Privacy Policy
Effective date: June 23, 2026
1. Who we are
Counterwatch is operated by Supre.me AB (Swedish company registration number 559424-3163), a company registered in Sweden. Supre.me AB is the data controller for personal data processed through the Counterwatch website (counterwatch.gg) and the Counterwatch desktop application distributed via Overwolf. This Privacy Policy covers both surfaces and explains what we collect, why, and what rights you have.
Because we are established in the EU, we are not required to appoint an Article 27 EU representative. We have not appointed a Data Protection Officer. You can reach us about any privacy matter using the contact details in section 14.
The Overwolf client has its own privacy policy governing the Overwolf platform itself. This policy is not an agreement with Overwolf.
2. Personal data we collect
Depending on how you use Counterwatch, we may collect or receive the following categories of data.
Account information (desktop app and website)
- Email address (for signed-in users).
- Single-sign-on (SSO) / authentication identifiers and tokens.
- Profile information you choose to provide (e.g., display name).
Other players observed in matches
- To build community statistics and power the app's live-match features, Counterwatch records in-game identifiers (such as Overwatch BattleTags and Marvel Rivals / NetEase ids), the heroes played, and per-match performance stats for players seen in tracked matches. Most of these players are not Counterwatch users: roughly 97% of the players we store have never installed the app.
- Where this data comes from: identifiers and match stats are captured from live matches through the Overwolf game integration. For Overwatch, we may then collect additional public profile information from Blizzard's public profile pages, looked up using identifiers we already saw in a match. We do not mass-collect profiles.
- We rely on legitimate interest for this processing. See section 5 for the details and how to object.
Support tickets and attachments
- When you contact support or submit a ticket, we store your message, your email address, and any files or images you attach (stored in Supabase Storage).
Payment information
- If you buy a subscription, our payment provider (Tebex) processes the payment. We receive and store payment metadata such as the transaction, subscription tier, and status. We do not receive or store your full card details.
Error and crash diagnostics
- When the app or website hits an error or crash, we collect technical diagnostics such as error messages, stack traces, and basic device and app context. These are stored in Bugsink, an error tracker we host on our own infrastructure.
Hashed email (desktop app only, advertising identity)
- For certain user tiers of the desktop app, an email hash may be generated for advertising identity purposes. A hashed email is a cryptographic hash of your email address and is used to help advertisers measure and personalize ads without revealing your plain email address.
- You can opt out of hashed email usage via Overwolf client settings ("Use data to customize Overwolf for you").
- The website (counterwatch.gg) does not generate or use a hashed email. The website does carry third-party display ads served by Nitro (NitroPay); those ads do not use a hashed email and are separate from the desktop app's Overwolf advertising (see sections 6 and 9).
Usage and device information
- Feature interactions and diagnostic / performance information.
- Technical identifiers such as device type, browser, and IP address, used for security, fraud prevention, and (in the desktop app) advertising.
3. How we use personal data
- To provide and operate Counterwatch services and features.
- To authenticate users and manage accounts.
- To produce community statistics, shown in aggregate on the website, and live-match features, shown in the desktop app, from the match data we observe.
- To improve the app and website, fix bugs, measure performance, and develop new features.
- To process subscription payments and meet our bookkeeping obligations.
- To monitor, diagnose, and fix errors and crashes.
- For advertising in the desktop app (through Overwolf, as applicable to your user tier) and to serve and measure third-party display ads on the website (through Nitro). See sections 6 and 9.
- For audits, fraud prevention, security, and compliance.
4. Legal bases for processing (GDPR)
Where GDPR applies, we rely on the following legal bases:
- Contract: to provide the service you sign up for, including account authentication.
- Consent: for website analytics cookies (Mixpanel and Google Analytics), for website advertising and ad cookies (Nitro and its ad partners) where consent is required, and for desktop-app advertising features where consent is required. You can withdraw consent at any time (see section 12).
- Legitimate interest:for security, fraud prevention, and the reliability of our service, and to record observed players' in-game identifiers and match stats so we can produce community statistics and live-match features (see section 5).
- Legal obligation: to keep payment and accounting records for the period required by Swedish bookkeeping law.
5. Players observed in matches (legitimate interest)
Counterwatch's value comes from real match data. To produce hero win rates, counters, and synergies, and to power the app's live-match overlay, we record in-game identifiers and match stats for the players seen in tracked matches. Most of those players are not Counterwatch users. We process this data under the legitimate interest basis in Article 6(1)(f) GDPR.
What we collect:in-game identifiers (BattleTags, NetEase ids), the heroes played, and per-match performance stats. For Overwatch we may add public profile information from Blizzard's public profile pages, which we use to show individual player profiles in the app. Our community statistics come from this live match data, not from profile pages. We do not collect contact details, real-world identity, or any special-category data about observed players.
Our balancing test, in short: the data is already visible inside the game to everyone in the match; we use only what the game exposes; we do not build advertising profiles from it, contact observed players, or sell it; and aggregate statistics benefit the whole player community. We keep the footprint minimal and redact identifiers when someone objects.
Children: Overwatch and Marvel Rivals are played by minors, so the players we observe can include children. We treat their data with the same limits: we use only the in-game identifiers and gameplay stats the match already shows everyone, we never collect contact details or special-category data, we do not build individual advertising profiles, and what we publish is aggregate. The right to object and to request removal applies equally, and we act on it the same way.
Where it appears: the website currently shows community statistics in aggregate only. It does not list individual players. The desktop app shows individual players for your own matches, the same information the game itself shows you on the scoreboard.
Your right to object: if you are an observed player and you do not want us to process your in-game identifier, you can object or ask us to remove it on the Data requests page. Because we must avoid deleting another person's data, we verify a reasonable connection to the identifier before acting, and we respond within one month.
6. Cookies and similar technologies (website)
The website uses cookies and browser storage to keep you signed in, to understand which features people actually use so we can improve them, and to serve and measure third-party display ads (Nitro and its ad partners). In the EU, EEA, and UK, analytics and advertising cookies load only after you consent through the consent banner.
| Name | Provider | Purpose | Category | Duration |
|---|---|---|---|---|
Supabase auth tokens (sb-*) | Supabase | Sign-in / session | Strictly necessary | Session / up to 1 year |
euconsent-v2, ncmp-cc | Nitro (NitroPay) | Records your EU consent choices (consent management platform) | Strictly necessary | 12 months |
mp_* (localStorage) | Mixpanel | Product analytics (anonymous ID, page views, feature usage) | Analytics (opt-in) | Up to 12 months |
_ga | Google Analytics: distinguishes site visitors | Analytics (opt-in) | Up to 2 years (browsers may shorten this) | |
_ga_* | Google Analytics: persists session state | Analytics (opt-in) | Up to 2 years (browsers may shorten this) | |
| Advertising cookies (Nitro and Google ad-exchange partners) | Nitro (NitroPay), Google, and ad partners | Serve, frequency-cap, and measure display ads | Advertising (opt-in in the EU / EEA / UK) | Varies by partner (typically up to 13 months) |
CCPAOPTOUT | Nitro (NitroPay) | Records a California "Do Not Sell or Share" opt-out | Strictly necessary | Until you clear it |
In the EU, EEA, and UK, analytics and advertising cookies are only activated after you accept them in the consent banner. You can change your choice at any time using the "Cookie settings" link in the footer. California residents can opt out of the sale or sharing of personal information using the "Do Not Sell or Share My Personal Information" link in the footer (see section 12).
7. Analytics and error diagnostics
Website: we use Mixpanel for anonymous product analytics and Google Analytics for aggregate traffic measurement. In the EU, EEA, and UK, both load only after you accept analytics in the consent banner. The website does not use session replay or autocapture.
Website advertising:the website shows third-party display ads served by Nitro (NitroPay), an Overwolf company. Nitro and its ad partners may set advertising cookies and process ad-request data to serve and measure ads. In the EU, EEA, and UK this happens only after you consent. See section 9. This is separate from the desktop app's Overwolf advertising.
Desktop app:the app uses Mixpanel for product analytics, including autocapture, which records interactions inside the app so we can find and fix problems and improve features. You can control this through the app's settings and Overwolf's data controls.
Errors and crashes: diagnostics from both the app and the website are sent to Bugsink, an error tracker we host ourselves. They are not shared with a third-party analytics service.
8. Which desktop-app users have hashed emails
Hashed email and advertising behaviour in the desktop app varies by user tier:
| Tier | Has email hash | Sees ads |
|---|---|---|
| Guest | No | Yes |
| Free | Yes | Yes |
| Plus | Yes | No |
| Premium | Yes | No |
9. Sharing personal data
Overwolf (desktop app, required disclosure)
We share desktop-app users' email addresses, SSO information, and data related to advertising (as applicable to your tier) with Overwolf. Overwolf is the platform that distributes the desktop app.
Website display ads (Nitro / Overwolf)
The website's display ads are served by Nitro (NitroPay), part of Overwolf, acting as our ad management partner. To serve, frequency-cap, and measure ads, ad-request data (such as your IP address, device and browser information, approximate location, and the page you are viewing) is shared with Nitro and, under Google Multiple Customer Management (MCM), with Google and its advertising exchanges and partners. In the EU, EEA, and UK this sharing happens only after you consent through the cookie banner, and you can withdraw consent at any time. This website advertising is separate from the desktop app's Overwolf advertising described above.
Service providers (processors)
We share personal data with third-party service providers that help us operate the service. Current processors:
- Supabase: authentication and backend services, including account management and storage.
- Mixpanel: product analytics for the website and desktop app.
- Tebex: payment processing for subscriptions. Tebex processes your payment and returns transaction metadata to us.
- Google (Google Analytics 4): aggregate website traffic analytics (website only, not the desktop app). Google acts as our processor. Google Analytics sets the
_gaand_ga_*cookies to measure how visitors find and use the site. It does not log or store your IP address; the IP is used only to estimate your approximate (city-level) location and is then discarded. We do not link it to Google Ads or use it to build advertising profiles. In the EU, EEA, and UK you can opt out using the Cookie settings link, or anywhere with Google's Analytics Opt-out Browser Add-on. See Google's Privacy Policy for how Google processes this data. - Amazon Web Services (AWS): cloud hosting for the website, our backend services, and our self-hosted error tracker. AWS provides infrastructure only and does not use your data for its own purposes.
Our error tracker (Bugsink) is self-hosted on our own AWS infrastructure, so error diagnostics are not shared with a third-party analytics provider. If we add further providers, we will update this Privacy Policy.
Where in-game data comes from (sources, not recipients)
We observe in-game data through the Overwolf game integration, and, for Overwatch, from Blizzard's public profile pages. Blizzard (Overwatch) and NetEase (Marvel Rivals) operate the games and are the source of this data. They are not our processors, and we do not share Counterwatch user data with them.
10. International data transfers
Supre.me AB is based in Sweden, and some of our processing happens outside the European Economic Area, so your personal data may be transferred internationally. Our website, backend services, and self-hosted error tracker (Bugsink) run on Amazon Web Services in the United States (the us-east-1 region). Other providers, including Mixpanel and Google, are also in the United States. For these US transfers we rely on the EU-U.S. Data Privacy Framework and, where applicable, Standard Contractual Clauses (SCCs); Google, AWS, and Mixpanel are certified under the Data Privacy Framework. Our payment provider, Tebex, is in the United Kingdom, which the European Commission recognises as providing an adequate level of data protection. Our website advertising partner Nitro (NitroPay / Overwolf), together with Google and its ad exchanges under Google MCM, may also process ad-request data in the United States and other countries; for these transfers we rely on the EU-U.S. Data Privacy Framework and, where applicable, Standard Contractual Clauses. Each provider is contractually bound to protect your data.
11. Data retention
- Account data: retained for the life of your account. You can request deletion at any time (see section 12).
- Observed-player data: kept while it is relevant to current community statistics and the app's live features. If you object and we verify your connection to an identifier, we redact or remove it within one month.
- Payment and accounting records: retained for about 7 years to comply with Swedish bookkeeping law (Bokföringslagen). We cannot delete these earlier on request.
- Website analytics data: Mixpanel up to 12 months from collection, then anonymized or deleted. Google Analytics user-level and event-level data is retained for 14 months; aggregated reports may be retained longer by Google.
- Website advertising and consent data: ad cookies set by Nitro and its partners expire per the durations in section 6. Your EU consent choices are stored in the consent platform cookies (
euconsent-v2/ncmp-cc) for up to 12 months, and a California opt-out (CCPAOPTOUT) stays on your device until you clear it. - Support correspondence: up to 24 months after the matter is resolved.
- Error and crash diagnostics: stored in our self-hosted error tracker, which keeps a limited number of recent events and automatically evicts older or less relevant ones rather than holding them for a fixed period.
- We may retain specific records longer where required to comply with legal obligations, resolve disputes, or enforce agreements.
When we delete personal data, residual copies may remain in encrypted backups until those backups age out on a scheduled roll-off. We do not surgically edit individual records out of backups.
12. Your rights and choices
You have the right to access, rectification (correction), erasure (deletion), restriction of processing, data portability, and objection. To exercise any of these, use the Data requests page.
- Verifying your identity:the website does not have a login. If you have a Counterwatch account, email us from the email address on your account so we can confirm it is you. If you are an observed player without an account, tell us the game and the exact in-game identifier; because we must not delete another person's data, we may ask for more information and may decline a request where we cannot reasonably establish that the identifier is yours.
- Timing and limits: we respond within one month. For complex or numerous requests we may extend this by up to two further months, and we will tell you within the first month if we need to. Some data is kept regardless of your request: payment and accounting records are retained under bookkeeping law, and copies in encrypted backups age out on a roll-off schedule rather than being edited individually.
- Withdraw consent:in the EU, EEA, and UK you can change or withdraw cookie consent (analytics and advertising) using the "Cookie settings" link in the website footer, which reopens the consent manager. You can opt out of hashed email usage in the desktop app via Overwolf client settings ("Use data to customize Overwolf for you").
- Object:you can object to processing based on legitimate interest, including our processing of observed players' in-game identifiers (see section 5).
- Lodge a complaint: with a supervisory authority (see section 13).
- California residents:the website shows programmatic third-party display ads. Under California law (CPRA), serving these ads may count as "sharing" personal information for cross-context behavioral advertising. We do not sell your personal information for money. You can opt out of this sharing using the "Do Not Sell or Share My Personal Information" link in the website footer, which records your choice on your device, and we honor the Global Privacy Control (GPC) browser signal as a valid opt-out. Apart from website advertising, Google Analytics and Mixpanel act as our service providers for first-party analytics only. You can also request access to or deletion of your information using the email in section 14. The desktop app's advertising is governed separately (see sections 2, 8, and 9).
13. Supervisory authority
If you are in the EU / EEA and you believe we are processing your data unlawfully, you have the right to lodge a complaint with a supervisory authority. The authority for Sweden is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY), available at imy.se.
14. Contact information
To exercise your rights or ask questions about this Privacy Policy, contact us:
Name: Supre.me AB
Company registration number: 559424-3163
Address: Kommendörsgatan 9, C/O Tech Farm, 114 48 Stockholm, Sweden
Email: oskar@counterwatch.gg
This Privacy Policy may be updated from time to time. Material changes will be announced on this page with an updated effective date.