Privacy Policy

PRIVACY POLICY - ReplayLabs

Last updated: 2026-05-19

1. Data Controller

The website is owned by SAVIN MIHNEA - Authorized Natural Person (PFA), with its professional seat in Neamt County, Savinesti locality, 191 Chimiei Street, Romania, having tax ID RO53893100 and contact email [email protected].

We act as the Data Controller for the personal data processed through ReplayLabs, and you act as the data subject, in accordance with the applicable Romanian and European legal provisions regarding personal data protection (the GDPR Regulation).

2. Scope

This Policy explains what data we collect, how we use, share, store, and protect personal data when you use ReplayLabs (the Service), and what rights you have with regard to the data collected by us.

This Policy also covers personal data belonging to other players who may appear in the replay files uploaded by you.

3. What data we collect and process

A. Account and profile data

We collect the data provided when you sign in to the website with your Google account, such as:

- email address

- display name/username as shown in the Google profile

- profile image as shown in Google

- authentication identifier, meaning the Google user ID

- timestamp and version for Terms/Policy acceptance

- configuration fields (e.g. primary player id/platform, subscription plan)

- feature-access metadata for Free weekly grading unlocks (e.g. selected replay id and weekly reset timing)

We may request reasonable information for identity verification (e.g. confirmation from the email address associated with the account, proof of access to the account, or other details necessary to prevent unauthorized requests).

B. Data provided by optionally connected platforms

- SteamID and, when available, public Steam name and avatar

- Epic Account ID and, when available, Epic display name

We do not store Steam/Epic access tokens; they are used only during the connection flow.

C. Billing, payment, and subscription data

- Billing data, subscription status, and identifiers received from Stripe (e.g. customer id/email, price id, plan metadata, billing data)

- The subscription plan on the account

We do not store full payment card data.

D. Data entered by the user

- Manually entered ranks (1v1/2v2/3v3)

- Team/group names, invitations, roles, and membership data

E. Replay uploads and file metadata

- The replay file contents

- The original filename and metadata (size/type) for validation and storage

F. Data extracted from the replay (statistics + telemetry)

- Match metadata (map/game mode/date/duration)

- Player data, unique game-platform id, username

- Per-player statistics

- Boost and positioning metrics

- Events (e.g. goals/demos/bumps)

- Frame-by-frame telemetry for players and the ball

G. Other players in replays

Replay files may include identifiers and usernames of other players. These identifiers may be personal data in context because they identify a player on the relevant platform.

H. Derived analytics

- Aggregates (e.g. averages, win rate)

- Grades/scores and analysis events

I. Technical and security data (automatic)

- IP address, browser/device data, access timestamps

- Session identifiers, CSRF/session data, rate-limiting identifiers

4. Article 13/14 transparency (other players in replays)

We obtain personal data indirectly when you upload replays that include identifiers and gameplay data of other players. Those players, as a rule, do not have a ReplayLabs account and we do not have their contact data.

Providing individual notice would involve disproportionate effort, so we rely on public notice through this Policy, published and easily accessible.

Non-user players may contact [email protected] for questions or requests.

5. Purposes and legal bases (Art. 6 GDPR)

We collect the data described in section 3 for the following purposes:

- for the performance of the contract, namely to provide the website services: creation and administration of the user account, replay upload, returning analysis for uploaded replays, teams/groups

- for managing and collecting subscriptions, as well as fulfilling legal obligations regarding fiscal and accounting records

- ensuring data security and abuse prevention, which represents a legitimate interest

- ensuring debugging and stable website operation, which represents a legitimate interest

- ensuring the accuracy of replay events (data of other players in replays who do not have an account on the website - legitimate interest, with safeguards and transparency)

We do not send marketing emails. If we do so in the future, we will ask for consent first.

6. Cookies and similar technologies

ReplayLabs uses strictly necessary cookies for operation and security. Example: the replaylabs.sid session cookie (authentication/continuity).

We also use CSRF/session tokens stored server-side for request protection.

If enabled, Cloudflare services may set strictly necessary security cookies for bot mitigation.

We do not use non-essential cookies at this time. If we introduce them, we will request consent.

7. Sharing and processors

We do not sell personal data.

We share data with providers acting as processors, including:

- Supabase (for database and file storage)

- Railway (provides hosting/infrastructure)

- Cloudflare (DNS/CDN/security)

- Stripe (for subscription billing and payment processing)

- Google, Steam, and Epic (for authentication/connection flows initiated by the user)

We may share data where required by law or where you request it (e.g. teams/groups).

ReplayLabs is an independent service and is not affiliated with or endorsed by Epic Games, Psyonix, Steam, Valve, or any other third party mentioned in the Service.

8. International transfers

Data may be processed outside the EU/EEA depending on the locations of the providers listed in section 7.

Where necessary, transfers rely on appropriate safeguards (e.g. Standard Contractual Clauses or adequacy decisions).

You may request additional information about transfers at [email protected].

9. Retention period

- Account data is kept until account deletion.

- Connected platform identifiers are stored until unlinking or account deletion.

- Raw replay files are kept while the account is active and as long as necessary to provide the Service (including reprocessing). You may request deletion; deletion may take effect after backup rotation.

- Data derived from replay files: base statistics and metadata are kept for history; timelines, boost pickup events, analysis events, grades, and bump logs may be deleted after plan-based hot-data windows expire (currently 7 days for Free, 14 days for Starter, and 30 days for Pro, calculated from upload age).

- Free weekly grading unlock state (including selected replay id and reset timing) is stored while the account is active in order to enforce weekly limits and grant access to the unlocked replay.

- Security/operational logs are kept for limited periods (usually days to months, depending on the log type).

- Financial/accounting records are kept at least for the period required by Romanian accounting law.

Account deletion removes the account record and disconnects platform identifiers. Replay data remains for history and integrity.

Backups are kept for a limited period; deletion may take effect after backup rotation.

10. Automated processing / profiling

We use automated systems for performance analysis and statistics generation. This processing is informative/analytical and does not produce legal or similarly significant effects.

11. Security

We implement the necessary technical and organizational measures (e.g. HTTPS encryption, access controls, infrastructure security) to prevent destruction, alteration, or unauthorized access to personal data. Access to the ReplayLabs user account is based on the Google account that is accessible only to the person who owns that account.

However, no system is 100% secure.

12. Incident notification

If a personal data security incident occurs, we will handle the incident in accordance with applicable law and notify affected users when required.

13. Your rights

You may contact us at [email protected] at any time to exercise the rights described below.

The right of access to the personal data processed by ReplayLabs. In this regard, you have the right to obtain confirmation of the data we process, receive a copy of that data, and receive information about the purpose of processing, categories of processed data, recipients of the data, storage period, and the rights you have, to the extent such information has not already been provided by this Policy.

The right to rectify inaccurate, incomplete, or outdated personal data. You have the right to request rectification or completion of inaccurate personal data that we hold about you.

The right to erase personal data where it is no longer necessary or where processing is unlawful. However, in certain situations we may be unable to comply with your request, for example where we are required to keep your data for the period provided by law, for tax and accounting reasons, or for the establishment, exercise, or defense of legal claims.

The right to restrict processing in the following situations:

- you contest the accuracy of the data, for a period allowing us to verify that accuracy

- the processing is unlawful and you do not want deletion, but request restriction instead

- the data is no longer necessary for the purpose for which it was collected, but you need it to establish, exercise, or defend a legal claim

- you have exercised your right to object, and verification of whether our rights prevail is underway

We may use your data if we have your consent, to establish, exercise, or defend a legal claim, to protect the rights of another natural or legal person, or for reasons of important public interest of the European Union or of a Member State.

The right to data portability: at your request, your data is provided to you or to another data controller, but only if we have your consent or if the processing is based on concluding or performing a contract with you and is carried out by automated means.

The right to object to the processing of personal data by ReplayLabs on the basis of legitimate interest, where, for legal reasons, your rights prevail over that interest.

We respond without undue delay and, in any case, within one month; the period may be extended by up to two months where the law allows, and we will notify you.

These rights may be limited or conditioned by applicable law; ReplayLabs does not set these limits and cannot go beyond legal requirements.

14. ReplayLabs API usage

ReplayLabs may provide an API (the API) that allows programmatic access to selected Service functionality and replay-related data.

API access is granted through unique API keys linked to user accounts. We process API key metadata and API request logs (such as key prefix, IP address, timestamps, endpoint usage, and response status) for authentication, security, abuse prevention, and service operation under legitimate interest.

API-exposed data may include replay metadata, derived statistics, analysis outputs, and identifiers contained in replay files, including data relating to other players where applicable.

API users must use this data in compliance with applicable data protection law and must not use API data for unlawful profiling, unauthorized redistribution, or re-identification beyond the intended Service purpose.

We may apply technical controls such as rate limiting and may suspend, rotate, or revoke API access/keys where necessary for security, compliance, abuse prevention, or operational reasons.

15. Changes to the policy

We may update this Policy periodically. Updated versions will be published on the website, and the Last updated date will be changed.