Last Updated: March 9th, 2026
This Data Processing Addendum (“DPA”) forms part of the Game License & Upload Agreement (the “Agreement”) between Kongregate, Inc. (“Kongregate”) and You.
This DPA applies when You process Personal Data on behalf of Kongregate in connection with the Kongregate Platform or any Game made available through the Kongregate Platform.
By uploading, distributing, or operating a Game on the Kongregate Platform, You agree to this DPA.
If there is any conflict between this DPA and the Agreement with respect to the processing of Personal Data, this DPA will control.
Kongregate may update this DPA from time to time to reflect changes in Applicable Laws or platform operations. Continued use of the Kongregate Platform after such updates constitutes acceptance of the revised DPA. You can find the latest version of the DPA in the Developer Portal.
Contents
3. Processing Instructions and Platform Data Restrictions
4. Applicability of EU and UK Data Protection Laws
5. Responsibility for Game-Level Data Collection
6. Developer Privacy Obligations
10. International Data Transfers
14. Platform Compliance and Enforcement
Annex I – Description of Processing
1. Definitions
For purposes of this DPA:
“Personal Data” means any information that identifies, relates to, describes, or could reasonably be linked to an identified or identifiable natural person, or that is otherwise defined as “personal data,” “personal information,” or a similar term under Applicable Laws relating to privacy or data protection.
“Platform Data” means any data collected through or generated by user interaction with the Game on the Kongregate Platform, including user account data, gameplay data, transaction data, analytics, and other data collected via Kongregate-controlled systems.
“Processing”, “Controller”, and “Processor” have the meanings given under applicable data protection laws.
Other capitalized terms shall have the same meaning as used in the Agreement.
2. Roles of the Parties
The parties acknowledge the following roles:
- Kongregate acts as a Controller with respect to Platform Data processed through the Kongregate Platform.
- You act as a Processor when Processing Platform Data on behalf of Kongregate for the purpose of operating the Game on the Kongregate Platform.
You may act as an independent Controller for Personal Data that:
- You collect directly from players, or
- is processed outside the Kongregate Platform.
You are solely responsible for compliance with Applicable Laws with respect to Personal Data You control independently. Nothing in this DPA creates a joint controller relationship between the parties. Each party acts as an independent Controller for Personal Data it processes independently of the other.
3. Processing Instructions and Platform Data Restrictions
You shall process Platform Data only on Kongregate’s documented instructions, including this DPA and the Agreement. To the extent Kongregate provides You with access to Platform Data through the Kongregate Platform or APIs, You may access and process such Platform Data solely as necessary to operate and support the Game on the Kongregate Platform.
You shall not:
- use Platform Data for advertising, marketing, or profiling outside the Game;
- sell, share, license, transfer or otherwise disclose Platform Data except as necessary to operate the Game on the Kongregate Platform or as required by Applicable Laws;
- combine Platform Data with external datasets for unrelated purposes, or to build cross-service user profiles;
- use Platform Data to build, improve, or train datasets, analytics systems, user profiles, or services that are not strictly necessary to operate the Game on the Kongregate Platform;
- retain Platform Data longer than necessary to operate the Game on the Kongregate Platform.
Any use of Platform Data outside the Kongregate Platform must be clearly disclosed in Your privacy policy and must comply with Applicable Laws.
4. Applicability of EU and UK Data Protection Laws
For clarity, this DPA applies to all processing of Platform Data under both:
- EU GDPR and any related EU Data Protection Laws, including applicable Standard Contractual Clauses (SCCs); and
- UK GDPR and any related UK data protection laws, including the UK International Data Transfer Agreement (UK IDTA) or any successor mechanisms.
Where applicable, references to the GDPR in this DPA shall be interpreted to include both EU GDPR and UK GDPR obligations. Platform Data transfers from the UK shall comply with the UK adequacy framework or other legally recognized transfer mechanisms.
5. Responsibility for Game-Level Data Collection
You are solely responsible for any Personal Data that the Game collects, transmits, or processes independently of the Kongregate Platform, including through:
- third-party SDKs
- analytics tools
- advertising networks
- external account systems
- customer support tools
Kongregate does not control and is not responsible for the data practices of the Game or any third-party services You integrate.
You must ensure that such data collection complies with Applicable Laws and is accurately disclosed in Your privacy policy.
6. Developer Privacy Obligations
If the Game collects Personal Data directly from players, You must:
- provide a clear and accessible privacy policy describing Your data practices;
- comply with Applicable Laws;
- obtain any required user consents.
You must also provide a valid contact email address for privacy inquiries relating to the Game, both within the Game and also on the Game description on the Kongregate Platform.
7. Data Minimization
You shall only collect, access, or process the minimum amount of Personal Data necessary to operate the Game on the Kongregate Platform.
8. Security Measures
You must implement and maintain appropriate technical and organizational security measures designed to protect Personal Data against unauthorized access, loss, misuse, or disclosure, taking into account the nature of the data and the risks involved in Processing. These may include, where appropriate:
- encryption in transit
- role-based access controls
- secure authentication mechanisms
- logging and monitoring
- vulnerability management practices.
You must ensure that personnel authorized to access Personal Data are subject to appropriate confidentiality obligations.
9. Subprocessors
You may engage subprocessors to assist in Processing Personal Data, provided that:
- such subprocessors are subject to data protection obligations consistent with this DPA; and
- You remain fully responsible for their actions.
Subprocessors may include hosting providers, analytics providers, or customer support services.
10. International Data Transfers
Where Personal Data is transferred internationally, such transfers may rely on applicable adequacy decisions or Standard Contractual Clauses (SCCs). To ensure compliance with GDPR, UK, and Swiss data protection requirements, the parties agree as follows:
- EU/EEA Transfers: The EU Standard Contractual Clauses (Controller-to-Processor Module, Version 2.0, 4 June 2021) shall apply for transfers of EU/EEA personal data. Annexes detailing the processing activities, categories of data, technical and organizational measures, and sub-processor obligations are executed by the parties and incorporated herein by reference.
- UK Transfers: The UK International Data Transfer Agreement (IDTA, Version 2.0, as issued by the UK Information Commissioner’s Office) shall apply for transfers of UK personal data. Relevant Annexes are executed and incorporated herein by reference.
- Swiss Transfers: The Swiss Standard Contractual Clauses (as issued by the Swiss Federal Data Protection and Information Commissioner) shall apply for transfers of Swiss personal data. Relevant Annexes are executed and incorporated herein by reference.
- Binding Effect: Execution of these clauses and annexes forms an integral part of this DPA, and the obligations therein are enforceable as if fully set forth in this agreement. Any subsequent updates to the official clauses shall apply only if mutually agreed in writing.
11. Data Breach Notification
You must notify Kongregate without undue delay and no later than 48 hours after becoming aware of a Personal Data breach affecting Platform Data.
Your notification must include:
- a description of the breach;
- categories of Personal Data affected;
- estimated number of affected users;
- mitigation steps taken.
You shall cooperate with Kongregate in investigating and responding to such incidents. You shall also provide reasonable assistance to Kongregate in meeting its obligations under Applicable Laws relating to security of processing, breach notification, and regulatory compliance where such obligations relate to Platform Data processed by You.
12. Data Subject Requests
If You receive a request relating to Platform Data from a user seeking to:
- access Personal Data
- correct Personal Data
- delete Personal Data
- restrict processing
You must promptly forward the request to Kongregate unless legally prohibited. You shall reasonably assist Kongregate in responding to such requests where required.
13. Retention and Deletion
You shall retain Platform Data only for as long as necessary to operate the Game on the Kongregate Platform. Upon termination of the Agreement or upon Kongregate’s request, You must:
- delete Platform Data in Your possession; or
- return such data to Kongregate where reasonably feasible.
14. Platform Compliance and Enforcement
Kongregate may suspend, restrict, or terminate Your access to Platform Data if Kongregate reasonably believes that Your processing of Personal Data may violate:
- this DPA
- the Agreement
- Applicable Laws.
You agree to cooperate with Kongregate in investigating such issues and to promptly cease processing Platform Data upon request while the matter is reviewed.
15. Audits
Kongregate may reasonably request information demonstrating Your compliance with this DPA.
Any such request will be limited to information reasonably necessary to verify compliance with Applicable Laws.
16. Liability
Each party remains responsible for its own compliance with Applicable Laws.
Nothing in this DPA expands or limits liability beyond what is set forth in the Agreement.
Annex I – Description of Processing
Data Categories and Retention Schedule
| Data Category | Description / Examples | Retention Period | Basis / Notes |
| --- | --- | --- | --- |
| User Account Data | Username, email, hashed passwords, profile info | Duration of account + 12 months | For account management, security, and legal compliance |
| Gameplay Data | Game sessions, in-game actions, scores, achievements | Duration of Game operation + 12 months | Analytics, player support, fraud detection |
| Transaction Data | Purchases, virtual currency, subscription records | 7 years | Tax, accounting, and financial compliance |
| Platform Analytics Data | Aggregated usage statistics, event logs, engagement metrics | 36 months | Product improvement, platform performance |
| Support & Communication Data | Emails, support tickets, chat logs | 24 months | Customer service, dispute resolution |
| Marketing / Promotional Data | Opt-in marketing info, survey responses | Until opt-out + 12 months | Marketing purposes, consent-driven |
| Cookies & Tracking Data | Session cookies, device IDs, IP addresses | 24 months | Analytics, fraud prevention |
| Backup Data | System backups containing any of the above | 90 days | Disaster recovery only; secure deletion afterward |
| Deleted / Anonymized Data | Data anonymized or pseudonymized for analysis | Until fully anonymized | No personal identifiers retained |
| Law Enforcement Requests and Disclosures | Requestor name, agency, and contact, legal documents received, data disclosed, date and handling staff | 7 years | Legal compliance |
Categories of Data Subjects
- Kongregate users
- players of Games on the Kongregate Platform
Purpose of Processing
Processing occurs solely for the purposes determined by Kongregate in connection with operation of the Kongregate Platform, including:
- operating and supporting Games on the Kongregate Platform and enabling gameplay features provided through the Kongregate Platform
- maintaining leaderboards and achievements
- supporting platform services.
Annex II – Security Measures
You should implement security measures appropriate to the risk, including:
- encryption in transit (TLS)
- access controls
- secure credential storage
- vulnerability patching
- monitoring and logging.
Annex III – Subprocessors
You may use subprocessors such as:
- cloud hosting providers
- analytics services
- customer support tools.
You remain responsible for ensuring that subprocessors comply with Applicable Laws.