Privacy Policy
Information for the data subject pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (GDPR) and Spanish law LOPDGDD (Ley Orgánica 3/2018, of 5 December, on the protection of personal data and the guarantee of digital rights).
Siesta Soft S.L. (the “Controller” or “Burraconline”) informs you, as the data subject, about the processing of your personal data carried out in connection with browsing this website, downloading the game, registering your account and using the Burraconline service and game. Processing is carried out in accordance with the GDPR, the LOPDGDD and the guidelines of the Spanish Data Protection Agency (AEPD).
Scope
This policy applies in a unified manner to:
- the website www.burraconline.com, used mainly to present and download the game;
- the account registration (apodo/nickname) and the sign-up process, which takes place through the restricted page hosted on web.burraconline.com, loaded within the application via an embedded browser component;
- the use of the Burraconline game and service on all platforms (Windows, macOS, iOS and Android).
At the time of registration you are asked to accept the documents linked to sign-up (Privacy Policy, Rules and Terms and Conditions), accessible from this same site.
Definitions
Processing: any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, storage, alteration, consultation, use, disclosure, restriction, erasure or destruction.
Personal data: any information relating to an identified or identifiable natural person («data subject»); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier (for example, the unique identifier of the machine on which the Burraconline game is installed).
Browsing data: the computer systems and software used to operate this site acquire, in the course of their normal operation, certain data whose transmission is implicit in the use of internet communication protocols (for example IP addresses, URI addresses of the requested resources, time of the request, submission method, server response code and parameters relating to the user's operating system and environment). This data is used to obtain statistical information on use of the service and to monitor its correct functioning, and may be used to establish liability in the event of cybercrimes against the site. Save for this possibility, web contact data is not retained for more than seven days.
Data Controller
Siesta Soft S.L.
Calle Valle de la Ballestera, 32
46015 – Valencia (Spain)
VAT/NIF: ES-B72397904
The Controller has not appointed a Data Protection Officer (DPO), as none of the cases of mandatory appointment under Article 37 of the GDPR apply. For any matter relating to the protection of your data, you may contact the email address indicated.
Categories of data we process
Depending on your relationship with us, we may process the following categories of personal data:
- Identification and account data: apodo (nickname) and email address.
- Access credentials: password (stored in encrypted form) and data associated with sign-in.
- Technical identifiers: unique device identifier, IP address and data relating to the machine environment.
- Usage and game data: games played, statistics, rankings, preferences and activity within the service.
- Communications: the content of support requests, reports and messages you send us, as well as the messages you post in the game chat.
- Browsing data: as described in the previous section.
Payment for Elite subscriptions and tokens is made through the payment providers' platforms (Google Play, Apple App Store, Stripe and PayPal), which act as controllers or processors as the case may be. The Controller does not collect or store your card or payment instrument data and issues, where applicable, simplified invoices that do not require your identifying tax details.
Purposes of processing and legal bases
The Controller processes your personal data only where one of the following legal bases under Article 6 of the GDPR applies: performance of a contract or pre-contractual measures (Art. 6.1.b), legitimate interest (Art. 6.1.f), compliance with a legal obligation (Art. 6.1.c) or your consent (Art. 6.1.a).
| Purpose of processing | Legal basis |
|---|---|
| Enabling the registration and management of your account (apodo) | Performance of contract |
| Enabling use of all features of the Burraconline game and service | Performance of contract |
| Managing Elite subscriptions and the purchase of tokens and virtual items | Performance of contract |
| Providing technical support and customer care and responding to your queries | Performance of contract / Pre-contractual measures |
| Monitoring the correct functioning of the site and the game | Performance of contract / Legitimate interest |
| Moderating the game chat and handling reports between players | Legitimate interest |
| Ensuring the security of the service and preventing, detecting and investigating fraud, abuse and conduct contrary to the rules | Legitimate interest |
| Preventing the re-access of users banned from the service | Legitimate interest |
| Establishing liability in the event of cybercrimes against the site or the game | Legitimate interest |
| Measuring use of the site via analytics tools and non-technical cookies (e.g. Google Analytics) | Data subject's consent |
| Complying with applicable legal obligations (administrative, accounting and tax) | Legal obligation |
| Responding to requests from authorities and exercising or defending legal claims | Legal obligation / Legitimate interest |
| Extraordinary transactions such as mergers, transfers or business branch transfers (due diligence) | Legitimate interest |
| Sending commercial communications and advertising material from Siesta Soft S.L. about its own products and services, including market research | Data subject's consent |
| Disclosing data to third parties for their promotional communications and profiling to send you communications in line with your profile | Data subject's consent |
Where processing is based on legitimate interest, that interest consists, depending on the case, in: ensuring the security and integrity of the service and the community of players; preventing and investigating fraud, abuse and uses contrary to the rules (including the creation of multiple accounts and the circumvention of bans); ensuring the correct technical functioning of the service; defending the rights of the Controller and of other users; and managing its own business activity. In each case, the Controller has assessed that such interests are not overridden by the fundamental rights and freedoms of the data subjects.
The marketing and profiling purposes indicated are carried out solely with your prior consent, given through the optional checkboxes in the registration form. You may withdraw that consent at any time, without affecting the provision of the other services or the lawfulness of processing carried out before withdrawal.
Game chat and user-generated content
The game includes a chat that allows communication between players. In order to ensure a safe and respectful environment, messages may be subject to moderation, in particular following reports from other users, on the basis of our legitimate interest (Art. 6.1.f of the GDPR) in the security of the service and the resolution of disputes.
We recommend that you do not post sensitive personal data in the chat (for example, relating to your health, religion, political opinions or sexual orientation) or third-party data. If you voluntarily make manifestly public in the chat any special-category data referred to in Article 9 of the GDPR, our processing of it will be limited to moderation and security activities and is based on Article 9.2.e of the GDPR (data manifestly made public by the data subject). We do not process such data for profiling purposes.
Automated decision-making
In general, no decisions are made based solely on automated processing of data within the meaning of Article 22 of the GDPR, with one exception: the automatic refusal of registration to persons previously banned for conduct contrary to the rules and the terms and conditions of use.
This measure is necessary for entering into and performing the contract and to protect the security of the service and the community. For security and fraud-prevention reasons, the specific criteria and technical mechanisms used to detect circumvention of bans are confidential. In any case, you have the right to obtain human intervention, to express your point of view and to contest the decision by writing to the Controller's email address.
Recipients of personal data
Your personal data may be processed, within the scope of the services provided and for the purposes indicated, by suppliers acting as data processors, by way of example and without limitation:
- hosting and cloud infrastructure providers (servers located in the European Union);
- transactional email providers (for example SendGrid or Postmark);
- payment providers for Elite subscriptions and tokens (Google Play, Apple App Store, Stripe and PayPal);
- measurement and analytics providers and cookie consent management providers (for example Google Analytics and Cookiebot);
- professionals who provide services to the Controller (for example tax or accounting advisors).
Your data may also be disclosed to third parties to comply with legal obligations, in particular to law enforcement, judicial and administrative authorities and other competent bodies, upon a legitimate request. The Controller's duly authorised staff may access the data to perform their duties. For statistical purposes, data is processed in anonymised form.
Transfer of data to third countries
Your data is generally processed within the European Union and stored on servers located in the EU. However, some of the providers indicated (for example Google, Apple, Stripe or PayPal) may process data in countries outside the EU, in particular the United States. In such cases, international transfers are carried out with the appropriate safeguards provided for by the GDPR, such as adherence to the EU-U.S. Data Privacy Framework, the conclusion of Standard Contractual Clauses approved by the European Commission or the existence of an adequacy decision. You may request additional information about these safeguards by writing to the Controller's email address.
Data retention period
Your personal data will be retained only for the time necessary to achieve the purposes indicated, in accordance with the principles of data minimisation and storage limitation. In general, your account data is retained for as long as the account remains active. Following a cancellation request, the data undergoes a two-phase process (temporary retention with pseudonymisation and subsequent definitive deletion), so that definitive deletion takes place once 5 years have elapsed from the cancellation request, unless retention for a further period is necessary to comply with legal obligations (in particular accounting and tax), manage ongoing blocks or handle ongoing legal proceedings. Browsing data is retained for a maximum of seven days, save where it is necessary to establish liability for cybercrimes.
In the case of banned users, and on the basis of our legitimate interest in preventing their re-access to the service and protecting the community, we will retain a limited set of identifying data (such as the IP address, the device identifier and the email address, individually or in combination) for the time necessary to keep the ban effective, which may entail retention of a prolonged duration. Once such retention is no longer necessary, the data will be deleted.
Retention is carried out with appropriate technical and organisational measures to ensure the integrity, confidentiality and availability of the information.
Processing of minors' data
Use of the service is intended for persons who are at least 14 years old, the age from which, pursuant to Article 7 of the LOPDGDD (applicable Spanish law, in line with Art. 8 of the GDPR), a minor may validly give their consent to the processing of personal data. The processing of data of minors under 14 is lawful only if the consent of the holder of parental responsibility or guardianship is in place. If we become aware that data of a minor under 14 has been provided without such consent, we will delete it.
Cookies
This site uses technical cookies necessary for its operation and, subject to your consent, analytics and third-party cookies. Consent is managed through Cookiebot. You can review the detailed list of cookies, their purposes and their legal basis, and modify or withdraw your consent, in the Cookie Declaration.
Security measures
The Controller applies appropriate technical and organisational measures, in accordance with Article 32 of the GDPR, to ensure a level of security appropriate to the risk, protecting personal data against destruction, loss, alteration or unauthorised access.
Rights of the data subject
You have the right to obtain confirmation as to whether or not we are processing your data and, where this is the case, to exercise the following rights:
- Access to your personal data;
- Rectification of inaccurate or incomplete data;
- Erasure of data where the legal grounds apply;
- Restriction of processing in certain cases;
- Objection to processing based on legitimate interest;
- Portability of data, under the terms of Article 20 of the GDPR.
You may exercise these rights free of charge by writing to the Controller's email address, indicating the right you wish to exercise and providing proof of your identity. We will respond to your request within one month, extendable in accordance with the legislation.
Right to withdraw consent
Where processing is based on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out beforehand, although it may make it impossible to provide the service based on that consent.
Right to lodge a complaint with the supervisory authority
If you consider that the processing of your data does not comply with the law, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD), C/ Jorge Juan, 6, 28001 Madrid, or through its website at www.aepd.es, as the lead authority given that the Controller is established in Spain, as well as with the supervisory authority of your country of residence.
Obligation to provide personal data
Providing the data requested for registration and performance of the contract is necessary in order for us to provide the service; refusal may prevent the creation of the account or the use of certain features. Providing data for purposes based on consent is optional, and its absence does not prevent access to the services for which such consent is not required.
Changes to this policy
The Controller may amend this Privacy Policy to adapt it to legislative changes or changes in the processing carried out. Updated versions will be published on this same page.
Last updated: June 2026.