Heads up! Mechanyx.GG utilizes Cookies in order to make everything work correctly.
If you'd like to read more about cookies, we invite you to check out our privacy policy

GDPR Compliance Center

The mission statement of Mechanyx.gg is "to unite players with each other and their future in eSports". Which means that we see players, creators, eSports organizations, and other users from all over the world. In order to bring the best darn-diddly eSports platform to a global audience we are required to comply with a number of data protection regulations - and none are more prominent than the European Union "General Data Protection Regulation" or "GDPR" for short.

The GDPR has been in effect since May of 2018 and while a lot of companies (with sometimes less-than-desirable intentions) breathed a collective sigh, we got hype!

The GDPR is at its core a win for online privacy and individual liberty - even if it only seems like laws surrounding personal data. Being that we live in a hyper-connected world now it's really easy for organizations to gather more data than necessary on individuals for the purposes of profiteering or selling said data for a quick buck.

GDPR seeks to curb this nefarious practice by putting into place a number of laws with the intent of protecting EU citizens against inappropriate, unlawful, or unapproved used of their data. The whole thought being that your data is your data - and GDPR is the lawful support of that statement.

Our goal with Mechanyx.gg is to consistently exceed the requirements and expectations of our users - and compliance to pivotal regulations such as GDPR is no exception. This page is intended for our user base (both here in the United States and abroad) to learn about how we approach GDPR compliance and the evolving set of checks and internal policies we design to be an example of GDPR compliance for non-EU data processors.

What are the standards?

When we set out to begin our GDPR compliance journey we did a lot of reading. And in the case of laws it's important to read primary sources and really learn how the laws work from those who wrote them.

That being the case we were happy to find a nifty guide from GDPR.eu (Which is co-funded by the European Union and regularly updated) which we will use as our checklist for the purposes of this page. The full checklist can be found here. ( external link to GDPR.eu)

It's important to realize that this checklist is not comprehensive but is still a good first step - and for the purposes of informing you about our data-processing activities we think it is a good overall view. Bear in mind there are a few points we can't fully elaborate on as doing so would expose our internal processes for protecting data to bad actors and risk. But what information we do offer is as transparent as we can possibly make it.

How we organize the checklist and our responses

What you will find below is a table with the particular GDPR checklist item, what it entails, how we meet compliance, and any relevant citations or further reading to clarify the standard. Each of these points is organized in it's own column and reads left to right.

We encourage you to not only review our responses but to also review the relevant citations for each line item to get a better context of the EU/GDPR office's thinking behind each point

The Checklist

Section 1: Lawful Basis and Transparency

GDPR Requirement Full Specification Our steps to Compliance Related Citations
Conduct an information audit to determine what information you process and who has access to it "Organizations that have at least 250 employees or conduct higher-risk data processing are required to keep an up-to-date and detailed list of their processing activities and be prepared to show that list to regulators upon request. The best way to demonstrate GDPR compliance is using a data protection impact assessment Organizations with fewer than 250 employees should also conduct an assessment because it will make complying with the GDPR's other requirements easier. In your list, you should include: the purposes of the processing, what kind of data you process, who has access to it in your organization, any third parties (and where they are located) that have access, what you're doing to protect the data (e.g. encryption), and when you plan to erase it (if possible)." Because Mechanyx.gg is a continually evolving platform and the nature of our data processing responsibilities is always changing we've made it a priority to do regular information audits on a quarterly basis AS WELL AS when when introducing new technology that could make people more interested in the nature of our data processing.

It's worth noting that as of right now Mechanyx.gg does not have 250 employees - but on the recommendation of the EU and to make compliance easier for when we do grow we have enacted regular information audits.
Art. 30 GDPR - "Records of processing activities" ( external link to GDPR.eu)

Archive of Mechanyx.gg information audits
Have a legal justification for your data processing activities "Processing of data is illegal under the GDPR unless you can justify it according to one of six conditions listed in Article 6. There are other provisions related to children and special categories of personal data in Articles 7-11. Review these provisions, choose a lawful basis for processing, and document your rationale. Note that if you choose "consent" as your lawful basis, there are extra obligations, including giving data subjects the ongoing opportunity to revoke consent. If "legitimate interests" is your lawful basis, you must be able to demonstrate you have conducted a privacy impact assessment." Mechanyx.gg seeks consent to data processing from our users by way of a automated message that is presented to the user every time they visit our site. This is common practice for companies both inside and outside the EU (you've probably clicked through one such prompt on another site).

This brings us into lawful processing under Article 6 GDPR subsection 1, point a: 'the data subject has given consent to the processing of his or her personal data for one or more specific purposes;".

GDPR also provisions certain requirements for children under the age of 16 and residing in the EU. We require all users of Mechanyx.gg who reside in the EU member states to be at least 16 years of age before using the platform. This requirement is outlined in our Privacy Policy which we encourage you to review and is required for anyone signing up for or interacting with Mechanyx.gg
Art. 6 GDPR - "Lawfulness of processing" ( external link to GDPR.eu)

Art. 7 GDPR - "Conditions for consent" ( external link to GDPR.eu)

Art. 8 GDPR - "Conditions applicable to child’s consent in relation to information society services" ( external link to GDPR.eu)

Mechanyx.gg Privacy Policy
Provide clear information about your data processing and legal justification in your privacy policy "You need to tell people that you're collecting their data and why (Article 12). You should explain how the data is processed, who has access to it, and how you're keeping it safe. This information should be included in your privacy policy and provided to data subjects at the time you collect their data. It must be presented "in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child."" Article 12 is one of the key pieces of GDPR and outlines the requirements for us to report what data and how it is used on Mechanyx.gg. We are required to put this information in our privacy policy - and we did just that! Click the link at the bottom of this page or in the related citations section to read through our full article 12 statement. Mechanyx.gg Privacy Policy

Mechanyx.gg Article 12 GDPR Statement

Section 2: Data Security

GDPR Requirement Full Specification Our steps to Compliance Related Citations
Take data protection into account at all time, from the moment you begin developing a product to each time you process data. "You must follow the principles of "data protection by design and by default," including implementing "appropriate technical and organizational measures" to protect data. In other words, data protection is something you now have to consider whenever you do anything with other people's personal data. You also need to make sure any processing of personal data adheres to the data protection principles outlined in Article 5. Technical measures include encryption, and organizational measures are things like limiting the amount of personal data you collect or deleting data you no longer need. The point is that it needs to be something you and your employees are always aware of." The core of this requirement is something known as "privacy by design" or "data protection by design". This is more of a design philosophy versus a task to be completed. Privacy by design is a principle here at Mechanyx that we take very seriously - and our litmus test for this requirement is "would we let our grandparents use our site?"

It seems kind of silly but a serious question to ask is with your data protection and processing standards would you allow a close family member to use your site? If not then some things need to change.

All of the features of Mechanyx.gg are built with privacy-by-design.
Art. 5 GDPR - "Principles relating to processing of personal data" ( external link to GDPR.eu)
Encrypt, pseudonymize, or anonymize personal data wherever possible "Most of the productivity tools used by businesses are now available with end-to-end encryption built in, including email, messaging, notes, and cloud storage. The GDPR requires organizations to use encryption or pseudeonymization whenever feasible." Encryption might be the most important aspect of data security - and here at Mechanyx we take it very seriously.

Mechanyx.gg leverages both encryption-at-rest and encryption-in-transit using industry standard encryption method for all data across all features and services. If you are trusting us with your data you can be assured it's encrypted and protected like it were our own personal data.
Create an internal security policy for your team members, and build awareness around data protection "Even if your technical security is strong, operational security can still be a weak link. Create a security policy that ensures your team members are knowledgeable about data security. It should include guidance about email security, passwords, two-factor authentication, device encryption, and VPNs. Employees who have access to personal data and non-technical employees should receive extra training in the requirements of the GDPR." Operational security is a culture - not a standard. Here at Mechanyx we make it a priority to embed OppSec into everything we do.

In additional to technical OppSec measures such as restrictive access control for all members of staff to ensure those who don't need to see data do not, to requiring TFA on all accounts we also regularly have discussions around the evolving OppSec landscape to make sure everyone is up to speed on how to keep things safe.
Know when to conduct a data protection impact assessment, and have a process in place to carry it out. "A data protection impact assessment (aka privacy impact assessment) is a way to help you understand how your product or service could jeopardize your customers' data, as well as how to minimize those risks. The UK Information Commissioner's Office (ICO) has a data protection impact assessment checklist on its website. The GDPR requires organizations to carry out this kind of analysis whenever they plan to use people's data in such a way that it's "likely to result in a high risk to [their] rights and freedoms." The ICO recommends just doing it anytime you're about to process personal data." Privacy Impact Assessments are to us a "not if but when" analysis where the organization takes into account the risk posed to their users when data is taken without permission.

We do these assessments internally in line with our information audits.
Art. 35 GDPR - "Data protection impact assessment" ( external link to GDPR.eu)
Have a process in place to notify the authorities and your data subjects in the event of a data breach "If there's a data breach and personal data is exposed, you are required to notify the supervisory authority in your jurisdiction within 72 hours. A list of many of the EU member states supervisory authorities can be found here. The GDPR does not specify whom you should notify if you are not an EU-based organization. For those in English-speaking non-EU countries, you may find it easiest to notify the Office of the Data Protection Commissioner in Ireland. You are also required to quickly communicate data breaches to your data subjects unless the breach is unlikely to put them at risk (for instance, if the stolen data is encrypted)." Because we are based in the United States, the GDPR does not have specific instructions on who we report to. However in the rare event of a breach we opt to take the recommended path of notifying the Office of the Data Protection Commissioner in Ireland.

In addition in the course of our post-breach analysis and research we discover the whereabouts of the offending party we pledge to notify their local authorities and keep them apprised of what we find.

As a user of Mechanyx.gg we will notify you of any suspected breaches/impacts by way of your notification panel (found when you first sign in) as well as on our various social media platforms and streams.
Art. 33 GDPR - "Notification of a personal data breach to the supervisory authority" ( external link to GDPR.eu)

Section 3: Accountability and Governance

GDPR Requirement Full Specification Our steps to Compliance Related Citations
Designate someone responsible for ensuring GDPR compliance across your organization "Another part of "data protection by design and by default" is making sure someone in your organization is accountable for GDPR compliance. This person should be empowered to evaluate data protection policies and the implementation of those policies." The person in charge of GDPR compliance within Mechanyx Codeworks (and thusly mechanyx.gg) is Andrew "Ais4Drew" Lenczy who also serves as Mechanyx's Data Protection Officer.
Sign a data processing agreement between your organization and any third parties that process personal data on your behalf. "This includes any third-party services that handle the personal data of your data subjects, including analytics software, email services, cloud servers, etc. The vast majority of services have a standard data processing agreement available on their websites for you to review. They spell out the rights and obligations of each party for GDPR compliance. You should only use third parties that are reliable and can make sufficient data protection guarantees." This provision is more internal for us to ensure our vendors are compliant - but we'd be happy to let you know who we work with specifically and where you can find their DPAs.

We use Stripe as our payment processing platform and to securely handle credit card transactions on our platform.

We use Auth0 for identity and access management and to allow you to sign in securely using your favorite social media platform. This keeps your personal information off of our severs and allows us to only have to store your username and a number of other small things.

We use Microsoft Azure for hosting and cloud functionality.

We also use Amazon Web Services for hosting and cloud functionality.

Where possible we have signed and retained digitally internal copies of each of these DPAs for our own records. In the case that the document could not be signed the documents are still reviewed and relevant objections (if any) are raised to the vendor by us.

We encourage you to read each of these DPAs to understand what data each of these vendors processes on our behalf. The link to each of the documents can be found in the Related Citations
Data Processing Addendum - Stripe ( external link to stripe.com - legacy document)

Data Processing Addendum - Auth0 ( external link to cdn.Auth0.com)

Data Processing Addendum - Amazon Web Services ( external link to d1.awsstatic.com)

Data Processing Addendum - Microsoft Azure ( external link to microsoft.com)
If your organization is outside the EU, appoint a representative within one of the EU member states "If you process data relating to people in one particular member state, you need to appoint a representative in that country who can communicate on your behalf with data protection authorities. The GDPR and its official supporting documents do not give guidance for situations where processing affects EU individuals across multiple member states. Until this requirement is interpreted, it may be prudent to designate a representative in a member state that uses your language. Some organizations, like public bodies, are not required to appoint a representative in the EU." As we are a US company and the interpretation for this clause for non-EU country is still out, we choose to interact on behalf of ourselves and report needed compliance information to the Office of the Data Protection Commissioner in Ireland as this is an English-speaking EU office.
Appoint a Data Protection Officer (if necessary) "There are three circumstances in which organizations are required to have a Data Protection Officer (DPO), but it's not a bad idea to have one even if the rule doesn't apply to you. The DPO should be an expert on data protection whose job is to monitor GDPR compliance, assess data protection risks, advise on data protection impact assessments, and cooperate with regulators." Because we are still a small company we don't have an obligation to appoint a Data Protection Officer - but we're never satisfied with just doing what's required. So we appointed a DPO anyway!

Mechanyx Codeworks's Data Protection Officer is Andrew "Ais4Drew" Lenczy.

You can reach Andrew's office by way of:

Email: Contactus@mxcw.us
Phone: +1 682 288 8322
Standard rates do apply

Section 4: Privacy Rights

GDPR Requirement Full Specification Our steps to Compliance Related Citations
It's easy for your customers to request and receive all the information you have about them. "People have the right to see what personal data you have about them and how you're using it. They also have a right to know how long you plan to store their information and the reason for keeping it that length of time. You have to send them the first copy of this information for free but can charge a reasonable fee for subsequent copies. Make sure you can verify the identity of the person requesting the data. You should be able to comply with such requests within a month." If you would like to see a copy of all the information we currently have stored for your account (and also have the ability to copy/port said data) simply visit your account settings and click on the "View Your Data" link under "GDPR Data".
It's easy for your customers to correct or update inaccurate or incomplete information "Do your best to keep data up to date by putting a data quality process in place, and make it easy for your customers to view (Article 15) and update their personal information for accuracy and completeness. Make sure you can verify the identity of the person requesting the data. You should be able to comply with requests under Article 16 within a month." Mechanyx.gg is quite modular and has a lot of features and sections of the site. The cool part is that all of these sections are data-driven by data that you give us!

To update information on your overall Mechanyx.gg account you simply need to visit the "account settings" page which is accessed by the sidebar that slides out when you click on your username in the upper right corner of the page.

To update information related to other features of Mechanyx.gg like ToTheCause, you simply need to visit that service's management page and there will be a section where you can update the data associated with that particular feature or service.
It's easy for your customers to request to have their personal data deleted "People generally have the right to ask you to delete all the personal data you have about them, and you have to honor their request within about a month. There are a five grounds on which you can deny the request, such as the exercise of freedom of speech or compliance with a legal obligation. You must also try to verify the identity of the person making the request." We take "the right to be forgotten" very seriously and have designed a comprehensive "delete account" feature that scrubs your account and all it's data.

The delete account feature can be found under account settings and is PERMANENT and IRREVERSIBLE

Some data we have to keep records of for legal compliance however. Transaction data for ToTheCause and chat logs from DMs and communities are a good example.

In the case of these privileged pieces of information your username and other data will be redacted so as to still protect your privacy and right to be forgotten.

A comprehensive list of privileged data that remains can be found in the "delete account" section of the account settings along with our reasoning for having to retain the information.
It's easy for your customers to stop processing your data "Your data subjects can request to restrict or stop processing of their data if certain grounds apply, mainly if there's some dispute about the lawfulness of the processing or the accuracy of the data. You are required to honor their request within about a month. While processing is restricted, you're still allowed to keep storing their data. You must notify the data subject before you begin processing their data again." Data processing on Mechanyx.gg happens in real time. Meaning that as your interact with the platform the needed data is processed and stored at the time of your interaction.

This means if you want us to stop processing your data all you have to do is sign out and refrain using the site until such a time as you are comfortable with us processing additional data.
It's easy for your customers to receive a copy of their personal data in a format that can be easily transferred to another company "This means that you should be able to send their personal data in a commonly readable format (e.g. a spreadsheet) either to them or to a third party they designate. This may seem unfair from a business standpoint in that you may have to turn over your customers' data to a competitor. But from privacy standpoint, the idea is that people own their data, not you." If you would like to see a copy of all the information we currently have stored for your account (and also have the ability to copy/port said data) simply visit your account settings and click on the "view data" link under "GDPR Data".

All data under this section is formatted in a CSV style format that will import into a number of different modern software solutions such as Microsoft Excel.

Simply copy the tables and data you need and move it to wherever you like! This data will always be available to you until you delete it individually or delete your account.
It's easy for your customers to object to you processing their data "If you're processing their data for the purposes of direct marketing, you have to stop processing it immediately for that purpose. Otherwise, you may be able to challenge their objection if you can demonstrate "compelling legitimate grounds."" We are proud to say Mechanyx.gg does not take part in the practice of selling (or otherwise making available) customer data for the purposes of direct (or any other type of) marketing.

Therefore you don't have to worry about objecting!
If you make decisions about people based on automated processes, you have a procedure to protect their rights "Some types of organizations use automated processes to help them make decisions about people that have legal or "similarly significant" effects. If you think that applies to you, you'll need to set up a procedure to ensure you are protecting their rights, freedoms, and legitimate interests. You need to make it easy for people to request human intervention, to weigh in on decisions, and to challenge decisions you've already made." Mechanyx.gg does not have any such automated systems - so no worries here!

Help us keep .gg free!

Official Mechanyx.gg dono/sub page

Let's Get Connected!

Copyright © 2024 Mechanyx Codeworks

YEE-HAW! This site is developed by programmers, creatives, and other talented peeps in the great state of Texas.