Privacy Policy

Last Updated: 3.5.2026

TikPlay ("we," "our," or "us") operates the TikPlay gaming platform that integrates with TikTok livestreams. This Privacy Policy explains how we collect, use, and protect your information when you use our interactive gaming services.

Data Controller

TikPlay – Cakir Emre Yunus & Güngörmüs Atakan Aytac GbR
represented by: Cakir Emre Yunus & Güngörmüs Atakan Aytac
Moltkestraße 32
95028 Hof
Germany
Email: support@tikplaygames.com

1. Information We Collect

Account Information

When you create a TikPlay account, we collect your username, email address, and profile information.

TikTok Integration Data

When you connect your TikTok account, we collect:

  • TikTok username and profile information
  • Livestream interaction data (gifts, likes, comments)
  • Viewer engagement metrics
  • Stream analytics for game performance

Gaming Data

We collect game interaction data including:

  • Game performance and scores
  • Player progression and achievements
  • Game configuration and mappings
  • Session duration and frequency

Technical Information

We automatically collect device information, IP addresses, browser type, and usage analytics to improve our services.

2. How We Use Your Information

We use your information to:

  • Provide and operate the TikPlay gaming platform
  • Connect your games with TikTok livestream interactions
  • Process TikTok gifts and convert them to in-game actions
  • Provide analytics and performance insights
  • Improve our games and platform features
  • Send important service updates and notifications
  • Ensure platform security and prevent abuse

2.1 Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

Contract Performance (Art. 6(1)(b) GDPR)

  • Account creation and management
  • Game functionality and TikTok integration
  • Subscription processing and billing

Legitimate Interest (Art. 6(1)(f) GDPR)

  • Platform security and fraud prevention
  • Analytics for service improvement
  • Technical infrastructure maintenance

Consent (Art. 6(1)(a) GDPR)

  • Marketing communications (where opted-in)
  • Non-essential cookies and tracking
  • Optional features like advanced analytics

You can withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

3. Information Sharing

We do not sell your personal information. We may share information in these situations:

  • TikTok Integration: Necessary data sharing with TikTok's API for livestream functionality
  • Service Providers: Third-party services that help us operate the platform
  • Legal Requirements: When required by law or to protect our rights
  • Business Transfers: In connection with mergers or acquisitions

4. Data Security

We implement industry-standard security measures including:

  • Encryption of data in transit and at rest
  • Regular security audits and updates
  • Access controls and authentication systems
  • Secure cloud infrastructure (Google Cloud/Firebase, Vercel, Cloudflare)
  • Continuous error monitoring and security incident detection (Sentry)

4.1 Error Tracking and Session Replay (Sentry)

We use Sentry (Functional Software, Inc., USA) to monitor the stability and performance of our platform. When an error occurs, Sentry automatically captures diagnostic information such as the URL, stack trace, browser type, anonymized IP address, user identifier (where available) and the actions leading up to the error.

In addition, we record short session replays for a small sample of sessions (currently approximately 5%) and for 100% of sessions in which an error occurs. A session replay is a reconstruction of a user's interactions with our website. Inputs into form fields, passwords and elements containing sensitive information are masked by default and are not transmitted to Sentry.

The purpose of this processing is to identify and fix errors, improve usability and prevent abuse. The legal basis is our legitimate interest in providing a stable and secure service (Art. 6(1)(f) GDPR). For non-essential parts of this processing we rely on your consent (Art. 6(1)(a) GDPR), which you can withdraw at any time via our cookie banner.

Session replays and error data are retained by Sentry for a maximum of 90 days and are then automatically deleted. Data is transferred to the United States; we have entered into the EU Standard Contractual Clauses with Sentry.

5. Your Rights (GDPR)

If you're in the EU/EEA, you have comprehensive rights:

  • Right of Access (Art. 15): Request copies of your personal data
  • Right to Rectification (Art. 16): Correct inaccurate data
  • Right to Erasure (Art. 17): Delete your data ("right to be forgotten")
  • Right to Restrict Processing (Art. 18): Limit how we use your data
  • Right to Data Portability (Art. 20): Receive your data in machine-readable format
  • Right to Object (Art. 21): Object to processing based on legitimate interest
  • Right to Withdraw Consent (Art. 7(3)): For consent-based processing

To exercise these rights:

  • Email: support@tikplaygames.com with subject "Data Protection Request"
  • Response time: Within 30 days (may be extended to 60 days for complex requests)
  • Free of charge (except for manifestly unfounded or excessive requests)

You also have the right to lodge a complaint with your local data protection authority.

6. Cookies and Tracking

We use different categories of cookies:

Strictly Necessary Cookies

  • User authentication and security
  • Basic platform functionality
  • Session management

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)

Performance/Analytics Cookies

  • Google Analytics for usage statistics
  • Vercel Analytics for web vitals and performance metrics
  • Sentry for error tracking, performance monitoring, and limited session replay (see Section 4.1)
  • Game performance monitoring

Legal basis: Consent (Art. 6(1)(a) GDPR) - requires opt-in

Marketing Cookies

For users on the free tier, we display advertising provided by Google AdSense, including video ads via the Google IMA SDK. AdSense uses cookies and similar technologies to serve and measure ads, and may serve personalized advertising where you have consented. Premium subscribers do not see ads.

  • Google AdSense — display, banner and sidebar ads
  • Google IMA SDK — in-stream video ads
  • Google Funding Choices — consent management for ad personalization (TCF v2)
  • TikTok Pixel — measurement of page views and conversions from our TikTok marketing campaigns (cookies such as _ttp)

Legal basis: Consent (Art. 6(1)(a) GDPR, § 25 TTDSG) - requires explicit opt-in

Cookie Consent Management

When you first visit TikPlay, you'll see our cookie banner requesting your consent for non-essential cookies. You can customize your preferences at any time through the banner or browser settings. Withdrawing consent for non-essential cookies may limit some features.

7. Third-Party Services / Recipients

To operate the platform we engage the following processors and service providers. The data shared is limited to what is necessary for the respective purpose:

Platform Integration

  • TikTok (TikTok Pte. Ltd., Singapore / TikTok Inc., USA): Livestream integration, gift events, comments and viewer interactions via the TikTok API

Authentication

  • Firebase Authentication (Google Ireland Ltd., Ireland / Google LLC, USA): User account management, session tokens
  • Google Sign-In (Google Ireland Ltd., Ireland / Google LLC, USA): Optional OAuth login via your Google account

Backend, Database & Storage

  • Firebase (Firestore, Realtime Database, Cloud Functions, Cloud Storage; Google Ireland Ltd. / Google LLC, USA): Backend services, game configurations, user profiles, premium status, asset storage
  • Cloudflare R2 (Cloudflare, Inc., USA): CDN for game assets and media at cdn.tikplaygames.com
  • Vercel (Vercel Inc., USA): Hosting of the web application, edge functions, image optimization, server logs

Payments

  • Stripe (Stripe Payments Europe Ltd., Ireland / Stripe Inc., USA): Subscription processing, checkout sessions, customer portal, billing data

Analytics & Error Monitoring

  • Google Analytics / Google Tag Manager (Google Ireland Ltd. / Google LLC, USA): Aggregate usage analytics, event tracking, conversion measurement
  • Vercel Analytics (Vercel Inc., USA): Web vitals and page performance metrics
  • Sentry (Functional Software, Inc. dba Sentry, USA): Error reporting, performance traces, and limited session replay (see Section 4.1)

Marketing & Conversion Tracking

  • TikTok Pixel (TikTok Pte. Ltd., Singapore / TikTok Inc., USA / TikTok Technology Ltd., Ireland): Pixel-based measurement of page views and conversion events on tikplay.games to evaluate the performance of our marketing campaigns on TikTok and to optimise advertising audiences. Data processed includes IP address, user agent, timestamp, page URL, referrer, event type and a pixel cookie identifier (_ttp). Data may be combined by TikTok with information already held about TikTok users. The pixel is loaded only after you have given consent via our cookie banner.

Legal basis: Consent (Art. 6(1)(a) GDPR, § 25(1) TTDSG). You can withdraw consent at any time via the cookie banner.

Advertising (Free Tier Only)

  • Google AdSense (Google Ireland Ltd. / Google LLC, USA): Banner, leaderboard and sidebar advertising for free users
  • Google IMA SDK (Google Ireland Ltd. / Google LLC, USA): In-stream video advertising
  • Google Funding Choices (Google Ireland Ltd. / Google LLC, USA): Consent management platform for ad personalization (IAB TCF v2)

Premium subscribers do not see advertising and are excluded from ad-related cookies.

Game Engines & Runtime

  • Unity (Unity Technologies, USA): Rendering engine for Unity-based games
  • Three.js / Phaser: Open-source rendering libraries running locally in your browser; no data is sent to their authors

Each service has its own privacy policy governing their data practices. Where required, we have entered into Data Processing Agreements (DPAs) and Standard Contractual Clauses with these providers.

7.1 International Data Transfers

Some of our service providers are located outside the European Economic Area (EEA):

United States

TikTok, Stripe, Google/Firebase, Vercel, Cloudflare, Sentry, Unity

  • Where the recipient is certified, transfers are protected by the EU-US Data Privacy Framework (Adequacy Decision 2023). Google LLC and Vercel Inc. are DPF-certified.
  • For all other US transfers we rely on EU Standard Contractual Clauses (SCCs) and additional technical and organizational measures (encryption in transit and at rest, access controls).
  • You acknowledge that US authorities may have access rights to data processed in the US, and that effective legal remedies may be more limited than under EU law.

Singapore, Ireland and other jurisdictions (TikTok)

For the TikTok API integration and the TikTok Pixel, personal data may be transferred to TikTok Technology Ltd. (Ireland), TikTok Pte. Ltd. (Singapore) and TikTok Inc. (USA). TikTok states that data may also be made accessible to its corporate group, including entities in China, where engineers may have remote access for technical and security purposes.

  • Transfers outside the EEA are protected by EU Standard Contractual Clauses (SCCs) and supplementary measures published by TikTok in their Privacy Policy and Project Clover documentation.
  • There is currently no adequacy decision for Singapore or China; you acknowledge that the level of data protection in these jurisdictions may be lower than in the EEA and that effective legal remedies may be limited.
  • You can withdraw your consent for the TikTok Pixel at any time via our cookie banner.

Other Countries

Currently none - Any future transfers will use appropriate safeguards (SCCs, adequacy decisions)

You have the right to request information about safeguards for international transfers.

8. Data Retention

We retain your data for specific periods based on the type of information:

  • Account Information: Until account deletion or 3 years after last login
  • Game Performance Data: 2 years after last gaming session
  • TikTok Integration Data: 1 year after disconnection of TikTok account
  • Payment/Subscription Data: 7 years (German tax law requirements)
  • Analytics Data: 26 months (Google Analytics standard)
  • Support Communications: 3 years after case closure
  • Security Logs: 6 months after incident

After these periods, data is automatically deleted or anonymized.

9. Children's Privacy

TikPlay is not directed to children. In the European Union, and specifically in Germany, the digital age of consent under Article 8 GDPR is 16 years. Users under 16 require verifiable consent from a parent or legal guardian to use TikPlay or have their personal data processed. We do not knowingly collect personal information from children under this age without such consent. If you believe a minor has provided us with personal data without proper authorisation, please contact us at support@tikplaygames.com and we will delete the data without undue delay.

10. Data Protection Officer

Based on our current processing activities and company size, we are not required to appoint a Data Protection Officer under Art. 37 GDPR.

For data protection inquiries, contact us directly at support@tikplaygames.com.

We will reassess this requirement as our business grows and will appoint a DPO if legally required.

11. Contact Us

For privacy-related questions or concerns, contact us at:

Email: support@tikplaygames.com

Website: https://tikplay.games

Operator: TikPlay – Cakir Emre Yunus & Güngörmüs Atakan Aytac GbR