TOFFEE PAY PRIVACY POLICY

Last Updated: August 28, 2025

PURPOSE OF THIS POLICY

Galactica Games Inc., dba Toffee Pay ("Toffee Pay," "we," "our," or "us"), takes the protection of our customers' personal data seriously. This Privacy Policy is a statement of our commitment to protecting the rights and privacy of individuals in accordance with applicable Data Protection laws and regulations, including the EU General Data Protection Regulation (GDPR) where applicable.

INFORMATION WE COLLECT

Toffee Pay collects, processes, and uses personal information to provide the following services:

  • To fulfil contracts of sale to consumers who purchase products from our in-game commerce platform where Toffee Pay is deemed to be Seller/Merchant of Record.
  • To perform direct marketing to those consumers who have explicitly given their consent to such activity. Consent to receive marketing will be obtained through active opt-in from the consumer, their consent will be recorded, and consumers will have the ability to withdraw their consent easily and at any time.
  • For identity verification, fraud prevention, and compliance with anti-money laundering regulations.

Types of Personal Information

We collect the following types of personal information:

  • Contact Information: Name, email address, shipping address
  • Game Play Statistics: In-game achievements, levels completed, quests accomplished
  • Payment Information: Payment tokens and limited payment information. Note that full payment card details are processed and stored by our third-party payment gateway partners, not by Toffee Pay
  • Device Information: IP address, device type, operating system, browser type
  • Usage Data: How you interact with our Services, including browsing patterns and purchase history

Sources of Information

We collect personal information from the following sources:

  • Information you provide directly (account creation, purchases, customer support)
  • Automated collection through our Services (cookies, device data, usage analytics)
  • Third parties (payment processors, game developers, fraud prevention services)
  • Public sources (for fraud prevention and compliance verification)

Sensitive Personal Information

In certain circumstances, we may collect:

  • Financial information necessary for payment processing
  • Precise geolocation data (if location services enabled)
  • Biometric identifiers (if used for fraud prevention)

DATA PROTECTION PRINCIPLES

Toffee Pay shall perform our data protection responsibilities in accordance with the following principles:

  1. Lawfulness, fairness, and transparency: We shall obtain and process personal data lawfully, fairly, and in a transparent manner.
  2. Purpose limitation: We shall collect personal data for specific, explicit, and legitimate purposes, and not process it in a manner incompatible with those purposes.
  3. Data minimization: We shall only collect personal data that is adequate, relevant, and limited to what is necessary.
  4. Accuracy: We will ensure high levels of data accuracy, completeness, and keep data up-to-date, with a process to rectify inaccuracies when notified.
  5. Storage limitation: We will retain your personal data only for as long as necessary for the purposes for which it was collected, or until you request its deletion, subject to legal retention requirements.
  6. Integrity and confidentiality: We implement appropriate technical and organizational security measures to protect against unauthorized or unlawful processing and against accidental loss, destruction, or damage of personal data.

LEGAL BASIS FOR PROCESSING

We process your personal data under the following legal bases:

  • Contract Performance (GDPR Art. 6(1)(b)): Processing necessary to fulfill purchase contracts, shipping, and customer service obligations
  • Legitimate Interest (GDPR Art. 6(1)(f)): Fraud prevention, security monitoring, business analytics (where not overridden by your fundamental rights)
  • Legal Obligation (GDPR Art. 6(1)(c)): Tax compliance, AML/KYC verification, regulatory reporting
  • Consent (GDPR Art. 6(1)(a)): Marketing communications, non-essential cookies, data sharing with game developers beyond anonymized analytics

For residents of jurisdictions requiring explicit consent for certain processing activities, we will obtain such consent before processing.

DATA RETENTION PERIODS

We retain personal data according to the following schedule:

  • Transaction Data: 7 years from transaction date (tax and accounting requirements)
  • Account Information: Until account deletion request, or 3 years of inactivity
  • Marketing Data: Until consent withdrawal, or 2 years of inactivity
  • Fraud Prevention Data: Up to 5 years for high-risk indicators
  • Game Statistics: Anonymized after 18 months, retained indefinitely for analytics
  • Support Communications: 3 years from last contact

We conduct quarterly data retention reviews and implement automated deletion where technically feasible.

DISCLOSURE TO THIRD PARTIES

We may share your personal information with the following third parties:

  • Game Developers: We may share anonymized user data with game developers to improve the gaming experience and analyze offer effectiveness.
  • Brand Partners: We may share anonymized user data with fashion brands and other retail partners who provide products through our platform.
  • Service Providers: Payment processors, shipping companies, and customer service providers necessary to fulfil your orders and provide our services.
  • Legal Authorities: When required by law, court order, or governmental regulation.
  • Corporate Transactions: In connection with a corporate transaction, such as a merger, acquisition, or sale of assets.

We will not sell your personal information to third parties for their own marketing purposes without your explicit consent.

COOKIES AND TRACKING TECHNOLOGIES

We use the following categories of cookies and tracking technologies:

Essential Cookies (No consent required):

  • Authentication and security tokens
  • Shopping cart and checkout functionality
  • Load balancing and performance optimization

Analytics Cookies (Consent required in some jurisdictions):

  • Google Analytics (with IP anonymization)
  • Internal usage analytics and A/B testing
  • Fraud prevention and security monitoring

Marketing Cookies (Consent required):

  • Retargeting and personalized advertising
  • Social media integration pixels
  • Cross-device tracking for marketing attribution

Cookie Management:

You can manage cookie preferences through your browser settings. Most browsers allow you to refuse all or some cookies, or to alert you when cookies are being sent, and your browser-based preferences will be respected for future visits. However, if you disable or refuse cookies, some parts of our Services may be inaccessible or not function properly.

DATA SECURITY

We implement enterprise-grade security measures including:

Technical Safeguards:

  • End-to-end encryption for payment data (AES-256)
  • Encryption at rest and in transit for all personal data
  • Multi-factor authentication for administrative access
  • Regular penetration testing and vulnerability assessments
  • PCI DSS Level 1 compliance (through payment processor partners)

Organizational Safeguards:

  • Employee privacy training and confidentiality agreements
  • Role-based access controls and need-to-know principles
  • Incident response procedures and breach notification protocols
  • Annual security audits by independent third parties

Infrastructure Security:

Our Google Cloud Platform implementation includes DDoS protection, network segmentation, and SOC 2 Type II certified data centres.

While we implement industry-leading security measures, no system is completely immune to security incidents. We continuously monitor and improve our security posture.

DATA BREACHES

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay.

YOUR PRIVACY RIGHTS

General Rights (All Users):

  • Right to access: Request information about personal data we hold and how it's processed
  • Right to rectification: Request correction of inaccurate or incomplete personal data
  • Right to erasure: Request deletion of personal data in certain circumstances
  • Right to restrict processing: Request limitation of processing in specific situations
  • Right to data portability: Request your data in a structured, machine-readable format
  • Right to object: Object to processing based on legitimate interests
  • Right to withdraw consent: Withdraw consent where processing is consent-based

California Residents (CCPA/CPRA) Additional Rights:

  • Right to know categories and specific pieces of personal information collected
  • Right to know business/commercial purposes for collection
  • Right to know categories of third parties with whom we share personal information
  • Right to opt-out of "sale" or "sharing" for cross-context behavioral advertising
  • Right to correct inaccurate personal information
  • Right to limit use and disclosure of sensitive personal information
  • Right to non-discrimination for exercising privacy rights

Virginia, Colorado, Connecticut, Utah Residents:

Additional rights may apply under state privacy laws. Contact us for jurisdiction-specific information.

EEA/UK Residents:

All general rights above apply, plus the right to lodge complaints with supervisory authorities.

To exercise these rights, please contact us at support@toffeepay.com.

CHILDREN'S PRIVACY

Our Services are not intended for users under the age of 13 without parental/guardian consent. Users between 13 and 18 years may use our Services with parental or guardian consent, as required by applicable law. We do not knowingly collect personal information from children under 13 without appropriate parental consent. If you believe we have collected personal information from a child under 13 without proper consent, please contact us at support@toffeepay.com.

INTERNATIONAL DATA TRANSFERS

Toffee Pay operates globally and may transfer your personal information to jurisdictions where our brand partners and game users intersect. When we transfer personal data outside of your jurisdiction, we implement appropriate safeguards:

EEA to Third Countries:

  • Adequacy Decisions: We rely on European Commission adequacy decisions where available
  • Standard Contractual Clauses (SCCs): EU-approved SCCs with supplementary measures for countries without adequacy decisions
  • Transfer Impact Assessments: We conduct assessments for high-risk jurisdictions

US Transfers: We implement Standard Contractual Clauses with supplementary technical measures for transfers to the United States.

A complete list of recipient countries and safeguards is available upon request at support@toffeepay.com.

AUTOMATED DECISION-MAKING AND PROFILING

We use automated processing in the following circumstances:

Fraud Prevention: Automated systems analyze transaction patterns to detect fraudulent activity. This processing is necessary for our legitimate interests in preventing financial crime. 

Personalized Offers: We use algorithms to determine which product offers to display based on your gaming achievements and purchase history. This processing is based on your consent and our legitimate interests in providing relevant offers. 

Right to Contest: You have the right to contest automated decisions that significantly affect you and request human review of such decisions. 

THIRD-PARTY SERVICE PROVIDERS

We work with the following categories of processors:

  • Payment Processing: Authorized payment processors - for payment authorization and processing
  • Cloud Infrastructure: Google Cloud Platform - for hosting and data storage
  • Analytics: Google Analytics - for website and app usage analytics
  • Customer Support: Third-party support platforms - for customer service communications
  • Shipping: Authorized shipping partners - for order fulfillment
  • Email Marketing: Email service providers - for marketing communications (with consent)

All processors are bound by data processing agreements meeting applicable privacy law requirements.

CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. Any changes to this Privacy Policy will be posted on this page with an updated "Last Updated" date. We encourage you to review this Privacy Policy periodically for any changes.

CONTACT US

If you have any questions about this Privacy Policy or our privacy practices, please contact us at:

Email: support@toffeepay.com
Website: https://toffeepay.com

Galactica Games Inc. dba Toffee Pay

© Galactica Games Inc dba Toffee Pay