Last updated 20 January 2020
ALL DATA SUBJECTS ARE REQUIRED TO READ THIS PRIVACY AND DATA PROTECTION POLICY TO UNDERSTAND HOW COMPANY COLLECTS, USES, PROCESSES AND STORES PERSONAL DATA WHILE CONDUCTING ITS ACTIVITIES AND WHAT SECURITY MEASURES ARE BEING APPLIED.
a. Purposes. This Privacy and Data Protection Policy regulates the relationships between TURBO ROCKET GAMES LLC (hereinafter referred to as “the Company”) and Users, employees, contractors, stakeholders etc. (hereinafter referred to as “the Users” or “the other Data Subjects”) regarding the collection, use and processing of the Users` Personal Data.
b. Scope. This Privacy and Data Protection Policy of the Company is applied within all of the Company which are under the legal authority, under the supervision of or controlled by the Company.
c. Compliance. While conducting its activities, TUaRBO ROCKET GAMES LLC adheres all conditions and requirements stipulated by the current legislation of the USA, European legislation, including but not limited to, the GDPR as well as by other international legislative acts concerning data protection
“Automated decision-making” means an ability to make decisions by technological means without human involvement.
· outside the EU: person under the age of 13 years old;
· within the territory of the EU: person under the age of 16 years old.
“Company” means TURBO ROCKET GAMES LLC, the legal entity duly registered under the laws of the USA.
“Data controller” (“controller”) means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the using and processing of Personal Data.
“Data processor” (“processor”) means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the controller;
“Data Protection Authority” (hereinafter referred to as “the DPA”) means an independent public authority which is established by a Member State pursuant to the GDPR to monitor the compliance with the GDPR and other applicable laws in order to protect the fundamental rights and freedoms of Data Subjects regarding the collecting, using and processing of their Personal Data and to facilitate the free flow of Personal Data. For the purposes of this Policy, DPA means a German Data Protection Authority, namely Federal Commissioner for Data Protection and Freedom of Information.
“Data Subject” means any living individual who is the subject of Personal Data held by the Company, including Users and other independent contractors/employees and other stakeholders.
“Data Subject consent” means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data.
“Filing system” means any structured set of Personal Data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.
“Game” means the game produced by the Company, which is available for Services provided.
“Personal Data” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with natural person (also referred to as “individual”, “Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Personal Data breach” means a breach of security leading to the accidental, or unlawful, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed. There is an obligation on the controller to report personal data breaches to the supervisory authority where the breach is likely to adversely affect the personal data or privacy of the data subject.
“Processing” means any operation or set of operations which is performed with the Personal Data or with sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Profiling” means any form of automated processing of Personal Data intended to evaluate certain personal aspects relating to a natural person, or to analyze or predict performance of that person at work, economic situation, location, health, personal preferences, reliability, or behavior. This definition is linked to the right of the data subject to object to profiling and a right to be informed about the existence of profiling, of measures based on profiling and the envisaged effects of profiling on the individual.
“Services” means services provided by the Company that include:
· creation of account which makes possible to associate the User’s game progress with him/her and save it on Company’s servers;
· providing support with authorization, account managing, account security, Game client software errors, in-game problems, in-game purchases, bans (technical and player assistance).
“Special categories of personal data” (hereinafter referred to as “the sensitive data”) means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
“Third party” means a natural or legal person, public authority, agency or body other than the Data Subject, controller, processor and persons who are authorized to process Personal Data under the direct authority of the controller or processor.
“User” means the Data Subject, who has downloaded and/or played the Games.
a. Consent. The Company may receive Personal Data from the Users or from its contractors in order to deliver its contractual obligations. If Company receives Uses` Personal Data from the Users it obtains the Users’ permission and consent. If Company receives Users` Personal Data from contractors or other third parties they have to obtains the Users` consent to transfer such Personal Data to the Company for the purposes of futher processing.
b. This Policy describes the main steps the Company makes to be in compliance with the GDPR, herewith, other conditions of compliance along with connected processes and procedures, may be described by other relevant documents, which the Data Subjects and any other stakeholders may find at the appropriate reference links stated herein.
c. Applications. The Users have a right to apply to the Company or to the appropriate Data Protection Authority as to his/her Personal Data breach if he/she becomes aware of it earlier than the Company.
d. Selling or Disclosing of Personal Data. Company warrants that it neither sells nor discloses for business purposes the Personal Data of its Users, including persons who are less than 16 years of age, to any legal persons, individuals or third parties and complies with other requirements of the applicable laws in this regard.
The General Data Protection Regulation 2016 (hereinafter referred to as “the GDPR”) replaces the EU Data Protection Directive of 1995 and supersedes the laws of individual Member States that were developed in compliance with the Data Protection Directive 95/46/EC. Its main purpose is to protect the “rights and freedoms” of natural persons (i.e. living individuals) and to ensure that personal data are not processed without their knowledge, and, wherever possible, that it is processed with their consent.
General Data Protection Regulation (hereinafter “the GDPR”) applies to the citizens of the EU or EU Member States and other natural persons (whatever they nationality or place of residence), in relation to the processing of their personal data if they are located within the territory of the EU.
In collecting and using of personal data, the Company is subject to a variety of legislation controlling how such activities may be carried out and the safeguards that must be put in place to protect them.
The purpose of this Policy is to set out the relevant legislation and to describe the steps the Company is taking to ensure that it complies with it.
This Policy applies to all Company’s employees, independent contractors, stakeholders and all other subjects that directly or indirectly participate in the personal data processing, including data subjects who have downloaded and/or play Games produced by the Company.
Company undertakes the following actions in order to ensure the compliance with the accountability principle of the applicable laws:
a. The legal basis for processing Personal Data is clear and unambiguous;
b. All staff involved in handling Personal Data understand their responsibilities for following good data protection practice;
c. Training in regard of data protection has been provided to all the staff;
d. Rules regarding consent are followed;
e. Necessary means are available to the Data Subjects wishing to exercise their rights regarding Personal Data, and such enquiries are handled effectively;
f. Regular reviews of procedures involving Personal Data are carried out;
g. Privacy by design is adopted for all new or changed systems and processes;
h. These actions are being reviewed on a regular basis as part of the management process concerned with data protection.
i. The Company has developed all internal documents to define roles concerning the Personal Data processing within the Company among the staff.
a. Lawfulness, Fairness and Transparency. Personal Data is processed on a lawful basis of consent, with all the information regarding the processing of Personal Data available to the Data Subjects and on a basis of accessible, easy-understandable, clear and plain-language communication with Data Subject relating to the processing of the Personal Data.
b. Purpose Limitation. Personal Data is collected strictly for purposes specified via this Policy and is not further processed in a manner that is incompatible with them, except as for the purposes of public interest, statistical scientific or historical research.
c. Data Minimization. Personal Data is collected strictly within the amounts necessary for the purposes for which they are processed.
d. Accuracy. Personal Data is accurate and kept up to date. Company ensures that inaccurate Personal Data are erased or rectified without delay.
e. Integrity and Confidentiality. Personal Data is processed by the Company in a manner that ensures appropriate level of security of the Personal Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
a. Purposes of Company. Personal Data of the Users are collected by the Company for such purposes as:
1. creation of account which makes possible to associate User’s game progress with him/her and save it on Turbo Rocket Games LLC’s servers;
2. providing support with authorization, account managing, account security, Game client software errors, in-game problems, in-game purchases, bans (technical and player assistance) to the User.
b. Purposes of Contractors. Company’s advertising contractors may process Users` Personal Data for such purposes as:
1. displaying advertising materials provided to target market (personalized advertising) within Games;
2. for any other purposes that the advertising contractors establish themselves.
1. Company does not collect, use or process Personal Data for any other purposes except as specified herein.
2. Personal Data of the Users within the EU are not collected by the Company or its advertising contractors for the purposes of marketing and advertising. Advertisements provided are context-specific and do not require Personal Data.
3. Company does not participate in determining of purposes of processing in conjunction with an advertising partner, and thus shall not be liable for the processing of such Personal Data conducted by the Company’s advertising partners.
a. Collected Data. While conducting its activities, the Company collects, uses and processes the following Personal Data of the Users:
1. e-mail address;
2. unique nickname;
3. IP address;
4. state of location;
5. age information.
b. IP Addresses. The Company uses the User’s IP address to define his/her country while User creates an account, and offers him/her the filled-in field. The Company does not process neither store the User’s IP address after account registration.
c. Age and State of Location. Personal Data concerning the User’s age and state of location are stored on his/her mobile device. The Company may have access to these User’s Personal Data only provided that the User have created an account and given the consent to processing of his/her Personal Data.
d. Role of Company. While collecting and processing the Personal Data of Users, the Company acts as the joint controller together with its advertising contractors, and the corresponding range of controller`s rights and responsibilities arises.
1. The Company does not collect and/or use and/or process any sensitive data.
2. The Company is not responsible for how the Advertising contractors process the Personal Data they collect from Users.
3. The Company does not use automated decision-making.
a. Moment of Collection. The Users’ Personal Data are collected by the Company while the appropriate User is registering in the Game. The Users’ Personal Data are collected by the Company’s advertising contractors while the appropriate User is launching the Game in the first time. Herewith, the Personal Data are being collected based on the Users’ consent providing of which is specified herein.
b. Consent Request Form. Company processes Personal Data of the basis of consent that must be obtained from the User in accordance with the GDPR, CCPA and others legislation acts requirements. Consent is to be provided by filling-in the Consent Request Form which Company provides the appropriate User with.
c. Privacy Notice. Company provides User with the Privacy Notice, which contains, including but not limited to, the precise information concerning the purposes of processing and the information on methods of processing as well as on the period for which such Personal Data are to be stored. Privacy Notice is to be provided to the Users within the Game before the appropriate consent/registering form is filled in.
d. Obtaining of Consent. The consent is considered to be provided to the Company after the User has placed the tick in front of the “I accept” button on the appropriate Consent Request Form provided by the Company through the Game for each separate purpose of processing of the Personal Data.
e. Essence of Consent. By giving the consent, User acknowledges and accepts all terms and conditions specified in the Privacy Notice and Consent Request Form as well as all the conditions specified in this Policy.
f. Obligation of Company. Company shall be able to demonstrate that consent was obtained in accordance with the provisions of the applicable laws for each processing operation if it is required by the supervisory authority.
a. Applicable Laws. As regards the matters of the Users` age, Company adheres provisions of GDPR and U.S. Children’s Online Privacy Protection Act (hereinafter referred to as “the COPPA”).
b. Permissible Processing. Company collects, uses and processes Personal Data obtained on the basis of consent from the Users who have reached:
1. outside the EU, the age of 13 years old;
2. within the territory of the EU, the age of 16 years old.
c. Personal Data of Children. Company does not process the Personal Data of сhildren, except as on a basis of parental or custodian consent. In such cases, controller shall make reasonable efforts to verify that consent is given or authorized by the holder of parental responsibility over the сhild.
d. Notification of Violation. The Company asks the Users to send a feedback by email to Company if the Users know that the Company processes Personal Data of a child. After receiving of such feedback the Company will delete such Personal Data immediately.
e. Disclaimer. Company will not be liable for any consequences if it becomes clear that the User has not reached the age of 16 at the moment of the consent is being provided.
f. Website Users’ Age.
1. The use of the Website shall be lawful if person is at least 13 years old.
g. GDPR requirements. The processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child. Herewith, the Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.
h. COPPA requirements. This Policy is in accordance with the, and outlines Company’s practices regarding children’s personal information. The Company does not collect, disclose or use any data defined as personal information from persons considered children under the COPPA. The personal data of Users
10. Advertisement Serving
a. General Information. Our Games may contain advertisements served by Advertising contractors defined in this document.
b. Contractor. Our Games may display advertisements served by SuperAwesome Trading Limited (“SuperAwesome”), a provider of kid-safe advertising services that are designed specifically for the compliance requirements of younger audiences, including those aged under 13. SuperAwesome places contextual advertising on our Games without collecting any personally identifiable information, including persistent identifiers.
c. COPPA Compliance. SuperAwesome is certified as COPPA-compliant by the kidSAFE Seal Program, an FTC-Approved COPPA Safe Harbor Program. Please visit www.kidsafeseal.com for more information.
d. GDPR Compliance. SuperAwesome also provides advertising services in compliance with the General Data Protection Regulation (EU 1996/679). Adopting an approach of “privacy by design and by default”, SuperAwesome utilises proprietary technologies so that it neither collects, stores nor shares your Personal Data to provision advertisements or target advertising to you.
e. Certification. SuperAwesome is a valid licensee, and participating member, of the Entertainment Software Rating Board’s Privacy Certified Program (“ESRB Privacy Certified”). To protect your privacy, SuperAwesome has voluntarily undertaken this privacy initiative, and its services have been reviewed and certified by ESRB Privacy Certified to meet established online information collection, use and disclosure practices. As a licensee of this privacy program, SuperAwesome’s services are subject to frequent audits and other enforcement and accountability mechanisms administered independently by ESRB Privacy Certified.
f. Contact Information. You may contact SuperAwesome directly at firstname.lastname@example.org, on + 44 203 668 6677, or by post: Privacy Team, SuperAwesome Trading Limited, 22 Long Acre, London WC2E 9LY, United Kingdom.
a. General Information. The User is entitled to withdraw the consent at any time he/she wishes.
b. Manual. To withdraw the consent User need to access into Settings, Privacy tab in the Game. Withdrawal of consent will delete the User’s account automatically.
c. Submission of the Request. User is entitled to send an appropriate appropriate request for withdrawing of the consent to the Company. The withdrawal of the consent is considered to be properly made after the Data Subject has sent such letter of withdrawal to the Company.
d. Procedure of Withdrawal. Company shall examine such request within 72 hours since a moment the respective form of withdrawal is received, and make the adequate decision.
The personal data of the User collected by the Company, are being processed in accordance with the principles stipulated by the GDPR. The Company takes all adequate measures to ensure the compliance with the GDPR while processing the Users’ personal data.
While processing the Users’ personal data, the automatic decision-making and profiling is not applied by the Company.
a. General Information. Taking into account the purposes of processing, the period of storage of Users’ Personal Data is 365 days since the date the Users’ accounts have been used for the last time (authorization, saving progress on the Company’s servers etc.).
b. Expiration of Period. After an expiration of the storage period, the Company is obliged to delete the Personal Data or ask the User to provide the Company with a new consent if the necessity of the processing of such Personal Data remains actual for the Company, or another purpose of processing appears.
c. Right of Company. Company is entitled to stop the storage of and delete the User’s Personal Data collected earlier at any time if such Personal Data are not needed anymore. Herewith, the Company is obliged to notify the User that his/her Personal Data deleted.
d. Exception. The Company may keep storing the Personal Data if a subsequent processing is stipulated by law and is deemed relevant for a purpose which is not compatible with the original purpose of processing stated in this Policy. Herewith, “processing for compatible purposes” means further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
a. List of Rights. This Policy provide all Data Subjects with opportunity to exercise any of the following rights:
1) right to access. The Data Subjects have a right to know whether their Personal Data are being processed and if so, access such data.
2) right to rectification. If the Personal Data are inaccurate, the respective Data Subject is entitled to ask the Company to correct them indeed.
3) right to erasure or right to be forgotten. The Data Subjects have a right to obtain from the Company the erasure of the Data Subjects’ Personal Data without undue delay and the Company has the obligation to erase such Personal Data without undue delay.
4) right to restriction of processing. The Data Subjects have a right to limit processing of their Personal Data with several exceptions under the scope of the applicable laws.
5) right to be informed. The Company obliged to inform Data Subjects what data is being collected, how it’s being used, how long it will be kept and whether it will be shared with any third parties. This information must be communicated concisely and in plain language.
6) right to data portability. The Data Subjects are permitted to obtain and reuse their Personal Data for their own purposes across different services. This right only applies to Personal Data that Data Subject has provided to the Company by way of the consent.
7) right to object. The Data Subjects can object to the processing of Personal Data that are being processed by the Company. The Company must stop processing Personal Data unless the Company can demonstrate compelling legitimate grounds for the processing that overrides the interests, rights and freedoms of the individual or if the processing is for the establishment or exercise of defense of legal claims.
8) right not to be subject to a decision based solely on automated processing. The Data Subjects have a right to object to any automated profiling which means any form of automated processing of Personal Data intended to evaluate certain personal aspects relating to a natural person, or to analyses or predict that person’s performance at work, economic situation, location, health, personal preferences, reliability, or behavior (hereinafter referred as “the Profiling”), that is occurring without consent. Herewith, the Data Subjects have a right to request their Personal Data are to be processed with the human involvement.
9) right not to be discriminated. Date Subject has a rights not to be discriminated by the Company because of exercising of any of their rights under this Policy.
10) right to authorize. Data Subject has a right to authorize another person solely to fill in the request on the Data Subject`s behalf, and Company shall comply with requests received from a person authorized by Data Subject.
b. Exercising of Rights. To exercise any of the rights mentioned above, the User should click on the corresponding menu and complete the appropriate form via the following link: https://turborocketgames.com/account.
c. Manual. Detailed terms on how to exercise these rights are stated in the respective procedures, that are accessible via the following link: https://turborocketgames.com/account.
d. Timescales. Timescales within which the Users may exercise the rights mentioned in this section are as follows:
The right to be informed
When the Personal Data are collected (if provided by Data Subject)
The right to access
The right to rectification
The right to erasure
Without undue delay
The right to restrict processing
Without undue delay
The right to data portability
The right to object
On receipt of objection
Rights related to automated decision making and profiling.
Right not to be discriminated
During the whole period of processing
Right to authorize
During the whole period of processing
a. General Information. Company hereby assures and warrants that it does not involve any discrimination of Users because of the Users` exercising of any of their rights, including, but not limited to, by:
1. Denying goods or services to Users;
2. Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties, except as provided under this Policy;
3. Providing a different level or quality of goods or services to Users;
4. Suggesting that Users will receive a different price or rate for goods or services or a different level or quality of goods or services, except as provided under this Policy.
b. Exception. Notwithstanding the clause 14 (a), after a prior notification, Company may offer a different price, rate, level, or quality of goods or services to Users if that price or difference is directly related to the value provided to the Users by the Users` data.
c. Disclaimer. Company`s denial of Users` for reasons permitted by the applicable laws shall not be considered discriminatory.
a. General Information. The Company is responsible for ensuring that any Personal Data that Company holds and the Company is responsible for, is kept securely and is not under any conditions disclosed to any third party unless that third party has been specifically authorized by Company to receive that data and is under an appropriate obligation of confidentiality.
b. Security Requirements. The Users’ Personal Data shall be treated with the highest security and must be kept:
1. (if required) in a lockable room with controlled access; and/or
2. (if required) in a locked drawer or filing cabinet; and/or
3. if computerized, password protected in line with corporate requirements in the Access Control Policy, and/or
4. stored on (removable) computer media which are encrypted.
c. Right to Clarify. The User is entitled to request the Company to clarify what security measures are applied while processing User’s Personal Data.
d. GDPR requirements. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
a. Types of Breaches. There are three different types of breaches:
1. “Confidentiality breach” means an unauthorized or accidental disclosure of, or access to Personal Data.
2. “Integrity breach” means an unauthorized or accidental alteration of Personal Data.
3. “Availability breach” means an accidental or unauthorized loss of access to, or destruction of Personal Data.
b. General Information. The Company takes all reasonable steps to minimize the risk of the Personal Data breach while processing the Personal Data.
c. Notification Procedure.
1. In a case of a Personal Data breach, the Company shall without undue delay and where feasible, not later than 72 hours after having become aware of it, notify the Personal Data breach to the Supervisory Authority competent in accordance with Article 55 GDPR, unless the Personal Data breach is unlikely to result in a risk to the rights and freedoms of Users.
2. The risk assessment the Company has to carry out, will determine whether the risk to the rights and freedoms of the Users affected is considered to be sufficiently high to require the notification of the Users.
3. Likewise, in the case of a Personal Data breach, which is likely to result in a high risk to the rights and freedoms of the Users, the Company shall without undue delay notify the appropriate User whose Personal Data breach were breached. However, if any subsequent measures have been taken to mitigate the high risk to the Users, so that it is no longer likely to happen, then communication to the User is not required.
d. Documentation. The Company documents all Personal Data breaches, comprising the facts relating to the Personal Data breach, its effects and the remedial action taken. That documentation shall enable the Supervisory Authority to verify compliance with the applicable laws.
a. General Information. The Company may transfer the Users’ Personal Data to its business and advertising contractors specified herein and which are registered within the European Union and the USA. The Company transfers the Personal Data with respect to the provisions of the applicable laws and on the basis of the adequacy decision if needed.
b. Transfer to Third Countries. The Users’ Personal Data are transferred to the third countries on the basis of an adequacy decision as it is stipulated by the applicable laws and regulations. During the transfer of the Personal Data to the third countries the Company provides appropriate safeguards, and only on condition that the Users’ rights and effective legal remedies for the Users are enforceable and available in such third countries.
c. Purposes of Transfer. The Company may transfer the Users’ Personal Data to third parties which are the Company’s business contractors only for the purposes of Personal Data processing such as technical and player assistance.
d. Advertising Contractors. Advertising contractors are the following:
1. Fyber (The Fyber Group, USA);
2. Chartboost (Chartboost Inc., USA);
3. Unity (Unity Technologies, Inc., USA);
4. AdMob (AdMob, Inc, USA);
5. Vungle ( Vungle, Inc., USA);
6. TapJoy (Tapjoy, Inc., USA);
7. Amazon Ads (Amazon Services LLC, USA);
8. KIDOZ (KIDO’Z Ltd, Israel);
9. SuperAwesome (SuperAwesome Limited, United Kingdom);
10. IronSource (ironSource Ltd, Israel).
a. Current Version of Policy. A current version of this Policy is available to all subjects concerned on the Website at the following link: https://turborocketgames.com
b. Company Information. TURBO ROCKET GAMES LLC is registered at the following address: 1013 Centre Road, Suite 403-B United States, Wilmington, Delaware, 19805 is committed to compliance with all relevant EU and the USA laws in respect of Personal Data and protection of the “rights and freedoms” of individuals while collecting, using and processing the Personal Data in accordance with the applicable laws.
c. Updating of Policy. Company updates this Policy at least once in 12 months. If the Company makes material changes to this Policy, the Company will notify the Users by email or by posting a notice on the website prior to the effective date of the changes. By continuing to access to the Game or use the website after those changes become effective, the Users agree to the revised Policy.