We do not collect any special or sensitive categories of personal data, including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, or data concerning health or concerning a natural person’s sex life or sexual orientation, unless one of the exceptions of Article 9 GDPR apply. If at any time, you feel that this type of information has been requested of you, or been collected from you, by the Service please notify us immediately.
As described in our Terms of Service, you may not use our Services if you are under the age of 13; or, if you are between the ages of 13 and 16, you are below the age of consent in your legal jurisdiction and you do not have the consent of the holder of your parental responsibility. We do not intend to collect or process data from minors falling into these categories.
The last substantive update to this document (excluding formatting changes, typo fixes, etc.) was on 2019-03-20.
Data that we share with Third-Parties and why
One of our goals in the creation of this service is to understand the games we support and their metagames. We consider it in our legitimate interests to collect and process your data, for example to: provide you with game analysis and statistics tools; and, to contribute that data back to the community in various ways such as blog posts, APIs, and interactive features. Some of these features are monetized in order to help us keep some services free and to ensure the continued development of the many free tools we provide to the gaming community.
As part of our operations and in order to provide you with our services, we sometimes need to share data with third-parties. The list of third-parties we may share data with, why we share data with them, how they use the data, as well as resources on their own privacy policies and compliance information, is available here (we do not endorse nor take any responsibility for the content on or information contained within the third parties’ resources):
Email verification and Consent to collect and process data
Upon signing up with our Service, we ask that you share your email address with us. We will verify that you own this email address by first sending you a verification email.
This address may be used for account and billing related notifications. Furthermore, the billing email is automatically shared with Stripe, our Payment gateway. Your email may be deleted from Stripe by deleting your account with us.
Upon signup or during your usage of the Service, you will also be asked whether you consent, or opt-in, to our collection and processing of your personal data for providing the Service and/or marketing emails and other push notifications (you may opt in or out of any of these marketing choices at any time from the Email section of the relevant Account Settings page). It should be understood that consenting to our collection and processing of your personal data may include transmission of the personal data across international borders, profiling and/or user behavior prediction using the personal data (especially where it involves deck construction, play strategies, and other Gameplay Related Data, as defined in the Terms of Service, analysis).
Regardless of policy, we respect your inbox and we will take great care not to send you unnecessary or unsolicited emails.
When opting to make a purchase with us, you implicitly share some information with us that we may store indefinitely for legal and tax compliance purposes.
The type of data received and stored depends on the Payment Provider you use. However, in no case does our Service ever get access to or store any data considered sensitive by The Payment Card Industry Data Security Standard (“PCI-DSS” or “PCI”), such as full payment card number. See below for more information about PCI-DSS. Furthermore, at no point during payment is your information transferred over an insecure connection. As of May 2018, all connections to our Service are encrypted and require TLS version 1.2 or higher.
For PayPal users
Upon making a purchase with PayPal, the following personal information is shared with us from the PayPal account used:
- First and Last name
- Email address
- Shipping address (as configured on PayPal)
For Stripe users
For all payment methods except PayPal, we use Stripe, a secure payment provider, trusted by thousands of online businesses. When you input payment information on our Service, you are sending it directly to Stripe; our Service does not ever see or store your full credit card number or any information considered sensitive by PCI-DSS.
Thanks to the help of our payment gateways, our Service complies with PCI-DSS. For more information on PCI Compliance, please see the following resources:
- PCI Security Standards Council website
- PCI Compliance Guide
- Stripe PCI Compliance information
- PayPal PCI Compliance information
Usage tracking and telemetry
Our servers log requests across our web pages and APIs for security, auditing and debugging purposes. All server logs are destroyed within 14 days, unless exceptional circumstances (such as legal or security reasons) require us to keep them longer.
We use Google Analytics to understand how our users use the website. All data is anonymous. We also use our own internal tracking tooling. Data tracked using our own tools is not sent to a third party, as we process that data ourselves. Further information regarding Google Analytics is available here: https://hearthsim.net/legal/third-parties.html
If you are concerned with usage tracking on the internet, we recommend the EFF’s Privacy Badger browser extension.
The apps we provide as part of the Service also send usage tracking telemetry data to our own servers. Such telemetry helps us understand how our users use the software.
Hearthstone Deck Tracker & Untapped.gg Companion
Hearthstone Deck Tracker, HSTracker, Arcane Tracker and the Untapped.gg Companion are our official upload clients. Whenever you play a game with one of these products running, the game’s log and other Gameplay Related Data is automatically uploaded to us. You may opt-out of this data collection and processing by uninstalling these Services.
Pixel tags are invisible tags placed on certain pages of our Sites. A pixel tag triggers a cookie when you visit a Site. A cookie is a small piece of data sent from the Site to your web browser and may be stored on your computer’s hard drive. Cookies allow us to recognize your computer while you are on our Sites and it helps us customize your online experience with us and make it more convenient for you. Cookies have many uses, including allowing more efficient log-ins, auto-completing information, tracking interest, traffic or hits, tracking transaction histories and preserving information between your sessions with us. The information collected from cookies may also be used by us to improve the functionality of our Sites to provide better service to you.
(a) https://support.google.com/chrome/answer/95647?hl=en (Chrome);
(b) https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences (Firefox);
(c) https://help.opera.com/en/latest/security-and-privacy/ (Opera);
(d) https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies (Internet Explorer);
(e) https://support.apple.com/kb/PH21411 (Safari); and
(f) https://privacy.microsoft.com/en-us/windows-10-microsoft-edge-and-privacy (Edge).
Blocking all cookies will have a negative impact upon the usability of many websites, including ours.
If you block cookies, you will not be able to use all the features on our Sites.
Data that Third-Parties share with us and why
We offer solutions to sign in and/or authenticate using third party services. This is colloquially known as “social authentication” or “OAuth login”.
You may elect to connect certain third parties to your HSReplay.net, Untapped.gg, or HearthSim account. Upon doing so, you authorize the third party to share some of your account data with us. This type of authentication is secure and we never gain access to the corresponding account’s password.
You may manage those connections and subsequently delete any data that the third party in question shared with us by removing the account connection from the Connected Accounts section of the Account settings dashboard for the relevant Site.
- Blizzard Account ID
- BattleTag (if one exists)
- Discord account ID, username and account email
- Discord avatar ID
- Twitch account ID, username, display name, account email and creation date
- Twitch account “bio” (if one exists)
- Twitch avatar URL (hosted by Twitch)
How you can verify or view your information
Pursuant to the Right of Rectification under Article 16 GDPR, you may check your information to verify, update, or correct it, and to have any obsolete information removed. If you created an account with our Service or with one of our Sites, you can access and change your online account profile yourself by accessing your Account Management page specified in the Account creation section above.
Account and data deletion
You may delete your account from the Delete account section of the Account settings dashboard for the relevant Site, or by contacting customer support. Deleting your Account according to this section ensures your Right to Erasure under Article 17 GDPR.
Upon doing so, your account will be immediately deleted and you will no longer be able to log into it. Logging back into the relevant Site will require creating a new account.
Except as noted below, all account data is irreversibly wiped once the account is deleted. Gameplay Related Data (card collections or other data related to gameplay) are detached from the account and will only be reachable via their URLs or any page listing them.
Deleting your account or Gameplay Related Data DOES NOT remove or reset the following data:
- “Global” or aggregated statistical data (anonymized game records used across the entire player base) or anonymized individual data.
- Any data, information or records we are legally obligated to keep.