PRIVACY AND DATA PROTECTION POLICY

PRIVACY AND DATA PROTECTION POLICY

Last updated 31 August 2020

ALL DATA SUBJECTS ARE REQUIRED TO READ THIS PRIVACY AND DATA PROTECTION POLICY TO UNDERSTAND HOW COMPANY COLLECTS, USES, PROCESSES AND STORES PERSONAL DATA WHILE CONDUCTING ITS ACTIVITIES AND WHAT SECURITY MEASURES ARE BEING APPLIED.

1. Purposes and Scope of Policy.

a. Purposes. This Privacy and Data Protection Policy regulates the relationships between TURBO ROCKET GAMES LLC (hereinafter referred to as “the Company”) and Users, employees, contractors, stakeholders etc. (hereinafter referred to as “the Users” or “the other Data Subjects”) regarding the collection, use and processing of the Users` Personal Data.

b. Scope. This Privacy and Data Protection Policy of the Company is applied within all affiliates of the Company which are under the legal authority, under the supervision of or controlled by the Company.

c. Compliance. While conducting its activities, TURBO ROCKET GAMES LLC adheres all conditions and requirements stipulated by the current legislation of the USA, European legislation, including but not limited to, the GDPR as well as by other international acts concerning data protection.

2. Definitions.

“Automated decision-making” means an ability to make decisions by technological means without human involvement.

“Child” means:

· outside the EU: person under the age of 13 years old;

· within the territory of the EU: person under the age of 16 years old.

“Data controller” (“controller”) means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the using and processing of Personal Data.

“Data processor” (“processor”) means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the controller;

“Data Protection Authority” (hereinafter referred to as “the DPA”) means an independent public authority which is established by a State and is responsible to monitor the compliance with the applicable laws in order to protect the fundamental rights and freedoms of Data Subjects regarding the collecting, using and processing of their Personal Data and to facilitate the free flow of Personal Data. For the purposes of this Policy, DPA means a German Data Protection Authority, namely Federal Commissioner for Data Protection and Freedom of Information.

“Data Subject” means any living individual who is the subject of Personal Data held by the Company, including Users and other independent contractors/employees and other stakeholders.

“Data Subject consent” means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data.

“Filing system” means any structured set of Personal Data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.

“Game” means the game produced by the Company, which is available for Services provided.

“Personal Data” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with natural person (also referred to as “individual”, “Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal data includes data of identified natural person used to formulate behavioral profiles of this particular person.

“Personal Data breach” means a breach of security leading to the accidental, or unlawful, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

“Processing” means any operation or set of operations which is performed with the Personal Data or with sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Profiling” means any form of automated processing of Personal Data intended to evaluate certain personal aspects relating to a natural person, or to analyze or predict performance of that person at work, economic situation, location, health, personal preferences, reliability, or behavior.

“Services” means services provided by the Company that include:

· creation of account which makes possible to associate the User’s game progress with him/her and save it on Company’s servers;

· providing support with authorization, account managing, account security, Game client software errors, in-game problems, in-game purchases, bans (technical and player assistance).

“Special categories of personal data” (hereinafter referred to as “the sensitive data”) means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

“Third party” means a natural or legal person, public authority, agency or body other than the Data Subject, controller, processor and persons who are authorized to process Personal Data under the direct authority of the controller or processor.

“User” means the Data Subject, who has downloaded and/or played the Games.

3. General Provisions.

a. Consent. The Company may receive Personal Data from the Users or from its contractors in order to deliver its contractual obligations. If Company receives Uses` Personal Data from the Users it obtains the Users’ permission and consent. If Company receives Users` Personal Data from contractors or other third parties they have to obtain the Users` consent to transfer such Personal Data to the Company for the purposes of further processing.

b. Personal Data Inclusions. Personal Data includes data of identified natural person used to formulate behavioral profiles of this particular person. Personal Data includes anonymized data if the process of anonymization to which such data were submitted has been reversed, using exclusively its own means, or if such data can be reversed applying reasonable efforts. For the purposes of this clause, determination of what the reasonable efforts are shall take objective factors into account, such as cost and time necessary to reverse the process of anonymization, depending on the available technology, and the exclusive use of its own means.

c. Applications. The Users have a right to apply to the Company or to the appropriate Data Protection Authority as to his/her Personal Data breach if he/she becomes aware of it earlier than the Company.

d. Selling or Disclosing of Personal Data. Company warrants that it neither sells nor discloses for business purposes the Personal Data of its Users, including persons who are less than 16 years of age, to any legal persons, individuals or third parties and complies with other requirements of the applicable laws in this regard.

4. Compliance.

Company undertakes the following actions in order to ensure the compliance with the accountability principle of the applicable laws:

a. The legal basis for processing Personal Data is clear and unambiguous;

b. All staff involved in handling Personal Data understand their responsibilities for following good data protection practice;

c. Training in regard of data protection has been provided to all the staff;

d. Rules regarding consent are followed;

e. Necessary means are available to the Data Subjects wishing to exercise their rights regarding Personal Data, and such enquiries are handled effectively;

f. Regular reviews of procedures involving Personal Data are carried out;

g. Privacy by design is adopted for all new or changed systems and processes;

h. These actions are being reviewed on a regular basis as part of the management process concerned with data protection.

i. The Company has developed all internal documents to define roles concerning the Personal Data processing within the Company among the staff.

5. Principles of Processing.

a. Lawfulness, Fairness and Transparency. Personal Data is processed on a lawful basis of consent, with all the information regarding the processing of Personal Data available to the Data Subjects and on a basis of accessible, easy-understandable, clear and plain-language communication with Data Subject relating to the processing of the Personal Data.

b. Purpose Limitation. Personal Data is collected strictly for purposes specified via this Policy and is not further processed in a manner that is incompatible with them, except as for the purposes of public interest, statistical scientific or historical research.

c. Data Minimization. Personal Data is collected strictly within the amounts necessary for the purposes for which they are processed.

d. Accuracy. Personal Data is accurate and kept up to date. Company ensures that inaccurate Personal Data are erased or rectified without delay.

e. Integrity and Confidentiality. Personal Data is processed by the Company in a manner that ensures appropriate level of security of the Personal Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

6. Purposes of Processing.

a. Purposes of Company. Personal Data of the Users are collected by the Company for such purposes as:

1. creation of account which makes possible to associate User’s game progress with him/her and save it on Turbo Rocket Games LLC’s servers;

2. providing support with authorization, account managing, account security, Game client software errors, in-game problems, in-game purchases, bans (technical and player assistance) to the User.

b. Purposes of Contractors. Company’s advertising contractors may process Users` Personal Data for such purposes as:

1. displaying advertising materials provided to target market (personalized advertising) within Games;

2. for any other purposes that the advertising contractors establish themselves.

c. Disclaimer.

1. Company does not collect, use or process Personal Data for any other purposes except as specified herein.

2. Personal Data of the Users within the EU are not collected by the Company or its advertising contractors for the purposes of marketing and advertising. Advertisements provided are context-specific and do not require Personal Data.

3. Company is not liable for the processing of Personal Data conducted by the Company’s advertising contractors.

7. Personal Data.

a. Collected Data. While conducting its activities, the Company collects, uses and processes the following Personal Data of the Users:

1. e-mail address;

2. unique nickname;

3. IP address;

4. state of location;

5. age information.

b. IP Addresses. The Company uses the User’s IP address to define his/her country while User creates an account, and offers him/her the filled-in field. The Company does not process neither store the User’s IP address after account registration.

c. Age and State of Location. Personal Data concerning the User’s age and state of location are stored on his/her mobile device. The Company may have access to these User’s Personal Data only provided that the User have created an account and given the consent to processing of his/her Personal Data.

d. Role of Company. While collecting and processing the Personal Data of Users, the Company acts as the joint controller together with its advertising contractors, and the corresponding range of controller`s rights and responsibilities arises.

e. Disclaimer.

1. The Company does not collect and/or use and/or process any sensitive data.

2. The Company is not responsible for how the Advertising contractors process the Personal Data they collect from Users.

3. The Company does not use automated decision-making.

8. Lawfulness of Processing.

a. Moment of Collection. The Users’ Personal Data are collected by the Company while the appropriate User is registering in the Game. The Users’ Personal Data are collected by the Company’s advertising contractors while the appropriate User is launching the Game in the first time. Herewith, the Personal Data are being collected based on the Users’ consent providing of which is specified herein.

b. Consent Request Form. Company processes Personal Data of the basis of consent that must be obtained from the User. Consent is to be provided by filling-in the Consent Request Form which Company provides the appropriate User with.

c. Privacy Notice. Company provides User with the Privacy Notice, which contains, including but not limited to, the precise information concerning the purposes of processing and the information on methods of processing as well as on the period for which such Personal Data are to be stored. Privacy Notice is to be provided to the Users within the Game before the appropriate consent/registering form is filled in.

d. Obtaining of Consent. The consent is considered to be provided to the Company after the User has placed the tick in front of the “I accept” button on the appropriate Consent Request Form provided by the Company through the Game for each separate purpose of processing of the Personal Data.

e. Essence of Consent. By giving the consent, User acknowledges and accepts all terms and conditions specified in the Privacy Notice and Consent Request Form as well as all the conditions specified in this Policy.

f. Obligation of Company. Company shall be able to demonstrate that consent was obtained in accordance with the provisions of the applicable laws for each processing operation if it is required by the supervisory authority.

9. Users` Age.

a. Applicable Laws. As regards the matters of the Users` age, Company adheres provisions of GDPR and U.S. Children’s Online Privacy Protection Act (hereinafter referred to as “the COPPA”).

b. Permissible Processing. Company collects, uses and processes Personal Data obtained on the basis of consent from the Users who have reached:

1. outside the EU, the age of 13 years old;

2. within the territory of the EU, the age of 16 years old.

c. Personal Data of Children. Company does not process the Personal Data of сhildren, except as on a basis of parental or custodian consent. In such cases, controller shall make reasonable efforts to verify that consent is given or authorized by the holder of parental responsibility over the сhild.

d. Notification of Violation. The Company asks the Users to send a feedback by email to Company if the Users know that the Company processes Personal Data of a child. After receiving of such feedback the Company will delete such Personal Data immediately.

e. Disclaimer. Company will not be liable for any consequences if it becomes clear that the User has not reached the age of 16 at the moment of the consent is being provided.

f. Limitations. Company does not condition the participation of Data Subjects who are the children to games, internet applications or other activities in exchange for provision of personal data except if it is strictly necessary for the activities which Company conducts.

g. Website Users’ Age.

1. The use of the Website shall be lawful if person is at least 13 years old.

2. Any use of the Website by a person under 13 years is unlawful and constitutes a violation of this Terms of Use and Privacy and Data Protection Policy.

10. Advertisement Serving.

a. General Information. Our Games may contain advertisements served by Advertising contractors defined in this document.

b. Contractor. Our Games may display advertisements served by SuperAwesome Trading Limited (“SuperAwesome”), Unity Technologies (“Unity”) and KIDOZ Limited (“KIDOZ”) which are the providers of kid-safe advertising services that are designed specifically for the compliance requirements of younger audiences, including those aged under 13. SuperAwesome, Unity and KIDOZ place contextual advertising on our Games without collecting any personally identifiable information, including persistent identifiers.

c. COPPA Compliance. SuperAwesome and KIDOZ are certified as COPPA-compliant by the kidSAFE Seal Program, an FTC-Approved COPPA Safe Harbor Program. Please visit www.kidsafeseal.com for more information. Unity is complied with COPPA requirements for operators of applications directed to children under 13 y.o. Please visit docs.unity3d.com/Manual/UnityAnalyticsCOPPA.html for more information.

d. GDPR Compliance. SuperAwesome, Unity and KIDOZ also provide advertising services in compliance with the General Data Protection Regulation (EU 1996/679). Adopting an approach of “privacy by design and by default”, SuperAwesome, Unity and KIDOZ utilise proprietary technologies so that it neither collects, stores nor shares your Personal Data to provision advertisements or target advertising to you.

e. CCPA Compliance. SuperAwesome, Unity and KIDOZ also provide advertising services in compliance with the California Consumer Privacy Act. SuperAwesome, Unity and KIDOZ ensure the fulfillment of the consumers’ rights to opt out of the sale of your personal information, request the deletion of certain personal information, and/or request a disclosure of personal information from the company.

f. Certification. SuperAwesome is a valid licensee, and participating member, of the Entertainment Software Rating Board’s Privacy Certified Program (“ESRB Privacy Certified”). To protect your privacy, SuperAwesome has voluntarily undertaken this privacy initiative, and its services have been reviewed and certified by ESRB Privacy Certified to meet established online information collection, use and disclosure practices. As a licensee of this privacy program, SuperAwesome’s services are subject to frequent audits and other enforcement and accountability mechanisms administered independently by ESRB Privacy Certified.

g. Contact Information. You may contact SuperAwesome directly at privacy@superawesome.tv, on + 44 203 668 6677, or by post: Privacy Team, SuperAwesome Trading Limited, 22 Long Acre, London WC2E 9LY, United Kingdom. You may contact Unity directly at DPO@unity3d.com, on +14155393162 or by post: Privacy Terms, Unity Technologies, 30 Third Street San Francisco, CA 94103 USA. You may contact KIDOZ directly at support@kidoz.net, on online contact form available at kidoz.net/contact-2/ or by post: Privacy Terms, №16, 6-9 Bridgewater Square, London, EC2Y8AG, UK.

11. Withdrawal of Consent.

a. General Information. The User is entitled to withdraw the consent at any time he/she wishes.

b. Manual. To withdraw the consent User need to access into Settings, Privacy tab in the Game. Withdrawal of consent will delete the User’s account automatically.

c. Submission of the Request. User is entitled to send an appropriate appropriate request for withdrawing of the consent to the Company. The withdrawal of the consent is considered to be properly made after the Data Subject has sent such letter of withdrawal to the Company.

d. Procedure of Withdrawal. Company shall examine such request within 72 hours since a moment the respective form of withdrawal is received, and make the adequate decision.

12. Storage Period.

a. General Information. Taking into account the purposes of processing, the period of storage of Users’ Personal Data is 365 days since the date the Users’ accounts have been used for the last time (authorization, saving progress on the Company’s servers etc.).

b. Expiration of Period. After an expiration of the storage period, the Company is obliged to delete the Personal Data or ask the User to provide the Company with a new consent if the necessity of the processing of such Personal Data remains actual for the Company, or another purpose of processing appears.

c. Right of Company. Company is entitled to stop the storage of and delete the User’s Personal Data collected earlier at any time if such Personal Data are not needed anymore. Herewith, the Company is obliged to notify the User that his/her Personal Data deleted.

d. Exception. The Company may keep storing the Personal Data if a subsequent processing is stipulated by law and is deemed relevant for a purpose which is not compatible with the original purpose of processing stated in this Policy. Herewith, “processing for compatible purposes” means further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

13. Data Subjects’ Rights.

a. List of Rights. This Policy provide all Data Subjects with opportunity to exercise any of the following rights:

1. right to access. The Data Subjects have a right to know whether their Personal Data are being processed and if so, access such data.

2. right to rectification. If the Personal Data are inaccurate, the respective Data Subject is entitled to ask the Company to correct them indeed.

3. right to erasure or right to be forgotten. The Data Subjects have a right to obtain from the Company the erasure of the Data Subjects’ Personal Data without undue delay and the Company has the obligation to erase such Personal Data without undue delay.

4. right to restriction of processing. The Data Subjects have a right to limit processing of their Personal Data with several exceptions under the scope of the applicable laws.

5. right to be informed. The Company obliged to inform Data Subjects what data is being collected, how it’s being used, how long it will be kept and whether it will be shared with any third parties. This information must be communicated concisely and in plain language.

6. right to data portability. The Data Subjects are permitted to obtain and reuse their Personal Data for their own purposes across different services. This right only applies to Personal Data that Data Subject has provided to the Company by way of the consent.

7. right to object. The Data Subjects can object to the processing of Personal Data that are being processed by the Company. The Company must stop processing Personal Data unless the Company can demonstrate compelling legitimate grounds for the processing that overrides the interests, rights and freedoms of the individual or if the processing is for the establishment or exercise of defense of legal claims.

8. right not to be subject to a decision based solely on automated processing. The Data Subjects have a right to object to any automated profiling which means any form of automated processing of Personal Data intended to evaluate certain personal aspects relating to a natural person, or to analyses or predict that person’s performance at work, economic situation, location, health, personal preferences, reliability, or behavior (hereinafter referred as “the Profiling”), that is occurring without consent. Herewith, the Data Subjects have a right to request their Personal Data are to be processed with the human involvement.

9. right not to be discriminated. Date Subject has a rights not to be discriminated by the Company because of exercising of any of their rights under this Policy.

10. right to authorize. Data Subject has a right to authorize another person solely to fill in the request on the Data Subject`s behalf, and Company shall comply with requests received from a person authorized by Data Subject.

b. Exercising of Rights. To exercise any of the rights mentioned above, the User should click on the corresponding menu and complete the appropriate form via the following link: https://turborocketgames.com/account.

c. Manual. Detailed terms on how to exercise these rights are stated in the respective procedures, that are accessible via the following link: https://turborocketgames.com/account.

d. Timescales. Timescales within which the Users may exercise the rights mentioned in this section are as follows:

The right to be informed

When the Personal Data are collected (if provided by Data Subject)

The right to access

One month

The right to rectification

One month

The right to erasure

Without undue delay

The right to restrict processing

Without undue delay

The right to data portability

One month

The right to object

On receipt of objection

Rights related to automated decision making and profiling.

Not specified

Right not to be discriminated

During the whole period of processing

Right to authorize

During the whole period of processing

14. Non-Discrimination.

a. General Information. Company hereby assures and warrants that it does not involve any discrimination of Users because of the Users` exercising of any of their rights, including, but not limited to, by:

1. Denying goods or services to Users;

2. Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties, except as provided under this Policy;

3. Providing a different level or quality of goods or services to Users;

4. Suggesting that Users will receive a different price or rate for goods or services or a different level or quality of goods or services, except as provided under this Policy.

b. Exception. Notwithstanding the clause 14 (a), after a prior notification, Company may offer a different price, rate, level, or quality of goods or services to Users if that price or difference is directly related to the value provided to the Users by the Users` data.

c. Disclaimer. Company`s denial of Users` for reasons permitted by the applicable laws shall not be considered discriminatory.

15. Personal Data Security.

a. General Information. The Company is responsible for ensuring that any Personal Data that Company holds and the Company is responsible for, is kept securely and is not under any conditions disclosed to any third party unless that third party has been specifically authorized by Company to receive that data and is under an appropriate obligation of confidentiality.

b. Security Requirements. The Users’ Personal Data shall be treated with the highest security and must be kept:

1. (if required) in a lockable room with controlled access; and/or

2. (if required) in a locked drawer or filing cabinet; and/or

3. if computerized, password protected in line with corporate requirements in the Access Control Policy, and/or

4. stored on (removable) computer media which are encrypted.

c. Right to Clarify. The User is entitled to request the Company to clarify what security measures are applied while processing User’s Personal Data.

16. Data Breach Notification.

a. Types of Breaches. There are three different types of breaches:

1. “Confidentiality breach” means an unauthorized or accidental disclosure of, or access to Personal Data.

2. “Integrity breach” means an unauthorized or accidental alteration of Personal Data.

3. “Availability breach” means an accidental or unauthorized loss of access to, or destruction of Personal Data.

b. General Information. The Company takes all reasonable steps to minimize the risk of the Personal Data breach while processing the Personal Data.

c. Notification Procedure.

1. In a case of a Personal Data breach, the Company shall without undue delay and where feasible, not later than 72 hours after having become aware of it, notify the Personal Data breach to the Supervisory Authority, unless the Personal Data breach is unlikely to result in a risk to the rights and freedoms of Users.

2. The risk assessment the Company has to carry out, will determine whether the risk to the rights and freedoms of the Users affected is considered to be sufficiently high to require the notification of the Users.

3. Likewise, in the case of a Personal Data breach, which is likely to result in a high risk to the rights and freedoms of the Users, the Company shall without undue delay notify the appropriate User whose Personal Data breach were breached. However, if any subsequent measures have been taken to mitigate the high risk to the Users, so that it is no longer likely to happen, then communication to the User is not required.

d. Documentation. The Company documents all Personal Data breaches, comprising the facts relating to the Personal Data breach, its effects and the remedial action taken. That documentation shall enable the Supervisory Authority to verify compliance with the applicable laws.

17. Data Transfer.

a. General Information. The Company may transfer the Users’ Personal Data to its business and advertising contractors specified herein and which are registered within the European Union and the USA. The Company transfers the Personal Data with respect to the provisions of the applicable laws and on the basis of the adequacy decision if needed.

b. Transfer to Third Countries. The Company may transfer the personal data to third countries, including the onward transfers of the personal data from the third countries to another third countries. Transfers of the personal data to the third countries as specified hereinabove sometimes may be connected with the possible risks pursuant to the absence of an adequacy decision and appropriate safeguards under the GDPR in this regard. If the adequacy decision and/or appropriate safeguards regarding the transfer the personal data to a third countries are absent, Company transfers the personal data to third countries based on the consent provided by Data Subject.

c. Purposes of Transfer. The Company may transfer the Users’ Personal Data to third parties which are the Company’s business contractors only for the purposes of Personal Data processing such as technical and player assistance.

d. Advertising Contractors. Advertising contractors are the following:

1. Fyber (The Fyber Group, USA);

2. Chartboost (Chartboost Inc., USA);

3. Unity (Unity Technologies, Inc., USA);

4. AdMob (AdMob, Inc, USA);

5. Vungle ( Vungle, Inc., USA);

6. KIDOZ (KIDO’Z Ltd, Israel);

7. SuperAwesome (SuperAwesome Limited, United Kingdom);

18. Additional Conditions.

a. Current Version of Policy. A current version of this Policy is available to all subjects concerned on the Website at the following link: https://turborocketgames.com.

b. Company Information. TURBO ROCKET GAMES LLC is registered at the following address: 1013 Centre Road, Suite 403-B United States, Wilmington, Delaware, 19805 is committed to compliance with all relevant EU and the USA laws in respect of Personal Data and protection of the “rights and freedoms” of individuals while collecting, using and processing the Personal Data in accordance with the applicable laws.

c. Data Protection Personnel. Company appoints an officer to be in charge of personal data processing who can be contacted via email legal@turborocketgames [“dot”] com. Such officers responsibilities are to accept complaints and communications from Data Subjects and provide explanations and adopt respective measures, receive communications from the national authority and adopt respective measures, orient company’s employees and contractors regarding practices to be taken regard to personal data protection and carry out other duties as determined by the Company or set forth under the applicable laws. Company appoints Volodymyr Duchenchuk as an officer to be in charge of personal data processing.

d. Updating of Policy. Company updates this Policy at least once in 12 months. If the Company makes material changes to this Policy, the Company will notify the Users by email or by posting a notice on the website prior to the effective date of the changes. By continuing to access to the Game or use the website after those changes become effective, the Users agree to the revised Policy.