Privacy Policy

Last updated: 2026-06-04

This Privacy Policy explains how Amberlands collects, uses, and protects your personal data when you use our gaming platform. We comply with the EU General Data Protection Regulation (GDPR) and Lithuanian data protection law.

1. Who is responsible for your data

The data controller for the Amberlands platform is MB VBNetwork (legal entity code 307791342). For any question about your personal data or data protection, email us at [email protected].

2. How and why we process your data

The table below summarizes why we process your personal data, what data is involved, how long we keep it, and our legal basis under the GDPR.

PurposeData we processRetentionLegal basis
Account registration and service provisionName, email address, password, your settings, display name, avatar, linked in-game login, IP address.While your account exists. After account deletion: if you made purchases, your account data is kept for 10 years (Lithuanian accounting law - see 'How long we keep your data'); otherwise it is deleted within 30 days.Performance of a contract (GDPR Art. 6(1)(b)).
Purchases, payments and accountingAmber balance and transaction ledger, purchase history, coupon redemptions, payment-provider reference (we never store card numbers), IP address and country at the time of purchase, invoice data.Order and accounting records, including the buyer's name and email: 10 years, as required by Lithuanian accounting law. This applies even after you delete your account.Performance of a contract (Art. 6(1)(b)); legal obligation to keep accounting records (Art. 6(1)(c)); legitimate interest in preventing fraud (Art. 6(1)(f)).
In-game delivery of purchasesLinked game account and character, pending-reward queue entries, and the items or balance to be delivered.While your account exists; delivery records follow the accounting retention period above.Performance of a contract (Art. 6(1)(b)).
Support and communicationTicket contents and attachments, email address, and the history of your correspondence with us.2 years after your last message, then deleted.Performance of a contract (Art. 6(1)(b)); legitimate interest in improving the service (Art. 6(1)(f)).
Securing your account and preventing fraud and abuseIP address, session and technical log data, and audit-log entries for sensitive actions.Technical logs: up to 90 days. Audit log: 3 years.Legitimate interest (Art. 6(1)(f)).
Understanding how the service is used so we can improve it (self-hosted, cookieless usage statistics)Aggregated technical usage events (pages visited, browser type, country) - collected without cookies and not linked to your identity.Stored only in aggregated form.Legitimate interest (Art. 6(1)(f)).
Sending newsletters (only if you opt in)Email address, IP address at opt-in, what you opted into, and whether you engaged with our messages.Until you unsubscribe or withdraw consent. Deleting your account does not cancel your newsletter subscription - use the unsubscribe link in any email.Consent (Art. 6(1)(a)) - only if you opt in; you can withdraw at any time.

3. Who we share your data with

We share personal data only with carefully selected processors that help us run the service: - a payment service provider, to take and confirm your payments; - an infrastructure, content-delivery and email provider located in the United States - international transfers are safeguarded by the EU-U.S. Data Privacy Framework and Standard Contractual Clauses; - a hosting provider, which stores the primary database inside the European Economic Area. We also disclose data to public authorities where the law requires it. We require every processor to handle your data only on our instructions and to protect it to GDPR standards.

4. How long we keep your data

We keep your account data while your account exists. What happens after you delete your account depends on whether you made purchases: • If you made purchases, your account is closed and your account and order data are kept for 10 years from your last transaction, as required by Lithuanian accounting law. This retention is a legal obligation and takes precedence over an erasure request (GDPR Art. 17(3)(b)). After this period the data is deleted. While the data is retained, you can restore your account at any time by resetting your password. • If you never made a purchase, your account and its data are deleted within 30 days and cannot be restored. If you subscribed to the newsletter, deleting your account does not cancel the subscription - it is based on your separate consent. Every newsletter contains an unsubscribe link and you can opt out at any time. Technical logs are kept for up to 90 days. Beyond these periods we keep data only where necessary to comply with a legal obligation or to establish, exercise or defend legal claims.

5. How we protect your data

We apply technical and organisational measures to keep your data safe: encryption in transit (HTTPS), hashed passwords, and scoped access controls. No website or internet transmission is ever completely secure, so we cannot guarantee absolute security. If a personal-data breach occurs that is likely to put your rights and freedoms at risk, we will notify you and the State Data Protection Inspectorate without undue delay, as required by the GDPR.

6. Cookies

We use only strictly necessary cookies to run the service: a session cookie and a security token (CSRF) that keep you logged in safely, plus preference cookies that remember your settings. Our infrastructure provider may set additional technical cookies for security and performance. We do not use advertising or third-party tracking cookies. If that ever changes, we will ask for your consent first.

7. Your rights

Under the GDPR you have the right to: access your personal data; have inaccurate or incomplete data corrected or completed; have your data erased when it is no longer needed or is processed unlawfully (except data we must keep by law - see 'How long we keep your data'); restrict the processing of your data; receive your data in an easily readable format; object to processing based on our legitimate interest, or withdraw your consent at any time; lodge a complaint with the supervisory authority (the State Data Protection Inspectorate). You can exercise most of these rights directly in your profile settings or by emailing [email protected]. We respond within one month; to protect your data we may ask you to verify your identity.

8. Where to lodge a complaint

If you believe we have infringed your rights in processing your personal data, please contact us first at [email protected] - we will try to resolve it. You also have the right to lodge a complaint with the supervisory authority, the State Data Protection Inspectorate (L. Sapiegos g. 17, LT-10312 Vilnius, www.vdai.lrv.lt).

9. Policy changes

We may update this Privacy Policy from time to time. Changes are published on this page with an updated date, and we notify you by email in advance of material changes. We recommend reviewing this page periodically. By continuing to use the service after the changes take effect, you accept the updated Privacy Policy.

10. How to contact us

If you have questions about this Privacy Policy or your personal data, email us at [email protected].