Background image for the Dead by Stats website

Privacy Policy

How we protect your data and privacy

At Dead by Stats, we take your privacy seriously. This policy outlines how we collect, use, and protect your information when you use our platform. Please read this document carefully to understand our practices regarding your personal data.

Published: 20.12.2021 | Last updated: 19.05.2025

1. Data Controller

The data controller responsible for your personal data is:

Filip Krzyżanowski
Address: near Krotoszyn, Poland
Email: [email protected]

As a natural person, I am the data controller responsible for processing personal data on the Dead by Stats website ("we", "our", "us").

You can contact me via email or through our contact form:
https://deadbystats.eu/contact


2. Legal Basis

We process your personal data under:

  • The General Data Protection Regulation (GDPR),
  • The Polish Personal Data Protection Act of May 10, 2018.


Under GDPR, we must have a legal reason ("legal basis") for processing your data — for example, because you gave your consent, or because we need it to provide you with a service you requested.
The most common legal bases we rely on are:

  • Consent – you’ve given clear permission for us to process your data for a specific purpose (e.g. analytics, ads).
  • Contractual necessity – we need the data to fulfill our agreement with you (e.g. user account, saving progress).
  • Legitimate interest – we have a legitimate interest in improving our services, ensuring website security, or providing optional features, as long as these interests are not overridden by your rights and freedoms.
  • Legitimate interest (Art. 6(1)(f) GDPR) – for Cloudflare services related to website protection, performance optimization, and user verification through Turnstile. Our legitimate interest includes ensuring website security, protecting against bots and DDoS attacks, and providing a smooth website experience for genuine users.


3. Age Requirements

We recommend that users be at least 18 years old due to the nature of Dead by Daylight (PEGI 18+).

Our service relies on Steam authentication, which requires users to be at least 13 years old to have an account. By using our service through Steam login, you confirm that you meet Steam's minimum age requirements.

For users aged 13-17 who access content related to this PEGI 18+ game, we recommend parental supervision and consent. In accordance with Article 8 of the GDPR and Polish law, we treat users aged 13-17 as minors.

We do not knowingly collect personal data from children under the age of 13. If we become aware of such collection, we will delete the data.

4. What Data We Collect

We may collect the following personal data:

  • Steam ID (ID64 and custom profile URL)
  • Steam username and display name
  • Dead by Daylight stats and achievements
  • Optional email address (for alternate login and password reset). This data is only collected if provided and is stored securely.


Your Steam ID is considered personal data because it can be linked to your Steam account and online identity, making it possible to identify or profile you indirectly.

We may also collect public profile data from Steam, including:

  • Avatar
  • Playtime statistics
  • Public match history
  • Profile visibility status


Technical data collected includes:

  • Website usage data via Google Analytics 4:
    •   Page visits, time spent, click data
    •   Browser type, OS, device
  • User agent and IP address (processed by Sentry and/or hosting provider in server logs)
  • Cookies and advertising data via Google AdSense (only with consent)


Technical data collected by Cloudflare and Cloudflare Turnstile:

  • IP address (for geolocation and abuse detection)
  • User agent information (browser and device details)
  • Cookies necessary for Turnstile functionality
  • User interaction metadata with the website
  • Browser-specific data used to distinguish humans from bots
  • Request timestamps and traffic metadata

These data are used to distinguish genuine users from bots without requiring traditional CAPTCHA puzzles, to protect the website from DDoS attacks, and to optimize website performance.


We only use necessary cookies that are essential for the website to function, such as for session management, login authentication, or basic interface behavior. These cookies do not require your consent under the ePrivacy Directive.
Google AdSense cookies are used solely for displaying ads. We do not knowingly enable personalized ad tracking unless the user gives explicit consent via the cookie banner. However, Google may still perform certain contextual or behavioral ad optimizations in accordance with their privacy policy.

Server logs maintained by our hosting provider and error monitoring service (Sentry) may include your IP address, browser type, operating system, device identifiers, referrer URLs, and timestamps. These are used for security, debugging, and service performance purposes. The legal basis for this processing is our legitimate interest (Art. 6(1)(f) GDPR).

We do not collect or process any special categories of personal data as defined in Article 9 of the GDPR (such as information about racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning your sex life or sexual orientation).

While we do not intentionally collect or process special categories of personal data as defined in Article 9 GDPR, some public Steam profile data (e.g., usernames or avatars) may unintentionally reveal sensitive personal information. We do not process such data for profiling or decision-making purposes.

5. How We Collect Your Data

We collect your data when you:

  • Log in via Steam OAuth
  • Provide an email address for login or password reset
  • Interact with the website after accepting cookies
  • Interact with Cloudflare Turnstile verification mechanisms when displayed
  • View content while your Steam profile is public

Some features (like "Save My Progress") require login.

We may also collect data from public Steam profiles when a user or visitor provides a Steam ID or profile link — even if they do not log in. Data access is limited to what is publicly available on Steam.

If you wish to delete your Dead by Stats account, you can do so directly from the user settings page while logged in. This will initiate the deletion process described in the Data Retention section.

6. Why We Process Your Data (Purposes and Legal Bases)

We use your personal data for the following purposes:

To create and manage your user account
Legal basis: Consent (Art. 6(1)(a) GDPR)

To generate and display your Dead by Daylight stats and profile
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR)

To save your daily game progress and visualize it in charts
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR)
Frequency: Steam data is refreshed once per day

To display your ranking on public leaderboards

  • Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)
  • Our interest: Providing competitive features that enhance user experience, enable goal-setting, and create community engagement
  • Legitimate interest assessment:
    • Purpose: Leaderboards are standard in gaming communities and essential for competitive play
    • Necessity: Only public Steam information is used, limited to what's required for functionality
    • Balance: User rights are protected because:
      • Only already-public information is displayed
      • No additional profiling is performed
      • Users can object at any time
      • The processing is within reasonable expectations of users
      • The privacy impact is minimal as data is already publicly available
      • Users benefit from community participation and gameplay motivation

Leaderboard data is visible to all users and includes only public Steam information. Users may object to the display of their profile by contacting us at [email protected]. We will honor all legitimate objections in accordance with Art. 21 GDPR.

To monitor errors and ensure stability (e.g., via Sentry)

  • Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)
  • Our interest: Service integrity and error resolution


To conduct analytics (Google Analytics 4)

  • Legal basis: Consent (Art. 6(1)(a) GDPR)


To serve non-personalized ads (Google AdSense)

  • Legal basis: Consent (required under ePrivacy Directive)


To serve personalized ads (Google AdSense)  

  • Legal basis: Consent (Art. 6(1)(a) GDPR)  
  • Our interest: Generating revenue to support service operations  
  • You can decline personalized ads via cookie settings at any time.


We do not send marketing communications and do not require marketing opt-ins.

7. Cookies and Tracking

We use only essential ("necessary") cookies that are required for the website to function properly. These include:

  • Session cookies (e.g., for login and session continuity)
  • Security tokens (e.g., for CSRF protection)
  • Basic interface or language preference settings (if applicable)

Cloudflare necessary cookies:

  • cf_clearance — cookie used to identify trusted users
  • __cf_bm — cookie used to manage bot traffic and malicious attacks
  • _cfuvid — cookie used to identify unique sessions

Cloudflare Turnstile may also use cookies to verify users. These are classified as necessary cookies for website functionality and do not require user consent under the ePrivacy Directive.


These cookies are strictly necessary and do not require user consent under the ePrivacy Directive.

If you consent to analytics or advertising cookies via our cookie banner, additional cookies may be set by third-party providers such as:

  • Google Analytics 4 – for anonymous website traffic analysis
  • Google AdSense – for displaying advertisements (with or without personalization, based on your consent)


Cookies are only stored after your explicit consent, which is managed via our in-house cookie consent modal shown upon your first visit. Our in-house cookie consent modal allows you to make granular choices (e.g., analytics vs. ads) and blocks non-essential cookies by default until you provide explicit consent.

We store your consent preferences locally in your browser using cookies. These preferences are retained for 6 months, after which you will be prompted to renew your consent. This shorter retention period ensures your consent remains current and relevant to our data processing activities. Your consent preferences are not transmitted to any external servers or databases.

We chose a 6-month period because it:

  • Aligns with evolving best practices for consent management
  • Provides a reasonable balance between user experience and privacy protection
  • Ensures you can regularly review and update your preferences


Consent is registered via our in-house consent modal and is based on the time and category of cookies you accept (e.g., analytics, advertising). You can change or withdraw your consent at any time without waiting for the renewal period by visiting:
https://deadbystats.eu/cookie-policy

Alternatively, you can adjust cookie settings directly in your browser. Instructions are available at:
https://www.aboutcookies.org/how-to-control-cookies/

More details can be found in our Cookie Policy:
https://deadbystats.eu/cookie-policy


8. Profiling and Automated Decision-Making

We do not make automated decisions that produce legal or similarly significant effects on users.

However, limited profiling may occur if you consent to personalized advertising via Google AdSense. This may include ad targeting based on your browsing behavior and Steam profile activity. We do not build user profiles or make decisions based on your activity. Ad personalization is based solely on your consent via the cookie settings. These processes do not significantly affect your rights or freedoms and are based solely on your consent.

If you do not wish to be subject to this profiling, you can decline personalized ad consent in the cookie settings.

Users have the right to object to any profiling based on their personal data. This includes the right to withdraw consent for personalized ads at any time via the cookie settings panel.


9. International Data Transfers

Your data may be processed outside the European Economic Area (EEA) by services like Google (United States), particularly through services such as Google Analytics, Google AdSense, and Google Tag Manager.

Cloudflare may also process data outside the European Economic Area (EEA). Cloudflare participates in the EU-US Data Privacy Framework and implements Standard Contractual Clauses (SCCs) approved by the European Commission, which provide appropriate safeguards for international data transfers in accordance with GDPR.

Following the Court of Justice of the European Union's "Schrems II" decision (C-311/18), we have implemented a comprehensive approach to international transfers:

To safeguard your data, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Detailed Transfer Impact Assessments (TIAs) for each data processor operating outside the EEA
  • Regular reviews of our processors' compliance with EU data protection standards

Supplementary technical measures we implement include:

  • Data minimization: Limiting the personal data transferred to only what is strictly necessary
  • Pseudonymization: Where possible, we pseudonymize data before transfer (e.g., IP anonymization in Google Analytics)
  • Encryption: Ensuring data is encrypted both in transit and at rest
  • User controls: Providing clear opt-out mechanisms for all non-essential data processing

Organizational supplementary measures include:

  • Vendor assessment: Regular evaluation of our data processors' privacy practices
  • Transparency: Clear documentation of all international transfers
  • Contractual safeguards: Enhanced DPAs with specific provisions for data subject rights
  • Response plan: Procedures to handle access requests from non-EU authorities

These safeguards are implemented by both us and our third-party providers (e.g., Google, Sentry) as data processors, who are contractually bound to adhere to these standards through Data Processing Agreements (DPAs).

We regularly reassess our international transfer mechanisms to ensure continued compliance with evolving data protection requirements and case law.

10. Data Retention

We retain your data as follows:

  • As long as your account is active
  • If you do not log in for 12 months, your account is considered inactive. We store the last login date (not Steam activity) to determine this status
  • After 12 months of inactivity, we may delete your data after showing a message or sending an email

If you delete your account manually:

  • Your data is removed from active systems within 24 hours
  • It is fully erased within 5 days, including from backups

Backups are retained securely for up to 5 days, and never used for any purpose other than recovery.

Analytics data (Google Analytics 4) is retained for up to 14 months, in accordance with Google's data retention policy.
Error tracking data (Sentry) may be retained for up to 90 days for diagnostic purposes.
Cookie data is retained until consent is withdrawn or cookies are deleted from your browser.

We follow the principle of data minimization, meaning we do not store personal data longer than necessary for the purposes outlined in this policy.


11. Data Security

We take appropriate technical and organizational security measures, including:

  • HTTPS (TLS) encryption
  • Secure authentication and limited data access
  • Daily backups and disaster recovery
  • Regular vulnerability assessments
  • Monitoring and logging of access to critical systems

Access to personal data is restricted according to the principle of least privilege, meaning only those who need access to perform their tasks can access your data.

In the event of a personal data breach that poses a risk to your rights or freedoms, we will notify you and the appropriate supervisory authority without undue delay, as required by Articles 33 and 34 of the GDPR.


12. Your Rights

You have the following rights under GDPR:

  • Access – View a copy of your personal data
  • Rectification – Correct any inaccurate data
  • Erasure – Request deletion of your account and data
  • Restriction – Request temporary suspension of processing
  • Data Portability – Receive your data in a portable format
  • Object – Object to data processing based on our legitimate interests
  • Withdraw Consent – Withdraw your cookie or login-related consent at any time
  • Complain – File a complaint with a supervisory authority

You can exercise your rights by emailing [email protected]
or using the contact form: https://deadbystats.eu/contact

To ensure that your request is legitimate and to protect your data, we may ask you to verify your identity. This may include confirming your email address or verifying your login via Steam.

We aim to respond to all legitimate requests within one month. If your request is particularly complex or if you have made multiple requests, it may take us up to two additional months — in such cases, we will notify you.

Responses are usually sent electronically unless you request another format. If your request concerns data portability, we will provide your data in a structured, commonly used, and machine-readable format (e.g., JSON or CSV).

Requests are free of charge unless they are manifestly unfounded, excessive, or repetitive (Article 12(5) GDPR).

If your request concerns data collected by third-party services (such as Google Analytics or AdSense), you may also choose to contact these providers directly using the links in section 13.

13. Third-Party Processors

We work with trusted third-party service providers that process personal data on our behalf. Below we specify each processor and exactly what data they receive:

Contabo — Hosting provider (servers located in Germany, EU)


Mailtrap — SMTP service provider for sending transactional emails

  • Data shared: Email addresses, usernames (for password resets or notifications)
  • Purpose: Sending transactional emails only to users who provided email addresses
  • Privacy Policy: https://mailtrap.io/privacy-policy/


Google Analytics 4 — Website analytics (only after consent)

  • Data shared: Anonymous usage data, IP addresses (anonymized), user agent data, page views
  • Purpose: Website usage analysis and performance monitoring
  • Privacy Policy: https://policies.google.com/privacy


Google AdSense — Display of advertisements (only after consent)

  • Data shared: Cookie identifiers, IP addresses, browsing behavior data
  • Purpose: Ad delivery and limited profiling (only with explicit consent)
  • Privacy Policy: https://policies.google.com/privacy


Google Tag Manager — Managing loading of Analytics and Ads scripts

  • Data shared: No direct data collection, but facilitates loading of other Google services
  • Purpose: Script management for other Google services
  • Privacy Policy: https://policies.google.com/privacy


Sentry — Application error monitoring and reporting

  • Data shared: Error logs, user agent information, IP addresses, action timestamps
  • Purpose: Diagnostic monitoring and error resolution
  • Privacy Policy: https://sentry.io/privacy/


Steam API — Accessing publicly available user data


Cloudflare — CDN and security service provider

  • Data shared: IP addresses, browser data, technical cookies, traffic metadata 
  • Purpose: DDoS protection, performance optimization, user verification (Turnstile) 
  • Privacy Policy: https://www.cloudflare.com/privacypolicy/


All third parties comply with GDPR requirements and have signed appropriate data processing agreements where necessary. We regularly review their data protection practices to ensure continued compliance.

Where possible, we implement additional safeguards such as data anonymization or pseudonymization before sharing with processors.


14. Supervisory Authority

If you believe your data rights have been violated, you may contact:

Polish Data Protection Authority (UODO)
Website: https://uodo.gov.pl
Email: [email protected]

If you reside outside Poland, you may also contact your local data protection authority within the European Economic Area (EEA) to exercise your rights.

15. Policy Updates

We may update this Privacy Policy from time to time.
Significant changes will be announced via:

  • A notification on our website, and
  • An updated date at the top of this document

If we change how we process data or the legal basis for it, we will request new consent where required.

If we plan to collect additional categories of data or change the purposes for which we process your personal data, we will inform you in advance and, where required, obtain your renewed consent.

16. Contact

If you have any questions about this Privacy Policy, please contact us at:


17. Cloudflare Turnstile

Our website uses Cloudflare Turnstile, which is a privacy-friendly alternative to traditional CAPTCHA systems. Turnstile analyzes user behavior and interactions with the website to determine if they are human, without requiring users to solve difficult puzzles.

Turnstile processes data such as IP address, browser and device information, and interaction metadata, but does so in a way designed to minimize privacy impact. Unlike some CAPTCHA systems, Turnstile does not require users to identify images or solve complex tasks.

The legal basis for Turnstile's data processing is our legitimate interest (Art. 6(1)(f) GDPR) in ensuring website security and protection against automated spam and bots.

How Turnstile works:

  • It runs invisible challenges in the background to distinguish between humans and automated bots
  • It analyzes browser-specific data and user interactions with the page
  • It maintains a privacy-centric approach by not collecting unnecessary personal data
  • It provides a seamless user experience without disrupting normal website interaction

Turnstile data processing is covered by Cloudflare's privacy policy and data protection commitments, including their adherence to the EU-US Data Privacy Framework and implementation of Standard Contractual Clauses for international data transfers.

You can learn more about Cloudflare's approach to privacy at: https://www.cloudflare.com/privacypolicy/

Have questions about our Privacy Policy?

If you have any questions or concerns about how we handle your data, our team is ready to help you.

Support us!