Privacy Policy
Effective: 16 July 2026 · Last updated: 16 July 2026
The short version. This summary is not a substitute for the full text below, but nothing below contradicts it.
- To play, we need an email address, a display name, a date of birth (to check you are 13 or older) and a password. Everything else — a phone number, security questions, two-factor authentication, a linked Google / Apple / Discord / Steam login — is optional.
- Your Account display name is normally permanent. It is public, and it appears on hiscores and player profiles alongside your Characters, skills and achievements. Choose it carefully. Character names you can change yourself.
- We never see your password (we store an Argon2 hash) and we never see your card number (Stripe and PayPal take payments on their own pages).
- Analytics are off until you say yes. Google Analytics runs only on our public marketing pages, only after you accept the banner, and never on your account, sign-up, recovery or billing pages. You can change your mind at any time.
- There are no ads today. If we ever add them, we will ask first and update this policy before the first ad appears — not after.
- We do not sell your personal data, and we do not share it for cross-context behavioural advertising.
- You can download your data and delete your Account yourself, from your account settings. Deletion takes effect after 30 days, and you can cancel during that window. Some records — bans, payment records, security logs — survive deletion, and §13 explains exactly which and why.
- We are based in the United States. If you are in the UK or the EEA, your data is transferred to the USA. §11 tells you what legal safeguard covers that transfer, and is honest that it is not in place yet.
- If you are in the UK or EEA you can complain to your data protection regulator. You do not need our permission and you do not need to contact us first.
1. Who we are, and who is responsible for your data
- Pixel Glitch Studios ("we", "us", "our") is the controller of the personal data described in this policy. We trade as Pixel Glitch Studios and operate the game Isles of Calamity.
- Pixel Glitch Studios is an unincorporated sole proprietorship, not a registered company.
- You can reach us about anything in this policy at
support@islesofcalamity.com.
We send mail from
no-reply@islesofcalamity.com. - We are based in California, USA.
1.1 Our representatives in the EU and the UK
- EU representative. We have not yet appointed a representative in the EU under Article 27 GDPR. Until we do, players in the EEA should contact us directly at support@islesofcalamity.com.
- UK representative. We have not yet appointed a representative in the UK under Article 27 UK GDPR. Until we do, players in the UK should contact us directly at the same address.
- Once a representative is appointed, EEA and UK players will be able to contact them instead of us on any matter relating to the processing of your personal data. Either way, your right to contact us directly, and to complain to your supervisory authority under §14.9, is unaffected.
2. Words we use
- "the Game" means Isles of Calamity, including the downloadable game client and the game worlds.
- "the Site" means islesofcalamity.com and its subdomains.
- "Account" means your registered account with us.
- "Character" means a playable character within an Account. An Account has up to eight Character slots.
- "Membership" means paid access sold as one-time duration credits. "Membership Credits" means those credits. They stack, and nothing renews automatically.
- "you" means the person using the Game or the Site.
3. What we collect
We collect only the categories listed below. If a category is not listed here, we do not collect it.
3.1 Data you give us to create and hold an Account
- Email address. Your login identifier, and how we reach you about your Account.
- Account display name. Public. 3–18 characters, set once at registration, and normally permanent — see §14.2.
- Date of birth. Used only to enforce the minimum age in §9. It is not shown to anyone and is not used for anything else.
- Password. We store an Argon2 hash. We never store, log or transmit the password itself.
- Invite code. Registration is currently invite-only, so we record which code you used and which Account issued it.
3.2 Optional data you can add
- Phone number. Optional. If you submit one, we store it in a record kept separate from the rest of your Account, and it is intended to be confirmed by a one-time code. Phone verification is not currently operational — the confirmation code is not being delivered, so a number you submit cannot be confirmed and will sit unused. We suggest you do not add a phone number until this notice says otherwise.
- Security question answers. Optional, and stored hashed.
- Two-factor authentication secret and recovery codes. Optional. Recovery codes are stored hashed.
- Linked sign-in identities. Optional. If you link a Google, Apple, Discord or Steam account, we store the identifier that provider gives us so we can recognise you next time.
3.3 Data generated when you use the Game and the Site
- Character names, skills, experience and achievements.
Public on hiscores and on player profiles at
/p/<name>. - Market and trade activity on the Tideboard.
- Gameplay action telemetry. The game server streams action events to us: your Account identifier, the world, an event type, a value, an in-world x/y position, and a timestamp. This is what our anti-bot checks in §8.4 read.
- IP address. Recorded in sign-in history and security audit records, and used for rate limiting. An IP address is personal data and we treat it as such.
- Browser user-agent, recorded against sessions and sign-in history.
- Poll votes. If you vote in a Site poll, we set a
ioc_votercookie containing a random identifier so the same browser cannot vote twice. It carries no name and is not linked to your Account.
3.4 Data from contacting us or reporting someone
- Support tickets — the free text you write, plus an email address. You may submit a ticket without an Account.
- Player reports — what you tell us about another player. If someone reports you, what they wrote is personal data about you, and §5 explains how we handle it.
- Account recovery requests — the free text you write to prove an Account is yours.
3.5 Data we create about you
- Moderation notes and sanctions — bans and mutes, with a reason and an expiry, global or per-world.
- Name enforcement records, where staff have taken action against a display name.
- Security audit records of significant Account and staff actions.
3.6 Payment data
- We never receive your card number. Payment is taken on Stripe's or PayPal's own hosted checkout. Card numbers do not touch our servers.
- What their systems return to us, and what we store, is: the payer's email address, postal code, the last four digits of the card, the card brand, the wallet used, and the country.
3.7 Newsletter
- If you subscribe, we store your email address and your confirmation. The newsletter list is keyed by email and is separate from your Account: unsubscribing does not touch your Account, and deleting your Account does not by itself unsubscribe you.
4. Why we process it, and our lawful basis for each purpose
If you are in the UK or the EEA, we must have a lawful basis for every use of your data. Here is each one, matched to its purpose.
4.1 Performance of our contract with you (GDPR Art 6(1)(b))
- Creating and maintaining your Account and Characters, and letting you sign in.
- Running the Game, saving your progress, and operating the Tideboard.
- Publishing hiscores and player profiles. This is part of the service you sign up for, and it is why display names, Character names, skills and achievements are public.
- Selling and applying Membership Credits, and processing refunds.
- Sending service messages you need to receive — verifying your email address, confirming an email change, telling you a password was reset, warning you about unusual sign-in attempts, and confirming that your Account is scheduled for deletion. These are not marketing and you cannot unsubscribe from them while you hold an Account.
4.2 Consent (GDPR Art 6(1)(a))
- Analytics. Google Analytics loads only if you accept it. Decline and no analytics script is fetched and no analytics cookie is set.
- Newsletter. Double opt-in: you ask, we email you, and you confirm. Every newsletter carries a one-click unsubscribe.
- Your phone number, if you choose to add one.
- Linking a Google, Apple, Discord or Steam sign-in, if you choose to.
- You can withdraw consent at any time, and withdrawing is as easy as giving it. Withdrawal does not affect processing carried out before you withdrew.
4.3 Legitimate interests (GDPR Art 6(1)(f))
We rely on legitimate interests for the purposes below. §5 sets out the balancing we carried out, and §14.5 explains your right to object.
- Keeping Accounts secure — sign-in history, session records, rate limiting, and screening passwords against known breaches. Our interest, and yours, is that your Account is not stolen.
- Keeping bots and cheats out — the gameplay telemetry in §3.3 and the anti-bot checks in §8.4. Our interest is a game where rank was earned; that is also what players are here for.
- Moderation and enforcement — acting on player reports, issuing sanctions, keeping moderation notes, and stopping ban evasion.
- Enforcing the minimum age in §9, using your date of birth.
- Answering support and recovery requests.
- Establishing, exercising or defending legal claims.
4.4 Compliance with a legal obligation (GDPR Art 6(1)(c))
- Tax and accounting. We keep records of payments — amounts, dates and provider references — for as long as tax law requires. §13.3 gives the period.
- Responding to lawful requests from courts, regulators and law enforcement.
5. The balancing behind our legitimate interests
- What we want. An online game where accounts are not stolen, ranks are not botted, trades are not scams, and abuse gets dealt with. None of that works if we cannot look at sign-in patterns, gameplay telemetry and reports.
- Why we think it is necessary. We could not detect a compromised Account without sign-in history, and could not detect botting without gameplay events. There is no less intrusive way to do either that still works.
- The impact on you. This is behavioural data about how you play, and we do not pretend otherwise. It is limited to what happens inside our Game: no profiles built from your activity elsewhere, no data bought from anyone else, no advertising use, and no automated decision that sanctions you (§8.4).
- What we do about that impact. Telemetry is used for anti-cheat, moderation and improving the Game, and nothing else. Sanctions are issued by a person. IP addresses are dropped from sign-in history when an Account goes dormant (§13.2).
- The conclusion. We consider these interests are not overridden by your interests or rights, largely because the data stays in the Game and is never monetised. You can disagree: §14.5 is the right to object, and we will look at it properly. If you object, we must stop unless we can show compelling grounds that override your rights, or we need the data for legal claims.
6. Who else sees your data
We do not sell your personal data. We do not share it for cross-context behavioural advertising. The following are the only third parties that receive it, and each is here because it does a job we need done.
- Amazon Web Services — hosting, database, storage, content delivery, our web application firewall, sending our email, and our telemetry store. Data is held in the us-east-1 region in the United States. AWS processes it on our instructions.
- Stripe and PayPal — payments. They take your card details directly, as their own controllers, under their own privacy policies, and return the metadata in §3.6 to us.
- Google Analytics 4 — only on our public marketing pages, and only if you accept. Never on the account, sign-up, recovery, billing, developer or status subdomains.
- Have I Been Pwned — breached-password screening, every time a password is set. This uses k-anonymity: only the first five characters of a SHA-1 hash of the password leave our servers. Your password, your email address and your identity are never sent, and the service cannot determine what your password is.
- Google, Apple, Discord, Steam — only if you choose to link that sign-in, and only then.
- YouTube and Twitch — only on news articles that embed a video, and only for readers of those articles. Loading an embed lets that provider see your IP address and set its own cookies under its own policy.
- We may disclose data where we are legally required to, or to establish, exercise or defend legal claims.
7. Advertising
- No ads are served on the Site or in the Game. No advertising network runs here, no advertising cookie is set by us, and we earn no advertising revenue. If you have read otherwise in an older version of this policy — which claimed we used Google AdSense — that statement was untrue when it was written, and this section replaces it.
- For completeness, because you can check it yourself: we publish an
/ads.txtfile naming a Google AdSense publisher account. It is an industry file that tells ad exchanges who would be allowed to sell ad space here. It does not serve an ad, set a cookie, or collect anything about you, and nothing on the Site currently loads any ad code. - We may introduce advertising in future. If we do, then before the first ad is served we will update this policy, ask for your consent where consent is required, and publish a "Do Not Sell or Share My Personal Information" link. We will not serve an ad first and tell you afterwards.
8. How we protect it
8.1 Passwords and sign-in
- Passwords are hashed with Argon2. We cannot read your password, and neither can anyone who steals the database.
- Every password you set is screened against Have I Been Pwned using k-anonymity, so we can tell you a password is already in a public breach without ever learning the password.
- You can turn on TOTP two-factor authentication, with recovery codes. Recovery codes and security question answers are stored hashed, so we cannot read them.
- Your two-factor secret is different: by design it has to be reversible for us to check your codes, so it is stored in our database rather than hashed. It is protected by the encryption in §8.2 and by our access controls, and not by anything further. We would rather tell you that than imply a stronger guarantee than we have built.
- You can see your sign-in history and your active sessions, and revoke any session, from your account settings.
8.2 Encryption
- In transit: the Site and our API are served over
HTTPS, and plain HTTP requests are redirected to it.
Cookies we set are marked
Secureover HTTPS andSameSite=Lax. - At rest: our database and our file storage are encrypted at rest using our hosting provider's managed encryption. This protects the underlying storage; it is not the same thing as encrypting individual fields, and we do not claim to do that.
8.3 Access
- Staff access is role-limited and requires two-factor authentication, and significant staff actions are written to an audit record.
8.4 Anti-bot checks, and why they are not automated decisions
- We run heuristic checks over gameplay telemetry to spot likely botting.
- Those checks flag an Account for a human to review. They do not ban, mute or restrict anyone by themselves.
- We do not make decisions with legal or similarly significant effects about you by automated means alone. Every sanction is issued by a member of staff, with a reason, and can be appealed by contacting support.
9. Children
- You must be at least 13 to hold an Account. We ask for your date of birth at registration and the minimum age is enforced by our servers, not by an honour-system tickbox.
- The Game is not directed to children under 13 and we do not knowingly collect their personal data. If you believe someone under 13 holds an Account, tell us at support@islesofcalamity.com and we will remove it.
- If you are in the EEA: under Article 8 of the GDPR, where an online service relies on consent to process a child's data, that consent must come from the holder of parental responsibility if the child is under 16 — unless the country you live in has lowered that age, which it may do to as low as 13. Member states have set different ages, and yours may not be 13.
- We must be straight with you about a gap here. We enforce 13 everywhere. We do not currently have any mechanism to obtain or verify parental consent for a user aged 13 to 15 in an EEA country whose national age is higher than 13. Until we do, a 13-to-15-year-old in such a country should not register, and a parent or guardian who believes their child has registered should contact us and we will act on it.
- The consent-based processing in §4.2 — analytics, the newsletter, a phone number, linked sign-ins — is optional in all cases, and is the processing most affected by the point above.
10. Cookies and browser storage
Our Cookie Notice is the full account. In summary, and stated accurately:
- In localStorage, not cookies: your session token
(
ioc.session) and your analytics choice (ioc.cookieConsent). - In sessionStorage (cleared when you close the tab): two
short-lived caches — an exchange-rate cache (
ioc_fx) and the online-player count (ioc-online). - Cookies we set:
ioc_who, which holds your display name for 30 days so the navigation bar can greet you across our subdomains — it carries no token and authorises nothing;ioc_signout, which lives for 120 seconds to hand a sign-out request to the account subdomain; andioc_voter, a random identifier that stops one browser voting twice in a poll. - Cookies set only with your consent: Google Analytics
(
_ga*), on our public marketing pages only. - Clearing your browser storage will sign you out.
11. Sending your data to the United States
- We are established in the United States and our infrastructure runs in the AWS us-east-1 region in the United States. If you use the Game or the Site from the UK or the EEA, your personal data is transferred to and stored in the USA.
- The United States is not, in general, the subject of an adequacy decision by the European Commission or the UK government. A transfer therefore needs an appropriate safeguard under Chapter V of the GDPR (or the UK equivalent), or a derogation.
- We do not yet have our own transfer safeguard in place; this is under review. In the meantime, we rely on the safeguards our hosting, payment and analytics providers publish for the data they process — such as EU–US Data Privacy Framework certifications and standard contractual clauses. You can ask us about this at support@islesofcalamity.com.
- Our hosting, payment and analytics providers each operate their own transfer mechanisms for the data they process, which are described in their own privacy policies.
12. What you have to give us, and what happens if you don't
- An email address, a display name, a date of birth and a password are required to create an Account. Without them we cannot create one — this is a requirement of entering into our contract with you, not a legal requirement.
- An invite code is currently required to register. This is our own rule, and we may lift it.
- Everything in §3.2 is optional. Declining costs you nothing but the feature itself — you simply do not get two-factor protection, or SMS verification, or a linked sign-in.
- If you buy Membership Credits, our payment providers must collect what they need to take the payment, and we must keep the records in §4.4 to satisfy tax law.
13. How long we keep it
13.1 While your Account lives
- Your Account and your Characters last as long as you keep using them. We do not delete an Account for inactivity.
13.2 Dormancy: three years
- After three years with no sign-in, we automatically delete your phone number, your security question answers, and the IP addresses stored in your sign-in history, and we release your Character names so other players can take them. Your progress, your Characters and your Account are kept.
- This is reversible in the sense that matters: sign in again and the Account works. You will be asked to choose new Character names and to re-enter any details you want back. The deleted data itself is gone.
13.3 Payment records: seven years
- After seven years, we anonymise the billing metadata in §3.6 — payer email, postal code, card last four, card brand, wallet and country are erased.
- The amounts, dates and provider references are kept beyond that, because tax law and refund traceability require it (§4.4).
13.4 Deleting your Account: 30 days, then permanent
- You can request deletion from your account settings. Your Account enters a 30-day grace period, during which you can cancel and get everything back.
- After 30 days, deletion is irreversible. Your email address, display name and password are overwritten, your date of birth is erased, your phone number, security questions, recovery codes, two-factor secret, linked sign-ins, sessions and recovery requests are deleted, IP addresses are stripped from your sign-in history, and your Characters are retired and their names released.
- What survives deletion, and why. We are telling you this
plainly because "delete everything" is not what happens:
- Bans and sanctions survive. If deleting an Account erased a ban, deletion would be a ban-evasion tool.
- Payment records survive to the extent §13.3 requires, because tax law does not care that you left.
- Security audit records and moderation notes survive.
- Gameplay telemetry survives, keyed to an Account identifier that no longer resolves to your name or email.
- Support tickets survive, including the email address on them, because they are keyed by email rather than by Account.
- Deleting your Account does not unsubscribe you from the newsletter (§3.7), which is a separate list. Use the unsubscribe link.
- Deleting a Character is different from deleting an Account: a Character that has been played enters a 90-day grace period; one that has never been played is removed immediately.
13.5 Where we have not yet set a period
- We are being straight with you rather than quoting a number we do not enforce. We have not yet set a retention period for: sign-in history, security audit records, support tickets, player reports, moderation notes, and gameplay telemetry.
- Our criteria for those records are: how long we need them to keep Accounts secure, to detect and act on abuse and ban evasion, and to defend legal claims. Records tied to a sanction are kept for at least the life of that sanction.
- The periods we settle on will be published here: sign-in history kept while your account is active; stored IP addresses are removed after three years of account inactivity and on account deletion (a fixed overall cap is under review); security audit records kept for the life of the account and, where entries record enforcement or security events, beyond deletion as part of the safety record (a fixed period is under review); support tickets kept while relevant to the support history of the accounts involved (a fixed period is under review); player reports kept while relevant to the safety history of the accounts involved (a fixed period is under review); moderation notes kept as part of the account's moderation history; expired marks stop counting as active priors (a fixed period is under review); gameplay telemetry kept in aggregate; a fixed period for raw event data is under review.
14. Your rights
If you are in the UK or the EEA, the rights below are yours by law. We apply §§14.1–14.4 to everyone, wherever you live, because it would be strange not to. Exercising any of them is free, and we will respond within one month. We may ask you to verify who you are, so that we do not hand your data to someone else.
14.1 Access, and a copy of your data — self-serve
- Your account settings have a data export that downloads a JSON file immediately, with no need to ask us. It contains your Account record, your Characters, your skills and achievements, your sign-in history, your active sessions, your sanctions, which security questions you chose, your phone number, and your Membership record and ledger.
- If you want something the export does not cover, ask us.
14.2 Rectification — partly self-serve
- You can change your email address (confirmed by a link), your phone number and your password yourself, and you can rename a Character yourself.
- Your Account display name is normally permanent. There is no self-serve change and no support path to request one as a preference. Staff can grant a one-time reset, but that exists for name enforcement, not for second thoughts. We are telling you this here because Article 16 gives you the right to have inaccurate data corrected, and you deserve to know the limit before you pick a name rather than after.
- If your display name is inaccurate in a sense the law recognises — as opposed to one you have gone off — contact support and we will deal with it properly rather than pointing at this paragraph.
14.3 Erasure — self-serve
- Delete your Account from your account settings. §13.4 sets out exactly what is erased, what survives, and why. The right to erasure is not absolute: where we must keep a record for a legal obligation, or to defend legal claims, or to stop ban evasion, we keep it.
14.4 Data portability — self-serve
- The same export in §14.1 is machine-readable JSON. It covers the data you gave us and the data generated by your use of the Game, which is what the portability right reaches.
14.5 Objection — contact us
- You can object to any processing we base on legitimate interests (§4.3), on grounds relating to your particular situation. There is no button for this: email support@islesofcalamity.com and a person will handle it.
- If you object, we must stop unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or we need the data to establish, exercise or defend legal claims. If we refuse, we will tell you why, and you can take it to your supervisory authority.
- We do not process your data for direct marketing based on legitimate interests, so the absolute right to object to direct marketing does not arise. The newsletter runs on consent, and every issue has a one-click unsubscribe.
14.6 Restriction — contact us
- You can ask us to restrict processing — broadly, to park your data rather than use it — while we check its accuracy, or where processing is unlawful but you would rather we restricted it than erased it, or where you need it for a legal claim, or while we consider an objection under §14.5. There is no button for this either: email support.
14.7 Withdrawing consent — self-serve
- Analytics: "Cookie preferences" in the footer reopens the banner. Withdrawing is exactly as easy as accepting.
- Newsletter: the unsubscribe link in any issue.
- Phone number and linked sign-ins: remove them in your account settings.
14.8 Being told about a data breach
- If a breach of your personal data is likely to result in a high risk to your rights and freedoms, we will tell you without undue delay.
14.9 Complaining to a regulator — your right, not our permission
- If you are in the EEA, you have the right to lodge a complaint with the supervisory authority in the country where you live or work, or where you think the problem happened. You do not need our agreement, and you do not have to come to us first.
- If you are in the UK, that regulator is the Information Commissioner's Office, at ico.org.uk.
- We would like the chance to fix it first, but that is a request, not a condition.
15. California: CalOPPA
This section applies to everyone, but it exists because California's Online Privacy Protection Act requires it, and that law applies to us regardless of our size.
- 15.1 Categories collected, and who receives them. §3 lists every category of personally identifiable information we collect. §6 lists every third party we share it with.
- 15.2 Reviewing and changing your information. Sign in and open your account settings. You can review your data with the export in §14.1 and change your email, phone, password and Character names there. §14.2 explains what you cannot change yourself: your Account display name is normally permanent. To ask for anything else, email support@islesofcalamity.com.
- 15.3 How we tell you about changes. §17.
- 15.4 Do Not Track. We must tell you how we respond to Do Not Track signals, and the honest answer is that we do not respond to them, because there is no consensus standard for what a compliant response is. We are not being evasive: analytics on this Site are off for everyone until they press Accept, which gets you a better outcome than a DNT header would. We do not currently respond to Global Privacy Control signals either. If we ever introduce advertising (§7), we will revisit this.
- 15.5 Third parties tracking you over time and across sites. If — and only if — you accept analytics, Google Analytics may collect information about your visits to this Site over time. We do not permit any third party to collect personally identifiable information about your online activities across other websites through our Site. No advertising network operates on this Site (§7).
16. California: the CCPA/CPRA, honestly
- The California Consumer Privacy Act, as amended by the CPRA, applies to a business that meets at least one statutory threshold: annual gross revenue over 25 million dollars; buying, selling or sharing the personal information of 100,000 or more California consumers or households a year; or deriving 50 percent or more of its annual revenue from selling or sharing personal information.
- We are a very small operation and we do not believe we meet any of
those thresholds. Rather than claim a status we do not have, or deny
you rights on a technicality, we will tell you what we actually do:
- We do not sell your personal information, and never have.
- We do not share it for cross-context behavioural advertising.
- We do not use or disclose sensitive personal information for any purpose beyond what is necessary to provide the Game.
- We do not offer financial incentives in exchange for personal information, and we do not discriminate against anyone for exercising a privacy right. Delete your Account and it is deleted; we will not degrade your service for asking.
- In practice you can already do the things the CCPA is about. Whatever our threshold status, any California resident can use the export in §14.1 to know what we hold, the deletion in §14.3 to delete it, and the settings in §14.2 to correct it. We answer requests to support@islesofcalamity.com the same way for Californians as for everyone else.
- If we cross a threshold, this section becomes binding without our having to rewrite it. From the date we qualify as a business under the CCPA, California residents have the rights to know, delete, correct, opt out of sale or sharing, limit the use of sensitive personal information, and not be retaliated against; we will honour authorised agents and Global Privacy Control signals; and we will publish a "Do Not Sell or Share My Personal Information" link before any sale or sharing begins. The most likely way we would cross a threshold is by introducing advertising, and §7 already commits us to updating this policy before the first ad runs.
17. Changes to this policy
- The date at the top of this page is the effective date, and it changes every time the text does.
- If we make a material change — a new purpose, a new category of data, a new recipient, or advertising — we will tell you before it takes effect, by email to your Account address or by a notice on the Site, and we will not apply the new purpose to your data until we have.
- We will not quietly change this policy to describe something the software already does. The policy and the code change together.
18. Governing law, and rights we cannot take away from you
- Our Terms of Service are governed by the law of the State of California and applicable United States federal law.
- That does not cut down your statutory rights. If you are a consumer in the EEA or the UK, you keep the mandatory protections of the law where you live — including every right in §14 — no matter what any governing-law or limitation clause in our Terms says. Nothing in this policy or in our Terms limits your right to complain to your supervisory authority under §14.9, or to a remedy in your local courts where the law gives you one.
- If any part of this policy conflicts with a mandatory right you hold under your local law, your local law wins for that part, and the rest stands.
19. Contact
- Privacy questions, rights requests, or anything in this policy: support@islesofcalamity.com.
- Once representatives are appointed, EEA and UK players will be able to contact them instead; until then contact us directly at support@islesofcalamity.com.