Privacy Policy
1. Introduction
This Privacy Policy describes how Enthrall Computing, LLC ("we," "us," or "our"), an Oregon limited liability company, collects, uses, stores, and protects your personal data when you use Manasight — an MTG Arena companion application consisting of a desktop overlay client and a cloud-based analytics platform, available at manasight.gg.
We are the data controller for personal data processed through Manasight. We are committed to protecting your privacy and handling your data transparently, in compliance with the EU General Data Protection Regulation (GDPR), the UK GDPR, and other applicable privacy laws.
This policy applies to all users of the Manasight desktop application, the Manasight website, and any associated services. It does not apply to third-party websites or services linked from our platform.
If you have questions about this policy, you can reach us at support@enthrallcomputing.com.
2. Information We Collect
We collect the following categories of personal data:
2.1 Account Data
When you create a Manasight account, we collect:
- Email address — used for authentication, account recovery, and service communications.
- Country code — your self-selected country during signup.
- GeoIP-detected country — your approximate country determined from your IP address at signup. This is used solely for jurisdiction classification, not stored as a precise location.
- Jurisdiction classification — whether your account falls under an opt-in or opt-out consent regime, derived from your country code and GeoIP-detected country using a most-restrictive-jurisdiction rule (see Section 7).
- Authentication tokens — session tokens used to keep you signed in. These are generated and managed by our authentication provider.
2.2 Gameplay Data
If data upload is enabled for your account (see Section 7 for how consent works), we collect data from MTG Arena log files on your device:
- Deck lists — the cards in your constructed and limited decks.
- Match results — wins, losses, opponents (pseudonymized), game modes, and formats.
- Game events — card plays, mulligan decisions, and other in-game actions recorded in the MTG Arena log file.
- Draft picks — your selections during limited drafts.
- Game state data — board state, life totals, and other match information parsed from log files.
How we collect Gameplay Data: The Manasight desktop application reads your local MTG Arena log file. It does not modify the log file, inject code into the game client, or read memory from any running process. Log file reading is read-only. Before Gameplay Data leaves your device, it is filtered to remove sensitive information and player identifiers are pseudonymized.
What we do NOT collect from game logs:
- We do not collect your MTG Arena account credentials (username, password, or login tokens).
- We do not read game client memory or interact with any running process.
- We do not collect data from any application other than MTG Arena's log file.
2.3 Usage Data
We collect basic information about how you interact with the Manasight service:
- Pages visited on the Manasight website.
- Features used within the desktop application and web platform.
- Client version and platform (operating system) of your Manasight installation.
Usage data is collected primarily through our own infrastructure and our infrastructure providers (see Section 14 for a full list of service providers). If we use additional third-party analytics services in the future, we will update this policy and Section 14 accordingly.
2.4 Consent Records
When you grant, revoke, or modify your data collection consent, we record:
- Consent action — what changed (granted, revoked, country changed, jurisdiction changed).
- Previous and new consent state.
- Timestamp of the consent change.
- IP address at the time of the consent change.
- Client information (application version and platform) at the time of the consent change.
Consent records are maintained as a permanent audit trail. This data is collected to demonstrate that valid consent was obtained, as required by GDPR Article 7(1). IP addresses in consent records are retained for compliance purposes and are exempt from erasure requests under GDPR Article 17(3)(b) (processing required for compliance with a legal obligation).
2.5 Server Logs
Our infrastructure automatically records:
- IP addresses of incoming requests.
- Request metadata — HTTP method, URL path, response status, timestamps, and User-Agent headers.
Server logs are used for security monitoring, abuse prevention, debugging, and service improvement. They are retained for up to 90 days and then automatically deleted.
2.6 Information We Do NOT Collect
- MTG Arena account credentials — we never ask for or store your Arena username, password, or login tokens.
- Game client memory or process data — we read only the log file; we do not inspect running processes.
- Data from other applications — we only read the MTG Arena log file.
- Financial or payment data — Manasight does not currently offer a paid tier. If we introduce paid features in the future, payment processing will be handled by a third-party payment processor, and we will update this policy accordingly.
- Data from users who have not consented — if you are in an opt-in jurisdiction and have not granted consent, no Gameplay Data leaves your device (see Section 7).
3. How We Collect Information
We collect information through three methods:
3.1 Information You Provide
- Account registration — email address, country selection.
- Consent decisions — your choices about data collection.
3.2 Log File Reading
The Manasight desktop application reads your local MTG Arena log file. This is a passive, read-only process:
- The application monitors the log file that MTG Arena writes to your local file system.
- Parsed game events are used locally to power the desktop overlay regardless of your consent status. Local-only features never transmit data to our servers.
- If data upload is enabled, parsed events are filtered and pseudonymized on your device before being transmitted to our cloud platform over an encrypted connection.
3.3 Automatic Collection
- Server logs — collected automatically by our infrastructure when you interact with our services.
- GeoIP detection — your approximate country is determined from your IP address at signup. The IP address is not stored for this purpose; only the resulting country code is retained.
4. How We Use Information
We use your personal data for the following purposes:
| Purpose | Data Categories Used |
|---|---|
| Provide the service — authenticate you, sync your data across devices, power the desktop overlay and web analytics dashboard | Account Data, Gameplay Data |
| Generate personal analytics — match history, win rates, draft performance, and other statistics visible to you in your account | Gameplay Data |
| Publish aggregated and anonymized statistics — meta insights, format popularity, archetype win rates, and other aggregate analytics. Published statistics are aggregated and anonymized using industry-standard techniques to prevent re-identification of individual users. | Gameplay Data (aggregated and anonymized) |
| Improve the service — understand how features are used, identify bugs, monitor performance, and prioritize development | Usage Data, Server Logs |
| Maintain security and prevent abuse — detect and respond to unauthorized access, attacks, or misuse | Server Logs |
| Comply with legal obligations — maintain consent audit trails, respond to data subject requests, meet regulatory requirements | Consent Records, Account Data |
We do not use your personal data for advertising, profiling for marketing purposes, or automated decision-making that produces legal effects.
5. Legal Basis for Processing (GDPR Article 6)
For users in the European Union, European Economic Area, and United Kingdom, we process personal data under the following legal bases:
| Data Category | Legal Basis | Explanation |
|---|---|---|
| Account Data | Performance of a contract — Article 6(1)(b) | Processing your email, country, and authentication data is necessary to provide the Manasight service you signed up for. |
| Gameplay Data | Consent — Article 6(1)(a) | For users in opt-in jurisdictions (EU/EEA/UK and others), Gameplay Data is uploaded only after you provide explicit, informed, freely given consent. You may withdraw consent at any time (see Section 7). |
| Usage Data | Legitimate interest — Article 6(1)(f) | We have a legitimate interest in understanding how our service is used in order to improve it. This processing is proportionate to its purpose and does not override your fundamental rights. You may object to this processing (see Section 11). |
| Consent Records | Legal obligation — Article 6(1)(c) | GDPR Article 7(1) requires us to demonstrate that valid consent was obtained. Maintaining consent audit records is necessary to comply with this obligation. |
| Server Logs | Legitimate interest — Article 6(1)(f) | We have a legitimate interest in securing our infrastructure, preventing abuse, diagnosing errors, and improving service reliability. Server logs are retained for up to 90 days and are limited to operational purposes. |
6. Information for Users Outside the EU/EEA/UK
If you are in a jurisdiction that does not require opt-in consent for data collection (such as most US states), Gameplay Data upload is enabled by default when you create your account. You may disable data upload at any time through your account settings.
6.1 California Residents (CCPA/CPRA)
Where applicable, we comply with the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA). California residents have the right to:
- Know what personal data we collect, the categories of sources from which it is collected, and the business or commercial purpose for collecting it (see Sections 2, 3, and 4 of this policy).
- Access a copy of the personal data we have collected about you.
- Correct inaccurate personal data we hold about you.
- Delete your personal data, subject to certain exceptions.
- Opt out of the sale or sharing of personal data. We do not sell or share your personal data as defined by the CCPA/CPRA. Because we do not sell or share personal data, no opt-out mechanism is required; however, you may contact us at any time to confirm this status.
- Not be discriminated against for exercising your privacy rights.
Categories of personal information collected: We collect identifiers (email address), internet or electronic network activity information (usage data, server logs), and other information derived from your use of the Service (gameplay data). For the specific data elements in each category, see Section 2.
Sources of personal information: We collect personal information directly from you (account registration, consent decisions) and automatically from your device and our infrastructure (log file reading, server logs, GeoIP detection). See Section 3 for details.
6.2 Oregon Residents (Oregon Consumer Privacy Act)
Oregon residents have rights under the Oregon Consumer Privacy Act (OCPA), including the right to:
- Know whether we are processing your personal data.
- Access your personal data.
- Correct inaccuracies in your personal data.
- Delete your personal data.
- Data portability — obtain a copy of your personal data in a portable and usable format.
- Opt out of the processing of personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects. We do not engage in any of these activities.
6.3 Other US State Privacy Laws
Residents of other states with applicable privacy laws (including Colorado, Connecticut, Virginia, and others) may have similar rights under those laws. To exercise any of these rights, contact us at support@enthrallcomputing.com. See Section 11 for details on how we handle data subject requests.
7. Jurisdiction-Aware Consent
Manasight uses a two-tier consent model based on your jurisdiction:
7.1 Opt-In Jurisdictions (EU/EEA/UK and Others)
If you are in a jurisdiction that requires opt-in consent under applicable data protection law (including but not limited to the EU/EEA, United Kingdom, and Brazil):
- No Gameplay Data leaves your device until you explicitly opt in. The desktop overlay works without uploading any data.
- Before any Gameplay Data is uploaded, you will be presented with a clear consent request that explains what data is collected, how it is used, and your right to withdraw consent at any time.
- The consent mechanism offers equally prominent options to enable or decline data upload. There are no pre-ticked boxes, dark patterns, or defaults toward consent.
- If you decline, your decision is respected. You can change your mind at any time in your account settings.
7.2 Opt-Out Jurisdictions (US and Others)
If you are in a jurisdiction that permits opt-out consent:
- Gameplay Data upload is enabled by default. You will be informed that data upload is active and how to disable it.
- You can disable data upload at any time through your account settings.
7.3 How Your Jurisdiction Is Determined
At signup, we determine your jurisdiction using two signals:
- Your self-selected country in the signup form.
- Your GeoIP-detected country determined from your IP address at the network edge.
We apply a most-restrictive-jurisdiction rule: if either signal indicates an opt-in jurisdiction, opt-in protections apply. This ensures that users physically located in opt-in jurisdictions receive appropriate protections regardless of their country selection, consistent with applicable data protection law.
If GeoIP detection fails, we default to the opt-in regime as the most protective fallback.
7.4 Changing Your Consent
- You can change your consent status at any time through your account settings.
- Consent changes take effect immediately. Disabling data upload stops all new data uploads.
- Disabling data upload does not delete data already stored on our servers. To request deletion of existing data, see Section 11 (Your Rights).
- Your use of the Service is not conditional on consenting to data upload. Core desktop overlay features do not require data upload.
- If you are in an opt-in jurisdiction, re-enabling data upload after disabling it requires a clear affirmative action indicating your renewed consent.
7.5 Changing Your Country
- You can update your country in your profile settings at any time. Country changes are subject to the most-restrictive-jurisdiction rule described in Section 7.3.
- If your country change results in a move to an opt-in jurisdiction and you have not previously provided opt-in consent, data upload will be paused until you provide fresh consent.
- If your country change results in a move to an opt-out jurisdiction, any existing consent remains valid and data upload continues under the opt-out model.
8. Data Sharing and Disclosure
8.1 We Do Not Sell Your Data
We do not sell, rent, or trade your individual personal data to any third party as defined by applicable privacy law.
8.2 Aggregated and Anonymized Statistics
We may publish aggregated and anonymized statistics derived from Gameplay Data, such as format meta breakdowns, archetype win rates, and draft pick trends. Published statistics are aggregated and anonymized using industry-standard techniques to prevent re-identification of individual users. Once aggregated and anonymized to this standard, this data is no longer personal data.
8.3 Service Providers (Data Processors)
We share personal data with the following service providers who process data on our behalf, under data processing agreements (DPAs) that require them to protect your data:
| Provider | Purpose | Data Shared |
|---|---|---|
| Cloudflare | Infrastructure — application hosting, storage, and database services | Gameplay Data, Account Data, Server Logs |
| Supabase | Authentication — user account management, login, and session handling | Email address, authentication tokens, account metadata |
8.4 Legal Requirements
We may disclose personal data if required to do so by law, regulation, legal process, or governmental request. We will notify you of such requests where legally permitted to do so.
8.5 Business Transfers
If Enthrall Computing, LLC is involved in a merger, acquisition, or asset sale, your personal data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any such transfer and any change to the privacy policy applicable to your data.
9. Data Storage and Security
9.1 Data Location
Your personal data at rest is stored in the European Union. Our infrastructure providers are configured with EU data residency restrictions. Personal data may be transiently processed outside the EU during request handling before being stored in the EU. For details on safeguards for international transfers, see Section 15.
9.2 Security Measures
We implement appropriate technical and organizational measures to protect your personal data:
- Encryption in transit — all data transmitted between your device and our servers is encrypted.
- Encryption at rest — data stored in our infrastructure is encrypted at rest by our infrastructure providers.
- Pseudonymization — player identifiers in Gameplay Data are pseudonymized before upload to provide an additional layer of protection against unauthorized access.
- Privacy filtering — Gameplay Data is filtered on your device to remove sensitive information before transmission to our servers.
- Access controls — access to personal data is restricted to authorized systems and personnel on a need-to-know basis.
- Infrastructure security — our service providers maintain industry-standard security certifications.
9.3 Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within the timeframe required by applicable law (72 hours where feasible under GDPR Article 33). If the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected users without undue delay.
10. Data Retention
We retain your personal data for the following periods:
| Data Category | Retention Period | Rationale |
|---|---|---|
| Account Data | While your account is active; deleted within 90 days of account deletion | The grace period allows for account recovery in case of accidental deletion. |
| Gameplay Data | While your account is active. Deleted or anonymized within 90 days of account deletion. | Data is retained to provide you with ongoing analytics and match history. |
| Anonymized/aggregated statistics | Retained indefinitely | Once data is aggregated and anonymized, it is no longer personal data and is not subject to retention limits. |
| Server Logs | Up to 90 days | Retention sufficient for security monitoring, debugging, and service improvement. |
| Consent audit trail | As required by applicable law | Retained to demonstrate compliance with consent requirements. Retention period is determined by applicable statute of limitations and regulatory requirements. |
When data reaches the end of its retention period, it is automatically deleted or irreversibly anonymized. Deletion of Gameplay Data means removal of the data from our systems, including any metadata linking the data to your account.
11. Your Rights
Depending on your jurisdiction, you may have certain rights regarding your personal data under applicable privacy law.
All Users
All users, regardless of jurisdiction, may:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate personal data. You can update your email address, country, and other profile information directly through your account settings.
- Erasure — request deletion of your personal data. Upon receiving a valid request, we will delete your account data, Gameplay Data, and associated metadata from our systems without undue delay, instruct our data processors to delete your data, and retain only records necessary for legal compliance. Anonymized and aggregated statistics that no longer identify you will not be affected.
- Withdraw consent — where processing is based on consent (Gameplay Data), you may withdraw consent at any time through your account settings. Withdrawal does not affect the lawfulness of processing that occurred before the withdrawal.
Additional Rights for EU/EEA/UK Residents
If you are in the EU/EEA/UK, you have the following additional rights under the GDPR:
- Restrict processing (Article 18) — request that we restrict processing of your personal data in certain circumstances, such as when you contest the accuracy of your data or have objected to processing.
- Data portability (Article 20) — receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
- Object to processing (Article 21) — object to processing based on legitimate interest (Usage Data and Server Logs). We will cease processing unless we demonstrate compelling legitimate grounds.
- Lodge a complaint — lodge a complaint with a supervisory authority in the EU/EEA member state of your habitual residence, place of work, or place of the alleged infringement. A list of supervisory authorities is available at the European Data Protection Board website.
Additional Rights for US Residents
Residents of states with applicable privacy laws (including California, Oregon, Colorado, Connecticut, Virginia, and others) may have additional rights under those laws, including the right to know what data is collected, opt out of the sale of personal data, and not be discriminated against for exercising privacy rights. See Section 6 for details.
How to Exercise Your Rights
To exercise any of these rights, contact us at support@enthrallcomputing.com. We will respond to your request within the timeframe required by applicable law. If your request is complex or we receive a large number of requests, we may extend this period as permitted by law, and we will notify you of any such extension.
We may ask you to verify your identity before processing your request. We will not charge a fee for processing your request unless it is manifestly unfounded or excessive.
12. Children's Privacy
Manasight is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that data promptly. If you believe a child under 16 has provided us with personal data, please contact us at support@enthrallcomputing.com.
13. Cookies and Tracking Technologies
Authentication Cookies
We use session cookies strictly necessary for authentication — keeping you signed in when you use the Manasight website. These cookies are essential for the service to function and do not require consent under the ePrivacy Directive (Article 5(3) exemption for strictly necessary cookies).
What We Currently Do Not Use
We do not currently use third-party tracking cookies, advertising cookies, cross-site tracking, or browser fingerprinting. If we introduce additional cookies or tracking technologies in the future, we will update this policy and provide appropriate notice and consent mechanisms as required by applicable law.
14. Third-Party Services
We use third-party services as data processors, as described in Section 8.3. Data processing agreements with appropriate safeguards (including EU Standard Contractual Clauses where applicable) are in place with each provider.
For more information about how these providers handle data:
- Cloudflare: Privacy Policy, GDPR Compliance
- Supabase: Privacy Policy, DPA
15. International Data Transfers
Personal data at rest is stored in the European Union (see Section 9.1). Personal data may be transiently processed outside the EU during request handling. Where data transfers outside the EU occur, they are protected by Standard Contractual Clauses included in our data processing agreements (see Section 14) and the security measures described in Section 9.2.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law.
- Material changes — if we make changes that significantly affect how we process your personal data, we will provide reasonable advance notice via email (to the address associated with your account) and/or a prominent notice within the Manasight application or website.
- Non-material changes — minor clarifications, formatting updates, or changes that do not affect your rights will be posted with an updated "Last Updated" date.
We encourage you to review this policy periodically. Your continued use of Manasight after changes take effect constitutes acceptance of the updated policy. Where our processing of your data is based on consent, material changes to that processing will require your renewed consent before taking effect. If you do not agree with the changes, you may delete your account and discontinue use of the service.
17. Data Protection Contact
For any questions, concerns, or requests related to this Privacy Policy or your personal data, contact us at:
Enthrall Computing, LLC
Oregon, United States
Email: support@enthrallcomputing.com
This email address serves as the point of contact for all data protection inquiries, including data subject access requests, consent management, and complaints.
We aim to respond to all inquiries within the timeframe required by applicable law.
17.1 EU/EEA & UK GDPR Representatives (Article 27)
If you are located in the EU or UK and have questions or concerns regarding your personal data, you may contact our GDPR representative:
EU Representative:
Euverify Ltd (Ireland)
Unit 3D North Point House, North Point Business Park, New Mallow Road, Cork, T23 AT2P, Ireland
Email: gdpr@euverify.com
UK Representative:
Euverify Ltd (UK)
3rd Floor, 86–90 Paul Street, London, EC2A 4NE, United Kingdom
Email: gdpr@euverify.com
To submit a Data Subject Access Request (DSAR), data deletion request, or any other GDPR-related inquiry, you may contact the representative by email at gdpr@euverify.com or use the Euverify GDPR portal. Requests submitted through the portal are logged and tracked to ensure timely response and compliance.
18. Supplementary Information Required by GDPR Article 13
To ensure full compliance with GDPR Article 13 information requirements, we confirm:
| GDPR Article 13 Requirement | Location in This Policy |
|---|---|
| Identity and contact details of the controller | Section 1, Section 17 |
| Contact details of the representative in the Union | Section 17.1 |
| Purposes of processing and legal basis | Section 4, Section 5 |
| Legitimate interests pursued | Section 5 (Usage Data, Server Logs) |
| Recipients or categories of recipients | Section 8, Section 14 |
| Details of international transfers and safeguards | Section 9.1, Section 15 |
| Retention periods | Section 10 |
| Data subject rights | Section 11 |
| Right to withdraw consent | Section 7.4, Section 11 |
| Right to lodge complaint with supervisory authority | Section 11 |
| Whether provision of data is a statutory or contractual requirement | Account Data is required to use the service. Gameplay Data is voluntary (subject to consent). |
| Existence of automated decision-making | We do not engage in automated decision-making or profiling that produces legal effects or similarly significant effects on you. |