Privacy Policy

Loot Arena Platform — Personal Data Processing Policy

https://lootarena.ru/legal/privacy-en


1. General Provisions

1.1. This Privacy Policy defines the procedures and conditions for processing personal data when using the Loot Arena platform (hereinafter — the Platform), including the LootArena mobile application for iOS and Android (hereinafter — the Application).

1.2. This Policy is developed in accordance with applicable data protection legislation, including the General Data Protection Regulation (GDPR) for users in the European Union.

1.3. This Policy is an integral part of the Service Agreement.

2. Data Controller

Individual Entrepreneur Karpushev Nikita Sergeevich

OGRNIP: 318352500068775 • INN: 352201555447

Email: support@lootarena.ru

2.2. Depending on the nature of processing, the Data Controller may act:

  • as an independent data controller;
  • as a data processor acting on behalf of a Client.

3. Roles in Data Processing

3.1. With respect to Client representatives (legal entities and individual entrepreneurs), the Controller acts as an independent data controller.

3.2. With respect to User data (individuals — club visitors):

3.2.1. As a data processor on behalf of the Client — for data related to: mission execution and game mechanics; bonus accrual; visit and activity tracking; analytics provision to the Client; User interaction with a specific club. The Client in this case is the data controller and bears responsibility for lawful processing grounds.

3.2.2. As an independent data controller — for data related to: ensuring Platform functionality; information security; fraud prevention; aggregated analytics; feature development and testing; anonymized statistics; legal compliance.

4. Categories of Data Processed

4.1. Client Data (independent controller): representative's full name; organization/IE name; tax identification numbers; contact phone; email; electronic document management data; payment details; technical access data (IP, logs).

4.2. User Data: Telegram ID (user_id); name, nickname, username; phone number (if provided); visit, mission, bonus, and purchase data; technical data (IP, device, OS); age verification status (if provided by the Client or integrations).

4.3. Mobile Application User Data (additionally):

  • email address — for authentication via one-time code (OTP);
  • geolocation — for automatic check-in (requested with User permission);
  • camera access — for QR code scanning (requested with User permission);
  • device push token — for sending push notifications (requested with User permission);
  • device fingerprint — for the anti-fraud system.

4.4. The Controller does not process special categories of data (biometric, medical, etc.).

4a. Mobile Application Authentication

Authentication in the mobile application is performed via email and a one-time code (OTP), as well as through Sign in with Apple (for iOS). When using Sign in with Apple, data provided by Apple is processed in accordance with their privacy policy.

5. Purposes of Processing

5.1. Clients: contract execution; accounting and tax reporting; document management; technical support; information security.

5.2. Users (depending on the role): ensuring Platform operation; identification; mission execution and bonus accrual; activity analytics; fraud prevention; feature development; aggregated statistics.

6. Legal Basis for Processing

6.1. Client data processing is based on contract performance and applicable legal requirements.

6.2. User data processing: when carried out on behalf of the Client, based on grounds provided by the Client; for independent purposes, based on contract performance, applicable law, and the legitimate interests of the Controller.

6.3. For users in the European Union, processing is based on: consent (Article 6(1)(a) GDPR); contract performance (Article 6(1)(b) GDPR); legitimate interests (Article 6(1)(f) GDPR).

7. Processing Conditions and Security Measures

7.1. Processing is carried out using automated means.

7.2. The Controller implements appropriate legal, organizational, and technical security measures.

7.3. Access to data is restricted to authorized personnel only.

7.4. The Controller may engage technical subcontractors (including hosting providers) in compliance with applicable data protection laws.

8. Data Storage and Protection

Your Data is Protected

8.1. Personal data is processed and stored with modern organizational and technical security measures.

8.2. The Controller ensures an adequate level of data protection during storage and transfer, including when using cloud providers.

8.3. Data transfer to third parties is carried out only in cases provided by law or this Policy, with an adequate level of protection ensured.

9. Data Retention and Deletion

9.1. Client data is retained for the duration of the contract and for periods required by applicable law.

9.2. User data is processed for the duration of the Client's Subscription.

9.3. In case of suspension due to non-payment, data is stored for 30 calendar days, after which it may be deleted without recovery.

9.4. The Controller may store anonymized and aggregated data indefinitely for analytics and Platform development purposes.

10. Rights of Data Subjects

Data subjects have the right to: access information about processing; request correction, restriction, or deletion of data; withdraw consent (if applicable); lodge a complaint with the relevant data protection authority.

For EU residents, additional rights under GDPR include: the right to data portability; the right to object to processing; the right not to be subject to automated decision-making.

Requests should be sent to: support@lootarena.ru

10a. Account and Data Deletion

10a.1. Users can delete their account and all associated personal data directly in the mobile application via "Profile" → "Delete Account".

10a.2. Deletion is completed within 30 days of the request.

10a.3. Data that must be retained by law (accounting records, etc.) will be kept in anonymized form until the expiration of the required retention period.

10a.4. Users may also submit a data deletion request at: support@lootarena.ru

11. Analytics and Cookies

11.1. The Platform uses analytics services (Yandex.Metrica) for collecting anonymized usage statistics.

11.2. Cookies and similar technologies may be used for the proper functioning of the Platform.

11.3. Users can disable cookies in their browser settings, though this may affect certain Platform features.

12. Changes to This Policy

12.1. The Controller reserves the right to modify this Policy.

12.2. The current version is available at: https://lootarena.ru/legal/privacy-en

Publication date: March 14, 2026
Document version: 2.0

Loot Arena: a marketing CRM for computer clubs