Owlsignal is operated by Zisomedia (sole proprietorship registered in the Netherlands), trading as Owlsignal. We provide gameplay analytics tooling to game developers ("customers"). This notice covers how we handle data on owlsignal.dev and through the Owlsignal SDKs.
For the players whose anonymous gameplay events flow through Owlsignal, our customers (game studios) are the data controllers — they own the relationship with their players and decide what to measure. Owlsignal (Zisomedia) acts as a data processor on their behalf, governed by the Data Processing Agreement at /dpa.
For our customers themselves (the people who sign in to a dashboard and pay invoices), Owlsignal is the controller. That data is the subject of sections 2–5 below.
biome).location.pathname, without query strings or hashes), the
active scene name in Unity, or the equivalent on iOS/Android. The SDKs auto-attach
this so the dashboard can answer "where in the app did this happen?" without
per-call instrumentation. Customers can configure a sanitizer to collapse dynamic
segments (/users/12345 → /users/[id]) or disable
auto-capture entirely; both knobs sit in the SDK Initialize call.We deliberately do not collect: real names, email addresses, phone numbers, IP addresses (stripped at intake before persistence), precise location, social identifiers, or any value our customers tell us is sensitive. If a customer attempts to send PII as event data — or via the screen path — we treat that as their breach of the DPA, not a feature. As a server-side defence we strip query strings and fragments from the screen value before persistence even when an SDK forgets to.
eu-central-1 (Frankfurt,
Germany). Data at rest stays in the EU.fra1 (Frankfurt). The Vercel control plane (build logs, observability) runs in the United
States; this means request metadata and build artefacts may transit US infrastructure.
Vercel signs the EU Standard Contractual Clauses; we accept those terms via Vercel's
DPA.| Data | Retention |
|---|---|
| Raw player events | 90 days, then automatically deleted by a daily purge job. |
| Aggregate counts (DAU, funnels, retention) | Indefinite — anonymous, not tied to any individual player. |
| Customer account data | Until you delete your account, then within 30 days. |
| Invoices & tax records | 7 years (Dutch tax law requirement). |
We use the following processors. Material changes are announced 30 days in advance.
| Processor | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Postgres database, authentication, file storage | EU (Frankfurt) |
| Vercel, Inc. | Application hosting, function execution | EU (Frankfurt) — control plane in US |
| Mollie B.V. | Payment processing, subscription billing | EU (Amsterdam) |
| Sendinblue SAS (Brevo) | Transactional email | EU (Paris / AWS Frankfurt) |
| Anthropic, PBC | AI-assisted funnel suggestions (only when the customer clicks "AI suggest") | US/EU (under SCCs); customer prompts only, no event data |
Under the GDPR you can request access, correction, deletion, portability, or restriction of your personal data, and object to processing. Email privacy@owlsignal.dev from the address on your account; we respond within 30 days.
For end-users in our customers' games: contact the studio directly. They control your data; we process it on their instructions and will assist them with any verified request. The Owlsignal SDK exposes a telemetry opt-out flag — when a player toggles it, the SDK stops sending events to us. We can't detect opt-out server-side because the data is anonymous; that contract is enforced client-side in the game.
TLS 1.2+ in transit. Passwords hashed by Supabase Auth (bcrypt with per-row salt). API keys are stored as peppered SHA-256 digests, never in plaintext. Tenant isolation is enforced both at the application layer (every query is tenant-scoped) and at the database layer (Postgres Row-Level Security policies). We will notify affected customers of a confirmed personal-data breach within 72 hours.
Privacy questions: privacy@owlsignal.dev. If you believe we've mishandled your data and are not satisfied with our response, you can lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.