Studio Blindspot Inc., trading as "Blindspot Games" ("we", "us", "our"), respects your privacy. This Privacy Policy explains what personal information we collect when you visit thehexadome.com (the "Website") or use HexaDome Tactics (the "Game", together the "Services"), why we collect it, how we use it, who we share it with, and the rights you have over your information.
Data controller: Studio Blindspot Inc., a legal person duly constituted under the laws of Quebec (Canada), trading under the "Blindspot Games" brand, having its registered office at 305 rue de Bellechasse, bureau 103, Montreal, Quebec H2S 1W9, Canada ("we", "us", "our"). You can contact us at legal@blindspot-games.com.
For the purpose of the EU General Data Protection Regulation (GDPR), the UK GDPR, the Quebec Act respecting the protection of personal information in the private sector (Law 25), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), and equivalent data-protection laws, the data controller (or "person carrying on the enterprise" under Quebec Law 25) is Studio Blindspot Inc. (details above).
1. Summary
- We collect only what is needed to operate the Services: account identifiers from Discord and Steam, your email address if you subscribe to the newsletter, and technical data such as IP address and device information.
- We use this information to authenticate you, run tournaments, send the newsletter (if you opted in), and improve the Services.
- We do not sell your personal information.
- You can access, correct, export, or ask us to delete your data by contacting us. Some categories may be kept for limited periods to comply with the law or to defend our rights (for example tournament results, anti-abuse records, accounting records related to cash prizes). Details are in Section 7 "Data retention".
2. Personal information we collect
The table below gives a quick overview of the main categories of personal data we process, the purpose of each processing activity, and the legal basis we rely on. The sub-sections that follow describe each category in more detail.
| Data category | Purpose | Legal basis |
|---|---|---|
| Account identifiers received from Discord and Steam (user ID, username, avatar URL, email). | Authenticating you, linking your Discord and Steam profiles to a single HexaDome account. | Performance of a contract (Art. 6(1)(b)) |
| Tournament data (registrations, team names, scores, rankings, match results). | Operating tournaments, displaying rankings, awarding prizes. | Performance of a contract (Art. 6(1)(b)) |
| Newsletter subscription (email address, proof of consent: timestamp, IP address, form source). | Sending the newsletter you signed up for and proving valid consent if asked. | Consent (Art. 6(1)(a)) |
| Technical and usage data (IP address, user agent, pages viewed, error logs, language, timezone). | Securing the Website, detecting suspicious sign-ins, debugging, measuring aggregate audience. | Legitimate interests (Art. 6(1)(f)) |
| Integrity and anti-abuse data (gameplay telemetry, account flags, sanctions history). | Detecting cheating, account boosting, collusion or other behaviour that compromises competitive integrity. | Legitimate interests (Art. 6(1)(f)) and performance of a contract (Art. 6(1)(b)) |
| Support correspondence (messages and any attachments you send us). | Responding to your questions and resolving issues. | Performance of a contract (Art. 6(1)(b)) or legitimate interests (Art. 6(1)(f)) depending on the request |
| Prize-related data (collected only if you win a cash prize: full name, address, identity document where required, payment details). | Verifying eligibility, paying the prize, complying with tax and accounting obligations. | Performance of a contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) |
2.1 Account and authentication
HexaDome Tactics lets you sign in using Discord or Steam. When you do, we receive the following from the identity provider:
- Discord: Discord user ID, username, avatar URL, email address (scopes `identify` and `email`).
- Steam: SteamID (64-bit), public profile name and avatar (via Steam OpenID).
We store these identifiers in our database to recognise you on subsequent visits and to link your Discord and Steam profiles within a single HexaDome account. We do not receive or store your Discord or Steam password.
2.2 Tournament participation
When you register for a tournament, we process your username, team name (if applicable), tournament progression, scores, and match results. Aggregate and individual results may be displayed on public rankings within the Services.
2.3 Newsletter
If you subscribe to the HexaDome newsletter, we collect your email address along with a record of your consent (timestamp, IP address, and form source) so we can demonstrate compliance with applicable law. The newsletter is delivered by MailerLite (see Section 5 - "Who we share information with").
2.4 Technical and usage data
When you visit the Website we automatically receive:
- IP address, user agent, referring page, language and timezone.
- Pages viewed, navigation events, approximate time spent.
- Crash reports and error logs (when the application encounters issues).
2.5 Communications you send us
If you contact us by email, on Discord, or through any support channel, we keep a record of the exchange and any information you provide so we can respond to you.
3. Legal basis for processing
Under the GDPR and UK GDPR, we rely on the following legal bases:
- Performance of a contract (Art. 6(1)(b)): authenticating you via Discord or Steam, running your HexaDome account, registering and operating tournaments, and providing customer support.
- Consent (Art. 6(1)(a)): sending the newsletter, deploying optional cookies (analytics, marketing) where you have accepted the cookie banner. You may withdraw consent at any time.
- Legitimate interests (Art. 6(1)(f)): server-side processing that does not rely on cookies or persistent identifiers, including securing the Services against fraud and abuse, detecting cheating, keeping technical logs, generating aggregate server-side statistics, and improving the Services. We have weighed our interests against your rights and freedoms before relying on this basis. Client-side analytics, advertising pixels, and similar tracking technologies that rely on cookies or device identifiers are not covered by this basis; they are processed under consent (see the Consent item above and our Cookie Policy).
- Legal obligation (Art. 6(1)(c)): complying with data protection law, tax obligations (where prizes are paid), or responding to lawful requests from authorities.
4. How we use your information
- Authenticate you and maintain your HexaDome account.
- Operate tournaments, manage registrations, score matches and publish rankings.
- Distribute cash prizes and other rewards to winners (which may require collecting additional information for tax or payment purposes at that point, with prior notice).
- Send service messages relating to your account or tournaments you have entered.
- Send the newsletter to users who have opted in.
- Detect and prevent fraud, cheating, abuse, and violations of our User Agreement.
- Diagnose technical issues, debug, and improve the Services.
- Comply with our legal obligations and enforce our rights.
5. Who we share information with
We do not sell your personal information. We share it only with the categories of recipient listed below, and only to the extent necessary for the purposes described in this policy. All providers acting as processors on our behalf are bound by a Data Processing Agreement that requires them to process the data only on our instructions and to apply appropriate security measures.
- Identity providers: Discord (Discord Inc., USA) and Valve / Steam (Valve Corporation, USA) when you sign in. We may also call back the Discord API to read your guild membership and roles to grant in-game and admin permissions, and the Steam Web API to verify game ownership. The data those platforms receive is governed by their own privacy policies.
- Hosting and infrastructure: Microsoft Azure (Microsoft Ireland Operations, EU region) hosts the Website and our application backend, including its configuration store.
- Document database hosting: an EU-hosted managed document database service stores account, tournament, and game-related data on our behalf.
- In-memory cache and session store: a managed cache provider stores short-lived cached data and session-related state.
- Application monitoring and error tracking: an application monitoring and error-tracking service receives crash reports, stack traces, and limited request context (IP, user agent, account ID) so we can diagnose production issues. We have configured it to drop expected cancellation and antiforgery exceptions.
- Centralised logging: a centralised logging service hosts our server log stream (technical operations, errors, security events). Logs may contain IP addresses, user IDs, request bodies, and headers for troubleshooting purposes.
- Email delivery: MailerLite (MailerLite Limited, EU-hosted, ISO 27001) processes newsletter subscribers on our behalf.
- Content delivery and security: providers such as Cloudflare may process IP addresses to deliver static assets, accelerate the site, and protect it against attacks.
- Marketing analytics and advertising (only on the marketing landing pages and only with your consent): Google (Google LLC) for Google Tag Manager, Google Analytics 4 and Google Ads, and other vendors that may be configured in our Tag Manager container (see our Cookie Policy).
- Authorities and legal advisers: where we are required to disclose information by law, by court order, or to protect the rights, safety and security of users or the public.
- Successors: if Blindspot Games is restructured, merged, or its assets are transferred, personal information may be transferred to the successor entity under equivalent protections.
An up-to-date list of sub-processors is available on request at legal@blindspot-games.com.
6. International data transfers
Studio Blindspot Inc. is established in Canada (Quebec). Our primary hosting region is the European Union. As a result, your personal data is processed both in Canada (by us, the controller) and in the European Union (by our hosting and database providers). Some recipients listed above also operate from the United States (notably Discord, Steam, Google services, and our application monitoring and logging providers).
Where we transfer personal data outside your country of residence, we rely on a recognised transfer mechanism, in particular:
- for transfers from the EEA/EU: the European Commission's adequacy decision for Canada (commercial organisations) covering transfers to Canadian commercial entities subject to PIPEDA, the EU's Standard Contractual Clauses (SCCs) for transfers to providers in the United States or other non-adequate countries, and supplementary measures where required;
- for transfers from the United Kingdom: the UK International Data Transfer Addendum or an Article 46 mechanism;
- for transfers from Quebec: the privacy-impact assessment required by Quebec Law 25, section 17, before sending personal information outside Quebec.
7. Data retention
We keep personal information only for as long as needed for the purposes described in this policy:
- Account data (Discord ID, Steam ID, linked profile information): for as long as your HexaDome account exists, then deleted within 30 days of account closure.
- Inactive accounts: accounts with no sign-in for 36 consecutive months are flagged for deletion after we attempt to contact you at your last known email address.
- Discord role and guild-membership cache: refreshed at sign-in and cached for the duration of your session, with a maximum cache lifetime of a few hours.
- Steam game-ownership checks: result kept for a short cache window (a few hours), then re-queried on next sign-in.
- Steam key assignments (if a key is granted to you): kept for the lifetime of the account and for up to 3 years after account closure, for fraud-prevention and accounting purposes.
- Tournament records: rankings and match history are kept while the tournament series is active and for up to 3 years afterwards. Replays we retain are stored for up to 12 months for moderation, dispute resolution, and showcasing.
- Anti-cheat and sanction history: kept for the lifetime of the account and for up to 5 years after account closure to prevent repeat offenders and to defend any legal claim.
- Prize and tax records (where you have received a cash prize): kept for the period required by applicable tax and accounting law, typically up to 10 years.
- Newsletter: while you remain subscribed and for up to 3 years after the last interaction, after which we delete your record unless you re-engage.
- Application monitoring: crash reports and error events for up to 90 days at our error-tracking provider.
- Centralised logs: technical and security logs for up to 30 days at our logging provider, longer where needed to investigate a specific incident.
- Cache and session store: cached state expires automatically based on each key's TTL, typically minutes to a few hours.
- Support correspondence: up to 3 years from the last exchange.
We may retain certain information longer where required by law (for example, accounting records related to cash prizes, records related to ongoing or threatened legal claims).
8. Security
We apply technical and organisational measures appropriate to the risk, including:
- encryption in transit (HTTPS across the Website and our backends);
- encryption at rest for the production database and backups;
- restricted administrative access based on Discord role membership;
- audit logging of administrative actions;
- centralised configuration through Azure App Configuration, with progressive migration of secrets to Azure Key Vault and equivalent secret stores.
No system is perfectly secure. Please use a strong unique password for your linked Discord/Steam accounts and contact us immediately at legal@blindspot-games.com if you suspect a security issue or account compromise.
9. Automated decision-making and anti-cheat
HexaDome uses automated tooling to monitor competitive integrity and detect cheating, bug exploitation, account boosting, collusion, or other prohibited behaviour. This tooling may, in particular:
- analyse gameplay telemetry (inputs, decisions, server-side game state) and account behaviour;
- flag accounts whose behaviour matches known cheat signatures or statistical outliers;
- apply automatic restrictions (for example, queue locks, score adjustments, or match invalidation) where the evidence is unambiguous, such as use of unauthorised third-party software detected at the network or process level.
Decisions with significant effect on you are not taken by automated means alone. Automatic flags trigger a review by a human member of our integrity team before any sanction that has a significant effect (such as permanent account termination, tournament disqualification, or forfeiture of a cash prize). You have the right under GDPR Article 22 to obtain human review of any decision based solely on automated processing that produces legal or similarly significant effects on you, to express your point of view, and to contest the decision. Use the appeal process described in our User Agreement (Section 3.3) and we will respond within the time limits set by applicable law.
10. Your rights
Subject to applicable law you have the following rights:
- Access: receive a copy of the personal data we hold about you.
- Rectification: ask us to correct inaccurate or incomplete data.
- Erasure: ask us to delete your data ("right to be forgotten").
- Restriction: ask us to restrict processing in certain circumstances.
- Objection: object to processing carried out on the basis of legitimate interests.
- Portability: receive your data in a structured, machine-readable format and have it transferred to another controller where technically feasible.
- Withdraw consent: where processing relies on your consent, withdraw it at any time without affecting prior processing.
- Lodge a complaint: with your local data protection authority. For users in the EU, the list of authorities is available on the European Data Protection Board website. For users in the UK, contact the Information Commissioner's Office (ico.org.uk). For users in Quebec, contact the Commission d'accès à l'information du Québec (cai.gouv.qc.ca). For users elsewhere in Canada, contact the Office of the Privacy Commissioner of Canada (priv.gc.ca).
To exercise any of these rights, email legal@blindspot-games.com. We will respond within one month of receiving a verifiable request, in line with applicable law.
11. Children
The Services are not directed to users below the age of digital consent in their country. Under EU GDPR Article 8 the default age is 16, but Member States may set it as low as 13. The table below lists the threshold for the main jurisdictions where our users are based. If you are below the applicable age, please do not create an account or provide us with any personal information.
| Jurisdiction | Minimum age |
|---|---|
| Austria | 14 |
| Belgium | 13 |
| Bulgaria | 14 |
| Croatia | 16 |
| Cyprus | 14 |
| Czech Republic | 15 |
| Denmark | 13 |
| Estonia | 13 |
| Finland | 13 |
| France | 15 |
| Germany | 16 |
| Greece | 15 |
| Hungary | 16 |
| Iceland | 13 |
| Ireland | 16 |
| Italy | 14 |
| Latvia | 13 |
| Liechtenstein | 16 |
| Lithuania | 14 |
| Luxembourg | 16 |
| Malta | 13 |
| Netherlands | 16 |
| Norway | 13 |
| Poland | 16 |
| Portugal | 13 |
| Romania | 16 |
| Slovakia | 16 |
| Slovenia | 16 |
| Spain | 14 |
| Sweden | 13 |
| Switzerland | 16 |
| United Kingdom | 13 |
| United States (COPPA) | 13 |
| Canada | 13 |
| Australia | 16 |
| Brazil | 18 |
We do not knowingly process personal information of users below the applicable threshold without verifiable parental consent. If you believe a child below the applicable age has provided us with personal information, contact us at legal@blindspot-games.com and we will delete it.
12. Information for parents
If you are a parent or legal guardian and you wish to authorise your child to use the Services where this is permitted by the law of your country, please contact us at legal@blindspot-games.com. We will ask you to confirm:
- that you are the parent or legal guardian of the user concerned;
- which account is concerned (Discord ID, Steam ID or email used at registration);
- your consent to the processing described in this Privacy Policy.
We may request additional verification proportionate to the sensitivity of the data involved (for example, a redacted copy of an identity document showing your name only). We retain that verification only for as long as needed to record your consent and then delete it.
As parent or legal guardian, you can at any time:
- ask to see the personal information we hold about your child;
- ask us to correct inaccurate information;
- withdraw your consent and request deletion of the account.
Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal. To exercise any of these rights, email us from the address you used to give consent, or from another verifiable contact.
13. Cookies and tracking
We use a small number of essential cookies to keep you signed in and to secure the site, and (with your consent) optional cookies for analytics and marketing. Full details, including the cookie names, their purpose, and how to manage your choices, are set out in our Cookie Policy.
14. Changes to this policy
We may update this Privacy Policy from time to time. When changes are material we will notify you, for example by email or by posting a notice on the Website. The "Last updated" date at the top of this page reflects the most recent revision.
15. Contact
For any question about this Privacy Policy or to exercise your rights, please contact:
Studio Blindspot Inc. (trading as "Blindspot Games")
305 rue de Bellechasse, bureau 103, Montreal, Quebec H2S 1W9, Canada
Email: legal@blindspot-games.com
Website: www.blindspot-games.com
