Witch It – Privacy Policy

Data protection information of Barrel Roll Games GmbH & Co. KG

General information on the handling of your data
This data protection information provides you with information about the type, scope and purpose of the processing of personal data in relation to the use of the online game Witch It.

1. Responsible body, contact Controller within the meaning of the Data Protection Act

The controller in terms of Art. 4 (7) of the EU General Data Protection Regulation (GDPR) is

Barrel Roll Games GmbH & Co. KG
Neustadt 1
38838 Eilenstedt

Managing directors: Tina Heitmann, Lukas Köhne, Nils Ohlig, Christoph Rienäcker

E-mail: privacy@barrelrollgames.com

2. We process the following data

The data we collect depends on which services you use and how you use them.

2.1. What data we collect from you, for what purpose and on what legal basis

We process the following data from you for the stated purpose and on the stated legal basis

  • Your IP address
    We collect this data,
    • In accordance with Art. 6 (1) point b) GDPR to fulfil our contractual obligations when communication is carried out with our servers, as well as communication directly with the platform interface of the respective provider
    • In accordance with Art. 6 (1) point f) GDPR due to our legitimate interest in securing server security in the event of an attack (e.g. denial of service)
    • In accordance with Art. 6 (1) point c) GDPR to fulfil our legal obligation, such as in the case of criminal prosecution
  • Platform identification (e.g. Steam ID, Epic Product User Id, Xbox Live ID, PlayStation Network ID, etc.)
    We collect this data,
    • In accordance with Art. 6 (1) point b) GDPR for communication with the respective platform backend, e.g. to enable services related to the game, such as the assignment of quest items and matchmaking; to restrict the player if the terms of use are violated; for the exchange of in-game items with other players
    • In accordance with Art. 6 (1) point c) or f) GDPR due to our legitimate interest in troubleshooting; or to fulfill a legal obligation, e.g. to restrict the right to communicate in in-game chat if unlawful communication takes place (verbal harassment, insult, etc.);
  • Witch It user ID
    We collect this data,
    • In accordance with Art. 6 (1) point f) GDPR on the basis of our legitimate interest in being able to carry out a review in the event of complaints or other reports from players or to ensure a positive gaming experience.
    • To exchange in-game items with other players
  • Platform display name (if the platform provides a display name)
    We collect this data,
    • In accordance with Art. 6 (1) point b) GDPR to display the name you have chosen in the game for the duration of a match.
  • Chat service (text form, audio format)
    We collect this data in accordance with Art. 6 (1) point b) GDPR
    • when players communicate with each other and coordinate during a match,
    • To ensure lawful communication between players if the terms of use are violated (verbal harassment, insults, etc.).
      We would like to point out that this data is provided publicly by you and can be read, copied or used by other players and made publicly accessible both by us and by third parties. We will only process this data for the purposes stated here. To ensure your privacy, you must customize the required settings to suit your needs.
  • Name, email address, other content data if you contact our customer service (pursuant to Art. 6 para. 1 b) GDPR);
  • Creating online leaderboards and enabling online matchmaking (pursuant to Art. 6 (1) point b) and f) GDPR. Our legitimate interest is to ensure a positive gaming experience;
  • Authentication (for the duration of the session) and activation of games and storage of game data, including progress (as long as the account exists) (pursuant to Art. 6 (1) point b) GDPR);

2.2. We also receive data about you from third parties

The following third parties provide us with your data:

  • Gaming distribution platform (e.g. Steam, Epic Store)
  • Console platforms

3. Transfer to third parties and third-party providers

We do not pass on your personal data that you have provided to us to third parties unless the data is required to fulfil your contract, there are legitimate interests or you have expressly consented to the transfer. Insofar as we are legally obliged to do so, we will pass on your data to government bodies and authorities authorized to receive information.

We draw your attention to the fact that, in addition to this data protection declaration, the data protection information and declarations of the locally responsible partners and their authorized institutions may also apply.

3.1. Processors / server location

We pass on your data to our processors. This is a data center that hosts the data (game server). We have concluded an order processing contract with the order processors.

The game server is operated within the EU.

In addition, you can select a dedicated server to talk to other players in the game and play together.

The dedicated servers are located both in the EU and in third countries. You can select a dedicated server (usually in your preferred geographical region) for your gaming experience (EU, USA, Asia). The geographical region is displayed in a so-called “server list”. You make the choice yourself before each game.

In addition you have the option to join matches hosted by other players (so-called “custom matches”). These servers may be located anywhere in the world.
We have no influence on the processing on these servers.

Please note: The respective level of data protection in third countries (non-EU countries) may not correspond to the European data protection standard.
The transfer of your personal data takes place exclusively on the basis of your consent, Art. 6 (1) point a) in conjunction with Art. 49 (1) GDPR.

List of processors:

  • 1&1 (Strato, IONOS)
  • Amazon AWS


We explicitly point out to you in the game that your personal data will be processed if you select a server in a third country (USA or Asia). You have the option of selecting a server in the EU. If you select a server from a third country, this is your voluntary decision. By selecting the server, you consent to your data being processed in this third country. The legal basis is Art. 6 (1) point a) GDPR in conjunction with Art. 49 (1) a) GDPR.

3.2. Law enforcement authorities

Insofar as we are legally obliged to do so, we pass on data to the law enforcement authorities. This is only done after we have checked that the transfer is lawful.

3.3. Third parties

Your data will be passed on to the respective platform operator. This is not a processor, as it processes your data in its own way. You can find more information on this in the privacy policy of the respective platform.
If you use a display name or chat, this data will be made available to the public.

4. Your rights in connection with data protection

You have the following rights in relation to your data:

  • In accordance with Art. 15 GDPR, you can request information about, and access to, your personal data processed by us: this right entitles you to know whether we hold personal data about you and, if we do, to obtain information on and a copy of that personal data.
  • In accordance with Art. 16 GDPR, you can immediately request the correction of incorrect or incomplete personal data stored by us;
  • In accordance with Art. 17 GDPR, you can request the deletion of your personal data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for the fulfillment of a legal obligation, for reasons of public interest or for the assertion, exercise or defense of legal claims;
  • In accordance with Art. 18 GDPR, you can request the restriction of the processing of your personal data if you dispute the accuracy of the data, the processing is unlawful but you refuse to delete it and we no longer need the data, but you need it for the assertion, exercise or defense of legal claims or you have lodged an objection to the processing in accordance with Art. 21 GDPR;
  • In accordance with Art. 20 GDPR, you have the right to data portability, i.e. to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request that it be transferred to another controller, provided that the processing is based on your consent or a contract with us and the processing is carried out using automated procedures. However, in the case of data transfer to another controller, you can only obtain the transfer if this is technically feasible;
  • In accordance with Art. 7 para. 3 GDPR, you can revoke your consent to us at any time. As a result, we may no longer continue the data processing that was based on this consent in the future; and
  • In accordance with Art. 77 GDPR, you have the right to complain to a supervisory authority. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our registered office.

The quickest, easiest and most convenient way to exercise your rights to rectification or erasure of personal data is to send us an email. The contact details can be found in section 1 of the privacy policy.

A simple message to us is sufficient for your request for information, the revocation of consent or for an objection. You will not incur any costs for exercising your rights. You can contact us using the contact information provided in section 1 of this privacy policy.

5. Right to object to processing based on our legitimate interest

a) If your personal data is processed on the basis of legitimate interests in accordance with Art. 6 (1) sentence 1 (f) GDPR, you have the right to object to the processing of your personal data at any time in accordance with Art. 21 GDPR, provided that there are reasons for this arising from your particular situation or the objection is directed against direct advertising.
In the latter case, you have a general right to object, which will be implemented by us without specifying a particular situation. In the event of your justified objection, we will examine the situation and will either discontinue or adapt the data processing or point out to you our compelling reasons worthy of protection on the basis of which we will continue the processing. We will inform you of such compelling reasons.
You have the right to register a complaint with a supervisory authority at any time (e.g. the supervisory authority at your place of residence or at the registered office of our company).

b) Of course, you can object to the processing of your personal data for advertising and data analysis purposes at any time. You can inform us of your objection to advertising using the contact details given in section 1.1.

c) If you would like to exercise your right to object, simply send an e-mail to the person named in section 1.

6. Contact for questions about data protection

a) If you have any questions about data protection or wish to exercise rights or claims relating to your personal data, you can contact us using the contact details provided above (under section 1.1.) or via our contact form.

b) When contacting us (by e-mail), your details will be stored for the purpose of processing the enquiry and in the event that follow-up questions arise, in accordance with Art. 6 para. 1 lit. b) or f) GDPR. We process your data either on the basis of a contractual obligation or on the basis of our legitimate interest in responding to your enquiry.
We delete the data arising in this context after storage is no longer necessary or restrict processing if there are statutory retention obligations (see section 9). In the case of non-binding questions about data protection, we will retain your data for a maximum of 3 months after the end of the contact if we can be sure that the contact enquiry has really ended.

c) In the case of a data subject enquiry, your data will be stored for at least 3 years after the end of the contact. We will then check whether further storage may be necessary in exceptional cases. Otherwise, your data will be deleted. The period begins at the end of the year in which the conversation ended.
The reason for storage is that claims may be asserted during this period or it must be proven that we have answered your enquiry.

7. Data security

The security of your personal data is a very high priority for us. We therefore use technical and organisational measures to protect your data stored by us. This ensures that the provisions of the data protection laws are complied with and that loss or misuse by third parties is effectively prevented.
In particular, our employees who process personal data are bound to data secrecy and must comply with this.

8. General information on deletion and archiving periods

a) The data stored by us will be deleted as soon as it is no longer required for the intended purpose. Details on this can be found under the points of this declaration, in which the type and purpose of the respective processing of the personal data are explained.

b) Data that we are required to store due to statutory or contractual archiving obligations (e.g. for tax law reasons) will be made unavailable instead of being deleted in order to prevent its use for other purposes.
This includes, for example, storage for 6 years in accordance with Section 257 (1) HGB (for commercial books, inventories, opening balance sheets, annual financial reports, commercial letters, accounting vouchers, etc.) or storage for 10 years in accordance with Section 147 (1) AO (records, management reports, accounting vouchers, commercial and business letters, documents relevant for taxation, etc.).

9. Changes to the privacy policy

a) This privacy policy is currently valid and is dated February 2024.

b) Due to changes in the law or adjustments in data processing, it may be necessary to update this data protection information. We therefore recommend that you check this page regularly for any changes. If the change affects your consent or the provisions of the contractual relationship, these will only be made with your consent. We will contact you separately for this purpose.