How Doventis OÜ (StormWick) gathers, uses and safeguards your personal data. Aligned with the EU General Data Protection Regulation (GDPR) and the Estonian Personal Data Protection Act.

Last updated: 27 June 2026 · Effective: 27 June 2026

1. Introduction

This Privacy Policy sets out the way in which Doventis OÜ, the operator of the website stormwick.com (referred to here as “StormWick”, “we”, “us” or “our”), handles the personal data of site visitors, registered members and customers (“you”, “your”). We run an exclusively digital store, offering game keys, activation codes, downloadable in-game content, software and prepaid gift cards for the leading gaming platforms. We do not deal in physical goods of any kind.

Your information is handled responsibly: we gather only what is necessary to operate the store and deliver what you have bought, and we never sell it on to advertisers or data brokers. We have made this document deliberately thorough so that you can decide with confidence. Should any point remain unclear, please get in touch — our details appear at the foot of this page.

2. Who we are (data controller)

For the purposes of the GDPR, the data controller answerable for the processing of your personal data is:

We have not formally designated a Data Protection Officer, since the nature of our processing does not make this mandatory under Article 37 GDPR. Even so, a dedicated team manages every privacy request and replies within the deadlines described below.

3. Personal data we collect

The categories of data we hold vary according to how you engage with StormWick.

3.1 Data you give us directly

  • Account data — your e-mail address, a password (kept only as a salted hash, never in readable form) and a display name.
  • Billing data — your first and last name, billing address, country, postal code and, where the payment method calls for it, a telephone number.
  • Order data — the items you have bought, the order value, invoices, and the e-mail address that game keys are sent to.
  • Communications — whatever you write to us via our contact form, live chat, e-mail or any other support channel, along with the details we need in order to reply.
  • Marketing preferences — the choices you make about newsletters, promotional e-mails and wishlist alerts.

3.2 Data we gather automatically

  • Device and connection data — your IP address, the type and version of your browser, your operating system, screen resolution, language, referring URL and time zone.
  • Usage data — the pages you open, the products you look at, the searches you run on the site, what you add to your cart or wishlist, how long you spend on a page, and your clicks and scrolling, captured through first-party analytics.
  • Cookies and comparable technologies — refer to Section 6 below for the complete list and the choices available to you.
  • Security logs — unsuccessful sign-in attempts, irregular checkout behaviour and anti-fraud indicators supplied by our payment partners.

3.3 Data we obtain from third parties

  • Payment service providers pass on the outcome of a transaction (approved or declined), a token standing in for your card, and any anti-fraud signals. Your full card number, CVV and PIN never reach us.
  • Key suppliers and publishers may pass on details about a particular key (such as its region or redemption status) while we look into a support enquiry.
  • Authentication providers (where you choose to sign in using a third-party account) pass on the e-mail address and basic profile details you have authorised.

We do not intentionally collect special categories of personal data — for instance information about health, religion, political views or biometric identifiers. If you choose to disclose such information to us of your own accord, for example within a support enquiry, we will limit how we use it and erase it as soon as it is no longer required.

4. Why we use your data (purposes)

The data outlined above is put to the following uses, and no others:

  • Selling and delivering products. Handling your orders, taking the agreed payment, and completing your purchase by sending the chosen game key or gift card code to your e-mail and to your account dashboard.
  • Customer accounts. Setting up and running your StormWick account, confirming your identity when you log in, and allowing you to download invoices again and revisit codes from earlier orders.
  • Customer support. Responding to your queries, looking into and resolving problems with orders, and arranging replacements or refunds where these are warranted.
  • Fraud prevention and security. Spotting and stopping fraudulent transactions, attempts to take over accounts, refund abuse and other security matters. This involves sharing a minimum of data with our payment processors for anti-fraud scoring.
  • Legal compliance. Retaining invoices and tax records as Estonian and EU law require, and replying to lawful requests from regulators or courts.
  • Improving the service. Reviewing aggregated and anonymised information about how the store is used, so that we can correct faults, boost performance, build better pages and put forward more relevant offers.
  • Marketing — only where you have agreed. Sending newsletters and promotional e-mails, presenting tailored offers, and letting you know when a product is back in stock or discounted. You may withdraw your agreement whenever you wish, using the link included in every marketing e-mail.

5. Legal basis for processing

The GDPR requires us to identify a lawful basis for each processing activity. The bases we rely upon are as follows:

  • Performance of a contract (Art. 6(1)(b) GDPR) — for processing orders, delivering purchases, managing accounts and handling refunds.
  • Legitimate interests (Art. 6(1)(f) GDPR) — for preventing fraud, keeping our infrastructure secure, running basic first-party analytics and responding to support enquiries. Wherever we depend on legitimate interests, we have weighed them against your rights and freedoms; you are free to object at any time (see Section 11).
  • Legal obligation (Art. 6(1)(c) GDPR) — for maintaining accounting records and meeting our tax obligations.
  • Your consent (Art. 6(1)(a) GDPR) — for non-essential cookies, marketing messages and any optional features that request it. You may withdraw consent at any point, and doing so does not affect the lawfulness of any processing already carried out.

6. Cookies and similar technologies

We make use of a small set of first-party and third-party cookies to keep the store functioning, to retain your preferences, and — only where you have opted in — to gauge how the site is used.

A complete inventory of cookies, together with each one’s purpose and duration, appears in our separate Cookies Policy. You can revise your selections whenever you like through the “Cookie settings” link in the footer.

7. Sharing with third parties

We do not sell personal data. We disclose it only to carefully chosen service providers who assist us in operating the store, and only as far as is strictly necessary.

  • Payment processors — to authorise and settle card payments. For fraud-prevention purposes they act as independent controllers and hold PCI DSS certification.
  • Hosting and infrastructure providers — to host the website and its database (with servers located within the European Union).
  • E-mail and communication providers — to dispatch transactional e-mails (order confirmations, delivery of keys, password resets) and, where you have consented, marketing e-mails.
  • Key suppliers and publishers — solely to the degree needed to look into a specific support enquiry that concerns your order (for example, confirming that a key has not been redeemed).
  • Analytics providers — for aggregated, privacy-respecting statistics, where you have given consent for non-essential cookies.
  • Professional advisors — accountants, lawyers and auditors who are bound by duties of professional confidentiality.
  • Public authorities — where the law compels us to hand over data (for example to tax authorities or in response to a court order).

Every processor operates under a written data processing agreement and handles your data strictly in line with our documented instructions.

8. International data transfers

Our aim is to keep all personal data within the European Economic Area (EEA). When a service provider sits outside the EEA, we move data only if one of the safeguards set out in Chapter V GDPR applies — most often the European Commission’s Standard Contractual Clauses (SCCs), reinforced by technical measures such as encryption both in transit and at rest. We can provide a copy of the safeguards relied on for any particular transfer upon request.

9. How long we keep your data

We hold personal data only for as long as it is needed for the purposes set out in this Policy, or for as long as the law obliges us to.

  • Account data — for the lifetime of the account, plus up to 12 months following its deletion to guard against abuse.
  • Order, invoice and tax data — for a minimum of 7 years from the close of the financial year, as the Estonian Accounting Act requires.
  • Support correspondence — for up to 24 months after the case is closed.
  • Marketing data — until you withdraw consent, or after 24 months without activity, whichever comes first.
  • Cookies — see the Cookies Policy for the duration of individual cookies.
  • Security logs — for up to 12 months, after which they are aggregated or deleted.

10. How we protect your data

We put in place technical and organisational measures suited to the level of risk, among them:

  • TLS/SSL encryption covering all traffic between your browser and our servers.
  • Encrypted storage of sensitive fields, and passwords that are salted and hashed (we never keep passwords in readable form).
  • Tight access controls, two-factor authentication for staff, and a documented procedure for removing access when staff leave.
  • Regular backups held in a separate location and tested to confirm they can be restored.
  • Ongoing monitoring for unusual activity, along with rate-limiting and bot protection on critical endpoints.
  • Due diligence on vendors and data processing agreements with every processor.

No system can promise complete security. Should we discover a personal data breach that is likely to pose a risk to your rights and freedoms, we will inform you and the relevant supervisory authority within 72 hours, in keeping with Articles 33 and 34 GDPR.

11. Your rights under the GDPR

Subject to the conditions laid down in the GDPR, you hold the following rights over your personal data:

  • Right of access — to obtain a copy of the data we hold about you.
  • Right to rectification — to have inaccurate or incomplete data corrected.
  • Right to erasure (“right to be forgotten”) — to request that we delete data we no longer need, subject to our legal retention duties.
  • Right to restriction — to ask us to suspend processing while a complaint or correction is being looked into.
  • Right to data portability — to receive the data you supplied in a structured, machine-readable format.
  • Right to object — to object at any time to processing founded on legitimate interests, including profiling, and to direct marketing.
  • Right to withdraw consent — where we rely on consent, you may withdraw it at any time, without affecting the lawfulness of processing already performed.
  • Right not to be subject to automated decision-making — we do not take decisions that produce legal or similarly significant effects relying solely on automated processing.

To act on any of these rights, write to privacy@stormwick.com. We reply to verified requests within one month. Your first request carries no charge; where a request is plainly unfounded or excessive, we may apply a reasonable fee or decline to act on it.

If our response leaves you dissatisfied, you are entitled to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, aki.ee) or with the supervisory authority in the EU/EEA Member State where you reside.

12. Children

StormWick is meant for users aged 16 and above. We do not knowingly gather personal data from anyone under 16. If you suspect that a child has supplied us with personal data, please write to privacy@stormwick.com and we will erase it without undue delay.

Certain titles in our catalogue carry age ratings (PEGI, ESRB), which are displayed on the relevant product page. Confirming that a product is suitable for its intended user remains your responsibility.

13. Changes to this Policy

From time to time we may revise this Privacy Policy to keep pace with changes to our service, to technology, to legal requirements, or in response to customer feedback. The date of the most recent revision is shown at the top of this page. Significant changes will be announced on the site and, where suitable, by e-mail to registered users.

14. Contact and complaints

For privacy questions, to make a request under the GDPR, or to report a suspected data incident, please reach out to:

You can also get in touch through our Contacts page.