MTG Corporate Website Privacy Policy

Welcome to our Privacy Policy, which contains information on how we process personal data when you visit our website, communicate, or otherwise interact with us as outlined herein. If you have any questions regarding our use of your personal data, please feel free to contact us through the channels provided below.

When we refer to “you” in this Privacy Policy, we refer to you as a data subject (see Section II. below for more details on what this means). If you are interacting with us on behalf of others, please make sure all affected parties receive the information stated in this Privacy Policy.

I. Who Are We?

If we speak of “MTG”, “we” or “us” in this Privacy Policy, we refer to ourselves as controller as defined below. Our contact details are:

Modern Times Group MTG AB
Skeppsbron 18, Box 2094,
111 30 Stockholm, Sweden
Tel: +46 8 562 000 50

If you have any questions regarding this Privacy Policy, data protection or if you want to exercise your rights as mentioned in Section IV, you can at any time contact our Data Protection Officer. Her contact details are:

Colette Yatesc/o Modern Times Group MTG AB
Skeppsbron 18, Box 2094,
111 30 Stockholm, Sweden
E-Mail: [email protected]

II. Meaning of Terms

The meaning of the terms listed in this Privacy Policy are defined by the General Data Protection Regulation (“GDPR”). When we refer to the GDPR we are referring to the General Data Protection Regulation of the UK as well unless we specify otherwise.

All definitions set out in Art. 4 of the GDPR apply to this Privacy Policy. For transparency, we’d like to explicitly outline the meaning of the terms listed below under the GDPR:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collecting, recording, organising, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying data;
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing is determined by Union or Member State law, the controller, or the specific criteria for its nomination, may be provided for by Union or Member State law;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

III. Legal Basis

As a controller we need a legal basis to process your data lawfully, according to Art. 6(1) of the GDPR. If

you have given your consent to the processing of your personal data for one or more specific purposes, this forms a legal basis under 6(1)(a) of the GDPR;
the processing is necessary for the performance of a contract between you and us or in order to take steps at your request prior to entering into a contract, the legal basis for this is 6(1)(b) of the GDPR;
the processing is necessary for compliance with a legal obligation which applies to us, the legal basis for this is 6(1)(c) of the GDPR;
the processing is necessary to protect our legitimate interests or the legitimate interests of a third party, and such legitimate interests are not outweighed by your interests or fundamental rights and freedoms, the legal basis for this is 6(1)(f) of the GDPR.

IV. Your Rights

Under the GDPR you have the following rights in regards to our processing of your personal data:

Right of information: You have the right to be provided information regarding our processing of your personal data, in accordance with Art. 13 and 14 of the GDPR.
Right of access: You have the right to obtain confirmation as to whether we are processing your personal data and, if this should be the case, access to the personal data, in accordance with Art. 15 of the GDPR.
Right to rectification: You have the right to obtain rectification of inaccurate or incomplete personal data about you, in accordance with Art. 16 of the GDPR.
Right to erasure (“right to be forgotten”): Under certain circumstances you have the right to the erasure of your personal data, in accordance with Art. 17 of the GDPR.
Right to restriction: Under certain circumstances you have the right to obtain a restriction on the processing of your personal data, in accordance with Art. 18 of the GDPR.
Right to data portability: Under certain circumstances you have the right to receive your personal data, which you have provided to us, in a structured, commonly used and machine-readable format, and the right to transmit this data to another controller, in accordance with Art. 20 of the GDPR.
Right to object: Under certain circumstances you have the right to object to the processing of your personal data, in accordance with Art. 21 of the GDPR. This includes, but is not limited to, the right to object in cases where we process your personal data under the legal basis of legitimate interest, as established under Art. 6(1)(f) of the GDPR.
Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of the EU of your habitual residence, place of work or the place of the alleged infringement, if you believe that the processing of your personal data infringes upon your rights under the GDPR, as set out in Art. 77 of the GDPR.

The supervisory authority primarily responsible for handling complaints regarding our data processing activities is Integritetsskyddsmyndigheten, Box 8114, 104 20 Stockholm, Sweden, [email protected].

Right to make a Data Protection Complaint under the DUAA: If you feel that we have processed your persona data in an unlawful manner you have a right to raise a data protection complaint with us under the UK Data (Use and Access) Act and can do so by contacting us at [email protected]. If you are not satisfied with our response, you may make a complaint to the ICO (The Information Commissioners Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom, +44 303 123 1113, website: https://ico.org.uk).
Right to withdraw consent: If the processing of your personal data is based on your consent, as set out in either Art. 6(1)(a) or Art. 9(2)(a) of the GDPR, you have the right to withdraw your consent at any time, in accordance with Art. 7(3) of the GDPR. Such withdrawal does not affect the lawfulness of any processing based on consent prior to its withdrawal.
Right not to be subject to a decision based solely on automated processing: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects that impact you or similarly significantly affects you, as set out in Art. 22(1) of the GDPR.

V. Recipients / Categories of Recipients

The personal data we process can also be processed by other parties on our behalf, and according to our instructions, or shared with and processed by other controllers. When data is processed according to this Privacy Policy, it is principally done by our employees and freelancers commissioned by us, who are responsible for that specific processing activity.

The following list gives you an overview of the main providers of the tools and services we use, who might consequently be recipients of your data:

Providers of office tools

Microsoft Enterprise Service Privacy
Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052
USA

and

Microsoft Ireland Operations, Ltd.
One Microsoft Place
South County Business Park
Leopardstown
Dublin 18, D18 P521,
Ireland
(both together “Microsoft”)

and

Slack Technologies, Inc.,
500 Howard Street, San Francisco,
CA 94105
USA
(“Slack”)

Data protection management tool

OneTrust Technology Limited
82 St. John Street
Farringdon, London EC1M 4JN
United Kingdom
(“OneTrust”)

Press release tool

Cision Sverige AB
Box 24194, 104 51, Stockholm
Sweden
(“Cision”)

Provider of data management systems and IT services

Vivicta AB
Gustav III:s Boulevard 173
169 70 Solna
Sweden
(“Vivicta“)

Provider of Supplier Invoice Management

Fast Four BV
Evert van de Beekstraat 1
1118 CL Schiphol
Netherlands
(“FastFour”)

And

Oracle Netsuit
Oracle Corporation UK Limited
Oracle Parkway
Thames Valley Park
Reading RG6 1RA
United Kingdom
(”Netsuit”)

Website Security and Performance Provider

Cloudfare Inc.
101 Townsend Street,
San Francisco, CA 94107
USA

Providers of streaming services

Inderes AB
Vattugatan 17,
111 52 Stockholm
Sweden
> Privacy Policy
(“Inderes”)

and

Vimeo.com, Inc.
Attention: Data Protection Officer
330 West 34th Street, 5th Floor
New York, New York 10001
> Privacy Policy
(“Vimeo”)

Some of these recipients are established outside of the European Union. We generally rely on one of two potential safeguards when these recipients receive your personal data to ensure they provide an adequate level of data protection:

If a recipient is located in a country the European Commission has found provides an adequate level of data protection, we rely on such adequacy decision by the EU Commission.
If a recipient is not located in a country with an adequate level of data protection according to the European Commission, we either concluded a contract with this recipient in which we agree to rules that ensure the adequate care of your personal data through the implementation of the EU Standard Contractual Clauses developed by the European Commission, or we rely on the binding corporate rules of a group of undertakings or enterprises that were approved by a supervisory authority.

Apart from the main possible recipients mentioned above, the following categories of recipients can receive personal data from us only when necessary: financial and IT services; host providers; providers of data rooms for M&A transactions; potential buyers or sellers of an M&A transaction; external financial and legal advisors and auditors; courts or governmental authorities that legally legitimately oblige us (e.g., through subpoenas, court orders, governmental requests or search warrants) to disclose data; and providers for streaming live events.

You can find details on which recipients and categories of recipients are involved in the processing of personal data under Section VI.

VI. General Data Processing

Below you will find information about how we process your personal data. These are the typical processing activities that may occur when you interact with us. Every processing activity is broken down into 5 parts:

(a.) What: What data is processed?

(b.) Why: For what purpose is the data processed?

(c.) Who: With whom do we share the data?

(d.) Legal Basis: What law allows us to process the data?

(e.) How Long: How long do we keep the data?

1. Communicating With You

a. What

If we communicate with you via email or mail, we process all personal data you disclose to us during our conversation (e.g., you name, email address, the reason why you are contacting us etc.).

Apart from this, it is also possible that we use other online messaging systems to communicate with you if you choose to contact us over these channels. Please note that, if you wish to contact us via such alternative messaging systems, it is possible that the companies offering these services will also process your personal data, and that their privacy policies will also apply. We have no influence over such data processing by third parties. For further information about how these companies process your personal data, please refer to their privacy policies.

b. Why

Depending on the circumstances, your personal data may be processed at your request prior to entering into a contract with us, or to enable us to perform a contract you have concluded with us. Additionally, some processing activities are required for compliance with legal obligations. Apart from this, processing activities may occur based on our legitimate interest to respond to you when you contact us, and to maintain proof of the content of our conversations, including but not limited to those related to potential legal claims.

c. Who

Providers of our office tools may be recipients of the processed personal data.

d. Legal Basis

The legal basis for our processing of your personal data prior to you entering into a contract with us, or to perform a contract you have entered into with us, is Art. 6(1)(b) of the GDPR.

The legal basis for processing your personal data in compliance with our legal obligations is Art. 6(1)(c) of the GDPR.

The legal basis for processing your personal data under our legitimate interest is Art. 6(1)(f) of the GDPR.

e. How long

Your personal data is, at minimum, stored until the conclusion of the contract with you. If your personal data was collected at your request prior to entering into a contract with us, we will store that data for as long as objectively reasonable to fully conclude our dialog with you. In addition to this, your data will be stored according to any relevant statutory storage periods, as well as any applicable statutory limitation periods, so that we may sufficiently defend ourselves against potential legal claims.

2. Visiting Our Website

a. What

When you visit our website, we process your IP-address.

b. Why

We process this data to display the website correctly in your browser. This is a legitimate interest of ours.

c. Who

IT service providers and host providers may be recipients of your personal data.

d. Legal Basis

The legal basis for processing this personal data is Art. 6(1)(f) of the GDPR.

e. How long

This personal data is only processed during your visit to our website and is not stored in log files.

3. Press Release Subscription

a. What

You can choose to receive our news and company information via email. To send you the press releases and reports, we process your email address and the selection of content you elected to receive, as well as data regarding whether you opened the email and the time it was opened.

b. Why

The purpose of processing this personal data is to keep you updated on our business developments, products, and services via email as per your request and according to your preferences, and to better understand what material you found most relevant.

c. Who

The provider of our press release tool is the recipient of this personal data.

d. Legal Basis

The legal basis for processing your personal data is your declaration of consent, in accordance with Art. 6(1)(a) of the GDPR.

e. How long

Your personal data will be stored for as long as you do not withdraw your consent. You can at any time withdraw your consent with future effect by using the unsubscribe link at the bottom of the email you received from us, or by contacting [email protected].

4. Data Subject Requests

a. What

When you contact us to make use of your data subject rights (see above), we process your name, email address and any additional information you provide us in your request, as well as any additional personal data you may provide to verify your identity as legitimate data subject.

We might also process your personal data when you make a request to another company of the MTG group which is an affiliate company of ours (“MTG Company”) if the company reaches out to us for legal advice regarding the matter.

b. Why

The personal data provided in your request is processed for the purpose of answering you, as well as ensuring our compliance with the GDPR by helping you as a data subject exercise your rights as set out in the GDPR. This is also a legitimate interest of ours.

If we process additional personal data to verify your identity, this is done for fraud prevention, which is a legitimate interest of ours.

If we receive your personal data from an MTG Company in connection with a request for legal advice, we process your personal data to ensure that the advice provided is accurate and complete. As a parent company, we work closely with all MTG Companies and support them to ensure our group-wide compliance with applicable laws. This is a legitimate interest of ours and all MTG Companies.

c. Who

Depending on the specific case, recipients of your personal data could be the provider of our data protection management tool, our office tool providers or external legal advisors.

d. Legal Basis

The legal basis for processing the data in your request is Art. 6(1)(c) in connection with Art. 12 of the GDPR, as well as Art. 6(1)(f) of the GDPR.

The legal basis for verifying your identity is Art. 6(1)(f) of the GDPR.

If we receive your personal data from an MTG Company, the legal basis for receiving and processing that data is Art. 6(1)(f) of the GDPR.

e. How long

The data is stored for three years, starting at the end of the year in which you made your request, so we and/or the respective MTG Company may prove our compliance and defend ourselves against any potential legal claims made within the general statute of limitations period in Sweden for consumer claims.

5. Legal Work

a. What

We work together with MTG Companies and external advisors to assess and manage legal matters. If a matter or dispute between you and us, or between you and an MTG Company (see definition in Section VI.4.a), requires relevant legal review, we and, if necessary, the relevant MTG Company, process the relevant data. This may include your name, e-mail address and contact details.

It is possible that MTG Companies seek legal support from us as their mother company. In such cases, we may receive your personal data from the aforementioned MTG Companies, and process your personal data as required to grant them legal support.

If we receive a legitimate and legally binding request to disclose data (e.g., through subpoenas, court orders, governmental requests or search warrants) from authorized courts or governmental authorities, we will comply with such request.

b. Why

The purpose of processing this data is to enable the effective and uniform handling of legal matters within the MTG Companies. This is a legitimate interest of ours. In addition, the data processing may be used to execute, perform and conclude contracts with you.

As a parent company, we also have a legitimate interest in supporting MTG Companies with legal matters to safeguard our business interests, the respective MTG Company and the entire MTG Group.

We also have a legal obligation to comply with any legitimate and legally binding requests from authorized courts or governmental authorities.

c. Who

Recipients of the personal data may be the providers of our office tools or external legal advisors and auditors. Additionally, if we receive your personal data from an MTG Company seeking our support, the same potential recipients apply.

In the case of legitimate and legally binding obligations by authorized courts or governmental authorities, such courts or authorities would be the recipients of the data.

d. Legal Basis

If the data processing is conducted in relation to the conclusion or performance of a contract with you, the legal basis of the data processing is Art. 6(1)(b) of the GDPR.

If the data processing is based on a legitimate interest, the legal basis is Art. 6(1)(f) of the GDPR.

In the case of legally legitimate and binding obligations by authorized courts or governmental authorities, the legal basis for disclosing data would be Art. 6(1)(c) of the GDPR in connection with the respective laws that state the legal binding effect of the obligation.

e. How long

The storage period for personal data processed for the purpose of handling legal matters, disputes or complying with legal obligations is governed by the relevant statute of limitations, so that we may sufficiently defend ourselves against claims, or by the relevant data retention legal obligations.

6. Due Diligence

a. What

We gather information on different companies to assess whether they are suitable for MTG’s merger and acquisition strategy and portfolio. Occasionally we will also employ external consultants to assist in the assessment process of a particular company.

b. Why

The purpose of the data processing by us and – if applicable – any engaged external consultants, is that it enables us to conduct due diligence prior to making decisions regarding the merger and acquisition of new companies. The data we collect may further be used for comparison purposes in subsequent acquisition processes if the company was not initially acquired in full. This is a legitimate interest of ours.

c. Who

Recipients of the processed personal data may be our executives, board of directors, external agencies and legal teams. We can receive your personal data from the Group companies, directly from you, from data brokers or from external consultants.

d. Legal Basis

The data processing is based on a legitimate interest, the legal basis is Art. 6(1)(f) of the GDPR.

e. How long

The storage period for data processed for this processing activity is until due diligence is completed or ten years, depending on the circumstances.

7. Job Applications

a. What

We process your personal data when you apply for a job or a freelancer position (e.g., your name, date of birth, address, data included in your cover letter or CV, etc.).

b. Why

The data is processed to decide if a contract with you will be executed, or, if you already have a contract with us, to perform our obligations under the contract or terminate the contract.

If we have decided not to hire you or if your employment with us has ended, your data will be stored to enable us to defend ourselves against potential claims based on § 64 Diskrimineringslag in connection with § 10 Lag om medbestämmande i arbetslivet. This is a legitimate interest of ours under Section 6(1)(f) of the GDPR.

c. Who

Recipients of the processed personal data can be the providers of our office tools or external HR consultants.

d. Legal Basis

The legal basis for processing your personal data when you are applying for a position with us and during your employment is Art. 6(1)(b) of the GDPR.

The legal basis for processing your personal data if we have decided not to hire you, or if your employment with us has ended, is Art. 6(1)(f) of the GDPR.

e. How long

If we work together with you, your data is stored for the applicable statutory storage periods. In general, this is ten years starting at the end of the year in which your contract has concluded (criteria derived from the general statute of limitations in Sweden). Should we decide not to hire you, we will delete your application two years after the decision of non-employment so that we may defend ourselves against potential claims based on § 64 Diskrimineringslag in connection with § 10 Lag om medbestämmande i arbetslivet and Article 6(1)(f) of the GDPR.

8. Cookies, Website Analytics & Consent Management

We use cookies on our website. To make information about these readily available to you and allow you to easily grant or withdraw consent or object to cookie-based processing based on a legitimate interest of ours, we have implemented a consent management platform. You can at any time open the consent management platform by clicking the “CUSTOMIZE COOKIES” link at the bottom of our website. In the consent management platform and in our Cookie Policy, you will find information on what data is processed, who the recipient is, the purpose of the processing, our legal basis and our data retention period.

You can contact us at any time via [email protected] if you want to withdraw or object to the processing of your personal data.

9. No Automated Decision-Making

We do not process your data by means of automated decision-making (e.g., profiling).

10. Cybersecurity & Unsolicited Communications

a. What

In certain cases, we process your email address for cybersecurity reasons and/or for blocking unsolicited communications.

b. Why

The data is processed to block potentially malicious communications and secure our IT systems when we have reason to believe that communications you send us pose a potential threat to our IT systems, and/or to block unsolicited communications you send us to protect our employees from content that negatively impacts their work and/or well-being.

c. Who

Recipients of the processed personal data may be the providers of our office tools or the provider of our data management systems and IT services.

d. Legal Basis

The legal basis for processing your personal data for cybersecurity purposes and for blocking unsolicited communications is Art. 6(1)(f) of the GDPR.

e. How long

We store your personal data for as long as we objectively have reason to believe that your communications pose a potential threat to our IT systems and/or that you will send us further unsolicited communications.

11. Livestreams

a. What

Public Livestreams: You can sign up to receive an invitation to the livestreams we offer, such as MTG’s quarterly results or our Capital Markets events, by signing up for our press release distribution. By signing up, we process obligatory data, such as your email address, name, the name of the company you work for, and possibly other optional data, such as your phone number.

Internal Livestreams: If you are an employee or freelancer working for MTG or a Group Company, you can join the internal livestreams we offer, such as All-Hands, or other global company events. In order to send you an invitation and let you join the livestream, we process your name and business email address.

When you participate in a Public or Internal Livestream, depending on your settings, the username you chose may be displayed to other participants, as well as your image and vocal communications. If you choose to ask a question or make a comment during the livestream or in the chat of a livestream, we process any personal data you might disclose while doing this.

Public and Internal Livestreams may be recorded and uploaded to a video streaming platform to make the video available for those who were unable to attend the livestream.

b. Why

When you sign up to attend one of our live streams, we need to process your personal data to send you details on how to join the stream, to adequately prepare for the stream, and to, if needed, internally debrief regarding the success of the stream, e.g., which topics were of interest to which viewers and how we can improve our livestreams in the future.

Data that is visible to other participants (e.g., username) or that you disclose during a livestream is processed by us to offer a functioning livestream and participation features.

As a participant of a livestream, you can choose whether you want to have your image and vocal communications displayed in the livestream. Please note that livestreams may be recorded and uploaded to video streaming platforms for those unable to attend. If you do not wish to be recorded, please let us know beforehand. Unfortunately, in such cases you will not be able to join the livestream since we do not have the ability to exclude individual attendees from the recording.

c. Who

The Recipients of your personal data will vary from event to event. We usually use our provider of office tools for group-internal livestreams (Microsoft), and potentially also public livestreams. However, depending on the type of livestream, we may choose to use a different company for streaming the event.

Internal Livestreams that are recorded can be stored on Microsoft Teams or Vimeo.

Public Livestreams that are recorded can be stored on Vimeo or Inderes.

d. Legal Basis

The legal basis for processing your personal data is Art. 6(1)(f) of the GDPR.

e. How long

Participant lists for our Capital Markets event are stored for a maximum period of one year.

If a livestream is streamed and recorded via Inderes, the video is stored and accessible for three years.

Livestreams recorded via Microsoft Teams are deleted within a week after the stream has taken place.

Internal Livestreams recorded and made accessible via Vimeo will be deleted 3 months after having been made accessible.

Should we use a different company when streaming an event, we will ensure that the personal data processed to participate in the livestream is not stored by that provider for longer than necessary.

VII. Group Cooperations – General Information

Together with our gaming studios we form a group of undertakings. We cooperate closely with the gaming studios of the group (each a “Group Company”) to learn from one another, help each other and improve how the group makes games. We like to see ourselves as a small gaming village in which we strive together to make great games.

The following Group Companies are part of our gaming village:

Hutch Games Ltd

44-46 Scrutton Street,
London, England, EC2A 4HH
UK

InnoGames GmbH

Friesenstraße 13
20097 Hamburg
Germany

Ninja Kiwi Ltd

17 Shamrock Drive,
Kumeu, 0810
New Zealand

Ninja Kiwi Europe Ltd

Unit 13, Vision Building, 20 Greenmarket, Dundee
DD1 4QB
United Kingdom

Ninja Kiwi Americas

140 Divisadero St Apt. 6
San Francisco, CA
94117-3238
United States

PlaySimple Games Pte Ltd, India

Second Floor, Anjaneya Techno Park No. 147,
Kodihalli, HAL Old Airport Rd,
Bangalore – 560008
India

Playsimple Games Pte Ltd, Singapore

30 Cecile Street
#19-08, Prudential Tower
Singapore, 049712

Plarium Global Ltd

2 Abba Eban Bld., P.O. Box 12258,
4672520 Herzliya Pituach
Israel

Snowprint Studios AB

Box 3694
10359 Stockholm
Sweden

Snowprint Studios Germany GmbH

Karl-Marx-Allee 3
10178 Berlin
Germany

VIII. Group Cooperations – Joint Controllerships

What does joint controllership mean?

When we cooperate with a Group Company, we may sometimes jointly determine if and how your personal data is processed. In such a case the companies involved are each controllers of your personal data and the working relationship is called a joint controllership. We have concluded an agreement with all Group Companies which establishes the rules for our joint controllership and includes standard contractual clauses that ensure the personal data of people located within the European Union (or European Economic Area) is adequately safeguarded when transferred between us and a Group Company that is neither established in the European Union nor a country considered to have the same level of data protection as the European Union.

In the following cases we and Group Companies are joint controllers of your personal data:

1. Mergers & Acquisitions

a.What

We can support each other when buying or selling a company. Under such circumstances, a strictly limited number of involved personnel may receive access to personal data (e.g., names, email addresses, unique identifiers) included in relevant documentation or determine what and how personal data will be shared with a potential buyer. In general, personal data is anonymized before it is disclosed. Should it be necessary to disclose personal data, such disclosure will be kept to a minimum.

b. Why

The purpose of such a cooperation is to enable the review of relevant material so that a potential buyer, seller and/or the involved Group Companies can make good business decisions. This is a legitimate interest of ours, the involved Group Companies, and the potential sellers or buyers.

c. Who

Recipients of the processed personal data can be providers of our office tools, providers of data rooms as well as external financial and legal advisors, involved Group Companies, and potential buyers. We can receive your personal data from a Group Company or a potential seller.

d. Legal Basis

The legal basis for processing your personal data is Art. 6(1)(f) of the GDPR.

e. How long

The storage periods for personal data processed for the purpose of handling legal matters or disputes is governed by the relevant statute of limitations periods, to ensure we can sufficiently defend ourselves against legal claims and meet any relevant legal obligations. If a transaction has been successful, we might be obliged to store the respective personal data according to the applicable statutory provisions, in which case we will store the documents according to the retention periods stated in such provisions. Personal data related to an unsuccessful transaction, that is no longer relevant to that transaction or another purpose under this Privacy Policy, will be deleted.

2. Business Intelligence

a. What

To help Companies in the Group make improvements to their games, we process a limited amount of pseudonymous data shared by Group Companies to gain insight into how you play our games and what features you enjoy. This personal data may include a group-internal unique identifier, game title, time of install, platform, country code per install, marketing channel/category and marketing campaign, browser information, engagement with the game (log-in sessions), amount of money spent in the game, and the effectiveness of a marketing campaign.

b. Why

Improving our understanding of how you play our Group Company’s games and what features you enjoy helps us and the Group Companies improve our games and marketing strategies. As parent company, it is essential for us to understand how games of the Group Companies are played and the effectiveness of any marketing efforts to ensure our games are enjoyable and that we will continue making new games. This interest is shared by the Group Company whose game you are playing as well as the other Group Companies since they are part of our gaming village.

c. Who

Recipients of the personal data are Vivicta and Microsoft, who help us administer and manage the data. We receive the data from the Group Company whose game you are playing, and do not share the data with other Group Companies.

d. Legal Basis

The legal basis for processing your personal data is Art. 6(1)(f) of the GDPR.

e. How long

Your personal data is stored for as long as you remain an active player in one of our Group Company’s games. Your data will be deleted or anonymized once you have successfully requested and received confirmation for deletion from the relevant Group Company or potentially after meeting a threshold period of inactivity in the game. Please refer to the privacy policy of the Group Company whose game you are playing for details regarding their retention periods for inactive player data.

3. Data Protection Compliance Work

a. What

We support the Group Companies with their data protection compliance efforts. Together with them, we may jointly process your personal data to ensure compliance with data protection laws, e.g., names, email addresses, usernames, unique identifiers (e.g., game-ID players). E.g., when you reach out to a Group Company with a data protection request and the Group Company seeks our support responding in an adequate and timely manner.

b. Why

We want to offer you a high level of data protection when you play our Group Companies’ games. To ensure that Group Companies comply with relevant data protection laws we offer them our support. This is a legitimate interest of ours, yours, and all Group Companies.

c. Who

The providers of our office tools and OneTrust may be recipients of the processed personal data.

d. Legal Basis

The legal basis for processing your personal data is Art. 6(1)(c) of the GDPR in connection with Art. 12, 30, and 35 of the GDPR and Art. 6(1)(f) of the GDPR.

e. How long

The data will be stored for the time needed for the Group Company you are contacting to prove it’s compliance with data protection laws. During this time, we will only access your request if needed to support the Group Company or provide proof of our compliance efforts (e.g., to a data protection authority). Please reference the privacy policy of the Group Company whose game you are playing for details regarding their retention period for data protection requests.

Who can you contact?

When we process your personal data, you have certain rights under the GDPR, which you can find in Section IV of this Privacy Policy. If you have questions regarding our joint controllerships or want to make use of your data protection rights, you can contact us anytime through the contact address mentioned in Section I of this Privacy Policy.

How is your data secured?

We have implemented technical and organizational measures to ensure a level of security appropriate to the risk presented by the processing, in accordance with Art. 24 and 32 of the GDPR.

What happens in a case of a personal data breach?

In the case of a personal data breach under the GDPR that is likely to result in a risk to your rights and freedoms, we will, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the competent supervisory authority.

Should such breach likely result in a high risk to your rights and freedoms, or where required by Article 34 of the GDPR, we, or the respective Group Company, will inform you of the personal data breach without undue delay.

IX. Group Cooperations – Independent Controllerships

With the exception of cases where we jointly process personal data, we cooperate with other Group Companies as independent controllers of your personal data in the following cases:

1. Developing or Distributing Games

a. What

We can support Group Companies when they are developing or distributing their games (e.g., consultations regarding game features or functionalities). In this process it is possible that certain player personal data points might be disclosed to us, such as names, email addresses, usernames, or unique identifiers. Such personal data will not be actively stored or used by us.

b. Why

Since we and the Group Companies are part of the same group, and we are their parent company, we share a legitimate interest in developing and distributing great games. We work closely together to achieve this interest.

c. Who

The providers of our office tools may be recipients of the processed personal data.

d. Legal Basis

The legal basis for processing your personal data is Art. 6(1)(f) of the GDPR.

e. How long

Your personal data may be stored by the Group Company whose game you are playing in accordance with it’s listed applicable retention periods (e.g., the retention period for your account data). Please check out the privacy policy of the Group Company whose game you are playing for details.

2. Legal Support

a. What

We may support Group Companies by providing guidance regarding legal complaints, claims, court proceedings or other legal matters. In such cases we might receive personal data from the Group Company (e.g., names and contact details of plaintiffs or complainants) of persons involved in such legal matters.

b. Why

Since we and the Group Companies are part of the same group, and we are their parent company, we share a legitimate interest in effectively handling legal complaints, claims, court proceedings and other legal matters we might be facing. We will work closely together at this aim.

c. Who

Providers of our office tools may be recipients of the processed personal data.

d. Legal Basis

The legal basis for processing your personal data is Art. 6(1)(f) of the GDPR.

e. How long

The personal data will be retained according to the relevant legal obligations (e.g., employment laws) or our legitimate interest in defending ourselves or the respective Group Company against legal claims.

3. Freelancer & Outsourcing

a. What

If you are a freelancer providing services to a Group Company, the Group Company may share your personal data with us, e.g., name and contact details.

b. Why

Since we are all part of the same group, and we are their parent company, we share a legitimate interest in effectively handling budgets and ensuring effective project management, which can necessitate the sharing of information about freelancers between us and the Group Company with whom they work.

c. Who

The providers of our office tools may be recipients of the processed personal data.

d. Legal Basis

The legal basis for processing your personal data is Art. 6(1)(f) of the GDPR.

e. How long

Your personal data will be stored for the term of the contract you have with the Group Company and, if required by bookkeeping laws, for as long as it is necessary to retain documentation on financial transactions connected to your work.

Last Updated: May 26, 2026