Privacy policy

Information on Data Protection

With this privacy statement, we are informing you about how we handle your personal data when you use our website or our online desktop or mobile game “Shakes & Fidget”, and about your rights according to the European General Data Protection Regulation (GDPR) and the German Data Protection Act (BDSG). The party responsible for data processing is Playa Games GmbH (hereinafter referred to as “we” or “us”).

Table of contents

I. General information

II. Data processing on our websites and when using our “Shakes & Fidget” game

III. Data processing on our social media pages

IV. Data processing via our mobile apps

V. Other data processing

I. General information

1. Contact

If you have any questions or suggestions about this information or would like to contact us regarding the assertion of your rights, please send your request to

Playa Games GmbH
Alstertor 9, 20095 Hamburg – Germany
Email: datenschutz@playa-games.com (no game support)

2. Legal basis

Under data protection law, the term “personal data” refers to all information that is related to an identified or identifiable person. We process personal data in accordance with the relevant data protection regulations, particularly the GDPR and BDSG. We only process data on the basis of legal consent. We process personal data only with your consent (Section 15 (3) German Telemedia Act (TMG) or Article 6 (1) (a) GDPR), to fulfill a contract to which you are a party, or upon your request for the execution of pre-contractual measures (Article 6 (1) (b) GDPR), to fulfill a legal obligation (Article 6 (1) (c) GDPR), or if the processing is required to safeguard our legitimate interests or those of a third party, provided that this is not outweighed by your interests or fundamental rights and freedoms which require the protection of personal data (Article 6 (1) (f) GDPR).

If you are applying for a vacant position at our company, we also process your personal data to decide whether to establish an employment relationship (Section 26 (1) (1) BDSG).

3. Storage period

Unless stated otherwise in the following information, we only store the data as long as required to achieve the purpose of the processing or to fulfill our contractual or legal obligations. These legal retention periods may arise in particular due to commercial or tax law provisions. Starting at the end of the calendar year in which the data was collected, we will store any personal data contained in our accounting records for ten years and personal data contained in commercial letters and contracts for six years. Apart from that, we will store data in connection with consent requiring proof, as well as data related to complaints and payment claims, for the duration of the legal limitation period. We will delete data stored for advertising purposes if you object to its processing for this purpose.

Any data the app stored on your mobile device can remain there until you remove the app.

4. Categories of recipients of the data

We use order processors in the scope of processing your data. The processing operations performed by such processors include, for example, hosting, maintenance and support of IT systems, customer and order management, order processing, accounting and billing, marketing measures, or the destruction of files and data carriers. An order processor is a natural or legal person, authority, agency or other body that processes personal data on behalf of the data controller. Order processors do not use the data for their own purposes; instead, they perform the data processing exclusively for the data controller and are contractually obligated to take appropriate technical and organizational measures to ensure data protection. Aside from that, we may transfer your personal data to bodies such as postal and delivery services, principal banks, tax consultants/public accountants, or the tax authorities. The following information may indicate additional recipients.

5. Data transfer to third countries

Visiting our website may be accompanied by the transfer of certain personal data to third countries, i.e., countries in which the GDPR is not applicable law. This kind of transfer is permissible if the European Commission has determined that an appropriate level of data protection is provided in such a third country. If no such adequacy decision is available from the European Commission, the personal data is only transferred to a third country if appropriate safeguards in accordance with Article 46 GDPR are in place, or if one of the conditions of Article 49 GDPR is met.

Unless stated otherwise below, we use the standard EU contractual clauses for the transfer of personal data to order processors in third countries: https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX%3A32010D0087.

If you consent to the transfer of personal data to third countries, the transfer is performed on the legal basis of Article 49 (1) (a) GDPR.

6. Processing within the exercise of your rights

If you exercise your rights in accordance with Articles 15 to 22 GDPR, we will process the personal data transferred to us for the purpose of implementing these rights and to be able to furnish proof thereof. Data which we store for the purpose of preparing and providing information will only be processed by us for this purpose as well as for purposes of data protection control; apart from that, we will restrict processing in accordance with Article 18 GDPR.

This processing is performed on the legal basis of Article 6 (1) (c) GDPR in conjunction with Article 15 to 22 GDPR and Section 34 (2) BDSG.

7. Your rights

As a data subject, you have the right to assert your data subject rights against us. In particular, you have the following rights:

· In accordance with Article 15 GDPR and Section 34 BDSG, you have the right to request information about whether and, if applicable, to what extent we process personal data in relation to you.

· You have the right to demand that we correct your data in accordance with Article 16 GDPR.

· You have the right to demand that we delete your personal data in accordance with Article 17 GDPR and Section 35 BDSG.

· You have the right to demand the restriction of the processing of your personal data in accordance with Article 18 GDPR.

· In accordance with Article 20 GDPR, you have the right to obtain the personal data concerning you, which you made available to us, in a structured, common and machine-readable format and to transmit this data to another responsible person.

· If you have given us separate consent to data processing, you can revoke this consent at any time in accordance with Article 7 (3) GDPR. This will not affect the lawfulness of any processing performed on the basis of the consent that is carried out prior to such a revocation.

· According to Article 77 GDPR, if you believe that the processing of data relating to you violates the regulations of the GDPR, you have the right to lodge a complaint with a supervisory authority.

You can also use our support tool to exercise your rights.

8. Right to object

According to Article 21 (1) GDPR, you have the right to object to data processing performed on the legal basis of Article 6 (1) (e) or (f) GDPR for reasons arising from your particular situation. If we process personal data about you for the purpose of direct marketing, you can object to this processing in accordance with Article 21 (2) and (3) GDPR.

You can also use our support tool to exercise your right to object.

9. Data protection officer

You can reach our data protection officer with the following contact information:

DPO: Deloitte AB

Rehnsgatan 11, 113 79 Stockholm – Sweden

Email: datenschutz@playa-games.com

II. Data processing on our websites and when using our “Shakes & Fidget” game

When you use our websites or our “Shakes & Fidget” game, we collect information which you provide to us. During your visit to the website, we also automatically collect certain information about your use of the website. In the Data Protection Act, the IP address is also fundamentally considered to be personal data. An IP address is assigned by the Internet provider to any device connected to the Internet in order for it to send and receive data.

1. Processing of server log files

During the purely informative use of our website, general information that your browser transmits to our server is initially stored automatically (meaning, not via a registration). By default, this includes: Browser type/version, operating system, accessed page, previously visited page (referrer URL), IP address, date and time of the server access, and HTTP status code. The processing is performed to protect our legitimate interests and is carried out on the legal basis of Article 6 (1) (f) GDPR. This processing is for the purpose of the technical management and security of the website. The stored data is deleted at regular intervals unless there is a justified suspicion of unlawful use based on specific indications, which would make further examination and processing of the information necessary for this reason. We are unable to identify you as the data subject on the basis of the stored information. Articles 15 to 22 GDPR therefore are not applicable pursuant to Article 11 (2) GDPR unless, in order to exercise your rights stated in these articles, you provide additional information that enables your identification.

2. Cookies

We use cookies and similar technologies (“cookies”) on our website. Cookies are small text files that are stored in your browser when you visit a website. This identifies the browser being used and can be recognized by web servers. Your browser gives you full control over the use of cookies. You can delete the cookies via the security settings of your browser at any time. In your browser settings, you can object to cookies in general or for specific cases. More information on this topic is available from the German Federal Office for Information Security: https://www.bsi-fuer-buerger.de/BSIFB/DE/Empfehlungen/EinrichtungSoftware/EinrichtungBrowser/Sicherheitsmassnahmen/Cookies/cookies_node.html

The use of cookies is technically necessary to operate our website and thus permissible without the user’s consent. We may also use cookies to offer specific features and content, as well as for purposes of analysis and marketing. These may include cookies from third-party providers (so-called third-party cookies). We only use such technically unnecessary cookies with your consent in accordance with Section 15 (3) TMG or Article 6 (1) (a) GDPR.

3. Consent management tool

Our websites use a consent management banner to control cookies. The consent banner enables users of our website to consent to certain data processing operations or revoke previously given consent. By confirming the “I accept” button or by saving individual cookie settings, you consent to the use of the associated cookies. Your consent is the legal basis under data protection regulations in line with Article 6 (1) (a) GDPR.

The banner also helps us to provide evidence of a declaration of consent. For this purpose, we process information about the declaration of consent and additional log data on this declaration. Cookies are also used to collect this data.

Processing this data is necessary so that the giving of consent can be proven. The legal basis arises from our legal obligation to document your consent (Article 6 (1) (c) in conjunction with Article 7 (1) GDPR).

4. Contact options and inquiries

Our websites and apps include contact forms which you can use to send us messages. In this process, the transfer of your data is encrypted (this can be recognized by the “https” in your browser’s address bar). All data fields marked as mandatory are required to process your request. If these fields are not provided, we will not be able to work on your request. The provision of additional data is voluntary. Alternatively, you can send us a message to the contact email address. We will process the data for the purpose of answering your inquiry. If your inquiry concerns the conclusion or performance of a contract with us, Article 6 (1) (b) GDPR is the legal basis for the data processing. Otherwise, we will process the data on the basis of our legitimate interest in establishing contact with inquiring persons. In that case, the legal basis for the data processing is Article 6 (1) (f) GDPR.

5. Processing of personal data when using our “Shakes & Fidget” game

When you create a user account for our Games, we assign it a unique number. We store the username and password you chose as well as the email address you entered, unless you sign in via Facebook login (for third-party logins, see section 3 for more information). The provision of this data is a prerequisite for concluding a contract. We use a double opt-in procedure to verify whether the email address you provide really belongs to you.

Participation is not a prerequisite for using our games. However, we recommend it because we can only use validated email addresses to send you important messages such as login confirmations, password changes, or occasional information about the games you play. The legal basis for the latter direct advertising is Article 6 (f) GDPR. We may also use your hashed email address to advertise our games via social networks so long as the hash method used does not allow for retroactive decryption.

We store the originating IP address and the time at which the registration is made. We also store the originating IP address and the time when you validate your email address. This is to comply with our burden of proof, to ward off attacks against our system, and to ensure compliance with the rules of the game.

When you use our games, your device communicates with our servers. In that context, we record signing in and signing out times of your user account, as well as any relevant IP addresses. This can be the IP address of your telecommunications connection or of your mobile device. We process this data in order to handle violations of our T&Cs and playing rules, and to comply with the requirements of law enforcement authorities.

You can also communicate with other users in our games and may divulge personal information. In this regard, we advise you to exercise caution. If you receive messages from other users, they will be saved to your user account. This allows you to view all the messages you have received in the game. Deleting messages in the game will also delete them from your user account.

Apart from this, the processing of personal data during the registration and use of our “Shakes & Fidget” game is performed to fulfill our contract and is carried out on the legal basis of Article 6 (1) (b) GDPR.

6. Login through third-party providers

When creating a user account for our games, you can either enter your information manually or use data already provided to a third party.

If you are using Facebook Login, Facebook (Facebook, Inc.) will send the information from your public Facebook profile and your email address to us once you have consented to this data transfer. The public information transferred in such a manner consists of your ID, name, first_name, last_name, link, gender, locale, time zone, updated_time, and verified. This transmitted information will be used to create a new user account in the playing environment you select. The data is transferred to us once. Of the transferred data, we save only the Facebook Token and the Facebook ID, since these are required for logging in to one of our games. We do not obtain knowledge of your Facebook password. However, Facebook may save data about your use of our games.

You can also create a user account for our games on Steam (Steam is a product owned by Valve Corporation; for more information, please visit http://store.steampowered.com/subscriber_agreement/). In this case, we do not receive any personal data.

The processing of personal data is performed to fulfill our contract and is carried out on the legal basis of Article 6 (1) (b) GDPR.

7. Additional content

Our games are strictly free to play. However, we also offer additional services with costs. If you decide to purchase such services, the financial transaction will be carried out by the service provider you select, such as PayPal (PayPal (Europe) S.à r.l. et Cie, S.C.A., 22–24 Boulevard Royal L-2449, Luxembourg) or Paymentwall (PW Inc., a Nevada corporation), facilitated by Goodgame Studios (Altigi GmbH, Theodorstr. 42–90, Haus 9, 22761 Hamburg, Germany). The privacy policy for Goodgame Studios can be found at the following link: https://goodgamestudios.com/de/datenschutz/

Goodgame Studios is responsible for the technical side of processing the payment. In this event, we may transfer data to other service providers to the extent necessary to determine the price, for billing, and for payment collection. Specifically, this data includes your alias, the game world on which you created your user account, the language settings, and your pre-selection (if any). Any personal data that you provide to the service provider, in particular your name, address, and payment information, will not be forwarded to us.

After payment has been processed, we receive and store an acknowledgement from the respective service provider. This acknowledgement contains information that allows us to verify the status of the respective transaction. This is necessary in order to provide the agreed and paid for service and, if necessary, provide customer service.

The processing of personal data is performed to fulfill our contract and is carried out on the legal basis of Article 6 (1) (b) GDPR.

8. Tube

Our “Tube” allows players to watch commercials. This feature will show videos from changing third-party providers, in particular those of Fyber N.V., Wallstraße 9–13, 10179 Berlin, Germany. By default, the Tube is deactivated and no data is transferred to third parties. A transfer will only occur after consent in accordance with Article 6 (1) (a) GDPR. If players decide to watch a commercial, we will send the player's IP address and an advertising ID to the third-party provider. Once a video has been watched, the provider sends us a confirmation so that we can credit the player the respective in-game bonus (“Lucky Coins” for the Wheel of Fortune). For more information on how Fyber protects your data, please visit https://www.fyber.com/legal/gdpr-faqs/. You can deactivate the Tube in the in-game settings, thereby revoking your consent.

9. Newsletter

On our website we offer the option of subscribing to our newsletter. After you subscribe, we will regularly inform you about the latest news regarding our offers. A valid email address is required to subscribe to the newsletter. To verify the email address, you will first receive a registration email with a link for your confirmation (double opt-in). If you subscribe to the newsletter on our website, we will process personal data such as your email address and name on the basis of the consent you have given us. The processing is carried out on the legal basis of Article 6 (1) (a) GDPR. You can revoke your consent at any time with effect for the future, for example, through the “Unsubscribe” link in the newsletter or by contacting us via the above-mentioned channels. The legality of the already performed data processing operations remains unaffected by the revocation. When you subscribe to the newsletter, we also store the IP address, date, and time of registration. Processing this data is necessary so that the giving of consent can be proven. The legal basis arises from our legal obligation to document your consent (Article 6 (1) (c) in conjunction with Article 7 (1) GDPR).

We also analyze the reading behavior and opening rates pertaining to our newsletter. For this purpose, we collect and process pseudonymous usage data, which we do not amalgamate with your email address or IP address. The legal basis for the analysis of our newsletter is Article 6 (1) (f) GDPR and the processing serves our legitimate interest in optimizing our newsletter. You may object to this at any time via one of the contact channels mentioned above.

10. Analysis, tracking, & retargeting

a. Facebook Pixel

On our website, we use Facebook Pixel, a Facebook business tool from Facebook Ireland Limited (Ireland, EU). You can get information about how to contact Facebook Ireland and the data protection officer of Facebook Ireland in the privacy policy of Facebook Ireland at https://www.facebook.com/about/privacy.

Facebook Pixel is a JavaScript code snippet that enables us to track the activities of visitors on our website. This tracking is called conversion tracking. For this purpose, Facebook Pixel collects and processes the following information (so-called event data):

Some of this event data is information stored in the end device you use. Additionally, Facebook Pixel sets cookies in which information is stored on your end device. This storage of information by Facebook Pixel or access to information already stored in your end device only occurs with your consent.

Tracked conversions appear in the dashboard of our Facebook Ad Manager and Facebook Analytics. There we can use the tracked conversions to measure the effectiveness of our ads, to set custom audiences for ad targeting, for dynamic ad campaigns and to analyze the effectiveness of the conversion funnels of our website. The features we use via Facebook Pixel are described in more detail below.

Processing of event data for advertising purposes

The event data collected via Facebook Pixel is used for the targeting of our ads and improvement of the ad delivery, for the personalization of features and content, and for the improvement and security of the Facebook products.

For this purpose, event data is collected on our website via Facebook Pixel and transmitted to Facebook Ireland. This is only carried out if you have previously given your consent to this. For that reason, the legal basis for the collection and transmission of personal data by us to Facebook Ireland is Article 6 (1) (a) GDPR.

We and Facebook Ireland perform the collection and transmission of the event data as joint controllers. As joint controllers, we have entered into a data processing agreement with Facebook Ireland which defines the allocation of the data protection obligations between us and Facebook Ireland. Among other things, we and Facebook Ireland have agreed

You can access the agreement that we concluded with Facebook Ireland at https://www.facebook.com/legal/controller_addendum.

Facebook Ireland is solely responsible for the processing of the transmitted event data following the transmission. You can find further information on how Facebook Ireland processes personal data, including the legal basis relied on by Facebook Ireland and the options to exercise your rights against Facebook Ireland in the data policy of Facebook Ireland under https://www.facebook.com/about/privacy.

Processing of event data for analysis purposes

We also commissioned Facebook Ireland to prepare reports about the effect of our ad campaigns and other online content based on the event data collected by Facebook Pixel (campaign reports) and to provide analyses and insights about users and their use of our website, products, and services (analyses). For this purpose, we transmit personal data contained in the event data to Facebook Ireland. As our order processor, Facebook Ireland processes the transmitted personal data to prepare the campaign reports and analyses for us.

The processing of personal data for the preparation of analyses and campaign reports is carried out only if you have previously given your consent to this. For this reason, the legal basis for this processing of personal data is Article 6 (1) (a) GDPR.

A transmission of data to Facebook Inc. in the USA cannot be ruled out. The legal basis for this transmission is provided by the standard contractual clauses for the transmission of personal data to order processors in third countries. In this regard, please note the information in the section “Data transfer to third countries”.

11. TikTok Custom Audiences

We use the TikTok product Custom Audiences (customer file) of the two providers

· TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and

· TikTok Information Technologies UK Limited, WeWork, 125 Kingsway, London, WC2B 6NH, United Kingdom (hereinafter both are collectively referred to as “TikTok”).

The product TikTok Custom Audiences (customer file) enables us to transmit contact information about the users of one of our games to TikTok. TikTok will check this contact information on our behalf against data about users who are already using TikTok services, such as the video portal with the same name, to create so-called Custom Audiences for the purpose of displaying targeted advertisements. A Custom Audience is a particular target group which is shown additional ads on TikTok’s services on the basis of existing interest in our offers and products.

The contact information we transmit to TikTok in order to create Custom Audiences consists only of the device ID of an end device used while accessing our games. Here, we use only the device ID of end devices that use the Android operating system. The device ID is pseudonymized locally on our system via a so-called hash function before being transmitted to TikTok for the creation of the Custom Audiences. TikTok uses this data for us as an order processor. As an order processor, TikTok does not use the data for its own purposes; instead, it performs the data processing exclusively for us and is contractually obligated to take appropriate technical and organizational measures to ensure data protection.

The device ID is information stored in the end device that you use. The device ID that is already stored in your end device is only accessed, and this information is only used further, if you have not objected to this. The processing serves our legitimate interest in displaying targeted advertising for our products. For that reason, the required legal basis for the collection and transmission of the device ID by us to TikTok and its use to create Custom Audiences is Article 6 (1) (f) GDPR.

When the TikTok product Custom Audiences (customer file) is used, a transmission of data to a TikTok entity in a third country in which European data protection law is not applicable cannot be ruled out. The legal basis for this transmission is provided by the standard contractual clauses for the transmission of personal data to order processors in third countries, which you can access at the following link: https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX%3A32010D0087

Further information on how TikTok uses personal data can be found in TikTok’s data policy at https://www.tiktok.com/legal/privacy-policy?lang=de-DE .

12. Cloudflare for content integration

We use the Cloudflare service from Cloudflare Inc. (USA) on our website to display content. This integration technically requires the processing of your IP address so that content can be sent to your browser. For this reason, your IP address is transmitted to Cloudflare. This data processing is performed to protect our legitimate interests in the optimization and economical operation of our website and is carried out on the legal basis of Article 6 (1) (f) GDPR. You can object to this data processing at any time via the settings in your browser or certain browser extensions. One of these extensions, for example, is the matrix-based firewall uMatrix for the Firefox and Google Chrome browsers. Please note that this may lead to functional limitations on the website.

In this regard, please note the information in the section “Data transfer to third countries”. Additional information on data protection at Cloudflare can be found in Cloudflare’s privacy statement: https://www.cloudflare.com/privacypolicy/.

13. Google Fonts for content integration

On our website we use Google Web Fonts from Google Ireland Limited (Ireland/EU) to display fonts. This integration technically requires the processing of your IP address so that content can be sent to your browser. For this reason, your IP address is transmitted to Google. This data processing is performed to protect our legitimate interests in the optimization and economical operation of our website and is carried out on the legal basis of Article 6 (1) (f) GDPR. You can object to this data processing at any time via the settings in your browser or certain browser extensions. One of these extensions, for example, is the matrix-based firewall uMatrix for the Firefox and Google Chrome browsers. Please note that this may lead to functional limitations on the website.

When using Google services, a transmission of data to Google Inc. in the USA cannot be ruled out. Additional information on data protection at Google can be found in Google’s privacy statement: https://www.google.com/policies/privacy .

III. Data processing on our social media pages

We are represented by company pages on several social media platforms. We use these to offer additional opportunities to get and exchange information about our company. Our company has company pages on the following social media platforms:

- Facebook

- Instagram

- TikTok

- LinkedIn

- Xing

- Twitch

- YouTube

When you visit a profile on a social media platform or interact with it, personal data about you may be processed. The information associated with the social media profile you use also regularly consists of personal data. This also captures news and statements made while using the profile. Additionally, certain information is often automatically collected about your visit to a social media profile whenever you use it, which may also constitute personal data.

1. Visiting a social media page

a. Facebook and Instagram page

When you visit our Facebook or Instagram page, which we use to present our company or individual products from our offers, certain information about you is processed. Facebook Ireland Ltd. (Ireland/EU – “Facebook”) is the sole controller of this processing of personal data. You can find more information about the processing of personal data by Facebook at https://www.facebook.com/privacy/explanation . Facebook offers the possibility to opt out of certain data processing; information and opt-out features can be found at https://www.facebook.com/settings?tab=ads .

For our Facebook and Instagram page, Facebook provides statistics and insights in anonymized form, which help us gain information about the type of actions carried out by people on our page (so-called “page insights”). These page insights are created on the basis of certain information about people who have visited our page. This processing of personal data is carried out by Facebook and us as joint controllers. The processing serves our legitimate interest in evaluating the types of actions performed on our page and in improving our page on the basis of these insights. The legal basis for this processing is Article 6 (1) (f) GDPR. We are unable to allocate the information acquired via the page insights to individual user profiles that interact with our Facebook and Instagram pages. As joint controllers, we have entered into a data processing agreement with Facebook which defines the allocation of the data protection obligations between us and Facebook. You can find details about the processing of personal data to create page insights and about the agreement concluded between us and Facebook at https://www.facebook.com/legal/terms/information_about_page_insights_data . In respect to this data processing, you also have the possibility of asserting your data subject rights (see “Your rights”) against Facebook. More information on this can be found in Facebook’s privacy policy at https://www.facebook.com/privacy/explanation .

Please note that, according to Facebook’s privacy policy, user data is also processed in the USA or other third countries. Facebook only transmits user data to countries for which an adequacy decision has been provided by the European Commission according to Article 45 GDPR, or on the basis of appropriate safeguards according to Article 46 GDPR.

b. LinkedIn company page

LinkedIn Ireland Unlimited Company (Ireland/EU – “LinkedIn”) is the sole controller for processing personal data when visiting our LinkedIn page. You can find more information about the processing of personal data by LinkedIn at https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy .

When you visit our LinkedIn company page, follow this page, or interact with this page, LinkedIn processes personal data to provide us with statistics and insights in anonymized form. This helps us gain information about the type of actions carried out by people on our page (so-called page insights). For this purpose, LinkedIn particularly processes data that you have already provided to LinkedIn through the information in your profile, such as data on position, country, industry, years of employment, company size, and employment status. Additionally, LinkedIn processes information about how you interact with our LinkedIn company page, e.g., whether you follow our LinkedIn company page. LinkedIn does not provide us with any personal data about you with the page insights. We can only access the summarized page insights. It is also not possible for us to draw conclusions about individual members from the information in the page insights. This processing of personal data for the page insights is carried out by LinkedIn and us as joint controllers. The processing serves our legitimate interest in evaluating the types of actions performed on our LinkedIn company page and in improving this company page on the basis of these insights. The legal basis for this processing is Article 6 (1) (f) GDPR. As joint controllers, we have entered into a data processing agreement with LinkedIn which defines the allocation of the data protection obligations between us and LinkedIn. This agreement is available at: https://legal.linkedin.com/pages-joint-controller-addendum . Accordingly, the following applies:

· LinkedIn and we have agreed that LinkedIn is responsible for enabling you to exercise your rights pursuant to the GDPR. You can contact LinkedIn for this purpose online at the following link ( https://www.linkedin.com/help/linkedin/ask/PPQ?lang=de ) or via LinkedIn’s contact information in the privacy policy. You can contact the data protection officer of LinkedIn Ireland at the following link: https://www.linkedin.com/help/linkedin/ask/TSO-DPO . To exercise your rights in connection with the processing of personal data related to the page insights, you can also contact us at the provided contact information. In such a case, we will forward your inquiry to LinkedIn.

· LinkedIn and we have agreed that the Irish Data Protection Commission is the lead supervisory authority that monitors the processing for the page insights. You always have the right to lodge a complaint with the Irish Data Protection Commission (see www.dataprotection.ie) or with any other supervisory authority.

Please note that, according to the LinkedIn privacy policy, personal data is also processed by LinkedIn in the USA or other third countries. LinkedIn only transmits personal data to countries for which an adequacy decision has been provided by the European Commission according to Article 45 GDPR, or on the basis of appropriate safeguards according to Article 46 GDPR.

c. TikTok

TikTok Technology Limited (Ireland/EU) is the sole controller for the processing of personal data by TikTok. You can find more information about the processing of personal data by TikTok Technology Limited at https://www.tiktok.com/legal/privacy-policy?lang=de .

d. Xing

New Work SE (Germany/EU) is the sole controller for processing personal data when visiting our Xing profile. You can find more information about the processing of personal data by New Work SE at https://privacy.xing.com/de/datenschutzerklaerung .

e. Twitch

Twitch Interactive, Inc. (USA) is the sole controller for processing personal data when visiting our Twitch channel. You can find more information about the processing of personal data by Twitch Interactive, Inc. or Google Ireland Limited at https://www.twitch.tv/p/de-de/legal/privacy-notice/ .

f. YouTube

Google Ireland Limited (Ireland/EU) is the sole controller for processing personal data when visiting our YouTube channel. You can find more information about the processing of personal data by YouTube or Google Ireland Limited at https://policies.google.com/privacy .

2. Comments and direct messages

We also process information that you have provided to us via our company page on the respective social media platform. This information might include the username, contact information, or a message to us. We are the sole controllers of these processing operations by us. We process the data on the basis of our legitimate interest in establishing contact with inquiring persons. The legal basis for the data processing is Article 6 (1) (f) GDPR. There may be further data processing if you have consented to this (Article 6 (1) (a) GDPR) or if this is required for the fulfillment of a legal obligation (Article 6 (1) (c) GDPR).

IV. Data processing via our mobile apps

In addition to our other online offers, we also make our “Shakes & Fidget” computer game available as mobile apps that you can download to your mobile end device. Below, we inform you about the additional collection and processing of personal data when using “Shakes & Fidget” on our mobile app.

1. Download of the app

When you download the app, certain required information is transmitted to the app store you select (e.g., Google Play or Apple App Store). In particular, your user name, email address, customer number of your account, time of the download, and individual device number may be processed. The processing of this data is performed exclusively by the provider of the respective app store and is beyond our control.

2. Automatic processing of personal data when using the app

When the mobile app is used, we collect the personal data described below in order to enable the convenient use of the features. If you want to use our mobile app, we collect the following data that is technically necessary for us to offer you the features of our mobile app and safeguard its stability and security.

· IP address

· Date and time of the request

· Time zone difference to Greenwich Mean Time (GMT)

· Content of the request (specific page)

· Access status/HTTP status code

· Amount of data transferred

· Website from which the request originates

· Operating system and interface

· Language and version of the browser software.

The legal basis for the processing of this data is Article 6 (1) (f) GDPR.

3. Permissions on the end device when using the app

Use of the app may require access to certain functions of the end device in use. For this purpose, the app requires the following permissions:

Internet access: This is required so the app can access the game server.

4. Login through third-party providers

If you use an Apple device, you can create a user account on our servers via the Game Center login. In this case, Apple (Apple, Inc.) will transfer your Apple ID, Game Center name, and email address to us. For more information on Apple's privacy policy, please visit http://www.apple.com/privacy/privacy-policy/

Verification on Android devices works in a similar manner (“Google Play Games”). In this case, game information will be sent to Google and linked to the user's Google+ identity. It will also be visible in a variety of Google products (https://developers.google.com/games/services/terms). For more information on Google's privacy policy, please visit https://www.google.de/intl/policies/policies/privacy/

5. Push notifications

We store Push Tokens in order to be able to send Push Messages to your Android or Apple device. We may also use this technology for other platforms in the future. You can manage Push Messages under “Options” or “Settings” in the mobile app or in your device settings.

The legal basis for the processing of this data is Article 6 (1) (f) GDPR.

6. Game Analytics

We use the tracking tool “Game Analytics” from GameAnalytics ApS, Vesterbrogade 34, 4th Floor, DK-1620 Copenhagen V, Denmark, in some of our apps to continuously improve them.

Game Analytics collects the IP address, UDI (Unique Device Identifier), platform (iOS or Android), the device and its operating system, as well as the time of the first app use.

When the data has been collected by Game Analytics, it is provided to us in anonymized form, which means that we are unable to draw any conclusions about you. You can find the privacy policy of Game Analytics here: https://www.gameanalytics.com/privacy .

The processing is performed to serve our legitimate interests in the analysis of our game use and is carried out on the legal basis of Article 6 (1) (f) GDPR.

7. AppsFlyer

We use the AppsFlyer analytical service by AppsFlyer Ltd. (Israel). We use the AppsFlyer service to measure the success of our campaigns. We receive the information from AppsFlyer in aggregate form. To track the use of a mobile app, we transmit information to AppsFlyer regarding downloads and installations as well as regarding “in-app events”, such as in-app purchases. You can opt out of the data compilation and storage by AppsFlyer at any time with effect for the future by following the instructions at https://www.appsflyer.com/optout.

AppsFlyer receives information from the data transmitted by SDKs (Software Development Kits) in a mobile end-user application to servers. The data collected by the SDK includes information such as IP addresses (anonymized), browser, platform, SDK version, anonymized user ID, time key, developer key, application version and device identifiers (such as Identifier For Advertisers), Google advertising ID, device model, device manufacturer, operating system version, in-app events, and network status (WLAN/3G). We consider the end user data collected by the AppsFlyer platform representative for the analysis of our applications.

This processing is performed to serve our legitimate interests in the marketing of our apps and is carried out on the legal basis of Article 6 (1) (f) GDPR.

V. Other data processing

1. Contact via email

When you send us a message via the provided contact email, we will process the transmitted data for the purpose of answering your inquiry. We process the data on the basis of our legitimate interest in establishing contact with inquiring persons. The legal basis for the data processing is Article 6 (1) (f) GDPR.

2. Use of the email address for marketing purposes

We may use the email address that you entered during the registration or order placement in order to inform you about similar products and services offered by us. The legal basis for this is Article 6 (1) (f) GDPR in conjunction with Section 7 Article 3 of the German Act Against Unfair Practices (UWG). You have the right to object to this at any time without incurring any costs other than the transmission costs in accordance with basic rates. To do this, you can unsubscribe by clicking on the link provided in every email.

3. Sweepstakes

If you participate in sweepstakes, we will process your personal data to execute and process the sweepstakes. This includes particularly the selection of the winners, the notification of winning a prize, and the delivery of the prize. If the delivery or provision of certain prizes is carried out via another company (such as a subsidiary or other cooperative partner), we will transmit the required extent of the winner’s data to this company. After the sweepstakes have been completed, we will delete the data, unless there are legal retention periods that prevent the immediate deletion. The legal basis for the processing is Article 6 (1) (b) GDPR.

4. Applications

If you apply for a job at our company, we will process your application data exclusively for purposes related to your interest in current or future employment at our company and the processing of your application. Only the relevant representatives at our company will process and take notice of your application. All employees who are entrusted with data processing are bound to maintain the confidentiality of your data. If we are unable to offer you employment, we will store the data you transmitted to us for up to six months following the potential rejection. We do this for the purpose of answering questions related to your application and rejection. This does not apply if a deletion is prevented by legal provisions, if further storage is necessary for the purpose of furnishing proof, or if you expressly consented to a longer storage period. The legal basis for the data processing is Section 26 (1) sentence 1 BDSG. If we store your application data for more than six months and you expressly consented to this, we hereby point out that this consent can be freely revoked at any time in accordance with Article 7 (3) GDPR. This will not affect the lawfulness of any processing performed on the basis of the consent that is carried out prior to such a revocation.

Current as of: June 2021