Contenders are Fearless
Any regular group stage match is now played as a Bo3. New point distribution. Fearless in any Bo3 and Bo5 match. All rule changes can be found here.
Background (v1)

Privacy Policy

onethreefive gaming GmbH & heartbase group GmbH



onethreefive gaming GmbH (hereinafter "we", "us" or "onethreefive") takes the protection of your personal data seriously. This Privacy Policy informs you about which of your data is processed, for what purposes, on what legal basis and to what extent, to whom it is disclosed, and what rights you have.

This Privacy Policy applies to the Prime League platform and to the other domains listed under Sec. 19. It replaces the Privacy Policy previously used by Freaks 4U Gaming GmbH and the GameSports network.

Joint Controllers and Data Protection Officer



Joint Controllers (Art. 26 GDPR)


The following companies are joint controllers within the meaning of Art. 26 GDPR:
onethreefive gaming GmbH
An der Spreeschanze 10
13599 Berlin
Managing Director: Michael Haenisch

E-Mail: datenschutz@onethreefive.de

Court of Registration: Amtsgericht Berlin-Charlottenburg
Commercial Register Number: HRB 283760 B
VAT ID Number: DE460339655

heartbase group GmbH
An der Spreeschanze 10
13599 Berlin
Managing Director: Michael Haenisch

E-Mail: datenschutz@heartbasegroup.com

Court of Registration: Amtsgericht Berlin-Charlottenburg
Commercial Register Number: HRB 283458 B
VAT ID Number: DE460478584

Division of Responsibilities and Single Point of Contact (Art. 26 GDPR)


The joint controllership is governed by an agreement pursuant to Art. 26 GDPR between onethreefive gaming GmbH and heartbase group GmbH. The following division of responsibilities applies in essence:

heartbase group GmbH: Decisions on the strategic direction of the platform; technical operation of the platform and management of the user database.

onethreefive gaming GmbH: Day-to-day operation of the platform (league operations, support system, news, social media channels).

Regardless of this internal division of responsibilities, data subjects may exercise their rights (Art. 15–22 GDPR) against either controller. The joint point of contact is:

E-Mail: datenschutz@onethreefive.de

Data Protection Officer


Both joint controllers have jointly appointed an external Data Protection Officer:

harrand consulting GmbH
Wernigeroder Str. 41, 16341 Panketal, Germany

E-Mail: datenschutz@onethreefive.de


Transfer of Existing Data from the Former GameSports Network (Information pursuant to Art. 14 GDPR)


In the course of the insolvency proceedings of Freaks 4U Gaming GmbH, we received certain user data from the former GameSports network as part of an asset acquisition. This includes in particular the user data of the platforms of the former GameSports network (including 99damage.de, primeleague.gg).

The technical operation of the platform and the management of the user database are carried out by heartbase group GmbH as joint controller within the meaning of Art. 26 GDPR (see Sec. 1.2). The data from this acquisition was obtained by heartbase group GmbH and is processed by both companies in accordance with the Art. 26 GDPR agreement.

Source of the Data (Art. 14(2)(f) GDPR)


If you were already registered as a user in the Freaks 4U Gaming GmbH network before 1 May 2026, we received your account data not directly from you, but through the asset acquisition described above.

Categories of Data Concerned (Art. 14(1)(d) GDPR)


  • Username and e-mail address
  • Profile information including linked game accounts
  • Activity data (e.g. tournament participations, posts, login timestamps)
  • Hashed authentication data (passwords are not accessible in plain text)


Purposes and Legal Basis (Art. 14(1)(c) GDPR)


We process the acquired data in order to continue your existing user account and to continue offering you the services associated with that account. The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in the seamless continuation of an existing service relationship and in preserving the content you have created (profile, activities, participations).

Retention Period (Art. 14(2)(a) GDPR)


Acquired accounts that have not been logged into after 1 May 2026 will receive up to 3 reactivation e-mails to the stored address over 48 months of inactivity. If there is no response within a further 12 months, the account will be deleted (total retention period in the event of complete inactivity after the transition: 60 months). See also Sec. 15.

Your Right to Object


You have the right to object at any time, on grounds relating to your particular situation, to the processing of your data arising from the asset acquisition, pursuant to Art. 21 GDPR. In the event of an objection, we will cease processing unless we can demonstrate compelling legitimate grounds. You can delete your account at any time at: https://www.primeleague.gg/de/users/delete_account

General Notes on Purposes and Legal Bases


We process your personal data in compliance with the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) and the Telecommunications Digital Services Data Protection Act (TDDDG).

Unless otherwise specified in the sections below, processing is based on the following legal bases:

  • Art. 6(1)(a) GDPR – where consent is given (e.g. optional notifications, integration of external services via our consent management)
  • Art. 6(1)(b) GDPR – for the performance of the user agreement (provision of the account, platform features and tournaments)
  • Art. 6(1)(c) GDPR – for compliance with legal obligations
  • Art. 6(1)(f) GDPR – for the purposes of our legitimate interests (e.g. IT security, abuse prevention, continuation of acquired accounts)
  • Section 25(1) TDDDG – for storage/access of information on end devices based on your consent
  • Section 25(2) TDDDG – for strictly necessary cookies


Provision of the Website and Server Log Files


Each time our website is accessed, the browser technically transmits the following information to our server, which is temporarily stored in log files:
  • IP address
  • Date and time of access
  • Accessed URL / referrer URL
  • Browser type and version
  • Operating system


Purpose: provision of the website, ensuring IT security and stability, prevention of abuse. Legal basis: Art. 6(1)(f) GDPR.

Log files are automatically deleted after 30 days, unless security-relevant incidents require longer retention.

Cookies and Consent Management


We use cookies and similar technologies (e.g. localStorage) on our website.

Strictly Necessary Cookies


Certain cookies are technically required for the website to function (e.g. session cookies, login cookies, cookies for storing your consent preferences). Legal basis: Section 25(2) No. 2 TDDDG and Art. 6(1)(b)/(f) GDPR.

Consent Management


We use a consent management system to manage consents for non-essential cookies and third-party services. When you first visit our website, a banner is displayed in which you can independently and granularly decide on the activation of individual third-party services. Prior to your consent, no such third-party services are loaded and no data is transmitted to the respective providers.

The banner contains detailed information on: the purpose of the service, cookies used and their storage duration, data categories, third-country transfers and safeguards, and the identity of the respective provider.

Your consents are stored with timestamp and configuration for accountability purposes (Art. 7(1) GDPR). You can adjust or withdraw your consents at any time with effect for the future by reopening the consent button at the bottom right of the website.

Via the consent management system, we obtain consent in particular for the following third-party services: Google Analytics 4, Google reCAPTCHA, and the embedding of content from X (formerly Twitter), Facebook, Instagram, Twitch and YouTube.

Legal basis for the data processing via the consent management system itself: Section 25(2) No. 2 TDDDG and Art. 6(1)(c) and (f) GDPR (accountability obligation and legitimate interest in compliant consent management).

Registration and User Account


To use certain parts of our service (including tournaments or comments), creating an account is required. During registration, we collect the following data:
  • Username
  • E-mail address
  • Password (stored in hashed form)
  • Confirmation of minimum age (see Sec. 18.3)

You may optionally add further information to your profile, e.g. interests, personal description, profile picture or linked game accounts. Mandatory fields are indicated as such.

Purpose: provision and management of the user account, identification towards other users in the community, participation in tournaments and competitions.

Legal basis: Art. 6(1)(b) GDPR (performance of the user agreement) and, for voluntary profile information, Art. 6(1)(a) GDPR (consent).

Login via External Providers (Single Sign-On)



You have the option to log in to our platforms via the following external services:
  • Discord (Discord Inc., USA)
  • Google (Google Ireland Limited; data also processed by Google LLC, USA)
  • Twitch (Twitch Interactive Inc., USA / Amazon)
  • X (X Corp., USA, formerly Twitter)


The actual login takes place directly with the respective third-party provider. We typically only receive a unique user ID and your e-mail address with confirmation that you are logged in under that identifier with the third-party provider. When using Discord login, we additionally store your Discord username in order to send you notifications via Discord on request (see Sec. 9). What further data the third-party provider transmits to us depends on your privacy settings with that provider.

Purpose: simplified authentication. Legal basis: Art. 6(1)(b) GDPR (performance of the user agreement) or Art. 6(1)(a) GDPR (consent, where you choose the SSO method).

As part of SSO login, data is transferred to the USA. The providers named above may hold DPF certifications or rely on Standard Contractual Clauses (see Sec. 14). Please refer to the privacy notices of the respective providers:


Community, Profile and Activity Data



We record your activities within our service and display them in your profile and at other appropriate locations for other users. These include in particular:
  • Time of last visit / online status
  • Posts, comments and ratings submitted by you
  • Tournament participations, results, leaderboard positions
  • Linked game accounts (e.g. for identification in tournaments)


Purpose: provision of community features, enabling gaming and tournament operations. Legal basis: Art. 6(1)(b) GDPR; where you voluntarily make content public, additionally Art. 6(1)(a) GDPR.

Only data that you yourself have entered, linked or uploaded, or that is required for tournament operations, is displayed publicly.

Platform Notifications



We operate a notification system on our platform. In your profile settings, you can granularly specify which categories of notifications you wish to receive and via which channel: e-mail, in-app on the platform, push notification or Discord.

Service Notifications (contract-related)


Notifications directly related to the operation of your account or your tournament participation (e.g. match start, match results, schedule changes, security-relevant information) form part of the user agreement. Legal basis: Art. 6(1)(b) GDPR or Art. 6(1)(f) GDPR.

Editorial and Promotional Notifications (consent)


Content of a promotional or editorial nature (e.g. league news, new tournament formats, platform features, offers from our partners) will only be sent to you if you actively enable the relevant category and channel in your profile settings (opt-in). Legal basis: Art. 6(1)(a) GDPR; for e-mail additionally Section 7(2) UWG (Act Against Unfair Competition).

Delivery via Discord


If you enable Discord notifications, we transmit the content of the notification to Discord Inc. (USA), which delivers it to you via your Discord account. Discord processes this data as an independent controller under its own privacy policy. Third-country transfer to the USA: see Sec. 14.

Withdrawal and Adjustment


You can adjust or fully withdraw your consents at any time in your profile settings per category and channel (Art. 7(3) GDPR). The lawfulness of processing carried out prior to withdrawal remains unaffected.

Contact and Prize Competitions



Contact


If you contact us by e-mail, contact form or other means of communication, we process the data you provide (at minimum your e-mail address and the content of your enquiry, and where applicable your name) in order to handle your request.

Legal basis: Art. 6(1)(b) GDPR (for contract-related enquiries) or Art. 6(1)(f) GDPR (legitimate interest in responding to enquiries).

Prize Competitions and Tournaments with Prizes


When participating in prize competitions or tournaments with prizes, we process the data required for this purpose. If you are selected as a winner and receive a prize, we additionally collect:
  • Postal address (solely for the purpose of dispatching the prize)


Legal basis: Art. 6(1)(b) GDPR (contract for conducting the prize competition / tournament).

We pass your postal address exclusively to the contracted shipping service provider or a sponsor who handles the dispatch. Your postal address will not be used for any other purpose.

Retention period: We retain shipping data for up to 3 months after dispatch in order to ensure traceability (e.g. in the event of shipping issues or complaints). It is then deleted, unless statutory retention obligations apply.

Web Analytics, Bot Protection and External Content



We use the following third-party services. Where they are not strictly necessary, they are activated only after your consent via our consent management (see Sec. 5.2).

Google Analytics 4


We use Google Analytics 4 (GA4) by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) for statistical analysis of the use of our service. Usage data (e.g. pages visited, time spent, interactions) is collected and analysed. Data is transferred to Google LLC in the USA; Google LLC is certified under the EU–US Data Privacy Framework.

GA4 places cookies on your device, which are set only after your consent.

Legal basis: Section 25(1) TDDDG and Art. 6(1)(a) GDPR (consent). You can withdraw your consent at any time via our consent management.

Further information: https://policies.google.com/privacy

Google reCAPTCHA


We use Google reCAPTCHA by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) to protect our forms and services from abusive access and automated requests (bots). reCAPTCHA analyses behaviour on the page as well as device and browser characteristics, and transmits this data to Google. Data is transferred to Google LLC in the USA; Google LLC is certified under the EU–US Data Privacy Framework.

The use of reCAPTCHA is technically necessary to ensure the security and functionality of our services. No separate consent is obtained for this purpose.

Legal basis: Section 25(2) No. 2 TDDDG (technically strictly necessary) and Art. 6(1)(f) GDPR (legitimate interest in protecting our services against abuse).

Further information: https://policies.google.com/privacy

Embedding External Content (Social Media, Video)


We embed content from the following providers on our pages:
  • X (X Corp., USA, formerly Twitter)
  • Facebook (Meta Platforms Ireland Limited; data also processed by Meta Platforms, Inc., USA)
  • Instagram (Meta Platforms Ireland Limited; data also processed by Meta Platforms, Inc., USA)
  • Twitch (Twitch Interactive Inc., USA / Amazon)
  • YouTube (Google Ireland Limited; data also processed by Google LLC, USA)


This content is embedded via our consent management system. Prior to your consent, no data is transmitted to the respective providers. Only after consent has been activated will the embedded content be loaded and data (in particular the IP address, browser information, and any cookies) may be transferred to the respective provider.

These providers are independent data controllers and potential recipients of your data. Where the US-based providers listed are certified under the EU–US Data Privacy Framework, an adequacy decision exists; otherwise Standard Contractual Clauses apply.

Legal basis: Art. 6(1)(a) GDPR and Section 25(1) TDDDG (consent). You can withdraw your consent at any time.


Social Media Presences



We operate public profiles on the following social media platforms:


When you visit our profiles or interact with our content, data about your behaviour is collected and processed by the respective platform operators. We have no influence over this processing. The privacy policies of the respective providers apply.

Instagram and Threads (Meta)


Operator: Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (data also processed by Meta Platforms Inc., USA).

For the operation of our Instagram and Threads pages, we are joint controllers together with Meta within the meaning of Art. 26 GDPR. This follows from the fact that Meta provides us, as page operators, with aggregated statistical data about visitors to and interactions with our page (so-called Insights). The primary point of contact for exercising your data subject rights in relation to page statistics is Meta. However, you may also assert your rights against us.

Legal basis for operating our pages: Art. 6(1)(f) GDPR. Our legitimate interest lies in external communications and the reach of our platform.

Third-country transfer to the USA: Meta LLC is certified under the EU–US Data Privacy Framework.

Meta's privacy notice: https://www.facebook.com/privacy/policy/

Information on the Page Controller Addendum (Art. 26 GDPR): https://www.facebook.com/legal/terms/page_controller_addendum

TikTok


Operator: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin 2, Ireland (data also processed by TikTok Inc., USA, and TikTok Information Technologies UK Limited).

When you visit our TikTok page, TikTok processes data about your behaviour on the platform in accordance with its own terms of use and privacy policy. We receive aggregated, anonymised statistics about our content (video views, reach, interactions).

Legal basis: Art. 6(1)(f) GDPR.

Third-country transfer: Transfers to the USA and other third countries may occur. TikTok relies on Standard Contractual Clauses.

TikTok's privacy notice: https://www.tiktok.com/legal/page/eea/privacy-policy/de

X (formerly Twitter)


Operator: X Corp., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA.

When you visit our X page or interact with our content, X Corp. processes data about your behaviour in accordance with its privacy policy.

Legal basis: Art. 6(1)(f) GDPR.

Third-country transfer to the USA: X Corp. relies on Standard Contractual Clauses.

X's privacy notice: https://x.com/privacy

YouTube


Operator: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (data also processed by Google LLC, USA).

When you visit our YouTube channel, Google processes data about your behaviour on the platform. We receive aggregated statistics about our videos and channel views via YouTube Studio.

Legal basis: Art. 6(1)(f) GDPR.

Third-country transfer to the USA: Google LLC is certified under the EU–US Data Privacy Framework.

Google/YouTube's privacy notice: https://policies.google.com/privacy

Twitch


Operator: Twitch Interactive, Inc., 350 Bush Street, 2nd Floor, San Francisco, CA 94104, USA (subsidiary of Amazon).

When you visit our Twitch channel or watch our streams, Twitch processes data about your behaviour on the platform. We receive aggregated statistics about our streams and channel views.

Legal basis: Art. 6(1)(f) GDPR.

Third-country transfer to the USA: Twitch relies on Standard Contractual Clauses.

Twitch's privacy notice: https://www.twitch.tv/p/legal/privacy-notice/

Recipients and Data Processors



We only disclose your data to third parties where this is permitted by law, you have consented, or a contractual or legal obligation requires it.

Data Processors (Art. 28 GDPR)


We engage carefully selected data processors with whom we have entered into appropriate agreements pursuant to Art. 28 GDPR. The following categories of data processors are used:
  • Providers of technical infrastructure, hosting and IT security
  • Content Delivery Network
  • Consent management service providers


All data processors are contractually obligated pursuant to Art. 28 GDPR to process data exclusively on our instructions and not for their own purposes.

Other Recipients


In addition, we may disclose your data to:
  • Authorities for the fulfilment of statutory reporting obligations (tax authorities, social security bodies, law enforcement agencies)
  • Legal advisors, tax advisors and auditors in the course of their professional duties
  • Shipping, logistics and sponsoring partners in connection with the dispatch or delivery of prizes (see Sec. 10.2)


Your data is not passed on to third parties for advertising purposes or sold.

Transfers to Third Countries



Your personal data is transferred to countries outside the EU or EEA (third countries) only where:
  • an adequacy decision of the EU Commission exists for the third country (e.g. EU–US Data Privacy Framework, where the recipient is certified),
  • appropriate safeguards within the meaning of Art. 46 GDPR exist (in particular EU Standard Contractual Clauses, supplemented by additional technical and organisational measures), or
  • you have expressly consented to the transfer (Art. 49(1)(a) GDPR).


Where third-party services based in the USA are activated via our consent management system (e.g. Google, Meta, X, Discord), the specific information on the third-country transfer and the applicable safeguards is provided there.

Retention Periods



We store personal data only for as long as is necessary to fulfil the respective purposes or as required by statutory retention obligations:
  • Active account data: For as long as the account exists.
  • Inactive accounts: You will receive up to 3 reminder e-mails over 48 months of inactivity. If there is no response within a further 12 months, the account will be deleted (total period: 60 months).
  • Server log files: 30 days.
  • Notification settings / consents: Until withdrawal or account deletion; proof of consent is retained beyond this for appropriate limitation periods.
  • Contact requests: Until final processing, thereafter for appropriate limitation and retention periods.
  • Prize shipping data (postal addresses): Up to 3 months after dispatch.
  • Prize competition data (other): Until conclusion of the prize competition, plus any applicable statutory retention periods under commercial or tax law.
  • Data relevant under commercial and tax law: 6 or 10 years pursuant to Sections 257 HGB (Commercial Code) and 147 AO (Fiscal Code).


For cookies and similar technologies, the specific retention periods are indicated in the consent management system.

Your Rights as a Data Subject



You have the following rights under the GDPR:
  • Access (Art. 15 GDPR): You may request information about what data we process about you.
  • Rectification (Art. 16 GDPR): You may request the correction of inaccurate data or the completion of incomplete data.
  • Erasure (Art. 17 GDPR): You may request the deletion of your data, provided no statutory retention obligations apply.
  • Restriction of processing (Art. 18 GDPR): You may request a restriction on processing.
  • Data portability (Art. 20 GDPR): You may receive your data in a structured, commonly used and machine-readable format, or request its transfer to another controller.
  • Withdrawal of consent (Art. 7(3) GDPR): You may withdraw any consent given at any time with effect for the future.
  • Complaint (Art. 77 GDPR): You have the right to lodge a complaint with a data protection supervisory authority (see Sec. 17).


To exercise your rights, an informal message to datenschutz@onethreefive.de is sufficient.

Right to Lodge a Complaint with a Supervisory Authority



You have the right to lodge a complaint with a data protection supervisory authority regarding our processing of your personal data. The competent supervisory authority at our registered office is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
(Berlin Commissioner for Data Protection and Freedom of Information)
Alt-Moabit 59-61, 10555 Berlin
E-Mail: mailbox@datenschutz-berlin.de
Web: https://www.datenschutz-berlin.de

Further Information



Obligation to Provide Data


Unless otherwise stated, the provision of the data collected is neither legally nor contractually required. However, the provision of certain data (in particular username, e-mail address, password) is necessary in order to create and use a user account.

Automated Individual Decision-Making (Art. 22 GDPR)


Automated decision-making including profiling within the meaning of Art. 22 GDPR does not take place.

Minimum Age (Art. 8 GDPR)


The minimum age for using our service is 16 years. Upon reaching the age of 16, users can effectively consent to the data processing associated with use of the service (Art. 8(1) GDPR).

If we become aware that data of persons under the age of 16 is being processed, we will immediately block or delete the relevant account and associated data.

Data Security


We implement technical and organisational security measures pursuant to Art. 32 GDPR to protect your data against manipulation, loss, destruction and unauthorised access. Data transmission on our website is carried out using TLS encryption. Passwords are stored exclusively in hashed form and are not accessible in plain text.

Scope / Domains



This Privacy Policy applies to the following domains:
  • www.primeleague.gg
  • www.heartbase.gg


Changes to this Privacy Policy



We reserve the right to update this Privacy Policy to reflect changes in the legal situation or changes to our services and processing activities. The current version can always be found at the relevant location on the respective platforms.

Last updated: 21 May 2026