Privacy Policy
Last updated: 8 June 2026
This policy describes how GameAwayhandles personal data. We try to keep it short and concrete — what we collect, why, who else touches it, how long we keep it, and what you can ask us to do about it. Words like “we”, “us” and “our” refer to the controller named below.
1. Who we are
GameAway is operated as a sole proprietorship (enskild firma) registered in Sweden, postal code 343 34. For everything in this policy — questions, data-subject requests, complaints — write to info@gameaway.io. We respond within 30 days, usually much sooner.
We act as the data controller for the personal data described here. The processors listed in section 4 act on our behalf under written agreements.
2. What we collect, why, and on what legal basis
2.1 Account and saved-trip data
If you create an account, we store the email address you sign up with and any trips you save (origin city, dates, the games and venues you selected). Legal basis: contract(Art. 6(1)(b) GDPR) — without it we can't deliver the account.
2.2 Contact-form submissions
When you write to us through the contact form, we receive your name, email, chosen topic, and message. We use it only to reply. Legal basis: legitimate interest (Art. 6(1)(f)) — answering a message you sent.
2.3 Email signups (when offered)
If you opt in to email updates we record your address and the timestamp of consent. Legal basis: consent (Art. 6(1)(a)). Every email we send includes an unsubscribe link and a machine-readable List-Unsubscribe header so you can opt out in one click.
2.4 Analytics and affiliate attribution (consent-gated)
We use PostHog (EU-hosted) to understand how the site is used, and Travelpayouts to attribute affiliate referrals when you click an affiliate link. These set cookies in your browser. We do notload either of them until you accept the cookie banner. If you decline, or your browser sends a “Do Not Track” signal, no analytics or attribution cookies are set. Legal basis: consent (Art. 6(1)(a) + ePrivacy Directive). You can change your choice anytime by clearing the ga_consent cookie or contacting us.
2.5 Security and abuse prevention
We rate-limit a handful of API endpoints (the contact form, signup, trip-share, and a nearby-places lookup) using a per-IP counter held briefly in a Redis cache. The store holds only a key like “contact:1.2.3.4” and a count for the duration of the rate-limit window (1 to 10 minutes), then it's evicted. Legal basis: legitimate interest in keeping the service available and not running up third-party costs.
3. Cookies and similar tech
- Essential — Supabase auth session cookies (so you stay signed in), our cookie-consent cookie (
ga_consent), standard CSRF/security protections. Set without consent because they're strictly necessary. - Analytics (consent) — PostHog identifier + session cookies. Set only after you accept the banner.
- Affiliate attribution (consent) — Travelpayouts cookies for credit attribution to GameAway when you book through a Klook link. Set only after you accept the banner.
If you accept and later change your mind: clear cookies for www.gameaway.io in your browser settings, or reset the consent cookie. PostHog will be torn down on the next page load; Travelpayouts has no JavaScript teardown hook, so any cookies it already set will remain until their expiry or you clear them manually.
4. Processors and third-party services
We share the minimum data each processor needs to do its job. None of them sell your data; all have signed Data Processing Agreements with us or operate under their published terms.
- Supabase (EU region) — auth + database for accounts, saved trips, contact-form submissions, signup records.
- Vercel (US/EU edge) — hosts the website and serves requests. Receives standard web-server data including IP address and user-agent on every request.
- PostHog (EU) — product analytics. Consent-gated.
- Travelpayouts — affiliate-attribution platform that routes Klook bookings and runs a tracking pixel. Consent-gated.
- Resend — transactional email (welcome, trip confirmation, contact reply). Receives the recipient address and message body for the email we send.
- Upstash (Redis cache) — short-lived rate-limit counters keyed by IP for the four protected endpoints (section 2.5).
- Mapbox — interactive map tiles and geocoding on venue and event pages. Receives your IP and viewport when a map is rendered.
- OpenStreetMap — alternate map-tile provider on a subset of pages. Receives your IP when a map is rendered.
- Google Places— fetches nearby restaurants/bars for some venue pages. The query string (e.g. “coffee near Wrigley Field”) plus your IP reach Google when you load the result.
- Affiliate networks we link out to — SeatGeek (tickets), Klook (hotels/experiences/cars, via Travelpayouts), ParkWhiz (parking). Clicking one takes you to their site, where their own privacy policy applies.
We may add other affiliate networks (for example Booking.com or Discover Cars) in future; if we do, we'll update this list.
5. International transfers
We prefer EU-hosted services where possible (Supabase EU, PostHog EU). Some processors are based outside the EEA (notably Vercel, Resend, Mapbox, Google, SeatGeek, Klook, ParkWhiz). When data is transferred outside the EEA we rely on the safeguards offered by each provider — typically Standard Contractual Clauses and equivalent technical measures.
6. Retention
- Account + saved trips — kept until you delete your account or ask us to delete them.
- Analytics events (PostHog) — ~14 months, then aggregated or deleted.
- Contact-form submissions — up to 24 months for follow-up reference, then deleted.
- Security / rate-limit logs— Upstash counters expire on a 1- to 10-minute window; Vercel access logs retained up to 90 days per Vercel's defaults.
- Email sender logs (Resend)— delivery metadata per Resend's defaults (typically a few months).
7. Your rights
Under the GDPR you have the right to:
- access the personal data we hold about you;
- have inaccurate data corrected;
- have your data erased (the “right to be forgotten”), including full account deletion;
- receive a portable copy of the data you gave us;
- object to processing based on legitimate interest, and withdraw consent at any time (this doesn't affect the lawfulness of processing before withdrawal);
- complain to the Swedish data-protection authority Integritetsskyddsmyndigheten (IMY).
To exercise any of these, email info@gameaway.iofrom the address tied to your account (or include enough information for us to identify it). We don't charge a fee. We aim to confirm receipt within a few days and complete most requests within 30 days; complex requests may take up to 90 days, and we'll tell you if so.
8. Affiliate disclosure
Many of the “Find tickets / hotels / experiences / parking” links on the site are affiliate links. If you book or buy through them, GameAway earns a commission from the partner — at no extra cost to you and with no effect on the price you pay. We never recommend a partner because they pay better; we recommend the one that actually covers the venue or city in question.
9. Children
GameAway is not directed at children under 13. If you believe a child has provided personal data to us, contact info@gameaway.ioand we'll delete it.
10. Changes to this policy
We'll update the “last updated” date at the top when we change anything material. Significant changes — new processors, new categories of data — will get a clearer notice on the site.
Questions? Contact us or write directly to info@gameaway.io.