Privacy Policy
Last updated: 15 May 2026
1. Who we are
This Privacy Policy is issued by Sun Strike Gaming Ltd, a company incorporated in Cyprus (registered office: Kallipoleos 3, office 102, 1055 Nicosia, Cyprus), trading under the brand "Sunstrike Studios" (in this Policy: "we", "us", "our"). For the purposes of Regulation (EU) 2016/679 (the "GDPR"), Sun Strike Gaming Ltd is the controller of personal data processed via this website.
If you have any questions about this Policy or your personal data, contact us at support@sunstrikestudios.com. We have not appointed a designated Data Protection Officer because our processing does not meet the criteria of Article 37(1) GDPR; the contact above is the single point of contact for all data protection matters.
2. Scope of this Policy
This Policy describes how we collect, use, disclose and protect personal data when you visit sunstrikestudios.com or contact us by email, contact form, scheduled call (Calendly) or other channels referenced on the site. It does not cover third-party websites linked from our site - those operate under their own privacy policies.
3. Personal data we collect
We collect only the data we actually need to operate the website and respond to business enquiries.
3.1. Data you provide directly
- Contact form submissions: name, business email, message content and the page where the form was submitted.
- Calendar bookings (Calendly): name, email and timezone you provide when scheduling an introductory call.
- Email correspondence: any data you choose to share when emailing us at support@sunstrikestudios.com or any other Sunstrike Studios email address.
3.2. Data collected automatically
- Server logs: IP address, user-agent string, requested URL, timestamp and referrer. Used for security and abuse prevention.
- Cookies and analytics: see Section 9 below.
- Marketing attribution metadata (only when you accept cookies): the referrer URL and domain of the page that brought you to our site, UTM parameters from the URL (utm_source, utm_medium, utm_campaign, utm_content, utm_term), the first page you opened in the current session and its timestamp, a chronological list of pages visited within the session, your total visit count and first-visit date (across sessions), time spent on the site within the current session, device type (mobile/desktop/tablet inferred from the user-agent string), country (2-letter code derived server-side from your IP address by our hosting provider - we do not store the IP itself in the CRM), and your Google Analytics 4 client identifier. This data is bundled with contact-form submissions and stored in our CRM (see Section 5) so we can understand which marketing channels and pages lead to business enquiries. If you decline analytics cookies, none of this metadata is collected or transmitted.
We do not knowingly collect any special category data within the meaning of Article 9 GDPR, and we do not knowingly collect personal data from children under the age of 16.
Provision of personal data is voluntary and is not a statutory requirement. However, providing your name, email and a brief description of the project is necessary for us to respond to enquiries, prepare a quote or enter into a contract. If you choose not to provide this information, we will not be able to engage with you commercially.
4. Why we use your data and the legal bases
The table below lists each processing purpose and the legal basis we rely on under Article 6(1) GDPR.
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Responding to your enquiry submitted through the contact form, by email or via scheduled call | Pre-contractual measures at your request (Art. 6(1)(b)); legitimate interests in prompt business communication (Art. 6(1)(f)) |
| Preparing and sending project quotes, proposals or contracts | Pre-contractual measures and performance of contract (Art. 6(1)(b)) |
| Ensuring website security, preventing abuse, debugging | Legitimate interests (Art. 6(1)(f)) |
| Audience measurement and analytics | Consent (Art. 6(1)(a)) - applied only after you accept analytics cookies |
| Marketing channel attribution and conversion measurement (linking enquiries to the channel/page that brought you to the site) | Consent (Art. 6(1)(a)) - applied only after you accept analytics cookies |
| Marketing and remarketing | Consent (Art. 6(1)(a)) - applied only after you accept marketing cookies |
| Compliance with legal obligations (tax, accounting, KYC, requests from competent authorities) | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interests under Article 6(1)(f) GDPR, the interests pursued are: (i) responding promptly to business enquiries, (ii) maintaining a secure and functional website, (iii) preventing fraud, abuse and unauthorised access, and (iv) defending or exercising legal claims. We have carried out a balancing test in each case and consider that these interests are not overridden by your rights and freedoms. You have the right to object at any time, on grounds relating to your particular situation, under Article 21 GDPR.
Where processing is based on consent, you may withdraw your consent at any time through the cookie banner control on the site, by adjusting your browser settings, or by emailing us. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
5. Recipients of your data
We share personal data only with the categories of recipients listed below, each acting as our processor or co-controller and bound by appropriate contractual safeguards:
- Hosting and deployment provider (Vercel Inc., USA)
- Customer relationship management system (Bitrix24, operated by Bitrix Inc. / 1C-Bitrix) - stores contact-form submissions, related correspondence and marketing-attribution metadata
- Email, calendar and document services (Google Workspace, Calendly LLC)
- Web analytics, only when you have consented (Google Analytics 4)
- Search Console and webmaster tools (Google Ireland Ltd)
- Professional advisors (legal, accounting, audit) under confidentiality
- Public authorities or courts where we are legally required to disclose
We do not sell your personal data and we do not share it for any purpose not listed in this Policy.
6. International transfers
Some of our processors are located outside the European Economic Area (in particular the United States). Where personal data is transferred outside the EEA we rely on transfer mechanisms permitted by Chapter V GDPR, including:
- EU Standard Contractual Clauses 2021/914 ("SCCs");
- EU-U.S. Data Privacy Framework certifications, where applicable;
- European Commission adequacy decisions, where one applies.
You may request a copy of the relevant safeguards by emailing us at support@sunstrikestudios.com.
7. Retention
We keep your personal data only as long as necessary for the purpose for which it was collected. Indicative retention periods:
| Data | Retention |
|---|---|
| Contact form submissions and email correspondence (no resulting project) | Up to 24 months from last contact |
| Customer data (active client engagement) | Duration of contract + 7 years (statutory accounting period under Cyprus law) |
| Marketing attribution metadata stored alongside CRM records (referrer, UTM, journey, device, GA4 client_id) | Same as the underlying CRM record |
| Visit-tracking data stored locally in your browser (sessionStorage / localStorage entries under the "ss_" prefix) | Until you withdraw cookie consent, clear browser data, or until the session ends (for sessionStorage entries) |
| Server logs | Up to 90 days |
| Analytics data (aggregated / anonymised) | Up to 14 months (Google Analytics 4 default) |
After expiry of these periods, we either delete or irreversibly anonymise the data, unless a legal obligation requires longer retention or the data is needed to establish, exercise or defend a legal claim.
8. Your rights under the GDPR
You have the following rights, free of charge, in respect of your personal data:
- Right of access (Art. 15) - obtain a copy of the data we hold about you.
- Right to rectification (Art. 16) - have inaccurate or incomplete data corrected.
- Right to erasure (Art. 17) - request deletion in the cases listed in Article 17.
- Right to restriction of processing (Art. 18).
- Right to data portability (Art. 20) - receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21), including against direct marketing.
- Right not to be subject to automated decision-making with legal or similarly significant effects (Art. 22) - we do not currently perform such processing.
- Right to withdraw consent at any time where processing is based on consent.
To exercise any of these rights, please email support@sunstrikestudios.com. We will respond within one month of receipt, extendable by up to two further months for complex requests, in accordance with Article 12(3) GDPR. We may need to verify your identity before disclosing personal data.
You also have the right to lodge a complaint with the supervisory authority in your EU/EEA country of residence or place of work. The competent authority for our establishment is the Office of the Commissioner for Personal Data Protection of the Republic of Cyprus - https://www.dataprotection.gov.cy/.
9. Cookies and similar technologies
We use cookies and similar browser-storage technologies to make the site work, measure traffic and - with your consent - measure marketing-channel effectiveness. On your first visit a cookie banner lets you accept or decline. You can change or withdraw consent at any time by clearing the "cookie_consent" entry from your browser storage and reloading the site.
We follow Google Consent Mode v2: the Google Analytics 4 tag (property G-GC1YXYLC7R) is loaded at all times but starts with all consent categories set to "denied". Only after you accept cookies do we update the consent state to "granted" - until then, Google receives only basic cookieless pings without any user-level identifiers.
| Category | Purpose | Legal basis |
|---|---|---|
| Strictly necessary | Core site functionality, cookie consent state (localStorage key "cookie_consent"), basic security | No consent required under Article 5(3) ePrivacy Directive (necessary for the service requested) |
| Analytics | Anonymous traffic measurement via Google Analytics 4 (cookies _ga and _ga_*); marketing-attribution storage in your browser under the "ss_" prefix (visit count, first-touch UTM, current-session journey - see Section 3.2) | Consent (Art. 6(1)(a) GDPR) |
| Marketing | Remarketing pixels, ad measurement | Consent (Art. 6(1)(a) GDPR) |
10. Security and breach notification
We apply technical and organisational measures appropriate to the risk in line with Article 32 GDPR. These include TLS encryption in transit, access controls and least-privilege provisioning, regular updates of dependencies, and contractual confidentiality obligations on staff and processors. No system is 100% secure - if you become aware of a security incident affecting your data, please contact us at support@sunstrikestudios.com without delay.
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Office of the Commissioner for Personal Data Protection of the Republic of Cyprus without undue delay and, where feasible, no later than 72 hours after becoming aware of it (Article 33 GDPR). Where the breach is likely to result in a high risk, we will also notify affected individuals without undue delay (Article 34 GDPR).
11. Changes to this Policy
We may update this Policy to reflect changes in our practices, the services we offer or the law. The "Last updated" date at the top will always reflect the most recent change. For material changes we will, where appropriate, display a prominent notice on the site or notify you by email.
12. Contact
Sun Strike Gaming Ltd
Kallipoleos 3, office 102, 1055 Nicosia, Cyprus
Email: support@sunstrikestudios.com