Privacy Policy – Game

Introduction

Welcome to “Lootist”!

We, CM-InnoTec UG (haftungsbeschränkt), attach great importance to the protection of your privacy and your personal data. The following privacy policy informs you about how we handle information that is collected during your use of our app “Lootist” and the associated services. This statement is an integral part of our Terms of Use and is intended to give you a clear understanding of what data we collect, how this data is used and what control options you have as a user.

Responsible body

The controller responsible for data processing in the “Lootist” mobile app is

CM-InnoTec UG (haftungsbeschränkt)
Bayreuther Str. 50
95496 Glashütten
Phone: +49 (0) 9279 / 977 97 60
E-Mail: privacy@loot.ist

Scope of data collection and purpose of processing

When using our mobile app “Lootist”, various personal data is collected and processed in order to offer you the best possible user experience and to provide our services.

User management via Microsoft PlayFab

User management in “Lootist” is carried out via the Microsoft PlayFab service. The following data is collected and processed:

• User name
• E-mail address
• Password (encrypted)
• IP address
• Device information (device type, operating system, unique device identification)

This data is used to create your user account, identify you in the app and enable you to access the app functions.

Further information about PlayFab can be found here: https://learn.microsoft.com/en-us/gaming/playfab/what-is-playfab

PlayFab privacy policy

PlayFab, a Microsoft service, has its own privacy policy that describes how the company collects, uses and protects personal data. You can find PlayFab’s privacy policy at https://playfab.com/privacy-terms/. We recommend that you read this statement carefully in order to gain a comprehensive understanding of PlayFab’s data processing practices.

Technical and organizational measures (TOM) of PlayFab

PlayFab uses various technical and organizational measures to ensure the security and protection of the processed data. These include, among others:

• Encryption of data during transmission and storage
• Access controls and authorization management
• Regular safety checks and audits
• Training employees in data protection and security
• Incident response plans for dealing with data protection incidents

Further information on PlayFab’s specific technical and organizational measures can be found in the PlayFab Terms of Service at https://playfab.com/terms/.

Legal basis for data processing

The processing of your personal data by PlayFab is based on the fulfillment of the contract pursuant to Art. 6 para. 1 lit. b GDPR, as the data processing is necessary for the provision of the PlayFab services and the use of our app.

Data transfer to third countries

PlayFab is a service provided by Microsoft, a company based in the United States. By using PlayFab, your data may be transferred to the USA and processed there. Microsoft ensures an adequate level of protection for personal data from the EU through appropriate safeguards, such as standard contractual clauses.

Your rights

As a data subject, you have the right to access, rectification, erasure, restriction of processing and data portability in relation to your personal data processed by PlayFab. To assert your rights, please contact PlayFab directly or us as the controller.

By using our app and the associated PlayFab services, you consent to the processing of your personal data by PlayFab to the extent described above.

Game logic via Microsoft Azure

The game logic of “Lootist” is processed via Microsoft Azure. The following data is processed:

• Game progress
• In-game purchases
• Interactions with other players
• Usage statistics (e.g. playing time, number of sessions)

This data is used to optimize the gaming experience, further develop the app and fix technical problems.

Purpose of data processing

Processing this data allows us to provide you with a seamless and personalized gaming experience. By analyzing game progress, in-game purchases and interactions with other players, we can adjust game mechanics, develop new content and ensure that the game remains fair and balanced. The usage statistics help us to monitor the performance of the app, identify potential technical issues and improve the stability and reliability of the game.

Legal basis for data processing

The processing of game logic data is based on our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR. Our legitimate interest is to offer you an optimal gaming experience, to continuously improve the app and to effectively resolve technical problems.

Storage duration

The game logic data processed via Azure is stored for as long as is necessary to fulfill the above-mentioned purposes. As soon as the data is no longer required, it is deleted or anonymized. Anonymized data that does not allow conclusions to be drawn about individual persons may be stored for longer for statistical purposes and to improve the game.

Security of data processing

Microsoft Azure offers comprehensive security measures to ensure the confidentiality, integrity and availability of the processed data. These include encryption, access controls, regular security audits and compliance with international security standards. We work closely with Microsoft to ensure that data processing in Azure meets the highest security requirements.

By using Microsoft Azure for the game logic of “Lootist”, we ensure that your data is processed securely and efficiently to provide you with the best possible gaming experience. We attach great importance to the protection of your privacy and always treat your personal data confidentially and in accordance with the applicable data protection laws.

Information on data collection / optimization of the gaming experience

In principle, the following data is collected in the game:

Categories of data	Description of the data	Legal basis for the survey	Purpose of data collection
Identity data (PlayerID, PlayFabID, display name)	Names or user names, titles, avatars	Necessary for the performance of a contract (Art. 6(1)(b))	The data is necessary so that CM-InnoTec can offer the experience expected by the customer.
Contact details (e-mail address)	All data stored for us to contact you as a user.	Consent (Art. 6(1)(a)), legitimate interest (Art. 6(1)(f))	If you provide your contact details, we will use them to restore your account if necessary and to contact you if it is in your interest, which we consider to be a legitimate interest.
Localization data (country, region, city)	Data on the user’s location.	Legitimate interest (Art. 6(1)(f))	We use localization data to monitor the load on our global servers and use this information to improve your experience by fixing issues such as latency or ping.
Time data (time of login, date of transaction, time of profile creation)	Data indicating the date/time of use of certain actions.	Necessary for the performance of a contract (Art. 6(1)(b))	CM-InnoTec collects lifetime usage data to ensure that we deliver the expected product and experience to our users.
Platform data (Apple Game Center, Google Play Games Services)	Data indicating the platform used to log in or, in certain cases, which social media platform is associated with a user account.	Necessary for the performance of a contract (Art. 6(1)(b))	At the moment, it is required that you connect either your Google Play Games Services account on Android or your Apple Game Center account on iOS. This is necessary to provide a seamless login experience without having to provide an email address or other social media account.
Technical data (IP address, language, operating system)	Data on technical information of the device used.	Legitimate interest (Art. 6(1)(f))	We use this data to optimize our services for specific devices. For example, if a particular phone model has ongoing problems, this data helps us to identify and fix the problem.

This data collection makes it possible to optimize the gaming experience, resolve technical problems and adapt the services to the needs of the users. Processing is carried out in accordance with the applicable data protection regulations and serves to ensure the best possible user experience.

Use of Unity Ads

In our app “Lootist” we use Unity Ads to show you personalized advertising. Unity Ads is a service provided by Unity Technologies ApS, which enables us to integrate advertisements into our app and thus offer a free gaming experience.

Type of data processed

When you see advertisements through Unity Ads, certain information about your interaction with the advertisement and your device is transmitted to Unity. This includes:

• Unique device identifiers (e.g. Advertising ID, IDFV)
• Information about your device (e.g. device type, operating system, IP address)
• Information about your interaction with the advertisement (e.g. number of views, clicks)
• Location data (if you have allowed the app to access your location)

Purpose of data processing

The data collected by Unity Ads is used to show you relevant and interesting advertising, to measure and improve the effectiveness of advertising campaigns and to prevent fraud and misuse.

Legal basis

The processing of your data by Unity Ads is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR, which you give by using our app and viewing the advertising. You can withdraw your consent at any time by deactivating the display of personalized advertising in the settings of your device.

Privacy policy of Unity Ads

For more information on how Unity Ads processes and protects your data, please refer to Unity Ads’ privacy policy, which you can view at https://unity3d.com/legal/privacy-policy.

Storage duration

The data collected by Unity Ads will be stored for as long as is necessary for the above-mentioned purposes or until you withdraw your consent.

Data transfer to third countries

Unity Ads is based in the USA. By using Unity Ads, your data may be transferred to the USA and processed there. However, Unity has submitted to the EU-US Privacy Shield to ensure an adequate level of protection for personal data from the EU.

Your rights

You have the right to obtain information about the data processed by Unity Ads and to correct, delete or restrict its processing. You also have the right to object to the processing and to withdraw your consent at any time.

By using our app and viewing any advertisements, you consent to the processing of your data by Unity Ads to the extent described above. We strive to provide you with an entertaining gaming experience while protecting your privacy.

Use of Kochava

We use Kochava, a service for analyzing and optimizing our marketing campaigns. This enables us to measure and optimize the effectiveness of our advertising measures, among other things.

Type of data processed

Kochava collects information about installations and interactions with our game, including but not limited to IP address, device identifiers, advertising IDs and game usage data.

Purpose of data processing

The data collected is used to analyze the success of our marketing campaigns, improve the user experience and optimize our marketing.

Legal basis

The processing of your data by Kochava is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR, which you give by using our app. You can withdraw your consent at any time by unsubscribing your devices from Kochava (see opt-out option).

Privacy policy of Kochava

For more information on how Kochava processes and protects your data, please refer to Kochava’s privacy policy, which you can view at https://www.kochava.com/legal/data-processing-policy/.

Storage duration

The data collected by Kochava will be stored for as long as is necessary for the above-mentioned purposes or until you withdraw your consent.

Disclosure to third parties

Kochava may share the collected data with its partners to support the analysis and optimization of our marketing campaigns.

Data transfer to third countries

Kochava is a service provided by a company based in the USA. By using these services, your data may be transferred to the USA and processed there. Kochava ensures an adequate level of protection for personal data from the EU through appropriate safeguards, such as standard contractual clauses.

Your rights

You have the right to obtain information about the data processed by Kochava and to correct, delete or restrict its processing. You also have the right to object to the processing and to withdraw your consent at any time.

By using our app, you consent to the processing of your data by Kochava to the extent described above.

Opt-out option

You can object to the collection and processing of your data by Kochava at any time by opting out at the following link: https://www.kochava.com/privacy/opt-out/

Please note that you must opt out on each device on which you use our app.

In-app purchases via App Store and Google Play Store

If you make in-app purchases of premium content in “Lootist”, the necessary data will be processed via the respective app store (Apple App Store or Google Play Store). The following data is processed:

• Purchase history
• Transaction ID
• Device information

This data is used to process your purchases, to grant you access to the purchased content and to carry out billing. Processing is carried out in accordance with the data protection provisions of the respective app store.

Legal basis for data processing

The processing of your data in connection with in-app purchases is based on the fulfillment of the purchase contract in accordance with Art. 6 para. 1 lit. b GDPR. The provision of this data is necessary to complete the purchase and to grant you access to the purchased content.

Forwarding of data to app stores

Please note that we have to transmit certain data to the respective app store (Apple App Store or Google Play Store) as part of the purchase process. This includes information about the purchase made, the transaction ID and device information. The processing of this data by the app stores is subject to their own privacy policies, which you can view in the respective privacy policies.

Storage duration

The data collected in connection with in-app purchases is stored for as long as is necessary to process the purchase, provide the purchased content and comply with statutory retention obligations. After the storage period has expired, the data is deleted or anonymized.

Your rights

As a data subject, you have the right to access, rectification, erasure, restriction of processing and data portability in relation to your personal data processed in the context of in-app purchases. To assert your rights, please contact us using the contact details provided.

Security of your data

We take appropriate technical and organizational measures to ensure the security of your data for in-app purchases. This includes using secure transmission protocols, encrypting sensitive data and regularly reviewing our security measures.

By using the in-app purchase option in “Lootist”, you consent to the processing of your data to the extent described above. We strive to provide you with a secure and transparent purchasing experience while protecting your privacy rights.

Legal basis for data processing

The processing of your personal data in “Lootist” takes place on the following legal bases:

Art. 6 para. 1 lit. a GDPR: Consent of the data subject

If you have given us your express consent to process your personal data for specific purposes, this consent serves as the legal basis for the corresponding data processing. You have the right to withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

Art. 6 para. 1 lit. b GDPR: Performance of a contract with the data subject

The processing of your personal data may be necessary to fulfill a contract to which you are a party or to carry out pre-contractual measures at your request. In this case, Art. 6 para. 1 lit. b GDPR serves as the legal basis for data processing.

Art. 6 para. 1 lit. c GDPR: Fulfillment of a legal obligation

In certain cases, we are legally obliged to process your personal data, for example due to retention obligations under tax or commercial law. In these cases, data processing is carried out on the basis of Art. 6 para. 1 lit. c GDPR.

Art. 6 para. 1 lit. f GDPR: Safeguarding the legitimate interests of the controller

In some cases, we process your personal data on the basis of our legitimate interests or the legitimate interests of third parties, unless your interests or fundamental rights and freedoms prevail. Examples of such legitimate interests include improving our app, troubleshooting, ensuring the security of our systems or preventing fraud. In these cases, we rely on Art. 6 para. 1 lit. f GDPR as the legal basis.

We ensure that we always have a valid legal basis when processing your personal data and that we comply with the principles of data processing in accordance with Art. 5 GDPR. These include, in particular, the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality.

If you have any questions about the legal basis for data processing in “Lootist” or would like further information, please contact us using the contact details provided. We will be happy to answer your concerns and ensure transparency regarding the processing of your personal data.

Data security and storage duration

We take appropriate technical and organizational measures to protect your data from loss, misuse or unauthorized access. These include, among other things:

• Use of encryption technologies such as SSL/TLS for the secure transmission of your data
• Access controls and restriction of access to your data to authorized personnel
• Regular security checks and tests of our systems to identify and eliminate potential vulnerabilities
• Training our employees in data protection and information security
• Use of firewalls and anti-virus software to protect against external threats
• Careful selection and review of our hosters and contractual partners with regard to data and information security protection
• Documented agreements with hosters and contractual partners that ensure the protection and confidentiality of your data
• Regulated and user-defined access authorization for hosters and contractual partners to the absolutely necessary data
• Regular review of the data protection and data security measures of our hosters and contractual partners
• Obligation of hosters and contractual partners to destroy data received after termination of the contractual relationship

We only store your personal data for as long as is necessary to fulfill the above-mentioned purposes, unless longer storage is required due to statutory retention obligations. The specific storage periods depend on the type of data and the purpose of its processing. After the respective storage period has expired, the data is routinely deleted or anonymized.

Please note that despite our best efforts, no security measure is perfect and we cannot guarantee the absolute security of your data. If you have reason to believe that your interaction with us is no longer secure, please inform us immediately using the contact details provided in the “Contact” section.

We reserve the right to change and adapt our security measures from time to time in order to keep pace with technological developments and the changing threat landscape. However, we will always inform you of any significant changes to our security practices.

Your rights

As a data subject, you have the following rights in relation to the processing of your personal data:

– Right to information (Art. 15 GDPR): You have the right to request confirmation from us as to whether we are processing personal data concerning you. If this is the case, you have a right to information about this personal data.

– Right to rectification (Art. 16 GDPR): You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data.

– Right to erasure (Art. 17 GDPR): You have the right to obtain from us the erasure of personal data concerning you without undue delay where one of the grounds provided for by law applies and insofar as the processing or storage is not necessary.

– Right to restriction of processing (Art. 18 GDPR): You have the right to demand that we restrict processing if one of the legal requirements is met.

– Right to data portability (Art. 20 GDPR): You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you have the right to transmit those data to another controller without hindrance from us, where the processing is based on consent or on a contract and the processing is carried out by automated means.

– Right to object (Art. 21 GDPR): You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is necessary for the purposes of the legitimate interests pursued by us or for the performance of a task carried out in the public interest. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.

– Right to lodge a complaint with a supervisory authority (Art. 77 GDPR): Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

To assert your rights, please use the contact details above.

Changes to the privacy policy

We reserve the right to update this privacy policy if necessary. This may be necessary due to changes in our data processing practices, new legal requirements or improvements to our services. Our aim is to always provide transparent information about our data protection practices and to give you an up-to-date and accurate picture of how we process your data.

Notification of changes

If we make significant changes to our privacy policy, we will inform you by placing a clearly visible notice in our app and on our website. In the event of significant changes that affect your rights or introduce new processing of your data, we will also notify you directly, for example by email or via a message in the app.

Approval of changes

Depending on the nature of the changes, it may be necessary for you to agree to the updated privacy policy in order to continue using our app and services. In such cases, we will ask you to give your consent before the changes take effect for you.

Archive of data protection declarations

We maintain an archive of our previous privacy statements so that you can understand how our privacy practices have evolved over time. We will be happy to provide you with previous versions of our privacy policy on request.

Regular review

We recommend that you check our privacy policy regularly to stay informed of any changes. You will always find the latest version in the app and on our website. The date of the last update is indicated at the beginning of the privacy policy.

Questions and comments

If you have any questions, comments or concerns regarding changes to our privacy policy, you can contact us at any time. We will be happy to answer your concerns and provide you with further information about our data protection practices.

We endeavor to keep our privacy policy up to date and adapt it to changing requirements and expectations. The protection of your privacy and your personal data is always our top priority.

Last updated: 03.09.2024