In short: This DPA describes the roles, responsibilities, and safeguards that apply when personal data is processed in connection with Royal Flush Poker, and supplements our Privacy Policy.
1. Scope and Roles
This DPA forms part of and is governed by the agreement between Galadriel Labs and you or your organization ("Counterparty") regarding the Royal Flush Poker application (the "App"). It applies to the processing of personal data subject to applicable data protection laws, including the EU/UK GDPR where relevant. The parties acknowledge that, for most end-user data, Galadriel Labs acts as a controller, and that third-party providers may act as independent controllers or processors as described below.
2. Definitions
"Personal Data", "Processing", "Controller", "Processor", and "Data Subject" have the meanings given in applicable data protection law. "Sub-processor" means any third party engaged to process Personal Data.
3. Nature and Purpose of Processing
- Subject matter: provision and operation of the App.
- Duration: for the period the App is used, plus any legally required retention period.
- Categories of data subjects: end users of the App.
- Categories of personal data: profile identifiers (display name, avatar), gameplay progress, purchase entitlements, advertising identifiers (where ads are enabled), and support correspondence.
4. Obligations
- Process Personal Data only for the documented purposes described in the Privacy Policy and this DPA;
- Implement appropriate technical and organizational security measures;
- Ensure personnel are bound by appropriate confidentiality obligations;
- Assist, to the extent reasonable, with data subject requests and required impact assessments.
5. Sub-processors
The App relies on the following third parties, who process data under their own terms and safeguards:
- Google LLC — Play Services, Play Games Services (cloud save), and Play Billing (purchases).
- Google AdMob — optional rewarded advertising.
We will maintain a current list of sub-processors and provide reasonable notice of material changes.
6. International Transfers
Where Personal Data is transferred outside its country of origin, such transfers rely on the safeguards offered by the relevant providers (for example, Standard Contractual Clauses) and applicable legal mechanisms.
7. Data Subject Rights
We will provide reasonable assistance to enable responses to data subject requests to access, correct, delete, or port Personal Data. End users can exercise deletion rights via our Account & Data Deletion page.
8. Security Incidents
We will take reasonable steps to detect and respond to personal data breaches and to provide notice where required by applicable law and without undue delay.
9. Deletion and Return of Data
Upon request or upon termination, Personal Data will be deleted or returned in accordance with the Privacy Policy and applicable law, except where retention is required by law.
10. Governing Law
This DPA is governed by the laws of New York. For questions, contact contact@royalflushpoker.app.