Privacy Policy for the Game “Bomb Bots Arena” (“Game”)

I. Name and address of controller 
The controller within the meaning of the General Data Protection Regulation (hereinafter "GDPR") and other national data protection laws of EU countries and other data protection laws is:

Controller
Tiny Roar UG (haftungsbeschränkt)Hongkongstr. 7
20457 Hamburg
Support@tinyroar.de

II. General information about data processing

1. Extent of processing personal data
We will generally collect and use personal data of our users only if and to the extent necessary to make available a functional Game and/or to provide our content and services. Personal data of our users generally will be collected and/or used only with the prior consent of the user. An exception applies in cases where obtaining prior consent is practically impossible and where data processing is permitted by applicable law. The types of data we process are as follows:

- usage data (e.g. session times, purchases, interest in content, access times, friend list, score)
- meta/communication data (e.g., device information, IP addresses)

2. Legal basis for processing personal data
If we obtain the consent of a data subject for processing personal data, the legal basis for processing such personal data is Art. 6 para. 1 lit. a) EU General Data Protection Regulation (hereinafter "GDPR"). If we process personal data that are necessary to perform a contract to which the data subject is a party, the legal basis for processing such personal data is Art. 6 para. 1 b) GDPR. The same applies if processing personal data is necessary to perform pre-contractual measures. If processing personal data is necessary to perform a legal obligation of our company, the legal basis for such data processing is Art. 6 para. 1 lit. c) GDPR. If processing personal data is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights and fundamental freedoms of the data subject do not outweigh that legitimate interest, the legal basis for such data processing is Art. 6 para. 1 lit. f) GDPR.

3. Erasure of data and duration of data storage
Personal data of a data subject will be erased or blocked as soon as they are no longer needed for the purposes for which they are stored. Data may also be blocked if provided for by EU or national regulations, laws, or other provisions to which the controller is subject. Data will also be blocked or erased if recordkeeping obligations under the aforementioned norms expire, unless continued storage of such data is necessary to enter into or perform a contract.

III. Making available and using the Game

1. Description and extent of data processing
As part of the provision of the Game, we store and process the data records necessary for the operation of the Game. For this purpose, we also store data in logs when using the Game. Logs represent protocols of certain technical contents.

In this connection the following data will be collected for a limited time period:

(1) user name
(2) the date and time of access
(3) information about the type and version of the used hardware,
(4) the operating system of the user,
(5) the IP address of the user,
(6), information about in-game actions
(7) information about game progress including score
(8) purchases
(9) friend list
(10) geolocation based on IP address

Such data will be stored in log files of our system in order to provide the Game and to analyze any malfunctions. The processing is necessary to perform a contract to which the data subject is a party. Hence, the legal basis for processing such personal data is Art. 6 para. 1 b) GDPR.  

The score will be used to display the user’s achievement potentially in a highscore list. Such list displays the user’s nickname and the achieved score. 

If you connect yourself with other users via the “friends-functionality”, your nickname will be displayed in your friends’ “friend list”. If your undo the connection, your nickname will not be displayed in the respective “friend list” any more.

The legal basis for temporarily storing the aforementioned data in log files is Art. 6 para. 1 lit. b) GDPR. The data will be stored as long as the Playfab account exists (see Section 2) or you request deletion of the data.

2. Playfab account management
The service PlayFab, provided by Microsoft Corporation, One Microsoft Way, Redmond, Washington 98052 USA (“PlayFab”) will collect data from you in order to manage your account data. PlayFab received your email address (if provided by you), your geolocation via IP address and your game progress. The processing is necessary to perform a contract to which the data subject is a party. Hence, the legal basis for processing such personal data is Art. 6 para. 1 b) GDPR.  
PlayFab may also develop, use, distribute and publish information and statistics derived from the Game for use on an anonymized, aggregate basis; provided, that no such information will contain statistics or other information that is specifically attributable to the overall performance of the Game. This use of your data will not result in the distribution or publication of any personally identifiable information. For more privacy information, see https://privacy.microsoft.com/en-us/privacystatement.

3. Analytics

Unity Analytics
In order to modify and improve our Game, we use Unity Analytics by Unity Technologies Finland Oy, Kaivokatu 6, 00100 Helsinki, Finland (“Unity”). Unity collects device information, like IP address and device identifiers, as well as events completed or actions taken within the Game, including level, number of credits, time it took you to earn them, metadata about in-game communications and the value and details of purchases. This collection and use of data makes it possible for your experience to operate as expected by permitting you to do things like redeem rewards you have earned or return to where you left off in a game. Other Unity customers may have access to aggregated reports about game activity in general across a number of games. These reports are based, in part, on your Game activities, but do not specifically identify you or your device. The reports described in this paragraph help us to make decisions on optimal methods to run the Games. For example, we may need to know the types of devices running the Game to determine how to support Game updates on an ongoing basis. For more information, see https://unity3d.com/de/legal/privacy-policy.

Google Analytics

The Game uses Google Analytics, a web analytics service provided by Google, Inc. or, if you are based in the EU, Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help us understand how users use the Game. The information generated by the cookie about your use of the Game (including your IP address) will be transmitted to and stored by Google on servers in the United States or, if you are based in the EU, in the EU. The Game uses Google Analytics with automatic IP anonymization. Google will first shorten your IP address within the member states of the European Union or in other signatory states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA where it will be shortened. Google will use this information on behalf of us for the purpose of evaluating your use of the Game, compiling reports on Game activity and providing us with other services relating to Game activity and internet usage, in particular functions for Google Analytics reports for the service of demographic characteristics and interests. With the use of Google Analytics Demographics and Interest Reporting we can process data resulting from the interest-based advertising pursued by Google and/or data from third parties relating to our advertising audience (e.g. age, gender and interests) in connection with Google Analytics for targeted and optimized advertisement activities, strategies and contents of the Game. Further, Google may transfer this information to third parties, insofar as this is required by law or if third parties process the data on behalf of Google as a processor. Under no circumstances will Google associate your IP address with other data stored by Google. You may refuse the use of cookies by selecting the appropriate settings, however please note that if you do this you may not be able to use the full functionality of the Game. You can also prevent Google from collecting the data generated by the cookie and related to your use of the Game (including your IP address) and Google from processing this data.

The processing of the data is based on balancing of interests pursuant to Art. 6(1) lit. f GDPR. The continued improvement of the app as well as our services is a legitimate interest. For the exceptional cases, in which personal data is transferred to the U.S., Google is certified under the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework. For more information, see https://policies.google.com/privacy and https://support.google.com/analytics/answer/6004245?hl=en.

2. Apple Sign-in
We offer you the option to use the Service “Sign-in with Apple” by Apple Inc., Infinite Loop, Cupertino, CA 95014, USA (“Apple”). When you see a Sign in with Apple button on, it means you can set up an account and sign in with your Apple ID. Instead of filling out forms and choosing another new password, you may tap the Sign in with Apple button, review your information, and sign in quickly and securely with Face ID, Touch ID, or your Device passcode. If you use the feature “Hide my email” Apple creates and shares a unique, random email address just for use with your account that forwards to your personal email. In this case, we only receive such random email address from Apple and not your personal email address. To sign into our Game you need an Apple ID that uses two-factor authentication and you need to be signed in to iCloud with this Apple ID on your Apple device. You can also use Sign in with Apple with web browsers and on other platforms, like Android or Windows. For more information on how “Sign-in with Apple” works and how Apple processes your personal information, see https://support.apple.com/en-us/HT210318.

3. Quantum Engine 
We use the Unity engine “Photon Quantum” by Exit Games GmbH,
Hongkongstr. 7, 20457 Hamburg Germany in order to enable multiplayer mode of our Game without lags. For this reason, we transmit your geolocation via IP address, your username and your friend list. 


V. Rights of data subjects

If we process your personal data, you will be a data subject within the meaning of the GDPR and you will have the following rights against the controller:

1. Right to information
You may demand that the controller confirm whether or not personal data about you are processed by us.
If we do process such data, you may demand the following information from the controller:

(1) the purposes for which your personal data are processed;

(2) the categories of personal data that are processed;

(3) the recipients or categories of recipients to whom your personal data have been or will be disclosed;

(4) how long we plan to store your personal data or, if that time period cannot be ascertained yet, the criteria used to determine how long we will store your personal data;

(5) whether you have a right to rectification or erasure of your personal data, a right to restricted processing by the controller, or a right to object to such processing;

(6) whether you have a right to lodge a complaint with a supervisory authority;

(7) any available information about the origin of data if they were not collected directly from the data subject; and

(8) whether your personal data will be transferred to any third country or international organization; in connection with such transfers you may demand to be informed of appropriate safeguards within the meaning of Art. 46 GDPR. 

2. Right to rectification
You have a right against the controller to have incorrect personal data rectified and/or to have incomplete personal data completed if the personal data we process are incorrect or incomplete. The controller must rectify data without undue delay.

3. Right to restricted processing
Under the following conditions you may demand restricted processing of your personal data:

(1) if you dispute the correctness of your personal data for a time period that allows the controller to review whether your personal data are correct;

(2) if processing is unlawful and you decline to have your personal data erased and instead demand restricted use of your personal data;

(3) if the controller no longer needs your personal data for the purposes for which they are processed, but you need such data to assert, exercise, or defend legal rights or claims, or

(4) if you have objected to processing of your personal data in accordance with Art. 21 para. 1 GDPR and it has not yet been determined whether there are overriding legitimate reasons of the controller.

If processing of your personal data is restricted, such data may – except for their storage – be processed only with your consent, or to assert, exercise, or defend legal rights or claims, to protect the rights of another natural person or legal entity, or for reasons related to an important public interest of the European Union or any member state.If processing of your personal data has been restricted under the aforementioned conditions, you will be notified by the controller before the restriction is lifted.

4. Right to erasure
a) Erasure obligationYou may demand that the controller erase your personal data without undue delay and the controller has an obligation to do so if one of the following reasons applies:
(1) your personal data are no longer needed for the purposes for which they were collected or are otherwise processed;

(2) you have revoked your consent on which the processing of your data is based in accordance with Art. 6 para. 1 let. a) or Art. 9 para. 2 lit. a) GDPR, and there is no other legal basis for processing your personal data;

(3) you have objected to processing of your personal data in accordance with Art. 21 para. 1 GDPR and there are no overriding legitimate grounds for processing your personal data, or you object to processing in accordance with Art. 21 para. 2 GDPR;

(4) your personal data have been processed unlawfully;

(5) erasing your personal data is necessary to comply with a legal obligation under European law or member state law to which the controller is subject; or

(6) your personal data were collected with respect to offered information society services within the meaning of Art. 8 para. 1 GDPR.

b) Information to third parties
Where the controller has made personal data public and has an obligation under Art. 17, para. 1 to erase such personal data, the controller, taking into account available technology and the cost of implementation, must take reasonable steps, including technical measures, to inform controllers which are processing such personal data that the data subject has requested the erasure by such controllers of any links to, or copies or duplicates of, such personal data.

c) Exceptions
There is no right to erasure if processing personal data is necessary

(1) to exercise the right to freedom of expression and information;

(2) to comply with a legal obligation which requires processing of your personal data under EU or member state law to which the controller subject, or to perform a task that is in the public interest, or to exercise official authority vested in the controller;

(3) for reasons of the public interest in the area of public health within the meaning of Art. 9 para. 2 let. f) and i) and Art. 9 para. 3 GDPR; or(4) to assert, exercise, or defend legal rights or claims.

5. Right to notification
If you have exercised your right to rectification, erasure, or restricted processing against the controller, the controller has an obligation to notify all recipients to whom your personal data have been disclosed of such rectification, erasure, or restricted processing, unless this proves impossible or would be associated with unreasonable expense.You have a right to be informed of all such recipients by the controller.

6. Right to data portability
You have a right to receive personal data you have made available to the controller in a structured, standard, and machine-legible format. You also have the right to transfer your personal data to another controller without any interference by the controller to whom the personal data were made available, if

(1) processing is based on consent within the meaning of Art. 6 para. 1 lit. a) GDPR or Art. 9 para. 2 let. a) GDPR or on a contract within the meaning of Art. 6 para. 1 lit. b) GDPR, and

(2) data processing is automated.
In exercising the right to data portability you further have the right to have your personal data transferred directly from one controller to another controller, if and to the extent that this is technically feasible. No rights or freedoms of any other persons may be infringed thereby.The right to data portability does not apply to processing of personal data that is necessary to perform a task that is in the public interest or to processing of personal data in the exercise of official authority vested in the controller.

7. Right of objection
You have the right for reasons related to your particular situation to object to processing of your personal data at any time based on Art. 6 para. 1 lit. e) or f) GDPR; the same applies to any profiling based on the aforementioned provisions.If you object, the controller will no longer process your personal data, unless the controller can show that there are compelling protected reasons for processing your personal data that override your interests, rights and freedoms, or if your data are processed to assert, exercise, or defend legal rights or claims.If your personal data are processed for direct advertising purposes, you have a right to object to processing of your personal data for purposes of such advertising at any time; the same applies to any profiling associated with such direct advertising.If you object to processing of your personal data for purposes of direct advertising, your personal data will no longer be processed for such purposes.In connection with use of information society services you may exercise your right of objection – regardless of Directive 2002/58/EC – by using automated processes for which technical specifications are used. For this purpose you may send an email to us.

8. Right to revoke consent to data processing
You have a right to revoke your consent to data processing at any time. If you exercise your right of revocation, the lawfulness of data processing that occurs before revocation based on your consent will remain unaffected.

9. Automated decision in a particular case, including profiling
You have a right not to be subjected to a decision that is made exclusively by means of automated processing – including profiling – if such a decision has legal consequences for you or otherwise substantially impairs your interests. This does not apply if the decision

(1) is necessary to enter into or perform a contract between you and the controller,

(2) is permitted under EU or member state law to which the controller is subject and such law provides for appropriate safeguards to protect your rights, freedoms, and legitimate interests, or

(3) is made with your express consent.

However, such decisions may not be made with respect to special categories of personal data within the meaning of Art. 9 para. 1 GDPR, unless Art. 9 para. 2 lit. a) or g) GDPR applies and appropriate safeguards have been implemented to protect your rights, freedoms, and legitimate interests.

In cases 1) and 3) above the controller must implement appropriate safeguards to protect your rights, freedoms, and legitimate interests, which must include, at a minimum, a right to have a person acting on behalf of the controller take action, a right to present your own point of view, and a right to contest the decision.

10. Right to lodge complaint with supervisory authority
Without prejudice to any other available administrative or judicial remedies, you have a right to lodge a complaint with a supervisory authority, in particular a supervisory authority located in the member state of your habitual residence, at your workplace, or at the place of the purported infringement, if in your opinion the processing of your personal data violates the GDPR.The supervisory authority where the complaint is lodged will then notify the complainant of the progress and outcome of the complaint, including judicial remedies available under Art. 78 GDPR.