GDPR Compliance

Your Rights Under the EU General Data Protection Regulation

Last Updated: January 1, 2025

This page explains how Pathway complies with the European Union's General Data Protection Regulation (GDPR) and your rights as an EU/EEA resident. Our full Privacy Policy provides additional details.

1. Data Controller Information

For the purposes of GDPR, the data controller is:

Pathway

Physical address to be added before public launch
United States

Privacy Contact: privacy@pathway.gg

DPO: Not required (small business)

2. Legal Basis for Processing

We process your personal data under the following legal bases:

Contract Performance (Art. 6(1)(b))

Processing necessary to provide our service when you subscribe:

  • Account creation and authentication
  • Campaign and character management
  • AI Dungeon Master functionality
  • Billing and subscription management

Legitimate Interests (Art. 6(1)(f))

Processing necessary for our legitimate business interests:

  • Improving our service and user experience
  • Security and fraud prevention
  • Analytics and performance monitoring
  • Customer support

Consent (Art. 6(1)(a))

Processing based on your explicit consent:

  • Marketing emails and newsletters
  • Non-essential cookies (analytics, marketing)
  • Optional feature usage tracking

You may withdraw consent at any time without affecting service access.

Legal Obligation (Art. 6(1)(c))

Processing required by law:

  • Tax and accounting records
  • Responding to legal requests
  • Compliance with financial regulations

3. Your GDPR Rights

As an EU/EEA resident, you have the following rights:

Right to Access (Art. 15)

Request a copy of all personal data we hold about you, including:

  • Account information and profile data
  • Campaign and character data
  • Session transcripts and AI interactions
  • Billing and payment history

How to exercise: Email privacy@pathway.gg with subject "GDPR Access Request"

Response time: 30 days (free, first request)

Right to Rectification (Art. 16)

Correct inaccurate or incomplete personal data. You can update most information via:

  • Account settings in the web app
  • Discord profile (for username/avatar)
  • Contact support for billing details

Right to Erasure / "Right to be Forgotten" (Art. 17)

Request deletion of your personal data. We will comply except where retention is required by law.

How to exercise: Delete your account via settings or email privacy@pathway.gg

Timeline: Data deleted within 30 days (backups may persist up to 90 days)

Exceptions: We retain data if required for legal compliance, tax records (7 years), or active disputes

Right to Data Portability (Art. 20)

Receive your data in a machine-readable format (JSON) to transfer to another service.

Available exports:

  • Character sheets (JSON, PDF) - available in-app now
  • Campaign data (JSON) - available in-app for DMs now
  • Full account export (JSON) - request via email

How to exercise: Use in-app export features or email for full data package

Right to Restriction of Processing (Art. 18)

Limit how we process your data while disputing accuracy or lawfulness. Data will be stored but not processed.

Example: If you dispute the accuracy of billing records, we'll pause processing while investigating.

Right to Object (Art. 21)

Object to processing based on legitimate interests or for direct marketing:

  • Marketing: Unsubscribe from emails via link in footer or account settings
  • Analytics: Disable via cookie settings or Do Not Track
  • Profiling: We do not use automated decision-making or profiling

Right to Withdraw Consent (Art. 7(3))

Withdraw consent for optional processing at any time:

  • Marketing emails: Click "Unsubscribe" in any email
  • Cookies: Adjust preferences in our cookie banner or browser settings
  • Feature usage tracking: Disable in account privacy settings

Withdrawing consent does not affect your ability to use the service.

Right to Lodge a Complaint (Art. 77)

If you believe we've violated GDPR, you can file a complaint with your local Data Protection Authority (DPA):

Find Your National DPA →

We encourage you to contact us first at privacy@pathway.gg so we can address your concerns directly.

4. How to Exercise Your Rights

📧 Email Request

Send requests to privacy@pathway.gg with:

  • Subject line: "GDPR [Right Name] Request"
  • Your Discord username and user ID
  • Account email address
  • Description of your request

🔐 Identity Verification

To protect your privacy, we may ask you to verify your identity before fulfilling requests. This may involve:

  • Logging into your account to confirm ownership
  • Providing additional identifying information
  • Two-factor authentication via Discord (if enabled)

⏱️ Response Timeline

  • Standard response: 30 days from verification
  • Complex requests: Up to 60 days (we'll notify you of extension)
  • No fee for first request; reasonable fee for excessive/repetitive requests

5. International Data Transfers

Our servers are located in the United States (AWS US-East-1). When you use our service from the EU/EEA, your data is transferred outside the European Economic Area.

5.1 Transfer Safeguards

We protect your data during international transfers using:

  • Standard Contractual Clauses (SCCs): We use EU-approved SCCs with our service providers (AWS, Anthropic, Stripe)
  • AWS Data Processing Addendum: AWS complies with GDPR through their DPA and SCCs
  • Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Controls: Strict access limitations on who can access EU user data

5.2 Third-Party Processors

EU data may be processed by:

  • AWS (US): Cloud hosting - uses SCCs
  • Anthropic (US): AI processing - uses SCCs
  • Stripe (US): Payment processing - GDPR compliant
  • Discord (US): Authentication - GDPR compliant

6. Data Retention Periods

Data Type              Retention Period                  Legal Basis
Account data           While account active + 30 days    Contract
Billing records        7 years after last transaction    Legal obligation (tax law)
Campaign data          While account active + 30 days    Contract
AI interaction logs    90 days (for debugging)           Legitimate interest
Support tickets        3 years after resolution          Legitimate interest
Marketing consent      Until withdrawn                   Consent

After retention periods expire, data is securely deleted unless required for legal compliance or active disputes.

7. Children's Data (Under 16)

Our service requires users to be 18 years or older. We do not knowingly collect data from children under 16 (or under 18, per our Terms).

If you believe we have inadvertently collected data from a minor, contact privacy@pathway.gg immediately, and we will delete it within 72 hours.

8. Automated Decision-Making & Profiling

We do not use automated decision-making or profiling that produces legal or similarly significant effects (Art. 22 GDPR).

AI Usage Note: Our AI Dungeon Master generates content for your game sessions, but this does not constitute "automated decision-making" under GDPR as it does not make decisions about you personally (only about fictional game scenarios).

9. Contact Our Privacy Team

For any GDPR-related questions or to exercise your rights:

Privacy Team: privacy@pathway.gg
Legal Inquiries: legal@pathway.gg

Mailing Address:
Pathway
Physical address to be added before public launch
United States

Expected response time: 30 days or less

10. Related Documents