Privacy Policy for website sviper.com, superspellheroes.com (“Website”) and App Super Spell Heroes (“App”)

 I. Name and address of controller and Data protection officer

The controller within the meaning of the General Data Protection Regulation (hereinafter “GDPR”) and other national data protection laws of EU countries and other data protection laws is:

Controller

Sviper GmbH
legal representative: Ole Schaper, CEO

Schanzenstr. 12b
20357 Hamburg

support@sviper.com

Fax +494035674960

Data protection officer

Dr. Christian Rauda
board-certified specialist in information technology law

GRAEF Rechtsanwälte Digital PartG mbB
Jungfrauenthal 8
20149 Hamburg
E-Mail: dpo@sviper.com
Website: www.graef.eu

II. General information about data processing

1. Extent of processing personal data

We will generally collect and use personal data of our users only if and to the extent necessary to make available a functional website and/or to provide our content and services. Personal data of our users generally will be collected and/or used only with the prior consent of the user. An exception applies in cases where obtaining prior consent is practically impossible and where data processing is permitted by applicable law. The types of data we process are as follows:

Website:

  • user data (e.g., visited websites, interest in content, access times)
  • meta/communication data (e.g., device information, IP addresses).

App:

  • usage data (e.g. session times, purchases, interest in content, access times)
  • meta/communication data (e.g., device information, IP addresses)

2. Legal basis for processing personal data

If we obtain the consent of a data subject for processing personal data, the legal basis for processing such personal data is Art. 6 para. 1 lit. a) EU General Data Protection Regulation (hereinafter “GDPR”). If we process personal data that are necessary to perform a contract to which the data subject is a party, the legal basis for processing such personal data is Art. 6 para. 1 b) GDPR. The same applies if processing personal data is necessary to perform pre-contractual measures. If processing personal data is necessary to perform a legal obligation of our company, the legal basis for such data processing is Art. 6 para. 1 lit. c) GDPR. If processing personal data is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights and fundamental freedoms of the data subject do not outweigh that legitimate interest, the legal basis for such data processing is Art. 6 para. 1 lit. f) GDPR.

3. Erasure of data and duration of data storage

Personal data of a data subject will be erased or blocked as soon as they are no longer needed for the purposes for which they are stored. Data may also be blocked if provided for by EU or national regulations, laws, or other provisions to which the controller is subject. Data will also be blocked or erased if recordkeeping obligations under the aforementioned norms expire, unless continued storage of such data is necessary to enter into or perform a contract.

III. Making available the Website and creating log files

1. Description and extent of data processing

When our Website is accessed, our system will automatically collect data and information from the computer system of the terminal device accessing the Website.

In this connection the following data will be collected for a limited time period:

(1) visited website

(2) quantity of data transmitted

(3) information about the type and version of the browser used,

(4) the operating system of the user,

(5) the IP address of the user,

(6) the date and time of access, and

(7) the websites from which the system of the user arrived on our Website

Such data will be stored in log files of our system. Such data are needed only to analyze any malfunctions and will be erased at the latest within seven days. The legal basis for temporarily storing data in log files is Art. 6 para. 1 lit. f) GDPR. Temporary storage of the IP address for the system is necessary for making the Website available to the terminal device of the user. For this purpose the IP address of the user must be stored for the duration of the session. Data are stored in log files to ensure the functionality of our Website. In addition, such data are used to optimize the Website and to ensure the security of our IT systems. Data will not be analyzed for marketing purposes in this connection, and we will draw no inferences as to your identity. The aforementioned purposes also provide the basis of our legitimate interest in data processing within the meaning of Art. 6 para. 1 lit. f) GDPR. Collecting data to make available the Website and storing data in log files is necessary for operating the Website. Consequently, users have no right to object to the collection or use of such data for the aforementioned purposes.

2. Online presence in social media

We maintain an online presence on social networks and platforms to communicate with clients, interested parties, and users who are active on those networks, and to be able to inform clients, interested parties, and users of our services.

Our Website therefore links to the website of Facebook, operated by Meta Platforms Inc., 1 Hacker Way, Menlo Park, CA 94025, U.S.A., or, if you reside in the EU, Mate Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, (“Facebook”). Otherwise no data are exchanged with Facebook on our Website.

We also link to the website of LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (hereinafter “LinkedIn”). Otherwise no data are exchanged with LinkedIn on our Website.

When you access the aforementioned networks or platforms, the terms and conditions and data processing policies of the companies that operate those networks or platforms will apply. Unless otherwise provided in our data privacy policy, we will process data of users if they communicate with us through social networks or platforms, e.g., if they post on our Facebook pages, or send us messages.

3. Google and Youtube

We use Google Fonts and Google ReCaptcha on this website. These are the “Google Fonts” of the company Google Inc. and a test to exclude robot programs (bots) from website use. For the European area, the company Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all Google services. When visiting our website, the fonts are reloaded via a Google server using Google Fonts and any bots are excluded via Google ReCaptcha. Through these external calls, data such as the IP address of the user is transmitted to the Google servers, including in the USA. The legal basis for the data processing for Google Fonts and Google ReCaptcha is our overriding legitimate interest in the appealing presentation, security and simple functionality of our website in accordance with Art. 6 (1) lit. f) DSGVO. Google processes the data in the USA on the basis of EU standard contractual clauses and thus provides sufficient guarantees within the meaning of Art. 46 para. 1, para. 2 lit. c) DSGVO. For more information on data usage by Google, setting and objection options, please visit Google’s websites: https://www.google.com/intl/de/policies/privacy/partners

Our Website incorporates videos from YouTube. YouTube is operated by Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

Once you launch a YouTube video through the Website, a connection is established to the YouTube servers. This tells the YouTube server which of our pages you have visited. If you are logged in to your YouTube account, you allow YouTube to associate your surfing behaviour directly with your personal profile. You can prevent this by logging out of your YouTube account.

Furthermore, YouTube can store various cookies on your device after starting a video. With the help of these cookies, YouTube can obtain information about visitors to the Website. This information is used, among other things, to gather video statistics, improve the user experience and prevent fraud. The cookies remain on your terminal device until you delete them. The information generated by a cookie about the use of the website by the user is usually transferred to a server of Google LLC in the USA and stored there. Google processes the data in the USA on the basis of EU standard contract clauses and thus offers sufficient guarantees within the meaning of Art. 46 para. 1, para. 2 lit. c) GDPR.

After the start of a YouTube video, it is possible that further data processing processes may be triggered, over which we have no influence. The use of YouTube is based on your consent to YouTube (e.g. consent to the storage of cookies), Art. 6 para. 1 lit. a GDPR. Further information about data protection at YouTube can be found in their privacy policy at: https://policies.google.com/privacy?hl=de

IV. Making available and using the App

Description and extent of data processing

As part of the provision of the app, we store and process the data records necessary for the operation of the app. For this purpose we also store data in logs when using the app. Logs represent protocols of certain technical contents.

In this connection the following data will be collected for a limited time period:

(1) the date and time of access

(2) information about the type and version of the used hardware,

(3) the operating system of the user,

(4) the IP address of the user,

(5), information about in-game actions

(6) information about game progress

(7) purchases

Such data will be stored in log files of our system. Such data are needed only to analyze any malfunctions and will be erased at the latest within seven days. The legal basis for temporarily storing data in log files is Art. 6 para. 1 lit. f) GDPR. Temporary storage of the IP address for the system is necessary for making the Website available to the terminal device of the user. For this purpose the IP address of the user must be stored for the duration of the session. Data are stored in log files to ensure the functionality of our Website. In addition, such data are used to optimize the Website and to ensure the security of our IT systems. Data will not be analyzed for marketing purposes in this connection, and we will draw no inferences as to your identity. The aforementioned purposes also provide the basis of our legitimate interest in data processing within the meaning of Art. 6 para. 1 lit. f) GDPR. Collecting data to make available the Website and storing data in log files is necessary for operating the Website. Consequently, users have no right to object to the collection or use of such data for the aforementioned purposes.

2. Social Media

In our apps we use the “Software Developer KIT” (SDK) of the social network Facebook, 1601 South California Avenue, Palo Alto, CA 94304, USA. So-called tracking pixels are integrated in the App. When you use our App, the SDK establishes a direct connection between your browser or mobile device and the Facebook server.

Facebook thus receives information from your device, among other things, that our App has been accessed by your terminal device. If you are a Facebook user, Facebook can assign the visit to App to your user account. We would like to point out that, as the provider of the App, we do not have any knowledge of the content of the data transmitted or its use by Facebook. We can only select which segments of Facebook users (such as age, interests) our advertising should be displayed.

Facebook can also recognize whether a Facebook ad was successful, e.g. whether it led to an online purchase. This allows us to measure the effectiveness of Facebook ads for statistical and market research purposes.

We use a method of working in which no data records, in particular no e-mail addresses of our users – neither encrypted nor unencrypted – are transmitted to Facebook.

We use the data collected in the Facebook analysis tool “Facebook Analytics” to optimize our apps.

Further information on this can be found in Facebook’s privacy policy at https://www.facebook.com/about/privacy/. Please click here if you do not want data to be collected via Facebook pixels: https://www.facebook.com/settings?tab=ads#_= Alternatively, you can disable Facebook pixel on the Digital Advertising Alliance page at http://www.aboutads.info/choices/.

3. Login via Facebook Connect

You may log in to our services via Facebook Connect, a service of Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA or, if you reside in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). If you use Facebook Connect, an additional registration is not necessary. To log in, you are redirected to the Facebook website where you can log in with your user data. This links your Facebook profile and our service. Through the link, we automatically receive information from Facebook. The following information is transferred to us: Facebook ID.

This information is mandatory for the conclusion of the contract in order to identify you. Further information on Facebook and privacy settings can be found in the data protection guidelines at: https://www.facebook.com/about/privacy/update.

4. Support form

a) Description and scope of data processing

In our App you may contact us via the in-app contact form. You will be transferred to a website hosted by our partner Zendesk Inc., 1019 Market St, San Francisco, CA 94103, USA.

b) The Legal Basis for Data Processing

The legal basis for processing the data if the user’s consent has been obtained is Art. 6 para. 1 lit. a) GDPR.

Legal basis for the processing of data which is collected in the course of the transmission of an email is Art. 6 para. 1 lit. f), GDPR. If the email contact is aimed at the conclusion of a contract, the additional legal basis for the processing is Art. 6 para. 1 lit. b) GDPR.

c) The Purpose of Data Processing

We only use personal data provided on contact forms for processing of contact. If you contact us by email, processing also occurs in the necessary legitimate interest in the processing of the data.

Other personal data processed during the sending process are used to prevent misuse of the contact form and to ensure security of our information technology systems.

Other personal data processed during the sending process are used to prevent misuse of the contact form and to ensure security of our information technology systems.

The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. For the purpose of fighting fraud and improving support, the data is stored for six months.

d) Objection and removal option

The user has the possibility at any time to withdraw his consent to the processing of personal data. If the user contacts us, he can revoke consent to the storage of his personal data at any time. In such a case, it will not be possible to continue saving data. In this case, all personal data stored when establishing contact with us shall be deleted.

Zendesk is certified under the Privacy Shield Agreement, which provides a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000TOjeAAG&status=Active).

5. Analytics

a) Adjust

We use the mobile tracking technology of adjust GmbH, Saarbrücker St. 38a, 10405 Berlin, Germany (“Adjust”) to collect statistical data about your use of our services in order to continually improve them. When you use our apps, your device sends us information that we collect and analyze. We collect the following: IP address that is immediately anonymized, MAC address, anonymized device ID (Identifier For Advertisers – IDFA or Google Advertiser ID – GAID), language, time and date of access, statistical information about the use of our services. There are no direct personal identifiers. The data collected in this way is used to create anonymous user profiles. The data collected with the tracking technology will not be used to personally identify the visitor of these websites without the express consent of the person concerned. For more information, please refer to the Adjust data protection policy at: https://www.adjust.com/privacy-policy.

 

The legal basis for this processing is Art. 6(1)(f) GDPR. We have entered into a data processing agreement with Adjust.

The purpose is to improve your user experience with our services and to make our offer more attractive to you. In addition, the data collected is used to analyze the performance of marketing campaigns and generate performance reports.

 

The data will be retained by us for the duration of use of the service and by Adjust for 28 days.

Data collection and storage can be halted at any time with future effect by configuring your mobile device.

Android: Open the settings in your app list and tap on the “Ad” button. Once you have opened the ad window, you can disable the Google Advertising ID.

iOS: Open the settings on your mobile end device (e.g. iPhone or iPad) and select the menu option “Data protection”. Under the option “Advertising”, you can switch off the ad tracking.

6. Marketing-Services

We cooperate with companies that connect advertisers to us that want to host advertisements in our App.

a) The Legal Basis for Data Processing

The legal basis for processing the personal data using ad-networks is analysis, optimization and economical operation of our App within the meaning of Art. 6 par. 1 lit. f) GDPR.

b) The Purpose of Data Processing

We may include third-party advertisements based on marketing services.

c) Services:

AdMob is a mobile application advertising platform operated by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. It’s used to promote our App and to help advertisers enabling in-app advertising. AdMob also works with Google Analytics to help us to get information about our App’s usage and its effectiveness for any advertising campaigns.

For further information on data usage by Google, setting and blocking options, please see the Google websites: https://www.google.com/intl/de/policies/privacy/partners (“How Google uses information from sites or apps that use our services”)  https://www.google.com/policies/technologies/ads (“Use of data for advertising purposes”  https://www.google.com/settings/ads (“Control the information Google uses to show you ads”).

If you wish to object to interest-based advertising by Google marketing services, you can use the setting and opt-out options provided by Google: https://www.google.com/ads/preferences.

AppLovin is a mobile marketing service of the AppLovin Corporation, Palo Alto, California, USA, that provides us with a platform to deliver advertising to our consumers. Their technology enables us to show mobile application users more relevant advertising that is based on users’ interest in applications. In order to provide these services, AppLovin collects and uses certain information about user activity in mobile applications.

AppLovin is certified under the Privacy Shield Agreement, which provides a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000TNsVAAW&status=Active).

The AppLovin Privacy Policy https://www.applovin.com/privacy/ explains how AppLovin collects, uses, and shares information through their advertising platform and their corporate website at www.applovin.com, as well as your choices related to that information.

IronSource is an adware service operated by ironSource Ltd., Tel Aviv, Israel. Their technology enables us to show mobile application users more relevant advertising that is based on users’ interest in applications. In order to provide these services, IronSource collects and uses certain information about user activity in mobile applications.

The IronSource Privacy Policy can be found here: https://www.ironsrc.com/wp-content/uploads/2019/03/ironSource-Privacy-Policy.pdf

UnityAds is a social media marketing service, integrated in our App, operated by Unity Technologies, 30 3rd Street, San Francisco, CA 94103, USA. Their technology enables us to show mobile application users more relevant advertising that is based on users’ interest in applications. In order to provide these services, UnityAds collects and uses certain information about user activity in mobile applications.

The UnityAds Privacy Policy (https://unity3d.com/legal/privacy-policy) explains how UnityAds collects, uses, and shares information through their advertising platform and their corporate website at https://unity3d.com, as well as your choices related to that information.

Vungle is an in-app video advertising platform operated by Vungle, Inc., 1255 Battery Street Suite 500, San Francisco, CA 94111 USA, with an office in London (6th floor WeWork, Aviation House 125 Kingsway, London, WC2B 6NH) and Berlin (Greifswalder Strasse 212, 10405 Berlin). Their technology enables us to show mobile application users more relevant advertising that is based on users’ interest in applications. In order to provide these services, Vungle collects and uses certain information about user activity in mobile applications.

Vungle is certified under the Privacy Shield Agreement, which provides a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt00000008SwjAAE&status=Active).

The Vungle Privacy Policy (http://vungle.com/privacy/) explains how Vungle collects, uses, and shares information through their advertising platform and their corporate website at https://vungle.com/, as well as your choices related to that information.

Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA or, if you reside in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”) provides a mobile advertising platform. Their technology enables us to provide advertising to our users.

Facebook is certified under the Privacy Shield Agreement, which provides a guarantee to comply with European data protection law  (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active). For more information, please have a look at Facebook’s privacy policy (https://www.facebook.com/full_data_use_policy).

V. Rights of data subjects

If we process your personal data, you will be a data subject within the meaning of the GDPR and you will have the following rights against the controller:

1. Right to information

You may demand that the controller confirm whether or not personal data about you are processed by us.

If we do process such data, you may demand the following information from the controller:

(1)        the purposes for which your personal data are processed;

(2)       the categories of personal data that are processed;

(3)       the recipients or categories of recipients to whom your personal data have been or will be disclosed;

(4)       how long we plan to store your personal data or, if that time period cannot be ascertained yet, the criteria used to determine how long we will store your personal data;

(5)       whether you have a right to rectification or erasure of your personal data, a right to restricted processing by the controller, or a right to object to such processing;

(6)       whether you have a right to lodge a complaint with a supervisory authority;

(7)       any available information about the origin of data if they were not collected directly from the data subject; and

(8)       whether your personal data will be transferred to any third country or international organization; in connection with such transfers you may demand to be informed of appropriate safeguards within the meaning of Art. 46 GDPR.

2. Right to rectification

You have a right against the controller to have incorrect personal data rectified and/or to have incomplete personal data completed if the personal data we process are incorrect or incomplete. The controller must rectify data without undue delay.

3. Right to restricted processing

Under the following conditions you may demand restricted processing of your personal data:

(1)       if you dispute the correctness of your personal data for a time period that allows the controller to review whether your personal data are correct;

(2)       if processing is unlawful and you decline to have your personal data erased and instead demand restricted use of your personal data;

(3)       if the controller no longer needs your personal data for the purposes for which they are processed, but you need such data to assert, exercise, or defend legal rights or claims, or

(4)       if you have objected to processing of your personal data in accordance with Art. 21 para. 1 GDPR and it has not yet been determined whether there are overriding legitimate reasons of the controller.

If processing of your personal data is restricted, such data may – except for their storage – be processed only with your consent, or to assert, exercise, or defend legal rights or claims, to protect the rights of another natural person or legal entity, or for reasons related to an important public interest of the European Union or any member state.

If processing of your personal data has been restricted under the aforementioned conditions, you will be notified by the controller before the restriction is lifted.

4. Right to erasure

a) Erasure obligation

You may demand that the controller erase your personal data without undue delay and the controller has an obligation to do so if one of the following reasons applies:

(1)       your personal data are no longer needed for the purposes for which they were collected or are otherwise processed;

(2)       you have revoked your consent on which the processing of your data is based in accordance with Art. 6 para. 1 let. a) or Art. 9 para. 2 lit. a) GDPR, and there is no other legal basis for processing your personal data;

(3)       you have objected to processing of your personal data in accordance with Art. 21 para. 1 GDPR and there are no overriding legitimate grounds for processing your personal data, or you object to processing in accordance with Art. 21 para. 2 GDPR;

(4)       your personal data have been processed unlawfully;

(5)       erasing your personal data is necessary to comply with a legal obligation under European law or member state law to which the controller is subject; or

(6)       your personal data were collected with respect to offered information society services within the meaning of Art. 8 para. 1 GDPR.

b) Information to third parties

Where the controller has made personal data public and has an obligation under Art. 17, para. 1 to erase such personal data, the controller, taking into account available technology and the cost of implementation, must take reasonable steps, including technical measures, to inform controllers which are processing such personal data that the data subject has requested the erasure by such controllers of any links to, or copies or duplicates of, such personal data.

c) Exceptions

There is no right to erasure if processing personal data is necessary

(1)        to exercise the right to freedom of expression and information;

(2)       to comply with a legal obligation which requires processing of your personal data under EU or member state law to which the controller subject, or to perform a task that is in the public interest, or to exercise official authority vested in the controller;

(3)       for reasons of the public interest in the area of public health within the meaning of Art. 9 para. 2 let. f) and i) and Art. 9 para. 3 GDPR; or

(4)       to assert, exercise, or defend legal rights or claims.

5. Right to notification

If you have exercised your right to rectification, erasure, or restricted processing against the controller, the controller has an obligation to notify all recipients to whom your personal data have been disclosed of such rectification, erasure, or restricted processing, unless this proves impossible or would be associated with unreasonable expense.

You have a right to be informed of all such recipients by the controller.

6. Right to data portability

You have a right to receive personal data you have made available to the controller in a structured, standard, and machine-legible format. You also have the right to transfer your personal data to another controller without any interference by the controller to whom the personal data were made available, if

(1)       processing is based on consent within the meaning of Art. 6 para. 1 lit. a) GDPR or Art. 9 para. 2 let. a) GDPR or on a contract within the meaning of Art. 6 para. 1 lit. b) GDPR, and

(2)       data processing is automated.

In exercising the right to data portability you further have the right to have your personal data transferred directly from one controller to another controller, if and to the extent that this is technically feasible. No rights or freedoms of any other persons may be infringed thereby.

The right to data portability does not apply to processing of personal data that is necessary to perform a task that is in the public interest or to processing of personal data in the exercise of official authority vested in the controller.

7. Right of objection

You have the right for reasons related to your particular situation to object to processing of your personal data at any time based on Art. 6 para. 1 lit. e) or f) GDPR; the same applies to any profiling based on the aforementioned provisions.

If you object, the controller will no longer process your personal data, unless the controller can show that there are compelling protected reasons for processing your personal data that override your interests, rights and freedoms, or if your data are processed to assert, exercise, or defend legal rights or claims.

If your personal data are processed for direct advertising purposes, you have a right to object to processing of your personal data for purposes of such advertising at any time; the same applies to any profiling associated with such direct advertising.

If you object to processing of your personal data for purposes of direct advertising, your personal data will no longer be processed for such purposes.

In connection with use of information society services you may exercise your right of objection – regardless of Directive 2002/58/EC – by using automated processes for which technical specifications are used. For this purpose you may send an email to us.

8. Right to revoke consent to data processing

You have a right to revoke your consent to data processing at any time. If you exercise your right of revocation, the lawfulness of data processing that occurs before revocation based on your consent will remain unaffected.

9. Automated decision in a particular case, including profiling

You have a right not to be subjected to a decision that is made exclusively by means of automated processing – including profiling – if such a decision has legal consequences for you or otherwise substantially impairs your interests. This does not apply if the decision

(1)       is necessary to enter into or perform a contract between you and the controller,

(2)       is permitted under EU or member state law to which the controller is subject and such law provides for appropriate safeguards to protect your rights, freedoms, and legitimate interests, or

(3)       is made with your express consent.

However, such decisions may not be made with respect to special categories of personal data within the meaning of Art. 9 para. 1 GDPR, unless Art. 9 para. 2 lit. a) or g) GDPR applies and appropriate safeguards have been implemented to protect your rights, freedoms, and legitimate interests.

In cases 1) and 3) above the controller must implement appropriate safeguards to protect your rights, freedoms, and legitimate interests, which must include, at a minimum, a right to have a person acting on behalf of the controller take action, a right to present your own point of view, and a right to contest the decision.

10. Right to lodge complaint with supervisory authority

Without prejudice to any other available administrative or judicial remedies, you have a right to lodge a complaint with a supervisory authority, in particular a supervisory authority located in the member state of your habitual residence, at your workplace, or at the place of the purported infringement, if in your opinion the processing of your personal data violates the GDPR.

The supervisory authority where the complaint is lodged will then notify the complainant of the progress and outcome of the complaint, including judicial remedies available under Art. 78 GDPR.