Privacy Policy
Controller: Mederu OÜ (Estonia)
Services covered: KITAMAE: Empire of Sails, and BOREAL
Effective date: 2026-06-30
Version: 2026-06-30
This Policy is published in English. Any translation, including automatic browser translation, is provided for convenience only; the English text is authoritative and prevails in case of any discrepancy.
1. Who we are
1.1 This Privacy Policy explains how Mederu OÜ, a private limited company incorporated in Estonia (registry code: 16964705, registered address: Ahtri tn 12, Tallinn, Harju County, Estonia) (“Mederu”, “we”, “us”, or “our”), processes personal data in connection with the maritime trading simulation “KITAMAE: Empire of Sails” (“KITAMAE”) and the BOREAL editorial and observatory website (“BOREAL”) (together, the “Services”).
1.2 Mederu OÜ is the data controller for the personal data described in this Policy.
1.3 For any privacy question or to exercise your rights, contact us at privacy@kitamae.app.
2. Our approach to your data
2.1 We collect as little personal data as possible. The Services are built so that data we do not need is not collected in the first place. Two examples:
(a) When someone tries to sign up to KITAMAE without an invitation, our system rejects the sign-up before any account is created, so no account or email record for that person is stored.
(b) Our application and voting endpoints use your IP address only momentarily, in memory, to limit abuse. We do not store IP addresses in our database.
2.2 We are subject to the EU General Data Protection Regulation (GDPR). All data is hosted within the European Union.
3. The personal data we process
We process personal data in three separate contexts. The legal basis differs for each, so we describe them separately.
3.1 Beta application (BOREAL application form)
When you apply to take part in the KITAMAE closed beta through the BOREAL application form, we process:
- your email address;
- your country of residence;
- your confirmation that you are at least 16 years old;
- your agreement to the Terms of Service and this Privacy Policy, together with the date and time of that agreement and the version of each document you agreed to;
- optionally, if you choose to provide them: your preferred language, prior gaming experience, whether you took part in a related draw, your experience of Japan, and how you heard about us (referral).
We do not collect anything beyond the fields presented in the form.
3.2 Invitation management (access control)
To run the invitation-only beta, we keep an invitation list of email addresses that are permitted to register. For each entry we may also hold a short administrative label (such as the name of an organisation or media outlet), the cohort or wave, and whether the invitation has been used. Email addresses on this list come either from beta applicants who have been selected, or are provided to us directly (for example, by a media contact who asks to be included).
3.3 Your KITAMAE account
When you sign in to KITAMAE using your Google account, we process:
- your email address and Google account identifier, which we receive from Google’s sign-in service to authenticate you;
- a profile for your gameplay, which may include a username you choose, your country, an avatar, and your in-game state (such as rank, funds, ships, and progress). Your in-game state is game data, but it is linked to you and so is treated as personal data.
We do not operate a separate password for KITAMAE; authentication is handled through Google.
3.4 Contact enquiries
When you contact us through the contact form on the BOREAL website, we process:
- the type of enquiry (about the game, a media enquiry, or other);
- your name and email address;
- your message;
- optionally, your organisation, and — for media enquiries — details such as the outlet name, outlet URL, role, preferred timing, and interview format;
- your agreement to this Privacy Policy, together with the date and time of that agreement and the version you agreed to.
We do not collect anything beyond the fields presented in the form. If you contact us directly by email instead, we process the contact details and content of your message.
4. Why we process it, and our legal basis
| Context | Purpose | Legal basis (GDPR Art. 6) |
|---|---|---|
| Beta application (3.1) | To manage applications and decide who to invite to the beta | Consent — Art. 6(1)(a) |
| Invitation management (3.2) | To control who may register, to prevent re-registration, and for audit | Legitimate interests — Art. 6(1)(f) |
| KITAMAE account (3.3) | To create your account and provide the Game to you | Performance of a contract — Art. 6(1)(b) |
| Contact enquiries (3.4) | To receive and respond to your enquiry | Consent — Art. 6(1)(a) |
4.1 Where we rely on consent (beta application), you may withdraw it at any time by contacting privacy@kitamae.app. Withdrawal does not affect processing carried out before withdrawal.
4.2 Where we rely on legitimate interests (invitation management), our interest is in operating a controlled, invitation-only beta and protecting it from abuse. We have weighed this against your rights and consider the impact minimal, as the data held is limited to an email address and basic administrative detail.
5. How long we keep it
5.1 Beta applications (3.1): we delete application data within 90 days after the end of the beta, unless we are required to keep it longer by law.
5.2 Invitation list (3.2): we delete the entire invitation list at the end of the beta. In addition, if you ask us to delete your account, we delete the corresponding entry on the invitation list.
5.3 KITAMAE account (3.3): we keep your account data until you ask us to delete your account, or until the Services end.
5.4 Some records held momentarily in memory (such as IP addresses used for rate-limiting) are not stored and are not retained.
5.5 Contact enquiries (3.4): we keep enquiry data for as long as needed to handle your enquiry and then delete it. If you are a media or business contact and we have an ongoing reason to stay in touch, we may retain your contact details separately for that purpose; we will not keep enquiry data longer than necessary.
6. Who we share it with
6.1 We do not sell your personal data. We share it only with service providers (“processors”) who help us run the Services, and only as needed:
- Supabase — database, authentication, and storage hosting (EU region);
- Google — sign-in / authentication provider for KITAMAE, and Google Analytics for usage analytics across the Services;
- Vercel — hosting and delivery of the KITAMAE front end and the BOREAL website;
- Railway — hosting for our administrative and background server (which connects to the database but is not used to store a separate copy of your data);
- Cloudflare — domain, network, and email routing for our contact addresses.
6.2 In the future, if and when we introduce paid features, we will use Stripe to process payments. We will update this Policy before that processing begins. We do not currently process payment data.
6.3 Some of these providers may process data outside the European Economic Area (for example, in the United States). Where that happens, the transfer is protected by an appropriate safeguard recognised under the GDPR, such as the EU Standard Contractual Clauses or an adequacy decision.
7. Analytics and cookies
7.1 We use Google Analytics 4 across the Services (KITAMAE and BOREAL) to understand how the Services are used, so that we can improve them.
7.2 Google Analytics uses cookies and similar technologies. We operate it in consent mode: analytics and advertising storage are denied by default, and no analytics cookies are set and no analytics data is sent until you give consent.
7.3 When you first use the Services, a consent banner lets you choose between “Necessary only” (which keeps analytics and advertising storage denied) and “Allow all” (which enables analytics). If you do not make a choice, analytics remains disabled. Your choice is stored on your device so that it is remembered on future visits, and you can change it.
7.4 Cookies and storage that are strictly necessary for the Services to function (for example, to keep you signed in or to remember your consent choice) are used without consent, as permitted by law. We do not use analytics or advertising cookies unless you have consented.
7.5 For more information about how Google processes data, see Google’s own privacy documentation.
8. Your rights
8.1 Under the GDPR you have the right to:
- access the personal data we hold about you;
- rectify inaccurate data;
- erase your data (“right to be forgotten”);
- restrict or object to our processing;
- data portability (receive your data in a portable form); and
- withdraw consent where processing is based on consent.
8.2 To exercise any of these rights, contact privacy@kitamae.app. We will respond within the time limits set by the GDPR (normally one month).
8.3 If you ask us to delete your application, we delete it permanently from our database. If you ask us to delete your KITAMAE account, we delete your account and the related invitation-list entry; account deletion at the authentication level is carried out by us through our provider’s tools. If you ask us to delete a contact enquiry you sent us, we delete it permanently from our database.
8.4 You also have the right to lodge a complaint with a supervisory authority. Our lead authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon). You may also complain to the authority in your own country of residence.
9. Children
9.1 The Services are intended for users aged 16 and over. We do not knowingly collect personal data from anyone below the applicable minimum age. If you believe a child has provided us with personal data, contact privacy@kitamae.app and we will delete it.
10. Security
10.1 We take reasonable technical and organisational measures to protect personal data, including hosting within the EU, access controls, and protected administrative access. No system can be guaranteed completely secure, but we work to protect your data against unauthorised access, loss, or misuse.
11. Changes to this Policy
11.1 We may update this Policy from time to time. When we do, we will update the version identifier above. Where the change is material, we will take reasonable steps to inform you. Consent records for the application form reference the version of this Policy in effect at the time of submission.
12. Contact
Mederu OÜ
Registry code: 16964705
Registered address: Ahtri tn 12, Tallinn, Harju County, Estonia
Privacy contact: privacy@kitamae.app
General contact: contact@kitamae.app