Privacy Notice
Last updated: 3 May 2026
This Privacy Notice explains how personal data is processed on P(l)ay to Win, an academic research platform developed as part of a Master's thesis in Information Systems Management at ISCTE-IUL.
1. Data Controller
António Sérgio Veloso Nunes Simões — Master's student, ISCTE — Instituto Universitário de Lisboa.
Thesis: "Sistema de informação para a Deteção e Rating de Dark Patterns em Videojogos".
Contact: [email protected]
2. What Data Is Processed
When you sign in via Google, the platform processes:
- Email address and full name (from your Google account, via Auth0)
- Institutional affiliation and research intent (from your access request)
- Account metadata: role, access status, account creation timestamp
- Submitted content: evidence (game screenshots, descriptions, questionnaire answers), annotations, votes, and replies you contribute
- Activity logs: an audit trail of administrative actions you perform (if applicable)
- Authentication tokens: stored in your browser's localStorage to keep you signed in (handled by the Auth0 SDK)
3. Why This Data Is Processed
- To restrict access to verified researchers (legitimate interest, Art. 6(1)(f) GDPR)
- To attribute submitted research artefacts to their contributors (consent + legitimate research interest, Art. 6(1)(a) and 6(1)(f))
- To maintain the integrity of the dataset used in the Master's thesis (legitimate research interest)
- To enable academic accountability through audit logs
4. Sub-Processors
| Service | Purpose | Region |
|---|---|---|
| Auth0 (Okta) | Identity provider | EU |
| OAuth sign-in | US | |
| Railway | Hosting (database, backend, file storage) | EU (Amsterdam) |
| OpenRouter | LLM-assisted annotation of submitted content | US |
Submitted content (review text, screenshots) may be sent to OpenRouter for automated annotation. Game metadata may be fetched from RAWG (no personal data sent).
5. How Long Data Is Kept
Personal data is retained for as long as your account exists. If you delete your account or request erasure, your account is anonymised: identifiers (email, name, affiliation, research intent) are removed, while submitted research artefacts (evidence, annotations) are retained in anonymised form to preserve the integrity of the thesis dataset.
6. Your Rights
Under the GDPR you have the right to:
- Access the personal data held about you
- Rectify inaccurate data
- Erase your account and personal data ("right to be forgotten")
- Object to processing or restrict it
- Receive your data in a portable format
- Withdraw consent at any time
- Lodge a complaint with the Portuguese supervisory authority (CNPD, www.cnpd.pt)
To exercise any of these rights, email [email protected]. You can also delete your account directly from your account page.
7. Cookies and Local Storage
The platform does not use tracking or analytics cookies. The Auth0 SDK stores authentication tokens in your browser's localStorage — this is strictly necessary for the sign-in flow.
8. International Transfers
Some sub-processors (Google, Railway, OpenRouter) may process data outside the EU. Where applicable, transfers rely on Standard Contractual Clauses or adequacy decisions issued by the European Commission.
9. Changes to This Notice
This notice may be updated as the thesis project evolves. Material changes will be reflected in the "Last updated" date above; existing users will be notified by email of any changes that materially expand processing.