1. Controller (Art. 13(1)(a) GDPR)

The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is:

Email: moin@arcforge.lol

2. Overview of Data Processing

We process personal data only to the extent necessary to provide a functional website and our services. The collection and use of personal data takes place only with your consent or where permitted by law.

Types of data processed

• Inventory data (e.g. name, email address)
• Usage data (e.g. pages visited, access times)
• Meta/communication data (e.g. IP addresses, browser information)
• Game data from Riot Games (summoner names, ranks, match statistics)
• Guide content data (e.g. guide titles, descriptions, build cards, rune setups, optional social links like Twitch, X or Threads)
• Community interaction data (e.g. guide votes and favorites)

Categories of data subjects

• Website visitors
• Registered users
• Participants in EloRace competitions
• Guide creators and viewers

Recipients of personal data

• Hetzner Online GmbH (hosting provider, server located in Germany)
• Riot Games, Inc. (Riot API and Data Dragon CDN, located in USA — see section 7)
• Let's Encrypt / ISRG (TLS certificate issuance)

Legal bases

We process personal data based on the following legal grounds under Art. 6(1) GDPR:

• Consent (Art. 6(1)(a) GDPR) — where you have given consent for a specific purpose (e.g. linking your Riot Games account).
• Contract performance (Art. 6(1)(b) GDPR) — where processing is necessary for the performance of a contract or pre-contractual measures (e.g. account registration, session management, transactional emails).
• Legitimate interests (Art. 6(1)(f) GDPR) — where processing is necessary for the purposes of legitimate interests pursued by us (e.g. security, analytics, abuse prevention), provided that your interests or fundamental rights do not override those interests.

Automated decision-making

We do not use automated decision-making or profiling as defined in Art. 22 GDPR.

3. Hosting & Server Log Files

This website is hosted on servers provided by:

We have entered into an order processing agreement (Auftragsverarbeitungsvertrag) with Hetzner. For more information, see Hetzner's privacy policy.

When you access our website, the web server automatically collects and stores information in server log files that your browser transmits. This includes:

• IP address of the requesting device
• Date and time of the request
• Requested URL and referrer URL
• Browser type and version
• Operating system
• Amount of data transferred

This data is collected to ensure the security and stability of our service and to detect and prevent abuse. The log data is not merged with other data sources.

All application data, databases, and server infrastructure are hosted exclusively in Germany.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the secure and stable operation of the website).
Retention: Server log files are automatically rotated with the container lifecycle and are not retained longer than 14 days.

4. SSL/TLS Encryption

This website uses SSL/TLS encryption for security reasons and to protect the transmission of personal data and other confidential content. All connections are served exclusively over HTTPS. TLS certificates are automatically issued and renewed by Let's Encrypt (ISRG).

5. Cookies & Session Management

This website uses only technically necessary cookies for authentication and to store your cookie preferences. No marketing cookies and no third-party tracking cookies are set.

Since these cookies are strictly necessary for the operation of the service, no consent is required under § 25(2) no. 2 TDDDG (German Telecommunications Digital Services Data Protection Act).

Legal basis: Art. 6(1)(b) GDPR (session/authentication) and Art. 6(1)(f) GDPR (storing your cookie preference for compliance and user choice).

You can change your cookie preferences at any time via the Cookie Settings link in the footer.

6. Account Registration & Management

You can create an account on our website. Registration is voluntary, but required to use the full functionality of the service (e.g. creating and participating in EloRace competitions, creating private/public guides, and using guide votes/favorites). When you register, we collect the following data:

• Email address — for authentication, account verification, and transactional emails
• Username — publicly visible identifier (3–20 characters)
• Password — stored exclusively as a bcrypt hash; the plaintext password is never stored
• Display name (optional) — an alternative name shown in leaderboards

For email verification and password reset, we generate time-limited tokens (valid for 1 hour) that are stored in the database and automatically invalidated after use or expiration.

If you use the Guides tool, guide content you create (including optional text fields such as description and social links like Twitch, X or Threads) is stored in your account context. Public guides and associated aggregate interactions (votes, favorites) are visible to other users according to the selected visibility.

Legal basis: Art. 6(1)(b) GDPR (necessary for the performance of the service contract).
Retention: Account data is stored until you delete your account.
Deletion: You can delete your account at any time from your profile settings. This permanently removes all your personal data, including races and guides you own and their associated data (cascade delete). This action is irreversible.

7. Riot Games Integration (Third-Country Transfer)

To provide EloRace and game-related visuals in Guides, we integrate with the Riot Games API. Linking your League of Legends account is entirely voluntary and based on your explicit consent. It is required to participate in EloRace competitions, but not to use any other part of the platform. When you link your account, the following data is retrieved from Riot Games and stored:

• PUUID (universal player identifier)
• Summoner name and tag
• Summoner level and profile icon ID
• Ranked data (tier, rank, league points, wins, losses)

This data is periodically refreshed via the Riot Games API to keep EloRace leaderboards up to date. Ranked data of race participants is publicly visible on race leaderboard pages.

Data Dragon CDN

Profile icons and game assets are loaded from Riot Games' Data Dragon CDN (ddragon.leagueoflegends.com). When your browser requests these images (e.g. on EloRace and Guides pages), your IP address is transmitted to Riot Games' servers.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing game-related visual assets required for the functionality of EloRace and Guides).

Third-country transfer

Riot Games, Inc. is based in Los Angeles, California, USA. Depending on the feature used, personal data may be transmitted to servers in the USA: PUUID and related ranked data when linking your Riot account (API), and IP address when loading Data Dragon assets in the browser (CDN). There is currently no EU adequacy decision covering Riot Games, Inc.

Legal basis (API): Art. 6(1)(a) GDPR (consent) and Art. 49(1)(a) GDPR (explicit consent to the proposed third-country transfer, after having been informed of the possible risks). API transfer only occurs when you actively choose to link your Riot Games account. You can withdraw your consent at any time by unlinking your Riot account in your profile settings.
Legal basis (Data Dragon CDN): Art. 6(1)(f) GDPR (legitimate interest in serving game assets needed for display in EloRace and Guides).
Please be aware that the USA may not provide the same level of data protection as the EU/EEA. In particular, US authorities may have access to data under surveillance laws without equivalent legal remedies for EU citizens.

For more information, see Riot Games' Privacy Notice.

Retention: Riot data is stored in your user profile until you unlink your account. Ranked snapshots within races are retained for the duration of the race.
Withdrawal: You can withdraw your consent and unlink your Riot account at any time from your profile settings. Unlinking removes all Riot-related data from your user profile. Withdrawal does not affect the lawfulness of processing carried out prior to the withdrawal. Ranked data already captured in completed races remains stored for the integrity of finished competitions.

8. Email Communication

We send transactional emails for the following purposes:

• Email address verification after registration
• Password reset links
• Email change confirmation and notification to the previous address
• Welcome message after successful verification

We do not send marketing emails, newsletters, or promotional content. All emails are sent via our self-hosted mail server operated on Hetzner infrastructure in Germany. No email data is shared with third-party email service providers.

Legal basis: Art. 6(1)(b) GDPR (necessary for the performance of the service contract).

9. Web Analytics (Umami)

We use Umami, an open-source, privacy-focused web analytics tool. Umami is self-hosted on the same infrastructure as this website (Hetzner, Germany). No data is sent to any third party.

Umami collects the following anonymized data:

• Page views and referring URLs
• Browser type and screen resolution
• Operating system
• Country (derived from IP at request time, but IP addresses are not stored)

Umami does not use cookies and does not store IP addresses or persistent identifiers. It processes usage data in anonymized form and does not enable tracking of individual users across sessions. Since no information is stored on or read from your device, no consent is required under § 25(2) no. 2 TDDDG. Even so, we only load Umami after your opt-in in Cookie Settings.

Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest is understanding aggregated website usage to improve the service. Since Umami is cookieless, does not process personal data, and does not enable user tracking, your interests are not overridden.

10. Error Tracking (GlitchTip)

We use GlitchTip, an open-source error tracking tool, to detect and diagnose application errors. GlitchTip is self-hosted on our own server in Germany (Hetzner Online GmbH) — no data is transmitted to third parties or outside of the EU.

When an application error occurs, the following technical data may be collected:

• Error message and stack trace
• Browser type, operating system, and device category
• URL where the error occurred

We explicitly do not collect IP addresses, email addresses, usernames, or other personally identifiable information through GlitchTip. The SDK is configured with sendDefaultPii: false to prevent any personal data from being transmitted.

Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest is maintaining service stability and quickly resolving technical errors to ensure a reliable user experience.
Retention: Error data is automatically deleted after 90 days.

11. Rate Limiting & Abuse Prevention

To protect our service from abuse, we implement IP-based rate limiting on API endpoints. Your IP address is temporarily stored in memory only (not written to disk or database) and is automatically purged every 5 minutes. The IP address is only used to count requests and is not linked to any user account.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the security and availability of our service).
Retention: Maximum 5 minutes (in-memory only).

12. Your Rights Under the GDPR

You have the following rights regarding your personal data. To exercise any of these rights, please contact us at moin@arcforge.lol.

• Right of access (Art. 15 GDPR) — You may request information about whether and which personal data we process about you.
• Right to rectification (Art. 16 GDPR) — You may request the correction of inaccurate data. You can also update your name, display name, and email address directly in your account settings.
• Right to erasure (Art. 17 GDPR) — You may request deletion of your data. You can also delete your entire account from your profile settings at any time, which permanently removes all associated data.
• Right to restriction of processing (Art. 18 GDPR) — You may request restriction of processing under certain conditions.
• Right to data portability (Art. 20 GDPR) — You may request to receive your data in a structured, commonly used, and machine-readable format.
• Right to withdraw consent (Art. 7(3) GDPR) — Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to the withdrawal.

14. Right to Lodge a Complaint (Art. 77 GDPR)

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement.

The supervisory authority responsible for us is:

15. Changes to This Privacy Policy

We reserve the right to update this privacy policy to reflect changes in our data practices or legal requirements. The current version is always available at this URL. We encourage you to review this page periodically. The date of the last update is shown at the top of this page.