Privacy Policy February 13, 2023

Privacy Policy

Privacy declaration for Sandbox Interactive GmbH (albiononline.com)

The information in this declaration applies to the processing of personal data on or via our website and is intended in particular to inform you of the scope of processing, the purposes of processing, the recipients, legal bases, storage periods and your rights. Personal data are all information relating to an identified or identifiable natural person, i.e. a person (hereinafter also referred to as "data subject"), including for example your name, your address or your email address. Processing" of personal data means in particular the collection, storage, use and transmission of such data.

I. Name and Address of the data controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the member states as well as other data protection regulations is:

Sandbox Interactive GmbH
Pappelallee 78
10437 Berlin
Germany
Email: info@sandbox-interactive.com
Website: albiononline.com

II. Contact data of the data protection officer

The data protection officer can be consulted under the following contact details:

Peter Birgersson
Deloitte AB
Rehnsgatan 11
113 79 Stockholm, Sweden
Email: datenschutz@sandbox-interactive.com

III. General information data processing

1. Legal basis for the processing of personal data

Insofar as we obtain the consent of the data subject for the processing of personal data, legal basis is Art. 6 para. 1 lit. a GDPR.

Insofar as the processing of personal data is required for the performance of a contract to which the data subject is a party, legal basis is Art. 6 para. 1 lit. b GDPR. This also applies to processing operations that are necessary to carry out pre-contractual measures.

Insofar as the processing of personal data is required to fulfil a legal obligation to which our company is subject, legal basis is Art. 6 para. 1 lit. c GDPR.

If processing of data is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, legal basis is Art. 6 para. 1 lit. f GDPR.

2. Data deletion principle and storage time

The personal data of the data subject will be deleted or processing restricted as soon as the purpose of storage ceases to apply. Hard copy printouts of personal data are shredded or burned, whereas electronic files of personal data are disposed through technical or physical means that ensure the information cannot be recovered. In certain cases, data can be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the data controller is subject.

3. Data Recipients

Employees of our company and service providers who support us in data processing within the scope of a commissioned data processing agreement (e.g. service providers for IT operations) have access to your personal data to the extent necessary to fulfil the purposes stated below. We are legally obliged in individual cases to transmit personal data to authorities (e.g. requests for information from investigating authorities) or natural/legal persons (e.g. to assert claims). Further information on possible recipients of your personal data can be found in the next sections of this privacy policy.

4. Transfers to third countries

If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if such processing takes place in the context of using the services of third parties or disclosure or transfer of data to third parties, this will only take place in order to fulfil our (pre-)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we will only process or transfer the data to a third country outside of the EU if the special requirements of Art. 44 ff. GDPR are met. This means that the processing is carried out, for example, on the basis of special guarantees, such as the officially recognized determination of a level of data protection corresponding to that of the EU (e.g. for Canada, Japan, Switzerland) or compliance with officially recognized special contractual obligations (so-called "EU standard contractual clauses").

IV. Provision of the website and creation of log files

1. Description and extent of data processing

Every time you visit our website, our system automatically collects data and information from the computer system of the accessing device (computer, smartphone, tablet, etc.).

The following data is collected:

Information about the browser type and version used
The operating system of the accessing device
The IP address of the accessing device
Date and time of access
Websites from which the system of the accessing device reaches our website

The data is also stored in the log files of our system. This data is not stored together with other personal data of the user.

2. Legal basis for data processing

Legal basis for the temporary storage of data and log files is Art. 6 para. 1 lit. f GDPR.

3. Purpose of data processing

The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user's device. For this the IP address of the user must remain stored for the duration of the session.

The data is stored in log files to ensure the functionality of the website.

In addition, the data serves us to optimize the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.

Our legitimate interest in data processing also lies in these purposes.

4. Storage time

The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended.

If the data is stored in log files, this will happen after seven days at the latest. Further storage is possible. In this case, however, the IP addresses of the users are deleted or made anonymous, so that an identification of the accessing client is no longer possible.

5. Recipient of the data and transfer to a third country

We use the services of the processor G Core Labs S.A., 2A, Rue Albert Borschette, L-1246 Luxembourg (G-Core) to process personal data. G-Core is permitted to process personal data outside the European Union. G-Core has concluded EU Standard Contractual Clauses with their service providers (subcontractors). A copy of the EU Standard Contractual Clauses can be found here: https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:039:0005:0018:DE:PDF

V. Usage of Cookies required for operation

1. Description and extent of data processing

Our website uses so called Session- or flash-cookies (“necessary cookies”). Cookies are text files that are stored in the Internet browser or by the Internet browser on the user's computer system. If a user visits a website, a cookie may be stored on the user's operating system. This cookie contains a characteristic character string that enables a unique identification of the browser when the website is called up again.

The following data is stored and transmitted in the necessary cookies:

Language settings
Log-in information

2. Legal basis for data processing

The legal basis for the processing of personal data using necessary cookies is Art. 6 para 1 lit. f GDPR.

3. Purpose of data processing

The purpose of using cookies is to simplify the use of our website for users. Some functions of our website cannot be offered without the use of cookies. For this it is necessary that the browser is recognized even after a change of pages within our internet presence. The cookies are not used to create user profiles.

We need cookies for the following applications:

Possibility of accepting language settings
Technical implementation of the log-in function

4. Storage time

Cookies are stored on your device with which you access our website and are transmitted to our site. Therefore, you as a user also have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings in your Internet browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all functions of the website. Otherwise, the necessary cookies are automatically deleted after 14 days.

VI. Remember Me function

1. Description and scope of data processing

Users of our services can choose the so-called "Remember Me" function. If a user visits our website and sets a check mark at the "Remember Me" checkbox, a cookie is stored in the user's browser. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the user revisits the website and enables automatic login.

In this cookie ['keeploggedin'], double-hashed login information is stored and transmitted in encoded form

2. Legal basis for data processing

The legal basis for the processing of personal data using the "Remember Me" cookie is Art. 6 para. 1 lit. a GDPR.

3. Purpose of data processing

The purpose of using the "Remember Me" cookie is to increase the convenience of using our website. The "Remember Me" cookie is not used to create user profiles.

4. Duration of storage

The "Remember Me" cookie is stored in the user's browser until the user revokes his or her consent. This can be done by logout of the account or by deleting the cookie ['keeploggedin'] in the browser settings.

VII. Newsletter

1. Description and extent of data processing

If you register on our website for Albion Online and grant us the right to use your email address for a newsletter, we may subsequently use this for sending you a newsletter in which we inform you at regular intervals about news in connection with Albion Online (e.g. about patches, updates, community events, special promotions, interesting information about the development of Albion Online and, if applicable, offers about our game) The data from the input mask is transferred to us during registration:

Email address

In addition, the following data is collected upon registration:

IP address of the accessing device
The date and time of registration

2. Legal basis for data processing

The legal basis for sending the newsletter and the related processing of the email address is § 7 para. 3 UWG and/or Art. 6 para. 1 lit. f GDPR.

3. Purpose of data processing

In this regard, the collection of the user's email address serves to deliver the newsletter which contains information about patches, updates, community events, special promotions, interesting information about the development of Albion Online and, if applicable, offers about our game. The collection of other personal data as part of the registration process serves to prevent misuse of the services or the email address used. This also constitutes our legitimate interest in the processing.

4. Storage time

The data will be deleted as soon as the purpose of its collection is no longer given. The user's email address will therefore be stored until the user withdraws his consent to receiving the newsletter. If we need the user's email address for further purposes (see further details in this data privacy declaration), the deletion will be replaced by the corresponding restriction on processing, i.e. we will no longer use the email address for sending the newsletter.

The other personal data collected during the registration process will generally be deleted after a period of seven days.

5. Possibility of opposition and elimination

The affected user can withdraw his consent to the dispatch of the newsletter at any time. For this purpose there is a corresponding link in every newsletter. Furthermore, the user can unsubscribe from the newsletter in his account settings. For the withdrawal of consent no other costs arise than the transmission costs according to the basic rates.

6. Recipients of the data and transfer to a third country

As part of sending the newsletter, we will forward your email address to SendGrid Inc. 1801 California Street, Denver, CO 8020, USA and Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L- 1855, Luxembourg (AWS). SendGrid Inc. and AWS are newsletter management service providers who take over the dispatch of our newsletter for us as contract processors (cf. Art. 28 GDPR). Your personal data will be processed by SendGrid Inc. in the USA and by AWS in the European Union on our behalf within the scope of the newsletter dispatch.

A transfer to SendGrid Inc. in the USA as a third country within the meaning of the GDPR is permissible according to Art. 44, 46 GDPR, as they have concluded EU standard contract clauses with us. The companies thus offer sufficient guarantees for adequate data protection within the meaning of Art. 46 GDPR.

AWS EMEA SARL is a subsidiary of Amazon Web Services (AWS), Inc, 410 Terry Avenue North, Seattle, WA 98109 so a transfer of your personal data within the company to the US is possible.

A transfer to AWS within the meaning of the GDPR is permissible according to Art. 44, 46 GDPR, as they have concluded EU standard contract clauses with us. The company thus offers sufficient guarantees for adequate data protection within the meaning of Art. 46 GDPR.

AWS is permitted to process personal data outside the European Union. This is legitimate as AWS has concluded EU Standard Contractual Clauses with their service providers (subcontractors). A copy of the EU Standard Contractual Clauses can be found here: https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf

VIII. User requests by contact form, email and Facebook

1. Description and extent of data processing

There is a contact form on our website which can be used for making contact. If a user uses this option, the data entered in the input mask is transmitted and saved including the time of the request. In addition, the IP address of the used device is stored.

It is also possible to contact us via the email address provided on our website. In this case, the user's personal data transmitted via email will be stored.

In addition, contact via Facebook is possible. You can write us a message from your Facebook profile. The name of your Facebook profile and, if applicable, your clear name will be transferred to us.

2. Legal basis for data processing

The legal basis for the processing of the data is Art. 6 para. 1 lit. f GDPR and, insofar as the personal data are processed for the execution of a contract, Art. 6 para. 1 lit. b GDPR.

3. Purpose of data processing

Purpose of data processing is the handling of requests, in particular support requests for technical problems with the game and the handling of other questions. The processing of personal data serves us solely to handle the contact approach. Unless we process the data for the purpose of fulfilling contractual or pre-contractual obligations, this is also our legitimate interest in the processing of the data which outweighs the user's interest .

4. Storage time

The data will be deleted as soon as the purpose of its collection is no longer given. For the personal data from the input mask of the contact form and those that were sent by email, this is the case when the respective conversation with the user is finished. The conversation is finished when the circumstances indicate that the matter in question has been solved.

If data is collected in the course of email communication which we are obliged to store due to tax, commercial law or other regulations, it will not be deleted until the respective legal retention or storage periods have expired. The legal basis for this data storage is Art. 6 para. 1 lit. c GDPR.

The additional personal data collected during the sending process will be deleted after a period of three years at the latest.

5. Recipient of the data and transfer to a third country

Within the scope of user inquiries, we forward the aforementioned data to the service provider Zendesk Inc. 1019 Market St, San Francisco, CA 94103, USA, which takes over the organisational handling of user inquiries including a so-called ticket system as a processor (cf. Art. 28 GDPR). Your personal data will be processed by Zendesk in the USA on our behalf in the course of processing user inquiries. The content of the enquiries will be processed by us.

A transfer to Zendesk Inc. in the USA is permitted. Zendesk Inc. has concluded EU standard contractual clauses with us and thus offers sufficient guarantees for adequate data protection within the meaning of Art. 46 GDPR.

IX. Registration

1. Description and extent of data processing

On our website, we offer users the opportunity to register for the Albion Online game by providing personal data. The data is entered into an input mask and transmitted to us and saved. The data will not be passed on to third parties. The following data is collected during the registration process:

Email address
Password

At the time of registration, the following data is also stored:

The IP address of the user
The date and time of registration

2. Legal basis for data processing

The legal basis for the processing of data is Art. 6 para. 1 lit. b GDPR.

3. Purpose of data processing

A registration of the user is necessary for the fulfilment of the contract with the user and/or for the execution of pre-contractual measures.

The user and Sandbox Interactive GmbH conclude a contract for the use of the game Albion Online (more details in the terms of use of Sandbox Interactive GmbH). The personal data provided are used to identify the user by creating a user account. The creation of the user account enables the user to participate in the online game Albion Online and to create, manage and use his own characters in the context of the game.

4. Storage time

The data will be deleted as soon as the purpose of its collection is no longer given. For the data collected during the registration process, this is usually the case when the user contract is terminated and the user's account is deleted.

If data is collected in the course of the registration which we are obliged to store due to tax, commercial law or other regulations, it will not be deleted until the respective legal retention or storage periods have expired. The legal basis for this data storage is Art. 6 para. 1 lit. c GDPR.

5. Possibility of opposition and elimination

As a user you have the possibility to cancel the registration at any time. Write us a message at the following address:

Email: support@albiononline.com

Web: https://albiononline.com/en/profile/support

If the data is required to fulfil a contract or to carry out pre-contractual measures or if there are legal storage obligations, premature deletion of the data is only possible insofar as contractual or legal obligations do not prevent deletion. If deletion is not possible, processing may be restricted.

6. Recipient of the data and transfer to a third country

We use the services of the processor G Core Labs S.A., 2A, Rue Albert Borschette, L-1246 Luxembourg (G-Core) to process personal data. G-Core is permitted to process personal data outside the European Union. This is legitimate as G-Core has concluded EU Standard Contractual Clauses with their service providers (subcontractors). G-Core thus offers sufficient guarantees for an adequate data protection according to Art. 46 DSGVO. A copy of the EU Standard Contractual Clauses can be found here: https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:039:0005:0018:DE:PDF

We confirm the registration of an account and each completed purchase process with a transactional email. As part of sending the transactional email, we forward your email address to Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L- 1855, Luxembourg. AWS is an email delivery service provider that handles the sending of emails for us as a processor (cf. Art. 28 DSGVO). Your personal data is processed by this company within the European Union on our behalf in the context of sending e-mails.

AWS EMEA SARL is a subsidiary of Amazon Web Services (AWS), Inc, 410 Terry Avenue North, Seattle, WA 98109 so a transfer of your personal data within the company to the US is possible.

AWS is permitted to process personal data outside the European Union. This is legitimate as AWS has concluded EU Standard Contractual Clauses with their service providers (subcontractors). A copy of the EU Standard Contractual Clauses can be found here:
https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf

A transfer to AWS in the USA as a third country within the meaning of the GDPR is permissible according to Art. 44, 46 GDPR, as they have concluded EU standard contract clauses with us. The company thus offers sufficient guarantees for adequate data protection within the meaning of Art. 46 GDPR.

X. Gaming operation

1. Description and extent of data processing

As part of the provision of the game Albion Online, we store and process the datasets necessary for the operation of the game and website. For this purpose, we also store data in logs when using the game. Logs are protocols of certain technical contents.

In-game-storage and processing includes the following data:

Time of the log-ins
IP address
Information about actions in the game
Progress of the game
News
User messages/chat protocols
Information on operating systems and hardware used

2. Legal basis for data processing

The legal basis for the processing of the data is Art. 6 para. 1 lit. f GDPR and, insofar as the personal data are processed for the execution of a contract, Art. 6 para. 1 lit. b GDPR.

3. Purpose of data processing

The purpose of data processing is the technical implementation and the provision and operation of the game. The specific purpose of saving the logs is a technical improvement of the game Albion Online (quality assurance). To prevent program crashes and other malfunctions (in the future) it is necessary to record and analyze them. In case of a crash of Albion Online or a problem in the game process, an error analysis can be performed by reading the logs in connection with your IP and ID and information about the device used. The chat logs are stored in order to be able to trace the respective chats in case of complaints, e.g. because of insults.

These purposes also constitute our legitimate interest in the processing of personal data, which outweighs the user's interest in not processing, unless we process the data for the purpose of fulfilling contractual or pre-contractual obligations.

4. Storage time

The data will be deleted as soon as the purpose of its collection is no longer given. This is the case as soon as the data is no longer required for the use and provision of the game, for example if you have deleted your account and there are no further reasons for storing the data. The log data is kept as long as it is required for the purpose of analysis and diagnosis of the cause of crashes or malfunctions or fraud detection. As a rule, the data is deleted immediately after the facts have been clarified, but at the latest after 3 years. The chat logs/ -protocols are usually deleted after 30 days.

If certain data is collected in the course of gaming operations which we are obliged to store due to tax, commercial law or other regulations, it will not be deleted until the respective legal retention or storage periods have expired. The legal basis for this data storage is Art. 6 para. 1 lit. c GDPR.

5. Recipients of the data and transfer to a third country

As part of our gaming operations, we share your information with various companies in Canada and the USA.

We forward the log data to OVH Canada, 50 Rue de l'Aluminerie, Beauharnois, QC J6N 0C2, Canada, that stores the logs for quality assurance as a processor (cf. Art. 28 GDPR). Your personal data will be processed by these companies in Canada on our behalf for quality assurance purposes.

A transfer to OVH to Canada as a third country within the meaning of the GDPR is permissible according to Art. 44, 45 GDPR, as an adequate level of data protection is given for Canada in relation to this company.

On the basis of Art. 25 para. 6 EU-data privacy directive (1995), the EU Commission has issued an adequacy decision (2002/2/EC) for Canada, i.e. there is an intergovernmental agreement between Canada and the European Union. This agreement regulates the protection of personal data transferred to Canada from a member state of the European Union. Accordingly, private companies subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) are required to provide adequate data protection. This ensures an adequate level of protection for the processor OVH despite the lack of an adequacy decision by the EU Commission within the meaning of Art. 45 GDPR.

We will forward your data to Backblaze Inc, 500 Ben Franklin Ct San Mateo, CA 94401, USA, which takes over backup services for the log data as a processor (cf. Art. 28 GDPR) within the scope of quality assurance. Your personal data will be processed by this company in the USA on our behalf for quality assurance purposes. Backblaze Inc. has concluded EU standard contractual clauses with us and thus offers sufficient guarantees for adequate data protection within the meaning of Art. 46 GDPR.

We will also forward your data to Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, which handles quality assurance as a contract processor using the Crashlytics tool (cf. Art. 28 GDPR). Your personal data will be processed by this company in the USA on our behalf for quality assurance purposes. Google has concluded EU standard contractual clauses with its group companies in the USA and thus offers sufficient guarantees for adequate data protection within the meaning of Art. 46 GDPR.

We use the services of the processor G Core Labs S.A., 2A, Rue Albert Borschette, L-1246 Luxembourg (G-Core) to process personal data. G-Core is permitted to process personal data outside the European Union. This is legitimate as G-Core has concluded EU Standard Contractual Clauses with their service providers (subcontractors). G-Core thus offers sufficient guarantees for an adequate data protection according to article 46 GDPR. A copy of the EU Standard Contractual Clauses can be found here: https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:039:0005:0018:DE:PDF

XI. Payment and verification of payment

1. Description and extent of data processing

When paying for digital goods in our shop, it is important to us to monitor the security of payment transactions and the legitimacy of the payment and thus also to protect your payment data from potential misuse. As part of the payment process in the shop, the following data, among others, are processed by us:

IP
Email address
Language in which the shop is used
Account ID
Order information

The payment data (account number, credit card number, etc.) are expressly not collected by us, but by the corresponding payment service providers. For the processing of the payment we primarily work with the European service provider Adyen BV.

2. Legal basis for data processing

The legal basis for the processing of the data is Art. 6 para. 1 lit. f GDPR and, insofar as the personal data are processed for the execution of a contract, Art. 6 para. 1 lit. b GDPR.

3. Purpose of data processing

Purpose of data processing is to manage the payment transaction and to verify its legality, in particular to prevent fraud and to settle any disputes on payment. This is also our legitimate interest in the processing.

4. Storage time

The data will be deleted as soon as the purpose of its collection is no longer given. This is the case as soon as the check for the corresponding payment transaction has been completed and it has been ensured that the corresponding payment was made legally.

If data is collected in the course of payment operations which we are obliged to store due to tax, commercial law or other regulations, it will not be deleted until the respective legal retention or storage periods have expired. The legal basis for this data storage is Art. 6 para. 1 lit. c GDPR.

5. Recipients of the data (and transfer to a third country)

As part of the payment, we will forward the data specified under point X. No. 1. to the service provider Adyen BV, Simon Carmiggeltstraat 6-50, 1011 DJ Amsterdam, Netherlands. Adyen then collects the data relevant for the payment as contract processor (cf. Art. 28 GDPR) for us and processes the payment. Adyen only stores your payment data in Europe.

As part of the payment via PayPal, Adyen will forward the information described in section X. No. 1. to the payment service provider PayPal Inc. so that PayPal Inc. can execute your payment. The further payment, in particular the collection of payment data, will then be made via PayPal Inc via your PayPal account. This is governed by the privacy policy of PayPal Inc.

XII. Custom-Audiences and Lookalike-Audiences

1. Description and extent of data processing

If you have registered for Albion Online on our website and have provided your email address and consent to custom or lookalike audiences (sending the encrypted email address for matching to Facebook, YouTube, Reddit and TikTok), we can use these lookalike audiences to send you interesting advertisements in connection with Albion Online on Facebook, YouTube, Reddit and TikTok, provided you are a customer there.

For more information on the collection and use of data by Facebook (a service of Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland), YouTube (a service of Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland), Reddit (Reddit, Inc., 548 Market St. #16093, San Francisco, California 94104, USA) or TikTok (a service of TikTok Technology Ltd, 10 Earlsfort Terrace, D02 T380, Dublin, Ireland) and your rights and options to protect your privacy are set forth in the Facebook Privacy Notice at https://www.facebook.com/about/privacy/ or YouTube/Google at https://policies.google.com/privacy?hl=de&gl=de or Reddit at https://www.redditinc.com/policies/privacy-policy or TikTok at https://www.tiktok.com/legal/privacy-policy?lang=de-DE.

2. Legal basis for data processing

The legal basis for sending the encrypted email address and the associated processing of the email address is Art. 6 para. 1 lit. a GDPR.

3. Purpose of data processing

In this context, the processing of the email address serves the purpose of sending you interesting advertisements in connection with Albion Online on Facebook, YouTube, Reddit and TikTok, if you are a potential customer there.

4. Storage time, Possibility of opposition and elimination

Your email address will only be processed for these processing purposes until you revoke your consent. All processing operations carried out until you revoke your consent remain unaffected. You can revoke your consent at any time in your user profile.

5. Recipient of the data and transfer to a third country

As part of the Lookalike-Audiences functions, your encrypted email address is transmitted to Facebook, YouTube/Google, Reddit or TikTok (depending on whether you are a customer there). It may happen that Facebook, YouTube/Google, Reddit or TikTok also process data on servers outside the European Union. By concluding EU standard contract clauses, the companies guarantee an adequate level of data protection within the meaning of Artt. 44 et seq. GDPR. The legal basis for processing outside the European Union in connection with the lookalike audit function is Art. 6 Para. 1 lit. a GDPR. You can also revoke this consent at any time in the settings. If you revoke your consent for processing outside the European Union, however, it will no longer be possible to continue using the Custom- or Lookalike-Audiences functions.

XIII. Marketing Pixel

1. Description and scope of data processing

We use marketing pixels on our website from the service providers Facebook (a service of Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland), YouTube (a service of Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland), Reddit (Reddit, Inc., 548 Market St. #16093, San Francisco, California 94104, USA), TikTok (a service of TikTok Technology Ltd, 10 Earlsfort Terrace, D02 T380, Dublin, Ireland), Twitter (a service of Twitter International Unlimited Company, One Cumberland Place, Fenian Street Dublin 2, D02 AX07 Ireland), LINE (a service of LINE Corporation, Yotsuya Tower 23rd FL., 1-6-1 Yotsuya, Shinjuku-ku, Tokyo, 160-0004, Japan) and Yahoo (a service of Yahoo EMEA Limited, 5-7 Point Square, North Wall Quay, Dublin, Ireland). We implemented a code for each of these services on our website. Each pixel is a snippet of JavaScript code that loads a collection of functions that allow service providers to track your user actions if you came to our website via service provider ads. For example, if you purchase a product on our website, the pixels are triggered and store your actions on our website in respective cookies. These cookies enable the service providers to match your user data (customer data such as IP address, user ID) with the data of your respective service provider account. The service providers then delete this data. The collected data is anonymous and cannot be viewed by us and is only used for advertising purposes. If you are a user of one of the service providers and are logged in to your account there, your visit to our website is automatically assigned to your respective service provider user account.

We only want to show our services or products to people who are really interested in them. With the help of those marketing pixels our advertising measures can be better adjusted to your wishes and interests. For example, users of the aforementioned platforms (provided they have allowed the use of cookies required for personalized advertising) will see appropriate ads. In addition, the service providers use the collected data for analysis purposes and their own advertisements.

The cookies, which are set by the integration of marketing pixels, can be found here: https://albiononline.com/cookies

For more information on the collection and use of the data by our service providers as well as on your rights and possibilities for the protection of your privacy in this regard, please refer to the privacy notices of our processors.
Facebook: https://www.facebook.com/about/privacy
Youtube/ Google: https://policies.google.com/privacy
Reddit: https://www.redditinc.com/policies/privacy-policy
TikTok: https://www.tiktok.com/legal/privacy-policy
Twitter: https://twitter.com/de/privacy
LINE: https://line.me/en/terms/policy
Yahoo: https://legal.yahoo.com/us/en/yahoo/privacy

2. Legal basis for data processing

The legal basis for the setting of cookies and the associated processing of personal data is Art. 6 para. 1 let. a GDPR.

3. Purpose of data processing

The purpose of setting cookies is to send you interesting advertisements in connection with Albion Online on Facebook, Twitter, LINE, Yahoo, YouTube, Reddit and TikTok, if you are a customer there.

4. Duration of storage, possibility of objection and removal

The cookies are only processed for these processing purposes until you revoke your consent. All processing operations carried out until you revoke your consent remain unaffected by this. You can revoke your consent at any time here: https://albiononline.com/cookies

5. Recipient of the data and transfer to a third country

Within the scope of the use of marketing pixels functions, the personal data contained in the cookies is transmitted to Facebook, Twitter, Line, Yahoo, YouTube/Google, Reddit or TikTok (depending on whether you are a customer there). It may happen that Facebook, Twitter, Line, Yahoo, YouTube/Google, Reddit or TikTok also process data on servers outside the European Union. By concluding EU standard contract clauses, Facebook, Youtube/ Google, Reddit, TikTok, Twitter, LINE and Yahoo guarantee an adequate level of data protection within the meaning of Artt. 44 et seq. GDPR. The legal basis for the processing outside the European Union in connection with the marketing pixels is Art. 6 para. 1 lit. a GDPR. You can also revoke this consent at any time in the settings. However, if you revoke only your consent for processing outside the European Union, further use of the marketing pixel functions will no longer be possible.

XIV. AppsFlyer

1. Description and scope of data processing

We use the analytics and advertising service AppsFlyer of AppsFlyer Ltd, 14 Maskit st., Herzliiya, Israel, on our Website and in our Apps. In order to track the use of the Website and the Apps, we provide AppsFlyer with information regarding the use of the Website and the Apps, regarding the Website by means of cookies and regarding the Apps by means of the SDK (Software Development Kit). In the case of the website, this is information to determine statistical parameters about the use of our offers, such as IP address, cookie ID, device ID, IDFA ("identifier for advertisers"), user data (browser, operating system, device information), marketing touchpoint information (channel, source, campaign, timestamp), onsite touchpoint information (page visited, referrer URL, action/conversion/add to basket, timestamp). When using our apps, we transmit information about downloads and installs as well as regarding "in-app events" such as in-app purchases. AppsFlyer receives information from the data transmitted to the servers by the SDKs in a mobile end-user application. The data collected by the SDK includes information such as IP addresses (anonymized), browser, platform, SDK version, anonymized user ID, IDFA ("identifier for advertisers"), Android ID, Google advertiser ID, time key, developer key, application version and device identifiers (such as Identifier For Advertisers), Google advertiser ID, device model, device manufacturer, operating system version, in-app events (e.g. add to cart, in-app purchases, clicks, engagement time) and network status (WLAN/3G). We receive the information from AppsFlyer exclusively in aggregated and insofar anonymous form.

We also use the data collected by Appsflyer to run marketing campaigns on our app and website channels.

2. Legal basis for data processing

The legal basis for the data processing related to AppsFlyer for analytics as well for the marketing purposes is your consent (Art. 6 para. 1 lit a GDPR); for the website, consent to the use of cookies and for the apps, consent in the respective window provided for this purpose.

3. Purpose of the data processing

We use the AppsFlyer service to measure the success of our campaigns. The end user data collected by the AppsFlyer platform is representative for us to analyze our apps.

With this service we are also able to run marketing campaigns and analyze how successful they were.

4. Duration of data processing, possibility of revocation

Data processing via AppsFlyer takes place until you revoke your consent. You can revoke your consent to data collection and storage by AppsFlyer at any time with effect for the future by deactivating AppsFlyer cookies on the website or - in the case of an app - deactivating AppsFlyer in the profile settings or following the instructions at https://www.appsflyer.com/optout. The consent of the website and app are independent of each other and can therefore also be revoked separately. All processing operations carried out until the revocation of the respective consent remain unaffected.

5. Recipients of the data and transfer to a third country

A transmission of your data to third countries cannot be excluded. We guarantee the adequacy of data transfer to third countries through the agreement of EU standard contractual clauses.

XV. Google Firebase

1. Description and scope of data processing

We use the developer platform called “Google Firebase” as well as the associated functions and services of Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland; “Google”). Google Firebase is a platform for developing apps for mobile devices and websites. Google Firebase offers a variety of features, which can be found on the following summary page: https://firebase.google.com/products/ The functions include the storage of apps, including users’ personal data, such as content they have created or information regarding their interaction with the apps. Google Firebase also offers interfaces that allow interaction between the users of the app and other services. The analysis of user interactions is carried out using the analysis service of Firebase Analytics. This service helps us to record our users’ interactions. Events such as the first time an app is opened, the uninstalling of an app, updates, crashes or the frequency of use of the app are recorded. Certain user interests are also recorded and evaluated. The information processed by Google Firebase may be used with other Google services, such as Google Analytics and Google marketing services. In this case, only pseudonymous information, such as the Android Advertising ID or the Advertising Identifier for iOS, will be processed to identify users’ mobile devices. Additional information on the use of data for marketing purposes by Google can be found on the summary page: https://www.google.com/policies/technologies/ads, Google’s privacy policy is available at https://www.google.com/policies/privacy.

2. Legal basis for data processing

The legal basis for the data processing related to Google Firebase is your consent according to Art. 6 para. 1 lit a GDPR https://gdpr-info.eu/art-6-gdpr

3. Purpose of the data processing

We use the Google Firebase services to measure the success of our marketing campaigns and to optimize our communication with our existing app users.

4. Duration of data processing, possibility of revocation

If you wish to object to interest-based advertising through Google marketing services, you can use the settings and opt-out options provided by Google: http://www.google.com/ads/preferences.

5. Recipients of the data and transfer to a third country

A transmission of your data to the USA cannot be excluded. We guarantee the adequacy of data transfer to the third country USA through the agreement of EU standard contractual clauses.

XVI. Cheat prevention by Easy Anti-Cheat (‘EAC’)

1. Description and extent of data processing

Upon registration or during the use of Albion Online, the following data may be collected and processed about the user:

Username and account identifier;
In-game reports filed involving the subject;
In-game movements and other gameplay behavior;
Technical information about the hardware used to play the Game, such as motherboard manufacturer, CPU identifier, GPU identifier, and
general performance indicators;
Technical information about the methods, technics, technologies or alike used by the subject within the Game that may be suspected to indicate the use of methods that are considered unacceptable by Sandbox Interactive GmbH; and/or
Other equivalent information.

In addition, the Service may collect automatically saved data, such as the technical log of the server (e.g. the user's IP-address or session history), during the use of the Game.

The above-mentioned data is primarily obtained from the user's usage of Albion Online. Additionally, player account identification data may also be obtained from us or our service providers such as Steam, GOG, and others (“Service Providers”). By registering for the Game, the user agrees to accept these disclosures.

2. Legal basis for data processing

The legal basis for the processing of the data is Art. 6 para. 1 lit. f GDPR and, insofar as the personal data are processed for the execution of a contract, Art. 6 para. 1 lit. b GDPR. A transfer to service providers in Switzerland as a third country within the meaning of the GDPR is permissible in accordance with Art. 44, 45 GDPR, as an adequate level of data protection is given for Switzerland on the basis of an appropriateness decision of the EU Commission.

3. Purpose of data processing

The purpose of processing personal data is to provide solutions against cheating and fraud in Albion Online. In practice this means information is gathered of the Players interacting in the Game and the gathered information is exchanged between Service Provider and us.

Service Provider uses the personal data of users for the following purposes.

Prevention and solving of misuse of the Game by the user (e.g. cheating and other unacceptable methods);
Identification and solving of misuse of the Game by the user (e.g. cheating and other unacceptable methods);
Compilation of statistics, analyzing and auditing regarding users;
Identification of the user’s digital player account;
User-specific adaptation of the Service;
Producing and developing the Services; and/or
Other equivalent purposes of use.

4. Storage time

General profile data and aggregated statistical data about users are stored for the entire duration of the legitimate interest of the Customer and the service agreement between Service Provider and us for Albion Online.

Other personal data are processed in real-time and stored for a duration of maximum 5 days. If the data is suspected to indicate misuse in the Game, the relevant data samples are stored for at most 3 months. If the data is determined to indicate misuse in the Game, the data remains stored until no longer necessary for the purposes provided herein.

5. Automated decision-making

The processing of users' personal data will include automated decision-making. The method by which Easy Anti-Cheat processes the data allows observation of whether particular personal data suggests anomalies and may indicate misuse of the Game.

If the user is deemed to have misused Albion Online based on automated decision-making, they will be flagged and it is up to us to determine what consequences are implemented for the identified misuse of the Game. If we decide to sanction a user based on the information Service Provider has provided, the user will have the opportunity to appeal the automated decision by contacting Service Provider’s helpdesk at www.easy.ac/contact/, at which point an expert will review the data and assess the decision.

6. Recipient of the data and transfer to a third country

The recipient of the data is Easy Anti-Cheat Oy, Tammasaarenkatu 3, FI-00180 Helsinki, Finland.

The user's personal data may be transferred outside of the European Union or the European Economic Area to the parties expressed in the privacy statement of Easy Anti-Cheat: https://www.easy.ac/support/albion/account/privacy/

Users can be assured that the transfer of information is always executed in a legal and professional manner. Our service provider has concluded EU standard contractual clauses with its subcontractors and thus offers sufficient guarantees for adequate data protection within the meaning of Art. 46 DSGVO.

XVII. Cheat prevention by Xigncode

1. Description and extent of data processing

Upon registration or during the use of Albion Online, the following data may be collected and processed about the user:

User-ID;
In-game movements and other gameplay behavior;
Technical information about the hardware and the operating system used to play the Game, including indicators for connected HID-hardware;
Technical information about the methods, techniques, technologies or alike used by the subject within the Game that may be suspected to indicate the use of methods that are considered unacceptable by Sandbox Interactive GmbH; and/or
Other equivalent information.

In addition, the Service may collect automatically saved data, such as the technical log of the server (e.g. the user's IP-address or session history), during the use of the Game.

2. Legal basis for data processing

The legal basis for the processing of the data is Art. 6 para. 1 lit. f GDPR and, insofar as the personal data are processed for the execution of a contract, Art. 6 para. 1 lit. b GDPR.

3. Purpose of data processing

Service Provider uses the personal data of users for the following purposes.

Prevention and solving of misuse of the Game by the user (e.g. cheating and other unacceptable methods);
Identification and solving of misuse of the Game by the user (e.g. cheating and other unacceptable methods);
Compilation of statistics, analyzing and auditing regarding users;
Identification of the user’s digital player account;
User-specific adaptation of the Service;
Producing and developing the Services; and/or
Other equivalent purposes of use.

4. Storage time

Other personal data are processed in real-time and stored for a duration of a maximum of 30 days. If the data is determined to indicate misuse in the Game, the data remains stored until no longer necessary for the purposes provided herein.

5. Automated decision-making

The processing of users' personal data will include automated decision-making. The method by which Xigncode processes the data allows observation of whether particular personal data suggests anomalies and may indicate misuse of the Game.

6. Recipient of the data and transfer to a third country

The recipient of the data is Wellbia.com Co., Ltd., #1107, AceHighEnd Tower 3, 145, Gasan Digital 1.ro, Geumcheon-gu, Seoul, Korea 08506.

Users can be assured that the transfer of information is always executed in a legal and professional manner. We have concluded EU Standard Contractual Clauses with our service provider Wellbia.com Co., Ltd. thus offer sufficient guarantees for adequate data protection within the meaning of Art. 46 DSGVO.

XVIII. Web analysis with Google Analytics

1. Description and extent of data processing

Our website uses Google Universal Analytics, a web analysis service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). Google Universal Analytics uses "cookies", which are text files placed on users' computers, to help the website analyze how users use the site. The information generated by the cookie about the use of the website by users is generally transferred to a Google server in the USA and stored there. IP anonymization has been activated on this website so that the IP addresses of users of Google within Member States of the European Union or in other signatory states to the Agreement on the European Economic Area are previously shortened. In some cases, the full IP address is transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information to evaluate the use of the website by the users, to compile reports on the website activities and to provide the website operator with further services associated with the use of the website and the Internet. The IP address transmitted by your browser in the context of Google Universal Analytics is not merged with other Google data.

2. Legal basis for data processing

The legal basis for processing users' personal data is Art. 6 para. 1 lit. a GDPR.

3. Purpose of data processing

The processing of user data by Google Analytics enables us to analyze the surfing behavior of our users. We are able to compile information about the use of the individual components of our website by evaluating the data obtained. This helps us to continuously improve our website and its user-friendliness. By anonymizing the IP address, users' interest in protecting their personal data is sufficiently taken into account.

4. Storage time

Google Analytics cookies will only be processed until you revoke your consent. All processing operations carried out until you revoke your consent remain unaffected. You can revoke your consent at any time here: https://albiononline.com/cookies

You can also object to the collection of data described above at any time with effect for the future by using the deactivation add-on for browsers from Google Analytics at http://tools.google.com/dlpage/gaoptout?hl=en.
There won't be data transferred to Google Universal Analytics anymore.

Furthermore, you can also prevent data collection by Google Universal Analytics by clicking on this link. An opt-out cookie is set to prevent future collection of your data when you visit this website. The opt-out cookie is only valid in this browser and only for our website and is stored on your device. If you delete the cookies in this browser, you must set the opt-out cookie again.

In addition, user and event-level data stored by Google that is linked to cookies, user IDs (e.g. User ID) or advertising IDs (e.g. DoubleClick cookies, Android advertising ID) is anonymized or deleted after 14 months. Details can be found under the following link: https://support.google.com/analytics/answer/7667196?hl=de.

5. Recipient of the data and transfer to a third country

The recipient of the data is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. For the cases in which personal data is transferred to the USA, a transfer to Google Inc. in the USA is permitted. The company has been certified according to the requirements of the EU-US Privacy Shield. Details on the Privacy Shield can be found in Section IV No. 5 of this data protection declaration.

XIX. Surveys

1. Description and extent of data processing

We conduct occasional customer surveys for our game and other services. For this purpose, we collect and process your data as provided in the surveys. We use the services of SurveyMonkey Inc (a service of San Mateo, One Curiosity Way, San Mateo, California 94403, USA) and Google Forms (a service of Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland) to conduct the surveys. SurveyMonkey and Google collect additional information like your IP address from participants in the form of cookies, which are only intended to ensure that the survey service is fully usable and that the surveys run as intended. Depending on the content of the survey we may ask about your geographical location, email address, demographical data or similar. Your participation in the surveys is entirely voluntary. If you do not participate in the survey, no personal information will be collected.

For more information on the collection and use of the data by SurveyMonkey and Google, please refer to the privacy notices of SurveyMonkey at https://www.surveymonkey.com/mp/legal/privacy/ and Google at https://policies.google.com/privacy.

2. Legal basis for data processing

The legal basis for the use of this information is your consent in accordance with Art. 6 paragraph 1 sentence 1 letter a GDPR. Your participation in the surveys is voluntary. Your consent to its use may be revoked at any time.

3. Purpose of data processing

The data processing serves the purpose of improving the game and customer experience when interacting with our game or services.

4. Storage time

Your personal information will only be processed for these purposes until you revoke your consent. All processing operations carried out until you revoke your consent remain unaffected.

5. Recipient of the data and transfer to a third country

The adequacy of data transfer to the third country USA is guaranteed through the agreement of EU standard contractual clauses. By concluding EU standard contract clauses, Google and SurveyMonkey guarantee an adequate level of data protection within the meaning of Art. 44 et seq. GDPR. The legal basis for the processing outside the European Union in connection with the surveys is Art. 6 para. 1 lit. a GDPR.

XX. Other recipients of personal data (EU only)

For the provision of our website and the offered contact possibilities, we make use of other service providers, including host providers and email providers, each based in the European Union, who process the data stored by them exclusively on our behalf as processors according to Art. 28 GDPR.

XXI. Rights of the data subject

If your personal information is processed, you have the following rights.

1. Right of access

You have the right to obtain from us confirmation as to whether or not personal information concerning you are being processed, and, where that is the case, access to the personal data and the following information:

a) the purposes of the processing;

b) the categories of personal data concerned;

c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

e) the existence of the right to request from us rectification or erasure of personal data or restriction of processing of personal information or to object to such processing;

f) the right to lodge a complaint with a supervisory authority;

g) where the personal data are not collected from you, any available information as to their source;

h) the existence of automated decision-making, including profiling, referred to in Art. 22 para. 1 and 4 and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.

You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organization. In this context, you may request to be informed of the appropriate guarantees pursuant to Art. 46 GDPR in connection with the transmission.

2. Right of rectification

You have the right to obtain from us within undue delay the rectification of inaccurate or incomplete personal information. Taking into account the purposes of the processing, you shall have the right to have incomplete personal information completed, including by means of providing a supplementary statement.

3. Right to restriction of processing

You shall have the right to obtain from us restriction of processing where one of the following applies:

a) the accuracy of the personal data is contested by yourself, for a period enabling us to verify the accuracy of the personal data;

b) the processing is unlawful and the data subject opposes the erasure of the personal information and requests the restriction of their use instead;

c) we no longer need the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

d) You have objected to processing pursuant to Art. 21 para. 1 pending the verification whether the legitimate grounds override those of the data subject.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.

If you have obtained restriction of processing pursuant to the above, you shall be informed by us before the restriction of processing is lifted.

4. Right to erasure (‘right to be forgotten’)

You shall have the right to obtain from us the erasure of personal information concerning without undue delay and we shall have the obligation to erase personal information without undue delay where one of the following grounds applies:

a) the personal information is no longer necessary in relation to the purposes for which they were collected or otherwise processed;

b) you withdraw consent on which the processing is based according to Art. 6 para.1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR, and where there is no other legal ground for the processing;

c) you object to the processing pursuant to Art. 21 para. 1 GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 para 2 GDPR;

d) the personal information has been unlawfully processed;

e) the personal information has to be erased for compliance with a legal obligation in the European Union

f) the personal information has been collected in relation to the offer of information society services referred to in Article 8 para.1.

Where we have made the personal information public and is obliged pursuant to the above to erase the personal information, we, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

The right to erasure shall not apply to the extent that processing is necessary:

a) for exercising the right of freedom of expression and information;

b) for compliance with a legal obligation which requires processing by the European Union or for the performance of a task carried out in the public interest

c) for reasons of public interest relating to public health pursuant to Article 9(2)(h) and (i) and Article 9(3) of the DPA;

d) for archiving, scientific or historical research purposes in the public interest or for statistical purposes in accordance with Art. 89 para. 1 GDPR, insofar as the right referred to in section a) is likely to make it impossible or seriously impede the attainment of the objectives of such processing, or

e) for the establishment, exercise or defence of legal claims.

5. Notification regarding rectification or erasure of personal data or restriction of processing

We shall communicate any rectification or erasure of personal data or restriction of processing carried to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. We will inform you about those recipients if you request it.

6. Right to data portability

You have the right to receive the personal information, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal information have been provided, where:

a) the processing is based on consent pursuant to Art. 6 para 1 lit. a or Art. 6 para 1 lit. b or Art. 2 para 2 lit. a

b) the processing is carried out by automated means.

The right shall not adversely affect the rights and freedoms of others.

In exercising your right to data portability you shall have the right to have the personal information transmitted directly from one controller to another, where technically feasible.

The exercise of this right shall be without prejudice to the right of erasure. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right to object

You shall have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning him or her which is based on Art. 6 para. 1 lit e) or lit. f). We shall no longer process the personal information unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

Where personal information is processed for direct marketing purposes, you shall have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where you object to processing for direct marketing purposes, the personal information shall no longer be processed for such purposes.

At the latest at the time of the first communication with you, the right referred to above shall be explicitly brought to your attention shall be presented clearly and separately from any other information.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise his or her right to object by automated means using technical specifications.

8. Right to revoke the declaration of consent

You have the right to revoke your data protection declaration of consent at any time. Revocation of your consent does not affect the legality of the processing that has taken place on the basis of your consent until revocation.

9. Automated individual decision-making

The you shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you

This shall not apply if the decision:

a) is necessary for entering into, or performance of, a contract between you and us

b) is authorised by European Union law and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or

c) is based on your explicit consent.

We shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on our part, to express our point of view and to contest the decision.

Decisions shall not be based on special categories of personal data referred to in unless Art. 9 para.2 lit. a) or lit g) applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.

10. Right of complain to a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right of appeal to a supervisory authority, in particular in the European Member State where you reside, work or suspect of infringement, if you believe that the processing of personal information concerning you is not in compliance with GDPR. The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy under Art. 78 GDPR.

XXII. List of companies we provision personal data to, after consent:

Company Name: Google Ireland Limited
Items of Provision: Encrypted e-mail address, Android Advertising ID, iOS Advertising identifier, records user events like app opens / crashes, user interests
Purpose: Ad campaign measurement and performance of marketing campaigns
Retention & Use Period: Until consent is revoked or account deleted

Company Name: Facebook Ireland Limited
Items of Provision: Encrypted e-mail address
Purpose: Ad campaign measurement and performance of marketing campaigns
Retention & Use Period: Until consent is revoked or account deleted

Company Name: TikTok Pte. Ltd
Items of Provision: Encrypted e-mail address
Purpose: Ad campaign measurement and performance of marketing campaigns
Retention & Use Period: Until consent is revoked or account deleted

Company Name: reddit
Items of Provision: Encrypted e-mail address
Purpose: Ad campaign measurement and performance of marketing campaigns
Retention & Use Period: Until consent is revoked or account deleted

Company Name: AppsFlyer
Items of Provision: IP addresses (anonymized), browser, platform, SDK version, anonymized user ID, IDFA ("identifier for advertisers"), Android ID, Google advertiser ID, time key, developer key, application version and device identifiers (such as Identifier For Advertisers), Google advertiser ID, device model, device manufacturer, operating system version, in-app events (e.g. add to cart, in-app purchases, clicks, engagement time) and network status (WLAN/3G)
Purpose: Ad campaign measurement and performance of marketing campaigns
Retention & Use Period: Until consent is revoked or account deleted

Company Name: Twitter International Unlimited Company
Country: USA
Purpose: Statistical Analysis, Marketing
Data transfered: Encrypted email address
Retention period: Until consent is revoked or account is deleted

Company Name: LINE Corporation
Country: Japan
Purpose: Statistical Analysis, Marketing
Data transfered: Encrypted email address
Retention period: Until consent is revoked or account is deleted

Company Name: Yahoo EMEA Limited
Country: USA
Purpose: Statistical Analysis, Marketing
Data transfered: Encrypted email address
Retention period: Until consent is revoked or account is deleted

XXIII. List of all our data processing partners, including those we provision data to after consent and the target country / countries of data transfer:

Company Name: Zendesk (privacy@zendesk.com)
Country: USA
Purpose: Handling User Requests in Customer Support
Data transferred: E-mail address, customer query, IP Address, Account ID
Retention Period: Account deletion, three years after the request is concluded the latest

Company Name: OVH (privacy@corp.ovh.us)
Country: Canada
Purpose: Gaming operation - Web hosting, Cloud storage
Data transferred: e-mail address, IP address, account ID
Retention Period: After legal retention or storage periods have expired or until account deletion

Company Name: Adyen B.V. (dpo@adyen.com)
Country: Netherlands
Purpose: Payment transaction and verify legality
Data transferred: IP address, e-mail address, shop language, account ID, order information
Retention Period: After legal retention or storage periods have expired

Company Name: G-Core Labs S.A. (privacy@gcore.com)
Country: Luxembourg, US
Purpose: Gaming operation
Data transferred: Time of log-in, ip address, information about actions in the game, progress of the game, user messages / chat protocols, information on operating system, e-mail address
Retention Period: After legal retention or storage periods have expired or until account deletion

Company Name: Paypal (https://www.paypal.com/de/smarthelp/contact-us/privacy)
Country: EU, USA
Purpose: Payment transaction and verify legality
Data transferred: IP address, e-mail address, shop language, account ID, order information
Retention Period: After legal retention or storage periods have expired

Company Name: Easy Anti-Cheat (privacy@support.epicgames.com)
Country: EU, USA
Purpose: Solutions against cheating and fraud
Data transferred: Username and account identifier, In-game reports filed involving the subject, In-game movements and other gameplay behavior, technical information about the hardware used to play the Game, such as motherboard manufacturer, CPU identifier, GPU identifier, and
general performance indicators; technical information about the methods, technologies or alike used by the subject within the Game that may be suspected to indicate the use of methods that are considered unacceptable by Sandbox Interactive GmbH; and/or other equivalent information.
Retention Period: General and aggregated statistical data, for the duration of the service agreement; personal data for five days, in case of suspected misuse 3 months

Company Name: Facebook Ireland Limited (support@fb.com)
Country: Ireland
Purpose: Statistical analysis and marketing
Data transferred: Encrypted email address
Retention Period: Until consent is revoked or account is deleted

Company Name: Sendgrid Inc. / Twilio ( privacy@twilio.com)
Country: USA
Purpose: Game information and offers
Data transferred: E-mail address
Retention Period: Until consent is revoked or account is deleted

Company Name: Google Ireland Limited (support-deutschland@google.com)
Country: Ireland
Purpose: Statistical Analysis, Marketing, Quality Assurance
Data transferred: Encrypted email address, Android Advertising ID, iOS Advertising identifier, records user events like app opens / crashes, user interests
Retention Period: Until consent is revoked or account is deleted

Company Name: TikTok (https://www.tiktok.com/legal/report/DPO)
Country: Ireland
Purpose: Statistical Analysis, Marketing
Data transferred: Encrypted email address
Retention Period: Until consent is revoked or account is deleted

Company Name: Backblaze (privacy@backblaze.com)
Country: USA
Purpose: Data security
Data transferred: Encrypted Backup data
Retention Period: Until consent is revoked or account is deleted and backup retention period has run out

Company Name: XignCode (biz@wellbia.com)
Country: Korea
Purpose: Solutions against cheating and fraud
Data transferred: User-ID; In-game movements and other gameplay behavior; technical information about the hardware and the operating system used to play the Game, including indicators for connected HID-hardware; technical information about the methods, techniques, technologies or alike used by the subject within the Game that may be suspected to indicate the use of methods that are considered unacceptable by Sandbox Interactive GmbH; and/or other equivalent information.
Retention Period: General and aggregated statistical data, for the duration of the service agreement; personal data for a maximum of 30 days

Company Name: Reddit (eurepresentative@reddit.com)
Country: USA
Purpose: Statistical Analysis, Marketing
Data transferred: Encrypted email address
Retention Period: Until consent is revoked or account is deleted

Company Name: AppsFlyer (privacy@appsflyer.com)
Country: Israel
Purpose: Ad campaign measurement and performance of marketing campaigns
Data transferred: IP address (anonymized), browser, platform, SDK version, anonymized user ID, IDFA ("identifier for advertisers"), Android ID, Google advertiser ID, time key, developer key, application version and device identifiers (such as Identifier For Advertisers), Google advertiser ID, device model, device manufacturer, operating system version, in-app events (e.g. add to cart, in-app purchases, clicks, engagement time) and network status (WLAN/3G)
Retention Period: Until consent is revoked or account is deleted

Company Name: Amazon Web Services (eu-privacy@amazon.de)
Country: Worldwide, depending on user location
Purpose: Content Delivery Network
Data transferred: IP address
Retention Period: After conclusion of client download

Company Name: Amazon Web Services (eu-privacy@amazon.de)
Country: Germany
Purpose: Transactional email delivery
Data transferred: E-mail address
Retention Period: Until account is deleted

Effective February 13, 2023