Last revised: 25 May 2018
By “Personal Data”, we refer to data that relates to you as an identified or identifiable natural person. Personal data include your name, your address, your telephone number, your email address, your age, your gender, or a part of your credit card number, for instance. Anonymous information, which we are not in a position to relate to you, does not qualify as Personal Data.
1. Controller’s name and contact details
Controller in the sense of the General Data Protection Regulation (GDPR) and other data protection or data privacy laws in the Member States of the European Union or the European Economic Area and other guidelines with a data protection nature regarding the Services is:
2400 Bridge Pkwy, 2nd Floor
Redwood City, CA 94065
United States of America
The Controller is called “Storm8”, “we”, “our” and “us” in this Policy.
The Representative of Storm8 pursuant to Art. 27 of the GDPR may be contacted at:
Tel: +49 (0) 40 99999 – 3430
Fax: +49 (0) 40 99999 – 3332
2. Contact details of the Data Protection Officer (DPO)
The Data Protection Officer of Storm8 may be contacted at email@example.com.
3. General information on data processing
We process Personal Data with your consent, when necessary for the performance of a contract with you, when processing is necessary for compliance with a legal obligation we are subject to, or based on our legitimate interests, except where such interests are overridden by the interests or fundamental rights and freedoms of you which require the protection of your Personal Data.
3.1 Information Security
We and our employees understand the need for user privacy, and we maintain reasonable and appropriate security procedures to protect your information from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the Personal Data. However, no security system is impenetrable, and we cannot guarantee the security of our systems or your information.
We will not knowingly collect personal information from any child, or process such information, without parental consent. For the purpose of this Policy, a child means any individual who is under the age of 16 (or the minimum legal age to consent to the collection and processing of personal information where this is different under applicable law).
We may share Personal Data with certain service providers in order to provide our Services to you. We use service providers for hosting, customer support, app distribution, and advertising.
The transfer to such recipients is based on the respective legal basis set out in this Policy, and is limited to what is necessary for the described purpose.
We may also share your Personal Data
3.4 Third country transfers
We transfer Personal Data to the following third countries:
|Recipients||Third countries||Legal safeguards of Recipients|
|Host provider||USA||DPAs (with attached guarantees), Privacy Shield|
|Customer support provider||USA||DPAs (with attached guarantees), Privacy Shield|
|App Distributors||USA||DPAs (with attached guarantees), Privacy Shield|
|Advertising Partners||USA||DPAs (with attached guarantees), Privacy Shield|
To receive a copy of the respective safeguards, please contact us at firstname.lastname@example.org.
3.5 Retention periods
We will retain your Personal Data only as long as it is necessary to fulfill the respective purpose, unless we are required by law to store your Personal Data longer.
3.6 Automated Decision-Making
We do not use automated-decision making, including profiling.
4. Use of our Site
On our Sites, we gather information either directly from you (e.g., when you provide certain information to us) or indirectly (e.g., through our Site’s technology).
4.1. Information collected indirectly
We indirectly collect a variety of information through your interaction with and use of our Sites. This information may include, but is not limited to, browser settings, data collected through automated electronic interactions, application usage data, demographic information, geographic or geo-location information, statistical and aggregated information (“Other Information”). The processing is necessary for the purpose of our legitimate interests in accordance with Article 6(1)(f) of the GDPR, as we need this information to keep user data safe by detecting certain threats, and to provide you with the best possible experience.
Statistical or aggregated information does not directly identify a specific person, but it may be derived from Personal Data. For example, we may aggregate Personal Data to calculate the percentage of users in a particular country.
If we combine Other Information with Personal Data, we will treat the combined information as Personal Data.
4.1.1 Tracking Data
Website traffic volume and patterns, such as the number of visitors to a given website or page on a daily basis is typically referred to as “Tracking Data”. This type of indirectly collected information is gathered through various means, such as an IP address, which is a number that is automatically assigned to your computer whenever you are surfing the Web. Web servers, the computers that “serve up” web pages, automatically identify your computer by its IP address. When you visit any of our Sites, our servers log your computer’s IP address.
To obtain these Tracking Data, we use third party analytics providers. The Third Party Analytics Providers use “Cookies”, which are text files placed on your computer, to help us analyse how users use our Sites. The information generated by the Cookie about your use of our Sites, including your IP address, will be transmitted to and stored by Third Party Analytics Providers’ servers. On our behalf, the Third Party Analytics Providers will use this information for the purpose of evaluating your use of our Sites, compiling reports on website activity, and providing other services relating to website activity. Our third party analytics tool is provided by Google. You may learn how to opt-out from Google’s collection of information from you at https://tools.google.com/dlpage/gaoptout. You may also find further information at Google Analytics: http://www.google.com/analytics/learn/privacy.html.
4.1.2 Third-party Cookies
Third parties serve cookies through our Sites for analytics and other purposes. This is described in more detail below. You can decide whether you want to accept these cookies. You may adjust your browser settings to prevent the reception of third-party cookies, or to provide notification whenever such third-party cookies are sent to you.
You may find a list of the cookies used on our Sites at http://www.storm8.com/cookie-notice.
4.2. Information collected directly
We also collect Personal Data and other information that you voluntarily provide. It is entirely your decision to provide the requested information. However, certain features of our Sites may not be available in this case.
We keep all information collected directly confidential, and will only use the information for the particular purpose it is collected for. We will seek your specific permission for any additional use.
4.2.1 User Accounts
When setting up an account on one of our Sites (“User Account”), you may be asked to provide Personal Data including, but not limited to, your name, email address, and your phone number.
As a user of our Sites, we may obtain your Personal Data when you register to use one of our Sites or services and products or when you provide feedback about our products or services. The processing is necessary to perform the contract with you according to Article 6(1)(b) of the GDPR. As a user, we will use your Personal Data, unless otherwise prohibited by law, for the following purposes:
Furthermore, we will use your Personal Data for our legitimate interests according to Article 6(1)(f) of the GDPR to notify you about information about features on our Sites, new product releases and service developments and to advertise our products and services in accordance with this Policy.
Any User Account data will only be stored until you decide to terminate your User Account. In case we are obliged to further store your Personal Data due to statutory retention requirements, your Personal Data will be barred for further use by us and only stored until such retention periods expire.
4.2.1 Personal Data provided by other means
Personal Data provided by you on our Sites by other means, e.g., via contact forms, will be stored in our service database and retained for the period necessary to fulfill our contractual obligations to you in accordance with Art. 6(1)(b) of the GDPR, unless a longer retention period is required by law.
5. Use of our Apps
Our Services include our applications which we publish (our “Games”).
5.1 Personal Data we Process
When you are playing one of our Games, we process the following Personal Data: Your username/game ID, your locale, your device identifier, and the platform your device uses. When you would like to use one of our Games on more than one device, it is necessary to set up a password, which we use to identify you together with your username/game ID.
We need this Personal Data to identify you; otherwise we are unable to provide you with our Services. The legal basis for our processing of your Personal Data is your contractual relationship with us (Art. 6(1)(b) of the GDPR).
We will also process the applicable time zone you are in upon login, your locale. as well as the language of your device when you log into our Games. Where the processing of your Personal Data exceeds the necessity to fulfill our contract (when analysing how you use our Game), the legal basis is our legitimate interest (Art. 6(1)(f) of the GDPR) to improve your experience with the game and to develop the game for future use.
5.2 Connection to Facebook
You may choose to connect a Game with your Facebook account (if this feature is available) in order to take advantage of additional social features or to keep your game data safe (otherwise it might be lost, when you lose access to your device). When doing so, we process your name, your email address, the location, time zone and your age previously provided to Facebook. We will also use your Facebook profile picture for any social features (like the leaderboard, etc.) within the game.
It is not necessary to connect the Game with a Facebook account in order to play the Game.
The legal basis for processing this Personal Data is our legitimate interest (Art. 6(1)(f) of the GDPR), which is to provide you with an easy option to connect to the Game, to keep your game data safe, and to enhance your experience in the game.
5.3 In-game Advertising
We process information about your location and the language settings of your device, your device identifier, along with your device model (including OS name and version) in order to provide you with relevant ads within the game. We use this information to analyse you, and we share your device identifier with advertising partners. The processing is based on our legitimate interests (Art. 6(1)(f) of the GDPR): We want to provide you with ads which are relevant to you in order to keep our Services running.
You have the right to object at any time to processing of your Personal Data for such marketing, including profiling.
6. Personal Data of Vendors
In order to provide our Services, we use vendors which provide their services to us. If you are a vendor or an employee of a vendor, we might collect your contact details. We do this to fulfil our contracts with our vendors or in order to enter into such a contract (Art. 6(1)(b) of the GDPR).
7. Your rights
You have the right to access your Personal Data that we hold about you and to correct, update, amend, suppress, delete or otherwise modify any Personal Data where it is inaccurate, or has been processed in violation of the applicable data protection regulations, unless we have to keep the Personal Data for legitimate business or legal purposes. When updating your Personal Data, we may ask you to verify your identity before we can act upon your request.
You may object to the use or processing of your Personal Data or withdraw consent to use your Personal Data at any time.
You have the following rights:
To exercise the rights referred to above, please contact email@example.com. You have the right to take legal actions in relation to any breach of your rights regarding the processing of the Personal Data, as well as to lodge complaints before the competent supervisory authority.
8. Changes to this Policy