I. The controller of personal data.
The controller of Users’ personal data (the “Controller”) is OneMoreGame.Studio Spółka z ograniczoną odpowiedzialnością (a limited liability company incorporated under the laws of Poland) with its registered office in Kraków at the addres: ul. Promienistych 1, 31-481 Kraków, entered into the register of entrepreneurs of the Polish National Court Register by the District Court for Kraków-Śródmieście in Kraków, XI Commercial Division of the National Court Register, under the KRS number: 0000748567, having a tax registration number NIP: 9452221951, statistical number REGON: 381299995, share capital: PLN 50.000.
II. Contact with the Controller
The Controler can be contacted via e-mail: firstname.lastname@example.org or via the Data Protection Officer.
III. Data Protection Officer
Questions or concerns regarding the processing of personal data by OneMoreGame.Studio may be directed to the Data Protection Officer at the email address: email@example.com.
IV. Terms used
All terms used in this Policy have the same meaning as the terms indicated in §2 of the Terms of Services provided by electronic means by OneMoreGame.Studio.
V. Purposes and bases of processing personal data.
The Controller processes the following types of personal data:
- First name, last name and email address,
- IP of the mobile device on which the Games are installed
- The type and version of the mobile device on which the User accesses the Game,
- Data concerning payments made by the User in the Games (transaction ID),
- The data provided by the User through the Login System, including the data saved therein – if the User has chosen to identify their in-Game account with the aforementioned profile or account,
- Data concerning the User's use of the Games, including, in particular, information on the times and manner of playing, types of devices on which the Games are installed,
- Information about the User's achievements within the Games, Games’ results and points scored,
- The messages sent by User via Chats made available in the Games,
- Data concerning correspondence sent by the User to the Controller,
- User's interactions with the Controller in the Game or in social media,
- Advertising identifiers of Mobile Devices on which the User uses the Games.
When does the Controller collect personal data?
Personal data is collected:
- When installing the Game on the User’s Mobile Device,
- In every instance of the User using the Game,
- When messages via the in-Game Chat are sent,
- When payments for Virtual goods made available in the Game are made,
- When the User chooses to additionally identify their in-Game Account with the Login Systems,
- When the User sends the correspondence to the Controller (by e-mail or in traditional form).
Why does the Controller collect personal data?
- To allow the Users to use the Games provided by the Controller,
- To provide to the Users electronic services available within the scope of the Games,
- To allow the Users to use various functionalities provided in the Games, including the Chat,
- To establish and maintain registers and records in accordance with GDPR,
- To properly manage the operation of the Games and all accompanying services,
- To transmit the information included by Users in messages sent through the in-Game Chat,
- To prevent violations of Terms of service and transmission of illegal content,
- For analytical and statistical purposes – in order to improve the performance of the Games,
- To provide Users with advertisements and contents consistent with their interests.
From whom are the personal data obtained?
Personal data come from the Users who have installed the Games on their Mobile Devices. The Controller may also obtain the User’s personal data from the operators of Login Systems, if the User chooses to additionally identify their in‑Game Account using such Login System.
On what bases does the Controller process personal data?
- Consent of a parent or legal guardian for Users under 16 years of age - Articles 6(1)(a) and 8(1) GDPR – to the extent within which other bases do not apply.
- The User's consent – Article 6(1)(a) GDPR – to the extent within which other bases do not apply.
- Performance of the agreement for the provision of services provided by electronic means or steps prior to entering into the agreement taken at the request of the data subject (with respect to the provision and operation of the Game, as well as allowing the User to purchase Virtual goods) - Article 6(1)(b) GDPR.
- Compliance with legal obligations to which the Controller is subject (with respect to maintaining registers and documentation in accordance with the provisions of generally applicable law, including tax-related obligations) - Article 6(1)(c) GDPR.
- Legitimate interests of the Controller with respect to:
- conducting analyses and gathering statistical data to improve the performance of the Games,
- managing the operation of the Game,
- preventing the Users from sending illegal content in the Game Chat and from abusing the Game,
- establishing records and registers related to the processing of personal data in accordance with GDPR,
- marketing purposes of the Controller and third parties related to the Controller,
VI. Processing of personal data within the in-Game Chat
The Controller, within the Games’ operations, makes available to the Users certain Chat functionalities, allowing for communication between Users. While using this functionality the User can enter any message addressed to other Users. Such message may contain information including also personal data. The Controller within normal operation of the Chat, does not have the capacity to identify persons whose data can be thus processed, however, the messages may be moderated with respect to offensive or illegal content.
VII. Processing of childrens’ personal data
- The Controller does not knowingly take any action to obtain personal data of children under 16 years of age, including those from direct advertising or advertisements tailored to the recipient's interests, nor does the Controller direct such ads to children under 16 years of age.
- Moreover, the Controller does not knowingly allow children under 16 years of age to use the Games.
- If a User is convinced that the Controller may have any data from or pertaining to a child under 16 years of age, or is the parent or legal guardian of a child who has used the Games without the required consent, please contact us by email at the address: firstname.lastname@example.org.
VIII. Identification of the User Account in the Game
- Upon creating an in-game account, the User shall receive a unique User ID, by which their in-Game activities are identified.
- If the User so chooses, their Account may additionally be identified by a Login System. In such a case the Controller may receive from the entities providing the login functionalities data such as the name, last name, the user’s email or their avatar, which are processed in connection with the maintenance of the User's account.
- Choosing the additional identification allows the User to access their up-to-date state of the Game regardless of the Device on which the User uses the Game. Should the User choose to use this feature, the Game, depending on its functionalities, may or may not have the permission to publish certain information in the User's profile or account.
IX. Who can be the recipient of personal data?
- The recipients of the Users' personal data processed by the Controller may be:
- Entities providing services to the Controller – with respect to server hosting services or similar services.
- Entities providing legal services to the Controller,
- Entities with equity- or personal relations with the Controller – within the scope of developing, publishing and making the Games' available to Users on behalf of the Controller,
- Providers of advertisement and marketing materials, made available in the Games.
X. Use of advertising identifiers and similar technologies
- In order to make available to the Users the Games as well as advertisements tailored to their interests, the Controller uses technologies such as advertisement IDs or other similar technologies. These are used by the Controller to provide services by electronic means to the Users and allow to collect the data obtained from the Mobile Devices on which the User uses the Game, allowing for the collection of data:
- Identifying the User and the Mobile Device on which the User is using the Game,
- Identifying the User with the Login System, if the User had chosen to additionally identify their Account this way,
- Determining how the User uses the Games and storing the up-to-date state of the Game,
- Enabling the processing of payments for Virtual goods by payment platforms, and then making the Virtual goods available to the User,
- Providing to Users advertisements tailored their interests,
- Enabling the Controller and third parties to provide the User with more personalized services, in particular with respect to providing services in the User's language.
- Advertising identifiers that the Controller uses are temporary, non-personal identifiers, such as the Android advertising identifier or the Apple advertising identifier. Such identifiers are always exclusively linked to the Mobile Device on which the User uses the Game.
- The Controller may also use other technologies in the Games such as pixel tracking.
- The technologies referred to in sections 2 and 3, as well as other similar technologies, allow the advertisers to recognize the User’s Mobile Device while the User is using the Game.
- The User may at any time turn off the advertising identifiers in their Mobile Device or reset the settings of such advertising identifiers by changing the settings on their Device. The settings can be changed according to the user's manual of the Mobile Device a User is using.
- Users domiciled in Europe, Canada or the United States may withdraw their consent to the collection of information by advertising partners who are members of the Digital Advertising Alliance by making a statement on the website:
- For European Users: http://www.youronlinechoices.com/
- For Canadian Users: http://www.youronlinechoices.com/
- For US Users: http://www.aboutads.info/choices/.
- In some advertisements, the AdChoices logo is available - in this case, the user may resign by clicking this logo.
- Consent withdrawal referred to in sections 6 and 7 means that the advertisements displayed after the withdrawal will not be tailored to the User's interests, but may still be displayed. The User’s Mobile Device will still be identified, but this data can be used e.g. to limit the frequency of displaying specific advertisements on the User Device.
XI. Processing of personal data in connection with marketing and advertising
- In some Games advertisements and marketing contents from third parties directed at Users might be shown.
- Within the scope of displaying these contents, the Controller – unless the User withdraws their consent to the processing of their personal data for marketing purposes – may process the following personal data of the Users:
- Advertising identifiers and other information collected on the User’s Mobile Device,
- Information about the Users in-Game activity and the Users interactions in the Games,
- Other information that the Controller may obtain from its marketing partners or third parties to whom the User has given consent to share such information, or they may share such information on another legal basis.
- While displaying third parties’ advertisements and marketing content, the Controller may provide its marketing partners with non-personal identifiers and other information from the User’s Mobile Device for the purpose of technically enabling the delivery of advertisements to the User’s Mobile Device. Such information may be combined with information already in the marketing partners' possession in order to better tailor the content displayed to the User’s preferences.
- To prevent such data from being shared, the User should update the settings on their Mobile Device.
- Updating the settings does not affect the ability to play the Game, nor does it cause the ads to cease being displayed on the Device, but only disables them being adjusted in accordance to the information about the User.
- In some Games the User can enable the option to have advertisements displayed in certain areas of the Game. Enabling such option is tantamount to the User giving consent to having his data processed for marketing purposes.
XII. How long does the Controller store personal data?
- The Controller stores the data for the following periods:
- With respect to personal data necessary for provision of services by electronic means and the performance of the agreement for provision of services by electronic means – for the period necessary for provision of services by electronic means, but no longer than till the expiry of the limitation periods for claims related to the services provided.
- With respect to personal data processed on the basis of consent – till the User revokes their consent or till the purpose of processing is achieved, but in no case longer than till the User ceases using the Game or the purpose of processing is achieved.
- With respect to personal data processed on the basis of the legitimate interests of the Controller – till an effective objection is filed or till the purpose of processing is achieved, no longer however than 15 years, calculated from the end of the year in which the processing began.
- With respect to personal data processed for analytical purposes or the purposes related to the administration of the Games – till the moment such data becomes outdated or no longer relevant.
- When a request is made to exercise the right to be forgotten, each application is considered individually.
XIII. Does the Controller transfer personal data to third countries?
- The Controller uses services and technologies offered by third parties, including those incorporated in countries outside the European Union, such as the United States and Israel, which under GDPR are treated as third countries.
- GDPR restricts the possibility of transferring personal data to third countries, as such countries may not ensure an adequate level of protection of personal data of European Union citizens and as European law does not apply there. Each controller is obliged to determine the legal basis for such transfer of personal data.
- The Controller warrants and represents that in connection with the use of services and technology, personal data is transferred:
- For U.S. entities, to entities that have joined the Privacy Shield Program, pursuant to the European Commission Implementing Decision of 12 July 2016. More information on this may be found at the European Commission's website at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu-us-privacy-shield_pl. This program’s participants assure that they will comply with the high standards of personal data protection that apply in the European Union, hence it is lawful to use their services and technologies when processing personal data.
- For Israeli entities, the Decision of the European Commission of 31 January 2011 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the State of Israel with regard to automated processing of personal data, and this Decision has not been declared ineffective or has not been repealed as of the date of drafting of this Policy.
- The Controller will at any time provide you with additional explanations on the transfer of personal data, and you have the right to obtain a copy of the personal data transferred to a third country at any time.
XIV. What are the rights of persons whose personal data are processed?
- The User whose personal data are processed by the Controller, has the right to:
- Access their personal data and receive a copy thereof,
- Request that their personal data be corrected or supplemented,
- Request that their personal data be deleted – the User may request that their data be deleted if they are convinced that there are no bases for the Controller to process their personal data and that there are no grounds for the data being processed in future.
- Request that the processing of their personal data be restricted – the User may demand that the Controller limit the processing of the User’s personal data only to storing or performing activities agreed with the User, if the data are incorrect or processed without legal basis, or the User does want the data deleted due to the need to store the data in order to establish, pursue or defend claims, or for the time necessary for an objection to the processing of personal data to be considered.
- File an objection to the processing of personal data:
- Processing of personal data for direct marketing purposes: the User has the right to object to the processing of their personal data for direct marketing purposes. Exercising this right causes the Controller to stop processing personal data.
- Objection on grounds of particular situation: the User has the right to object to the processing of their personal data on the basis of a legitimate interest for purposes other than direct marketing. The objection should then indicate what kind of a particular situation concerns the User that justifies the request to stop processing personal data. The Controller will stop processing the personal data for these purposes unless the Controller demonstrates that the bases for further processing take precedence over the rights of the User or that the data are necessary to establish, pursue or defend a claim.
- Data transfer – the User has the right to receive, in a structured, commonly used machine-readable format, personal data concerning them and which have been transferred to the Controller on the basis of consent given by the User. The user may ask that the Controller transmit them directly to another entity.
- For Users domiciled in California (USA), the California Consumer Privacy Act (CCPA) allows companies to prohibit the sale of state residents' personal information to third parties. The Controller stipulates that although the provision of personal data to advertising partners described in this Policy may be deemed as selling data within the meaning of the CCPA, the Controller does not sell any personal data. If a California resident does not want their personal information to be transmitted to other recipients, they should update the Game's privacy settings or provide the Controller with a request not to sell their personal information.
- The User can exercise their rights by sending an email to the address: email@example.com.
XV. Can I withdraw my consent for processing my personal data?
If the personal data is processed on the basis of the User's consent, they may at any time withdraw their consent to the processing of personal data. Withdrawal of consent to the processing of personal data shall not affect the lawfulness of processing based on consent before its withdrawal. The user can exercise their right by sending an email to the address: firstname.lastname@example.org.
XVI. Right of complaint to the supervisory authority
If a User believes their personal data is being unlawfully processed, they may file a complaint with the supervisory authority. The lead supervisory authority with whom a complaint concerning the processing of personal data can be filed is the Polish authority – the President of the Personal Data Protection Office.
XVII. Is it necessary to provide personal data?
The provision of personal data is voluntary. It is however required if a User wishes to use the Games on their Mobile Device and use their functionality to the full extent, including, in particular, the option of identifying their in-Game account with a Login System.
XVIII. Use of server logs
- Information about some events triggered by Users is saved as a server log.
- The data in the form of server logs are used exclusively for the purpose of proper administration of the Games and to ensure the smooth operation of the Games and their functionalities.
- They following may be recorded:
- Mobile Device’s make and model;
- hardware identifier;
- type and version of the operating system;
- date and time of login,
- Mobile Device’s IP address.
- User action logs may also be recorded, which are then available in the tools supporting various Game(s) functionalities.
- The data described in section 2 above are not associated with specific Users and are used only for the proper administration of the Game and to ensure its continuous operation.
XIX. Does the Controller use profiling and automated decision-making?
- The Games can use technologies that allow profiling and automated decision-making with respect to Users.
- Profiling which the Controller may use in the Game, consists of monitoring the preferences and activity of the Users and the results achieved by them in the Games. Thanks to such actions, the Controller can better adjust the operation of the Games to the Users' preferences, as well as allow the Users to make better use of some of the functionalities made available in the Games.
- Automated decision-making is based on data about the Users' use of the Games, the ways they interact with the Game or the frequency with which they purchase the Currency units or other in-Game items.
- Automated decision-making is designed to enable the User to enjoy the Game as much as possible, including: by customizing offers for the Currency units or other in-Game items.
- Automated decision making is lawful as it serves the Controller's legitimate interest in ensuring that the Users make the most convenient use of the functionalities made available in the Game.
- Decisions made as described above may have an impact on the User's situation, including the disclosure of individual Game functionalities, changes in the state of the Game or the User's decision to purchase the Currency units or other in-Game items.
- If the User does not agree with the decision made in an automated way, he is entitled to object, e.g. in the form of a complaint filed in the manner specified in the Terms of Service. The User may also contact the Controller with respect to the purpose of filing and objection by sending an email to the address: email@example.com.
- The Controller guarantees that each User's objection will be considered by an appropriate person authorized to analyze such requests and make decisions about them. Notifications are not analyzed through the IT system.
XX. Final provisions