PRIVACY AND DATA PROTECTION POLICY
THIS PRIVACY AND DATA PROTECTION POLICY DEFINES THE REGULATION OF THE RELATIONSHIP BETWEEN TURBO ROCKET GAMES LLC (HEREINAFTER COMPANY) AND USERS, EMPLOYEES, INDEPENDENT CONTRACTORS, STAKEHOLDERS (HEREINAFTER THE USERS OR OTHER DATA SUBJECT) REGARDING THE USE OF THE USERS’ PERSONAL DATA.
WHEREAS ALL DATA SUBJECTS ARE REQUIRED TO READ THIS PRIVACY AND DATA PROTECTION POLICY TO UNDERSTAND HOW COMPANY COLLECTS AND PROCESSES PERSONAL DATA WHILE CONDUCTING ITS ACTIVITIES AND WHAT SECURITY MEASURES ARE BEING APPLIED.
WHEREAS PRIVACY AND DATA PROTECTION POLICY OF THE COMPANY IS APPLIED IN ALL COMPANIES OF THE COMPANY, WHICH ARE UNDER THE LEGAL AUTHORITY UNDER THE SUPERVISION OF OR CONTROLLED BY COMPANY.
While conducting its activities, TURBO ROCKET GAMES LLC adheres all conditions and requirements stipulated by the current legislation of the USA, European legislation, including but not limited to, the GDPR as well as by other international legislative acts concerning data protection.
While processing the personal data, the definitions stated herein have the following meaning:
‘Personal data’ means any information relating to an identified or identifiable natural person (also referred to as “individual”/“data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
‘Special categories of personal data’ (‘sensitive data’) means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
‘Data controller’ (‘controller’) means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
‘Data processor’ (‘processor’) means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
‘Data Subject’ means any living individual who is the subject of personal data held by the Company, including Users and other independent contractors/employees and other stakeholders.
‘User’ means the data subject, who has downloaded and/or played Games.
‘Game’ means the game produced by the Company, which is available for Services provided.
‘Services’ means services provided by the Company that include:
- creation an account which make possible to associate user’s game progress with him/her and save it on Company’s servers;
- providing support with authorization, account managing, account security, game client software errors, in-game problems, in-game purchases, bans (technical and player assistance).
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
‘Profiling’ means any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person, or to analyses or predict that person’s performance at work, economic situation, location, health, personal preferences, reliability, or behavior. This definition is linked to the right of the data subject to object to profiling and a right to be informed about the existence of profiling, of measures based on profiling and the envisaged effects of profiling on the individual.
‘Automated decision-making’ means an ability to make decisions by technological means without human involvement.
‘Personal data breach’ means a breach of security leading to the accidental, or unlawful, destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. There is an obligation on the controller to report personal data breaches to the supervisory authority where the breach is likely to adversely affect the personal data or privacy of the data subject.
‘Data subject consent’ means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.
‘Third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
‘Filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.
‘Company’ means TURBO ROCKET GAMES LLC, the legal entity duly registered under the laws of the USA.
‘Data Protection Authority’ (DPA) means an independent public authority which is established by a Member State pursuant to the GDPR. In the contents of this Policy the DPA means a German Data Protection Authority.
TURBO ROCKET GAMES LLC is registered at the following address: 1013 Centre Road, Suite 403-B United States, Wilmington, Delaware, 19805 is committed to compliance with all relevant EU and the USA laws in respect of personal data and protection of the “rights and freedoms” of individuals while collecting and processing the personal data in accordance with the General Data Protection Regulation (GDPR).
This Privacy and Data Protection Policy (Policy) sets out how the Company uses, processes and stores the Data Subjects’ personal data. The Company may get such personal data from the Users or from its partners in order to deliver the contractual obligations. In other cases, the Company will get such personal data from the Users with the User’s permission and consent or may receive Users’ personal data from third parties to whom the Users have given consent to transfer such personal data to the Company.
This Policy describes the main steps the Company makes to be in compliance with the GDPR, herewith, other conditions of compliance along with connected processes and procedures, may be described by other relevant documents, which the Data Subjects and any other stakeholders may find at the appropriate reference links stated herein.
The Users have a right to apply to the Company or to the appropriate Data Protection Authority as to his/her personal data breach if he/she becomes aware of it earlier than the Company.
The General Data Protection Regulation 2016 (GDPR) replaces the EU Data Protection Directive of 1995 and supersedes the laws of individual Member States that were developed in compliance with the Data Protection Directive 95/46/EC. Its main purpose is to protect the “rights and freedoms” of natural persons (i.e. living individuals) and to ensure that personal data are not processed without their knowledge, and, wherever possible, that it is processed with their consent.
General Data Protection Regulation (hereinafter “the GDPR”) applies to the citizens of the EU or EU Member States and other natural persons (whatever they nationality or place of residence), in relation to the processing of their personal data if they are located within the territory of the EU.
In collecting and using of personal data, the Company is subject to a variety of legislation controlling how such activities may be carried out and the safeguards that must be put in place to protect them.
The purpose of this Policy is to set out the relevant legislation and to describe the steps the Company is taking to ensure that it complies with it.
This Policy applies to all Company’s employees, independent contractors, stakeholders and all other subjects that directly or indirectly participate in the personal data processing, including data subjects who have downloaded and/or play Games produced by the Company.
The following actions are undertaken to ensure that the Company complies at all times with the accountability principle of the GDPR:
These actions are being reviewed on a regular basis as part of the management process concerned with data protection.
The Company has developed all internal documents to define roles concerning the personal data processing within the Company among the staff.
PRINCIPLES OF PROCESSING
While conducting collecting and processing the personal data, the Company adheres the principles provided by the GDPR. The Company’s policies and procedures are designed to ensure compliance with the principles.
(a) Lawfulness, fairness and transparency
Lawfully – the controller identifies a lawful basis before the processing of the personal data. These provisions are often referred to as the “conditions for processing”, for example consent.
Fairly – in order to process the personal data fairly, the controller has to make certain information available to the data subjects as practicable. This applies whether the personal data have been obtained directly from the data subjects or from other sources.
Transparently – any information and communication relating to the processing of the personal data is easily accessible and easy to understand, using clear and plain language.
(b) Purpose limitation
The personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, pursuant to Article 89(1) GDPR, not be considered to be incompatible with the initial purposes.
(c) Data minimization
The personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
The personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
(e) Storage limitation
The personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR subject to implementation of the appropriate technical and organizational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject.
(f) Integrity and confidentiality
The personal data must be processed in a manner that ensures appropriate level of security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
PERSONAL DATA THE COMPANY COLLECTS AND PROCESSES
While conducting its activities, the Company collects and processes the following personal data of the Users: e-mail address, unique nickname, IP address, country, age.
The Company does not collect and/or process any sensitive data.
Processing of personal data within the territory of the EU
The Company uses the User’s IP address to define his/her country while creating an account, and offer him/her the filled-in field. The Company does not process neither storage the User’s IP address after account registration any longer.
Personal data concerning the User’s age and country are stored on his/her mobile device. The Company may have access to the User’s personal data only provided that the User have created an account and given the consent to processing of his/her personal data.
While collecting and processing the personal data of Users, the Company acts as the joint controllers with the advertising partners, and the corresponding range of controller rights and responsibilities arises. The Company collects no personal data belonging to the natural persons within the territory of the EU for marketing purposes. Advertisements provided are context-specific and do not require personal data.
The Company is not responsible for how the Advertising partners process the Personal data they collect from Users.
The Company does not use automated decision-making.
THE PURPOSE OF PROCESSING
The personal data of the Users are collected by the Company for the purposes of:
- creation an account which makes possible to associate User’s game progress with him/her and save it on Turbo Rocket Games LLC’s servers;
- providing support with authorization, account managing, account security, game client software errors, in-game problems, in-game purchases, bans (technical and player assistance) to the User.
The Company’s advertising partners may process Users personal data for the purposes of:
- displaying in Games advertising materials provided to target market (personalized advertising) or for any other purposes that the advertising partners establish themselves.
The personal data of the Users who are in the EU are not collected by the Company or its advertising partner for the purposes of marketing and advertising.
Under the GDPR, the controller shall specify one or more specific purposes for which the personal data are to be processed. Herewith, it is unlawful to collect and process personal data for any other purposes but defined as follows.
The Company’s liability for processing of personal data within the territory of the EU
The personal data of the Users may be processed for the purposes determined by the Company’s advertising partners. The Company does not participate in determining of such purposes in conjunction with an advertising partner, and thus shall not be liable for the processing of such personal data conducted by the Company’s advertising partners.
THE LAWFULNESS OF PROCESSING
Under Article 6 GDPR, there are six alternative ways in which the lawfulness of a specific case of processing of personal data may be established under the GDPR. This Policy has been drawn up to identify the appropriate lawful grounds for the processing of the personal data provided and to document the processing in accordance with the GDPR.
The personal data of Users
The Users’ personal data are being collected by the Company while the appropriate User is registering in the game. The Users’ personal data are being collected by the Company’s advertising partners while the appropriate User is launching the game the first time. Herewith, the personal data are being collected based on the Users’ consent, the providing of which is specified herein.
The Company processes the personal data based on the consent that must be obtained from the User in accordance with the GDPR requirements. Herewith, the consent is to be provided by filling-in the Consent Request Form the Company provide the appropriate User with.
Along with the Consent Request Form, the Company provides the User with the Privacy Notice, which contains, including but not limited to, the precise information concerning the purposes of processing and the information on methods of processing as well as on the period for which such personal data are to be stored.
The consent is considered to be provided to the Company after the User has placed the tick in front of the “I accept” button on the appropriate Consent Request Form provided by the Company through the game for each separate purpose of processing of the personal data.
By giving the consent, the User acknowledges and accepts all terms and conditions specified in the Privacy Notice and Consent Request Form as well as all the conditions specified in this Policy.
Herewith, it is worth to clarify that the Privacy Notice is to be provided to the Users within the game before the appropriate consent/registering form is filled in.
The Company shall be able to demonstrate that the consent was obtained in accordance with the provisions of the GDPR for each processing operation if it is required by the supervisory authority.
The processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child. Herewith, the Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.
The personal data of Users
The Company does not process the personal data of сhildren as defined above in this Policy.
The Company may process the personal data of a сhild if parental or custodian consent has been obtained. The controller shall make reasonable efforts to verify in such cases that consent is given or authorized by the holder of parental responsibility over the сhild.
The Company asks the Users to send a feedback by email to Company if the Users know that the Company processes personal data of a child. The Company will delete such personal data immediately.
Herewith, the Company will not be liable for any consequences if it becomes clear that the User has not reached the age of 16 at the moment of the consent is being provided.
WITHDRAWAL OF CONSENT
The User is entitled to withdraw the consent at any time he/she wishes. The withdrawal of the consent can be made by going into Settings, Privacy tab in the game. Withdrawal of consent will delete the User’s account automatically.
The personal data of the User collected by the Company, are being processed in accordance with the principles stipulated by the GDPR. The Company takes all adequate measures to ensure the compliance with the GDPR while processing the Users’ personal data.
While processing the Users’ personal data, the automatic decision-making and profiling is not applied by the Company.
THE PERIOD OF STORAGE
Article 5 (1) (e) GDPR stipulates that the Personal data must be kept in a form which permits identification of data subjects for no longer than it is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
After an expiry of the storage period, the Company is obliged to delete the personal data or ask the User to provide the Company with a new consent if the necessity of the processing of such personal data remains actual for the Company, or another purpose of processing appears.
The personal data of Users
Taking into account the purposes of processing, the period of storage of Users’ personal data (period of storage) is 365 days since the date the Users’ accounts have been used the last time (authorization, saving progress on the Company’s servers etc.).
The Company is entitled to stop the storage of and delete the User’s personal data collected earlier at any time if such personal data are not needed anymore. Herewith, the Company is obliged to notify the User that his/her personal data are deleted.
The Company may keep storing the personal data if a subsequent processing is stipulated by law and is deemed relevant for a purpose which is not compatible with the original purpose of processing stated in this Policy. Herewith, ‘processing for compatible purposes’ means further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
DATA SUBJECTS RIGHTS
The Users, whose personal data are being processed by the Company, have the Data subjects’ rights stipulated by the GDPR.
The personal data of Users
To realize any of the rights mentioned above, the User should click on the corresponding menu and complete the appropriate form at the following link: https://turborocketgames.com/account.
Detailed terms of exercise of the rights mentioned above are stated in the respective procedures, that are accessible at the following link: https://turborocketgames.com/account.
These are the timescales within which the Users may realize the rights mentioned in this section:
Data Subject Request
The right to be informed
When the personal data are collected (if provided by data subject)
The right to access
The right to rectification
The right to erasure
Without undue delay
The right to restrict processing
Without undue delay
The right to data portability
The right to object
On receipt of objection
Rights in relation to automated decision making and profiling.
PERSONAL DATA SECURITY
Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
The personal data of Users
The Company is responsible for ensuring that any personal data that Company holds and the Company is responsible for, is kept securely and is not under any conditions disclosed to any third party unless that third party has been specifically authorized by Company to receive that data and is under an appropriate obligation of confidentiality.
The Users’ personal data shall be treated with the highest security and must be kept:
The User is entitled to request the Company to clarify what security measures are applied while processing User’s personal data.
DATA BREACH NOTIFICATION
‘Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
There are three different kinds of breach under the GDPR:
The personal data of Users
The Company takes all reasonable steps to minimize the risk of the personal data breach while processing the personal data.
In a case of a personal data breach, the Company shall without undue delay and where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Supervisory Authority competent in accordance with Article 55 GDPR, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of Users.
The risk assessment the Company has to carry out, will determine whether the risk to the rights and freedoms of the Users affected is considered to be sufficiently high to require the notification of the Users.
Also, in the case of a personal data breach, which is likely to result in a high risk to the rights and freedoms of the Users, the Company shall without undue delay notify the appropriate User whose personal data were breached.
However, if any subsequent measures have been taken to mitigate the high risk to the Users, so that it is no longer likely to happen, then communication to the User is not required by the GDPR.
The Company documents all personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the Supervisory Authority to verify compliance with the GDPR.
Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of the GDPR, the conditions laid down in the GDPR Chapter 5 are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in the Chapter 5 GDPR shall be applied in order to ensure that the level of protection of natural persons guaranteed by the GDPR is not undermined.
The European Commission has the power to determine, on the basis of Article 45 GDPR whether a country outside the EU offers an adequate level of data protection, whether by its domestic legislation or of the international commitments it has entered into. Under the appropriate Decision of EU Commission, the personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary.
The European Commission has so far recognized Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework) as providing adequate protection.
The Company may transfer the Users’ personal data to its business and advertising partners specified hereabove and which are registered within the European Union and the USA. The Company transfers the personal data with respect to the provisions of the GDPR and on the base of the adequacy decision if needed.
The Users’ personal data are transferred to the third country on the basis of an adequacy decision as it is stipulated by the GDPR and other related document issued by the EU Commission. During the transfer of the personal data to the third country the Company provides appropriate safeguards, and only on condition that the Users’ rights and effective legal remedies for the Users are enforceable and available in such third country.
The personal data of Users
The Company does not trade or transfer the Users’ personal data to any legal persons, individuals or third parties. The Company is authorized to transfer personal data to third parties only according to terms and purposes determined in this Policy.
The Company may transfer the Users’ personal data to third parties which are the Company’s business partners only for the purposes of personal data processing such as technical and player assistance.
Company’s advertising partners may collect personal data independently. In this case the Company does not process personal data collected by the advertising partners. Advertising partners are the following:
A current version of this Policy is available to all subjects concerned on the Website at the following link: https://turborocketgames.com
The Company may revise this Policy from time to time. If the Company makes material changes to this Policy, the Company will notify the Users by email or by posting a notice on the website prior to the effective date of the changes. By continuing to access to the Game or use the website after those changes become effective, the Users agree to the revised Policy.
This Policy is approved by the Manager on 25 May 2018.