Privacy Policy

This is the Privacy Policy of DPI Merchandising LLC. If you are located in the U.S., please see the U.S. Privacy Policy here.

General Privacy Policy

Last Updated: May 14, 2026

Table of Contents

1. Introduction
2. Categories of Personal Data We Process and Why
3. How Long Will Your Personal Data Be Stored?
4. Which Third Parties Will Have Access to Your Personal Data?
5. International Transfers of Personal Data
6. Children’s Personal Data
7. Security of Personal Data
8. Third Parties’ Processing of Personal Data
9. Data Protection Rights for European Residents
10. Brazilian Residents’ Rights
11. Contact Details
12. Changes to This Privacy Policy

1. Introduction

This Privacy Policy describes how DPI Merchandising LLC (the “Company,” or “we,” “our,” or “us”) processes your Personal Data (as defined below) when you visit our website at https://shop.xboxgamestudios.com (the “Site”), when you are in contact with us, or when you use our various products and services (collectively, the “Services”).

We process your Personal Data only for the purposes described herein and, in each case, only to the extent necessary to achieve the respective purpose.

If you have further questions or comments regarding privacy or wish to assert your legal rights, please contact the Company using the contact details in the section “Contact Details” below.

Please read this Privacy Policy before you use or register for our Services, for information on how we collect, use and distribute your Personal Data.

2. Categories of Personal Data We Process and Why

Depending on the specific Services you use and how you interact with us, we will process various categories of your Personal Data.

Definition of Personal Data: “Personal Data” refers to any information relating to an identified or identifiable natural person. Personal Data is information that identifies you directly or indirectly (also in conjunction with other data).

Personal Data Voluntarily Provided: We may receive the following categories of Personal Data directly from you when you choose to provide it to us.

• Contact details: Name, email address, address, phone number.
• User account details: Username, login information, password, user-ID, age, language settings, marketing preferences, and social media username.
• Correspondence with you: Any information included in your messages, phone calls, emails and survey responses.

·       Information regarding purchases: Purchase and return history, current orders, invoices, delivery information, payment information, which game platform you use.

Personal Data Automatically Collected: We may also collect certain categories of Personal Data from you automatically when you use our Services, including the following details about your network, device, and interactions with our Services: IP address, information about your interactions with our Services (such as dates and times of logins), browser type and version, time zone setting, browser plug-in type, operating system and version, Google AdID, Apple IDFA and device event information.

Mandatory and Optional Data: We require certain categories of Personal Data from you to provide the Services that you request. For example, if you order certain merchandise to be sent to you, we require your name, email address, items ordered, shipping address, and payment information. We take steps in our online forms to identify which fields are mandatory. If you do not provide such mandatory Personal Data, we may be unable to provide the Services or complete your transaction. Some Personal Data fields are optional and help us to customize our communications and Services to you, but choosing not to provide them will not affect your ability to use our core Services.

Purposes of Processing: You can read more about our purposes for processing your Personal Data and which categories of Personal Data we process to achieve each purpose in the table below. Where we rely on legitimate interests as a legal basis, we have carried out a balancing assessment to ensure that such interests (such as operating, improving, and securing our Services and providing good customer service) do not override your fundamental rights and freedoms.

Purposes	Categories of Personal Data	Legal basis
To provide you the Services, by authenticating your login information, verifying your age, remembering your settings, hosting and providing backend infrastructure for our Site and process payments and transactions.	-              Contact details; -              Location; -              Age; -              Information regarding purchases; -              Correspondence with you; -              User account details; and -              IP-address and information regarding your device.	Performance of the contract between us.
To create, maintain, customize, and secure your user account on the Site.	-              Contact details; -              Location; -              Age; -              User account details; and -              IP-address and information regarding your device.	Performance of the contract between us.
To improve or develop the Services, including by optimizing traffic, conducting analytics, and research, managing landing pages, and heat mapping the Site.	-              User account details; -              Location; -              IP-address and information regarding your device; and -              How you interact with the Site.	Our legitimate interest of developing and improving our Services.
To market our business and to communicate with you regarding promotions and sales, upcoming events, news on products and the Services and to analyze the effectiveness of such advertisements.	-              Contact details; -              Information regarding purchases; -              User account details; -              IP-address and device; and -              Your interactions with our communications.	Our legitimate interest in marketing our business.   If you have subscribed to our newsletter, our legal basis for the processing is your consent.
To send information to you, including confirmations, technical information, updates, security alerts and administrative messages.	-              Contact details; -              Information regarding purchases; -              User account details; and -              IP-address and device.	Performance of the contract between us.
To communicate with you when you message us, respond to our posts, “like“ our posts, or otherwise interact with us on social media platforms.	-              Contact details; -              User account details; -              Correspondence with you; and -              Social media username.	Our legitimate interest in communicating with you.
To arrange events and contests.	-              Contact details; -              Information regarding purchases; and -              User account details.	Our legitimate interest in marketing our business and maintaining a relationship with you as a customer.
To provide and develop our customer service and support, answer questions and manage complaints.	-              Contact details; -              User account details; -              Information regarding purchases; -              Correspondence with you; -              Responses to surveys; and -              Social media username if you contact us on such platforms.	Performance of the contract between us.
To comply with legal obligations, and to respond to legal inquiries from authorities.	-              Contact details; -              Correspondence with you; -              Information regarding purchases; and -              User account details.	Legal obligation.
To safeguard and defend the rights of our business, for example in case of a legal process, and to investigate and respond to fraudulent, unauthorized, or illegal activity on the Services.	-              Contact details; -              User account details; -              Correspondence with you; and -              Information regarding purchases.	The legitimate interest to defend the rights of our business.
To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding.	-              User account details; -              Location; -              IP-address and information regarding your device; -              Information regarding purchases; and -              How you interact with the Site.	The legitimate interest to evaluate or conduct changes of the business.

We may use information that does not identify you (including former Personal Data that has been anonymized) for other purposes.

Sources of Data: We and our service providers (such as payment, delivery, and analytics service providers) collect the Personal Data we have about you directly from you. If you connect your account with us with a social media account, we may also receive certain limited details about you from the relevant social media platform. For information about what Personal Data your social media platform may disclose to us, please review the platform’s privacy statement.

No Automated Processing for Significant Decisions: We do not use your Personal Data to make decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you. We may use analytics and statistical tools to better understand how users interact with the Site, but such processing does not result in automated decisions with legal or similarly significant effects.

3. How Long Will Your Personal Data Be Stored

We store Personal Data for the duration of your relationship with us and thereafter as follows: account, transaction, and customer service data are generally retained for up to seven years to comply with accounting, tax, and legal obligations; marketing data is retained until you opt out or withdraw consent; and analytics data is retained in aggregated or anonymized form where possible. Where no specific retention period applies, we retain Personal Data only for as long as necessary to fulfill the purposes described in this Privacy Policy.

However, in some cases, Personal Data may be stored for longer due to laws or other regulations to which we are subject, or for as long as the retention of Personal Data is required due to other legal reasons. This may include keeping your Personal Data for the period necessary for us to pursue legitimate business interests, comply with (and demonstrate compliance with) legal obligations, resolve disputes or enforce our agreements. If there are legitimate reasons opposing a deletion, for instance statutory retention or storage periods, processing of these Personal Data will be limited. In such cases, the processing of Personal Data will stop as soon as the reason for further storage ceases to exist, for example if the statutory retention period expires.

If we process your Personal Data as a part of a recruitment process and you are not offered the position, we will store the Personal Data included in your application for a period of two years after the process is finalized.

If the right to process Personal Data is based on your consent, the Personal Data will be deleted or anonymized as soon as reasonably possible after the purpose of the storage is canceled or if you withdraw your consent. You can withdraw your consent at any time. The withdrawal of your consent does not affect the lawfulness of the processing carried out on the basis of the consent before the withdrawal.

4. Which Third Parties Will Have Access to Your Personal Data?

 

Our service providers

We engage a limited number of service providers, including hosting providers, payment processors, logistics and delivery services providers, customer service providers, analytics providers, and marketing service providers, who may process Personal Data on our behalf for the purposes described above as our data processors. The suppliers provide services related to e.g. the Site, shipping, marketing and IT support. The suppliers may process your Personal Data if it is necessary for them to be able to carry out their assignments. All their processing of your Personal Data is under our responsibility. We have entered into data processing agreements with our suppliers, and we ensure that they have undertaken the corresponding obligations arising from this Privacy Policy.

Transfer for legal or law enforcement reasons

We may also disclose Personal Data to law enforcement or the relevant civil authorities to enforce legal rights and to comply with the law, or to comply with a decision by a government or other competent authority. Our legal basis for such sharing of Personal Data is compliance with legal requirements.

Additionally, we will disclose your Personal Data to authorities if we have reason to believe that such disclosure is required to respond to potential or actual violations or interference with the Company’s rights, property, reputation, business operations, users or others who may be harmed, or if we believe disclosures are required to protect our rights or us against fraud, or to comply with any lawsuit, court order or legal process served. Our legal basis for sharing the Personal Data is our legitimate interest in protecting and defending our business during a legal process.

Corporate Transactions

In the context of corporate transactions (acquisition, sale, restructuring of companies or company shares), third parties may gain access to your Personal Data. Our legal basis for sharing the Personal Data is our legitimate interest in participating in a corporate transaction.

SHOPIFY

We also disclose Personal Data to Shopify, as outlined at Section 9 below.

5. International Transfers of Personal Data

We are a global business. Personal Data may be stored and processed in any country where we have operations or engage service providers. We may transfer Personal Data to our service providers and other recipients in countries other than the country in which the Personal Data was originally collected; namely, Canada, Ireland, Austria and Latvia. Those countries may have data protection rules that differ from those of your country.

However, we will take measures to ensure that any such transfers comply with applicable data protection laws and that your Personal Data remains protected according to the standards described in this Privacy Policy. In certain circumstances, courts, law enforcement agencies, regulatory agencies, or security authorities in those other countries may be entitled to access your Personal Data.

If you are located in the European Economic Area (“EEA”) or Switzerland, we comply with applicable laws to provide an adequate level of data protection for the transfer of your Personal Data to the U.S. and other countries outside of the EEA (“Third Countries”). We ensure that international data transfers to Third Countries are governed by an adequate data transfer mechanism based on a risk assessment regarding the transfer. We rely on one or more of the following mechanisms: EU Standard Contractual Clauses, or verification that the European Commission has adopted an adequacy decision for the respective Third Country.

For further information about the EU Standard Contractual Clauses, please contact us by email at privacy@dpipromo.com.

6. Children's Personal Data

Protecting children’s privacy is particularly important to us. The Company understands that parents, guardians or other adults often use our family services, including for children. If a child under the age of 16 (or below the minimum age in the country concerned, which can be lower) submits Personal Data to the Company, and we learn that such Personal Data contains information of a child below 16 (or below the applicable minimum age) and without effective consent, we will delete the Personal Data as soon as possible. Our policy is to comply with any applicable law protecting minors.

The consent of children under the age of 16 is only effective if a parent or guardian has given their consent for the processing.

The Company, taking into account the available technology, makes efforts to ensure that parents or guardians have given their consent to our processing of children’s Personal Data. Nevertheless, we would like to inform parents and guardians that age verifications can be technically bypassed. Please do not leave your children unattended on the Internet and explain to them the importance of properly handling their Personal Data.

7. Security of Personal Data

We are committed to data security within the framework of applicable data protection laws and current IT security standards. Your Personal Data is protected against unauthorized access and loss through the use of various technical, physical, administrative, and contractual measures. We have taken the necessary technical and organizational measures intended to ensure that we fully comply with our Privacy Policy.

All our employees are required to comply with data security and privacy policies, have appropriate instructions, and receive regular training. Individuals requiring access to perform their tasks are legally bound by a confidentiality and non-disclosure agreement.

8. Third Parties' Processing of Personal Data

We remind you that in various technical areas, we work with external partners who offer websites and services accessible from our Services. The fact that we link to a website is not an endorsement, authorization, or representation of our affiliation with that third party. If you click on a link to a third-party site, including an advertisement, you will leave the Site and go to the site you selected. The third party is responsible for their own processing of your Personal Data. If you visit a third-party site, you should consult that site's privacy policy before providing any Personal Data.

Our Site uses cookies and similar technologies. Please read our Cookie Policy to learn more about the use of cookies.

9. Relationship With Shopify

Shopify acts as a data processor for Personal Data processed on our behalf to host the Site, process orders, and provide core e-commerce functionality. In addition, Shopify acts as an independent controller for personal information it processes for its own purposes, including operating, improving, and securing its platform and enhanced features, as described below.

The Services are hosted by Shopify, which collects and processes personal information about your access to and use of the Services in order to provide and improve the Services for you. Information you submit to the Services will be transmitted to and shared with Shopify as well as third parties that may be located in countries other than where you reside, in order to provide and improve the Services for you. In addition, to help protect, grow, and improve our business, we use certain Shopify enhanced features that incorporate data and information obtained from your interactions with our Site, along with other merchants and with Shopify. To provide these enhanced features, Shopify may make use of personal information collected about your interactions with our store, along with other merchants, and with Shopify. In these circumstances, Shopify is responsible for the processing of your personal information, including for responding to your requests to exercise your rights over use of your personal information for these purposes. To learn more about how Shopify uses your personal information and any rights you may have, you can visit the Shopify Consumer Privacy Policy. Depending on where you live, you may exercise certain rights with respect to your personal information here https://privacy.shopify.com/en.

To learn more about how Shopify uses your personal information and any rights you may have, including rights related to data processed by Shopify, you can visit https://privacy.shopify.com/en and https://www.shopify.com/legal/dpa.

10. Data Protection Rights for European Residents

If you are located within the EEA, UK or Switzerland, you have several rights when we process your Personal Data, including those described below. You can contact us at any time if you have questions or wish to exercise any of the rights described below. Please direct your data protection requests to privacy@dpipromo.com. We reserve the right to take appropriate security measures to ensure that you are who you claim to be when you contact us. If you cannot satisfactorily demonstrate your identity, we may not be able to fully meet your request.

Access to Personal Data

You have the right to know what Personal Data we are processing about you. If you wish to receive copies of your Personal Data, you can request a compiled register extract from us that contains all the Personal Data we process about you.

Correction and Deletion

If your Personal Data is incomplete or incorrect, you have the right to have it corrected or supplemented. You also have the right to request that your Personal Data should be deleted. We will then review your request, but we may have the right to deny it if the processing of your Personal Data is necessary for us to comply with applicable law. Please keep in mind that we may not be able to provide you with the Services if you request to have your Personal Data deleted.

Restrictions of our Processing

Under certain conditions, you have the right to request that we restrict our processing of your Personal Data. This means that we mark the Personal Data so that it is only processed for certain specific purposes in the future. Please keep in mind that we may not be able to provide you with the Services if we restrict the processing of your Personal Data.

Right to Data Portability

In some circumstances you have the right to request the transfer of your Personal Data to another data controller in a structured, commonly used, and machine-readable format.

Right to Object

You have the right to object to the processing of Personal Data based on the legal basis of legitimate interest. You may also object to processing of your Personal Data for direct marketing purposes.

Right to Lodge a Complaint

If you believe that we have not processed your Personal Data correctly, you have the right to lodge a complaint with the data protection authority in your country. You can view the contact information of EEA supervisory authorities at https://www.edpb.europa.eu/about-edpb/about-edpb/members_en, the contact information of the UK Information Commissioner’s Office at https://ico.org.uk/global/contact-us/, and the contact information of the Swiss Federal Data Protection and Information Commissioner at https://www.edoeb.admin.ch/en/contact-2.

Right to Withdraw Consent

If you have given your consent to certain processing, you have the right to withdraw your consent at any time. We will immediately stop processing upon the withdrawal of your consent, unless we are required by law to retain the Personal Data for longer.

In addition, we will honor your opt-out preferences if you enact the Global Privacy Control (GPC) opt-out signal on your browser. If we are able to associate the device sending the signal to a Shopify account, we will apply the opt out request to the account as well.

11. Brazilian Residents’ Rights

The Lei Geral de Proteção de Dados (“LGPD”) applies to Brazilian residents. If you are a Brazilian resident, you have several important rights:

• Know when we use your Personal Data
• Access your Personal Data, correct any errors, or delete your Personal Data
• Anonymize, block, or delete data that we don’t need or are not processing in compliance with the LGPD
• Request the transfer of your Personal Data to another provider
• Be informed about who we share your Personal Data with
• Be informed about your ability to deny consent and any consequences
• To withdraw your consent

These rights apply to any Personal Data collected or processed in Brazil, as well as any Personal Data processed for the purpose of providing goods or services in Brazil.

If you would like to exercise any of those rights, please email us at privacy@dpipromo.com. To ensure the security and integrity of your Personal Data, we may ask you for additional information in justified cases to verify that you are the owner of that Personal Data.

12. Contact Details

If you have any questions, wish to file a complaint, or wish to make any request authorized by this Privacy Policy, please contact us, the controller, at the following address or email:

DPI Merchandising LLC., 245 Industrial Drive, Roseburg, OR 97471 privacy@dpipromo.com.

This Privacy Policy has been designed to be accessible to people with disabilities. If you experience any difficulties accessing the information here, please contact us at the email address stated above.

13. Changes to This Privacy Policy

From time to time, we update this Privacy Policy to reflect any changes in how we handle your Personal Data. Should we make such significant changes to how we process Personal Data that we are obliged to notify you about the changes or ask for your consent again, we will do so.