Privacy Policy

Last updated: 1 May 2026

Who we are
Data we collect
Why we use it
Legal bases
Sharing
Cookies & tracking
Storage & security
Retention
Your rights
International transfers
Children
Changes
Contact

1. Who we are

Blastforce Interactive (“Blastforce”, “we”) is the controller of the personal data described in this policy. We can be reached through the in-platform Support form.

2. Data we collect

You give us

Account data — nickname, email, password hash, country, optional avatar, profile description.
Identity data (KYC) — first name, last name, date of birth, country, phone number, optional city/address line. Provided once before your first deposit.
Steam data — Steam ID and trade URL that you choose to link to your account.
Payment metadata — the cryptocurrency, network, requested amount, destination wallet, invoice IDs and transaction hashes returned by Plisio. We do not store private keys, card numbers or banking credentials.
User-generated content — community posts, comments, bug reports, friend requests, P2P transfer notes.

Collected automatically

Session data — IP address, approximate location derived from IP, browser/OS user agent, timestamps of logins and devices used to log in.
Anti-cheat telemetry — while you are in a Wager or Premier match: heartbeat pings, integrity hashes, anomaly flags, process and module names relevant to fair-play detection. Anti-cheat does not run outside a match session.
Match & trading activity — matches you joined, scores, B-Coin transactions, listings created, trades sent, escrow events, notifications.
Diagnostics — error logs and crash data, capped to what is needed to debug.

From third parties

Steam Web API — public Steam profile data, inventory snapshots, trade-offer status when you use the Marketplace or sign in with Steam.
Plisio — payment status, paid amount, transaction hash, signature; necessary to credit deposits and execute withdrawals.
Faceit (optional) — if you choose to link your Faceit profile, we fetch public stats you authorise.

3. Why we use your data

Provide and maintain the Services (account, balance, matchmaking, marketplace, P2P transfers, support).
Verify your identity, age and sanctions status before processing deposits and high-value activities.
Process deposits and withdrawals via Plisio.
Detect and prevent cheating, fraud, account takeover, money laundering and terrorist financing.
Enforce these Terms, marketplace rules and match rules.
Communicate with you (transactional notifications, security alerts, support replies).
Comply with legal obligations and respond to lawful requests from authorities.

4. Legal bases (GDPR / UK GDPR)

Contract — processing needed to deliver the Services you signed up for (account, matches, payouts).
Legal obligation — KYC/AML, sanctions screening, tax and regulatory reporting where applicable.
Legitimate interests — anti-cheat, anti-fraud, security, debugging, analytics, protecting the rights of other players and our business. These interests are balanced against your privacy rights.
Consent — for optional integrations (e.g. Faceit) and any non-essential analytics or marketing communications. You can withdraw consent at any time.

5. Who we share data with

Google Firebase — authentication, Firestore database and Cloud Functions hosting, used to deliver the Services.
Plisio — cryptocurrency invoicing and payouts. Plisio receives the deposit/withdrawal amount, currency, destination address and an order reference.
Valve / Steam — Steam Web API requests for inventory and trade-offer state when you act on the Marketplace.
Cloud infrastructure — CDN and hosting providers used to serve our static assets and APIs.
Authorities — we may disclose data when required by law, valid legal process, or to protect our users, our rights or the public.
Successors — in the event of a merger, acquisition or asset sale, data may be transferred to the acquirer subject to this policy.

We do not sell your personal data.

6. Cookies & similar technologies

We use a small number of strictly-necessary cookies and equivalent storage (localStorage, sessionStorage, IndexedDB) to keep you signed in, remember your preferences and protect against CSRF. We do not run advertising trackers. If we add analytics cookies, we will request your consent first via a banner.

7. Where data is stored & security

Data is stored on Google Firebase / Google Cloud infrastructure and may be processed in the regions Google operates.
Passwords are stored only as hashes; payment credentials are never received by us.
Access to production data is limited to authorised staff and protected by role-based access control.
We use HMAC-signed webhooks (e.g. for Plisio) and validated cloud function calls to prevent forged requests.
Despite reasonable measures, no system is perfectly secure. You are responsible for keeping your credentials safe and for revoking sessions you do not recognise.

8. How long we keep data

Account data — for as long as your account exists, plus up to 12 months after closure for fraud, AML and dispute purposes.
KYC records — up to 5 years after the last transaction, where required by AML rules.
Transaction logs — up to 7 years for accounting and tax compliance where applicable.
Anti-cheat telemetry & match logs — up to 24 months unless tied to an open ban appeal or investigation.
Notifications & ephemeral logs — rotated automatically (typically 30–90 days).

9. Your rights

Depending on where you live (EEA, UK, California, Brazil and other jurisdictions with similar laws) you may have the right to:

Access the personal data we hold about you.
Correct inaccurate or incomplete data.
Delete your data, subject to retention obligations.
Object to or restrict certain processing, including profiling for anti-fraud and anti-cheat purposes.
Export your data in a portable format.
Withdraw consent for optional processing.
Lodge a complaint with your local data protection authority.

Send requests through the Support form. We may need to verify your identity before responding and we aim to reply within 30 days.

10. International transfers

Your data may be processed outside your country of residence. Where required, we rely on standard contractual clauses or equivalent transfer mechanisms to protect it.

11. Children

The Services are not directed to anyone under 18. We do not knowingly collect data from children. If you believe a child has provided us data, contact Support and we will delete it.

12. Changes to this policy

If we make material changes we will update the “Last updated” date and notify you in-product or by email. Continued use of the Services after the change means you accept the updated policy.

13. Contact

For privacy questions or to exercise your rights, please use the in-platform Support form.