NEWMU LIMITED
(game-flex.com / “Game Flex”, effective 16 July 2025)
1. Who We Are
The data-controller for all personal data processed via game-flex.com is NEWMU LIMITED, 5 Topham St, London EC1R 5HH, United Kingdom (Company No. 14895264).
Contact for privacy matters: info@game-flex.com
2. What Data We Collect
| Category | Examples | Source | Lawful Basis (UK-GDPR Art. 6) |
| Account Data | Name, e-mail, age confirmation (16+) | User-provided | Contract |
| Transaction Data | Order IDs, skins purchased, Riot ID, Wallet balance, currencies (USD, EUR, AUD, GBP, CAD) | User / internal systems | Contract, Legal Obligation |
| Payment Data | Card BIN, last 4 digits, Stripe payment token, 3-DS status | Stripe | Legitimate Interest (fraud control) |
| Analytics & Usage | IP, device ID, pages visited, clicks | Google Analytics / Meta Pixel scripts | Consent (cookie banner) |
| Marketing Preferences | Newsletter opt-in, influencer codes | User-provided | Consent |
| KYC / AML (only if crypto on-ramp enabled) | Government ID image, selfie, proof-of-address | User / SumSub | Legal Obligation |
3. How & Why We Use Your Data
- Account creation & fulfilment – to deliver digital skins instantly to your Riot ID and manage your Wallet.
- Payments – to process, confirm and reconcile card or e-wallet transactions via Stripe.
- Fraud prevention – real-time risk scoring; manual review of anomalous trades.
- Customer support – to respond to tickets (09:00-18:00 GMT, Mon-Fri).
- Analytics & A/B testing – to improve UI, pricing slider and conversion funnel; cookies set only after opt-in via the banner offering “Customise / Reject All / Accept All”.
- Targeted advertising – to show skins you are likely to value, based on edition tier and past spend; performed only with consent.
- Legal & compliance – to meet HMRC bookkeeping duties and UK/eu consumer-law requirements.
4. Sharing & Disclosure
| Recipient | Purpose | Safeguard |
| Stripe Payments UK Ltd | Card processing, SCA | UK Binding Corporate Rules |
| Riot Games, Inc. | Execution of in-game trades (Riot ID visibility) | Standard Contractual Clauses (SCC 2021) |
| Cloud hosting (Hostinger EU) | Site & DB hosting | EU-located data-centre |
| Analytics / Ad partners (Google, Meta) | Site statistics & personalised ads | Consent-based; IP anonymisation enabled |
| KYC vendor (SumSub) | ID verification for crypto top-ups (future feature) | SCC + ISO 27001 |
We never sell personal data. Law-enforcement disclosures are made only on valid legal requests.
5. International Transfers
Where data leave the UK/EU (e.g., Riot Games servers in the US), we rely on SCCs or equivalent UK IDTA addenda, coupled with encryption in transit and at rest.
6. Data Retention
| Data Set | Retention Period |
| Account & transaction records | 7 years after last purchase (tax audit) |
| Wallet inactivity logs | 24 months, then anonymised |
| Support tickets | 24 months from closure |
| Marketing consents | Until withdrawn or 24 months after last interaction |
| KYC files | 5 years post-relationship (AML regs) |
| Analytics cookies | 13 months (Google Analytics default) |
7. Security Measures
- TLS 1.3 across all endpoints.
- Bcrypt-hashed passwords + mandatory 2FA for staff dashboards.
- Daily off-site, encrypted backups.
- Quarterly OWASP penetration tests.
8. Automated Decision-Making & Profiling
Dynamic price recommendations (e.g., highlighting Deluxe vs Ultra skins) and fraud-risk scores are produced algorithmically. No decision with legal or similarly significant effect is made solely by automated means; a human analyst reviews any flagged orders before rejection.
9. Your Rights (UK-GDPR / EU-GDPR)
- Access – get a copy of your data.
- Rectification – correct inaccurate fields.
- Erasure – “right to be forgotten” where no overriding legal grounds.
- Restriction – pause processing while a dispute is resolved.
- Portability – receive Riot-ID inventory and Wallet history in CSV.
- Object – stop processing based on legitimate interests or direct marketing.
- Withdraw consent – opt out of cookies or e-mails at any time.
Requests are actioned within 30 days; e-mail info@game-flex.com to exercise. If unsatisfied, you may lodge a complaint with the Information Commissioner’s Office (ICO), UK.
10. Children
Game Flex is not intended for users under 16. We do not knowingly process children’s data. If we learn that we have inadvertently collected such data, we will delete it promptly.
11. Cookies & Similar Technologies
Our separate Cookie Policy details cookie types, durations and opt-out mechanics. Analytics/advertising cookies load only after affirmative consent via the banner.
12. Links to Third-Party Sites
External links (e.g., esports influencers, social media) have their own privacy notices; we are not responsible for their practices.
13. Changes to This Policy
We may update this notice to reflect legal, technical or business changes. Material changes will be highlighted on-site and, where appropriate, notified by e-mail 14 days before they take effect.
14. Contact & Complaints
Questions, comments or complaints?
Data Protection Lead
NEWMU LIMITED – 5 Topham St, London EC1R 5HH, UK
E-mail: info@game-flex.com
If we fail to resolve your concern, you may contact the ICO (ico.org.uk).