1. Introduction

Antistatic Studios Inc. (“we,” “our,” or “us”) is the data controller under the GDPR for personal data processed when you use Phantom Line, a video game available on the Epic Games Store. We do not operate our own data collection servers. All data processing is carried out by third-party service providers acting as data processors or independent controllers, as described in this policy.

​

Phantom Line does not require you to create an account with us or provide personal details directly. All data collection occurs through the third-party services described below when you use online features such as co-op matchmaking, friends lists, and crash reporting.

​

This Privacy Policy explains what data is processed, by whom, why, and what rights you have regarding that data.

​

2. Data Controller and Representatives

2.1. Data Controller

For the purposes of the EU General Data Protection Regulation (GDPR), the data controller — the entity that determines the purposes and means of processing your personal data — is:

 

Antistatic Studios Inc.

Contact: contact@antistaticstudios.com

 

We do not have a designated Data Protection Officer (DPO). All privacy inquiries are handled directly by our legal team at the email address above.

​

2.2. EU Establishment

Antistatic Studios Inc. processes personal data of users in the European Union in the context of the activities of its EU establishment, PL 0451 Sp. z o.o., with its registered office in Kraków, Poland. PL 0451 Sp. z o.o. is the entity through which Antistatic Studios Inc. conducts its European Union operations relating to Phantom Line, and constitutes an establishment within the meaning of Article 3(1) of the GDPR. Accordingly, the GDPR applies in full to the processing of personal data carried out in the context of the activities of that establishment. The competent lead supervisory authority is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, UODO), Warsaw, Poland. Data subjects residing in the European Union may contact PL 0451 Sp. z o.o. directly on all matters relating to the processing of their personal data by Antistatic Studios Inc.

​

PL 0451 Spółka z ograniczoną odpowiedzialnością

Rynek Główny 34/15
31-010 Kraków, Poland

NIP:6762712009

Email: contact@antistaticstudios.com

​

​

3. Third-Party Services and Data Processing

We do not operate data storage infrastructure. The following third-party services process personal data in connection with Phantom Line. A data processor acts on our behalf under our instructions; an independent controller determines its own processing purposes. Formal Data Processing Agreements (Art. 28 GDPR) are in place or will be executed with all processors prior to commercial launch.

​

3.1. Epic Online Services

Epic Online Services (“EOS”), operated by Epic Games, Inc. (“Epic Games”), provides account authentication, online matchmaking, and social features such as friends lists and game invitations.

 

Data protection role: Epic Games acts as an independent controller for data it collects in connection with your Epic Games account (account creation, login credentials, purchase history). For matchmaking and lobby services provided through EOS APIs, Epic acts as a data processor on our behalf.

 

Data processed:

Epic Games account information (as part of authentication)

Matchmaking and lobby session data

Friends list and social graph information

Game purchase and entitlement data (managed by Epic as independent controller)

 

Purpose: To enable you to log in, find matches, play with friends, and access online game features.

 

Retention: Epic retains data in accordance with its own privacy policy. Account data is generally retained for the lifetime of your Epic account.

 

Legal basis (GDPR): Performance of a contract (Art. 6(1)(b)) — these services are necessary to deliver the online features of the game you purchased.

 

Privacy Policy: https://www.epicgames.com/site/en-US/privacypolicy

 

Note: Epic Games also handles all payment processing for purchases made through the Epic Games Store, acting as an independent controller for payment data. Antistatic Studios does not receive or process any payment information.

​

3.2. Microsoft PlayFab

PlayFab, operated by Microsoft Corporation, serves as our backend infrastructure for multiplayer and online features. All persistent data required to operate these features is stored in PlayFab.

 

Data protection role: Microsoft acts as a data processor on our behalf for data stored and processed through PlayFab. Microsoft’s Online Services Terms include a Data Protection Addendum that governs how data is processed on behalf of customers. We retain administrative access to PlayFab’s dashboards to manage the service, respond to data subject requests, and fulfill our obligations as data controller.

 

Account and Identity Data

Platform identifiers (e.g., Steam ID) for authentication and cross-platform account linking

Display names from your connected platform, used to identify you to other players during co-op sessions

 

Social Data

Your publicly visible friends list from connected platforms, cached to enable friend invitations and co-op session joining. Only friends whose privacy settings allow public visibility are retrieved.

 

Session and Matchmaking Data

Lobby and session IDs generated during multiplayer matchmaking

Session timestamps (creation, join, and end times)

Connection metadata required to establish and maintain co-op gameplay

 

Login Data: Each time you sign in to online services, PlayFab automatically records a login event as part of its standard platform functionality. This includes:

Login timestamp (date and time of each sign-in)

Platform used to authenticate (e.g., Steam)

IP address at the time of login

Approximate city-level location, inferred from your IP address

Country and region, inferred from your IP address

 

This login data is used for account security, fraud prevention, DDoS protection, and operational diagnostics. We do not use this data for marketing, advertising, profiling, or any purpose beyond the operation and security of multiplayer services.

 

Regional Data for Matchmaking

Your country or sub-region, derived from login data, used to improve matchmaking quality

 

Purpose: To operate multiplayer features, authenticate players, enable social features, ensure account security, and prevent fraud.

 

Retention: PlayFab retains data for the duration of your account’s existence on the platform. Login event data may be retained for up to 90 days for security and diagnostic purposes, in accordance with Microsoft’s data retention policies.

 

Legal basis (GDPR): Performance of a contract (Art. 6(1)(b)) for multiplayer functionality; Legitimate interests (Art. 6(1)(f)) for account security, fraud prevention, and DDoS protection.

 

Privacy Policy: https://privacy.microsoft.com/privacystatement

​

3.3. Sentry (Crash and Error Reporting)

Sentry, operated by Functional Software, Inc., helps us monitor game stability and diagnose crashes. When an error or crash occurs, Sentry collects technical diagnostic data so we can identify and fix issues.

 

Data protection role: Functional Software acts as a data processor on our behalf. Sentry’s terms of service include data processing provisions governing how crash and error data is handled.

​

Important privacy safeguards:

sendDefaultPii is disabled — this means Sentry does not transmit personally identifiable information such as usernames, email addresses, or user IDs.

Prevent Storing IP Addresses is enabled — your IP address is not stored by Sentry, even if it is visible in the network connection during transmission.

​

Data collected by Sentry:

Crash reports (minidumps): a snapshot of the application’s memory state at the time of a crash, including stack traces and thread states. Raw minidumps are processed and then deleted — they are not stored.

Error messages and stack traces describing what went wrong and where in the code

Breadcrumbs: a trail of application events leading up to a crash (state transitions, system events) — these do not contain user-identifiable information

Device information: operating system, CPU model, GPU model, driver version, available RAM

Application version and build identifier

A randomly generated device ID, unique per installation. This is not a hardware identifier and cannot be used to identify you personally or across different applications.

​

Purpose: To detect, diagnose, and fix crashes and errors, improving game stability for all players.

​

Retention: Sentry retains error event data for 90 days by default. Raw minidumps are processed and immediately deleted.

​

Legal basis (GDPR): Legitimate interests (Art. 6(1)(f)) — maintaining software quality and fixing bugs is in our legitimate interest and benefits all players.

​

Privacy Policy: https://sentry.io/privacy/

​

3.4. Discord Rich Presence

We integrate Discord Rich Presence to display your in-game activity status on your Discord profile (e.g., “Playing Phantom Line — In Co-op Session”).

 

Data protection role: Discord Rich Presence operates via local inter-process communication (IPC) between the game and the Discord client on your device. No data is sent to Antistatic Studios. Once the activity data reaches Discord’s client, Discord Inc. processes it as an independent controller under its own privacy policy.

 

You can disable Rich Presence in Discord’s settings at any time.

 

Data involved: Game activity status, session duration, party size — all communicated locally.

 

Purpose: To show your friends on Discord what you’re playing.

 

Retention: No data is stored by us. Discord’s retention applies per their policy.

 

Legal basis (GDPR): Legitimate interests (Art. 6(1)(f)) — enhancing social experience for players who use Discord.

 

Privacy Policy: https://discord.com/privacy

​

3.5. Steam (Valve Corporation)

If you connect your Steam account to play Phantom Line, certain data is accessed via Steam’s APIs to enable authentication and social features.

 

Data protection role: Valve Corporation acts as an independent controller for your Steam account and the data associated with it. When we access data through Steam’s APIs (such as your Steam ID, display name, and public friends list), that data is subsequently stored in PlayFab where Microsoft acts as our data processor.

 

Data accessed via Steam APIs:

Steam ID (unique account identifier)

Display name

Public friends list (only friends whose privacy settings allow public visibility)

 

Purpose: Authentication and social features (friends list, co-op invitations).

 

Retention: Data accessed from Steam is stored in PlayFab for as long as your account exists. Subject to both Valve’s and Microsoft’s retention policies.

 

Legal basis (GDPR): Performance of a contract (Art. 6(1)(b)) for authentication; Legitimate interests (Art. 6(1)(f)) for social features.

 

Privacy Policy: https://store.steampowered.com/privacy_agreement/

 

4. Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation (GDPR), every instance of personal data processing must have a lawful basis. The following legal bases apply to the data processing described in this policy:

​

4.1. Performance of a Contract (Art. 6(1)(b))

When you purchase and play Phantom Line with online features, certain data processing is necessary to deliver the services you expect. This includes authentication through EOS and Steam, multiplayer matchmaking and session management through PlayFab, and social features such as friends lists. Without this processing, we could not provide the online gameplay experience.

​

4.2. Legitimate Interests (Art. 6(1)(f))

Some data processing is based on our legitimate interests, balanced against your rights and freedoms. This includes:

Crash and error reporting through Sentry (to maintain and improve game quality)

Login data collection by PlayFab (for account security, fraud prevention, and DDoS protection)

Discord Rich Presence (to enhance social features for players)

Cached friends list data (to enable smoother social interactions)

 

Legitimate Interest Assessment: We have conducted a Legitimate Interest Assessment (LIA) — also known as a balancing test — for each of these processing activities. In each case, we have concluded that our legitimate interests are not overridden by your fundamental rights and freedoms. These assessments consider the nature of the data processed, the reasonable expectations of players, the benefits to players and to us, and the safeguards we have put in place (such as disabling PII collection in Sentry and limiting data use to operational purposes).
 

You have the right to object to processing based on legitimate interests (see Section 5).

​

4.3. Legal Obligation (Art. 6(1)(c))

In limited circumstances, data may need to be retained or disclosed to comply with legal obligations, such as responding to lawful requests from authorities or fulfilling tax and accounting requirements. This applies to our third-party service providers insofar as they may be required by law to retain certain records.

​

5. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights regarding your personal data:

Right of Access (Art. 15) — You can request a copy of the personal data we process about you and information about how it is used.

Right to Rectification (Art. 16) — You can ask us to correct any inaccurate or incomplete personal data.

Right to Erasure (Art. 17) — You can request the deletion of your personal data where there is no compelling reason for its continued processing.

Right to Restrict Processing (Art. 18) — You can request that we limit how your data is processed in certain circumstances.

Right to Data Portability (Art. 20) — You can request to receive your personal data in a structured, commonly used, machine-readable format.

Right to Object (Art. 21) — You can object to the processing of your personal data based on our legitimate interests. We will stop processing unless we demonstrate compelling legitimate grounds.

Right to Withdraw Consent (Art. 7) — Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

 

How to exercise your rights:

Send your request to contact@antistaticstudios.com or contact our EU Establishment (see Section 2.2). Please describe your request clearly so we can identify you and respond appropriately. We will respond within 30 days of receiving your request. If we need more time (up to an additional 60 days for complex requests), we will inform you of the extension and the reasons for it.

​

Because data processing involves multiple service providers with different data protection roles, the process for fulfilling your request depends on the data and provider involved:

For data held by our processors (PlayFab, Sentry), we will instruct them to fulfill your request.

For data held by independent controllers (Epic Games, Valve, Discord), we will direct you to the relevant provider or coordinate on your behalf where possible.

 

Impact on game services: Please be aware that exercising certain rights may affect your ability to use Phantom Line’s online features. For example, if you request erasure or restriction of data that is necessary for authentication, matchmaking, or session management, we may no longer be able to provide those online services to you. We will always inform you of any such consequences before processing your request, so you can make an informed decision.

 

Limitations on certain rights: Some rights are subject to legal exceptions. For instance, the right to erasure does not apply where processing is necessary for the performance of a contract (Art. 17(3)(b) GDPR). If you object to processing based on our legitimate interests (Art. 21), we may continue processing if we can demonstrate compelling legitimate grounds, such as the security of your account and our infrastructure (consistent with GDPR Recital 49). We will explain the applicable legal basis in our response to your request.

​

Right to lodge a complaint: If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EEA supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

​

6. Your Rights Under CCPA (California Residents)

If you are a California resident, the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”) grants you the following rights over your personal information. Categories of personal information collected by our third-party providers include: identifiers (such as Steam IDs, platform display names, IP addresses), internet or similar network activity (such as login timestamps, session data, crash reports), and geolocation data (approximate city and country derived from IP address).

​

6.3. Your California Privacy Rights

Right to Know (§1798.100) — You have the right to request that we disclose the categories and specific pieces of personal information collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom it is shared.

​

Right to Delete (§1798.105) — You have the right to request deletion of your personal information. Because data is held by third-party providers, we will coordinate with them to process your request.

 

Right to Correct (§1798.106) — You have the right to request correction of inaccurate personal information.

 

Right to Opt-Out of Sale or Sharing (§1798.120) — We do not currently sell or share your personal information as defined by the CCPA/CPRA (see Section 6.3). Should this ever change, we will update this policy and provide a clear opt-out mechanism.

 

Right to Limit Sensitive Personal Information (§1798.121) — You have the right to limit the use of sensitive personal information. We do not collect sensitive personal information as defined by the CPRA.

 

Right to Non-Discrimination (§1798.125) — We will not discriminate against you for exercising any of your CCPA rights.

​

6.2. Sale and Sharing of Personal Information

Antistatic Studios does not currently sell your personal information, nor do we “share” it for cross-context behavioral advertising as defined under the CPRA. We do not receive monetary or other valuable consideration in exchange for personal information. Our third-party service providers process data solely to provide the game’s online features, not for advertising or sale to third parties.

​

We do not currently use analytics tools, behavioral telemetry, or cross-context advertising that would constitute “sharing” under the CPRA. If we introduce any such tools in the future, we will update this policy, provide notice to users, and implement the required opt-out mechanisms before any such processing begins.

​

6.3. How to Submit a Request

To exercise your CCPA rights, contact us at contact@antistaticstudios.com. You may also designate an authorized agent to submit requests on your behalf. We will verify your identity before processing your request by asking you to confirm information associated with your account (such as your platform username or Steam ID). We will respond within 45 days of receiving a verifiable request, with the possibility of a 45-day extension if necessary.

​

If you have concerns about how your CCPA rights are being handled, you may contact the California Attorney General at https://oag.ca.gov/contact/consumer-complaint-against-business-or-company.

​

7. International Data Transfers

Phantom Line is available globally, and the third-party services we use may process data in various countries, including the United States.

Microsoft PlayFab may transfer and store data in Microsoft data centers located outside the European Economic Area (EEA), including in the United States. Microsoft relies on Standard Contractual Clauses (SCCs) and other approved transfer mechanisms to ensure adequate protection of personal data transferred from the EEA.

Epic Games may process data in the United States and other jurisdictions. Epic relies on SCCs and other lawful transfer mechanisms for data originating from the EEA.

Sentry processes data in the United States. Functional Software, Inc. uses SCCs to safeguard international data transfers.

Valve (Steam) processes data in the United States. Valve relies on SCCs for international transfers of data from the EEA.

​

By using Phantom Line’s online features, you acknowledge that your data may be transferred to and processed in countries outside your country of residence. These transfers are protected by appropriate safeguards as required by applicable data protection laws.

​

8. Data Security

As the data controller, Antistatic Studios is responsible for ensuring that personal data is processed securely. While we do not operate our own data storage infrastructure, we carefully select service providers that maintain industry-standard security measures, we ensure that their terms of service include appropriate data processing provisions, and we retain administrative access to manage and protect your data:

Microsoft (PlayFab) employs enterprise-grade security including encryption at rest and in transit, network security controls, and regular security audits.

Epic Games maintains robust security infrastructure for its online services platform.

Sentry uses encryption and access controls to protect error reporting data.

​

While no system can guarantee absolute security, we select service providers that demonstrate strong commitments to data protection and we regularly review our integrations to ensure they meet our standards.

​

9. Data Breach Notification

In the event of a personal data breach that affects your data, we will take the following steps in accordance with applicable law:

GDPR (Art. 33 and 34):

If we become aware of a breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach.

If the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected individuals directly without undue delay, describing the nature of the breach, the likely consequences, and the measures taken or proposed to address it.

 

CCPA/CPRA:

If a breach involves unencrypted or unredacted personal information of California residents, we will notify affected individuals as required under California Civil Code §1798.82.

 

Our obligations to you:

The data processing provisions in our service agreements with processors (PlayFab, Sentry) require them to notify us promptly of any security incidents affecting data processed on our behalf.

Independent controllers (Epic Games, Valve, Discord) are responsible for their own breach notification obligations under applicable law.

We will coordinate with all relevant service providers to investigate and remediate any incidents, and will communicate transparently with affected users.

 

If you become aware of a potential security incident involving Phantom Line, please contact us immediately at contact@antistaticstudios.com

​

10. Cookies and Tracking Technologies

Phantom Line does not use cookies or tracking technologies. The game itself does not place cookies on your device or employ any tracking pixels, web beacons, or similar technologies.

​

Discord Rich Presence communicates locally between the game and your Discord client via local IPC. It does not use cookies and does not send data to our servers.

​

If you access the Epic Games Store or other platform storefronts to purchase Phantom Line, those platforms may use their own cookies and tracking technologies. Please refer to their respective privacy policies for details.

​

11. Children and Minors

Phantom Line may be played by persons under the age of 18. We take the protection of minors’ data seriously and provide the following information about how applicable laws are addressed:

COPPA (U.S.):

The Children’s Online Privacy Protection Act applies to the online collection of personal information from children under 13. Epic Games, as the platform operator, implements COPPA compliance mechanisms on the Epic Games Store, including parental controls and age-gating. Because Phantom Line does not independently collect personal information from children, and all data collection occurs through platform services, the platform’s COPPA compliance mechanisms serve as the primary safeguard.

 

GDPR (EU/EEA):

Under the GDPR, the processing of personal data of children requires particular attention. For users under 16 (or the applicable age in their member state), parental or guardian consent is generally required for processing based on consent. Phantom Line’s data processing relies primarily on contract performance (Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f)) rather than consent. However, we acknowledge that the ability of minors to enter into contracts may vary under national laws of EU member states. Platform-level account creation and age verification are managed by Epic Games and Steam, which bear primary responsibility for ensuring that their account creation processes comply with applicable age-of-consent requirements.

 

CCPA (CA):

We do not sell the personal information of minors under 16. Even if no sale occurs, we note this obligation for transparency.

 

If you are a parent or guardian and believe your child’s data has been collected or processed inappropriately in connection with Phantom Line, please contact us at contact@antistaticstudios.com and we will work with the relevant service provider to investigate and address your concerns promptly.

​

12. Contact and Support

If you have questions about this Privacy Policy, wish to exercise your data protection rights, or have any privacy-related concerns, you can reach us through the following channels:

 

Data Controller:

Antistatic Studios Inc.

Email: contact@antistaticstudios.com

 

EU Establishment:

PL 0451 Spółka z ograniczoną odpowiedzialnością
Email: contact@antistaticstudios.com

 

For GDPR complaints: You may contact your local supervisory authority. A list of EU/EEA data protection authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

 

For CCPA complaints: You may contact the California Attorney General’s office at https://oag.ca.gov.

​

13. Policy Updates and Changes

We may update this Privacy Policy from time to time to reflect changes in our practices, the services we integrate, or applicable laws. When we make changes, we will update the "Last Updated" date at the top of this document. For significant changes that materially affect your rights or how your data is handled — including the introduction of new third-party services, changes to data processing roles, or the adoption of analytics or advertising technologies — we will make reasonable efforts to notify you through available channels, which may include an in-game notice, an announcement on the game's store page (Epic Games Store or Steam), a post on our official community channels (such as Discord or social media), or a combination of these methods. We recognize that we do not collect your email address or maintain direct contact information, and therefore cannot notify you individually by email. We encourage you to review this Privacy Policy periodically. If you disagree with any changes to this policy, you may stop using Phantom Line's online features and contact us at contact@antistaticstudios.com to request erasure of your data in accordance with your rights under applicable law (see Sections 5 and 6).

​