REPLAY

Replay.re ("we", "us", "our") respects your privacy and processes personal data in accordance with applicable data protection law, including Regulation (EU) 2016/679 ("GDPR").

This Privacy Policy explains how we process personal data in connection with:

• the Replay website at https://replay.re/,
• the Replay forum at https://forum.replay.re/,
• our self-hosted identity management system ("IDMS"), based on Keycloak,
• the BlackICE multiplayer modification for Cyberpunk 2077 (the "Game Client"),
• and the related (game) server infrastructure operated by us.

1. Scope of this Privacy Policy

This Privacy Policy applies to personal data processed when you:

• visit our website,
• use our forum,
• create or use an IDMS account,
• log in to or use the Game Client,
• connect to our game servers,
• use in-game or community features made available by us,
• or submit or automatically generate technical diagnostics, including crash reports.

2. Categories of personal data we process

Depending on how you use our services, we may process the following categories of personal data:

2.1 Website and forum usage data

When you access our website or forum, we may process:

• IP address,
• date and time of access,
• requested pages and resources,
• browser and device-related technical information,
• security and proxy-related request metadata,
• login-related technical data,
• necessary cookie data,
• and recent login IP addresses associated with forum access.

Traffic to our website and forum is routed through Cloudflare for delivery and security purposes.

2.2 Account and identity data

If you create or use an account through our IDMS, we may process:

• username,
• email address,
• IDMS identifier,
• authentication-related data,
• and account status information.

Our IDMS is self-hosted and operated by us.

2.3 Forum and community data

If you use our forum, we may store and process for the purpose of forum operations:

• profile information you choose to provide,
• threads, posts, replies, and similar public contributions,
• private/direct messages,
• and records necessary to administer your forum account and maintain forum integrity.

2.4 Game and server connection data

If you use the Game Client or connect to our servers, we may process:

• your IP address,
• your IDMS identifier,
• login/session metadata,
• connection and server event data,
• and technical information required to establish, maintain, and secure multiplayer functionality.

2.5 Gameplay and social feature data

Where available in the relevant version of our services, we may process data necessary to provide gameplay and social features, such as:

• player identity within the service,
• contact or social graph data,
• group or guild-related data,
• matchmaking-related data,
• presence or status information,
• communication-related data,
• and user reports or other feature-specific operational data.

We process only data that is necessary to provide the relevant feature.

2.6 Crash reports and diagnostic data

In the event of crashes, errors, or technical issues, the Game Client may automatically transmit diagnostic information to our self-hosted Sentry environment for debugging and service stability purposes. This may include:

• paths of loaded modules, which may in some cases contain the Windows user name,
• Windows build information,
• commit hash of the build that crashed,
• branch information,
• GPU version and driver information,
• client log files,
• and other hardware-related technical information, if implemented in the future.

We do not collect memory dumps through this process.

3. Purposes of processing and legal bases

We process personal data only where we have a lawful basis to do so under Article 6 GDPR.

3.1 Performance of a contract or pre-contractual measures

We process personal data where necessary to provide our services to you, including to:

• create and manage accounts,
• authenticate users through IDMS,
• provide access to the website, forum, Game Client, and game servers,
• enable multiplayer functionality,
• provide community and social features,
• and maintain your account and service settings.

The legal basis is Article 6(1)(b) GDPR.

3.2 Legitimate interests

We process personal data where necessary for our legitimate interests, provided those interests are not overridden by your rights and freedoms. These interests include:

• ensuring network, platform, and account security,
• preventing misuse, abuse, fraud, and technical disruption,
• protecting the integrity and availability of our services,
• maintaining forum structure and continuity,
• investigating incidents and faults,
• logging technical events,
• and diagnosing crashes and software defects.

The legal basis is Article 6(1)(f) GDPR.

Our legitimate interests include the secure, stable, and efficient operation of the website, forum, IDMS, Game Client, and server infrastructure.

3.3 Compliance with legal obligations

Where necessary, we process personal data to comply with legal obligations to which we are subject and to exercise, or defend legal claims.

The legal basis are Article 6(1)(c) GDPR and Article 6(1)(f) GDPR.

4. Whether provision of data is required

Some personal data is necessary in order to provide our services.

In particular:

• account-related information is required to create and operate an IDMS-linked account,
• authentication data is required to log in,
• IDMS identification is required to access authenticated services,
• and IP addresses and technical connection data are required for website delivery, server communication, and multiplayer operation.

If you do not provide the data that is necessary for account creation, authentication, or technical operation, you may be unable to use some or all of our services.

5. Cookies and similar technologies

Our website and forum use strictly necessary cookies only.

These cookies are required for core functionality such as session handling, authentication, security, and technical service delivery. We do not use third-party advertising cookies and we do not use analytics cookies under this Privacy Policy.

The legal basis for such processing is Article 6(1)(b) GDPR where the cookie is necessary to provide a service you requested, and otherwise Article 6(1)(f) GDPR for the secure and functional operation of our services.

6. Recipients and categories of recipients

We do not sell personal data. We do not disclose personal data to advertising networks or unrelated third parties for their own independent marketing purposes.

We data may only be processed to the following categories of recipients where necessary:

6.1 Cloudflare

We use Cloudflare as a service provider for proxying, delivery, and security of our website and forum traffic.

Cloudflare processes request and connection data as part of that technical role.

6.2 Internal infrastructure operated by us

We operate our own infrastructure for:

• IDMS,
• game servers,
• website and forum hosting,
• and our self-hosted Sentry instance.

Our self-hosted Sentry deployment is part of our own technical infrastructure and is used solely for debugging and service reliability.

7. International transfers

Based on our service configuration, personal data processed under this Privacy Policy is hosted and processed within the EU/EEA.

We do not currently intend to transfer personal data to recipients outside the EU/EEA.

8. Retention periods

We retain personal data only for as long as necessary for the purposes for which it was collected, unless a longer retention period is required by law or necessary for legal claims, abuse handling, or security investigations.

Unless a longer retention period is required in a specific case, we apply the following retention schedule:

8.1 Website and server access logs

Website and server access logs are generally retained for 30 days.

Where necessary to investigate abuse, attacks, security incidents, service disruption, or legal claims, relevant log data may be retained for longer until the matter is resolved.

8.2 Account data after account deletion

Account master data is retained for as long as the account exists.

After account deletion, account master data is deleted or irreversibly anonymized from active systems within 30 days, unless retention is required by law or necessary for the establishment, exercise, or defence of legal claims.

Residual copies may remain in backups for a limited period as set out below.

8.3 Forum posts, threads, and replies

Public forum content may remain visible after account deletion where this is necessary to preserve the coherence, continuity, and integrity of discussion threads.

In such cases, we will, where appropriate and technically feasible, anonymize or disassociate the account from the content rather than continue to display it under an active account identity.

If deletion is legally required in an individual case, we will assess and implement it in accordance with applicable law.

8.4 Forum direct/private messages

Forum direct or private messages are retained until they are deleted from the relevant mailbox or until account deletion requires their removal or disassociation, unless retention is necessary for legal claims.

Following account deletion, associated private message data is removed or irreversibly disassociated from active systems within 30 days, subject to backup retention.

8.5 Authentication and login logs

Authentication, login, and related security logs are generally retained for 30 days.

This period may be extended where necessary for security incident analysis, abuse prevention, or legal claims.

8.6 Game server connection and IP logs

Game server connection logs, including IP-related connection records, are generally retained for 30 days.

This period may be extended where necessary for operational troubleshooting, abuse handling, security investigations, or legal claims.

8.7 Crash reports, Sentry events, and attached log files

Crash reports, diagnostic events, and attached log files are generally retained for 90 days.

They may be deleted earlier where no longer needed, or retained longer where necessary to analyse recurring faults, investigate security issues, or defend legal claims.

8.8 Backups

Backup copies are generally retained for 60 days on a rolling basis.

Where backup cycles or disaster recovery requirements require a limited deviation, backup retention may extend for the minimum period necessary to maintain reliable recovery capability.

9. Sources of personal data

As a rule, we collect personal data directly from you when you:

• access our services,
• create an account,
• log in via IDMS,
• post on the forum,
• send messages,
• use the Game Client,
• connect to our servers,
• or generate technical logs or crash reports through use of the software.

We may also generate technical data automatically through operation of our systems, such as connection logs, authentication logs, server event logs, and diagnostic data.

We do not collect or buy user data from unrelated third parties.

10. Automated decision-making

We do not currently use automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR.

11. Your rights

Subject to the conditions of applicable law, you have the following rights with regard to your personal data:

• the right to obtain information about the processing of your personal data,
• the right of access to your personal data,
• the right to rectification of inaccurate or incomplete personal data,
• the right to erasure,
• the right to restriction of processing,
• the right to data portability, where applicable,
• the right to object to processing based on Article 6(1)(e) or 6(1)(f) GDPR,
• and the right not to be subject to automated decision-making within the scope provided by law.

Where processing is based on consent, you also have the right to withdraw your consent at any time with effect for the future. At present, this Privacy Policy does not rely on consent as the primary legal basis for the core services described above.

To exercise your rights, please contact: green@replay.re

12. Right to lodge a complaint

You have the right to lodge a complaint with a competent supervisory authority, in particular in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement, if you believe that the processing of your personal data violates applicable data protection law.

13. Data security

We implement appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or unauthorised access.

However, no method of electronic transmission or storage is completely secure. We therefore cannot guarantee absolute security.

14. Children and age suitability

BlackICE is not specifically directed at children. Use of the mod presupposes lawful access to the base game, Cyberpunk 2077.

We do not knowingly create a separate child-directed service under this Privacy Policy.

15. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect legal, technical, or operational changes.

The current version will be published on our website with the updated effective date.

16. Contact

If you have questions about this Privacy Policy or our processing of personal data, please contact:

Email: green@replay.re