Data Processing Addendum
Data Processing & Subprocessor Disclosure
Last updated: January 24, 2026
1. Overview
This Data Processing Addendum ("DPA") supplements the Privacy Policy and describes how GlitchRealm processes personal data, the role of subprocessors, and compliance with data protection laws (GDPR, CCPA, PIPEDA).
This DPA applies to all users of GlitchRealm and is part of our commitment to transparency and data security.
2. Data Controller vs. Data Processor
For the purposes of data protection laws:
- GlitchRealm is the Data Controller: We determine the purposes and means of processing your personal data (authentication, playtime tracking, game submissions, community features)
- Subprocessors are Data Processors: Third-party services (Firebase, Supabase, Netlify) process data on our behalf under contract
3. Subprocessors
GlitchRealm uses the following third-party subprocessors to provide services:
| Subprocessor | Purpose | Data Location | Privacy Policy |
|---|---|---|---|
| Firebase (Google) | Authentication, Firestore database, Analytics, Cloud Functions, Hosting | Global (multi-region) | Firebase Privacy |
| Supabase | Image storage (game covers, avatars) | Global (CDN) | Supabase Privacy |
| Netlify | Web hosting, CDN, serverless functions | Global (CDN) | Netlify Privacy |
| Google Fonts | Web font delivery | Global (CDN) | Google Fonts Privacy |
| jsDelivr CDN | Library and asset delivery | Global (CDN) | jsDelivr Privacy |
All subprocessors are contractually bound to comply with GDPR, CCPA, and other applicable data protection laws.
4. Data Processing Activities
GlitchRealm processes the following categories of personal data:
Authentication Data
- Email address, display name, profile photo (via Firebase Auth)
- OAuth provider information (Google, Microsoft, GitHub, etc.)
- User ID (Firebase UID)
Usage Data
- Playtime tracking (game ID, session duration, timestamps)
- Page views, clicks, navigation paths (Firebase Analytics, Google Analytics)
- Device information (browser type, OS, screen resolution, IP address)
User-Generated Content
- Game submissions (title, description, screenshots, cover images, metadata)
- Reviews, ratings, comments, community posts
- Avatar images (Supabase storage)
Technical Data
- Cookies, local storage, session storage (authentication tokens, preferences)
- Error logs, crash reports, diagnostic data
5. Legal Basis for Processing
GlitchRealm processes personal data under the following legal bases (GDPR Article 6):
- Consent: You provide consent by creating an account and using the platform (withdrawable at any time)
- Contract Performance: Processing is necessary to provide the gaming platform, authentication, and community features
- Legitimate Interests: Analytics, security, fraud prevention, and service improvement (balanced against user privacy rights)
- Legal Obligations: Compliance with DMCA, copyright laws, and data protection regulations
6. Data Retention
GlitchRealm retains personal data as follows:
- Authentication Data: Retained until account deletion (or 3 years of inactivity)
- Playtime Data: Retained indefinitely for leaderboards and statistics (anonymized after account deletion)
- Game Submissions: Retained as long as the game is published (deleted upon removal request)
- Analytics Data: Aggregated and retained up to 26 months (Google Analytics default)
- Logs and Error Data: Retained for 90 days for debugging and security
Users may request early deletion by contacting privacy@glitchrealm.ca.
7. Data Security Measures
GlitchRealm implements industry-standard security measures:
- HTTPS encryption for all data transmission (TLS 1.2+)
- Firebase Authentication with OAuth 2.0 and OpenID Connect
- Firestore security rules restricting unauthorized data access
- Regular security audits and vulnerability scanning
- Supabase Row Level Security (RLS) for image storage
- Access logs and monitoring for suspicious activity
8. International Data Transfers
GlitchRealm and its subprocessors may transfer personal data internationally:
- Firebase: Data stored in Google Cloud Platform regions (multi-region, including US and EU)
- Supabase: Data stored in AWS regions (configurable; currently global CDN)
- Netlify: CDN with global edge nodes
Transfers comply with GDPR Standard Contractual Clauses (SCCs) and Privacy Shield frameworks (where applicable).
9. User Rights (GDPR, CCPA, PIPEDA)
You have the following rights regarding your personal data:
- Right to Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure (Right to be Forgotten): Delete your account and personal data
- Right to Restriction: Limit processing of your data
- Right to Data Portability: Receive your data in a machine-readable format
- Right to Object: Opt out of analytics and marketing (via cookie preferences)
- Right to Withdraw Consent: Revoke consent at any time (does not affect prior processing)
To exercise these rights, contact privacy@glitchrealm.ca or visit Delete Account.
10. Data Breach Notification
In the event of a data breach affecting personal data, GlitchRealm will:
- Notify affected users within 72 hours of discovery (GDPR requirement)
- Report the breach to relevant data protection authorities (if required by law)
- Provide details on the nature of the breach, affected data, and mitigation steps
- Offer remediation support (e.g., password reset, account security review)
11. Changes to This DPA
GlitchRealm may update this DPA to reflect changes in subprocessors, data processing activities, or legal requirements. Changes will be posted on this page with an updated "Last updated" date.
Significant changes (e.g., new subprocessors) will be communicated via email or platform notification.
12. Contact Information
For data processing inquiries or to exercise your rights:
- Data Privacy Officer: privacy@glitchrealm.ca
- Privacy Policy: Full Privacy Policy
- Legal Contact: Legal Contact Information
- Supervisory Authority: Office of the Privacy Commissioner of Canada (GDPR/PIPEDA complaints)