Privacy Policy

1 · Who we are

Last Control is an online game service operated by SOSW, based in Beit Dagan, Israel ("we", "us", "our"). The service is published at last-control.com and the player client at game.last-control.com. You can reach us by email at info@last-control.com.

We process personal data in accordance with the Israeli Privacy Protection Law, 5741-1981, the regulations issued under it, and the directives of the Israeli Privacy Protection Authority. For users in the United Kingdom and the European Economic Area, we additionally act as the data controller under the UK GDPR and EU GDPR for personal data described in this policy.

2 · What this policy covers

This policy applies to:

• Visitors of last-control.com and lost-control.com (our marketing sites).
• People who pre-register their email on the marketing sites.
• Players who create an account and use the player client at game.last-control.com.

It does not cover third-party services we link to (for example Discord channels reachable through our embedded widget). Those services have their own policies, which we encourage you to read.

3 · What we collect

We collect only what we need to run the service.

From pre-registration on the marketing site:

• Your email address.
• Optional referral or campaign tags from the URL (e.g. utm_source, ref).
• Approximate technical metadata (timestamp, request origin) generated by our infrastructure.

When you create or use a player account:

• Email address (required for login and account recovery).
• Display name (chosen by you; may be public to other players).
• Authentication identifiers issued by Amazon Cognito and, if you choose Google sign-in, the Google account identifier described in section 4.
• In-game state — your base, units, assignments, resources, messages, and audit history. This data is necessary to run the game world and is shown to you, not to third parties, except where the game itself surfaces public-facing information (e.g. a market listing or a leaderboard).
• Communications between you and us (for example when you email us for support).

Automatically collected by visiting the site or playing the game:

• Device, browser, IP-derived approximate location, and request logs, generated by our hosting provider (Amazon Web Services) and our CDN (Amazon CloudFront).
• Analytics events from Google Analytics (see section 8).

We do not knowingly collect special-category data (such as health, race, or political opinion). Please do not provide such data to us — including in account display names or in-game text.

4 · Google sign-in and Google data

We offer "Sign in with Google" as one way to access the player client. If you use it, Google passes us a limited set of profile information so we can create or recognise your account:

• Your Google account email address.
• A persistent Google account identifier (subject claim).
• Your basic profile (name and, if you have one, profile picture URL).

We use this information only to authenticate you, to create your player account, and to let you sign in again later. We do not sell it, and we do not use it to build advertising profiles. We do not access your Gmail, Google Drive, contacts, calendar, or any other Google product on your behalf.

You can revoke our access at any time from your Google Account permissions page. Revoking access there will prevent further sign-ins; if you also want us to delete the player account that was created, contact us using section 15.

Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

5 · How we use your data

We use your data to:

• Provide the service — run the game world, your account, and your in-game state.
• Authenticate you and protect your account.
• Contact pre-registered users when access opens, and respond to support requests.
• Detect and prevent abuse, fraud, and rule-breaking.
• Measure how the marketing sites and the player client are used, in aggregate, so we can improve them.
• Comply with legal obligations.

We do not sell your personal data, and we do not share it with advertising networks.

6 · Lawful basis for processing

Under the Israeli Privacy Protection Law, 5741-1981, we process your personal data on the basis of your informed consent (given when you submit your email or create an account), to perform the contract between us, to comply with our legal obligations, and to protect our and our users' legitimate interests in keeping the service secure.

If UK or EEA data-protection law also applies to you, our legal bases under the UK GDPR / EU GDPR are:

• Contract — to provide the service you signed up for (account, gameplay, support).
• Legitimate interests — to keep the service secure, prevent abuse, and understand aggregate usage.
• Consent — for the pre-registration mailing list, and for analytics in jurisdictions where consent is required.
• Legal obligation — when we are required by law to keep or disclose specific records.

You can withdraw consent at any time using section 10.

7 · Who we share data with

We do not sell your data. We share it only with the service providers we need to run the service, and only for that purpose:

• Amazon Web Services (AWS) — hosting, databases, authentication (Amazon Cognito), email delivery, and storage. Data is processed in AWS regions us-west-2 (primary) and us-east-1 (edge).
• Google LLC — Google Analytics for aggregate site usage; Google Sign-In (OAuth) when you choose that login option; Google Fonts when your browser fetches our typography.
• Discord, Inc. — only if you click the embedded community widget on our marketing site or join our Discord server through it. We do not pass any of your data to Discord ourselves; the widget is loaded by your browser when you view it.
• Professional advisers — accountants, lawyers, and similar advisers, where strictly necessary.
• Authorities — where we are required by law, court order, or to protect the safety and rights of users or the public.

If we ever sell or transfer the service to another company, we will only transfer your data on terms consistent with this policy, and we will tell you in advance.

8 · Cookies and analytics

Our marketing sites use Google Analytics (gtag.js) to count visits and understand how the sites are used. Google Analytics may set cookies on your device for this purpose. You can opt out at the source by installing the Google Analytics Opt-out Browser Add-on, or by blocking analytics in your browser.

The player client uses session cookies and local storage that are strictly necessary to keep you signed in and to remember basic UI preferences. These are not used for tracking across sites.

We do not use third-party advertising cookies, and we do not run retargeting campaigns.

9 · How long we keep data

• Pre-registration emails — until the launch cohort the address belongs to has been seated, plus a reasonable period to send you the access invitation. After that, we delete the address unless you have created a player account from it.
• Player accounts and in-game state — for as long as the account is active. If you ask us to delete your account (section 10), we delete or irreversibly anonymise your personal data within thirty (30) days, except where we are required by law to keep specific records longer.
• Server logs — typically up to 90 days, longer if needed to investigate a security incident.
• Support correspondence — for as long as needed to handle the issue and to resolve any later follow-up.

10 · Your rights

Under the Israeli Privacy Protection Law, 5741-1981, you have the right to inspect personal data held about you and to request that inaccurate, incomplete, or out-of-date data be corrected or deleted, in line with sections 13 and 14 of that Law. Depending on where you live, you may have some or all of the following additional rights:

• The right to access a copy of the data we hold about you.
• The right to correct inaccurate data.
• The right to ask us to delete your data ("right to erasure").
• The right to restrict or object to certain processing.
• The right to receive your data in a portable format.
• The right to withdraw consent (where we rely on consent).
• The right to lodge a complaint with your local data-protection authority. In Israel this is the Israeli Privacy Protection Authority; in the UK, the Information Commissioner's Office.

To exercise any of these rights, email us at info@last-control.com. We respond within thirty (30) days.

11 · Security

We protect your data with industry-standard measures: encryption in transit (TLS), encryption at rest for our databases, scoped access controls, and audit logging. No system is perfectly secure, but we treat your data with the same care we would want from a service we use ourselves. If we ever suffer a breach that affects your personal data, we will tell you and the relevant regulator without undue delay.

12 · Children

The service is intended for adults. We do not knowingly collect personal data from anyone under sixteen (16). If you believe a child has given us data, contact us and we will delete it.

13 · International transfers

We are based in Israel, and our infrastructure is operated by Amazon Web Services in the United States. If you are based outside the United States, your data will be transferred there for processing. Transfers from Israel to other jurisdictions are made in accordance with the Israeli Privacy Protection (Transfer of Data Abroad) Regulations, 5761-2001. For users in the United Kingdom and the European Economic Area, we rely on the European Commission's adequacy decision in respect of Israel and on Standard Contractual Clauses and the safeguards offered by AWS and Google for onward transfers, in line with applicable law.

14 · Changes to this policy

We update this policy when our practices change or when the law requires it. The "Effective" date at the top reflects the most recent change. For material changes, we will notify pre-registered users and active players by email before the change takes effect.

15 · How to reach us

Privacy questions, data requests, complaints, or anything else you would like to raise about this policy:

Email: info@last-control.com
Subject line that helps us route faster: [privacy].
Operator location: Beit Dagan, Israel.