Issued: 6 August 2019
Thank you for your interest in our online offer. Protecting your data is important to us. We would therefore like to explain which personal data we process, for what purpose and in what form, when you use our offers.
This policy applies to the apps operated by Spiele-Palast GmbH.
1. Responsible contact person
The contact person and so-called controller for the processing of your personal data when you use our app in accordance with the EU General Data Protection Regulation (GDPR) is
Spiele-Palast GmbH, Boxhagener Str. 106, DE-10245 Berlin.
Should you have any questions or suggestions regarding data protection, please do not hesitate to contact us personally. Our contact details are:
Boxhagener Str. 106
firstname.lastname@example.org
If you have any questions about data protection in connection with our offers or the use of our apps, you can also contact our data protection officer at any time. They can be contacted via the above postal address and at the email address email@example.com (keyword: “To data protection officer”).
2. Data security
We maintain state-of-the-art technical measures to guarantee data security, in particular to protect your personal data from risks during data transmission and against unauthorised third parties acquiring knowledge of your data. All passwords are encrypted using the SHA256 algorithm and an individual salt.
3. Use of our apps
3.1 Processing when using the apps without registration
You can also use our apps without registering by using an anonymous profile. Here, too, personal data are already being processed.
For use without registration, the apps generate a device-specific identifying code the first time they are opened after installation. This code cannot be assigned to a specific data subject. In addition, the operating system used (e.g. Android or iOS), the host name of the accessing terminal device (IP address) and the time of the server request are processed for the technical display of the specified contents.
The functionality of the Internet technically requires that the IP address be stored at least in the short term. The IP addresses are deleted or anonymised after processing. In the case of anonymisation, the IP addresses are changed in such a way that the data subject cannot or can no longer be identified. A location determination is carried out on the basis of the anonymised IP address. For data protection reasons, this only goes as far as the geographical level of the country from which the request originates. This makes it impossible to draw any conclusions about the specific location or place of residence of a user.
The data in technical protocols (so-called log files) are evaluated by us in anonymised form in order to further improve our apps and to make them more user-friendly as well as finding and correcting errors more quickly.
The data processing is necessary so that you can inform yourself about the contents of our apps. The legal basis is Article 6(1)(f) of the GDPR, based on our interest in making users aware of our content. The processing of the specified data is required for the provision of the contents. Otherwise you will be unable to use the apps as desired.
3.2. Processing when using apps with registration
You can use the apps with or without registration. You can log in using your Facebook social network account to further personalise the apps. It is also possible to upload a profile picture and choose a username. This is solely on an optional basis.
The user can carry out this personalisation in the apps via integrated social media services. We use the “Facebook Sign In” service for this (from Facebook Inc., 1601 Willow Road, Menlo Park, California, 94025, USA). In the event that personal data are transferred to the USA, Facebook has submitted to the EU-US Privacy Shield. There is a link between the apps and the Facebook account. From the provider, we store and process the provider’s full name, email address, profile picture, ID and token, as well as a list of your friends who also use our apps. For a person to appear on the Friends list, both must have chosen to share their Friends list with the apps and must not have disabled this permission during registration. These advanced personalisation features are optional and you can remove the personalisation or connection to the social media services from the app at any time. The purpose and scope of the data collection and the further processing and use of the data by the social media providers as well as your associated rights and setting options to protect your privacy can be found in the Facebook data policy.
Please note that when you log in via Facebook, data are transferred to the Facebook servers. If you are logged in to Facebook at this time with your username and password, the information that you are visiting our app will be transferred there and assigned to your user account. In principle, we have no influence on data processing on Facebook. However, we do receive statistics from Facebook about the use of and visits to our apps. Consequently, we share certain parameters with Facebook about our company and the offers on our apps. Facebook uses this information to generate more detailed statistics. Facebook may also use the data for its own purposes over which we have no control. Further information can be found in the Facebook data policy linked above. You may address your requests for information regarding data processing within the scope of logging in via Facebook to us via the contact data given in section 1. We will then inform you about the data we have collected and the data transmitted to us as well as their further processing and implement your rights as exercised against us. Should you also wish to assert rights against Facebook, the easiest way to do so is to contact Facebook directly. Facebook knows both the details of the technical operation of the platform and the associated data processing as well as the specific purposes of the data processing and can, at your request, implement appropriate measures if you exercise your rights. The contact details can be found in the data policy linked above.
There is also the option of registering by email. To do this, you must create an account by entering your email address, a password of your choice and your freely definable player name. It is not compulsory to use your real name, i.e. pseudonymous participation in the game is possible. If you wish, you may also upload a profile picture. After registration is complete, we create your account. To do this, we store your email address, your encrypted password and your player names. If you have uploaded an image, we will also save it.
The legal basis is Article 6(1)(f) of the GDPR, based on our legitimate interest in providing enhanced functionality for a more personal user experience. This is also the legal basis for the general processing when using the apps with registration, based on the legitimate interest in creating synchronisation capabilities between devices and being able to offer functions with social interaction capabilities. If you do not wish to log in, the described functions cannot be used, but basic use of the apps is still possible.
4. Push notifications
The apps use iOS and Android push notifications which can be deactivated at any time.
The push notifications are used to remind the player of information such as the day bonus or when a tournament starts for which a player has registered. In addition, our app uses remote push notifications for such cases where we do not already know in the app that they will occur, e.g. if another player has bought something for you or if we want to inform you about a sales promotion. For remote push notifications, we have implemented the services of Google and Apple ourselves, i.e. we do not use any third-party services here. The legal basis is Article 6(1)(f) of the GDPR, based on our interest in making users aware of our content and reminding them of this for important events such as tournaments.
Below we explain how push notifications are activated or deactivated – for the separate mobile operating systems for which we offer the app.
Open the “Settings” application in iOS and select the menu item “Notifications”. The following menu gives you an overview of all the apps installed on your device which have push notifications. Select the corresponding Spiele-Palast app. You can activate or deactivate the push notifications here.
Open the “Settings” application in the Android operating system and select the “Notifications” menu item under “Sounds and notifications”. The following menu gives you an overview of all the apps installed on your device which have push notifications. Select the corresponding Spiele-Palast app. You can activate or deactivate the push notifications here. The names may differ slightly depending on the version of Android you are using.
5. Rights/Permissions
Some features require that the apps are able to access certain services and data on your device. Depending on the mobile operating system you are using, this may require your express access permission. Below we explain how push notifications are activated or deactivated – for the separate mobile operating systems for which we offer the app. The legal basis is Article 6(1)(a) of the GDPR, based on your consent or on Article 6(1)(b) of the GDPR, if the authorisation is required for operation of the app.
Push notifications: If you click OK to the “Allow push notifications” query, you allow the apps to use push notifications to refer to specific events and topics (e.g. sales promotions, tournament start), even if the apps are not currently open.
The notifications can be by means of tones, messages and/or symbol identifiers (a picture or number on the app icon).
Mobile data: This function enables the apps to download and update data outside a WLAN network via mobile data connections (e.g. GSM, UMTS or LTE).
Access to media: This function enables the uploading of an avatar. When uploading, this is requested and may be rejected.
In addition to the standard permissions to run Android apps (such as receipt of Internet access or the ability of the device to vibrate; also called “normal permissions” by Google), we request the following permissions:
Access to media: This function enables the uploading of an avatar. When uploading, this is requested and may be rejected.
6. Participation in online games
6.1. When you participate in an online game, we collect and use additional data, insofar as these are required for the secure and fast execution and personalisation of the online game (“game data” such as scores, moves, game history, participation in leagues, membership in clubs, status of the premium membership). Since our online games also offer a multi-player experience, this also includes the publication of game data (e.g. game status, player name, club, rounds played, rating, platform, game statistics and, if applicable, profile picture) for friends or other players. In addition, we collect and use registration and game data insofar as these are required for billing for playing the online games. The legal basis is Article 6(1)(b) of the GDPR.
6.2. If you play the online game Pinochle-Palace, please note that we use the Unity technology for this from Unity Technologies (30 3rd Street, San Francisco, CA 94103, USA). This will involve Unity Technologies collecting some or all of the following information about your device: unique device identifiers (e.g. IDFV for iOS devices and Android ID for Android devices); IP address; country where the installation was performed (based on IP address); device manufacturer and model; platform type (iOS, Android, Mac, Windows, etc.) and operating system and version running on your system or device; language; CPU information such as model, number of CPUs present, frequency and instruction set support flags; graphics card type and vendor name; graphics card driver name and version (e.g. "nv4disp.dll 18.104.22.168"); which graphics API is used (e.g. "OpenGL 2.1" or "Direct3D 9.0c"); the amount of existing system and video RAM; the current screen resolution; the version of the Unity Editor used to create the game; sensor flags (e.g. device support for gyroscope, contact pressure or acceleration sensor); application or bundle identification ("App-ID") of the installed game; unique advertising identifiers for iOS and Android devices (e.g. IDFA or Android Ad ID); and a checksum of all sent data to ensure that it has been transmitted correctly.
In the event that personal data is transferred outside the European Economic Area (EEA) to countries with a level of data protection not considered adequate by the European Commission, we and Unity Technologies have taken appropriate measures, in particular the conclusion of standard contractual clauses, which are provided by the European Commission to protect your personal data. A copy of these measures can be obtained at DPO@unity3d.com.
You can opt-out of this data collection by Unity Technologies by clicking on the “Unity Data” button under the "Data Protection" item in the menu. You will then be forwarded to the Unity Technologies privacy settings. Pressing the "OPT-OUT" button will deactivate data collection by Unity Technologies.
More information on this can be found in Unity Technologies’ data policy as well as in the data protection FAQs.
7. Chargeable content
You can add paid content (“premium content”) to our online games. Should you wish to purchase premium content, you will be required to enter your payment details. We have commissioned the following service providers to process the following payment methods:
- for payment via Sofortüberweisung: Sofort GmbH, Theresienhöhe 12, DE-80339 Munich
- for payment via PayPal: PayPal (Europe) Sà r.l. et Cie, S.C.A, 22-24 Boulevard Royal, L-2449 Luxembourg
- for payment via Boku: Boku Payments Inc, 735 Battery Street, 2nd Floor, San Francisco, CA 94111, USA
- for payment via DaoPay: DaoPay GmbH, Hackhofergasse 5/14, AT-1190 Vienna, Austria
- for payment via Facebook: Facebook Payments International Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin, 2 Ireland
- for payment via Google Play: Google Payment Limited, Belgrave House, 76 Buckingham Palace Road, London SW1W 9TQ, UK
- for payment via Amazon: Amazon Media EU Sà r.l. (Société à responsabilité limitée), 5 Rue Plaetis, L-2338 Luxembourg
- for payment via Apple iTunes Store: Apple Distribution International, Hollyhill Industrial Estate, Hollyhill, Cork, Ireland
- for payment via Steam: Valve Corporation, 10500 NE 8th Street, Suite 1000, Bellevue, WA 98004-4345, USA
- for payment via Microsoft Store: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA
8. Chat with other players
8.1. Some of our online games may offer you the opportunity to chat directly with other players and friends. Chat logs are stored here as follows: There are three different types of chat: 1. Public chats at the gaming table, 2. Club chats and 3. Private chats between individual players. We create chat logs for chats of type 1. (public at the gaming table) and type 2. (club chat), but not for type 3. There is also automated recognition of expletives with no. 1 (public chats at the gaming table), which can result in a warning or temporary suspension for the player. The chat logs are automatically deleted within 30 days. The legal basis for processing the chat logs is Article 6(1)(1)(b) of the GDPR. In the event of legitimate interest (e.g. insults or other improper or punishable behaviour), we also store individual chats for longer. The legal basis is Article 6(1)(1)(f) of the GDPR. Our interest is in protecting our players from insulting and other inappropriate comments.
8.2. Messages sent via the “Private chat” function are only visible to the recipient you have selected. Messages sent via the “Club chat” function are only visible to the members of the respective club.
9. Google Analytics and Firebase
9.1. Google Analytics
Our apps use Google Analytics, an analytics service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Google Analytics uses technologies to analyse and improve our apps based on your user behaviour. The data resulting in this context can be transmitted by Google to a server in the USA for evaluation and stored there. In the event that personal data are transferred to the USA, Google has submitted to the EU-US Privacy Shield. However, your IP address is truncated before the usage statistics are evaluated, so no conclusions can be drawn about your identity. For this purpose, Google Analytics was extended in our apps by the code “anonymizeIP” in order to guarantee the anonymised collection of IP addresses.
Google will process the information obtained via the analyses in order to evaluate your use of the app, to compile reports on the activities for the app operators and to provide further services associated with the use of the app and the Internet. We use Google Analytics to analyse usage behaviour and for evaluation of the associated data in order to adapt our apps accordingly. The legal basis for this data processing is Article 6(1)(1)(f) of the GDPR.
You can configure our apps such that Google Analytics is not used. Use the “Tracking data” button in the data protection window of our app. This will prevent Google Analytics from collecting data on this app in the future (the opt-out only works on this particular device). If you wish to delete the data in our app, you must use this button again.
9.2. Google Analytics for Firebase
We also use the analytics service “Google Analytics for Firebase”, which is offered by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland, “Google”). It processes technical usage data (e.g. IP address of your device, installation data such as the app version and time of installation, information on the content and functions you use, information on clicks, duration of use and information on your device such as device model and operating system). The information is collected in pseudonymous form using so-called identifiers, e.g. in the form of the Apple Advertising ID or the Android Ad ID. Google will use this information for the purpose of evaluating your use of our websites and apps on our account, compiling statistical reports on general usage patterns for us and providing other services associated with use and internet usage for purposes of market research and tailoring our offerings to meet customer needs. As part of the reports, Google may also provide us with statistical data regarding the age structure of our users and other compiled demographic data. In the event that personal data is transferred to the USA, Google has submitted to the EU-US Privacy Shield.
The legal basis for this data processing is Article 6(1)(1)(f) of the GDPR.
You can configure our app such that Google Analytics for Firebase is not used. Use the “Tracking data” button in the data protection window of our app. This will prevent Google Analytics for Firebase from collecting data on this app in the future (the opt-out only works on this particular device). If you wish to delete the data in our app, you must use this button again.
10. Analysis via Adjust
To improve our apps, we use the services of “Adjust” (adjust GmbH, Saarbrücker Str. 38a, DE-10405 Berlin, Germany) for the apps on iOS and Android.
These processes take place anonymously or using pseudonyms, but never with direct association to a data subject. We would like to explain these technologies to you in more detail below. For this purpose, in addition to usage data, the following data may be processed: IP address, MAC address, mobile identifier depending on your mobile device such as iOS IDFA and IDFV, Android ID or Google Advertising ID (if Google Play services have been activated on your mobile device). The data will be transferred to an Adjust server where they are stored and evaluated. The corresponding results will be returned to us in anonymised form. Working with our partner Adjust, we use the information to tailor our advertising to you and your interests, to evaluate the effectiveness of our promotional campaigns and to better understand user behaviour after you have viewed a particular advertisement and then downloaded our mobile app. In addition, Adjust enables us to track certain events such as creating a user account, reaching 20 game rounds, completion of a purchase.
Further information about Adjust can be found at https://www.adjust.com/privacy-policy/ and at https://www.adjust.com/gdpr/.
You have the option to object to such analysis of your usage behaviour at any time by visiting the website https://www.adjust.com/opt-out/, selecting the terminal to which the objection applies and specifying the identifier of your mobile terminal (opt-out). Adjust will immediately terminate the corresponding usage tracking. If you have further questions about the opt-out, contact firstname.lastname@example.org or email@example.com. Alternatively, you can use the “Tracking data” button in the data protection window of our app. This will prevent Adjust collecting data within our app in the future (the opt-out only works on this particular device). If you wish to delete the data in our app, you must use this button again.
The legal basis is Article 6(1)(f) of the GDPR, based on our legitimate interest in the analysis of the usage behaviour to improve and further develop the app.
11. Facebook app events
For marketing purposes, our apps use so-called conversion and retargeting tags (also “Facebook Analytics” or “Facebook App Events”) from the social network Facebook, a service offered by Facebook Inc., 1601 Willow Road, Menlo Park, California 94025, USA (“Facebook”). We use Facebook Pixel to analyse the general use of our apps and to track the effectiveness of Facebook advertising (“conversion”). In addition, we use the Facebook pixels to show you individualised advertising messages based on your interest in our products (“retargeting”). For this, Facebook processes data that the service collects on our apps. However, data processing only takes place when the purchase process has begun at Spiele-Palast or a purchase has been completed.
The data resulting in this context can be transmitted by Facebook to a server in the USA for evaluation and stored there. In the event that personal data are transferred to the USA, Facebook has submitted to the EU-US Privacy Shield.
If you are a member of Facebook and Facebook has permitted it via your account’s privacy settings, Facebook may also link the information we collect from your visit to us to your member account and use it to target Facebook ads. You can view and change the privacy settings of your Facebook profile at any time. If you are not a member of Facebook, you can stop processing of your information by clicking the “Tracking data” button in the data protection window of our app. This will prevent Facebook App Events collecting data within our app in the future (the opt-out only works on this particular device). If you wish to delete the data in our app, you must use this button again.
If you disable data processing by Facebook, Facebook will only display general Facebook ads that are not selected based on the information collected about you.
More information on this can be found in Facebook’s data policy.
12. Recipient of the data
12.1. The data collected by us will only be transferred if this is necessary to fulfil the contract or for provision of the technical functionality of the apps or if there is another legal basis for transferring the data.
In addition, a transfer may occur in connection with official enquiries, court decisions and legal proceedings if required for legal prosecution or enforcement.
12.2. For the technical provision of our website, online games and backend systems we use server services (e.g. application hosting, database server) from Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg (“AWS”), which processes our data on our account. Data processing by AWS takes place in a computer centre within the EU. In exceptional cases, the parent company of AWS (Amazon Web Services, Inc. 410 Terry Avenue North Seattle WA 98109, USA) may also access the data for maintenance purposes. In the event that data has to be transferred to the USA, Amazon Web Services, Inc. has submitted to the EU-US Privacy Shield. In addition, Amazon Web Services, Inc. is contractually committed to us to provide an appropriate level of data protection in accordance with the EU standard contractual clauses.
Further information can be found in AWS’s data policy.
13. Newsletter
You have the opportunity to subscribe to our newsletter, in which we provide you with regular information about innovations to our products and campaigns.
You can subscribe to our newsletter by registering on our app by email and then confirming your email address in the welcome email. The welcome email will once again make separate reference to the newsletter. However, use of the games offered by Spiele-Palast does not require confirmation of the email address and therefore registration for the newsletter. You may unsubscribe from the newsletter at any time without incurring any costs other than the transmission costs in accordance with the basic tariffs. An “unsubscribe link” can be found in each newsletter. Notification via the contact data specified above or in the newsletter (e.g. by email or letter) is, of course, also sufficient. The legal basis for the processing is your consent as per Article 6(1)(a) of the GDPR.
In our newsletters we use commercially available technologies to measure interactions with the newsletters (e.g. opening of the email, clicked links). We use these data in pseudonymous form for general statistical evaluations as well as for the optimising and further development of our content and customer communication. This is done with the help of small graphics embedded in the newsletter (so-called pixels). The data are collected exclusively in pseudonymous form and are not associated in any way to your other personal data. The legal basis for this is our above-mentioned legitimate interest as per Article 6(1)(1)(f) of the GDPR. We want to use our newsletters to share content that is as relevant as possible to our customers and, as a result, to better understand what our readers are actually interested in. Should you not wish your usage behaviour to be analysed, you may unsubscribe from the newsletter or deactivate the graphics in your email program as standard. The data on the interaction with our newsletters are stored pseudonymously for 30 days and subsequently completely anonymised.
14. SendGrid as e-mail service provider
For the services on our app, we use the email delivery service provider “SendGrid” of SendGrid, Inc. (1801 California Street, Suite 500 Denver, Colorado 80202, USA). Two different types of emails are delivered using SendGrid. On the one hand, we use the service to send individual emails within the scope of contract performance (e.g. purchase confirmation, registration emails, password recovery emails). On the other hand, we also use the service to deliver our newsletter. In both cases, SendGrid receives the emails of the recipients from us. In some cases, it also receives additional data such as the player’s name or chip balance, as far as this is necessary for filling in placeholders in a newsletter. SendGrid acts as an email server and sends the information to the email addresses listed in the registration form. In the event that personal data are transferred to the USA, SendGrid has submitted to the EU-US Privacy Shield. The use of the SendGrid delivery service provider is based on our legitimate interests as per Article 6(1)(f) of the GDPR on the use of a user-friendly and secure newsletter system that serves both our business interests and the expectations of users.
More information on this can be found in the data protection policy from SendGrid and especially for the email delivery at https://sendgrid.com/policies/email/.
15. Storage period
In principle, we store personal data for only as long as is necessary to fulfil the contractual or statutory obligations for which we have collected the data. We then delete the data immediately, unless we need the data until the end of the statutory limitation period for purposes of evidence for civil claims or due to statutory retention obligations.
For evidence purposes, we must retain contract data for a further three years beyond the end of the year in which our business relationship with you is terminated. Any claims shall lapse after the statutory period of limitation at the earliest as of this date.
Even after that, we must still store some of your data for accounting reasons. We are obliged to do so on the basis of statutory documentation obligations that may arise from the German Commercial Code, the Fiscal Code of Germany, the German Banking Act, the German Money Laundering Act and the German Securities Trading Act. The periods specified therein for the retention of documents range from two to ten years.
Insofar as personal data is processed on the basis of legitimate interests pursuant to Article 6 (1) (f) of the GDPR, the personal data shall be deleted here at the latest when the legitimate interest in its processing no longer exists or the user requests the deletion of the data.
16. Your rights
You shall have the right to request information about our processing of your personal data at any time. Within the scope of providing information, we will explain the data processing and provide you with an overview of the data we have stored which relates to you. Should the data stored by us be incorrect or no longer up to date, you shall have the right to have these data corrected. You may also request that your data be deleted. If, in exceptional cases, deletion is not possible due to other legal regulations, the data shall be blocked such that they are only available for this statutory purpose. The processing of your data may also be restricted, for example if you believe that the data we have stored are incorrect. You also have the right to data portability, i.e. we will send you, on request, a digital copy of the personal data you have provided to us.
To exercise your rights as described here, you may contact us via the above contact details at any time. This shall also apply if you wish to receive copies of guarantees to prove an adequate level of data protection.
Finally, you shall have the right to complain to our data protection supervisory authority. You may exercise this right before a supervisory authority in the Member State in which you are resident or working, or in the location of the suspected infringement. In Berlin, the location of the registered office Spiele-Palast GmbH, the responsible supervisory authority is: Berlin Commissioner for Data Protection and Freedom of Information, Friedrichstr. 219, DE-10969 Berlin.
Right of revocation and objection
You have the right to revoke your consent at any time. The consequence of this is that we shall not continue processing data based on this consent in the future. The revocation of consent shall not affect the legality of the processing carried out on the basis of the consent prior to revocation.
Insofar as we process your data on the basis of legitimate interests, you shall have the right to object to the processing of your data at any time for reasons arising from your particular situation. Should you object to data processing for direct marketing purposes, you have a general right of objection, which we will implement without you giving any reasons.
Should you wish to utilise your right of revocation or objection, an informal communication to the above-mentioned contact data is sufficient.