CYGMA

Join CYGMA

Privacy Policy

Introduction

CYGMA (Cyprus Game Makers Association) Limited (“CYGMA” or “we”) is a non-profit organization registered in Cyprus. CYGMA is a company limited by guarantee without share capital (meaning it operates on a not-for-profit basis), established to promote and support the game development industry in Cyprus. We are committed to protecting your personal data in compliance with the EU General Data Protection Regulation (“GDPR”) and applicable local laws. This Privacy Policy explains what personal data we collect (particularly through our membership registration form and website), how we use and protect it, and your rights regarding this data. By interacting with us – for example, by applying for membership through our Wild Apricot platform or visiting our website – you acknowledge and agree to the practices described in this Privacy Policy.

Data Controller and Contact Information

For the purposes of data protection law, the data controller is CYGMA (Cyprus Game Makers Association) Limited, a non-profit association registered in Cyprus (Registration No. HE 486303). Our registered office is at 1 Lampousas Street, 1095 Nicosia, Cyprus. If you have any questions or requests regarding your personal data, you can contact us at info@cygma.com or by mail at the above address.

Personal Data We Collect

We collect personal data that you provide directly to us when you apply for or maintain membership in CYGMA, as well as data generated in the course of your membership. This includes:

  • Contact Information: Your name and email address (both required for membership registration), and optionally your telephone number or other contact details you choose to provide. This allows us to identify you and communicate with you.
  • Professional/Organizational Information: The company or organization you are affiliated with (especially since CYGMA’s members are typically game development companies or institutions) and your job title or role. We use this to verify membership eligibility and to understand our membership demographics (e.g., whether you represent a game studio, academic institution, etc.).
  • Postal Address: Your mailing or business address, if requested during registration or provided by you (for example, some membership forms include an address field for contact or billing purposes). This may be used for official correspondence, billing, or record-keeping.
  • Membership Details: Information related to your membership in the association, such as the type/category of membership you have selected, your membership start date and renewal/expiration date, membership ID, and status (e.g., active, pending approval, lapsed). We generate and maintain this data to administer your membership (for example, tracking when fees are due or if membership is active).
  • Payment Information: If a membership fee is required, we (through our third-party payment processor) collect payment details to process your membership dues. This may include billing name, payment method, and transaction information. Note: Credit card details (card number, CVC, etc.) are not stored on our systems; when you pay online, your card information is transmitted directly and securely to our payment provider (Stripe) via the Wild Apricot platform. We receive a payment confirmation and basic details like the last four digits of your card or transaction ID, but full card data is never received or retained by CYGMA.
  • Additional Information You Provide: Any other personal information you choose to give us. For example, our membership form may include custom fields or free-form text boxes for information such as your company’s registration number, years in operation, or notes to administrators. You might also provide information when contacting us (via email, website forms, or otherwise) with inquiries or when participating in CYGMA events or surveys. We will collect and record such information as needed to fulfill the purposes for which you provided it.

We do not intentionally collect any special categories of personal data (such as data about race, health, or religious beliefs) through the membership process, nor do we seek to collect information about individuals under 18, as our membership is intended for adult professionals and organizations. Please refrain from submitting any sensitive personal data unless necessary, and do not register minors as members. If we discover that we have inadvertently collected sensitive data or data from a minor, we will delete it promptly.

Purpose and Legal Basis for Processing

We only use your personal data for specific, explicit purposes and where we have a lawful basis under GDPR to do so. The purposes for which CYGMA processes your personal data, and the corresponding legal bases, include:

  • Membership Application and Administration: We use the information you provide on the membership form to process your application, verify your eligibility (e.g. confirming your affiliation with the games industry in Cyprus), and register you as a member of the association. We will also use your data to maintain an up-to-date register of members and to manage your membership account (e.g. keeping track of membership status and renewals). Legal basis: This is necessary for the performance of a contract (the membership agreement between you/your company and CYGMA) or in anticipation of such a contract at your request (GDPR Art. 6(1)(b)). In cases where the member is a legal entity and you are the contact person, our legal basis may also be our legitimate interest (GDPR Art. 6(1)(f)) in communicating with and managing our relationship with the member organization via its representative.
  • Providing Membership Benefits and Services: We process your contact and professional information to inform you of and provide association benefits, such as invitations to events, industry news updates, networking opportunities, committee participation, or resources available to members. We will send you communications that are necessary for membership, including notices of general meetings, updates on CYGMA’s activities, and renewal reminders. Legal basis: Performance of our contract with you (if communications are intrinsically related to your membership) and/or CYGMA’s legitimate interests in fulfilling its non-profit mission to engage with its members (Art. 6(1)(f)). We consider such communications part of the service to members, and we will not send you unrelated marketing without your consent.
  • Processing Payments and Accounting: When you pay membership fees or make any donations or sponsorship contributions, we process your payment information to collect and record these payments. Legal basis: Performance of a contract (Art. 6(1)(b)) – we must process payments to provide membership – and compliance with legal obligations (Art. 6(1)(c)), as we are required to maintain proper financial records for accounting and tax purposes. For example, Cyprus law may require us to keep records of income (including membership dues) and issue receipts.
  • Administration and Improvement of Our Services: Internally, we may use membership data to analyze our membership base (e.g. number of members, types of organizations, industry statistics) and improve our outreach or services. For instance, we might aggregate information to report the number of game studios versus academic institutions in our membership, or to identify common interests for future events. Legal basis: Legitimate interests (Art. 6(1)(f)) – specifically, our interest in evaluating and enhancing our non-profit services and ensuring we meet our organizational objectives. Any reporting of aggregated industry data will not include personally identifiable information without consent; we only use personal data internally for analysis or anonymize it for broader reporting.
  • Legal Compliance and Risk Management: We may process personal data when necessary to comply with our legal obligations or to protect our legal rights. This includes: fulfilling duties under the Cypriot Companies Law (for example, maintaining a membership register as required for companies limited by guarantee), complying with lawful requests from authorities, and enforcing our Memorandum & Articles of Association and membership terms. We may also perform due diligence such as sanctions screening on prospective or current members, since our constitutional documents bar membership for entities involved in certain prohibited activities and automatically terminate membership if a member becomes subject to sanctions. Legal basis: Compliance with a legal obligation (Art. 6(1)(c)) where applicable (e.g., responding to government inquiries or financial regulations) and legitimate interests (Art. 6(1)(f)) in ensuring our membership criteria and rules are upheld (for example, verifying that a potential member is not on a sanctions list, to protect the association’s reputation and comply with law).
  • Optional Communications/Marketing: If you are not a member but have subscribed to updates (for example, signing up on our website to receive news) or if we ever wish to use your details (such as name or company logo) in CYGMA promotional materials, we will do so only with your explicit consent (Art. 6(1)(a)). In such cases, you have the right to withdraw consent at any time, and we will honor your choice. (Note: As of now, CYGMA’s communications are primarily directed to members and stakeholders; we do not engage in broad marketing campaigns, and we do not sell or rent personal data to third parties for marketing.)

If we intend to process your personal data for any purpose that is incompatible with the original purposes above, we will inform you and, if required, obtain your consent or provide an opportunity to object.

Disclosure of Personal Data to Third Parties

CYGMA treats your personal data with care and confidentiality. We do not sell your personal information to any third parties. We only share your data in the following contexts, and always under appropriate safeguards:

  • Wild Apricot Membership Platform: We use Wild Apricot as our third-party membership management software to host the membership application forms and maintain our membership database. When you submit your information to join CYGMA, such data is collected and stored on Wild Apricot’s secure platform on our behalf. Wild Apricot acts as a “data processor” for CYGMA, meaning it processes personal data solely in accordance with our documented instructions and does not use such information for its own independent purposes. Wild Apricot’s servers may be located outside the European Economic Area, including in the United States, and therefore your personal data may be subject to international transfers (see International Data Transfers below for further safeguards). Wild Apricot adheres to high data protection and security standards, implements appropriate technical and organisational measures to protect personal data, and enters into data processing agreements in compliance with GDPR requirements to ensure lawful and secure processing.
  • Payment Processing (Stripe): We use Stripe as our payment processor to handle membership fee transactions. When you pay online, your payment details are submitted directly to Stripe via an embedded form on the Wild Apricot platform. CYGMA does not receive or store your full credit card information. Stripe processes the payment and returns to us a confirmation or token indicating the payment was successful. Stripe is a well-established, PCI-DSS compliant payment provider; it implements industry-standard security measures to protect your payment data. We receive from Stripe only the information needed to record and verify your payment (such as your name, the date/time of transaction, amount, and a transaction ID or last four digits of your card) and for accounting. Stripe may process your data outside the EEA (e.g., in the US or other countries) but is obligated to protect it according to GDPR standards (Stripe’s global services include safeguards like standard contractual clauses and/or participation in the Data Privacy Framework). For more details on how Stripe handles personal data, you can refer to Stripe’s privacy policy on their website.
  • Email and IT Service Providers: To communicate with our members and operate our website, we may use third-party service providers. For example, if we send emails to our members, they might be transmitted through an email service platform, or if you fill out a contact form on our website, that might be managed through our website hosting service. Similarly, if we use cloud storage or document collaboration tools for administrative purposes, some member information might pass through those systems. We will ensure that any such providers are bound by confidentiality and data protection obligations. They will only use your data as necessary to provide services to us (for instance, to deliver an email or host our database).
  • Advisors and Auditors: On occasion, we might need to share relevant data with professional advisors (such as legal counsel or accountants) or auditors. For example, our financial auditor may review membership fee records which contain personal identifiers (names and payment amounts), or a lawyer might be consulted regarding a compliance matter involving member data. In all cases, these parties are obligated to respect the confidentiality of your information and to use it only for the purpose of providing services to CYGMA or as required by law.
  • Compliance with Law: We may disclose personal data to government authorities, regulators, courts, or law enforcement if required to do so by law or if such disclosure is reasonably necessary to (i) comply with a legal obligation, (ii) respond to valid legal process (e.g., a subpoena or court order), or (iii) protect the rights, property, or safety of CYGMA, our members, or the public. For instance, if the Cyprus Registrar of Companies or another authority requests our membership register as part of a regulatory process, we would be compelled to provide the necessary information. Similarly, if we are investigating a violation of our bylaws or suspect illegal activity, we might share data with our legal advisors or law enforcement.
  • Organizational Transitions: In the unlikely event that CYGMA undergoes a significant organizational change, such as merging with another non-profit association or transferring our operations to a successor entity (for example, if CYGMA’s functions are moved to a new umbrella organization with a similar mission), your personal data may be transferred to that successor organization. If this happens, we will ensure the new owner/controller has equivalent privacy measures in place and will inform you of the change. (Note: As a non-profit, CYGMA will not be “sold”, and our constitutional documents mandate that if the organization is dissolved, any remaining assets go to another non-profit with similar purposes. In any scenario, the handling of member data would remain subject to the protections of this Privacy Policy and applicable law.)

No Unauthorized Sharing: We will never share your personal information with third parties for their own marketing or commercial uses. All third parties who process personal data on our behalf (such as Wild Apricot or Stripe) are carefully vetted for GDPR compliance and required to sign agreements ensuring your data is protected. We remain responsible for the handling of your personal data by any service providers working on our instructions.

International Data Transfers

As mentioned above, some of the tools and services we use may process your personal data outside the European Union. In particular, our membership database on Wild Apricot is hosted on servers located in Canada, and our payment processor Stripe, as well as potentially other service providers, may process data in additional jurisdictions, including the United States.

Whenever we transfer your personal data outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR. These safeguards may include:

  • Relying on adequacy decisions adopted by the European Commission. For example, Canada is recognised by the European Commission as providing an adequate level of data protection for personal data transferred from the EEA.
  • Entering into European Commission-approved Standard Contractual Clauses (SCCs) with service providers where required, ensuring that personal data remains protected to EU standards irrespective of the location of processing.
  • Implementing supplementary technical and organisational measures, such as encryption in transit and at rest, access control mechanisms, and contractual commitments to data security and confidentiality.

You may contact us for further information regarding the safeguards applied to international data transfers or to obtain copies of relevant contractual protections.

Data Retention

We will retain your personal data only for as long as is necessary to fulfill the purposes we collected it for, including for satisfying any legal, accounting, or reporting requirements. In general:

  • Membership Data: If you become a member, we will retain your personal information for the duration of your membership in CYGMA so that we can manage your account and provide services. If your membership ends (for example, you resign or do not renew), we will mark your record as inactive. We may retain your contact and membership history for a certain period after you are no longer a member, typically up to 5 years, in case you decide to rejoin or have questions about past membership, and to meet legal obligations. We will not keep your data for longer than necessary – for instance, if you request erasure of your data after leaving, and we have no legal requirement to keep it, we will delete it as described in “Your Rights” below.
  • Rejected Applications: If you apply for membership but your application is not accepted (e.g., because eligibility criteria were not met or the membership cap was reached), we generally will not retain your personal data long-term. We will notify you of the outcome and delete your application data within a reasonable time (e.g. within a few months), unless you give us permission to retain your details to contact you about future opportunities or unless we are required to keep it for legal reasons.
  • Payment and Financial Records: We retain records of membership fee payments and related financial transactions for a longer period as required by law. Accounting and tax regulations in Cyprus may require us to keep transaction records and supporting documentation for 7 years or more. Therefore, information such as your name, the amount and date of payments, and invoices/receipts will be kept at least for that period. However, any sensitive payment details (like credit card numbers) are not stored by us, as noted above.
  • Communications: If you correspond with us (for example, via email or through a contact form), we may retain those communications for as long as necessary to address your request and keep necessary records. Emails and contact form submissions that contain routine inquiries may be periodically deleted once addressed, whereas any that need to be kept for legal or reference purposes will be stored securely as long as needed.
  • Website Usage Data: If our website collects any personal data (such as analytics data or cookies with identifiers), we will retain such data per our Cookie Policy or until it has fulfilled its purpose. For example, analytics data may be retained in aggregate form (without personal identifiers) for trend analysis, and any personal-level web logs are typically rotated or deleted within a short timeframe unless used for security monitoring.

After the applicable retention periods above, or upon your valid request for erasure, we will either securely delete or anonymize your personal data. In the event that we anonymize data (so that it can no longer be associated with you), we may continue to use that information without further notice to you.

Please note that in some cases we may retain certain information for longer if required to do so by law. For example, if there is ongoing litigation or an investigation relating to that data, we would retain the information until the issue is resolved. We also keep backups of our electronic data; thus, your data may remain in backup storage for a short period even after deletion, but we have processes to purge or destroy backups securely in due course.

Data Security

We take the security of your personal data very seriously and implement appropriate technical and organizational measures to safeguard it. These measures include:

  • Secure Hosting and Transmission: All membership data is stored on Wild Apricot’s secure servers, and all interactions with the Wild Apricot membership portal occur over encrypted HTTPS connections. This means that when you enter personal information or make a payment, the data is encrypted in transit, preventing eavesdropping. Wild Apricot also employs robust security measures for data at rest and utilizes reputable cloud infrastructure (e.g., MongoDB Atlas and Meteor Galaxy) with strong protections.
  • Payment Security: Payments made through our platform are processed by Stripe, which is a PCI-DSS Level 1 compliant service provider. Your sensitive payment information (like credit card numbers) never passes through our servers and is handled directly by Stripe’s secure system. This significantly reduces any risk of payment data breaches on our side.
  • Access Control: Access to member data is restricted to authorized persons in our organization who need to process it for the purposes described (for example, CYGMA’s board members or administrative staff responsible for member relations and finance). All such persons are made aware of their confidentiality and data protection obligations. Our Wild Apricot admin account is protected with strong authentication measures, and we follow best practices (including the use of two-factor authentication where available) to prevent unauthorized access to the membership database.
  • Organizational Measures: We have internal policies and training in place to ensure that personal data is handled carefully. We limit any downloads or exports of membership data to only what is necessary, and when we do export data (e.g., for a meeting attendance list), we handle it securely and delete local copies when no longer needed. Wild Apricot also allows us to export and delete data as required, meaning we have control over removing data from the platform if needed (such as honoring a deletion request).
  • Monitoring and Updates: We keep our systems and software up-to-date with security patches. We also monitor for any indications of suspicious activity. In the event of any data breach or security incident affecting your personal data, we have a procedure to notify affected individuals and the relevant authorities as required by GDPR.
  • No Unnecessary Data: We adhere to the principle of data minimization. We only collect personal data that we actually need for the stated purposes, which helps reduce the security risk. For example, we do not collect national identification numbers, nor personal financial account details, nor any special sensitive data from members, since such details are not necessary for our membership purposes. By limiting what we store, we limit what could be exposed in the unlikely case of a breach.

While we strive to protect your information, please note that no method of transmission over the internet or electronic storage is completely secure. However, we continuously review and enhance our security practices to meet or exceed industry standards and to address new threats as they arise.

Your Rights Under GDPR

As an individual whose personal data we process, you have several rights under the GDPR. CYGMA respects these rights and has processes to ensure you can exercise them. Your principal data protection rights are:

  • Right of Access: You have the right to request confirmation of whether we are processing personal data about you, and if so, to obtain a copy of the personal data we hold about you, as well as information about how we use it. This allows you to understand and verify that we are processing your information lawfully.
  • Right to Rectification: If any of your personal data that we have is inaccurate or incomplete, you have the right to have it corrected or updated without undue delay. For example, if your email address or affiliation changes, you can inform us and we will update our records. We also encourage you to keep your membership information current; you may be able to edit certain profile details through the member portal, or you can contact us for assistance.
  • Right to Erasure: Also known as the “right to be forgotten,” this right entitles you to request the deletion of your personal data when there is no compelling reason for us to keep it. You can request that we erase your data, for instance, if you are no longer a member and you want all your personal details removed from our records. We will honor such requests provided we do not have an overriding legal obligation or legitimate reason to retain the data (for example, we might need to keep some payment records to satisfy financial regulations). Through our membership platform, we are able to permanently delete your member record if needed.
  • Right to Restrict Processing: You have the right to ask us to suspend the processing of your personal data in certain circumstances – for example, if you contest the accuracy of the data or have objected to our processing (see below), while we review your request. If processing is restricted, we can still store your data but will not use it until the issue is resolved (aside from maintaining the restriction).
  • Right to Data Portability: For data that you have provided to us and that we process by automated means on the basis of consent or contract, you have the right to request a copy in a structured, commonly used, machine-readable format (for example, a CSV file), and you can ask that we transfer this data directly to another data controller where technically feasible. In plain terms, this could apply if you provided us information and we are processing it under contract – you could ask for an export of the data to send to another service. We will assist with such requests to the extent applicable.
  • Right to Object: You have the right to object to our processing of your personal data when that processing is based on our legitimate interests (Art. 6(1)(f)), including profiling based on those interests. You also have an absolute right to object to any direct marketing we send you. In practice, we do not currently engage in profiling and we limit marketing to members (which is considered part of our member service), but if you ever receive communications from us that you prefer not to, you can opt out at any time and we will stop sending them. If you lodge an objection to processing that is not related to direct marketing (for example, if you object to us using your data for statistical purposes under legitimate interest), we will review your objection and unless we have a compelling legitimate ground to continue processing (or a legal obligation), we will cease the processing in question.
  • Right to Withdraw Consent: In cases where we rely on your consent to process your data (currently, this would mainly be if we send non-essential communications to non-members, or use your information in a way that requires consent), you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of any processing we conducted based on consent before its withdrawal. If you withdraw consent for a service that requires it, we will stop that processing and, if no other legal basis applies, we will delete the relevant data. For example, if you had given consent for us to list your personal testimonial on our website, you can ask us to remove it.

To exercise any of your rights, please contact us at info@cygma.com with your request. We may need to verify your identity to ensure we do not disclose or alter data to the wrong person. We will respond to your requests as soon as possible and no later than one month from receiving a valid request, extendable by another two months for complex requests (we will inform you if an extension is needed). There is no fee for exercising your rights unless a request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request (providing our reasons).

Finally, if you believe that we have not handled your personal data properly or you have concerns about how we have processed your data, you have the right to lodge a complaint with the Office of the Commissioner for Personal Data Protection in Cyprus (the Cypriot supervisory authority for data protection). The Commissioner’s office can be contacted via their website (www.dataprotection.gov.cy) or email (commissioner@dataprotection.gov.cy). We encourage you to contact us first to see if we can address your concerns directly, as we are committed to resolving any privacy issues in a timely and satisfactory manner.

Updates to this Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. When we update the policy, we will revise the “last updated” date at the bottom of this page. If any changes are significant, we will provide a more prominent notice (such as by email to members or a notice on our website or member portal). We encourage you to review this Policy periodically to stay informed about how we are protecting your information.

Your continued membership in CYGMA or use of our services after any updates constitutes acceptance of the revised Privacy Policy. However, if we make any material changes to the purposes for which we process your personal data, we will seek your consent where required by law.

Contact Us

If you have any questions, requests, or concerns regarding this Privacy Policy or your personal data, please do not hesitate to contact us:

Cyprus Game Makers Association (CYGMA)

Email: info@cygma.com

Postal Address: 1 Lampousas Street, 1095 Nicosia, Cyprus (Attn: General Manager)

Website: https://cygma.eu/

We are here to help and will respond to your inquiry as soon as possible. Your privacy is important to us, and we welcome your feedback.

Last updated: January 26, 2026