At GhostKeys we take your privacy seriously. This Privacy Policy explains what personal data we collect about you, why we collect it, how we use and share it, how long we keep it, and the rights you have over your data under the EU General Data Protection Regulation (GDPR) and the Latvian Personal Data Processing Law.
1. Who we are
1.1. This Privacy Policy is issued by SIA RMPALACE, a private limited liability company registered under the laws of the Republic of Latvia ("GhostKeys", "we", "us", "our"). We operate the online store at ghostkeys.eu and related sub-domains, where we sell digital activation codes for games, gift cards and subscription services.
1.2. Our company details are:
1.2.1. Registered office: Valmieras 24, LV-3601 Ventspils, Latvia.
1.2.2. Registration number: 40203479043.
1.2.3. VAT identification number: LV40203479043.
1.2.4. Privacy contact email: privacy@ghostkeys.eu.
1.3. We are an authorised reseller of digital codes. We are not the developer, publisher or operator of the underlying games, services or platforms, and the relationship between you and those platforms is governed by their own privacy policies and terms of service.
2. Scope of this policy
2.1. This Privacy Policy applies to all individuals who access, browse or use our website, who register a user account, place an order, contact our support team, subscribe to marketing communications, leave a review or rating, or otherwise interact with us.
2.2. This Privacy Policy should be read together with our Terms and Conditions of Sale and our Cookies Policy.
2.3. Where you provide personal data about another individual (for example, when sending a gift card to a third party), you must ensure that the individual concerned is aware of this Privacy Policy and consents to the processing of their personal data as described here.
3. Data controller
3.1. In respect of personal data processed under this Privacy Policy, SIA RMPALACE acts as the "data controller" within the meaning of Article 4(7) GDPR. This means we determine the purposes and means of the processing of your personal data.
3.2. We have not appointed a designated Data Protection Officer (DPO), as our processing activities do not meet the threshold criteria of Article 37 GDPR (we do not engage in large-scale, systematic monitoring or large-scale processing of special-category data). All privacy enquiries are handled directly by the company at the contact details in section 20.
4. Personal data we collect
4.1. "Personal data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR. The categories of personal data we process depend on how you interact with our website:
4.2. Identity and contact data — your name, email address, billing address, country of residence, date of birth (where required for age-restricted Products), and any personal data you provide when contacting us. In limited circumstances (such as fraud investigation or large-value disputes), a copy of an identity document.
4.3. Account data — your username, profile picture (if any), language and currency preferences, wishlist items, order history visible in your account, and your communication preferences.
4.4. Financial data — information necessary to process payments. We do not store your full payment card number on our servers. Card details are handled directly by our PCI-DSS-compliant payment partners (PayPal and the supporting card networks). We may receive limited data such as the last four digits of the card, cardholder name, the payment authorisation reference, and the country of issuance, for fraud prevention, dispute handling and accounting.
4.5. Transaction data — details of orders you place, Codes purchased, Codes revealed (with timestamp), refunds issued, and any IG-style store credit balance.
4.6. Technical data — IP address, browser type and version, operating system, device type, time zone, language settings, and session identifier. This data is collected automatically when you interact with the website and is essential for delivering the service, preventing fraud and securing your account.
4.7. Usage data — information about how you use the website, such as the pages and Products you view, search queries, time spent on pages, click and scroll behaviour, and referral source. This data is aggregated where possible.
4.8. Marketing and communications data — your preferences for receiving marketing emails, your responses to surveys, and any reviews or ratings you submit.
4.9. Special-category data. We do not collect, and we ask that you do not provide, any special categories of personal data within the meaning of Article 9 GDPR (such as data revealing racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic or biometric data, health data, or data concerning sexual orientation), nor any data relating to criminal convictions and offences within the meaning of Article 10 GDPR.
4.10. Anonymous and aggregated data. We may derive aggregated or fully anonymised data from your personal data (for example, statistics on the share of users buying a particular type of Code). Such data is no longer personal data and is not subject to this Privacy Policy.
4.11. Where we are required to collect personal data by law or under our terms of sale (for example, billing data for tax invoicing), failure to provide that data may prevent us from accepting your order or delivering Codes to you. We will indicate clearly at the point of collection whether providing a particular field is mandatory or optional.
5. How we receive your data
5.1. Direct interactions. You provide most of your personal data to us directly when you create an account, place an order, contact our support team, leave a product review, fill in a form on our website, or respond to a survey or promotional offer.
5.2. Automated technologies. As you interact with our website, we automatically collect technical and usage data through cookies, server logs, and similar technologies. Further details are set out in section 10 and in our Cookies Policy.
5.3. Third-party sources. We may receive personal data about you from the following categories of third parties:
5.3.1. Payment service providers — confirmation of payment, last four digits of card, cardholder name and authorisation references from PayPal and the supporting card networks.
5.3.2. Publishers and platform operators — confirmation that a Code has been redeemed on the relevant platform, where the publisher provides such confirmation.
5.3.3. Analytics providers — aggregated technical and usage data from our analytics tooling (currently Vercel Analytics; see section 10).
5.3.4. Fraud prevention partners — risk-scoring and device-intelligence signals from our payment partners and fraud-prevention services.
5.3.5. Publicly available sources — for example, the Latvian Register of Enterprises or VIES, where you identify as a business and we need to verify your VAT number for reverse-charge invoicing.
6. Purposes and legal bases of processing
6.1. Under the GDPR, we may only process your personal data where we have a valid legal basis to do so. The table below sets out, for each processing purpose, the categories of data involved and the legal basis we rely on under Article 6(1) GDPR.
| Purpose | Data categories | Legal basis |
|---|---|---|
| Account creation and management. Letting you register, sign in, and manage your profile, preferences and saved items. | Identity & contact, Account | Performance of a contract — Art. 6(1)(b) GDPR |
| Order management and Code delivery. Processing your order, delivering Codes, issuing invoices, handling refunds and cancellations. | Identity & contact, Financial, Transaction | Performance of a contract — Art. 6(1)(b) GDPR |
| Tax and accounting compliance. Issuing tax invoices, retaining accounting records, complying with VAT obligations. | Identity & contact, Transaction, Financial | Legal obligation — Art. 6(1)(c) GDPR |
| Customer support. Responding to your queries, complaints and dispute resolution. | Identity & contact, Account, Transaction, Technical | Performance of a contract — Art. 6(1)(b) GDPR; and our legitimate interest in providing good service — Art. 6(1)(f) GDPR |
| Fraud prevention and risk assessment. Detecting suspicious orders, preventing payment fraud, identity theft and account takeover. | Identity & contact, Financial, Transaction, Technical | Legitimate interest in protecting our business and our customers from fraud — Art. 6(1)(f) GDPR |
| Information security. Protecting our systems against unauthorised access, abuse and attacks. | Technical, Account, Usage | Legitimate interest in operating a secure service — Art. 6(1)(f) GDPR |
| Service improvement and analytics. Measuring how our website is used so we can improve performance, content and usability. | Technical, Usage | Legitimate interest in improving our service — Art. 6(1)(f) GDPR; and your consent for non-essential cookies — Art. 6(1)(a) GDPR |
| Marketing emails (opt-in). Newsletters, product launches, promotions and recommendations. | Identity & contact, Marketing & communications | Your consent — Art. 6(1)(a) GDPR |
| Legal claims. Establishing, exercising or defending legal claims; complying with court orders. | All categories as relevant | Legal obligation — Art. 6(1)(c) GDPR; and our legitimate interest in defending our rights — Art. 6(1)(f) GDPR |
6.2. Where we rely on legitimate interests, we have carried out a balancing test to satisfy ourselves that our interest does not override your fundamental rights and freedoms. You may request information about that balancing test using the contact details in section 20.
7. How long we keep your data
7.1. We retain personal data only for as long as is necessary for the purposes described in section 6, or for any longer period required by Latvian or EU law. The default retention periods are set out in the table below.
| Processing | Retention period |
|---|---|
| Account data and personalisation | For the duration of the account; deleted within 30 days after account closure (subject to longer retention required by law for transaction records). |
| Order, payment and Code delivery records | Duration of the contractual relationship plus a further 5 years for the limitation period applicable under Latvian and EU law. |
| Accounting and tax records | 10 years from the end of the relevant financial year, in accordance with the Latvian Law on Accounting. |
| Customer support correspondence | Up to 3 years from the closure of the relevant ticket or thread, unless a longer period is necessary for legal claims. |
| Marketing emails (consent-based) | Until you withdraw consent or unsubscribe, and in any event no later than 3 years after your last interaction with us. |
| Website analytics and usage data | Aggregated where possible. Identifiable analytics data is retained for a maximum of 14 months. |
| Server, security and access logs | Up to 12 months, after which logs are deleted or fully anonymised. |
| Fraud-prevention case files | Up to 30 days by default; exceptionally up to 180 days where a documented risk assessment indicates that longer retention is necessary for the establishment, exercise or defence of legal claims. |
7.2. After expiry of the relevant retention period, your personal data is securely deleted or fully anonymised. Where deletion is technically infeasible (for example, in encrypted database backups), the data is isolated from active use and deleted at the next backup-rotation cycle.
8. Who has access to your data
8.1. We do not sell your personal data. We share it only with the categories of recipients listed below, and only to the extent necessary for the purposes set out in section 6.
8.2. Service providers (data processors) who act on our instructions under a written data-processing agreement that satisfies Article 28 GDPR. Our principal processors are:
8.2.1. Hosting and infrastructure — Vercel Inc. (United States) for the website front-end and Supabase Inc. (United States, EU region) for our database, file storage and authentication.
8.2.2. Payment processing — PayPal (Europe) S.à r.l. et Cie, S.C.A. (Luxembourg) and the supporting card-network acquirers.
8.2.3. Analytics — Vercel Analytics (United States), operated in a privacy-preserving mode that does not use cookies or persistent identifiers for cross-site tracking.
8.2.4. Transactional and marketing email — our chosen email-delivery provider, used to send order confirmations, Code-reveal receipts, and (where you have opted in) newsletters.
8.2.5. Fraud-prevention services — risk-scoring features provided by our payment partners.
8.3. Public authorities — including tax authorities, the Consumer Rights Protection Centre (Patērētāju tiesību aizsardzības centrs, PTAC), and the Latvian Data State Inspectorate (Datu valsts inspekcija), where required to do so by law.
8.4. Professional advisers — including our accountants, auditors and legal advisers, under obligations of confidentiality.
8.5. Acquirers and successors — in the event of a sale, merger, acquisition or restructuring of our business, your personal data may be transferred to the acquiring entity, which will be required to honour the commitments made in this Privacy Policy.
8.6. We do not authorise our processors to use your personal data for their own purposes, and we require them to process your data only on documented instructions from us and in accordance with the GDPR.
9. International transfers
9.1. As a Latvian-registered company, we process your personal data primarily within the European Economic Area (EEA). Some of our service providers, however, are established in the United States or have parent companies there (notably Vercel Inc. and Supabase Inc.).
9.2. Where a transfer of your personal data outside the EEA is necessary, we rely on one or more of the following safeguards under Chapter V GDPR:
9.2.1. an adequacy decision by the European Commission under Article 45 GDPR (where applicable, including the EU–US Data Privacy Framework where the recipient is certified);
9.2.2. Standard Contractual Clauses (SCCs) approved by the European Commission under Article 46(2)(c) GDPR, supplemented where necessary with additional technical and organisational measures (such as encryption in transit and at rest) following the EDPB's "Recommendations 01/2020".
9.3. You may request a copy of the safeguards that apply to a specific transfer using the contact details in section 20.
11. Marketing communications and consent
Marketing emails are sent only with your explicit prior consent. You can withdraw your consent and unsubscribe at any time using the link at the bottom of every marketing email, or by contacting us directly. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
11.1. We send marketing communications (such as newsletters, promotional offers and product launches) only where you have given us your prior, informed and specific consent under Article 6(1)(a) GDPR and the Latvian Information Society Services Law.
11.2. Transactional messages — such as order confirmations, Code-delivery emails, refund notifications, security alerts, and notices about changes to our terms — are necessary for the performance of your contract with us and are sent regardless of your marketing-consent status.
11.3. You can manage your communication preferences at any time in your account settings or by writing to us at privacy@ghostkeys.eu.
12. Security of your data
12.1. We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, in line with Article 32 GDPR. These measures include:
12.1.1. encryption of data in transit (TLS 1.2+ for all traffic);
12.1.2. encryption of sensitive data at rest in our database;
12.1.3. role-based access controls and the principle of least privilege for internal access to personal data;
12.1.4. logging and monitoring of administrative access;
12.1.5. regular review of our processors' security posture.
12.2. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Latvian Data State Inspectorate within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR, and we will inform you directly where the breach is likely to result in a high risk to you, in accordance with Article 34 GDPR.
12.3. You also have a role to play in keeping your data secure: please choose a strong password, do not share your account credentials, and notify us immediately at privacy@ghostkeys.eu if you suspect that your account has been compromised.
13. Children’s data
13.1. Our website is intended for adults. We do not knowingly collect personal data from individuals under the age of 18, in line with our Terms and Conditions of Sale.
13.2. If you believe that a person under 18 has provided personal data to us without the consent of a parent or legal guardian, please contact us at privacy@ghostkeys.eu and we will take steps to delete the relevant data without undue delay.
14. Your rights under the GDPR
14.1. Subject to the conditions and exceptions set out in the GDPR, you have the following rights in respect of your personal data:
14.1.1. Right of access (Article 15 GDPR) — to obtain confirmation of whether we process personal data about you, a copy of that data, and supplementary information about the processing.
14.1.2. Right to rectification (Article 16 GDPR) — to have inaccurate or incomplete personal data about you corrected without undue delay.
14.1.3. Right to erasure ("right to be forgotten", Article 17 GDPR) — to have your personal data deleted where it is no longer necessary for the purposes for which it was collected, where you withdraw consent on which the processing is based, or where the processing is otherwise unlawful.
14.1.4. Right to restriction of processing (Article 18 GDPR) — to have the processing of your personal data temporarily suspended in certain circumstances.
14.1.5. Right to data portability (Article 20 GDPR) — to receive personal data you have provided to us in a structured, commonly used, machine-readable format, and to have that data transmitted to another controller where technically feasible.
14.1.6. Right to object (Article 21 GDPR) — to object, on grounds relating to your particular situation, to processing carried out on the basis of our legitimate interests; and to object at any time, without giving reasons, to the processing of your personal data for direct-marketing purposes.
14.1.7. Right to withdraw consent (Article 7(3) GDPR) — where the processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
14.1.8. Rights in relation to automated decision-making (Article 22 GDPR) — we do not currently take any decisions concerning you that are based solely on automated processing and that produce legal effects or similarly significantly affect you. Where we introduce such processing in the future, we will inform you and provide appropriate safeguards, including the right to obtain human intervention.
15. How to exercise your rights
15.1. You can exercise any of the rights described in section 14 by writing to us at privacy@ghostkeys.eu, through our support page, or by post at the address in section 1.
15.2. We will respond to your request without undue delay and in any event within one (1) month of receiving it, in accordance with Article 12(3) GDPR. That period may be extended by a further two months where necessary, taking into account the complexity and number of requests; we will inform you of any such extension and its reasons.
15.3. Exercising your rights is free of charge. We may charge a reasonable fee, or refuse to act, where a request is manifestly unfounded or excessive (for example, repetitive requests), in accordance with Article 12(5) GDPR.
15.4. We may need to ask you for information to confirm your identity before acting on a request. This is to ensure that your personal data is not disclosed to anyone else.
16. Right to lodge a complaint
16.1. You have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, place of work or alleged infringement, in accordance with Article 77 GDPR.
16.2. Our lead supervisory authority is the Latvian Data State Inspectorate (Datu valsts inspekcija):
16.2.1. Address: Elijas iela 17, Rīga, LV-1050, Latvia.
16.2.2. Website: www.dvi.gov.lv.
16.2.3. Email: pasts@dvi.gov.lv.
16.3. We would, however, appreciate the opportunity to address your concerns directly before you contact the supervisory authority. Please contact us first using the details in section 20.
17. Third-party links
17.1. Our website may contain links to third-party websites, plug-ins or applications (for example, social-media buttons, publisher pages, or external help articles). Clicking on such links may allow third parties to collect or share data about you.
17.2. We do not control these third-party websites and are not responsible for their privacy practices. We encourage you to read the privacy policy of every external website you visit.
18. Keeping your data accurate
18.1. It is important that the personal data we hold about you is accurate and up to date. Please keep your account settings updated, and notify us using the contact details in section 20 if any of your personal data changes during your relationship with us.
19. Changes to this Privacy Policy
19.1. We may update this Privacy Policy from time to time, for example to reflect changes in law, in our processing activities, or in the third parties we work with. The effective date at the top of this page indicates when the policy was last updated.
19.2. Where the changes are material, we will notify registered Customers by email at least 14 days in advance of the change taking effect, and we will display a prominent notice on the website. Earlier versions of this Privacy Policy are available on request.
20. Contact us
20.1. For all privacy-related questions, requests and complaints, please contact us:
20.1.1. by email at privacy@ghostkeys.eu or, for general support, support@ghostkeys.eu;
20.1.2. through our support page;
20.1.3. by post to: SIA RMPALACE, Valmieras 24, LV-3601 Ventspils, Latvia.