Your GDPR Rights

For users in the European Union, European Economic Area, and United Kingdom

Last Updated: May 10, 2026

Overview

If you are located in the European Union (EU), European Economic Area (EEA), or United Kingdom (UK), the General Data Protection Regulation (GDPR) and UK GDPR provide you with specific rights regarding your personal data.

Dullfish Studio, located in Chieri, Italy, is the data controller for personal data collected through CoreShell and coreshellgame.com. This page explains your rights and how to exercise them.

Your Rights Under GDPR

Right to Access

You have the right to request a copy of all personal data we hold about you. This includes your account information, game progress, purchase history, and any other data associated with your account.

Data is provided in JSON format.

Right to Rectification

You have the right to request correction of any inaccurate personal data we hold about you. You can update your username directly in the Game. For other corrections, please contact us.

Right to Erasure

You have the right to request deletion of your personal data ("right to be forgotten"). When you request account deletion, we will permanently delete all data associated with your account. This action is immediate and irreversible.

Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON). You can transfer this data to another service if you wish.

Right to Restrict Processing

You have the right to request that we restrict the processing of your personal data under certain circumstances, such as when you contest the accuracy of the data.

Right to Object

You have the right to object to certain types of processing, such as processing based on legitimate interests. However, since we only process data necessary to provide the Game, objecting may mean you cannot use the service.

Legal Basis for Processing

We process your personal data based on the following legal grounds:

  • Contract Performance: Processing necessary to provide the Game services you requested (account management, game progress, purchases)
  • Legal Obligation: Processing required to comply with laws (e.g., tax records for purchases, responding to legal requests)
  • Consent: For cookie storage on our Website (you can withdraw consent at any time)

Data We Collect

As detailed in our Privacy Policy, we collect minimal data:

  • Email address (from App Store/Play Store, encrypted with ChaCha20/AES-GCM)
  • Store identifier (hashed and encrypted)
  • Username (chosen by you)
  • Game data (progress, purchases, statistics)

We do not collect: IP addresses, precise location, device identifiers (beyond store requirements), or browsing history.

Data Retention

  • Active accounts: Data retained while you use the Game
  • Inactive accounts: Data retained for 2 years after last activity, then automatically deleted
  • Deleted accounts: Data deleted immediately upon request (irreversible)
  • Purchase records: May be retained longer for legal/tax compliance

International Transfers

Our servers are located in the European Union. Your data is processed and stored within the EU, which provides strong data protection under GDPR.

The only international data sharing occurs with:

  • Apple (USA): For App Store authentication and purchases - covered by EU-US Data Privacy Framework
  • Google (USA): For Play Store authentication and purchases - covered by EU-US Data Privacy Framework

How to Exercise Your Rights

To exercise any of your GDPR rights, please contact us through one of the following methods:

Contact Form (Preferred)

coreshellgame.com/support

Select "Data Request" or "Account Deletion" as the subject for fastest processing.

What to Include in Your Request

  • Your username or email address associated with your account
  • Which right you wish to exercise (access, deletion, etc.)
  • Any additional details relevant to your request

Response Time

We will respond to your request within 30 days. If your request is complex, we may extend this by up to 60 additional days, in which case we will inform you of the delay and the reasons for it.

Verification

To protect your privacy, we may need to verify your identity before processing certain requests. This may involve confirming details only the account holder would know.

Right to Lodge a Complaint

If you believe we have not handled your personal data properly, you have the right to lodge a complaint with a supervisory authority.

As we are based in Italy, our lead supervisory authority is:

Garante per la protezione dei dati personali
(Italian Data Protection Authority)
Website: www.garanteprivacy.it

You may also contact the supervisory authority in your country of residence.

Data Protection Officer

As a small studio, we are not required to appoint a Data Protection Officer under GDPR. However, all data protection inquiries are handled directly by the studio owner with full attention to your rights.

Changes to This Information

We may update this GDPR information from time to time. We will notify you of any material changes by updating the "Last Updated" date at the top of this page.