Privacy Policy
Effective from: 22 stycznia 2026
Privacy Policy
SGS HUB – https://sgshub.eu
Effective Date: January 28, 2026
Version: 2.0
1. DATA CONTROLLER
1.1. The controller of personal data is SGS HUB PROSTA SPÓŁKA AKCYJNA with its registered office in Kielce, ul. Karola Olszewskiego 6, 25-663 Kielce, Poland, entered into the Register of Entrepreneurs of the National Court Register under number 0001209428, NIP (Tax ID): 9592088699, REGON: 543423042 (hereinafter: "Controller" or "SGS Hub").
1.2. Contact regarding personal data protection: privacy@sgshub.eu.
1.3. This Privacy Policy defines the rules for processing personal data in accordance with:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) - for users from the European Economic Area (EEA),
- California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) - for California residents,
- Children's Online Privacy Protection Act (COPPA) - for users from the United States.
2. TERRITORIAL RESTRICTION
2.1. SGS Hub Services are offered to users from the European Economic Area (EEA) and the United States of America (USA).
2.2. Services are NOT offered to residents of the United Kingdom. Persons residing in the United Kingdom may not create accounts or use SGS Hub Services.
3. SCOPE OF COLLECTED DATA
The Controller collects the following categories of personal data:
3.1. Identification data: first name, last name, username (pseudonym), email address.
3.2. Billing data: data necessary to process payments (processed by Stripe, Inc.), including billing address and postal code (used to determine tax jurisdiction).
3.3. Technical data: IP address, browser type and version, operating system, server logs, device identifiers.
3.4. Integration data: Discord, Steam, Google account identifiers (in case of login via these services).
3.5. Service usage data: transaction history, Service usage statistics, user preferences, game server data.
3.6. Communication data: content of correspondence with customer support, complaint reports.
4. PURPOSE AND LEGAL BASIS FOR PROCESSING
Personal data is processed for the following purposes:
| Purpose of Processing | Legal Basis (GDPR) | Legal Basis (USA) | | --------------------------------------------------- | ---------------------------------- | ---------------------------- | | Performance of the Service agreement | Art. 6(1)(b) | Contract Performance | | Payment processing and billing | Art. 6(1)(b) | Contract Performance | | Compliance with legal obligations (tax, accounting) | Art. 6(1)(c) | Legal Compliance | | Establishment, exercise or defense of claims | Art. 6(1)(f) (legitimate interest) | Legitimate Business Interest | | Direct marketing of own Services | Art. 6(1)(f) (legitimate interest) | Notice and Choice (Opt-out) | | Analysis and improvement of Services | Art. 6(1)(f) (legitimate interest) | Legitimate Business Interest | | Ensuring Service security | Art. 6(1)(f) (legitimate interest) | Security Interest |
5. DATA RECIPIENTS AND INTERNATIONAL TRANSFERS
5.1. Data Recipients in the EEA
Personal data may be transferred to the following categories of recipients in the European Economic Area:
- Mevspace sp. z o.o. – infrastructure hosting (Poland)
- Hetzner Online GmbH – game server hosting (Germany, Finland)
5.2. Transfers to the United States
Personal data may be transferred to partners in the United States based on the following mechanisms:
| Recipient | Purpose | Transfer Basis | | ----------------------------- | ----------------------------------- | ------------------------------------ | | Stripe, Inc. | Payment processing | EU-U.S. Data Privacy Framework (DPF) | | Google LLC | Analytics (Google Analytics), OAuth | EU-U.S. Data Privacy Framework (DPF) | | Discord, Inc. | Integration, OAuth | Standard Contractual Clauses (SCC) | | Valve Corporation (Steam) | Integration, OAuth | Standard Contractual Clauses (SCC) |
5.3. EU-U.S. Data Privacy Framework (DPF)
Data transfers to entities certified under the EU-U.S. Data Privacy Framework take place on the basis of the European Commission's adequacy decision of July 10, 2023 (Implementing Decision C(2023) 4745). The list of certified entities can be checked at: https://www.dataprivacyframework.gov.
5.4. Standard Contractual Clauses (SCC)
In the case of transfers to entities not covered by the DPF, the Controller applies Standard Contractual Clauses approved by the European Commission decision 2021/914 of June 4, 2021.
6. DATA RETENTION PERIOD
| Data Category | Retention Period | | --------------------------------- | ------------------------------------------------------------------------ | | Account-related data | For the duration of the Account existence and 3 years after its deletion | | Billing data | 5 years from the end of the tax year (legal obligation) | | Analytics data (Google Analytics) | Up to 26 months | | Server logs | Up to 12 months | | Communication data (tickets) | 3 years from case closure |
7. USER RIGHTS
7.1. Rights under GDPR (EEA Users)
Users from the European Economic Area have the following rights:
a) Right of access (Art. 15) – obtaining information about processed data and a copy of the data.
b) Right to rectification (Art. 16) – correcting incorrect or completing incomplete data.
c) Right to erasure (Art. 17, "right to be forgotten") – deletion of data when it is no longer necessary for the purposes for which it was collected.
d) Right to restriction of processing (Art. 18) – temporary suspension of data processing.
e) Right to data portability (Art. 20) – receiving data in a structured, commonly used machine-readable format.
f) Right to object (Art. 21) – objection to processing based on legitimate interest, including profiling.
g) Right to withdraw consent – at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
h) Right to lodge a complaint – to the Supervisory Authority (in Poland: Prezes Urzędu Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warsaw).
7.2. Additional Rights for California Residents (CCPA/CPRA)
Residents of California (USA) have additional rights:
a) Right to Know – obtaining information about the categories and sources of collected personal data and the purposes of its use.
b) Right to Delete – requesting deletion of personal data collected by the Controller.
c) Right to Opt-Out of Sale ("Do Not Sell My Personal Information") – SGS Hub DOES NOT SELL users' personal data within the meaning of CCPA.
d) Right to Non-Discrimination – exercising CCPA rights does not result in discrimination in terms of price or quality of Services.
7.3. Exercising Rights
To exercise the above rights, please contact the Controller:
- E-mail: privacy@sgshub.eu
- Subject: "Rights Request – [type of right]"
The Controller responds within 30 days of receiving the request (GDPR) or 45 days (CCPA), with the possibility of extension in justified cases.
8. CHILDREN'S PRIVACY (COPPA)
8.1. The SGS Hub Service is not intended for persons under 16 years of age (in the case of EEA) and under 13 years of age (in the case of USA).
8.2. The Controller does not knowingly collect personal data from children under the specified age limits.
8.3. If aware of collecting data from a person under the required age, such data will be immediately deleted.
8.4. If a parent or legal guardian learns that a child has provided personal data to the Controller, please contact us at: privacy@sgshub.eu to delete such data.
9. COOKIES AND TRACKING TECHNOLOGIES
9.1. Types of Cookies Used
| Category | Purpose | Legal Basis | Validity | | -------------- | ------------------------------------------------------ | ----------------- | ---------------------- | | Essential | Service functioning (session, authorization, security) | Art. 6(1)(f) GDPR | Session / up to 1 year | | Functional | Remembering user preferences (language, theme) | Consent | Up to 1 year | | Analytical | Google Analytics – anonymous traffic analysis | Consent | Up to 26 months |
9.2. Cookie Management
User can manage cookie settings via:
- Cookie banner displayed on the first visit to the Service,
- Web browser settings,
- Privacy preference panel available in Account settings.
9.3. Google Analytics
SGS Hub uses Google Analytics with IP anonymization enabled. More information on data processing by Google: https://policies.google.com/privacy.
10. DATA SECURITY
The Controller applies appropriate technical and organizational measures to protect personal data against unauthorized access, loss, or destruction, including:
a) TLS 1.3 encryption for connections,
b) Encryption of sensitive data at rest (AES-256),
c) Regular backups with geographic redundancy,
d) Role-Based Access Control (RBAC),
e) 24/7 infrastructure security monitoring,
f) Regular security audits and penetration testing,
g) Security incident response procedures.
11. AUTOMATED DECISION MAKING AND PROFILING
11.1. The Controller does not make decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect the user.
11.2. Profiling techniques (e.g., server recommendations) may be used for analytical and service personalization purposes, but they do not lead to automated decisions having a significant impact on the user.
12. CHANGES TO PRIVACY POLICY
12.1. The Controller reserves the right to change this Privacy Policy in the event of changes in legal regulations, introduction of new functionalities, or changes in data processing practices.
12.2. Users will be informed about significant changes via:
-
Email notification (to the address associated with the Account),
-
Announcement in the Service,
-
with at least 14 days notice before the changes enter into force.
12.3. The current version of the Privacy Policy is always available at: https://sgshub.eu/privacy.
13. CONTACT
If you have questions regarding this Privacy Policy or personal data processing, please contact:
SGS HUB PROSTA SPÓŁKA AKCYJNA ul. Karola Olszewskiego 6 25-663 Kielce, Poland
E-mail: privacy@sgshub.eu General contact: support@sgshub.eu
SGS HUB PROSTA SPÓŁKA AKCYJNA Kielce, January 28, 2026