Compliance & GDPR
Deadlock Live Events is operated in compliance with the EU General Data Protection Regulation (GDPR). This page documents our data handling practices, retention schedules, subprocessors, and the tools available to you as a data subject or data controller.
Data residency
All match event data is processed and stored within the European Union. The Centrifugo broker is self-hosted in the same EU region as the rest of the platform, so channel history never leaves the EU. Postgres databases are hosted in EU data centres. No personal data or match event data is transferred outside the EEA without an adequate safeguard (Standard Contractual Clauses or equivalent).
Retention
The canonical retention schedule lives in the Privacy Policy § 9 and the DPA Annex I. The summary below mirrors those documents.
| Data category | Retention period |
|---|---|
| Match event data (Centrifugo channels) | 168 hours after the last event on the channel |
| Account and billing records | Duration of contract, then 6 years (Irish accounting / tax records) |
| Subscription records (audit log) | 6 years from the audited event for tax and dispute purposes, then purged automatically |
| Operational telemetry | 30-day rolling window |
| Stripe billing data | Governed by Stripe's retention policy; not controlled by us |
Subprocessors
The authoritative list of subprocessors — with legal entity names, registered addresses, purposes, storage regions, and transfer mechanisms — is maintained at /legal/subprocessors.
We notify customers at least 30 calendar days before adding or replacing a subprocessor; see the Subprocessor list for details and to subscribe to notifications.
Data Subject Requests (DSR)
Two API endpoints are available for GDPR data subject requests. Both authenticate with the
X-Api-Key header — the same credential used for every other Management API call.
Export
POST /api/v1/account/export returns 202 Accepted synchronously with a single-shot,
24-hour pre-signed download URL — there is no polling step. See
API Reference → Export Account Data for the full
request/response schema.
Deletion
POST /api/v1/account/delete initiates GDPR Article 17 account deletion: the account is
soft-deleted, the email address is anonymised, and the audit log is purged after the
legally required retention window. This action is irreversible. See
API Reference → Delete Account for the full
request/response schema. Stripe billing data is subject to Stripe's own retention
obligations.
A UI for both actions is available at /dashboard/account.
Data Processing Agreement
A Data Processing Agreement (DPA) is available for download at /legal/dpa. The DPA governs the processing of any personal data that passes through the platform on your behalf and satisfies Article 28 GDPR requirements for controller–processor relationships.
If you require a countersigned DPA or have specific contractual requirements, contact us via the address on the DPA document.