1. Introduction
Welcome to Casual Game Studio ("we," "our," or "us"). We are committed to protecting your privacy and ensuring transparency about how we handle your personal information. This Privacy Policy explains our practices regarding the collection, use, disclosure, and protection of your information when you use our games, websites, and services.
This policy applies to all our games, websites, and services (collectively, "Services"). By using our Services, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
2.1 Information You Provide Directly
- Contact Information: When you contact us, we may collect your name, email address, and any other information you choose to provide.
- Account Information: If you create an account, we collect your username, email address, and password.
- Communication: We collect information when you communicate with us, including support requests and feedback.
2.2 Information Collected Automatically
- Device Information: Device type, operating system, unique device identifiers, and mobile network information.
- Game Data: Game progress, achievements, scores, and gameplay statistics.
- Usage Data: How you interact with our Services, including time spent, features used, and user preferences.
- Technical Data: IP address, browser type, language preferences, and referring URLs.
2.3 Information from Third Parties
- Social Media: If you connect through social media platforms, we may receive information from those platforms.
- Analytics Services: We use third-party analytics services that may collect information about your use of our Services.
- Advertising Partners: Information from advertising networks to provide relevant advertisements.
3. How We Use Your Information
We use the collected information for the following purposes:
3.1 Service Provision
- Provide, maintain, and improve our games and services
- Process transactions and manage your account
- Provide customer support and respond to inquiries
- Save your game progress and preferences
3.2 Communication
- Send you updates about our games and services
- Respond to your comments, questions, and requests
- Send administrative information and important notices
3.3 Improvement and Analytics
- Analyze usage patterns to improve our Services
- Conduct research and development
- Monitor and analyze trends and usage
3.4 Legal and Security
- Protect against fraud, abuse, and security threats
- Comply with legal obligations and enforce our terms
- Resolve disputes and enforce agreements
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds under the General Data Protection Regulation (GDPR):
4.1 Contract Performance (Article 6(1)(b) GDPR)
We process your personal data when necessary to perform our contract with you or to take steps at your request before entering into a contract. This includes:
- Creating and managing your game account
- Providing game services and features
- Processing in-app purchases (if applicable)
- Saving game progress and user preferences
- Providing customer support services
4.2 Legitimate Interests (Article 6(1)(f) GDPR)
We process your personal data based on our legitimate interests, which we have balanced against your rights and freedoms. Our legitimate interests include:
- Service Improvement: Analyzing usage patterns to enhance game performance and user experience
- Security and Fraud Prevention: Protecting our services and users from security threats, fraud, and abuse
- Business Operations: Managing our business, including analytics, research and development
- Marketing: Sending you information about our games and services (where you haven't opted out)
- Legal Claims: Establishing, exercising, or defending legal claims
You have the right to object to processing based on legitimate interests at any time.
4.3 Consent (Article 6(1)(a) GDPR)
We obtain your explicit consent for:
- Direct marketing communications via email
- Optional data collection for personalization features
- Cookies and similar technologies (where required by law)
- Sharing data with third parties for marketing purposes
You can withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
4.4 Legal Obligation (Article 6(1)(c) GDPR)
We process your personal data to comply with legal obligations, including:
- Responding to lawful requests from authorities
- Compliance with tax and accounting requirements
- Meeting regulatory reporting obligations
- Compliance with consumer protection laws
4.5 Vital Interests (Article 6(1)(d) GDPR)
In rare circumstances, we may process your personal data to protect your vital interests or those of another person, such as in emergency situations.
4.6 Public Task (Article 6(1)(e) GDPR)
This legal basis does not typically apply to our processing activities.
5. Information Sharing and Disclosure
We do not sell your personal information. We may share your information in the following circumstances:
5.1 Service Providers
We may share information with third-party service providers who help us operate our Services, such as:
- Cloud hosting and data storage providers
- Analytics and performance monitoring services
- Customer support platforms
- Payment processors (if applicable)
5.2 Legal Requirements
We may disclose information if required by law or in response to:
- Legal process, such as a court order or subpoena
- Government or regulatory requests
- Protecting our rights, property, or safety
- Preventing fraud or security threats
5.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the new entity.
6. Data Retention
We retain your information for as long as necessary to:
- Provide our Services and maintain your account
- Comply with legal obligations
- Resolve disputes and enforce agreements
- Achieve the purposes outlined in this policy
We will delete or anonymize your personal information when it is no longer needed, unless we are required to retain it by law.
7. Your Rights and Choices
7.1 Rights for EEA, UK, and Swiss Residents (GDPR)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under GDPR:
7.1.1 Right of Access (Article 15 GDPR)
You have the right to obtain from us confirmation as to whether or not personal data concerning you is being processed, and if so, access to the personal data and the following information:
- The purposes of the processing
- The categories of personal data concerned
- The recipients or categories of recipients to whom the personal data has been or will be disclosed
- The envisaged period for which the personal data will be stored
- The existence of your rights under GDPR
- The source of the data (if not collected directly from you)
- The existence of automated decision-making, including profiling
7.1.2 Right to Rectification (Article 16 GDPR)
You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. You also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
7.1.3 Right to Erasure ('Right to be Forgotten') (Article 17 GDPR)
You have the right to obtain from us the erasure of personal data concerning you without undue delay where one of the following grounds applies:
- The personal data is no longer necessary for the purposes for which it was collected
- You withdraw consent and there is no other legal ground for processing
- You object to the processing and there are no overriding legitimate grounds
- The personal data has been unlawfully processed
- The personal data must be erased for compliance with a legal obligation
- The personal data was collected in relation to the offer of information society services to a child
Note: This right does not apply where processing is necessary for compliance with a legal obligation, for the performance of a task carried out in the public interest, or for the establishment, exercise, or defense of legal claims.
7.1.4 Right to Restriction of Processing (Article 18 GDPR)
You have the right to obtain from us restriction of processing where one of the following applies:
- You contest the accuracy of the personal data (for a period enabling us to verify the accuracy)
- The processing is unlawful and you oppose the erasure of the personal data and request restriction instead
- We no longer need the personal data for processing, but you require it for legal claims
- You have objected to processing pending the verification of whether our legitimate grounds override yours
7.1.5 Right to Data Portability (Article 20 GDPR)
You have the right to receive the personal data concerning you in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller where:
- The processing is based on consent or on a contract
- The processing is carried out by automated means
We will provide the data in JSON or CSV format upon request.
7.1.6 Right to Object (Article 21 GDPR)
You have the right to object, on grounds relating to your particular situation, to processing of personal data concerning you which is based on legitimate interests. We shall no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms or for the establishment, exercise, or defense of legal claims.
Direct Marketing: You have the absolute right to object to the processing of your personal data for direct marketing purposes at any time.
7.1.7 Rights Related to Automated Decision-Making and Profiling (Article 22 GDPR)
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. Currently, we do not engage in automated decision-making that produces legal effects or similarly significantly affects you.
7.1.8 Right to Withdraw Consent
Where processing is based on consent, you have the right to withdraw consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
7.1.9 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement if you consider that the processing of personal data relating to you infringes GDPR.
EU Supervisory Authorities: A list of supervisory authorities is available at: https://edpb.europa.eu/about-edpb/board/members_en
7.2 How to Exercise Your Rights
To exercise any of your rights under GDPR, please contact us at luu.hui.ting@gmail.com with the following information:
- Your full name and email address
- The specific right you wish to exercise
- Sufficient information to allow us to identify you and locate your data
- Proof of identity (if requested for security purposes)
Response Time: We will respond to your request within one month of receipt. In complex cases, we may extend this period by up to two additional months, and we will inform you of any such extension within the first month.
Free of Charge: We will not charge a fee for exercising your rights unless your request is manifestly unfounded or excessive, particularly if it is repetitive.
7.3 General Access and Control
All users, regardless of location, have the right to:
- Access: Request information about the personal data we hold about you
- Rectification: Correct inaccurate or incomplete information
- Erasure: Request deletion of your personal information
- Portability: Receive your data in a structured, machine-readable format
- Restriction: Limit how we process your information
- Objection: Object to processing based on legitimate interests
7.4 Marketing Communications
You can opt out of marketing communications at any time by:
- Clicking the unsubscribe link in emails
- Contacting us directly
- Updating your account preferences
7.5 California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: Right to know what personal information we collect, use, disclose, and sell
- Right to Delete: Right to request deletion of personal information
- Right to Opt-Out: Right to opt out of the sale or sharing of personal information
- Right to Correct: Right to correct inaccurate personal information
- Right to Limit: Right to limit the use and disclosure of sensitive personal information
- Right to Non-Discrimination: Right to non-discrimination for exercising your privacy rights
- Right to Opt-Out of Automated Decision-Making: Right to opt out of automated decision-making technology
7.5.1 Categories of Personal Information We Collect (CCPA)
In the past 12 months, we have collected the following categories of personal information:
- Identifiers: Email addresses, usernames, device identifiers
- Internet Activity: Browsing history, search history, interaction with websites/apps
- Geolocation Data: General location information
- Inferences: Preferences and characteristics derived from your activity
7.5.2 Sources of Personal Information
- Directly from you (account creation, contact forms)
- Automatically from your device (usage data, analytics)
- From third parties (social media platforms, advertising partners)
7.5.3 Business Purposes for Collection
- Providing and maintaining our services
- Customer support and communication
- Security and fraud prevention
- Analytics and service improvement
- Marketing and advertising (with consent)
7.5.4 Sale and Sharing of Personal Information
We do not sell your personal information for monetary consideration. However, under the broad CCPA definition, some data sharing with advertising partners may be considered a "sale" or "sharing." You can opt out of this by contacting us.
7.6 Virginia Privacy Rights (VCDPA)
If you are a Virginia resident, you have rights under the Virginia Consumer Data Protection Act (VCDPA):
- Right to access personal data
- Right to correct inaccuracies in personal data
- Right to delete personal data
- Right to obtain a copy of personal data
- Right to opt out of targeted advertising
- Right to opt out of the sale of personal data
- Right to opt out of profiling for decisions with legal effects
7.7 Colorado Privacy Rights (CPA)
If you are a Colorado resident, you have rights under the Colorado Privacy Act (CPA):
- Right to access personal data
- Right to correct inaccuracies in personal data
- Right to delete personal data
- Right to data portability
- Right to opt out of targeted advertising
- Right to opt out of the sale of personal data
- Right to opt out of profiling for decisions with legal effects
7.8 Connecticut Privacy Rights (CTDPA)
If you are a Connecticut resident, you have rights under the Connecticut Data Privacy Act (CTDPA):
- Right to access personal data
- Right to correct inaccuracies in personal data
- Right to delete personal data
- Right to data portability
- Right to opt out of targeted advertising
- Right to opt out of the sale of personal data
- Right to opt out of profiling for decisions with legal effects
7.9 Canadian Privacy Rights (PIPEDA)
If you are a Canadian resident, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA):
- Right to know what personal information we collect and how it's used
- Right to access your personal information
- Right to correct errors in your personal information
- Right to withdraw consent for collection, use, or disclosure
- Right to file a complaint with the Privacy Commissioner of Canada
7.10 Brazilian Privacy Rights (LGPD)
If you are a Brazilian resident, you have rights under the Lei Geral de Proteção de Dados (LGPD):
- Access: Confirmation of processing and access to data
- Correction: Correction of incomplete, inaccurate, or outdated data
- Anonymization: Anonymization, blocking, or deletion of unnecessary data
- Portability: Portability of data to another service provider
- Deletion: Deletion of data processed with consent
- Information: Information about public and private entities with whom data is shared
- Consent Withdrawal: Withdrawal of consent
- Opposition: Opposition to processing not complying with LGPD
7.11 Singapore Privacy Rights (PDPA)
If you are a Singapore resident, you have rights under the Personal Data Protection Act (PDPA):
- Right to access your personal data
- Right to correct your personal data
- Right to withdraw consent for collection, use, or disclosure
- Right to request limitation of processing
- Right to file a complaint with the Personal Data Protection Commission
7.12 Australian Privacy Rights
If you are an Australian resident, you have rights under the Privacy Act 1988:
- Right to access your personal information
- Right to correct your personal information
- Right to make a complaint about privacy breaches
- Right to request deletion of personal information in certain circumstances
- Right to file a complaint with the Office of the Australian Information Commissioner
7.13 South African Privacy Rights (POPIA)
If you are a South African resident, you have rights under the Protection of Personal Information Act (POPIA):
- Right to access your personal information
- Right to correct or delete personal information
- Right to object to processing
- Right to request records of third parties with access to your information
- Right to file a complaint with the Information Regulator
7.14 Japanese Privacy Rights
If you are a Japanese resident, you have rights under the Act on Protection of Personal Information (APPI):
- Right to disclosure of personal information
- Right to correction, addition, or deletion of personal information
- Right to suspension of use or deletion of personal information
- Right to suspension of provision to third parties
- Right to file a complaint with the Personal Information Protection Commission
8. Children's Privacy
8.1 Age Restrictions
Our Services have different age restrictions depending on your location:
- United States: Not intended for children under 13 (COPPA compliance)
- European Union/EEA/UK: Not intended for children under 16 without parental consent (GDPR compliance)
- Other jurisdictions: We comply with local age requirements
8.2 Parental Consent
Where required by law, we obtain verifiable parental consent before collecting personal information from children. Parents may:
- Review their child's personal information
- Request deletion of their child's personal information
- Refuse to permit further collection or use of their child's information
- Withdraw consent at any time
8.3 Limited Data Collection from Children
When we collect information from children (with appropriate consent), we:
- Collect only the minimum information necessary
- Do not condition participation on disclosure of more information than necessary
- Provide clear notice to parents about our information practices
- Implement additional security measures for children's data
8.4 Parental Rights and Controls
Parents and guardians can contact us at luu.hui.ting@gmail.com to:
- Access their child's personal information
- Correct or delete their child's personal information
- Withdraw consent for collection and use
- Request that we stop further collection from their child
8.5 School and Educational Context
If our services are used in an educational context, we may rely on schools to obtain appropriate consent from parents. We work with schools to ensure compliance with applicable laws including FERPA (Family Educational Rights and Privacy Act) in the United States.
9. International Data Transfers
Your personal data may be transferred to, stored, and processed in countries other than your country of residence. These countries may have different data protection laws than your country.
9.1 Transfers from the EEA, UK, and Switzerland
When we transfer your personal data outside the European Economic Area (EEA), United Kingdom, or Switzerland, we ensure an adequate level of protection for your personal data by implementing appropriate safeguards:
9.1.1 Adequacy Decisions
We may transfer your data to countries that have been deemed by the European Commission to provide an adequate level of data protection. Currently, these include:
- Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, United Kingdom, Uruguay
- United States (organizations certified under the EU-U.S. Data Privacy Framework)
9.1.2 Standard Contractual Clauses (SCCs)
For transfers to countries without an adequacy decision, we use Standard Contractual Clauses approved by the European Commission. These are contractual commitments between companies transferring personal data, binding them to protect the privacy and security of your data.
9.1.3 Additional Safeguards
Where appropriate, we implement additional technical and organizational measures to ensure the security of your data, including:
- Encryption of data in transit and at rest
- Pseudonymization and anonymization techniques
- Access controls and authentication measures
- Regular security assessments of our service providers
9.2 Your Rights Regarding International Transfers
You have the right to:
- Obtain information about the safeguards we have in place for international transfers
- Request a copy of the safeguards (where this won't compromise security or intellectual property)
- Object to transfers in certain circumstances
9.3 Specific Transfer Scenarios
We may transfer your data internationally in the following scenarios:
- Cloud Storage: We use cloud service providers that may store data in multiple jurisdictions
- Customer Support: Our support team may be located in different countries
- Analytics: We use analytics services that may process data globally
- Security: Security monitoring services may operate from various locations
10. Security and Data Breach Notification
10.1 Security Measures
We implement comprehensive technical and organizational measures to protect your information:
10.1.1 Technical Safeguards
- Encryption: AES-256 encryption for data at rest, TLS 1.3 for data in transit
- Access Controls: Multi-factor authentication, role-based access control
- Network Security: Firewalls, intrusion detection systems, DDoS protection
- Data Backup: Regular encrypted backups with geographic distribution
- Vulnerability Management: Regular security scans and penetration testing
- Secure Development: Security-by-design principles in software development
10.1.2 Organizational Safeguards
- Employee Training: Regular privacy and security training for all staff
- Background Checks: Security clearance for personnel with data access
- Incident Response: Documented procedures for security incidents
- Vendor Management: Security assessments of third-party service providers
- Policy Framework: Comprehensive information security policies
- Audit and Monitoring: Regular security audits and continuous monitoring
10.2 Data Breach Notification
In the event of a personal data breach, we will:
10.2.1 Regulatory Notification
- GDPR: Notify supervisory authorities within 72 hours if the breach poses a risk
- State Laws: Comply with applicable state breach notification laws
- Sector-Specific: Follow industry-specific notification requirements
10.2.2 Individual Notification
We will notify affected individuals without undue delay when a breach is likely to result in a high risk to their rights and freedoms. Notifications will include:
- Nature of the personal data breach
- Categories and approximate number of individuals affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Contact information for further information
- Recommendations for individuals to protect themselves
10.2.3 Breach Response Process
- Detection and Assessment: Immediate investigation and risk assessment
- Containment: Steps to prevent further unauthorized access
- Notification: Regulatory and individual notifications as required
- Investigation: Root cause analysis and impact assessment
- Remediation: Corrective actions and system improvements
- Documentation: Comprehensive record-keeping of the incident
10.3 Security Limitations
While we implement industry-standard security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we continuously work to improve our security posture.
11. Cookies and Similar Technologies
11.1 What Are Cookies
Cookies are small text files that are placed on your device when you visit our website or use our services. We also use similar technologies such as web beacons, pixels, and local storage.
11.2 Types of Cookies We Use
11.2.1 Strictly Necessary Cookies
These cookies are essential for the operation of our website and services. They enable basic functions such as page navigation and access to secure areas. The website cannot function properly without these cookies.
- Session management cookies
- Security cookies
- Load balancing cookies
11.2.2 Performance and Analytics Cookies
These cookies help us understand how visitors interact with our website by collecting and reporting information anonymously.
- Google Analytics cookies
- Usage statistics cookies
- Performance monitoring cookies
11.2.3 Functional Cookies
These cookies enable enhanced functionality and personalization, such as remembering your preferences and settings.
- Language preference cookies
- User interface customization cookies
- Game settings cookies
11.2.4 Marketing and Advertising Cookies
These cookies are used to deliver advertisements that are relevant to you and your interests. They may also be used to limit the number of times you see an advertisement and measure the effectiveness of advertising campaigns.
11.3 Cookie Consent and Management
We obtain your consent before placing non-essential cookies on your device, as required by applicable law. You can manage your cookie preferences through:
- Our cookie consent banner (when you first visit our website)
- Your browser settings
- Third-party opt-out tools
11.4 Browser Settings
Most web browsers allow you to control cookies through their settings preferences. However, if you limit the ability of websites to set cookies, you may impact your overall user experience.
11.5 Third-Party Cookies
Some cookies on our website are set by third-party services. We have no control over these cookies, and you should check the relevant third party's website for more information about their cookies and how to manage them.
12. Artificial Intelligence and Automated Decision-Making
12.1 Use of AI Technologies
We may use artificial intelligence and machine learning technologies to:
- Game Personalization: Customize game difficulty and content recommendations
- Customer Support: Provide automated responses and chatbot assistance
- Analytics: Analyze usage patterns and improve user experience
- Security: Detect fraud, abuse, and security threats
- Content Moderation: Automatically review user-generated content
12.2 Automated Decision-Making
We may use automated decision-making processes, including:
- Account Security: Automatic suspension for suspected fraud or abuse
- Content Filtering: Automatic removal of inappropriate content
- Personalization: Automated recommendations based on preferences
- Marketing: Targeted advertising based on interests and behavior
12.3 Your Rights Regarding Automated Decisions
You have the right to:
- Be Informed: Know when automated decision-making is used
- Human Review: Request human intervention for significant automated decisions
- Challenge Decisions: Contest automated decisions that affect you
- Explanation: Receive meaningful information about the logic involved
- Opt-Out: Object to automated decision-making in certain circumstances
12.4 AI Training and Data Use
We may use aggregated and anonymized data to train and improve our AI systems. This includes:
- Gameplay patterns for game balancing
- User interaction data for interface improvements
- Support conversations for chatbot training (with personal identifiers removed)
- Usage statistics for recommendation algorithms
13. Biometric Data and Sensitive Information
13.1 Biometric Data
Currently, we do not collect biometric data (fingerprints, facial recognition, voice prints, etc.). If we introduce biometric features in the future, we will:
- Obtain explicit consent before collecting biometric data
- Provide clear notice about the purpose and duration of storage
- Implement enhanced security measures for biometric data
- Comply with applicable biometric privacy laws (BIPA, GDPR, etc.)
- Provide options to use alternative authentication methods
13.2 Sensitive Personal Information
We generally do not collect sensitive personal information such as:
- Health or medical information
- Financial account numbers
- Government identification numbers (except as required by law)
- Precise geolocation data
- Racial or ethnic origin
- Religious or philosophical beliefs
- Political opinions
- Trade union membership
- Sexual orientation or sex life
13.3 Special Category Data (GDPR)
If we process special category data under GDPR, we will:
- Obtain explicit consent or rely on another lawful basis
- Implement additional security measures
- Conduct Data Protection Impact Assessments
- Provide enhanced rights and protections
14. Third-Party Services and Integrations
Our Services may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you use.
14.1 Third-Party Service Providers
We work with the following categories of third-party service providers:
- Analytics Providers: Google Analytics, Firebase Analytics
- Cloud Services: Amazon Web Services, Google Cloud Platform
- Customer Support: Support ticket systems and live chat services
- Payment Processors: Stripe, PayPal (if applicable)
- Advertising Networks: Google AdMob, Facebook Audience Network (if applicable)
- Content Delivery: CDN providers for faster content delivery
- Security Services: DDoS protection and security monitoring
14.2 Data Processing Agreements
We enter into data processing agreements with our service providers that include:
- Restrictions on data use and processing
- Security and confidentiality requirements
- Data breach notification obligations
- Rights to audit and monitor compliance
- Data deletion and return requirements
14.3 Social Media Integration
Our services may integrate with social media platforms. When you interact with these features:
- The social media company may collect information about you
- Your interactions may be visible to your social media connections
- Social media privacy policies govern their data practices
- You can control social media sharing through platform settings
14.4 Third-Party Analytics and Advertising
Third-party analytics and advertising services may collect information through:
- Cookies and Tracking Technologies: Web beacons, pixels, SDKs
- Device Information: Device type, OS, unique identifiers
- Usage Data: App usage, website interactions, ad engagement
- Location Data: General location for targeted advertising
You can opt out of interest-based advertising through:
15. Data Protection Impact Assessments (DPIA)
15.1 When We Conduct DPIAs
We conduct Data Protection Impact Assessments when processing is likely to result in high risk to individuals, including:
- Systematic and extensive evaluation of personal aspects based on automated processing
- Processing of special category data on a large scale
- Systematic monitoring of publicly accessible areas on a large scale
- Use of new technologies or innovative applications
- Processing that may result in high risk to rights and freedoms
15.2 DPIA Process
Our DPIA process includes:
- Description: Detailed description of processing operations and purposes
- Necessity Assessment: Evaluation of necessity and proportionality
- Risk Assessment: Identification and assessment of risks to individuals
- Mitigation Measures: Measures to address identified risks
- Consultation: Consultation with stakeholders and data subjects where appropriate
- Review: Regular review and updating of assessments
15.3 Prior Consultation
If a DPIA indicates high risk that cannot be mitigated, we will consult with the relevant supervisory authority before beginning processing.
16. Records of Processing Activities
16.1 Processing Records
We maintain records of our processing activities including:
- Name and contact details of the controller and DPO
- Purposes of processing
- Categories of data subjects and personal data
- Categories of recipients of personal data
- International transfers and safeguards
- Retention periods
- Technical and organizational security measures
16.2 Record Availability
These records are available to supervisory authorities upon request and form the basis of our accountability under GDPR and other privacy laws.
17. Updates to This Policy
17.1 Policy Updates
We may update this Privacy Policy from time to time to reflect:
- Changes in our data processing practices
- New legal requirements or regulatory guidance
- Technological developments
- Changes to our services or business operations
- Feedback from users or supervisory authorities
17.2 Notification of Changes
When we make changes, we will:
- Post the updated policy on our website
- Update the "Last Updated" date
- Notify you of significant changes via email or in-app notification
- Provide a summary of key changes where appropriate
- Allow a reasonable period for review before changes take effect
17.3 Material Changes
For material changes that significantly affect your rights or how we process your data, we may:
- Seek renewed consent where required
- Provide additional notice and explanation
- Offer opt-out options where legally permissible
- Conduct additional privacy impact assessments
17.4 Acceptance
Your continued use of our Services after any changes constitutes acceptance of the updated policy. If you do not agree with the changes, you may discontinue use of our Services and request deletion of your data.
18. Contact Us
19. Definitions and Glossary
19.1 Key Terms
- Personal Information/Personal Data: Information that identifies, relates to, describes, or could reasonably be linked with you or your household.
- Processing: Any operation performed on personal information, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
- Controller: The entity that determines the purposes and means of processing personal data.
- Processor: The entity that processes personal data on behalf of the controller.
- Data Subject: The individual to whom personal data relates.
- Consent: Freely given, specific, informed, and unambiguous indication of agreement to processing.
- Services: Our games, websites, mobile applications, and related services.
- Third Party: Any individual or entity other than you or us.
19.2 Legal Frameworks
- GDPR: General Data Protection Regulation (EU) 2016/679
- UK GDPR: UK General Data Protection Regulation
- CCPA: California Consumer Privacy Act
- CPRA: California Privacy Rights Act
- PIPEDA: Personal Information Protection and Electronic Documents Act (Canada)
- LGPD: Lei Geral de Proteção de Dados (Brazil)
- PDPA: Personal Data Protection Act (Singapore)
- POPIA: Protection of Personal Information Act (South Africa)
- COPPA: Children's Online Privacy Protection Act (US)
- FERPA: Family Educational Rights and Privacy Act (US)
19.3 Technical Terms
- Cookies: Small text files stored on your device by websites
- Encryption: Process of converting data into a coded format to prevent unauthorized access
- Anonymization: Process of removing personal identifiers from data
- Pseudonymization: Process of replacing identifying information with artificial identifiers
- Data Breach: Unauthorized access, disclosure, or loss of personal data
- Cross-Border Transfer: Transfer of personal data from one country to another
- Automated Decision-Making: Decision-making by technological means without human involvement
- Profiling: Automated processing to evaluate personal aspects about an individual
This Comprehensive Global Privacy Policy (Version 3.0) is effective as of December 24, 2024.
This policy provides comprehensive compliance with global privacy regulations including:
- 🇪🇺 GDPR (European Union General Data Protection Regulation)
- 🇬🇧 UK GDPR (United Kingdom General Data Protection Regulation)
- 🇨🇭 Swiss DPA (Swiss Data Protection Act)
- 🇺🇸 CCPA/CPRA (California Consumer Privacy Act & Privacy Rights Act)
- 🇺🇸 VCDPA, CPA, CTDPA (Virginia, Colorado, Connecticut Privacy Acts)
- 🇨🇦 PIPEDA (Personal Information Protection and Electronic Documents Act)
- 🇧🇷 LGPD (Lei Geral de Proteção de Dados)
- 🇸🇬 PDPA (Personal Data Protection Act)
- 🇦🇺 Privacy Act 1988 (Australian Privacy Principles)
- 🇿🇦 POPIA (Protection of Personal Information Act)
- 🇯🇵 APPI (Act on Protection of Personal Information)
- 🇺🇸 COPPA (Children's Online Privacy Protection Act)
Key Enhancements in Version 3.0:
- ✅ Comprehensive coverage of 12+ global privacy laws
- ✅ Detailed AI and automated decision-making policies
- ✅ Enhanced data breach notification procedures
- ✅ Biometric data and sensitive information protections
- ✅ Expanded children's privacy safeguards
- ✅ Data Protection Impact Assessment (DPIA) framework
- ✅ Detailed processing records and accountability measures
- ✅ Advanced security and technical safeguards
Contact Information: For any questions about this Privacy Policy, please contact us at luu.hui.ting@gmail.com
Legal Compliance: This policy has been designed to meet or exceed the requirements of the world's most stringent privacy regulations, ensuring your data is protected regardless of your location.