Privacy Policy
brawl.games · Edition of May 8, 2026
This Policy describes which personal data BAILYK LLC collects from users of the brawl.games website, on what legal grounds and for what purposes it processes them, how long it stores them, to whom it transfers them and how users can exercise their rights. The document applies to all visitors of the website and its subdomains and, with respect to GDPR, to subjects located in the European Economic Area.
1. General Provisions
This Privacy Policy (hereinafter, the "Policy") was developed and is applied by BAILYK Limited Liability Company, registration number 214737-3301-LLC, address: Kyrgyz Republic, Bishkek, Sverdlovsky district, Ibraimova str. 278 (hereinafter, the "Operator"), as a personal data operator in accordance with the Law of the Kyrgyz Republic of April 14, 2008 No. 52-г "On Personal Data" (hereinafter, "Law 52-г").
The Policy applies to all information that the Operator may receive about visitors and users of the website https://brawl.games/ and its subdomains (hereinafter, the "Website"), including data transmitted when placing and fulfilling Orders under the Public Offer at https://brawl.games/offer.
If a personal data subject is located in the European Economic Area (hereinafter, the "EEA"), Regulation (EU) 2016/679 (the General Data Protection Regulation, GDPR) additionally applies to the processing of their personal data, to the extent and in the manner specified in Section 14 of this Policy.
The Operator ensures observance of the rights and freedoms of personal data subjects during processing, including the right to inviolability of private life, personal and family secrecy, and does not use personal data for purposes not provided by this Policy and the subject's consent.
Use of the Website means the visitor's and user's consent to the terms of this Policy and the applicable methods of personal data processing. If the visitor does not agree to the terms of the Policy, they must stop using the Website.
2. Definitions
- Operator. BAILYK LLC, independently determining the purposes and means of processing personal data of Website Users.
- User. Any individual using the Website, including a visitor without authorization and a User Account owner.
- Personal Data. Any information related, directly or indirectly, to a determined or determinable User.
- Personal Data Processing. Any action or set of actions performed with or without automated means with personal data, including collection, recording, systematization, accumulation, storage, refinement, retrieval, use, transfer, depersonalization, blocking, deletion, destruction.
- Consent. A free, specific, informed and unambiguous expression of will of a personal data subject to the processing of their personal data, expressed in a form allowing the fact of its receipt to be confirmed.
- Cross-border Transfer. Transfer of personal data to the territory of a foreign state to a foreign state authority, foreign individual or legal entity.
- DSAR. A request of a personal data subject to exercise their rights, including the right of access, copy, rectification, erasure, restriction of processing, withdrawal of consent, portability, objection.
- Law 52-г. The Law of the Kyrgyz Republic of April 14, 2008 No. 52-г "On Personal Data".
- GDPR. Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
- Authorized Body. A state body of the Kyrgyz Republic empowered to protect the rights of personal data subjects in accordance with Law 52-г; for subjects from the EEA, the relevant national data protection authority.
Other terms not defined in this Section are used in the meanings established by Law 52-г, GDPR (for the relevant subjects) and the Public Offer.
3. Categories of personal data subjects
The Operator processes personal data of the following categories of subjects:
3.1. Website visitor
Any individual using the Website without authorization in the User Account. With respect to the visitor, primarily technical and cookie data are processed.
3.2. Principal (registered user)
An individual who has been identified in the User Account and has placed or intends to place an Order under the Public Offer.
3.3. Payment recipient
An individual whose game account is being topped up, if such person is different from the Principal and their data have become known to the Operator when placing the Order.
3.4. Other persons
Persons sending the Operator inquiries, claims, DSAR requests, reviews and other messages, to the extent necessary to consider such inquiry.
4. Categories of processed personal data
4.1. Identification data
Email address, name or nickname of the User, User Account identifier.
4.2. Payment data
Masked payment instrument data (last 4 digits of the card number, BIN code, card type), transaction identifier, payment gateway token, amount, currency, operation status. The full payment card number, CVV/CVC and full account details are not collected or stored by the Operator; such data is processed directly by the payment gateway or acquiring bank in accordance with their own policies and PCI DSS standards.
4.3. Game data
Identifier of the User's game account, login or nickname in the Game, server, region, other account parameters required to fulfil the Order in the specific Game. At the User's option, temporary access data to the game account, transferred solely to fulfil the Order and deleted in the manner of Section 5.
4.4. Technical data
IP address, device identifier, browser type and version (User-Agent), screen parameters, operating system, browser fingerprint, cookie identifiers, session and Website request logs, navigation pages, referer.
4.5. Content data
Content of the User's correspondence with the Operator's support service, the User's reviews on the Website, video recordings of the digital goods activation process (provided by the User to substantiate a refund claim), screenshots and other materials voluntarily sent by the User.
4.6. Marketing data
The User's consent to receive marketing mailings, the fact of opening emails, the fact of clicks on links in emails, the unsubscribe flag.
4.7. KYC documents
In case of a KYC check under the Public Offer, a copy of an identity document, a selfie with the document, documents confirming the source of funds and the User's ownership of the payment instrument. KYC data is processed separately and with enhanced protection measures.
The Operator does not request or process special categories of personal data (racial or ethnic origin, political views, religious or philosophical beliefs, health data, biometric data within the meaning of Law 52-г), except where a biometric image may be captured in a selfie as part of a KYC procedure, in which case such image is processed solely for identification and is not used for any other purposes.
5. Purposes, legal grounds and storage periods
The list of data categories, processing purposes, legal grounds and storage periods is set out below.
Identification (email, nickname, User Account ID)
- Purpose: creation and maintenance of the User Account, identification of the Principal, sending service notifications.
- Legal ground: conclusion and performance of a contract (Law 52-г, GDPR Art. 6(1)(b)).
- Storage period: 3 years from the last login to the User Account; for accounts to which measures under Section 9 of the Public Offer have been applied, 5 years.
Payment (transaction token, masked PAN, BIN, amount, currency)
- Purpose: accounting of settlements, accounting and tax reporting, consideration of disputes with banks and payment systems.
- Legal ground: compliance with the requirements of the law of the Kyrgyz Republic on accounting and tax records.
- Storage period: 5 years from the date of the operation.
Game (account ID, login, server, region)
- Purpose: fulfilment of the Order, transfer of funds to the Rights Holder, resolution of disputes about the fact of fulfilment.
- Legal ground: performance of a contract (Law 52-г, GDPR Art. 6(1)(b)).
- Storage period: Order fulfilment period plus 1 year.
Technical (IP, User-Agent, fingerprint, session logs)
- Purpose: ensuring Website security, antifraud, protection against fraud and abuse, recording of disputed operations.
- Legal ground: legitimate interest of the Operator (protection against fraud and ensuring security).
- Storage period: 6 months; in case of fraud indicators, until completion of the relevant investigation but no more than 3 years.
Cookies and web analytics data
- Purpose: behaviour analytics, measurement of the Website and marketing effectiveness, interface personalization.
- Legal ground: the User's consent (for analytical and marketing cookies); legitimate interest (for strictly necessary cookies).
- Storage period: up to 13 months from the moment a cookie is set or until withdrawal of consent, whichever occurs earlier.
Content (correspondence, reviews, activation video recordings)
- Purpose: consideration of inquiries and claims, protection of the rights of the Operator and the User in pre-court and court proceedings.
- Legal ground: performance of a contract; legitimate interest (defence of rights in a dispute).
- Storage period: support correspondence, 3 years after fulfilment of the relevant Order; activation video recordings, 1 year after closure of the refund claim; reviews, until deletion by the User or the Operator.
Marketing (consent to mailing, mailing statistics)
- Purpose: sending marketing messages, informing about news, promotions and new Services.
- Legal ground: the User's consent.
- Storage period: until withdrawal of consent by the User; after withdrawal, deletion within 10 business days, except for information about the fact of withdrawal.
KYC documents
- Purpose: identification of the User, counteraction to money laundering and financing of terrorism, fulfilment of requirements of authorized bodies.
- Legal ground: compliance with the requirements of the law of the Kyrgyz Republic; legitimate interest of the Operator.
- Storage period: 5 years from completion of the KYC check.
Upon expiry of the relevant storage period, personal data is subject to deletion or depersonalization, except where continued storage is required by law, contract or is necessary to defend the rights of the Operator in a dispute.
6. Principles of processing
The Operator processes personal data based on the following principles:
- lawfulness and fairness of processing;
- limitation of processing to specific, predetermined and lawful purposes; inadmissibility of processing incompatible with the purposes of collection;
- minimization: only data corresponding to the purposes of processing in a volume not excessive in relation to such purposes shall be processed;
- accuracy of data and their updating as necessary;
- limitation of the storage period in a form allowing the subject to be identified, no longer than required by the purposes of processing;
- ensuring confidentiality and protection against unlawful or accidental access, alteration, destruction, copying and distribution;
- transparency: providing the subject with clear information about the processing of their personal data and their rights.
The Operator does not combine databases the processing of which is performed for incompatible purposes.
7. Rights of personal data subjects
In accordance with Law 52-г, a personal data subject has the right to:
- receive information concerning the processing of their personal data, except in cases expressly provided by law;
- require rectification (correction) of personal data if they are incomplete, outdated or inaccurate;
- require blocking or destruction of personal data if they were unlawfully obtained or are not necessary for the stated purpose of processing;
- set a condition of prior consent when processing personal data for the purposes of promoting goods, works and services;
- withdraw consent to the processing of personal data in the manner of Section 13;
- appeal against the actions or inactions of the Operator to the authorized body for protection of the rights of personal data subjects or in court;
- exercise other rights provided by law.
Additional rights of subjects from the EEA are provided by Section 14.
The personal data subject is obliged to provide the Operator with accurate data about themselves and to report any changes.
8. Obligations of the Operator
The Operator is obliged to:
- process personal data in the manner established by Law 52-г and other regulatory acts;
- provide the personal data subject, at their request, with information concerning the processing of their personal data, in the manner of Section 13;
- respond to inquiries and requests of subjects and their legal representatives within the periods established by this Policy and the law;
- provide the authorized body, on request, with the necessary information within 10 (ten) business days from the date of receipt of the request;
- ensure unrestricted access to this Policy by posting it on the Website;
- take legal, organizational and technical measures to protect personal data in accordance with Section 12;
- cease processing and destroy personal data in cases and in the manner established by law or by the consent of the subject;
- notify the authorized body and subjects in case of a security incident in the manner of Section 12;
- notify the authorized body of the intention to perform cross-border transfer of personal data and obtain the necessary information from foreign recipients before the start of such transfer (Section 10).
9. Conditions for processing
Processing of personal data by the Operator is performed if at least one of the following conditions is met:
- consent of the personal data subject to the processing of their personal data;
- processing is necessary to perform a contract to which the subject is a party, beneficiary or surety, or to conclude a contract at the initiative of the subject;
- processing is necessary to perform functions, duties and powers imposed on the Operator by law;
- processing is necessary to exercise the rights and legitimate interests of the Operator or third parties, provided that the rights and freedoms of the subject are not violated;
- processing of personal data, access to which is granted by the subject to an unlimited circle of persons or which is subject to publication or mandatory disclosure in accordance with law.
Consent to the processing of personal data is given in a form allowing the fact of its receipt to be confirmed, including by marking it in the corresponding form on the Website when placing an Order or subscribing to mailings. Consent may be withdrawn in the manner of Section 13.
10. Transfer to third parties and cross-border transfer
10.1. Categories of recipients
The Operator may transfer personal data to the following categories of third parties to the extent necessary to achieve the relevant processing purposes:
- payment gateways, acquiring banks and payment systems, for accepting payments and processing transactions;
- Game Rights Holders and payment intermediaries appointed by them, for topping up game accounts and purchasing digital values;
- hosting providers and cloud infrastructure providers, for hosting and ensuring the operation of the Website;
- email mailing providers, for sending service and marketing messages;
- web analytics providers (Google Analytics, Yandex.Metrica), for analyzing Website use;
- antifraud service providers, for detecting and preventing fraud;
- engaged legal, accounting and audit consultants, to the extent necessary for the relevant services;
- state authorities, courts and other authorized persons, in cases and in the manner provided by law.
Transfer of personal data to recipients listed in this clause is performed on the basis of a contract obliging the recipient to ensure a level of protection no lower than that established by this Policy and the law.
10.2. Cross-border transfer
Since certain recipients (including Game Rights Holders and analytics providers) may be located outside the Kyrgyz Republic, the Operator performs cross-border transfer of personal data, including to the territories of the Russian Federation, EEA states and the United States of America.
Before commencing cross-border transfer, the Operator notifies the authorized body of the Kyrgyz Republic of the intention to perform such transfer and obtains from foreign recipients information confirming the level of protection of subject rights required by Law 52-г. For transfers to which GDPR applies, the Operator uses the standard contractual clauses (SCC) approved by the European Commission and other safeguards provided by GDPR.
10.3. Prohibition of unauthorized transfer
The Operator does not transfer personal data to other third parties beyond those listed in clause 10.1, except where such transfer is provided by law, the subject's consent or is necessary to defend the Operator's rights in a dispute.
11. Cookies and analytics
11.1. Cookie classes
The Operator uses the following classes of cookies and similar technologies:
- Strictly necessary. Provide the basic operation of the Website (User Account authorization, Order cart, session retention). Set without User consent; their disabling makes use of the Website impossible or significantly impedes it.
- Functional. Remember the User's choice (interface language, region, display of elements). Set on the basis of User consent.
- Analytical. Collect anonymized data on Website use (pages visited, source of transition, behaviour). Set on the basis of User consent.
- Marketing. Allow forming advertising offers and measuring campaign effectiveness. Set on the basis of User consent.
11.2. Cookie management
The User manages consent to setting functional, analytical and marketing cookies via the cookie banner on the first visit to the Website and at any time via the cookie settings on the Website. Disabling or deleting cookies is also possible via browser tools. Disabling strictly necessary cookies may render certain Website functions unavailable.
11.3. Analytics services used
The Operator uses the web analytics systems Google Analytics and Yandex.Metrica, which set their own cookies. These services process data in accordance with their own privacy policies.
12. Security measures. Incidents
12.1. Protection measures
The Operator takes legal, organizational and technical measures to protect personal data from unlawful or accidental access, destruction, alteration, blocking, copying, provision, distribution and other unlawful actions, including:
- appointment of a person responsible for organizing the processing of personal data;
- differentiation of access rights of employees and contractors based on the principle of minimum necessary powers;
- application of communication channel encryption (HTTPS/TLS) and encryption of backup copies containing personal data;
- maintenance of access logs and operations on personal data;
- regular backup, antivirus protection, security monitoring;
- storage of KYC documents in a separate protected vault;
- training of employees in personal data processing rules and conclusion of confidentiality undertakings with them.
12.2. Incidents
A security incident means any event that resulted or could potentially result in unlawful access to personal data, their loss, destruction, alteration or disclosure.
In the event of an incident, the Operator:
- immediately takes measures to localize and eliminate the causes of the incident;
- notifies the authorized body of the Kyrgyz Republic in the manner provided by law and, where GDPR applies, the relevant national data protection authority within 72 (seventy-two) hours of detection of the incident in the manner of GDPR Art. 33, if the incident is likely to entail a risk to the rights and freedoms of subjects;
- notifies affected personal data subjects if the incident is likely to entail a high risk to their rights and freedoms (GDPR Art. 34) by means of a message to the contact email and/or notification in the User Account;
- conducts an internal investigation and takes measures to prevent recurrence.
13. DSAR procedure. Withdrawal of consent
13.1. Submission of a request
A request to exercise the rights of a personal data subject (access, copy, rectification, erasure, restriction of processing, withdrawal of consent, portability, objection) is sent to support@brawl.games with a subject reflecting the substance of the request (for example, "DSAR, access", "Withdrawal of consent", "Data deletion"). The request must contain sufficient information to unambiguously identify the applicant and establish their connection to the data being processed (User Account email, nickname and, where applicable, Order number).
13.2. Identification of the applicant
To protect the rights of subjects, the Operator is entitled to request additional information to identify the applicant and confirm that the request was submitted by the proper person. If identification is impossible, the Operator is entitled to refuse to fulfil the request, with reasons.
13.3. Response time
A response to a DSAR is sent to the applicant within 30 (thirty) calendar days from receipt of a complete and identified request. For complex or repeated requests, the period may be extended by a further 30 (thirty) calendar days, with notice to the applicant within the original period, in the manner provided by Law 52-г and (for subjects from the EEA) GDPR.
13.4. Withdrawal of consent
Consent to the processing of personal data may be withdrawn at any time by sending a notice to support@brawl.games with the subject "Withdrawal of consent to personal data processing". Within 10 (ten) business days from receipt of the notice, the Operator ceases the processing of personal data based solely on consent and deletes such data, except where continued processing is permitted on another legal ground (performance of a contract, legal requirements, defence of rights in a dispute).
13.5. Refusal to fulfil a request
The Operator is entitled to refuse to fulfil a request if it is manifestly unfounded, excessive, repeatedly submitted in an abusive manner (GDPR Art. 12(5) / corresponding provisions of Law 52-г), or where fulfilment of the request would violate the rights and legitimate interests of third parties or the Operator. The refusal is issued in writing with reasons.
13.6. Exceptions to deletion
The Operator is entitled to retain personal data after receiving a deletion request or withdrawal of consent to the extent and for the period for which retention is required to:
- comply with the requirements of the law of the Kyrgyz Republic on accounting and tax records;
- perform contracts concluded with the User (including processing of unfinished Orders);
- defend the rights of the Operator in pre-court and court proceedings;
- perform obligations in the field of counteraction to money laundering and financing of terrorism (KYC).
14. GDPR provisions for subjects from the EEA
14.1. Applicability
If a personal data subject is located in a Member State of the European Economic Area at the time of processing, GDPR applies to such processing in addition to Law 52-г. In case of conflict, the rule providing a higher level of protection of the subject's rights applies.
14.2. Controller and representative
The data controller within the meaning of GDPR Art. 4(7) in respect of the processing described in this Policy is the Operator. The Operator does not have an established representative in the EEA within the meaning of GDPR Art. 27; until such a representative is appointed, the contact person on GDPR matters is the Operator at support@brawl.games.
14.3. Legal grounds for processing
For subjects from the EEA, the Operator uses the following legal grounds for processing within the meaning of GDPR Art. 6:
- Art. 6(1)(a), the subject's consent (for marketing mailings, analytical and marketing cookies);
- Art. 6(1)(b), necessity to perform a contract (for placing and fulfilling Orders, maintaining the User Account);
- Art. 6(1)(c), compliance with the Operator's legal obligations (for accounting and tax records, KYC);
- Art. 6(1)(f), legitimate interests of the Operator (for antifraud monitoring, ensuring Website security, defence of rights in a dispute).
14.4. Additional rights of the subject
A subject from the EEA has the following rights within the meaning of GDPR Art. 15-22:
- the right of access to their personal data and to receive a copy (Art. 15);
- the right to rectification of inaccurate data (Art. 16);
- the right to erasure ("right to be forgotten", Art. 17), subject to the exceptions of clause 13.6;
- the right to restriction of processing (Art. 18);
- the right to data portability in a structured machine-readable format (Art. 20);
- the right to object to processing based on legitimate interest or carried out for marketing purposes (Art. 21);
- the right not to be subject to decisions based solely on automated processing, including profiling, producing legal or similarly significant effects (Art. 22).
14.5. Complaint to a supervisory authority
A subject from the EEA is entitled to file a complaint with the data protection authority in the state of their habitual residence, place of work or place of the alleged GDPR breach (Art. 77).
14.6. Transfers to third countries
Transfers of personal data outside the EEA are performed by the Operator using the standard contractual clauses (SCC) approved by the European Commission or other safeguards provided by Chapter V of GDPR. A copy of the applicable SCC may be requested by a subject from the EEA at support@brawl.games.
15. Minors and age limit
The Website and the Services are intended for persons aged 18 (eighteen) and over. The Operator does not direct the processing of personal data to collect information from persons under 18 and does not offer the Services directly to minors.
If the Operator becomes aware that personal data has been provided by a person under 18 without proper consent of a legal representative, the Operator deletes such data within a reasonable period, except where retention is required by law. The legal representative of a minor is entitled to contact support@brawl.games with a request to delete the relevant data.
16. Amendments to this Policy
The Operator is entitled to unilaterally amend the Policy. The current version is posted at https://brawl.games/policy, indicating the edition date in the header and footer of the document. Material amendments affecting the grounds for processing or the volume of transmitted data are additionally communicated to registered Users via the User Account or by contact email. Continued use of the Website after publication of amendments means consent to the updated version of the Policy.
17. Contacts of the person responsible for processing
All issues related to the processing of personal data, including DSAR requests, withdrawals of consent, complaints and inquiries, are sent to support@brawl.games. This address is the only official channel of communication with the person responsible for organizing the processing of personal data at the Operator. Messages sent via social networks, messengers, telephone calls and other unofficial channels do not give rise to legal consequences for the Operator and may be disregarded.
18. Final provisions
This Policy is in effect indefinitely from the moment of its publication on the Website until replaced by a new version. Recognition of any provision of the Policy as invalid or unenforceable does not entail invalidity or unenforceability of the remaining provisions; such provisions remain in force. The Policy is governed by the law of the Kyrgyz Republic; for subjects from the EEA, additional safeguards provided by GDPR are preserved.
Edition of May 8, 2026. Permanent address: https://brawl.games/policy.
© 2026 BAILYK LLC. All rights reserved.