GDPR Compliance

Last Updated: December 13, 2025

1. Introduction

Lowland RP is committed to compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679. This page outlines how we comply with GDPR requirements and protect your personal data rights. GDPR applies to all individuals within the European Economic Area (EEA) and ensures that your personal data is processed lawfully, fairly, and transparently.

2. Your Rights Under GDPR

As a data subject under GDPR, you have the following fundamental rights:

  • Right of Access (Article 15): You have the right to obtain confirmation as to whether or not personal data concerning you is being processed, and access to that data along with certain information.
  • Right to Rectification (Article 16): You have the right to have inaccurate personal data corrected and incomplete data completed.
  • Right to Erasure / Right to be Forgotten (Article 17): You have the right to request deletion of your personal data when it is no longer necessary, you withdraw consent, or the data has been unlawfully processed.
  • Right to Restrict Processing (Article 18): You have the right to request limitation of processing of your personal data in certain circumstances.
  • Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
  • Right to Object (Article 21): You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.
  • Rights Related to Automated Decision Making (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you.
  • Right to Withdraw Consent (Article 7): Where processing is based on consent, you have the right to withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

3. How to Exercise Your Rights

To exercise any of your GDPR rights, you can take the following actions:

  • Access Your Data: Log into your account and visit your profile page to view all personal data we hold about you.
  • Update Your Information: Use your account settings to update your personal information, including username, email, display name, and profile information.
  • Request Data Deletion: You can request account deletion through your account settings, which will permanently delete your personal data subject to legal retention requirements.
  • Contact Us Directly: Send a request through our Discord server or website contact form with your specific GDPR request.
  • Submit a Formal Request: For complex requests, submit a formal data subject access request (DSAR) via email with your account details and the specific rights you wish to exercise.
  • Request Data Export: Request a copy of your data in a portable format (JSON or CSV) through your account settings or by contacting us.
  • Object to Processing: If you wish to object to specific data processing activities, contact us with details of the processing you object to and the grounds for your objection.
  • Withdraw Consent: You can withdraw consent for optional data processing (such as marketing communications) through your account settings or by contacting us directly.

4. Legal Basis for Processing

We process your personal data based on the following legal grounds as defined in GDPR Article 6: (a) Consent: When you provide explicit consent for specific processing activities, such as optional profile information or marketing communications. (b) Contract Performance: Processing necessary for the performance of a contract to which you are a party, including providing our gaming services and maintaining your account. (c) Legal Obligation: Processing required to comply with legal obligations, such as tax requirements, law enforcement requests, or regulatory compliance. (d) Legitimate Interests: Processing necessary for our legitimate interests, including server security, fraud prevention, community safety, service improvement, and business operations, provided these interests do not override your fundamental rights and freedoms.

5. Data Retention and Deletion

We retain your personal data only for as long as necessary to fulfill the purposes outlined in our Privacy Policy, comply with legal obligations, resolve disputes, and enforce our agreements. Account data is retained while your account is active. After account closure, we retain data for a reasonable period (typically 12 months) for legal, security, and fraud prevention purposes, after which it is securely deleted. Transaction records and logs may be retained longer as required by law. You can request immediate deletion of your data at any time, subject to legal retention requirements.

6. Data Transfers and International Processing

Your data may be transferred to and stored in locations outside the European Economic Area (EEA), including the United States. We ensure appropriate safeguards are in place to protect your data in accordance with GDPR requirements. These safeguards include: Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions where applicable, and other legally recognized transfer mechanisms. Our service providers (including Turso for database hosting and Cloudflare for R2 storage) are contractually bound to protect your data and comply with GDPR requirements.

7. Data Protection Officer and Contact

For GDPR-related inquiries, data subject requests, or to exercise your rights, you can contact our data protection team through our Discord server (discord.lowlandrp.com) or via our website contact form. We will respond to your request within 30 days as required by GDPR Article 12(3). For complex requests, we may extend this period by an additional 60 days, in which case we will inform you of the extension and the reasons for the delay within one month of receiving your request.

8. Data Breach Notification

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required by GDPR Articles 33 and 34. The notification will include: the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences of the breach, and the measures taken or proposed to address the breach and mitigate its possible adverse effects.

9. Supervisory Authority and Complaints

If you are not satisfied with how we handle your personal data or respond to your GDPR requests, you have the right to lodge a complaint with your local data protection supervisory authority. For EU residents, you can find your supervisory authority at the European Data Protection Board website (edpb.europa.eu). The supervisory authority in your country will investigate your complaint and can order us to take corrective action if necessary. We are committed to resolving any concerns you may have and encourage you to contact us first so we can address your issues directly.

For GDPR-related inquiries, to exercise your rights, or to submit a data subject access request, please contact us through our Discord server (discord.lowlandrp.com) or website. We are committed to protecting your privacy and ensuring full GDPR compliance. All requests will be handled promptly and in accordance with GDPR requirements.