Issued: December 7, 2020
Thank you for your interest in our online offer. Protecting your data is important to us. We would therefore like to explain to you which personal data we process, for what purpose, and in what form when you use our offers.
This policy applies to the websites and online games operated by Spiele-Palast GmbH and also if you play our games via a social network such as Facebook or visit our Facebook fan pages.
1. Responsible contact person
The contact person and so-called controller for the processing of your personal data described below in accordance with the EU General Data Protection Regulation (GDPR) is
Spiele-Palast GmbH, Boxhagener Str. 106, DE-10245 Berlin.
One exception to this is when you use our Facebook fan pages and personal data is processed for Page Insights, as described in section 9.1; here we are joint controllers together with Facebook.
Should you have any questions or suggestions regarding data protection, please do not hesitate to contact us personally. Our contact details are:
Boxhagener Str. 106
If you have any questions about data protection in connection with our offers or the use of our website, you can also contact our data protection officer at any time. They can be contacted via the above postal address and at the email address firstname.lastname@example.org (keyword: “To data protection officer”).
2. Data security
We maintain state-of-the-art technical measures to guarantee data security, in particular to protect your personal data from risks during data transmission and against unauthorised third parties acquiring knowledge of your data.
All passwords are encrypted using the SHA256 algorithm and an individual salt.
3. Use of our websites
The following data are collected during an ongoing connection for communication between your Internet browser and our web server:
- Date and time of access
- Name of the requested website/file
- Page from which the file was requested
- Address of the requested website and the requesting website
- Access status (file transferred, file not found, etc.)
- Web browser and operating system used
- IP address
- The amount of data transferred in each case.
The data processing is necessary to facilitate the visit to the website and to guarantee the permanent functionality and security of our systems. For the purposes described above, the above data are also temporarily stored in internal log files in order to generate statistical data on the use of our website, to further develop our website with regard to the usage habits of our visitors (e.g. if the proportion of mobile devices via which the pages are accessed increases) and in general to maintain our website administratively. The legal basis is Article 6(1)(1)(b) of the GDPR.
The log files are stored for 30 days and archived after subsequent anonymisation by means of an abbreviation, so that it is subsequently no longer possible to establish a reference to individual users.
Furthermore, cookies are used when our website is in use. Cookies are small files that are stored by your web browser and contain information for exchange with our web server. Cookies are used to make our website more user-friendly and attractive. Basically, there are two different types of cookies – session cookies, which are deleted as soon as you close your browser, and long-term cookies, which are stored for a longer period or indefinitely. This storage helps us to personalise our websites and our offers for you and to facilitate your use, for example by saving certain entries and settings in such a way that you no longer have to repeat them constantly.
We mainly use session cookies, which are deleted when the browser is closed. Session cookies are used for login authentication and load sharing.
We use long-term cookies to save your language settings or to indicate that information placed on our website has been shown to you – so that it is not displayed again the next time you visit the website. The same applies to your login data, so that you can log in again more easily on the website. Long-term cookies are automatically deleted after a specified period, which may vary depending on the cookie. These services are based on our legitimate interests; the legal basis is Article 6(1)(1)(f) of the GDPR. Their purpose is to enable you to use our website more comfortably and individually.
Participation in our online games requires registration. There are two methods for registering for an online game: Either register directly on our websites or log in via your Facebook member account (Facebook login). If you play our games via Facebook, you will automatically use your Facebook account to join the game, so registration is not required.
4.2. Direct registration
Should you wish to register directly, you must create an account by entering your email address, a password of your choice and your freely definable player name. It is not compulsory to use your real name, i.e. pseudonymous participation in the game is possible. If you wish, you may also upload a profile picture.
After registration is complete, we create your account. To do this, we store your email address, your encrypted password and your player names. If you have uploaded an image, we will also save it. The legal basis for this is Article 6(1)(b) of the GDPR. In addition, also on the basis of Article 6(1)(f) of the GDPR, we store the country of origin of the IP address that you used for registration for the purpose of evaluating the reach of our online games and in which countries the players of our online games are located.
4.3. Facebook login
To register with your Facebook member account, you must follow these steps:
First, click on the “Continue with Facebook” button.
After clicking on “Continue with Facebook”, you will be redirected to the Facebook website as a first step. This tells Facebook that you want to register for an account with us.
There Facebook will ask you to enter your Facebook login credentials and to log in to Facebook. Please note: If you are already logged in to Facebook, this first step will be skipped.
Once you are logged in to Facebook, a (second) step will link your Facebook profile and the online game you wish to play. In addition, Facebook will at this point give you the opportunity to access our linked Data Protection and General Terms and Conditions. This link provides us with the following information about you from Facebook:
- Public profile (e.g. name, age, profile photo, gender)
- Friends list (voluntary)
- Email address (voluntary)
We only use your name and profile picture from your public profile data to create your account. We use your friends list to show your Facebook friendships in-game, if these friends are also registered with us.
Once successfully linked, we take over the above data from Facebook and use it to create your account. If you wish, you may complete your profile data with further information.
You can now log in to your new account using the “Continue with Facebook” button.
Please note that when using the Facebook login, your data can also be transmitted to Facebook servers in the USA. There is currently no decision by the EU Commission that the US provides an adequate level of data protection.
The legal basis for the aforementioned transmission and processing of your data by us is Article 6(1)(1)(b) of the GDPR.
More information on this can be found in Facebook’s data policy.
If, at a later date, you wish to remove your Facebook member account from one of our online games, you can do so by removing the relevant online game within your Facebook profile.
Our website also features links to our respective game apps on Facebook. Please note that when you click on a link to Facebook or log in via Facebook, data are transferred to the Facebook servers. If you are logged in to Facebook at this time with your username and password, the information that you are visiting our app will be transferred there and assigned to your user account. In principle, we have no influence on data processing on Facebook. However, we do receive statistics from Facebook about the use of and visits to our apps. Consequently, we share certain parameters with Facebook about our company and the offers on our apps. Facebook uses this information to generate more detailed statistics. Facebook may also use the data for its own purposes over which we have no control.
Further information can be found in the Facebook data policy linked above (cf. section 4.3.2.). You may address your requests for information regarding data processing within the scope of our apps to us via the contact data given in section 1. We will then inform you about the data we have collected and the data transmitted to us as well as their further processing and implement your rights as exercised against us. Should you also wish to assert rights against Facebook, the easiest way to do so is to contact Facebook directly. Facebook knows both the details of the technical operation of the platform and the associated data processing as well as the specific purposes of the data processing and can, at your request, implement appropriate measures if you exercise your rights. The contact details can be found in the data policy linked above.
5. Participation in online games
When you participate in an online game, we collect and use additional data, insofar as these are required for the secure and fast execution and personalisation of the online game (“game data” such as scores, moves, game history, participation in leagues, membership in clubs, status of the premium membership). Since our online games also offer a multi-player experience, this also includes the publication of game data (e.g. game status, player name, club, rounds played, rating, platform, game statistics and, if applicable, profile picture) for friends or other players. In addition, we collect and use registration, game and access data insofar as these are required for billing for playing the online games. The legal basis is Article 6(1)(b) of the GDPR.
If you play the online game Pinochle-Palace, please note that for this we use Unity technology from Unity Technologies (30 3rd Street, San Francisco, CA 94103, USA). This will involve Unity Technologies collecting some or all of the following information about your device: unique device identifiers (e.g. IDFV for iOS devices and Android ID for Android devices); IP address; country where the installation was performed (based on IP address); device manufacturer and model; platform type (iOS, Android, Mac, Windows, etc.) and operating system and version running on your system or device; language; CPU information such as model, number of CPUs present, frequency and instruction set support flags; graphics card type and vendor name; graphics card driver name and version (e.g. “nv4disp.dll 18.104.22.168”); which graphics API is used (e.g. “OpenGL 2.1” or “Direct3D 9.0c”); the amount of existing system and video RAM; the current screen resolution; the version of the Unity Editor used to create the game; sensor flags (e.g. device support for gyroscope, contact pressure or acceleration sensor); application or bundle identification (“App-ID”) of the installed game; unique advertising identifiers for iOS and Android devices (e.g. IDFA or Android Ad ID); and a checksum of all sent data to ensure that it has been transmitted correctly.
In the event that personal data is transferred outside the European Economic Area (EEA) to countries with a level of data protection not considered adequate by the European Commission, we and Unity Technologies have taken appropriate measures, in particular the conclusion of standard contractual clauses, which are provided by the European Commission to protect your personal data. A copy of these measures can be obtained at DPO@unity3d.com.
You can opt-out of this data collection by Unity Technologies by clicking on the “Unity Data” button under the “Data Protection” item in the menu. You will then be forwarded to the Unity Technologies privacy settings. Pressing the “OPT-OUT” button will deactivate data collection by Unity Technologies.
More information on this can be found in Unity Technologies’ data policy as well as in the data protection FAQs.
In order to offer safe and fair gaming to all users, we make reasonable use of playing, registration and access data (e.g. IP addresses) in order to detect unusual activity or conduct that we know from experience indicates fraudulent or abusive use of our online games (e.g. suspicious reaction behaviour indicating the use of bots or cheats, or multiple logins from different devices at the same time). We also use this data to investigate complaints we receive from other users. In cases of suspected fraud or abuse, we may temporarily suspend your player account in order to protect you, other users and/or Spiele-Palast from fraud or abuse. If this happens, Spiele-Palast will inform you on your next login attempt of the suspension and, if applicable, any information or steps required to lift the suspension. The legal basis is Art. 6(1) Sentence 1(f) GDPR, based on our and our users’ legitimate interest in preventing fraud and abuse.
6. Chargeable content
You can add paid content (“premium content”) to our online games. Should you wish to purchase premium content, you will be required to enter your payment details. We have commissioned the following service providers to process the following payment methods:
- for payment via Sofortüberweisung: Sofort GmbH, Theresienhöhe 12, DE-80339 Munich
- for payment via PayPal: PayPal (Europe) Sà r.l. et Cie, S.C.A, 22-24 Boulevard Royal, L-2449 Luxembourg
- for payment via Boku: Boku Payments Inc, 735 Battery Street, 2nd Floor, San Francisco, CA 94111, USA
- for payment via DaoPay: DaoPay GmbH, Hackhofergasse 5/14, AT-1190 Vienna, Austria
- for payment via Facebook: Facebook Payments International Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin, 2 Ireland
- for payment via Google Play: Google Payment Limited, Belgrave House, 76 Buckingham Palace Road, London SW1W 9TQ, UK
- for payment via Amazon: Amazon Media EU Sà r.l. (Société à responsabilité limitée), 5 Rue Plaetis, L-2338 Luxembourg
- for payment via Apple iTunes Store: Apple Distribution International, Hollyhill Industrial Estate, Hollyhill, Cork, Ireland
- for payment via Steam: Valve Corporation, 10500 NE 8th Street, Suite 1000, Bellevue, WA 98004-4345, USA
- for payment via Microsoft Store: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA
All information that you provide to the aforementioned service providers in the context of payment processing will not be transferred to us by them. We only receive information that payment for the respective Spiele-Palast GmbH offer has been made by the respective buyer.
7. Chat with other players
Some of our online games may offer you the opportunity to chat directly with other players and friends. Chat logs are stored here as follows: There are three different types of chat: 1. Public chats at the gaming table, 2. Club chats and 3. Private chats between individual players. We create chat logs for chats of type 1 (public at the gaming table) and type 2 (club chat), but not for type 3. For type 1 (public chats at the gaming table), there is also automated recognition of expletives, which can result in a warning or temporary suspension for the player. The chat logs are automatically deleted within 30 days. The legal basis for processing the chat logs is Article 6(1)(1)(b) of the GDPR. In the event of legitimate interest (e.g. insults or other improper or punishable behaviour), we also store individual chats for longer. The legal basis is Article 6(1)(1)(f) of the GDPR. Our interest is in protecting our players from insulting and other inappropriate comments.
Messages sent via the “Private chat” function are only visible to the recipient you have selected. Messages sent via the “Club chat” function are only visible to the members of the respective club.
8. Blog comment function
You can make public comments on our blogs. For this we need your name or your freely selectable pseudonym as well as your email address. Optionally, you can enter the URL of your homepage.
Please note that we do not review comments prior to publication. However, we do randomly check comments and delete them if they contain illegal content.
As we may be held liable for unlawful comments, we store your email address and your IP address, the latter being automatically deleted or made anonymous after 30 days. We use these data only to contact you in the event that a third party claims to have had its rights infringed by your comment (e.g. in the case of an insult) and, in such cases, to prevent you from committing similar violations in the future. If necessary, we also use your email address to contact you about the subject of your comment (no advertising). The legal basis is Article 6(1)(f) of the GDPR. In this way, we want to pursue and prevent the aforementioned infringements.
9. Google Analytics and Firebase
9.1. Google Analytics
Google will process the information obtained by the cookies in order to evaluate your use of the website, to compile reports on the website activities for the website operators and to provide further services associated with the use of the website and the Internet. We use Google Analytics to analyse usage behaviour and for evaluation of the associated data in order to adapt our website accordingly. The legal basis for this data processing is Article 6(1)(1)(f) of the GDPR.
9.2. Google Analytics for Firebase
We also use the analytics service “Google Analytics for Firebase”, which is offered by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland, “Google”). It processes technical usage data (e.g. IP address of your device, installation data such as the app version and time of installation, information on the content and functions you use, information on clicks, duration of use and information on your device such as device model and operating system). The information is collected in pseudonymous form using so-called identifiers, e.g. in the form of the Apple Advertising ID or the Android Ad ID. Google will use this information for the purpose of evaluating your use of our websites and apps on our account, compiling statistical reports on general usage patterns for us and providing other services associated with use and internet usage for purposes of market research and tailoring our offerings to meet customer needs. As part of the reports, Google may also provide us with statistical data regarding the age structure of our users and other compiled demographic data. In the event that personal data is transferred to the USA, Google is contractually committed to us to provide an appropriate level of data protection in accordance with the EU standard contractual clauses.
The legal basis for this data processing is Article 6(1)(1)(f) of the GDPR.
10. Use of our Facebook fan pages
10.1. Usage analysis for Page Insights
The data used by Facebook for Page Insights includes, for example, information about the frequency of visits to the fan pages, activities related to the content we post (such as whether a post is “liked” or a mouse hovered over a page’s name or profile picture in order to see a preview of the page content), and whether a computer or mobile device is used to visit the fan page. With the help of Page Insights, Spiele-Palast receives information from Facebook about how its fan pages are used, what interests the users have, and what content is particularly popular. This allows Spiele-Palast to better align its fan page activities with the interests and usage habits of its Facebook audience.
Spiele-Palast and Facebook are joint controllers responsible for the data processing described above in connection with Page Insights. To this end, Spiele-Palast and Facebook have concluded an agreement to determine which party meets which data protection requirements under the GDPR with regard to the processing of Page Insights data. Facebook has summarised the essence of this agreement here.
If a participant has consented to Facebook processing Page Insights data as described above, the legal basis of this is Art. 6(1) Sentence 1(a) of the GDPR. Furthermore, the legal basis is Art. 6(1) Sentence 1(f) of the GDPR, based on Spiele-Palast’s legitimate interest, as described above, in the optimisation of its fan page activities.
10.2. Your rights with regard to Page Insights
More information about your rights in connection with Page Insights and how to exercise them is available on Facebook here.
Since Spiele-Palast does not have access to the Page Insights data collected by Facebook, you should contact Facebook directly if you wish to exercise your rights in this regard. You can also contact us to exercise your rights; we will then forward your request to Facebook.
10.3. Further data processing by Facebook
Spiele-Palast has no influence on how Facebook processes data for other purposes and is not responsible for this. Detailed information on further data processing by Facebook can be found in Facebook’s Data Policy.
11. Online advertising
11.1. Facebook app events
For marketing purposes, our websites use so-called conversion and retargeting tags (also “Facebook Analytics” or “Facebook App Events”) from the social network Facebook, a service offered by Facebook Inc., 1601 Willow Road, Menlo Park, California 94025, USA (“Facebook”). We use Facebook Pixel to analyse the general use of our websites and to track the effectiveness of Facebook advertising (“conversion”). In addition, we use the Facebook pixels to show you individualised advertising messages based on your interest in our products (“retargeting”). For this, Facebook processes data that the service collects via cookies and similar technologies on our websites. However, data processing only takes place when the purchase process has begun at Spiele-Palast or a purchase has been completed.
Please note that the data arising in this context can be transmitted by Facebook to a server in the USA for evaluation and processed there. There is currently no decision by the EU Commission that the US provides an adequate level of data protection. In particular, there is a risk that your data processed by Facebook in the USA may be collected by US security authorities even without a court order or legal protection.
If you disable data processing by Facebook, Facebook will only display general Facebook ads that are not selected based on the information collected about you.
More information on this can be found in Facebook’s data policy.
11.2. Google Ads conversion tracking and remarketing
12. Recipient of the data
The data collected by us will only be transferred if this is necessary to fulfil the contract or for provision of the technical functionality of the website or if there is another legal basis for transferring the data.
For the technical provision of our website, online games and backend systems we use server services (e.g. application hosting, database server) from Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg (“AWS”), which processes our data on our account. Data processing by AWS takes place in a computer centre within the EU. In exceptional cases, the parent company of AWS (Amazon Web Services, Inc. 410 Terry Avenue North Seattle WA 98109, USA) may also access the data for maintenance purposes. In the event that data has to be transferred to the USA, Amazon Web Services, Inc. is contractually committed to us to provide an appropriate level of data protection in accordance with the EU standard contractual clauses.
Further information can be found in AWS’s data policy.
Since our online games offer a multi-player experience, in some of our online games certain game data (e.g. player name, club, rating, game statistics and, if applicable, profile picture) is published on our website and in our online games for all users in the form of highscore lists, live statistics or in similar form, in order to give them a realistic impression of the game activity and level of play. The legal basis is Article 6(1)(b) of the GDPR.
In addition, a transfer may occur in connection with official enquiries, court decisions and legal proceedings if required for legal prosecution or enforcement.
You have the opportunity to subscribe to our newsletter, in which we provide you with regular information about innovations to our products and campaigns.
You can subscribe to our newsletter by registering on our website and then confirming your email address in the welcome email. The welcome email will once again make separate reference to the newsletter. However, use of the games offered by Spiele-Palast does not require confirmation of the email address and therefore registration for the newsletter. You may unsubscribe from the newsletter at any time without incurring any costs other than the transmission costs in accordance with the basic tariffs. An “unsubscribe link” can be found in each newsletter. Notification via the contact data specified above or in the newsletter (e.g. by email or letter) is, of course, also sufficient. The legal basis for the processing is your consent as per Article 6(1)(a) of the GDPR.
In our newsletters we use commercially available technologies to measure interactions with the newsletters (e.g. opening of the email, clicked links). We use these data in pseudonymous form for general statistical evaluations as well as for the optimisation and further development of our content and customer communication. This is done with the help of small graphics embedded in the newsletter (so-called pixels). The data are collected exclusively in pseudonymous form and are not associated in any way with your other personal data. The legal basis for this is our above-mentioned legitimate interest as per Article 6(1)(1)(f) of the GDPR. We want to use our newsletters to share content that is as relevant as possible to our customers and, as a result, to better understand what our readers are actually interested in. Should you not wish your usage behaviour to be analysed, you may unsubscribe from the newsletter or deactivate the graphics in your email program by default. The data on the interaction with our newsletters are stored pseudonymously for 30 days and subsequently completely anonymised.
14. SendGrid as e-mail service provider
For the services on our website, we use the email delivery service provider “SendGrid” of SendGrid, Inc. (1801 California Street, Suite 500 Denver, Colorado 80202, USA). Two different types of emails are delivered using SendGrid. On the one hand, we use the service to send individual emails within the scope of contract performance (e.g. purchase confirmation, registration emails, password recovery emails). On the other hand, we also use the service to deliver our newsletter. In both cases, SendGrid receives the emails of the recipients from us. In some cases, it also receives additional data such as the player’s name or chip balance, as far as this is necessary for filling in placeholders in a newsletter. SendGrid acts as an email server and sends the information to the email addresses listed in the registration form. In the event that personal data are transferred to the USA, SendGrid is contractually committed to us to provide an appropriate level of data protection in accordance with the EU standard contractual clauses. The use of the SendGrid delivery service provider is based on our legitimate interests as per Article 6(1)(f) of the GDPR in the use of a user-friendly and secure newsletter system that serves both our business interests and the expectations of users.
More information on this can be found in the data protection policy from SendGrid and especially for the email delivery at https://sendgrid.com/policies/email/.
15. Storage period
In principle, we store personal data for only as long as is necessary to fulfil the contractual or statutory obligations for which we have collected the data. We then delete the data immediately, unless we need the data until the end of the statutory limitation period for purposes of evidence for civil claims or due to statutory retention obligations.
For evidence purposes, we must retain contract data for a further three years beyond the end of the year in which our business relationship with you is terminated. Any claims shall lapse after the statutory period of limitation at the earliest as of this date.
Even after that, we must still store some of your data for accounting reasons. We are obliged to do so on the basis of statutory documentation obligations that may arise from the German Commercial Code, the Fiscal Code of Germany, the German Banking Act, the German Money Laundering Act and the German Securities Trading Act. The periods specified therein for the retention of documents range from two to ten years.
Insofar as personal data is processed on the basis of legitimate interests pursuant to Article 6 (1) (f) of the GDPR, the personal data shall be deleted here at the latest when the legitimate interest in its processing no longer exists or the user requests the deletion of the data.
16. Your rights
You shall have the right to request information about our processing of your personal data at any time. Within the scope of providing information, we will explain the data processing and provide you with an overview of the data we have stored which relates to you. Should the data stored by us be incorrect or no longer up to date, you shall have the right to have these data corrected. You may also request that your data be deleted. If, in exceptional cases, deletion is not possible due to other legal regulations, the data shall be blocked such that they are only available for this statutory purpose. The processing of your data may also be restricted, for example if you believe that the data we have stored are incorrect. You also have the right to data portability, i.e. we will send you, on request, a digital copy of the personal data you have provided to us.
To exercise your rights as described here, you may contact us via the above contact details at any time. This shall also apply if you wish to receive copies of guarantees to prove an adequate level of data protection.
Finally, you shall have the right to complain to our data protection supervisory authority. You may exercise this right before a supervisory authority in the Member State in which you are resident or working, or in the location of the suspected infringement. In Berlin, the location of the registered office of Spiele-Palast GmbH, the responsible supervisory authority is: Berlin Commissioner for Data Protection and Freedom of Information, Friedrichstr. 219, DE-10969 Berlin.
Right of revocation and objection
You have the right to revoke your consent at any time. The consequence of this is that we shall not continue processing data based on this consent in the future. The revocation of consent shall not affect the legality of the processing carried out on the basis of the consent prior to revocation.
Insofar as we process your data on the basis of legitimate interests, you shall have the right to object to the processing of your data at any time for reasons arising from your particular situation. Should you object to data processing for direct marketing purposes, you have a general right of objection, which we will implement without you giving any reasons. In the event of an objection to an automatic temporary suspension of your player account (see clause 5.3), you have the right to contest the suspension, to inform us of your own position, and to request that one of our employees manually review the suspension (also taking into account your point of view).
Should you wish to utilise your right of revocation or objection, an informal communication to the above-mentioned contact data is sufficient.