Privacy Policy
Last updated: November 9, 2025
This Privacy Policy explains how Infinity Technologies SA ("Infinity", "we", "us" or "our") collects and processes personal data when you use wzstats.gg, battlefieldmeta.gg, the Warzone Meta app and the BF6 Meta app (the "Services"). It applies to all users. If you do not agree, please do not use the Services.
Controller: Infinity Technologies SA, a company incorporated in Belgium (0721.487.879).
Contacts: privacy requests and questions at [email protected] and [email protected].
Supervisory authority: Belgium Data Protection Authority (APD/GBA).
No DPO has been appointed.
What data we process
We process the following categories of data, as applicable:
- Account: email address, password hash stored by Firebase Auth, optional username if present.
- Subscriptions and payments: identifiers and tokens from Stripe and PayPal, billing country, VAT information, transaction history. For in‑app purchases, Apple App Store and Google Play collect and process payment data in their own systems.
- Device and technical: IP address, user agent, device and OS information, crash logs and diagnostics via Crashlytics, limited security logs.
- Product usage: pages viewed, clicks, time on page, viewed builds and saved favorites; content-level signals such as which weapon/weapon level pages are opened, which builds are consulted, and which playstyle filters or categories are explored. These are used for analytics and editorial improvements and are processed in aggregated or de-identified form (we do not attach your name or email to these viewing events). Collected via Google Analytics on web and via app/store analytics in the apps.
- Marketing: email marketing preferences, open and click tracking via Brevo.
- UGC: public loadouts submitted on wzstats.gg only. No other UGC is collected.
- Support: no dedicated ticketing system at this time. If you email us, we process the content of your message and related metadata.
- Push notifications: we do not store FCM or APNS tokens at this time.
- Camo tracker: only the status you mark as unlocked for camos in the app or on the site.
- No profiling or automated decisions that produce legal or similar significant effects.
Why we process data - legal bases
We use your data for the purposes below. Each purpose has a legal basis under GDPR.
- Account and SSO: create and manage your account and single sign‑on across our Services - contract.
- Subscriptions, billing, fraud prevention: collect payments, manage renewals, handle dunning and fraud signals - contract and legitimate interests (anti abuse and security).
- Security and reliability: prevent abuse, rate‑limit, detect incidents, keep logs - legitimate interests.
- Essential analytics - aggregated and non-profiling: strictly necessary operational measurement that does not rely on non-essential cookies/SDKs (for example, service health metrics and security logs) - legitimate interests. We do not create individual behavioral profiles or make automated decisions based on these signals.
- Non essential analytics, marketing and personalization: only with your consent via our consent module on web and via SDK opt-in in apps. This includes Google Analytics on web and Firebase Analytics in apps. These tools do not start unless you consent, and you may withdraw consent at any time in the CMP or by emailing [email protected] or [email protected].
- Email marketing: collected on the basis of a separate opt-in that we may request at sign-up or later (for example, via in-product settings or a dedicated prompt) and revocable at any time via the unsubscribe link or by emailing [email protected] or [email protected]. Where permitted, we may also rely on the soft opt-in exception for existing customers for similar products/services, with a clear opt-out at the point of collection - consent (or soft opt-in where allowed).
- Push marketing: only if you enable notifications in app settings - consent.
- UGC publication and moderation: host and display public loadouts on wzstats.gg and enforce rules - contract and legitimate interests.
- Legal compliance: tax and accounting, responses to lawful requests - legal obligation.
Cookies and SDKs - consent management
Consent module
We use a consent management platform (CMP) to collect and store your choices for cookies and mobile SDKs. On your first visit, we display a banner with Accept, Reject and Customize options of equal prominence. Non essential cookies and SDKs are not activated until you give consent (for example, Google Analytics on web and Firebase Analytics in apps). We do not rely on implied consent from continued browsing. Your choices are recorded and can be changed at any time in the CMP. You may also email [email protected] or [email protected] and we will apply your choice.
Global Privacy Control (GPC) and Do Not Track
We honor the Global Privacy Control (GPC) signal on the web for non essential purposes. When GPC is present, non essential cookies and SDKs are treated as rejected by default unless and until you choose otherwise. We do not act on browser Do Not Track (DNT) signals.
Scope of your choices
Your choices apply per device and per context (web/app). You can change them at any time in the consent module.
Interaction with the No Ads plan
The No Ads plan removes ads and advertising measurement across the Websites and Apps for your account. It does not automatically disable other non essential analytics or marketing tools, which remain subject to your consent. We also display an in‑product reminder (for example, in the No Ads banner or Help page) that explains this difference and links to the consent module where you can manage non essential cookies and SDKs.
Cookies and SDK inventory
For each tool, include cookie/SDK names, first/third-party, exact duration, purpose, provider policy link, and whether it fires only after consent.
| Category | Provider | Purpose | Lifetime | Policy | Consent? |
|---|---|---|---|---|---|
| Essential | - | - | - | - | n/a |
| Analytics | Google Analytics | Web usage measurement | 6–13 months | Privacy Policy | Yes (web) |
| Advertising | Venatus | Ad delivery & measurement | 6–13 months | Privacy Policy | Yes |
| Marketing email | Brevo | Open & click tracking | 6–13 months | Privacy Policy | Yes |
| Apps - Analytics | Firebase Analytics | App usage analytics | 6–13 months | Privacy & Security | Yes (apps) |
| Apps - Crash | Crashlytics | Crash diagnostics | 6–13 months | Privacy & Security | No (essential) |
Default retention ranges: Essential session to 12 months max. Analytics 6 to 13 months. Marketing 6 to 13 months.
Processors and sharing
We use trusted processors to operate the Services. We do not sell personal data and we do not share with game publishers or data brokers.
- Firebase - authentication, hosting, database.
- Stripe and PayPal - payments processing.
- Brevo - marketing emails.
- Google Analytics - web analytics.
- Venatus - advertising partner where ads are active.
- Crashlytics - crash reporting and diagnostics.
We have data processing agreements in place with all processors. When processors are outside the EEA, we rely on Standard Contractual Clauses and implement appropriate technical and organizational measures.
International transfers
Locations: EU and outside the EU (e.g., United States) via processors such as Firebase, Stripe, PayPal and Google Analytics.
Safeguards: where a provider is certified under the EU–US Data Privacy Framework (DPF) we rely on that certification; otherwise we use Standard Contractual Clauses (SCCs), together with encryption in transit and at rest where available, access controls, minimization and periodic reviews.
Provider specifics: for example, some Google services (Google Analytics / Firebase) may rely on DPF if certified; otherwise SCCs + TIA apply. Payment providers (Stripe, PayPal) may also participate in DPF; consult their privacy pages. We will link the relevant certification pages where applicable.
Assessments: Transfer impact assessments where appropriate.
Retention
We keep data only as long as necessary for each purpose.
- Inactive accounts: 24 months.
- Billing and accounting: 10 years.
- Security logs: 6 to 12 months.
- Marketing relationships: up to 3 years after last interaction or until you unsubscribe.
- Cookies and SDK data: 6 to 13 months depending on category.
- Deletion on request: we delete within 90 days including backups, subject to legal retention.
Your rights
Under GDPR you can request: access, rectification, erasure, restriction, portability, and objection in the cases provided by law.
How to exercise: write to [email protected] or [email protected] from the email tied to your account.
Identity verification: we may ask you to sign in to your account to confirm identity. If you contact us from another email, we may request reasonable proof.
Response time: we answer within one month, extendable where lawful.
Portability: we can provide a JSON or CSV export limited to your personal data provided or observed. We do not expose internal schemas.
Right to object: you can object to processing based on legitimate interests where the law provides that right. We currently do not offer a separate toggle for essential analytics beyond the CMP settings.
Withdraw consent: you can withdraw your consent at any time by using in-product controls (CMP or unsubscribe links) or by emailing [email protected] or [email protected].
Object to legitimate interests processing: you can object by emailing [email protected] or [email protected]. We will assess your request and stop processing unless we demonstrate compelling legitimate grounds or where processing is needed for legal claims.
Right to complain: you can lodge a complaint with the APD/GBA in Belgium or with your local authority.
Children
The Services are not directed to children under 13. You must be 18+ to purchase a subscription, and minors may use the Services only under adult supervision. We do not knowingly collect data from children. If we learn that a child's data was collected, we will delete it and may disable the account. Report any concern at [email protected].
Security
Access controls for staff and systems. Encryption in transit and at rest where available. Logging and monitoring of systems and access. Staff multi factor authentication for internal tools. Periodic testing on a best effort basis. Incident response: internal process in place; authority notified within 72 hours where required; affected users informed when the risk is high.
App stores and third parties
If you purchase a subscription through Apple App Store or Google Play, their terms and refund policies apply in addition to this Policy. We do not share personal data with app stores beyond what they collect directly through their SDKs and purchase flows.
UGC and IP complaints
Public loadouts on wzstats.gg are published under our Terms. We may remove content that is unlawful or violates our rules at our discretion. For IP complaints, contact [email protected] with: your contact details, identification of the work, the URL on our Services, and a good‑faith statement of rights. We may forward your notice to the uploader and, where appropriate, restore content if the claim is resolved.
Changes to this Policy
Minor updates that do not materially affect your rights take effect on publication.
Material changes take effect no earlier than 15 days after we notify you by email and in‑app. If you do not agree, you can cancel your subscription before the effective date.
We display the Last updated date and keep prior versions internally.
Contact Us
If you have any questions about our policy, or your personal information, you can contact us by email at [email protected] or [email protected] or by post at the following address:
Infinity Technologies SAAvenue des Métallurgistes, 8A
1490 Court-Saint-Etienne (Belgium)