Privacy Policy

Provision of information pursuant to Art 13 and – if stated explicitly – Art 14 of the General Data Protection Regulation 2016/679/EU (“GDPR”) regarding the processing of personal data concerning:

(i) the website https://portalmonstars.com/ (“Website”);

(ii) the PC and mobile game “Portal Monstars” (“Software”), available via software distribution platforms Apple App Store, Google Play and Steam; as well as

(iii) our social media presences outlined under point 8 (“Social Media Presences”).

Thank you for your interest in our website. The protection of your privacy is of high priority to us. Consequently, we only process your personal data on the basis of legal requirements set by the GDPR , other relevant legal provisions as well as the relevant provisions concerning the publication of our Software on the respective software distribution platform.

In general, you are not obligated to provide data. Data processed automatically when accessing the Website are either not personal data or are stored only for short periods (cf. point 6.2.1). However, if you decide to contact us via a contact option presented on the Website (e.g., in the imprint), within our Software or within this Data Protection Declaration, you have to provide us certain of your data being necessary for processing your respective request (cf. point 6.1.1). Using our Software is furthermore necessarily connected with the data processing activities as outlined under point 6.3. In case you do not wish any processing of your respective data, we cannot render our services to you.

1. Definitions

Data protection laws are generally relevant in case any processing of personal data is concerned. The terms used within the scope of this Data Protection Declaration are defined in and by the GDPR. As such, the broad definition of processing (Art 4 item 2 GDPR) of personal data means any operation or set of operations performed on personal data. Any information allowing us or third parties to potentially identify you in person can be considered your personal data, which makes you a data subject (Art 4 item 1 GDPR) within this context. The following terms are particularly relevant for a better understanding of this Data Protection Declaration:

 

Term	Definition	Regulation
Controller	Natural or legal person or other body which has decisive influence on the processing of personal and is therefore subject to data protection obligations.	Art 4 item 7 GDPR Art 24 GDPR
Joint Controllers	Controllers, which process personal data in common interest and have each at least partly a decisive influence on decisions made in this regard.	Art 26 GDPR
Processor	External service provider which processes personal data on behalf of the controller and is contractually bound to its instructions. The processor thereby acts as a kind of extended arm of the controller.	Art 4 item 8 GDPR Art 28 GDPR
Recipient	Generally, every natural or legal person or other body outside of the organisation of the controller to which data being subject to the controller’s responsibility are disclosed.	Art 4 item 9 GDPR
Legal basis	Condition determined by law that constitutes an authorisation to lawfully process personal data.	Art 6 para 1 GDPR
Transfer to third countries	Transfer of personal data to countries outside of the EU respectively EEA through which they are detracted from the sole control of the GDPR due to stronger ties to the legal system of such third country. This might take place where data are disclosed to a recipient that (i) has its seat/residency in such third country or (ii) maintains a server there on which personal data are processed.	Chapter V GDPR
Adequacy decision	A resolution of the European Commission through which the adequacy of the data protection level in a third country is acknowledged, and consequently a transfer of data is possible without further restrictions.	Art 45 GDPR
Appropriate safeguards	Various instruments which allow the transfer of personal data into a third country for which an adequacy decision does not exist. As far as third-country transfers by us are based on appropriate safeguards, you may request a copy thereof by contacting us under the contact options as outlined subsequently.	Art 46 GDPR

2. Information on the controller and contact details

Controller in the sense of Art 4 item 7 GDPR:	Contact details:
Rykings Games e.U. (“we”) Hebragasse 5/23 1090 Vienna Austria	Email: support@rykings.com

 

3. Rights of the data subject

You may decide to exercise any of the following rights concerning our processing of your personal data at any time free of charge by means of a notification being sent to one of the contact options outlined under point 2; we shall then answer your request as soon as possible and within one (1) month at the latest (in exceptional cases, restrictions on these rights are possible, for instance, if otherwise the rights of third parties would be affected):

• access to and further information concerning your individual data processed by us (right of access, Art 15 GDPR);
• rectification of wrongly recorded data or data that have become inaccurate or incomplete (right to rectification, Art 16 GDPR);
• erasure of data which (i) are not necessary in light of the purpose of data processing, (ii) are processed unlawfully, (iii) must be erased due to a legal obligation or an objection to the processing (right to erasure, Art 17 GDPR);
• temporary restriction of processing under certain circumstances (right to restriction of processing, Art 18 GDPR);
• withdrawal of consent (for definitions see point 6) granted for the processing of your personal data at any time; however, please note that the withdrawal of your consent does not retroactively affect the lawfulness of data processing based on such consent – it solely affects subsequent processing activities (right to withdraw; Art 7 para 3 GDPR);
• objection to any processing of your data being based on our legitimate interest (for definitions see point 6) on grounds relating to your particular situation or being executed for direct marketing purposes (right to object; Art 21 para 1 and 2 GDPR);
• transfer of your personal data which are processed for the performance of a contract or on the basis of your consent in a machine-readable format to you or directly to another controller upon request (right to data portability; Art 20 GDPR);
• right to lodge a complaint with a supervisory authority in respect of our processing of your data; in Austria, a complaint has to meet the requirements laid out in § 24 Austrian Data Protection Act and has to be directed to the Austrian Data Protection Authority, Barichgasse 40–42, 1030 Vienna, email: dsb@dsb.gv.at, Phone: +43 1 52 152-0 (for the simplification of this process, the Austrian Data Protection Authority provides forms at: https://www.dsb.gv.at/dokumente [German only]).

 

4. Transfer of your data; recipients

For the purposes executing the data processing activities as indicated in the course of this Data Protection Declaration, we may transfer your personal data to the following recipients or make them available to them:

Within our organisation, your data will only be provided to those entities or employees who need them to fulfil their respectively our respective obligations.

Furthermore, (external) processors engaged by us receive your data if they need these data to provide their respective services (whereby the mere possibility to access personal data is sufficient).

Within the context of our Website, the following processors may have access to your personal data:

• Contabo GmbH, Aschauer Straße 32a, 81549 Munich, Germany (as hosting provider of our Website – cf. point 6.2.1);
• Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (as provider of the backend platform “PlayFab” used for the realisation of our Software – cf. point 7.3.2);
• Unity Technologies S.F., 30 3RD St San Francisco, CA, 94103-3104m USA (as provider of the game engine “Unity” used for the realisation of our Software – cf. point 7.3.3).

Additionally, we may transfer your data to independent controllers, as far as this is deemed necessary, we are legally obliged to do so or you have provided your respective consent. This may include, in particular, the following recipients:

• Apple Distribution International Ltd., Hollyhill Industrial Estate, Hollyhill Cork, Ireland, respectively a group company (as operator of software distribution platform “Apple App Store”, which we use to distribute our Software – cf. point 5.2);
• Google Ireland Limited, Gordon House, 4 Barrow Street, Dublin, Ireland, respectively a group company (as operator of software distribution platform “Google Play Store”, which we use to distribute our Software – cf. point 5.2);
• Valve Corporation, 10900 NE 4th street, 500 Bellevue, WA 98004, USA (as operator of software distribution platform “Steam”, which we use to distribute our Software – cf. point 5.2). Lastly, we are joint controllers in the sense of Art 26 GDPR with the service providers described under point 8 when accessing and interacting with our Social Media Presences. Furthermore, we are joint controllers with Google Ireland Limited (see above) in respect of embedding YouTube videos into our Website (cf. point 7.3.1).

5. Information on independent third-party services

Subsequently, you can find information in regards to independent services of third parties, to which some of your personal data may be disclosed under certain circumstances when using our services. Within this context, the respective operators are independent controllers in respect of their processing of your personal data.

This must be differentiated from (i) the use and implementation of third-party services into our Website and Software (cf. point 7) as well as (ii) our processing of your data in the course of our Social Media Presences (cf. point 8). In regards to those processing activities, we are sole or at least joint controller in terms of your data.

5.1 Links to third-party sites

On our Website and in this Data Protection Declaration as well as potentially within our Software, we use links to websites of third parties, e.g., links to social networks. If you click on one of these links, you will be forwarded to the respective website. For the operators of these websites, it is only evident that you have accessed our Website (or Software) beforehand. However, please be aware that accessing third-party sites results in additional processing of your data in the sphere of the respective third party! Accordingly, we refer you, in general, to the separate data protection declarations of these websites.

5.2 Additional information on software distribution platforms

In order to be able to install our Software on your respective end device and to use it accordingly, you have to obtain it beforehand via a software distribution platform. We offer our Software within this context via the following platforms:

• Apple App Store, which is controlled by Apple Distribution International Ltd. (cf. point 4) from a data protection point of view within the EU (outside of the EU/EEA, group companies such as Apple Inc. [California, USA] can act as controller of your data instead) – further information on the data protection practices of the operator can be looked up at: https://www.apple.com/legal/privacy/en-ww/;
• Google Play Store, which is controlled by Google Ireland Limited (cf. point 4) from a data protection point of view within the EU (outside of the EU/EEA, group companies such as Google LLC [California, USA] can act as controller of your data instead) – further information on the data protection practices of the operator can be looked up at: https://policies.google.com/privacy?hl=en;
• Valve Corporation, 10900 NE 4th street, 500 Bellevue, WA 98004, USA (as operator of software distribution platform “Steam”, which we use to distribute our Software – cf. point 5.2)
• Steam, which is controlled by Valve Corporation (cf. point 4) from a data protection point of view – further information on the data protection practices of the operator can be looked up at: https://store.steampowered.com/privacy_agreement/?l=english&snr=1_44_44_.

Moreover, we may use certain functions of these platforms, for instance, to process payments initiated via the Software or to link information such as gaming progress to your account with the respective operator.

As, in principle, we have no influence on the processing of your data by the respective operator, please also review its data protection information (as linked above).

6. Data processing operations

In the subsequent section, data processing operations that may occur when accessing or using our Website are described in detail. Within this context, we provide you with information on the essential elements of each data processing operation, namely (a) type and extent (when and how), (b) purpose (why) as well as (c) the storage period of your data (how long).

Moreover, we inform you about the legal basis which we use to justify the respective data processing operation as required by the GDPR. The following chart provides you with a first overview of possible legal bases, which we use in this regard:

 

Term	Definition	Regulation
Consent	You have given us your consent prior to the beginning of the data processing operation and for the specific occasion, which therefore authorises us to process your data. (For the right to withdraw your previously given consent at any time, see point 3.)	Art 6 para 1 lit a GDPR
Performance of a contract	The processing of your data is necessary for the performance of a contract concluded with you or to take steps prior to entering into a contract with you at your request.	Art 6 para 1 lit b GDPR
Legal obligation	The processing of your data is necessary to comply with a legal obligation we are subject to.	Art 6 para 1 lit c GDPR
Legitimate interests	The processing of your data is (i) necessary for the purposes of legitimate interests pursued by us or a third party and (ii) we have considered your conflicting interests and fundamental rights and freedoms accordingly. (For the right to object to interest-based processing due to your particular situation, see point 3.).	Art 6 para 1 lit f GDPR

6.1 Common data processing operations concerning Website and Software

6.1.1 Contacting

1. Type and extent of data processing: When contacting us via contact details provided on our Website (e.g., the imprint) or within our Software, we will use your data as indicated in order to process your contact request and deal with it. Certain additional information may be provided voluntarily. The data processing involved is necessary to issue a response in respect of your request.
2. Legal basis and purpose: Purpose of the data processing is to enable us an exchange with users of the Website or Software. We answer your request on the basis of our legitimate interest (Art 6 para 1 lit f GDPR; for the “right to object”, see point 3) in maintaining a properly functioning contact system, which is a prerequisite for the provision of any services. As far as your request is based on an existing contractual relationship with us or you are interested in establishing said contractual relationship, the processing is based on the performance of the corresponding contract, or on taking steps prior to entering into a contract with you at your request (Art 6 para 1 lit b GDPR).
3. Storage period: We delete your requests as well as your contact data if the request has been answered conclusively. Your data are, in general, stored for a period of three (3) months and subsequently erased if we do not receive follow-up requests and if the data must not be further processed for different purposes (e.g., for the fulfilment of legal documentation obligations).

6.2 Data processing operations in the course of using the Website

6.2.1 Processing of traffic data; server log files

1. Type and extent of data processing: You can visit our Website without providing any personal information. However, out of technical necessity, so-called “traffic data” are processed automatically when a website is accessed. Within this context, in particular, the following categories of traffic data can be transferred to the server that is requested to provide a respective website or file:
   1. implicit access data (automatic, inevitable and unsolicited transmission): IP address used, user agent (browser type/version used), accessed site (URL), previously visited website (referrer URL), time of the access request, language settings.
   2. implicit access data (transmission where provided for in the source code of the respective service): screen resolution, colour depth, time zone, touchscreen support, browser plugins. Traffic data will be stored by us in so-called server log files – however, your IP address will be shortened beforehand. Hosting provider of our Website is Contabo GmbH (cf. point 4). Traffic data may also be transferred to providers of third-party services embedded into our Website (cf. point 7).
2. Legal basis and purpose: The purpose of this data processing operation is to establish and maintain technical security with regards to our Website. The processing is based on our legitimate interest (Art 6 para 1 lit f GDPR; for the “right to object”, see point 3) in achieving the mentioned purpose.
3. Storage period: Server log files are stored for a period of fourteen (14) days and subsequently automatically erased.

6.2.2 Use of cookies and similar technologies

1. Type and extent of data processing: On our Website, we use so-called “cookies”. Cookies are small data sets that are stored on your end device by your respective browser. They are placed by a web server and sent back to it as soon as a new connection is established in order to recognise the user and his settings. In this sense a cookie assigns a specific identity consisting of numbers and letters to your end device.Cookies can fulfil different purposes, e.g., helping to maintain the functionality of websites with regard to state of the art functions and user experience. The actual content of a specific cookie is always determined by the website that created it. Cookies always contain the following information: (i) name of the cookie; (ii) name of the server the cookie originates from; (iii) ID number of the cookie; (iv) an end date at the end of which the cookie is automatically deleted.Cookies can be used by the visited Website (“First-party cookies”) or – e.g., for advertising purposes – by third parties (“Third-party cookies”). From a legal point of view, cookies have to be differentiated as follows: (i) so-called “technically necessary” cookies, required for the proper functioning of websites by enabling basic functions such as site navigation and access to protected areas; (ii) other types of cookies (e.g., to generate statistics or display personalised advertising).Most browsers automatically accept cookies. Moreover, you have the option to customise your browser settings so that cookies are either generally declined or only allowed in certain ways (e.g., limiting refusal to third-party cookies). However, if you change your browser’s cookie settings, our Website may no longer be fully usable.In addition to cookies, we may use similar technologies such as, in particular, the local and session storage of your browser in order to store certain data on your end device. In contrast to “cookies”, this method is safer and faster because data are not transferred automatically to the respective server with every HTTP request, but stored by your browser software. Since their functionality is similar to that of cookies, the information on cookies above applies correspondingly.Specifically, we use the following cookies respectively local/session storage objects:
   

   Cookie name	Provider	Purpose	Type and lifetime
   wp-wpml_current_language	Website operator	Used to store the user’s language settings	Technically necessary first-party session cookie, which will be stored on your end device for the respective browser session
   YSC	YouTube (Google Ireland, cf. point 7.3.1)	Used to track and store user interactions	Third-party tracking session cookie, which will be stored on your end device for the respective browser session
   VISITOR_INFO1_LIVE	YouTube (Google Ireland, cf. point 7.3.1)	Used to evaluate your bandwidth	Persistent third-party cookie, which will be stored on your end device for 6 months
   yt-remote-device-id	YouTube (Google Ireland, cf. point 7.3.1)	Stores your preferences regarding the use of the embedded video player	Persistent third-party local storage object
   yt-remote-connected-devices	YouTube (Google Ireland, cf. point 7.3.1)	Stores your preferences regarding the use of the embedded video player	Persistent third-party local storage object
   ytidb::LAST_RESULT_ENTRY_KEY	YouTube (Google Ireland, cf. point 7.3.1)	Used to determine optimal video quality based on your end device and network settings	Persistent third-party local storage object
   readable	(Google Ireland, cf. point 7.3.1)	optimal video quality based on your end device and network settings	party local storage object
   yt-player-bandwidth	YouTube (Google Ireland, cf. point 7.3.1)	Used to evaluate your bandwidth	Persistent third-party local storage object
   yt-player-volume	YouTube (Google Ireland, cf. point 7.3.1)	Used in combination with the volume regulation implemented into the embedded video player	Third-party local and session storage object
   yt-remote-session-app	YouTube (Google Ireland, cf. point 7.3.1)	Stores your preferences regarding the use of the embedded video player	Third-party session storage object, which will be stored on your end device for the respective browser session
   yt-remote-cast-installed	YouTube (Google Ireland, cf. point 7.3.1)	Stores your preferences regarding the use of the embedded video player	Third-party session storage object, which will be stored on your end device for the respective browser session
   yt-remote-session-name	YouTube (Google Ireland, cf. point 7.3.1)	Stores your preferences regarding the use of the embedded video player	Third-party session storage object, which will be stored on your end device for the respective browser session
   yt-remote-cast-available	YouTube (Google Ireland, cf. point 7.3.1)	Stores your preferences regarding the use of the embedded video player	Third-party session storage object, which will be stored on your end device for the respective browser session
   yt-remote-fast-check- period	YouTube (Google Ireland, cf. point 7.3.1)	Stores your preferences regarding the use of the embedded video player	Third-party session storage object, which will be stored on your end device for the respective browser session

2. Legal basis and purpose: We use technically necessary cookies to maintain the proper functioning of our Website on the basis of our respective legitimate interest (Art 6 para 1 lit f GDPR; for the “right to object”, see point 3), as far as personal data are processed within this context. Other types of cookies may be uses by us in case you provide your prior consent (Art 6 para 1 lit a GDPR, for the “right to withdraw”, see point 3). (c) Storage period: With regard to the storage period, cookies can be classified as so-called “session cookies” (automatic erasure as soon as the current browser session ends) or so-called “persistent cookies” (erasure after a previously defined expiration date or manually). Information in the session storage is also stored for the respective browser session only (thus, comparable to session cookies). Information in the local storage, however, has no previously defined expiration date. Via your browser settings, you have the option to delete the entirety of cookies already stored on your end device and/or clear the local/session storage

6.2.3 Functional third-party implementations

1. Type and extent of data processing: Due to third-party software which is embedded into our Website, additional data processing activities may be initiated for different purposes. The specific services and their functionality are briefly described under point 7.2; further information can be found in detailed descriptions under point 7.3.
2. Legal basis and purpose: The relevant purpose and legal basis are outlined in the course of the description of the respective service.
3. Storage period: We store generated data in accordance with the requirements and possibilities stipulated by the relevant service for as long as it is necessary to fulfil the respective processing purpose.

6.3 Data processing operations in the course of using the Software

6.3.1 Download and installation of the Software

1. Type and extent of data processing: In case you decide to obtain our Software via a software distribution platform (cf. Point 5.2), we have to access your respective end device and store certain data on it (also in the course of additional downloads after initial installation has been finished). This is necessary that we can make our Software available to you on the basis of your prior explicit request (i.e., download via the respective software distribution platform).
2. Legal basis and purpose: Purpose of processing is the transfer of data necessary for the use of our Software on your end device. Legal basis is the fulfilment of the respective contract concluded for the use of our Software respectively to take steps prior to entering into a contract on your request (Art 6 para 1 lit b GDPR).
3. Storage period: The respective data remain stored on your end device until you delete our Software and any associated data.

6.3.2 Account management; purchases within the Software

1. Type and extent of data processing: To use our Software, you need a player account, which will be created automatically on the basis of the respective Device ID of your end device when accessing the Software for the first time. Afterwards, you may link this player account voluntarily to your email address or alternatively to your account at the respective software distribution platform (cf. point 5.2) in order to, for instance, transfer your player account to a new end device.Payment processes in the course of using the Software are technically executed via the infrastructure of the respective software distribution platform (cf. point 5.2). We merely receive certain payment information which we need to adequately render our services (e.g., country, date, price, tax rate); as we do not collect these data from you as a data subject directly, information in respect of payment processes is provided according to Art 14 GDPR.
2. Legal basis and purpose: Processing of your data in respect of creating player accounts and concluded payments serves the purpose of providing the necessary infrastructure and handling necessary processes so that our Software can be used on your end device and that we can adequately pursue our business purpose. Legal basis is the fulfilment of the respective contract concluded for the use of our Software respectively fulfilment of individual associated contracts concerning the purchase of digital content (Art 6 para 1 lit b GDPR).As far as data – particularly in the context of payments – are subject to legal retention periods in the individual case, we may further process said data for the purpose of fulfilling such legal obligations (Art 6 para 1 lit c GDPR).A possible linkage of your player account with an email address or your account at the respective software distribution platform is based on your consent (Art 6 para 1 lit a GDPR), which you provide through the corresponding active interaction (for the “right to withdraw”, see point 3).
3. Storage period: In principle, player accounts are retained until you request erasure. You may erase your account at any time via the settings options of the Software, which, however, will result in a loss of your game progress. Data on payments will be erased as soon as they are no longer necessary for contract execution; nevertheless, they must potentially be kept for certain periods to fulfil legal retention obligations.

6.3.3 Gaming operation; player vs. player feature

1. Type and extent of data processing: When using our Software (gaming operation), certain data must be processed to access required information and to establish the respective connection (particularly, User ID, Device ID, technical traffic data). For the gaming operation, it is furthermore necessary to process your player name as well as interaction data (gaming progress, virtual inventory, etc.).To realise the gaming operation of our Software, we use the cross-platform game engine “Unity” (also see point 7.3.3) as well as the backend system “PlayFab” of Microsoft’s Azure platform (also see point 7.3.2).When using the Software for the first time, it is also necessary to determine a player name (which can be changed at any time via the Software’s settings options). Your player name, your profile picture, your online status as well as certain gaming statistics (e.g., current rank in the player vs. player mode) will be disclosed to other players in the course of gaming operation (player vs. player feature) and thus particularly serve to realise the multiplayer functions of the Software.
2. Legal basis and purpose: We process your data in the course of the gaming operation for the purpose of rendering our services. Legal basis is the fulfilment of the respective contract concluded for the use of our Software (Art 6 para 1 lit b GDPR). Purpose of processing in the course of the player vs. player feature is enhancing the gaming experience. Legal basis is our legitimate interest in realising a competitive gaming experience as well as the respective legitimate interest of the Software’s users (Art 6 para 1 lit f GDPR; for the “right to object”, see point 3).
3. Storage period: Data being necessary for the gaming operation are principally stored for the duration of the user’s use of our Software or as long as we offer the Software – this allows you to continuously access your past gaming progress. However, complete erasure of your data and your player profile (including statistics, leaderboard entries, etc.) can be requested at any time by contacting us.

6.3.4 Push notifications

1. Type and extent of data processing: In respect of our Software, we provide and support the delivery of push notifications in order to particularly inform you about game-related events or lengthy periods of inactivity. After installation of our Software, receiving push notifications is either automatically activated or you will be asked if you want to activate push notifications, depending on the respective settings/operating system on your end device. Principally, push notifications can also be deactivated for individual applications in the settings of the device, although there may be differences depending on the platform and operating system. If push notifications are activated, your device will be registered at a particular service provider depending on your operating system (Google Cloud Messaging Service for Android and Apple Push Notification Service for iOS). Subsequently, your respective provider will assign a registration ID (Android) or a token (iOS) to your device. Such ID or token is stored on your device for future delivery of notifications and consists of a combination of letters and numbers. Additionally, the ID or token is transferred to and stored on our servers for later usage. Thus, when an event occurs to which a push notification shall be sent, the particular notification together with all responding IDs or tokens will be forwarded from our server to the respective service provider. Then, the notification will be forwarded by the respective service provider to your device.
2. Legal basis and purpose: We process your data for the purpose of delivering the information requested in the course of using our Software as well as for effective marketing of our offer. Push notifications will be sent on the basis of your consent (Art 6 para 1 lit a GDPR), which you provide by means of a respective active action via your device settings (for the “right to withdraw”, see point 3).
3. Storage period: In the context of delivering push notifications, only the abovementioned device- specific identifiers are stored by us. We will delete your respective data in case that you withdraw your previously given consent for receiving push-notifications respectively demand erasure.

6.3.5 Analysis and evaluation; personalised advertisements

1. Type and extent of data processing: We process data concerning your use of our Software, on the one hand, to generate statistical information (crash and log protocols, diagnostic data, other performance-related data). On the other hand, we process data (e.g., approx. location, purchases made, user interactions) for analysis purposes in order (i) to receive information about the use of our Software (e.g., in regards to user count, user frequency, geographical distribution of users) and (ii) to display personalised advertisements within our Software or within advertising networks of third parties. Further information on the analysis solutions used within this context, please review points 7.3.2 and 7.3.3.
2. Legal basis and purpose: Generating statistical information, on the one hand, serves the purpose of maintaining stability, safety and functionality of our Software. Legal basis is our legitimate interest (Art 6 para 1 lit f GDPR) in ensuring that our Software is adequately powerful and secure (for the “right to object”, see point 3) as well as – concerning the maintenance of the normal functionality of the Software – fulfilment of the respective contract concluded for the use of our Software (Art 6 para 1 lit b GDPR). On the other hand, processing of your data for analysis purposes is executed to assess the reception of our services and to make them more effective. Processing of your data to display personalised advertisements serves the purpose of generating information to efficiently advertise our offerings. Legal basis in both cases is your prior consent (Art 6 para 1 lit a GDPR), which we gather directly via the Software from your (for the “right to withdraw”, see point 3). In the absence of your consent for the personalisation of advertisements, we shall solely display contextual adverts to you based on your approx. location – this serves our respective legitimate interest (Art 6 para 1 lit f GDPR) in marketing our services (for the “right to object”, see point 3).
3. Storage period: For information on the storage period of certain data within this context, please review the respective elucidations under points 7.3.2 and 7.3.3 on individual analysis solutions utilized. In the context of merely displaying contextual advertisements, no personal data will be stored.

7. Use of third-party services and third-party software

7.1 General explanations

1. Purpose of processing: In order to optimise our Website for its intended purposes, provide necessary or useful functions in regards to an economically viable pursuit of our business activity as well as to make available services to users that are usually expected in our line of business, we utilise a variety of services on our Website which are rendered by third-party service providers and subsequently described below.
2. Processing roles: Unless stated otherwise, the respective third-party service provider acts as our processor and subsequently provides its services in our name and on the basis of a corresponding agreement. However, some of the engaged third-party service providers may (also) receive data as independent controllers for their own purposes, in particular for the optimisation of their services. Regardless of their specific processing role, they are in any case considered recipients of some of your data, since the use of the respective service on our Website requires the processing of your data by the corresponding service provider.
3. Necessary processing: From a purely technical perspective, certain traffic data are transferred when visiting any website, and may be transferred to implemented services as well (cf. point 6.2.1). Any such transmission of traffic data that is technically necessary is based on our legitimate interest (Art 6 para 1 lit f GDPR) in integrating the respective services with adequate effort into our Website (for the “right to object”, see point 3). Any further use of traffic data within this context is grounded on a separate legal basis pursuant to the specific information provided below.

7.2 Overview and brief summary

Subsequently, you can find a brief summary of services used as well as accompanying basic legal information.

If you press on the name of one of the services, you will be transferred to the data protection declaration of the respective service provider. Please be aware that accessing third-party sites results in additional processing of your data in the sphere of the respective third party (cf. point 5.1).

Service	Processing operation	Purpose	Legal basis
YouTube	Processing of traffic data and use of storage technologies to implement video content via inline frames	Realisation of a state-of-the-art service as well as appealing presentation of our content	Consent (Art 6 para 1 lit a GDPR)
PlayFab	Processing user data via Microsoft Azure cloud computing platform	Backend framework to realise the Software	Contract performance (Art 6 para 1 lit b GDPR); Legitimate interest (Art 6 para 1 lit f GDPR)
Unity Cloud Diagnostics	Processing of metadata	Problem analysis and elimination	Legitimate interest (Art 6 para 1 lit f GDPR)
Unity Analytics	Processing of data on user behaviour (tracking)	Analysis	Consent (Art 6 para 1 lit a GDPR)
Unity Ads	Processing of traffic data; processing of data on user behaviour	Provision of (personalised) advertisements	Legitimate interest (Art 6 para 1 lit f GDPR); if applicable, consent (Art 6 para 1 lit a GDPR)

7.3 Individual third-party services

7.3.1 Embedding of YouTube videos

On our Website, videos of the platform https://www.youtube.com, a service of Google Ireland Limited, Barrow Street, Dublin 4, Ireland (“Google Ireland”), are embedded as an inline frame.

In the course of the implementation, Google Ireland uses cookies as well as the local/session storage of your end device (cf. point 6.2.2) for the collection and statistical evaluation of data. Google Ireland uses the information collected via storage technologies under its own responsibility to compile accurate video statistics, prevent fraud and improve user-friendliness.

Information generated by the use of cookies as well as traffic data (inter alia, your IP address) are subsequently transferred to a Google server and stored there. However, the IP address will be shortened beforehand. An immediate allocation to your person is only possible if you are logged into your Google account when accessing a respective video, or when accessing a subpage with such integrated video after you have already given your previous consent. Therefore, if necessary, please log out of your account before you allow us to display the video or access the respective page.

We base our processing of your data within that context on your prior consent (Art 6 para 1 lit a GDPR; for the “right to withdraw”, see point 3). We receive statistical evaluations from Google Ireland in regards to the retrieval of individual videos embedded in the Website without reference to the respective user.

Google Ireland may outsource certain processing activities to third parties such as group companies, wherefore a processing of your data in the US, in particular by Google LLC (California, USA), may take place; any such potential transfer is usually based on the adequacy decision of the EU Commission in the sense of Art 45 GDPR concerning the “EU-US Data Privacy Framework”. You may check the respective certification of Google LLC under: https://www.dataprivacyframework.gov/s/participant-search/participant- detail?id=a2zt000000001L5AAI&status=Active.

Since the videos are only embedded in our Website but played directly via https://www.youtube.com, the terms of use and data protection declaration of YouTube/Google apply in that context: https://policies.google.com/privacy?hl=en.

7.3.2 Microsoft Azure PlayFab

In order to realise our Software, we use the backend system “PlayFab” via the Microsoft Azure platform. This framework is provided to us by Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (“Microsoft Ireland”). We use PlayFab in particular for the following:

• to realise the gaming operation of our Software;
• to analyse gaming data and behaviour;
• to improve gaming experience.

Our Software will be hosted on the Microsoft Azure platform leading to your data processed within this context being stored on servers of Microsoft Ireland. This concerns, inter alia, technical data referring to the respective user and end device (e.g., User ID, Device ID, IP address, operating system, CPU, GPU), information on the particular use of the Software (e.g., accessing and exiting the Software, number and extent of purchases made) as well as information on the gaming operation required for debugging purposes (e.g., playing a card or using an effect).

We use PlayFab and Microsoft Azure for the purpose of being able to perform the contract you concluded with us on the use of the Software (Art 6 para 1 lit b GDPR). In respect of necessary data processing activities to realise the gaming operation, please already review point 6.3.3.

Moreover, we conduct analyses of data concerning gaming operation and player behaviour for adequate evaluations of our service on the basis of our legitimate interests within this context (cf. point 6.3.5).

Data stored within the framework of PlayFab which are not necessary for the continuing gaming operation (e.g., technical information on the end device, accessing and exiting the Software) are erased automatically after a period of thirty (30) days.

Microsoft Ireland may outsource certain processing activities to third parties such as group companies, wherefore a processing of your data in the US, in particular by Microsoft Corporation (Washington, USA), may take place; any such potential transfer is usually based on the adequacy decision of the EU Commission in the sense of Art 45 GDPR concerning the “EU-US Data Privacy Framework”. You may check the respective certification of Microsoft Corporation under: https://www.dataprivacyframework.gov/s/participant-search/participant- detail?id=a2zt0000000KzNaAAK&status=Active. Please also review the Microsoft privacy statement for information in greater detail on how data protection is handled: https://privacy.microsoft.com/en-us/privacystatement.

7.3.3 Unity

In order to realise our Software, we use the cross-platform game engine “Unity” of Unity Technologies S.F., 30 3RD St San Francisco, CA, 94103-3104m USA. A respective transfer of your personal data to the USA is based on standard data protection clauses of the EU Commission (Art 46 para 2 lit c GDPR).

For further information on data protection practices of Unity Technologies S.F., please also review the privacy policy of the service provider under https://unity.com/de/legal/game-player-and-app- user-privacy-policy#biometric.

In principle, we use the following Unity services:

Unity Cloud Diagnostics

We use the service “Unity Cloud Diagnostics” in order to preserve stability and security of our Software, and to maintain its normal functionalit. Within this context, we solely process data being relevant for troubleshooting purposes, such as information on your end device (hardware, operating system used), version of our Software, cause for a potential crash, etc. For further information, please also review point 6.3.5. Data processed in the context of Unity Cloud Diagnostics are stored for a period of seven (7) days.

Unity Analytics

In case you provide us your consent (Art 6 para 1 lit a GDPR), we use the service “Unity Analytics” for analysis purposes. Within this context, we process certain data on the use of our Software, such as new users of the Software per day, active users per day, time spent by a user, etc.

Your data collected by means of Unity Analytics are stored for a duration of thirteen (13) months and automatically erased afterwards. Moreover, you may request erasure of your data via the respective settings options of our Software at any time.

For further information in this regard, please also review point 6.3.5.

Unity Ads; Unity LevelPlay

We use the service “Unity Ads” and ads mediation offers of Unity, which allow us to display (personalised) advertisements within the Software and within advertising networks of third parties. In case you provide us your consent (Art 6 Abs 1 lit a DSGVO), data on your use of our Software will be processed in advance for this purpose in order to be able to tailor advertisements to your interests – you can withdraw your previously given consent at any time via the respective option within the Software. Moreover, you can adjust your Unity data protection settings by interacting accordingly with any advertisement displayed within the Software (e.g., requesting erasure of your data). In the absence of your consent for the personalisation of advertisements, we shall solely display contextual adverts to you based on your approx. location. For further information in this regard, please also review point 6.3.5.

8. Social Media Presences

For the purpose of promoting our business activity and our service offer, we maintain presences in various social networks and similar platforms. The processing of your data in this context is based on our legitimate interest (Art 6 para 1 lit f GDPR; for the “right to object”, see point 3) in expanding our reach as well as providing additional information and means of communication to users of social networks and similar platforms. In order to reach said purposes at the best possible rate, we may utilise functions provided by the respective service provider to measure our reach in detail (access statistics, identification of returning users, etc.).

In the course of accessing any of the online presences outlined subsequently, we process the general information being evident due to your profile in the respective network/platform as well as additional continuance, contact or content data, as far as you provide us with such data by interacting with our online presence and its contents. We do not store those data separately outside of the respective social network.

Since we jointly decide with the relevant service provider (respectively entity expressly outlined as controller) upon purposes and means of data processing in the course of a respective online presence, we are to be considered joint controllers in the sense of Art 26 GDPR. The provider of each social network respectively platform mentioned shall act as the primary point of contact with regard to all general and technical questions in respect of our online presences; this also applies to fulfilling rights of the data subjects in the sense of point 3. However, in case of requests concerning the specific operation of our online presences, your interactions with them or information published/collected via such channels, we shall be the primary point of contact; point 3 as well as other stipulations in this Data Protection Declaration apply correspondingly.

Some of the subsequent service providers are respectively their server landscape is located outside of the EU/EEA or they use processors to render their services to which this applies. Please be aware that we have no influence if or to which extent such transfers take place when using the respective network. You can find the relevant information on how each service provider handles third-country transfers (which might include data of you provided in the course of interacting with our Social Media Presences) in the relevant data protection information of such service provider (cf. the respective links under each subsequent subsection). Mostly, those service providers utilise a certification according to the “EU-US Data Privacy Framework” pursuant to the respective adequacy decision of the EU Commission in the sense of Art 45 GDPR or standard data protection clauses in the sense of Art 46 para 2 lit c GDPR adopted by the European Commission in order to justify their transfers.

You can review the most relevant certifications relating to group companies of the subsequently displayed providers under the following links:

• Meta Platforms, Inc. (re “Instagram”): https://www.dataprivacyframework.gov/s/participant- search/participant-detail?id=a2zt0000000GnywAAC&status=Active.

8.1 Facebook

Controller of the social network “Facebook” for the EEA region is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Meta Ireland”). In respect of the operation of our Facebook fan page “Portal Monstars” (https://www.facebook.com/portalmonstars), we are joint controllers in the sense of Art 26 GDPR with Meta Ireland.

Please note that we have no influence on the programming and design of the social network; thus, we can only use the options provided by Facebook in order to personalise and maintain our Facebook fan page. Hence, please carefully review the terms which the service provider prescribes for the use of the social network (https://www.facebook.com/terms) as well as the separate data protection declaration (https://www.facebook.com/policy.php) and consider the settings options in your Facebook account. In regards to any information provided by us via mechanisms made available by Facebook (posts, shares, etc.), we are naturally fully responsible.

8.2 Instagram

The social network “Instagram” is operated by Instagram Inc., 1601 Willow Road, Menlo Park, California 94025, USA, which is part of the Facebook group. Controller from a data protection point of view with regard to the EEA region is Meta Ireland (cf. point 8.1). In respect of the operation of our Instagram account “portalmonstars” (https://www.instagram.com/portalmonstars/), we are joint controllers in the sense of Art 26 GDPR with Meta Ireland.

Please note that we have no influence on the programming and design of the social network; thus, we can only use the options provided by Instagram in order to personalise and maintain our Instagram account. Hence, please carefully review the terms which the service provider prescribes for the use of the social network (https://help.instagram.com/581066165581870?cms_id=581066165581870) as well as the separate data protection declaration (https://privacycenter.instagram.com/policy/?entry_point=ig_help_center_data_policy_redirect) and consider the settings options in your Instagram account. In regards to any information provided by us via mechanisms made available by Instagram (postings, stories, etc.), we are naturally fully responsible.