Loading...
Pursuant to the EU General Data Protection Regulation (GDPR). Last updated: 2026-05-14
The controller within the meaning of Art. 4(7) GDPR for the processing of personal data on the CHOZEN platform is:
Thomas Ehresmann
Einzelunternehmen, Geschäftsbezeichnung CHOZEN
Reichenberger Str. 25, 36039 Fulda, Deutschland
E-Mail: privacy@chozen.io
See Impressum for full contact details and phone number.
The CHOZEN Ranked Overlay (desktop app for Windows / macOS) can capture video frames of your selected window or screen and the corresponding system audio for the duration of a ranked beat battle. This is used to generate the post-match Reel that is shown back to you (and, where you choose to publish it, to other users).
Account creation and management, providing platform features, processing transactions and payouts, subscription management, facilitating license agreements between Producers and Buyers, competitive features (FL Ranked matchmaking), community features (DMs, forums, comments), gamification (XP, rank progression).
Platform security and fraud prevention, content recommendation, analytics for platform improvement, enforcement of our Terms of Service, technical infrastructure maintenance.
Non-essential cookies and tracking (see Cookie Policy), marketing communications and newsletters, screen capture by the Ranked Overlay (§2.12), publication of Reels to other users, producer email-collection (consent of the email subscriber).
Tax documentation and invoice retention (§ 147 AO, § 257 HGB), responses to lawful authority requests, copyright infringement notifications, DAC7 seller reporting.
| Data category | Retention | Basis |
|---|---|---|
| Invoice / transaction data | 10 years | § 147 AO, § 257 HGB |
| Account data | Until deletion + 30 days | Contract |
| Content (uploads) | Until removal + 30 days | Contract, cache clearance |
| Competitive data (MMR, battles) | Season + 2 years | Legitimate interest |
| Technical / server logs | 90 days | Legitimate interest (security) |
| Behavioural data | 24 months, then anonymized | Legitimate interest / consent |
| Direct messages | Until account deletion | Contract |
| Producer-collected emails | Until unsubscribe or producer deletion | Subscriber consent |
| Screen-capture frames (intermediate) | ≤ 24 h after render | Consent |
| Final Reel video | Until match deletion + 30 days | Consent |
| Consent records | Processing duration + 3 years | Accountability (Art. 5(2)) |
| Recipient | Location | Purpose | Role |
|---|---|---|---|
| Cloudflare, Inc. | US / global | Hosting, D1, R2, CDN, DDoS, bot mgmt | Processor |
| Stripe, Inc. / Stripe Payments Europe | US / IE | Payment processing, Connect payouts | Processor for transaction execution + independent controller for fraud prevention |
| PayPal (Europe) S.à r.l. | LU / US | Alternative payment processing | Independent controller |
| Google LLC | US | OAuth authentication | Independent controller |
| Resend, Inc. | US | Transactional email delivery | Processor |
| Render.com | US | Reel video rendering (screen capture) | Processor |
| Apple Inc. | US | iOS App Store distribution, IAP | Independent controller |
| Google LLC (Play) | US | Android distribution, IAP | Independent controller |
Data Processing Agreements (Art. 28 GDPR) are in place or being executed with all processors. We do not sell your personal data.
Several processors are US-based. Transfers rely on:
We use first- and third-party cookies and localStorage to ensure functionality, remember preferences, and (in future) analyze usage. Details, categories, and your consent options are documented in our Cookie Policy. Consent for non-essential storage is collected via our consent banner in compliance with TTDSG § 25 and GDPR Art. 6(1)(a).
To exercise these rights, contact privacy@chozen.io. We respond within one month of receipt (extendable by two months for complex requests, with notice).
Right to lodge a complaint (Art. 77): you may complain to a supervisory authority, in particular in the Member State of your habitual residence. The competent authority for the controller is Der Hessische Beauftragte für Datenschutz und Informationsfreiheit (HBDI), Gustav-Stresemann-Ring 1, 65189 Wiesbaden, datenschutz.hessen.de.
10.1 Algorithmic recommendations. The Platform profiles your behavioural data to personalize feeds and the Discover feature. This is not "solely automated decision-making producing legal effects" under Art. 22(1) GDPR because the recommendations are suggestions only, do not restrict access to content, and you retain full manual control. Legal basis: Art. 6(1)(f) legitimate interest, or consent where separately obtained.
10.2 Ranked matchmaking. FL Ranked uses an Elo-style MMR system to match opponents and determine division placement. This is necessary for the performance of the competitive feature (Art. 22(2)(a)). You can contest match outcomes via the dispute mechanism.
10.3 Object to profiling. You may object to profiling under Art. 21 at any time. A non-profiling (chronological) feed alternative is available in your account settings.
The Platform is intended for users 16 and older (Art. 8(1) GDPR; § 7 TTDSG). We do not knowingly collect data from anyone under 16. If you become aware that a minor has provided us data, contact privacy@chozen.io and we will delete it promptly.
When a Producer activates email-collection on a content page, they act as independent data controller for the addresses they receive. CHOZEN acts as their processor under Art. 28 GDPR. A Data Processing Agreement will be required to be accepted by the Producer before the email-collection feature can be enabled — this acceptance flow is currently being implemented and will gate the feature once live. Subscribers may exercise their data-subject rights directly with the Producer or use the unsubscribe link in each email. CHOZEN provides the technical infrastructure (Mailchimp integration where activated) but does not determine the purposes of marketing processing.
Pursuant to Art. 35 GDPR, DPIAs are in preparation for the following processing activities where the risk profile warrants formal assessment:
Mitigating measures already implemented include data minimization, opt-out controls for profiling, short retention windows (intermediate frames ≤ 24 h; behavioural data anonymized after 24 months), and the consent gate for the screen-capture pipeline. Final DPIA documents will be available to the competent supervisory authority upon request.
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we notify the competent supervisory authority within 72 hours (Art. 33) and, where the risk is high, the affected data subjects without undue delay (Art. 34). All breaches are documented internally regardless of notification obligations.
Material changes are communicated via email and a prominent notice on the platform at least 30 days before they take effect. The "Last updated" date at the top of this page indicates the most recent revision.
Privacy enquiries and data-subject requests: privacy@chozen.io.
Data Protection Officer (DPO): Under § 38 BDSG, a designated DPO is not yet mandatory for CHOZEN as a sole proprietorship with fewer than 20 persons engaged in automated processing. We will reassess as the platform scales.