Who we are
The controller responsible for personal data processed on gameadmaker.com and the GameAdMaker platform is:
- Scalista GmbH
- Spallartgasse 23/99, 1140 Vienna, Austria
- Email: [email protected]
We have not appointed a data protection officer, as we are not required to under Art. 37 GDPR — privacy questions go straight to the team at the address above and are answered without undue delay, at the latest within one month.
Scope & the three hats we wear
GameAdMaker is a no-code builder for playable game ads. Depending on how you meet us, our role under the GDPR differs — and so does what this policy covers:
| You are… | Our role | What applies |
|---|---|---|
| A visitor or customer of the platform | Controller | This policy, in full. |
| A player of a playable ad exported to an ad network (Meta, Moloco, TikTok) | None — the ad network and the advertiser control that data | Section 10. Our exported ads send gameplay events to the hosting network only; nothing reaches our servers. |
| A visitor of a published web campaign we host for a customer | Processor on behalf of the customer | Section 10 and the customer's own privacy notice. We do not track campaign visitors. |
Data we collect
We collect data in five buckets — nothing beyond them:
- Account data. Email address, name, and a sign-in identifier, managed through our authentication provider Clerk. If you sign in with a social provider, we receive the profile basics that provider shares.
- Billing data. Workspace plan, subscription status, and a Stripe customer reference. Full payment credentials never touch our servers — they go directly to Stripe.
- Content you create. Projects, game configurations, brand colors and copy, uploaded assets (logos, images, audio, fonts), exports, and published campaigns. Uploads may pass transiently through a media optimizer before landing in storage.
- Usage & technical data. Server request logs (including IP address), error reports with technical context, AI feature usage metadata (model, token counts — not the content), and, only with your consent, product analytics events and masked session replays (typed input is hidden in your browser before anything is sent).
- Communications. Emails you send us and transactional emails we send you (e.g. the welcome email, export-ready notifications).
We do not buy data about you, we do not enrich profiles from third-party sources, and we send no marketing emails without a separate opt-in.
Why we process it — and on what legal basis
| Purpose | Data involved | Legal basis (Art. 6 GDPR) |
|---|---|---|
| Providing the platform — accounts, projects, editing, exports, hosting | Account, content, technical | (1)(b) — performance of contract |
| Billing, invoicing, tax compliance | Billing | (1)(b) contract · (1)(c) legal obligation |
| Transactional email (welcome, export-ready) | Email, first name | (1)(b) — performance of contract |
| AI generation features you actively trigger | Content you submit to the AI tools | (1)(b) — performance of contract |
| Security, abuse prevention, error monitoring | Technical, logs | (1)(f) — legitimate interest in a reliable, secure service |
| Product analytics | Usage events, device info | (1)(a) — your consent, revocable anytime |
| Advertising measurement & remarketing | Cookie identifiers, campaign interactions | (1)(a) — your consent, revocable anytime |
Where we rely on legitimate interests, we have balanced those interests against your rights; you can object at any time (see Section 13).
AI features
The builder includes AI assistance: extracting brand colors and assets from a URL, generating and translating ad copy, and an editor chat that adjusts your game configuration. When you use these features, the content you submit — game configs, copy, brand material — is processed by Anthropic Claude models routed through OpenRouter (both US-based; see Sections 8–9).
- AI requests are processed via API under terms that prohibit using your inputs to train the providers' models.
- We store metadata about AI usage (feature, model, token counts) for billing your AI credits — not the prompts themselves beyond your project content.
- Please don't paste personal data of third parties into AI prompts; the tools are built for brand and game content, not people data.
Analytics, Google Tag Manager & Consent Mode v2
We run Google Tag Manager as our single tag container and PostHog (EU cloud) for product analytics. Both are governed by Google Consent Mode v2 and our consent console:
- Before any Google tag loads, all consent signals —
ad_storage,ad_user_data,ad_personalization,analytics_storage— default to denied. - Until you opt in, Google tags operate cookieless and set no identifiers; PostHog is not loaded at all.
- With Analytics consent, PostHog also captures session replays — a playback of how the interface was used, which helps us see where the builder confuses people and fix it. Keyboard input and sensitive fields are masked in your browser before upload; replays are EU-hosted, reviewed only by our product team, and never shared or sold.
- If you accept, your choice is forwarded as a consent update; “Analytics” enables
analytics_storageand PostHog, “Marketing” enables the three advertising signals. - In line with Google's June 15, 2026 update,
ad_storageacts as the single authority for advertising data — we nevertheless transmit the complete v2 signal set on every default and update call. - We have enabled
ads_data_redactionandurl_passthrough, so even consent-denied measurement is redacted and cookieless.
Service providers (processors)
We share data only with providers that help us run GameAdMaker, under data processing agreements per Art. 28 GDPR:
| Provider | What for | Data touched | Location | Transfer safeguard |
|---|---|---|---|---|
| Clerk | Authentication & sessions | Email, name, sign-in metadata | USA | SCCs / EU-U.S. DPF |
| Svix | Webhook delivery for auth events | Auth event payloads (email, name) | USA | SCCs / EU-U.S. DPF |
| Turso | Primary database | Account, workspace, project records | EU | EU processing |
| Cloudflare R2 | Asset & export storage, campaign hosting | Uploaded media, exported bundles | Global network | SCCs / EU-U.S. DPF |
| Cloudinary | Transient media optimization (deleted right after processing) | Uploaded media bytes | USA / global | SCCs / EU-U.S. DPF |
| Stripe | Payments & subscriptions | Billing contact, payment metadata | USA | SCCs / EU-U.S. DPF |
| Brevo | Transactional email | Email, first name | EU | EU processing |
| Sentry | Error monitoring | Error context, technical metadata | USA | SCCs / EU-U.S. DPF |
| OpenRouter → Anthropic | AI features | Content you submit to AI tools | USA | SCCs / EU-U.S. DPF · no-training API terms |
| PostHog | Product analytics & session replays (consent only) | Usage events, device info, masked interface replays | EU | EU processing |
| Tag management, ads measurement (consent only) | Cookie identifiers, campaign interactions | EU / USA | SCCs / EU-U.S. DPF · Consent Mode v2 | |
| Railway | Application hosting & logs | Request logs incl. IP | USA | SCCs / EU-U.S. DPF |
A current sub-processor list and our Data Processing Addendum are available on request via [email protected].
International transfers
Where providers process data outside the EU/EEA (see the table above), transfers rest on the European Commission's adequacy decision for the EU-U.S. Data Privacy Framework for certified providers, and on Standard Contractual Clauses (2021/914) with supplementary measures otherwise. Copies of the relevant safeguards are available on request.
Playable ads & published campaigns
Playables built with GameAdMaker are designed to be tracking-free by themselves:
- In the editor & previews: gameplay events (
game_start,game_end,cta_click) are posted only to the editor window so you can see your funnel — they identify the session, not a person. - Exported to ad networks: the bundle runs inside the network's SDK (Meta, Moloco, TikTok). Gameplay events go to that network under its terms; nothing is sent to GameAdMaker. The advertiser and the network are the controllers there.
- Published web campaigns: we host the files and serve them — we do not set analytics cookies or track visitors. The only browser storage is the
gam:mutedsound preference and, for password-protected links, the 30-day unlock cookie scoped to that ad.
If you are an advertiser running campaigns built with GameAdMaker, you are the controller for your campaign audience — make sure your own privacy notice covers the networks you publish to.
How long we keep data
| Data | Retention |
|---|---|
| Account & workspace data | Life of the account + 30 days after deletion |
| Projects, assets, exports, published campaigns | Until you delete them, or 30 days after account closure |
| Billing & invoicing records | 7 years (§ 132 BAO — Austrian fiscal law) |
| Server & error logs | Up to 90 days |
| AI usage metadata (credits accounting) | 24 months, aggregated thereafter |
| Consent records | 3 years from your last interaction |
| Transactional email logs | 12 months |
Security
All traffic is encrypted in transit (TLS). Access to production systems is limited to authorized personnel on a need-to-know basis, credentials are scoped per service, password-gate tokens are stored hashed, and uploads are isolated per workspace. Error monitoring deliberately excludes session recording. No method of storage is 100% secure — if we ever detect a breach affecting your data, we will notify you and the supervisory authority as required by Art. 33/34 GDPR.
Your rights
Under the GDPR you can, at any time and free of charge:
- Access the personal data we hold about you (Art. 15);
- Rectify inaccurate data (Art. 16);
- Erase data — “right to be forgotten” (Art. 17);
- Restrict processing (Art. 18);
- Receive your data in a portable format (Art. 20);
- Object to processing based on legitimate interests (Art. 21);
- Withdraw consent at any time — via the cookie console — without affecting the lawfulness of processing before the withdrawal (Art. 7(3)).
To exercise any right, email [email protected]. We respond within one month. You also have the right to lodge a complaint with a supervisory authority — in Austria that is the Österreichische Datenschutzbehörde, Barichgasse 40–42, 1030 Vienna, dsb.gv.at — or with the authority of your habitual residence.
Children
GameAdMaker is a business tool and is neither directed at nor intended for children. We do not knowingly collect personal data from anyone under 16; if you believe a child has provided us data, contact us and we will delete it.
Changes to this policy
When the product or our providers change, this policy changes with them. The effective date and version at the top always reflect the current revision; for material changes we will notify you in the app or by email before they take effect, and — where the change concerns consent-based processing — ask again. Earlier versions are available on request.
Contact
Privacy questions, data requests, or just unsure about something in this document? Write to us — a human reads it.
Talk to us about your data.
We answer every privacy request within one month — usually much faster. No forms, no hotlines, no runaround.