1. Introduction & Scope
Gridexlabs LLC ("we," "us," or "our") is committed to protecting the privacy and personal data of all users of GridexLabs, a GPS-based massively multiplayer online game built on OpenStreetMap. This GDPR Compliance page explains how we adhere to the General Data Protection Regulation (EU) 2016/679 ("GDPR") and related data protection legislation.
This policy applies to all individuals located in the European Union (EU) and the European Economic Area (EEA) who access or use the GridexLabs application, website, and related services. If you are a resident of the EU/EEA, you are afforded specific rights under the GDPR regarding your personal data, and we are dedicated to honoring those rights.
GridexLabs involves real-time GPS-based gameplay, including territory conquest, venue exploration across 17 venue types, vehicle usage, in-game economy transactions, social interactions with nearby players, and access to over 50 API endpoints. Due to the nature of these features, we process various categories of personal data as described in this document.
By using GridexLabs, you acknowledge that you have read and understood this GDPR Compliance page. If you do not agree with our data processing practices, please discontinue use of the application.
2. Data Controller Information
The data controller responsible for the processing of your personal data is:
Company: Gridexlabs LLC
Email: info@gridexlabs.com
Role: Data Controller under Article 4(7) of the GDPR
As the data controller, Gridexlabs LLC determines the purposes and means of processing personal data collected through GridexLabs. We are responsible for ensuring that all data processing activities comply with the GDPR and applicable national data protection laws within the EU/EEA.
3. Legal Basis for Processing
Under the GDPR, we must have a valid legal basis for processing your personal data. We rely on the following legal bases depending on the specific processing activity:
Consent (Article 6(1)(a))
We obtain your explicit, informed, and freely given consent before processing data for purposes such as:
- Collecting and processing your GPS/location data for gameplay features including territory conquest, venue exploration, and 5km player proximity detection
- Sending you promotional communications, in-game notifications, and marketing materials
- Using cookies or similar tracking technologies on our website
- Processing any special categories of personal data, where applicable
Contract Performance (Article 6(1)(b))
Processing is necessary for the performance of the contract between you and Gridexlabs LLC when you use GridexLabs. This includes:
- Account creation and authentication via bcrypt-secured credentials
- Providing core gameplay features such as territory control, vehicle management across 10 vehicle types, shop interactions across 9 shop types, and inventory management of 70+ items
- Processing in-game economy transactions involving Cash, Gold, and Diamonds currencies
- Enabling social features including in-game messaging and player proximity detection within a 5km radius
- Maintaining gameplay state and progress through our API endpoints and Redis cache infrastructure
Legitimate Interests (Article 6(1)(f))
We may process personal data based on our legitimate interests, provided those interests are not overridden by your fundamental rights and freedoms. These interests include:
- Preventing fraud, cheating, and unauthorized access, and ensuring the security and integrity of GridexLabs
- Analyzing aggregated gameplay patterns and performance metrics to improve game balance and user experience
- Maintaining the stability, security, and performance of our servers and API infrastructure
- Enforcing our Terms of Service and community guidelines
Where we rely on legitimate interests, we conduct a balancing test to ensure our interests do not override your fundamental rights. You have the right to object to processing based on legitimate interests at any time.
4. Types of Data Processed
In the course of providing GridexLabs services, we collect and process the following categories of personal data:
Personal Identification Data
- Username, email address, and account credentials (passwords are hashed using bcrypt and never stored in plaintext)
- Profile information, including display name and avatar preferences
- Account registration date and account status
Location and GPS Data
- Real-time GPS coordinates used for positioning on the OpenStreetMap-based game world
- Location history related to territory conquest, venue visits across 17 venue types, and movement patterns
- Proximity data used for the 5km player detection and social interaction features
- Geographic regions and territories associated with your gameplay activity
Gameplay Data
- Territory ownership records and conquest history
- Vehicle ownership and usage data across 10 available vehicle types
- Inventory contents spanning 70+ item types and transaction logs
- In-game economy balances and transaction records for Cash, Gold, and Diamonds
- Shop interactions across 9 shop types, including purchases and sales
- Venue exploration records across 17 venue types
- Game progression, achievements, and statistics
Device and Technical Data
- Device type, operating system, and version
- IP address, browser type, and user agent string
- Session identifiers and data cached in Redis for performance optimization
- API request logs across 50+ endpoints, including timestamps and response codes
- Crash reports and diagnostic data for application stability
Communications Data
- In-game messages exchanged with other players through the messaging system
- Support correspondence and feedback submitted to Gridexlabs LLC
- Community interaction records related to social gameplay features
5. Your Rights Under GDPR
If you are located in the EU/EEA, the GDPR grants you the following rights regarding your personal data. We are committed to facilitating the exercise of these rights in a transparent and timely manner.
Right of Access (Article 15)
You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to request access to that data along with information about the purposes of processing, categories of data concerned, recipients, retention periods, and the source of the data.
Right to Rectification (Article 16)
You have the right to request the correction of inaccurate personal data and to have incomplete personal data completed. This includes updating your username, email address, profile information, or any other personal details we hold about you.
Right to Erasure (Article 17)
You have the right to request the deletion of your personal data ("right to be forgotten") when the data is no longer necessary for the purpose for which it was collected, you withdraw consent, you object to processing, the data was unlawfully processed, or erasure is required by law. This may include deletion of your GridexLabs account and all associated gameplay data, inventory, territory records, and transaction history.
Right to Restriction of Processing (Article 18)
You have the right to request restriction of processing of your personal data when you contest the accuracy of the data, the processing is unlawful but you oppose erasure, we no longer need the data but you need it for legal claims, or you have objected to processing pending verification of legitimate grounds.
Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format (such as JSON or CSV), and to transmit that data to another controller. This applies to data you have provided to us that is processed based on consent or contract performance through automated means.
Right to Object (Article 21)
You have the right to object at any time to the processing of your personal data based on legitimate interests or for direct marketing purposes. Upon receiving your objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you. Where automated decisions are made in the context of GridexLabs (such as anti-cheat detection systems or automated moderation), you have the right to obtain human intervention, express your point of view, and contest the decision.
6. How to Exercise Your Rights
To exercise any of the rights described above, please contact us using the following method:
Email: info@gridexlabs.com
Subject Line: GDPR Data Request - [Your Username]
When submitting a request, please provide sufficient information to verify your identity and specify which right(s) you wish to exercise. We may ask you to verify your identity before processing your request to protect your data from unauthorized access.
We will acknowledge receipt of your request within 7 days and provide a substantive response within 30 days of receiving your verified request. If the request is particularly complex or we receive a high volume of requests, we may extend this period by an additional 60 days, in which case we will inform you of the extension and the reasons for the delay within the initial 30-day period.
There is no fee for exercising your GDPR rights. However, if requests are manifestly unfounded or excessive (particularly if repetitive), we may charge a reasonable fee or refuse to act on the request, as permitted by Article 12(5) of the GDPR.
7. Data Protection Officer
Gridexlabs LLC takes data protection seriously and has designated a point of contact for all data protection matters. For any questions, concerns, or requests related to the processing of your personal data or this GDPR Compliance page, you may reach our data protection team at:
Data Protection Contact: Gridexlabs LLC Data Protection Team
Email: info@gridexlabs.com
Our data protection team is responsible for monitoring compliance with the GDPR and other applicable data protection laws, advising on data protection impact assessments, cooperating with supervisory authorities, and serving as the contact point for data subjects exercising their rights.
8. Consent Management
Where we rely on your consent as the legal basis for processing, we ensure that consent is obtained in accordance with GDPR requirements:
Giving Consent
- Consent is requested through clear, affirmative actions such as checking opt-in boxes, tapping confirmation buttons, or granting device-level permissions (e.g., location access)
- Before giving consent, you are provided with clear and specific information about what data will be collected, why it is needed, and how it will be used
- Consent is requested separately for each distinct processing purpose; for example, location data processing for gameplay is requested independently from marketing communications
- Consent is never bundled with acceptance of terms of service or other unrelated agreements
- We maintain records of when and how consent was obtained for accountability purposes
Withdrawing Consent
- You have the right to withdraw your consent at any time, and withdrawing consent is as easy as giving it
- To withdraw consent for location data processing, you may revoke location permissions through your device settings or within the GridexLabs application settings
- To withdraw consent for marketing communications, you may use the unsubscribe mechanism provided in each communication or contact us at info@gridexlabs.com
- To withdraw consent for other processing activities, contact us at info@gridexlabs.com specifying the consent you wish to withdraw
- Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal
Please note that withdrawing consent for certain processing activities (such as GPS location data) may limit or prevent your ability to use specific GridexLabs features that depend on that data, including territory conquest, venue exploration, and proximity-based social features.
9. Data Breach Notification
Gridexlabs LLC maintains robust security measures to protect your personal data, including bcrypt password hashing, secure API endpoints, and Redis-based session management. However, in the event of a personal data breach, we follow strict notification procedures in accordance with Articles 33 and 34 of the GDPR.
Notification to Supervisory Authorities
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. If notification is not made within 72 hours, we will provide reasons for the delay.
The notification to the supervisory authority will include:
- A description of the nature of the breach, including the categories and approximate number of data subjects and personal data records affected
- The name and contact details of our data protection contact
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach, including measures to mitigate any adverse effects
Notification to Data Subjects
Where a personal data breach is likely to result in a high risk to your rights and freedoms, we will communicate the breach to you without undue delay. This notification will be made in clear and plain language and will describe the nature of the breach, provide contact details for our data protection team, describe likely consequences, and outline the measures we have taken or propose to take.
Breach Documentation
We maintain an internal register of all personal data breaches, regardless of severity, including the facts of the breach, its effects, and the remedial actions taken. This documentation enables the supervisory authority to verify our compliance with breach notification obligations.
10. Cross-Border Data Transfers
GridexLabs is operated by Gridexlabs LLC, and your personal data may be transferred to, stored in, or processed in countries outside the European Union and the European Economic Area. We ensure that any such transfers comply with the requirements of Chapter V of the GDPR.
Safeguards for International Transfers
When transferring personal data outside the EU/EEA, we rely on one or more of the following safeguards:
- Adequacy Decisions: We may transfer data to countries that the European Commission has determined provide an adequate level of data protection under Article 45 of the GDPR
- Standard Contractual Clauses (SCCs): Where no adequacy decision exists, we use EU Commission-approved Standard Contractual Clauses under Article 46(2)(c) of the GDPR to ensure appropriate safeguards for your data
- Supplementary Measures: Where necessary, we implement additional technical and organizational measures to ensure that the level of protection required by the GDPR is maintained, including encryption in transit and at rest, access controls, and data minimization practices
We conduct transfer impact assessments to evaluate the legal framework and practices in the destination country, and we implement supplementary measures where our assessment identifies gaps in protection.
You may request information about the specific safeguards applied to the transfer of your personal data by contacting us at info@gridexlabs.com.
11. Data Retention Periods
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, in accordance with Article 5(1)(e) of the GDPR. The specific retention periods depend on the category of data and the purpose of processing:
- Account and Profile Data: Retained for the duration of your active account plus 30 days following account deletion to allow for account recovery
- Location and GPS Data: Real-time location data is processed transiently for gameplay purposes. Historical location data related to territory conquest and venue visits is retained for the duration of your active account
- Gameplay Data: Territory records, inventory, vehicle data, shop transactions, and in-game economy records (Cash, Gold, Diamonds) are retained for the duration of your active account
- Device and Technical Data: Server logs and API request logs are retained for up to 90 days for security and diagnostic purposes. Redis cache data is transient and expires according to configured time-to-live values
- Communications Data: In-game messages are retained for the duration of your active account. Support correspondence is retained for up to 2 years following resolution
- Consent Records: Records of consent are retained for the duration of the relevant processing activity plus 3 years to demonstrate compliance
When personal data is no longer required for its original purpose and no legal obligation mandates its retention, we will securely delete or anonymize the data. Anonymized data that can no longer identify you may be retained indefinitely for analytical and statistical purposes.
12. Complaints
If you believe that our processing of your personal data infringes the GDPR or applicable data protection laws, you have the right to lodge a complaint with a supervisory authority.
Supervisory Authority
You may lodge a complaint with the data protection supervisory authority in the EU/EEA member state of your habitual residence, place of work, or the place where the alleged infringement occurred. A list of EU/EEA data protection authorities and their contact details can be found on the European Data Protection Board (EDPB) website.
Resolution Process
Before filing a complaint with a supervisory authority, we encourage you to contact us first so that we can attempt to resolve your concern directly. Please reach out to us at info@gridexlabs.com with details of your complaint. We will investigate and respond to your concern within 30 days.
Filing a complaint with a supervisory authority does not affect your right to pursue other legal remedies, including judicial proceedings against the data controller or data processor.
13. Contact
If you have any questions, concerns, or requests regarding this GDPR Compliance page, our data processing practices, or the exercise of your data protection rights, please contact us:
Company: Gridexlabs LLC
Email: info@gridexlabs.com
Subject: GDPR Inquiry
We are committed to working with you to resolve any data protection concerns and to ensuring that your rights under the GDPR are fully respected. We aim to respond to all inquiries within 30 days of receipt.
This GDPR Compliance page may be updated from time to time to reflect changes in our data processing practices, legal requirements, or regulatory guidance. We will notify you of any material changes by posting the updated page with a revised "Last updated" date. We encourage you to review this page periodically.