the respective platform (Article 6(1)(a) GDPR), as this transmission occurs within the scope of your voluntary access to these websites. Affected social media platforms include Instagram, TikTok, and Google (YouTube).

3.6 Support Ticket System

We offer a support ticket system to assist you as quickly as possible with questions or issues and to manually distribute prizes if necessary (e.g., when automatic prize distribution is not possible).

In this process, we process the following data:

  • Your name or username
  • Your email address
  • The content of your inquiry
  • Your uploaded files

The processing of this data is carried out to fulfill the contract in accordance with Article 6(1)(b) GDPR.

Once a support ticket reaches the status "closed," it is automatically deleted with all its content (messages and files) after a period of 30 days.

3.7 Participation in Giveaways

To participate in our giveaways and collect "entries" (i.e., tickets for the giveaway), you must fulfill certain participation conditions. These conditions may include the following actions:

  • Following one or more social media accounts (e.g., X, Instagram, TikTok)
  • Liking posts (e.g., X, Instagram, TikTok)
  • Reposting posts (e.g., X, TikTok)
  • Commenting on posts (e.g., X, Instagram, TikTok)
  • Joining one or more Discord servers (e.g., Discord)
  • Adding games to your wishlist or library (e.g., Steam)
  • Following a game for updates (e.g., Steam)
  • Following a curator (e.g., Steam)
  • Joining a group (e.g., Steam)
  • Visiting websites
  • Subscribing to our newsletters (more information under " 3.8 Newsletter ")

Participation conditions vary depending on the giveaway and are transparently displayed on our platform.

The processing of your personal data within the framework of participating in giveaways is based on your consent according to Article 6(1)(a) GDPR.

3.8 Newsletter

If you wish to subscribe to our newsletter, we require your email address and your explicit consent for sending the newsletter according to Article 6(1)(a) GDPR. The newsletter is sent exclusively based on your consent, which you give us through the registration process. Your email address is used solely for sending the newsletter and is not shared with third parties.

As part of the registration process, we use the double opt-in procedure. This means that after signing up, you receive a confirmation email asking you to confirm your registration. Only after this confirmation will your email address be added to the mailing list. This ensures that no one can unauthorizedly register your email address for the newsletter. Unconfirmed registrations are automatically deleted after 60 days to ensure no unnecessary data is stored.

You can unsubscribe from the newsletter at any time—either by clicking on the corresponding link in each newsletter email or by sending us an email message. After unsubscribing, your email address will be removed from the mailing list and will no longer be used for sending newsletters. Your data will be stored as long as you are subscribed to the newsletter. Once you unsubscribe, we will promptly delete your data unless there are statutory retention obligations.

3.9 Newsletter Tracking

In addition, we use tracking technologies within our newsletter to analyze the usage and effectiveness of our newsletters. This is done through so-called tracking pixels or similar technologies embedded in the sent emails. These technologies allow us to determine if and when an email was opened and which links in the email were clicked.

The data collected through tracking includes:

  • Time of opening the email
  • IP address of the device that opened the email
  • Clicks on links contained in the email

This information helps us tailor our content better to your interests and improve the relevance of our newsletters. The processing of this data is based on your consent according to Article 6(1)(a) GDPR.

If you do not agree to newsletter tracking, you can prevent it by unsubscribing from the newsletter. This can be done either by clicking on the corresponding link in each newsletter email or by sending us an email.

4. Use of Cloudflare as CDN and Captcha

To enhance the security and performance of our website, we use the Content Delivery Network (CDN) and Captcha from Cloudflare Inc., 101 Townsend St., San Francisco, CA 94107 USA (Article 6(1)(f) GDPR). Cloudflare temporarily stores your IP address in so-called log files to detect attacks and misuse attempts and to ensure fast delivery of our content worldwide. The use of Cloudflare is based on our legitimate interest in securely providing our services.

Purpose of data processing:

  • Ensuring fast delivery of the website (Article 6(1)(f) GDPR).
  • Protection against DDoS attacks (Distributed Denial of Service) and other cyberattacks (Article 6(1)(f) GDPR).
  • Optimization of load times through load distribution (Article 6(1)(f) GDPR).

Type and scope of processed data:

  • Your IP address is temporarily stored to determine the nearest server for content delivery.
  • Information about your browser type, operating system, referrer URL (the previously visited page), date and time of access, and other technical information is recorded in so-called log files (Article 6(1)(f) GDPR).

Storage duration:

  • Cloudflare generally stores your IP address for short periods, usually less than 24 hours.
  • In exceptional cases, such as security alerts or attacks on the system, Cloudflare may store this data for up to 7 days.

For more information, please refer to Cloudflare's privacy policy.

4.1 Captcha System

Additionally, we use Cloudflare's invisible captcha system (Turnstile) to ensure that our website visitors are real humans and not automated bots (Article 6(1)(f) GDPR). This system checks various signals in the background, such as mouse movements or time spent on the page, without requiring users to actively solve a captcha.

Purpose of data processing:

  • Protection against automated attacks (e.g., by bots) (Article 6(1)(f) GDPR).
  • Ensuring smooth use of our website by real users (Article 6(1)(f) GDPR).

Type and scope of processed data:

  • Cloudflare Turnstile collects personal data such as IP address, user agent (information about the used browser), browser characteristics, as well as technical information like mouse movements or time spent on the page (Article 6(1)(f) GDPR).
  • For users with Apple devices, Turnstile can validate the device using Private Access Tokens without collecting personal data like IP addresses (Article 6(1)(f) GDPR).

Storage duration:

  • The collected data is deleted within 24 hours in most cases.
  • In exceptional cases, such as when security alerts are triggered, Cloudflare may store the data for up to 7 days.

For more information, please refer to Cloudflare's privacy policy.

5. Cookies

Our website uses only technically necessary cookies to provide basic functions, such as storing your session while using our platform. These cookies are essential for the operation of the website and are therefore set without your explicit consent (Article 6(1)(f) GDPR). We do not use analytics or tracking cookies.

5.1 Technically Necessary Cookies

These cookies are required to ensure the basic functions of the website. These include:

  • Session Cookies: These store temporary information, such as your session while using our platform, and are automatically deleted after 14 days.
  • Cloudflare Captcha Cookies: As part of Cloudflare's captcha system (Turnstile), cookies are set to ensure that our users are real humans and not automated bots. These cookies include:
    • cf_clearance: Stores proof that the captcha challenge has been passed.
    • __cf_bm: Used to identify and counteract automated traffic (bots).

The use of these cookies is based on our legitimate interest in securely and smoothly providing our services (Article 6(1)(f) GDPR).

5.2 Storage Duration

  • Session cookies are stored for a period of 14 days and then automatically deleted.
  • Cloudflare captcha cookies are generally stored for a short period to ensure you do not have to repeatedly undergo a challenge.

5.3 Storage Duration

Since only technically necessary cookies are used, no additional consent is required. However, you can disable or delete the storage of cookies through your browser settings. Please note that this may affect the functionality of the website.

6. Disclosure of Data to Third Parties

Your personal data will only be disclosed to third parties under specific circumstances, ensuring compliance with data protection regulations:

  • Contract Fulfillment: We may share your data with third parties when it is necessary to fulfill contractual obligations, such as with service providers who assist in delivering our services.
  • Consent: If you have explicitly consented to the sharing of your data, we will disclose it accordingly. This includes instances where you register via social media platforms or participate in certain activities that require data sharing (see Section 8: Social Media Integration).
  • Legal Requirements: We may also disclose your personal data if required by law or to protect the rights, property, or safety of our company, our users, or others.

For example, if you choose to log in through a social media account, we may share certain information with the social media provider to facilitate this process. In all cases, we ensure that any third parties receiving your data are obligated to handle it in accordance with applicable data protection laws and only for the purposes specified by us.

7. Statistics

For statistical purposes, we collect and store the following general user data:

  • Country Code (determined via IP address using the locally hosted GeoLite2 database)
  • Access Time (date and time)
  • Browser Information: Browser type, operating system, device type

When is this Data Collected?

  • When participating in a giveaway (fulfillment of any first participation condition) – the unique ID of the competition is saved. This ID is general and not user-specific.
  • When any condition of participation is fulfilled, both the unique ID of the promotion and the unique ID of the condition of participation are stored. These IDs are also general and not user-specific.

GeoLite2 Database

The GeoLite2 ( https://www.maxmind.com/en/home ) database is used to determine the user's country code based on their IP address. It is a widely used tool for geolocation services that helps us understand where our users are accessing our services from without identifying individual users.

The GeoLite2 database is provided by MaxMind and is used under their license. It is important to note that all rights related to this database are owned by MaxMind. For more information on their licensing terms and conditions, please refer to MaxMind's official documentation.

This data collection helps us analyze user behavior and improve our services while ensuring compliance with privacy regulations.

8. Storage Duration

We store your personal data only as long as it is necessary to fulfill the respective purpose or as legally required:

  • Support Tickets: Are automatically deleted with all contents (messages, files) 30 days after they reach the status "closed."
  • Giveaways: After a giveaway ends, the associated data is stored for up to an additional 60 days and then deleted.
  • Newsletter Data: These are stored until you withdraw your consent.

9. Rights of Data Subjects

As a data subject, you have the following rights regarding your personal data:

  • Right of Access: You have the right to know what personal data we process about you (Article 15 GDPR).
  • Right to Rectification: You can request the correction of inaccurate or incomplete data (Article 16 GDPR).
  • Right to Erasure ("Right to be Forgotten"): Under certain conditions, you have the right to have your stored personal data deleted (Article 17 GDPR).
  • Right to Restriction of Processing: You can request the restriction of processing your personal data under certain conditions (Article 18 GDPR).
  • Right to Object: You have the right to object to the processing of your personal data (Article 21 GDPR).
  • Right to Withdraw Consent: If the processing of your personal data is based on consent, you can withdraw this consent at any time with effect for the future (Article 7(3) GDPR).

To exercise these rights, you can contact us at [email protected] .

10. Data Security

We place great importance on protecting your personal data and employ a variety of technical and organizational measures to safeguard it from unauthorized access, loss, or manipulation. These measures include, for example, encryption of data transmissions via SSL/TLS, regular updates of our security protocols, and the use of firewalls and other protective mechanisms to secure our systems against external attacks. Our security precautions are continuously reviewed and adapted to the current state of technology to ensure the highest possible level of protection.

11. Transfer to Third Countries

In certain cases, it may be necessary to transfer personal data to service providers or partner companies outside the European Economic Area (EEA). These third countries may not offer an equivalent level of data protection as the European Union. To ensure an adequate level of protection for your data, such transfers only occur under appropriate safeguards in accordance with Article 46 GDPR.

11.1 Affected Third Countries and Providers

Service providers to whom data may be transferred include, in particular:

  • Cloudflare Inc. (USA): Cloudflare is used as a Content Delivery Network (CDN) and captcha provider to ensure the performance and security of our platform.
  • Social Media Platforms: During registration or participation in giveaways, personal data may be transferred to platforms such as X (formerly Twitter), Discord, Twitch, Steam, TikTok, or Google (YouTube).

11.2 Additional Protective Measures

In addition to contractual arrangements, we implement technical and organizational measures to protect your data during transfers to third countries. These include:

  • Encryption of data transmission,
  • Minimization of transmitted data to what is necessary,
  • Regular security audits of our service providers.

11.3 Risks in Data Transfer

Despite these measures, there is a risk that local authorities in third countries may access your personal data without notifying you or allowing you legal recourse. However, we strive to minimize these risks by selecting trusted partners and implementing robust security measures.

12. Right to Lodge a Complaint with a Supervisory Authority

If you believe that the processing of your personal data violates the provisions of the General Data Protection Regulation (GDPR), you have the right to lodge a complaint with a competent supervisory authority in accordance with Article 77 GDPR. This right exists independently of other administrative or judicial remedies and can be exercised particularly if you believe that your rights related to the protection of your personal data have been violated.

13. Overview of Third-Party Providers and Their Privacy Policies

Below is an overview of all third-party providers whose services are used on our platform, along with the corresponding links to their privacy policies. These third-party providers process personal data according to their own privacy policies:

14. Changes to This Privacy Policy

We reserve the right to modify or update this privacy policy—for example, in response to changes in legal requirements or technical developments on our platform.

This privacy policy was last updated on December 1, 2024.