Privacy Policy

01   Who We Are

ROCKVAST B.V. i.o. is the data controller responsible for the personal data described in this policy. We are registered in the Netherlands and our principal place of business is in the Netherlands.

Our data protection contact can be reached at the address listed at the bottom of this document. Where required by the GDPR, we may appoint a Data Protection Officer (DPO); any such appointment will be reflected in an updated version of this policy.

02   Data We Collect

We may collect the following categories of personal data, depending on how you interact with us:

• Identity data — name, job title, company name, location
• Contact data — email address, postal address, phone number
• Communication data — messages you send us via forms, email, or social media
• Professional data — portfolio, studio background, and pitch materials submitted by development studios seeking funding, production and associated publishing services
• Usage data — IP address, browser type, pages visited, referral source, and time spent on our website (collected via cookies and analytics tools)
• Marketing preferences — your consent status and communication preferences

We do not collect special category data (such as health data, ethnicity, or biometric data) and we do not knowingly collect data from persons under 16 years of age.

03   How We Use Your Data

We use personal data for the following purposes:

• Responding to enquiries and managing business relationships with studios, investors, and partners
• Evaluating funding applications and partnership proposals from game development studios
• Operating and improving our website and digital presence
• Sending newsletters, industry updates, or event invitations where you have opted in
• Complying with legal and regulatory obligations under Dutch and EU law
• Fraud prevention and information security

We will not use your data for automated decision-making or profiling that produces significant legal effects.

04   Legal Basis for Processing

We rely on the following GDPR legal bases depending on the processing activity:

• Legitimate interests (Art. 6(1)(f)) — operating our business, responding to enquiries, and website analytics
• Contractual necessity (Art. 6(1)(b)) — where processing is required to enter into or perform a contract with you or your organisation
• Consent (Art. 6(1)(a)) — for marketing communications and non-essential cookies; you may withdraw consent at any time
• Legal obligation (Art. 6(1)(c)) — where we are required to process data by applicable Dutch or EU law

05   Data Sharing & Transfers

We do not sell personal data. We may share data with trusted third parties in the following circumstances:

• Service providers — hosting, analytics, CRM, and email platforms acting as processors under data processing agreements
• Professional advisors — lawyers, accountants, and auditors under professional confidentiality obligations
• Investors or co-publishers — on a need-to-know basis and subject to confidentiality, in the course of evaluating studio partnerships
• Legal authorities — where required by law or to protect our rights

Where we transfer data outside the European Economic Area (EEA), we rely on adequacy decisions or Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection.

06   Data Retention

We retain personal data for as long as necessary to fulfil the purposes described in this policy, or as required by law:

• Enquiry and contact data — Up to 2 years from last contact
• Studio pitch and partnership data — Up to 5 years following the conclusion of an evaluation process
• Financial and contractual records — 7 years as required by Dutch fiscal legislation
• Marketing data — Until you withdraw consent or unsubscribe
• Website analytics data — Up to 13 months in aggregated or anonymised form

07   Cookies

Our website uses cookies and similar technologies. Essential cookies are placed without consent as they are strictly necessary for the website to function. We seek your consent before placing analytics or marketing cookies.

• Essential cookies — session management, security, and load balancing
• Analytics cookies — understanding how visitors use our site (e.g. Google Analytics with IP anonymisation enabled)
• Preference cookies — remembering your language and display settings

You can manage or withdraw your cookie consent at any time via the cookie banner on our website, or by adjusting your browser settings.

08   Your Rights

Under the GDPR, you have the following rights in relation to your personal data:

• Access — Request a copy of the personal data we hold about you
• Rectification — Ask us to correct inaccurate or incomplete data
• Erasure — Request deletion of your data where there is no legitimate reason to retain it
• Restriction — Ask us to limit how we process your data in certain circumstances
• Portability — Receive your data in a structured, machine-readable format
• Objection — Object to processing based on legitimate interests or for direct marketing

To exercise any of these rights, contact us at the address below. We will respond within one month. You will not be charged a fee. We may need to verify your identity before processing your request.

09   Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or disclosure. These include access controls, encryption in transit, and regular security reviews.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours and, where required, inform affected individuals without undue delay.

10   Contact & Complaints

For questions about this policy or to exercise your rights, please contact us:

If you are not satisfied with our response, you have the right to lodge a complaint with the Dutch supervisory authority: