Who we are and what this policy covers
Last Z Rewards is an independent fan-built service that automates gift-code redemption and daily store rewards for Last Z: Survival Shooter (a game published by Florere Game Limited / Omnilojo Pte Ltd). This policy explains what personal data we hold about you, why we hold it, how long we keep it, and the rights you have under the EU General Data Protection Regulation (GDPR) and the UK GDPR.
We are not affiliated with, endorsed by, or operated on behalf of Florere Game Limited.
Controller: Last Z Rewards (operated by the maintainer of lsscodes/lastz-rewards). Contact: see the Contact page. The same operator identity runs the project's Ko-fi page at ko-fi.com/lastzrewards.
Scope: this policy applies to the website at lastzrewards.com and the back-end services that support it. It does not apply to Florere Game Limited, the game client itself, or any other site or service we link to.
Categories of personal data we process
| Category | What we hold | Source |
|---|---|---|
| Account data | Verified email address (via phone.email's passwordless one-time-password widget — see the phone.email Privacy Policy), a normalised form of that email used for de-duplication, a randomly generated subscriber id. We never see or store any password. | You, at sign-in. |
| Subscription data | Tier (free / paid), tier start + end dates, the list of in-game Player IDs you have linked, opt-in or opt-out flags per Player ID. | You, in the dashboard. |
| Redemption history | The gift codes we have attempted to redeem for your Player IDs, the result of each attempt, the timestamp. | Generated by our worker. |
| Operational data | IP address (truncated to the visible client, captured for the access log and rate-limit counters), browser user-agent, page-alert dismissal cookie, session cookie. | Sent by your browser. |
| Payment data | We do not see card numbers. When you support the project on Ko-fi, Ko-fi tells us only that the supporter slug matches an active monthly tier — no card details, no billing address. | Ko-fi (processor). |
| Submitted gift codes | Codes you submit via the public /add-gift-code form, plus the IP address that submitted them (for abuse protection). | You. |
| Support correspondence | If you write to us via Telegram / WhatsApp / Line / email or via Crisp live chat after consent, we hold the content of those conversations. | You. |
Why we process this data (and the legal basis)
| Purpose | Legal basis |
|---|---|
| Provide the rewards-redemption service you signed up for (linking Player IDs, redeeming codes, showing your dashboard). | Performance of a contract — GDPR Art. 6(1)(b). |
| Detect, block, and rate-limit abuse (anonymous submission caps, bot/scanner blocklist, audit log of admin actions). | Legitimate interests — GDPR Art. 6(1)(f). Necessary to keep the service available for legitimate users. |
| Send essential operational notifications (subscription-expiry banner, page alerts). | Performance of a contract and legitimate interests. |
| Measure aggregate site usage (via Google Analytics 4 — only if you accept the analytics category in the cookie banner). | Consent — GDPR Art. 6(1)(a). |
| Provide live chat (via Crisp — only if you accept the functional category). | Consent — GDPR Art. 6(1)(a). |
| Show the Ko-fi donate button (only if you accept the marketing category). | Consent — GDPR Art. 6(1)(a). |
You can withdraw consent for analytics, live chat, or the donate button at any time via the Manage cookies link in the footer. Withdrawal does not affect any processing carried out before withdrawal.
Who processes your data on our behalf
We use the following processors. Each has its own privacy policy and security posture; transfers outside the EU/UK rely on the European Commission's Standard Contractual Clauses (SCCs) where applicable.
| Processor | What they do | Location | Transfer mechanism |
|---|---|---|---|
| Web app hosting provider | Hosts the lastzrewards.com web application (the Flask app you are reading this page on). | Frankfurt, Germany (EU) | EU-resident processor — no third-country transfer for the web layer. DPA. |
| Database hosting provider | Hosts the database that holds subscriber records, redemption history, and the audit log. | Frankfurt, Germany (EU) | EU-resident processor — no third-country transfer for the database tier. DPA. |
| Compute / worker hosting provider | Runs the worker process that calls the Last Z gift centre and store APIs on a schedule. | US | SCCs / DPA. |
| Network / API-gateway provider | Provides the multi-region API gateway the worker uses to spread requests across IP ranges to satisfy the game's rate limits. | EU / US (multi-region) | DPA + SCCs. |
| Ko-fi Labs, Inc. | Processes monthly supporter payments and exposes the supporter slug to us via the public Ko-fi page. We never see card data. | US | SCCs. |
| Crisp IM SAS | Live chat (only if you accept the functional category). | France (EU) | EU-resident processor — no third-country transfer. |
| Google Ireland Ltd. / Google LLC | Google Analytics 4 measurement (only if you accept the analytics category). | EU / US | SCCs + Google EU-US Data Privacy Framework certification. |
| Nextgen Phonemail Technology Private Limited (operating as phone.email) | Passwordless one-time-password sign-in. The OTP widget is hosted by phone.email — they handle the email-delivery + verification step. After you complete the OTP we receive only the verified email address; we never see the OTP itself, your phone.email account password, or any other data they hold. See the phone.email Privacy Policy and Terms & Conditions. | India | SCCs. |
| Florere Game Limited / Omnilojo Pte Ltd | The game publisher. We send them your Player ID + the gift code on every redemption attempt; we receive an outcome code in response. We do not send your email, IP, or any other personal data. | Hong Kong / Singapore | The game publisher is a recipient of necessary game-side identifiers (Player ID) only. Player IDs are not, on their own, attributable to a real identity without our database; the recipient is the game itself, which already holds the Player ID. |
We do not sell personal data, and we do not share it for advertising or profiling beyond the analytics measurement above.
How long we keep your data
| Data | Retention |
|---|---|
| Subscriber record (your email, linked Player IDs, settings). | For the lifetime of your account + 12 months after account deletion (allows you to recover an accidentally-deleted account). After that, hard-deleted. |
| Redemption history (which codes succeeded against which Player ID). | 24 months from each redemption attempt. |
| Admin audit log (record of admin actions taken on the platform). | 24 months. |
| Contact-form / Crisp chat submissions. | 12 months from last message. |
| Submitted gift codes + the submitter IP. | 12 months for the IP; the code itself is part of the catalog and kept until it is retired. |
| Server access logs (IP, user agent, requested route, status code). | 30 days. |
| Cookie-consent preferences. | 6 months (then we re-prompt). |
| Page-alert dismissal cookie. | 1 year client-side (the cookie); pruned server-side as alerts age out. |
Your rights and how to exercise them
Quick link: to make any of the data-subject requests described below — access, correction, deletion, portability, etc. — write to us via the Contact page. We will acknowledge within 5 working days and substantively respond within 30 days.
Under the GDPR and UK GDPR you have the following rights with respect to your personal data:
- Right of access — ask us for a copy of the data we hold about you.
- Right to rectification — ask us to correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — ask us to delete your account and the data tied to it.
- Right to restriction — ask us to stop processing your data while a question is being resolved.
- Right to data portability — ask us for a machine-readable export of the data you have provided to us.
- Right to object — object to processing carried out under our legitimate-interest basis (e.g. analytics if you have not consented).
- Right to withdraw consent — for any processing based on consent, withdraw at any time (via the Manage cookies footer link for cookies, or via /contact for anything else).
- Right to complain to a supervisory authority — in the EU/UK you can complain to your local data-protection authority. A list of EU/EEA DPAs is maintained on the EDPB website; in the UK the supervisory authority is the Information Commissioner's Office.
To exercise any of these rights, write to us via the /contact page from the email address you used to sign up. We will:
- Acknowledge your request within 5 working days.
- Substantively respond within 30 days of receiving your request, in line with the GDPR's hard ceiling. If your request is unusually complex we may extend by up to 60 additional days and will tell you why.
- Verify that you control the email address tied to the account before disclosing or modifying anything — we do not require additional ID.
There is no fee for a reasonable first request. Repetitive or manifestly unfounded requests may incur a reasonable charge or be refused, in line with GDPR Art. 12(5).
International transfers
Our web application and primary database are both hosted in Frankfurt, Germany (EU), so the data we hold about you stays on EU soil at rest. Some of our other processors (analytics, the gift-code worker, and a small number of widget-backing services) are based outside the EU/UK. Where personal data is transferred to a country that has not received a European Commission adequacy decision, we rely on the Standard Contractual Clauses and, where applicable, the processor's certification under the EU-US Data Privacy Framework. We do not use binding corporate rules.
Children
The service is not directed at children under 16. We do not knowingly collect personal data from anyone under 16; this matches Last Z: Survival Shooter's official age rating (16+ on the App Store and Google Play). If you are under 16, please do not sign up. If you believe a child under 16 has signed up, contact us and we will delete the account.
Security
We protect your data with: TLS for everything on the wire; HTTP-only, SameSite=Lax session cookies; CSRF tokens on all state-changing form submissions; a tight Content-Security-Policy; per-IP and per-route rate limits; bot and vulnerability-scanner user-agent blocking; admin actions gated by a per-game grant table and recorded in an audit log; daily automated database backups managed by our hosting provider. We cannot guarantee absolute security — no system can — but we take it seriously and continually tighten the surface.
Cookies
For the full inventory of cookies this site uses, see the Cookie Policy. You can change your choices at any time via the Manage cookie preferences button below or the Manage link in the page footer.
Changes to this policy
We will note material changes at the top of this page with a new "Last reviewed" date. For substantial changes (new processor categories, new lawful bases, retention extensions) we will additionally surface a site-wide notice via the page-alerts banner for at least 14 days before the change takes effect.
Contact
For privacy questions, data-subject requests, or anything else covered by this policy, contact us.
This policy was last reviewed on 2026-05-22 and represents a starting point pending review by legal counsel. Material changes will be notified via the site footer and email where applicable.