Privacy policy

Data protection

Data privacy policy of Xyrality GmbH

This is the data privacy policy of Xyrality GmbH (“Xyrality”, “We”). We offer electronic games via both our website (“Website”) and mobile applications (“Mobile Apps” or “Apps”) (jointly referred to as “Services”). We inform you in this data privacy policy about which personal data we are gathering and processing. We moreover inform you about your rights. The responsibility for protecting and processing personal data is an important concern for us. Your data is secured against unauthorised access, as well as loss, with the aid of various technical and contractual measures. For that purpose, we have implemented the necessary technical and organisational measures. Where any links placed lead to websites of third parties, please note that such companies prepare their own data privacy statements, which then apply to that extent. We only offer our services to people who are at least 16 years old. We therefore do not knowingly gather or process data from individuals under the age of 16 years.

I. Name and address of the Controller

The Controller, within the meaning of the General Data Protection Regulation and other national data privacy laws of the Member States, as well as any other provisions under data protection law, is:

Xyrality GmbH
Friedensallee 290
D-22763 Hamburg
E-Mail: info(at)xyrality.com
Tel.: +49 (0)(40) 3573 0010
Managing Director: Sven Ossenbrüggen

II. Name and address of the Data Protection Officer

The Controller’s Data Protection Officer is:

Attorney-at-Law and Specialist Lawyer for Information Technology Law
Dr. Christian Rauda
GRAEF Rechtsanwälte Digital PartG mbB
Jungfrauenthal 8
20149 Hamburg, Germany
E-mail: datenschutzbeauftragter@xyrality.com
Website: www.graef.eu

III. General remarks concerning data processing

1. Scope of the processing of personal data
We essentially only gather the personal data that you inform us of when using our services within the scope of your registration and making use of services subject to a fee, as the case may be. Personal data is data that contains details about personal or technical circumstances. When you log in and register as a user, we only need you to specify an e-mail address and a password. The password is saved in encrypted form, which never permits any conclusion to be drawn about the actual password.

We offer you the opportunity to log in to our services using log-in data of other services (“Partners”). No additional registration is required. A non-conclusive list of our partners includes, for example, Facebook and Google.

In this case, your logging in to our services is essentially performed through the partner. The result is that your profile stored with the Partner is linked to our services. In that respect, the Partner transmits to us the information concerned, which exclusively serves the purpose of quality control measures and is never at any time shared with third parties. For further information on the service you prefer, please contact the company named above (I. Name and address of the Controller).

Within the scope of implementing the concluded use agreement, in particular in the context of the services subject to a fee that you chose, it may be necessary to provide further data, e.g. your full name, address, bank account details, credit card number, etc. It is sometimes also necessary to ask for personal information such as name, address, e-mail address and telephone number for processing of your inquiries or providing technical support.

We, moreover, gather data in the course of voluntary participation in enquiries and surveys. We only pass on personal data to collaborating companies or external service providers if this is stipulated by law or legitimate, in particular in order to fulfil the contract, process payment or protect other users, or to fend off any risks to state and public security or prosecute criminal offences.

Your interests worthy of protection are taken into consideration, in line with the statutory data protection provisions. In the event of arrears of payment, we reserve the right to commission a debt collection agency or attorney-at-law with collecting the outstanding debt, and, in this context, pass on the necessary data.

We will treat all such data as confidential, taking account of the statutory data protection provisions. Essentially, we do not pass on such information to third parties without your permission unless this is admissible in order to implement and execute the contract or process your enquiry or is necessary in order to attend to your case or in accordance with the statutory data protection provisions.

2. Legal basis for the processing of personal data
Should we obtain the data subject’s consent for processing procedures in regard to personal data, Art. 6(1)(a) General Data Protection Regulation (GDPR) serves as a legal basis for the processing of personal data.

When processing personal data that is required in order to fulfil a contract, to which the data subject is a contracting party, Art. 6(1)(b) GDPR serves as a legal basis. This also applies to any processing procedures that are necessary in order to implement pre-contractual measures.

Should it be necessary to process personal data to fulfil a legal obligation, to which our company is subject, Art. 6(1)(c) GDPR serves as a legal basis.

In the event of vital interests of the data subject or another natural person making it necessary to process personal data, Art. 6(1)(d) GDPR serves as a legal basis.

Should the processing be necessary in order to protect a legitimate interest on the part of our company or a third party, and should the interests, basic rights and basic freedoms of the data subject not outweigh the first-named interest, Art. 6(1)(f) shall serve as a legal basis for the processing.

3. Purpose of the processing of personal data
We gather and process personal data to enable you to use our services. That also includes processing it for the purpose of data security, as well as the stability and operational security of our system, and also for invoicing purposes. We process data to assist you when you have any support queries. Data is also processed in order to detect and prevent misuse of multiple accounts, e.g. for the purposes of fraud. Data processing serves to obtain new customers and make use of advertising that we believe is in line with your interests.

4. Deletion of data and duration of storage
The personal data of the data subject is deleted or blocked once the purpose of storing it no longer exists. It may, moreover, be stored beyond that time if this has been stipulated by the European or national legislative authority in EU ordinances, laws or other regulations to which the Controller is subject. The data may also be blocked or deleted if a storage period stipulated by said standards expires, unless the necessity for further storage of the data for concluding an agreement or fulfilling an agreement exists.

5. Data security
We endeavour to take precautions, to a reasonable extent, to prevent unauthorised access to your personal data, as well as the unauthorised use or falsification of such data and minimise the corresponding risks. Providing personal data, whether it is provided personally, by telephone or over the Internet, is always associated with risks, and no technological system is entirely free of the possibility of being manipulated or sabotaged.

We process the information gathered from you in line with German and European data protection law. All our employees are bound to data secrecy and to compliance with the data protection provisions, and are briefed in this regard. In the case of payment transactions, your data is transmitted in encrypted form, using the SSL procedure.

IV. Provision of the services and creation of log files

1. Description and scope of the data processing
Every time you access our website our system automatically gathers data and information from the computer system of the accessing computer.
In the process, the following data is gathered:

IP address
The URL of the referring website, from which the file was requested
The date and time of access
The browser type and operating system
The page visited by you
The volume of data transmitted
The access status (file transmitted, file not found, etc.)
The duration and frequency of use

The data is likewise stored in the log files of our system. This data is not stored together with other personal data of the user.
When mobile apps are accessed, the following data and information is gathered:

IP address
Date and time of access
Type of device and operating system
The volume of data transmitted
The access status (file transmitted, file not found, etc.)
The duration and frequency of use
Google Play IDs or Game Center IDs may be stored, in order to log you in across multiple devices. 
The IFA (iOS Advertising Identifier)
The GAID (Google Advertising Identifier)
The Login ID
The Player ID
The push notification identifier

2. Legal basis for the data processing
The legal basis for the temporary storage of the data and the log files is Art. 6(1)(f) GDPR.

3. Purpose of the data processing
The temporary storage of the IP address by the system is necessary to enable the services to be delivered to the user’s PC. For this purpose, the user’s IP address needs to be stored for the duration of the session.
The data is stored in log files to ensure the functionality of the services. In addition, the data serves the purpose of optimising the services and ensuring that our IT systems are secure. It also serves to provide customised advertising.

In order to monitor compliance with the terms and conditions of use and the rules of the game, we reserve the right to store IP addresses and log files for a period of 30 days after the services have been used. This procedure in particular serves to be able to prevent or clarify any cases of abuse and to be able to pass on the data, for this purpose, to investigation authorities in the individual case. Furthermore, any other evaluation of data is, if possible, undertaken in anonymised form. Once this period has expired, the IP address and log files are deleted entirely, unless any mandatory statutory archival obligations exist or any specific criminal prosecution and abuse investigations are pending.
These purposes are also the reason for our legitimate and overwhelming interest in processing the data pursuant to Art. 6(1)(f) GDPR.

4. Duration of storage
The data is deleted once it is no longer necessary in order to achieve the purpose for which it was gathered.

In the event of data being stored in log files, this is at the latest the case once 30 days have expired. Storage extending beyond that is possible. In such a case, the user’s IP addresses are deleted or distorted, so that it is no longer possible for them to be allocated to the accessing client.

5. The possibility of objection and deletion
Gathering the data in order to provide the services and storing the data in log files are necessary in order to operate the services and fix bugs. There is consequently no possibility for the user to object.

V. Push notifications

1. Description and scope of the data processing
If you have adjusted corresponding settings on your device, we can send push notifications to your mobile device, to inform you about any updates to services, as well as any other relevant messages. You can manage push notifications on the “Options” or “Settings” pages in the mobile app, or in the settings of your device.

You can switch off the tracking of your Device ID in the settings of your device.

2. Legal basis for the data processing
The legal basis for the processing of the data when a contract is in place is Art. 6(1)(b) GDPR.

3. Duration of storage

The data is stored in the log files for 30 days.

4. The possibility of objection and deletion

In the case of a mobile terminal of the Apple brand: Open the settings on your mobile terminal (e.g. iPhone or iPad) and select the menu item “Data privacy”. You can switch off the ad tracking under the item “Advertising”.

In the case of devices with the Android operating system: Open the settings in your app list and tap the “Ad” button. Once the “Ad” window has opened, you can deactivate the Google Advertising ID.

VI. Contact form and e-mail contact

1. Description and scope of the data processing
A contact form is available on our website, which can be used for making contact with us electronically. Should a user make use of this option, the data entered into the input mask is transmitted to us and saved. This data includes:

E-mail address
User name
Heading
Question/issue

At the time of the message being sent, the following data is stored in addition:

The user’s IP address
The date and time when the message was sent

Alternatively, it is possible for you to contact us via the e-mail address provided. In this case, the user’s personal data transmitted with the e-mail will be saved.

No data is passed on to third parties in this context. The data will exclusively be used for processing the enquiry.

2. Legal basis for the data processing
When user consent exists, the legal basis for the processing of the data is Art. 6(1)(a) GDPR.

The legal basis for the processing of the data transmitted in the course of sending an e-mail is Art. 6(1)(f) GDPR. If the aim of the e-mail contact is the conclusion of a contract, the additional legal basis for the process is Art. 6(1)(b) GDPR.

3. Purpose of the data processing
The processing of the personal data from the input mask only serves the purpose of facilitating communication with you. If contact is made by e-mail, the legitimate interest in the processing of the data that is required is also precisely that.
The other personal data processed when submitting the contact form serves the purpose of preventing abuse of the contact form and ensuring the security of our IT systems.

4. Duration of storage
The data is deleted once it is no longer necessary in order to achieve the purpose for which it was gathered. In regard to the personal data from the input mask of the contact form and data which has been transmitted by e-mail, this is the case if the respective conversation with the user has come to an end. The conversation is deemed to have come to an end if it can be inferred from the circumstances that the relevant facts have been conclusively clarified.

The additional personal data gathered when submitting the contact form is deleted at the latest upon expiry of a period of seven days.

5. The possibility of objection and deletion
The user has the opportunity to revoke his or her consent to the processing of the personal data at any time. Should the user take up contact with us, he or she may object to the storage of his or her personal data at any time. In such a case, the conversation cannot be continued. All personal data that has been stored in the course of taking up contact will, in this case, be deleted.

VII. Cookies, web beacons, etc.

1. Description and scope of the data processing

Cookies
We deploy so-called “cookies”, i.e. text files or pixels that are stored on the user’s terminal. These are technologies with the aid of which certain user-specific settings and technical information with which the user can be identified can be gathered. We deploy cookies in order to design our services in a more user-friendly manner. Some elements of our services require it to be possible to identify the user. We moreover use cookies that make it possible to analyse user behaviour. We also use cookies to display advertising. The use of cookies is usual, and common practice on many websites. Cookies are stored on the user’s terminal.

Permanent cookies are cookies of the sort that can be found on your terminal for an extended period of time. Session cookies, in turn, are stored on your terminal temporarily and are deleted once the services have been closed.

We deploy necessary cookies, cookies for analysis, performance cookies and targeting cookies.

Necessary cookies. These cookies are necessary in order to use the services. Without these necessary cookies, we may not be able to provide you with certain services or features, or the services may not be displayed properly.

Function cookies. Function cookies make it possible for us to recognise your previous settings again, and provide you with extended and better adapted features, e.g. personal adjustment of the services or recognising whether we have enquired with you about certain things or whether you have enquired about any other services. All these features help us to improve the services for you.

Performance cookies. Performance cookies are sometimes also called analytical cookies (Analytics Cookies), and gather information about your use of the services, enabling us to improve the functioning of the services. For example, performance cookies show us which pages are used most frequently, as well as what the entire usage pattern for the services looks like, and help us to recognise problems in using the services and establish whether our advertising is displayed effectively or not.

Targeting and advertising cookies. We and our service providers may deploy targeting or advertising cookies to show you advertisements that are better adapted to your interests and preferences. We may use targeting or advertising cookies to limit the number of identical advertisements that you get to see when using the services or to ascertain the efficiency of our marketing campaigns. These cookies record, for example, what you have looked at when using the services, and we share this information with other organisations, such as advertising customers.

You can find a list of deployed cookies here.

When starting to use our services, users are informed about the deployment of cookies. If the user does not wish cookies to be stored on his or her terminal, wishes to delete a stored cookie or would like to be notified about it being stored, he or she can adjust his or her browser or mobile terminal accordingly. How to do this in detail can be inferred from the help function available within the browser. We would like to expressly point out that you may, in such a case, not be able to use all the functions of the services in their entirety.
Should you access our services via third parties, it may be the case that such third parties place cookies. We have no control over this. Please note the data privacy provisions of the third parties.

2. Legal basis for the data processing
The legal basis for the processing of personal data using cookies is Art. 6(1)(f) GDPR.

3. Purpose of the data processing
The purpose of using technically necessary cookies is to simplify use. Some functions of our software cannot be provided without deploying cookies. The user data gathered by technically necessary cookies is not used to create user profiles. The analytical cookies (Analytics Cookies) are used for the purpose of improving the quality and content of our services. By using the analytical cookies, we find out how the services are used, enabling us to continually optimise our services. These purposes are also the reason for our legitimate interest in processing the data pursuant to Art. 6(1)(f) GDPR. We moreover have a legitimate interest in showing advertising within our services. We are interested in finding new customers. In order for this to become possible, our advertising partners need to deploy cookies.

4. Duration of the storage, possibility of objection and deletion
Cookies are stored on the user’s device and transmitted to us by the latter. You, as a user, therefore also have full control over the use of cookies. By adjusting the settings in your web browser or mobile device, you can deactivate or limit the transmission of cookies. You can at any time delete any cookies already stored. This can also be done in an automated way. If cookies are deactivated, you may no longer be able to use all the functions of the services. The data is deleted once it is no longer necessary to achieve the purpose for which it was gathered.

VIII. Rights of the data subject
If personal data of yours are processed, this means you are the data subject within the meaning of the GDPR, and you have the following rights in relation to the controller:

1. Your right to information
You may request confirmation from the controller whether any personal data concerning you is processed by us.
Should this be the case, you can request information about the following from the controller:
– the purposes for which the personal data is processed;
– the categories of personal data that are processed;
– the recipients or categories of recipients to whom the personal data relating to you have been disclosed or will still be disclosed;
– the scheduled duration of storage of the personal data concerning you or, if this specific information is not available, criteria for laying down the period of storage;
– the existence of a right to correction or deletion of the personal data concerning you, a right to limitation of the processing by the controller or a right to object to such processing;
– the existence of a right of appeal to a supervisory authority;
– if the data was not gathered from the data subject, any information available on the origin of the data;
– the existence of automated decision making, including profiling, in accordance with Art. 22(1) and (4) GDPR and – at least in such cases – meaningful information on the logic involved and the scope and intended effects of such processing for the data subject.
You are entitled to request information on whether the personal data concerning you is transmitted to a country outside the EU or an international organisation. In this context, you may request to be informed about the suitable warranties under Art. 46 GDPR in connection with the transmission.

2. The right of correction
You have a right to correction and/or completion of the data by the controller if the personal data processed concerning you is incorrect or incomplete. The controller is required to make the correction without delay.

3. The right to limitation of the processing
You may, on the following prerequisites, request that the processing of the personal data concerning you be limited:
– if you dispute the accuracy of your personal data for a period of time that enables the controller to verify the accuracy of the personal data;
– if the processing is illegitimate and you decline to have the personal data deleted, and instead, request the use of the personal data to be limited;
– if the controller no longer needs the personal data for the purposes of the processing, but you need it in order to assert, exercise or defend legal claims; or
– if you have filed an opposition against the processing pursuant to Art. 21(1) GDPR and it has not yet been established whether the controller’s legitimate grounds outweigh your grounds.
Should the processing of the personal data concerning you have been limited, such data may – apart from being saved – only be processed with your consent or in order to assert, exercise or defend legal claims or to protect the rights of another natural or legal person or for reasons involving a significant public interest on the part of the EU or a Member State.
Should the processing have been limited in accordance with the above-mentioned prerequisites, you will be briefed by the controller before the restriction is lifted.

4. The right to deletion

a) Deletion obligation
You may request the controller to have the personal data concerning you deleted without delay, and the controller is obliged to delete such data immediately, as long as one of the following reasons exists:
– The personal data concerning you is no longer necessary for the purposes for which it was gathered or otherwise processed.
– You revoke your consent, on which the processing pursuant to Art. 6(1)(a) or Art. 9(2)(a) GDPR was based, and there is no other legal basis for the processing.
– Pursuant to Art. 21(1) GDPR, you file an opposition against the processing and no overriding legitimate grounds for the processing exist, or you file an objection to the processing pursuant to Art. 21(2) GDPR.
– The personal data concerning you has been processed illegitimately.
– The deletion of the personal data concerning you is necessary in order to fulfil a legal obligation under EU law or the law of the Member States, to which the controller is subject.
– The personal data concerning you was gathered in relation to information society services offered pursuant to Art. 8(1) GDPR.

b) Information given to third parties
Should the controller have made the personal data concerning you public, and should it be obliged, pursuant to Art. 17(1) GDPR, to delete it, it shall take appropriate measures, taking into account the available technology and costs of implementation, also of a technical nature, to inform parties responsible for processing the data, who process the personal data, that you, as a data subject, have requested them to delete any links to such personal data or copies or replications of such personal data.

c) Exceptions
The right to deletion does not exist if the processing is necessary
– in order to exercise the right to free expression of opinion and information;
– in order to fulfil a legal obligation that, according to the law of the EU or the Member States, to which the controller is subject, is required by the processing, or in order to take on a task that is in the public interest or is carried out in order to exercise official authority that has been assigned to the controller;
– for reasons in the field of public health that are in the public interest pursuant to Art. 9(2)(h) and (i), as well as Art. 9(3) GDPR;
– for archival purposes, scientific or historic research purposes or statistical purposes that are in the public interest pursuant to Art. 89(1) GDPR, if the right specified in Section a) is likely to make the implementation of the objectives of such processing impossible or seriously compromise them; or
– to assert, exercise or defend legal claims.

5. The right to a briefing
Should you have asserted the right to correction, deletion or limitation of the processing vis-à-vis the controller, the latter is obliged to inform all recipients to which it has disclosed the personal data concerned about the correction or deletion of the data or limitation of the processing, unless this proves impossible or involves disproportionate effort.
You are entitled to be informed about such recipients by the controller.

6. The right to data portability
You are entitled to receive the personal data concerning you that you have provided the controller with in a structured, common and machine-readable format. In addition, you have the right to transmit such data to another controller, without being impeded by the controller to whom you had provided the personal data, if
– the processing is based on consent pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR, or a contract pursuant to Art. 6(1)(b) GDPR; and
– the processing is undertaken with the aid of automated procedures.
In exercise of this right, you moreover have the right to bring about that the personal data concerned is transmitted directly from one controller to another controller, provided that this is technically feasible. Freedoms and rights of other persons may not be impaired thereby.
The right to data portability does not apply to any processing of personal data which is necessary in order to take on a task that is in the public interest or in exercise of public authority that has been conferred upon the controller.

7. The right of objection
You are entitled, for reasons which arise from your particular situation, to file an objection against the processing of the personal data concerning you, which is being undertaken based on Art. 6(1)(e) or (f) GDPR. This also applies to any profiling based on such provisions.
The controller will no longer process the personal data concerning you unless it can provide evidence of reasons for the processing worthy of protection which outweigh your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.
Should the personal data concerning you be processed in order to engage in direct advertising, you are entitled to file an objection to the processing of the personal data concerning you for the purpose of such advertising at any time. This also applies to profiling, in so far as it is connected with such direct advertising.
Should you object to the processing for purposes of direct advertising, the personal data concerning you will no longer be processed for such purposes.
You have the opportunity, in connection with the use of information society services – notwithstanding Directive 2002/58/EC – to exercise your right of objection by means of an automated procedure, where technical specifications are used.

8. The right to revoke declarations of consent under data protection law
You are entitled to revoke your declaration of consent under data protection law at any time. The legitimacy of the processing that has been undertaken based on the consent prior to revocation is not affected by the consent being revoked.

9. Automated decision in the individual case, including profiling
You are entitled not to be subjected to a decision based solely on automated processing – including profiling – which has a legal effect in relation to you or considerably impairs you in a similar way. This does not apply if the decision
a) is necessary for concluding or fulfilling a contract between you and the controller;
b) is permissible based on legal provisions of the EU or the Member States to which the controller is subject, and these legal provisions contain appropriate measures to preserve your rights and freedoms, as well as your legitimate interests; or
c) is taken with your explicit consent.
Such decisions may, however, not be based on special categories of personal data pursuant to Art. 9(1) GDPR, unless Art. 9(2)(a) or (g) applies and appropriate measures have been taken to protect the rights and freedoms, as well as your legitimate interests.
In regard to the cases specified in (a) and (c), the controller shall take appropriate measures to preserve the rights and freedoms, as well as your legitimate interests, which at least includes the right to bring about the intervention of a person on the part of the controller, to explain one’s own point of view and to contest the decision.

10. The right to appeal to a supervisory authority
Notwithstanding any other legal remedy, or legal remedy under administrative or judicial law, you are entitled to file an appeal with a supervisory authority, in particular in the Member State that is your place of residence, your place of work or the place of the presumed infringement if you are of the opinion that the processing of the personal data concerned infringes the GDPR.
The supervisory authority with which the appeal has been filed will inform the party filing the appeal about the status and the results of the appeal, including the option of a judicial legal remedy pursuant to Art. 78 GDPR.