ALL DATA SUBJECTS ARE REQUIRED TO READ THIS PRIVACY AND DATA PROTECTION POLICY TO UNDERSTAND HOW COMPANY COLLECTS, USES, PROCESSES AND STORES PERSONAL DATA WHILE CONDUCTING ITS ACTIVITIES AND WHAT SECURITY MEASURES ARE BEING APPLIED.
1. Purposes and Scope of Policy
1.1. Purposes: This Privacy and Data Protection Policy regulates the relationships between WHILDEY 2016 LTD. (hereinafter referred to as “the Company”) and Users, employees, contractors, stakeholders etc. (hereinafter referred to as “the Users” or “the other Data Subjects”) regarding the collection, use and processing of the Users' Personal Data.
1.2. Scope: This Privacy and Data Protection Policy of the Company is applied within all of the Company activities which are under the legal authority, under the supervision of or controlled by the Company.
1.3. Compliance: While conducting its activities, the Company adheres to all conditions and requirements stipulated by the current legislation of the USA & EU, including but not limited to COPPA, CCPA & the GDPR as well as by other international legislative acts concerning data protection.
“Advertising Clients” stands for online Publishers and Mobile Developers that receive the Company's advertising service.
"Advertising Contractor" means a Third Party company that provides advertising service to the Company and serves as a direct advertiser or a mediator on behalf of an advertiser.
“Advertising Mediation” stands for the advertising service that the Company provides to its Advertising Clients.
"Anonymized" means an irreversibly encoded version of the provided (raw) data, via encoding that does not allow reconstruction of the originally provided data.
“Automated decision-making” means an ability to make decisions by technological means without human involvement.
“Child” ("Children") means:
- outside the EU: person (persons) under the age of 13 years old;
- within the territory of the EU: person (persons) under the age of 16 years old.
"CCPA" means the California Consumer Privacy Act, a state statute intended to enhance privacy rights and consumer protection for residents of California, United States.
“Company” means WHILDEY 2016 LTD., the legal entity duly registered under the laws of Israel.
"COPPA" means the Children's Online Privacy Protection Act, a U.S. federal law designed to limit the collection and use of personal information about children by the operators of Internet services and Web sites.
“Data controller” (“controller”) means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the using and processing of Personal Data.
“Data processor” (“processor”) means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the controller.
“Data Protection Authority” (hereinafter referred to as “the DPA”) means an independent public authority which is established by a Member State pursuant to the GDPR to monitor the compliance with the GDPR and other applicable laws in order to protect the fundamental rights and freedoms of Data Subjects regarding the collecting, using and processing of their Personal Data and to facilitate the free flow of Personal Data. For the purposes of this Policy, DPA means a German Data Protection Authority, namely Federal Commissioner for Data Protection and Freedom of Information.
“Data Subject” means any living individual who is the subject of Personal Data held by the Company, including Users and other independent contractors/employees and other stakeholders.
“Data Subject consent” means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data.
“Filing system” means any structured set of Personal Data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.
"GDPR" stands for The General Data Protection Regulation 2016 (hereinafter referred to as “the GDPR”). GDPR replaces the EU Data Protection Directive of 1995 and supersedes the laws of individual Member States that were developed in compliance with the Data Protection Directive 95/46/EC.
"Mobile App" means a mobile application (i.e. game) developed by the Company and available for the Services provided.
“Personal Data” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with natural person (also referred to as “individual”, “Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Personal Data breach” means a breach of security leading to the accidental, or unlawful, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed. There is an obligation on the controller to report personal data breaches to the supervisory authority where the breach is likely to adversely affect the personal data or privacy of the data subject.
“Processing” means any operation or set of operations which is performed with the Personal Data or with sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Profiling” means any form of automated processing of Personal Data intended to evaluate certain personal aspects relating to a natural person, or to analyze or predict performance of that person at work, economic situation, location, health, personal preferences, reliability, or behavior. This definition is linked to the right of the data subject to object to profiling and a right to be informed about the existence of profiling, of measures based on profiling and the envisaged effects of profiling on the individual.
“Services” means services provided by the Company that include:
- creation of an account which makes it possible to associate the User’s game progress with him/her and save it on the Company’s servers;
- providing support with authorization, account managing, account security, Game client software errors, in-game problems, in-game purchases, bans (technical and player assistance).
“Special categories of personal data” (hereinafter referred to as “the sensitive data”) means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
“Third party” means a natural or legal person, public authority, agency or body other than the Data Subject, controller, processor and persons who are authorized to process Personal Data under the direct authority of the controller or processor.
“User” means the Data Subject, who has downloaded and/or played the Games.
3. General Provisions
3.1. Consent: The Company may receive Personal Data from the Users or from its Advertising Clients in order to deliver its contractual obligations. If the Company receives Users' Personal Data from the Users, it obtains the Users' permission and consent. If the Company receives Users' Personal Data from Advertising Clients or other third parties, they have to obtain the Users' consent to transfer such Personal Data to the Company for the purposes of further processing.
3.2. This Policy: Describes the main steps the Company takes to be in compliance with the COPPA, CCPA & GDPR. Other conditions of compliance, along with connected processes and procedures, may be described by other relevant documents, which the Data Subjects and any other stakeholders may find at the appropriate reference links stated herein.
3.3. Applications: The Users have a right to apply to the Company or to the appropriate Data Protection Authority as to his/her Personal Data breach if he/she becomes aware of it earlier than the Company.
3.4. Selling or Disclosing of Personal Data: the Company warrants that it neither sells nor discloses for business purposes the Personal Data of its Users, including persons who are less than 16 years of age, to any legal persons, individuals or third parties and complies with other requirements of the applicable laws in this regard.
3.5. The company does not use browser cookies.
4.1. CCPA is a state statute intended to enhance privacy rights and consumer protection for residents of California, United States.
4.2. COPPA is a U.S. federal law designed to limit the collection and use of personal information about children.
4.3. GDPR's main purpose is to protect the “rights and freedoms” of natural persons (i.e. living individuals) and to ensure that personal data are not processed without their knowledge, and, wherever possible, that they are processed with their consent. It applies to the citizens of the EU or EU Member States and other natural persons (whatever their nationality or place of residence), in relation to the processing of their personal data if they are located within the territory of the EU.
4.4. In collecting and using personal data, the Company is subject to a variety of legislation controlling how such activities may be carried out and the safeguards that must be put in place to protect them.
4.5. The purpose of this Policy is to set out the relevant legislation and to describe the steps the Company is taking to ensure that it complies with it.
4.6. This Policy applies to all Company’s employees, independent contractors, stakeholders and all other subjects that directly or indirectly participate in the personal data processing, including data subjects who have downloaded and/or play Games produced by the Company.
4.7. The Company undertakes the following actions in order to ensure the compliance with the accountability principle of the applicable laws:
4.7.1. The legal basis for processing Personal Data is clear and unambiguous;
4.7.2. All staff involved in handling Personal Data understand their responsibilities for following good data protection practice;
4.7.3. Training with regards to data protection has been provided to all the staff;
4.7.4. Rules regarding consent are followed;
4.7.5. Necessary means are available to the Data Subjects wishing to exercise their rights regarding Personal Data, and such enquiries are handled effectively;
4.7.6. Regular reviews of procedures involving Personal Data are carried out;
4.7.7. Privacy by design is adopted for all new or changed systems and processes;
4.7.8. These actions are being reviewed on a regular basis as part of the management process concerned with data protection.
4.7.9. The Company has developed all internal documents to define roles concerning the Personal Data processing within the Company among the staff.
6. Purposes of Processing
6.1. Purposes of Company: Personal Data of the Users are collected by the Company for such purposes as:
6.1.1. Mobile Apps:
- Creation of an account which makes it possible to associate User's Mobile App progress with him/her and save it on the Company servers;
- Providing support with authorization, account managing, account security, Mobile App client software errors, in-Mobile App problems, in-Mobile App purchases, bans (technical and player assistance) to the User.
6.1.2. Advertising Mediation:
- Implementation of frequency capping with regards to delivering advertising campaigns to the same device;
- Geo-location based advertising.
6.2. Purposes of Advertising Contractors: Company's advertising contractors may process Users' Personal Data for such purposes as:
6.2.1. Displaying advertising materials provided to target market (personalized advertising) within Company's Mobile Apps or within online assets of the Company's Advertising Clients;
6.2.2. For any other purposes that the advertising contractors establish themselves.
6.3.1. Company does not collect, use or process Personal Data for any other purposes except as specified herein;
6.3.2. Personal Data of the Mobile App Users within the EU or US California is not collected by the Company or its Advertising Contractors for the purposes of marketing and advertising if the User did not provide a clear consent that his/her Personal Data can be collected and used for such purposes. Advertisements provided without a proper user consent are context-specific and do not require Personal Data;
6.3.3. Company does not participate in determining purposes of processing in conjunction with an advertising partner, and thus shall not be liable for the processing of such Personal Data conducted by the Company’s advertising partners.
6.3.4. The company does not use any Personal Data for behavioral targeting and / or re-targeting.
6.3.4. While providing Advertising Mediation service, the Company receives a clear indication from its Advertising Clients whether User's Personal Data can be passed on to its Advertising Contractors. If no such indication is provided, the Company does not provide its Advertising Contractors with the User's Personal Data.
7. Personal Data
7.1. Collected Data: While conducting its activities, the Company collects, uses and processes the following Personal Data of the Users:
7.1.1. E-mail address - used for Mobile App user account creation and login;
7.1.2. Unique nickname - used for Mobile App user account creation and login;
7.1.3. IP address;
7.1.4. Age information;
7.1.5. Advertising ID.
7.2. IP Address:
7.2.1. Mobile Apps: The Company uses the User's IP address:
- To define his/her country while User creates an account, and offer him/her the filled-in field;
- The Company neither processes nor stores the User’s IP address after account registration.
7.2.2. Advertising Mediation: The Company uses the User's IP address provided by its Advertising Clients to define his/her country. Furthermore the IP Address is Anonymized for:
- Implementation of frequency capping with regards to delivering advertising campaigns to the same device - requires storing Anonymized User's IP Address for up to 24 hours;
- Geo-location based advertising - does not require storing User's IP Address;
- The Company's servers automatically delete Anonymized User's IP address within up to 24 hours from receiving it.
7.3. Age: Personal Data concerning the User’s age is stored on his/her mobile device. The Company may have access to this Personal Data of the User only provided that the User has created an account and given the consent to processing of his/her Personal Data.
7.4. Advertising ID:
7.2.1. Mobile Apps: The Company uses the User's Advertising ID only provided that the User has created an account and given the consent to processing of his/her Personal Data.
7.2.2. Advertising Mediation: The Company is being provided with the User's Advertising ID by its Advertising Clients, together with the User's consent to processing of his/her Personal Data.
7.5. Role of the Company:
7.5.1. While collecting and processing the Personal Data of Users, the Company acts as the joint controller together with its Advertising Contractors, and the corresponding range of controller's rights and responsibilities arises;
7.5.2. While processing the Personal Data of Users provided by the Company's Advertising Clients, the Company acts as the joint processor together with its Advertising Contractors, and the corresponding range of processor's rights and responsibilities arises.
7.6.1. The Company does not collect and/or use and/or process any sensitive data, such as but not limited to gender, physical address, and others.
7.6.2. The Company is not responsible for how its Advertising Clients collect and process, and its Advertising Contractors process the Users' Personal Data.
7.6.3. The Company uses automated decision-making that stores Anonymized Advertising IDs and IP Addresses and automatically removes them within up to 24 hours.
8. Lawfulness of Processing
8.1. Mobile Apps:
8.1.1. Moment of Collection: The Users’ Personal Data are collected by the Company while the appropriate User is registering in the Game. The Users’ Personal Data are collected by the Company’s advertising contractors while the appropriate User is launching the Game for the first time. Herewith, the Personal Data are being collected based on the Users’ consent, the providing of which is specified herein.
8.1.2. Consent Request Form: Company processes Personal Data on the basis of consent that must be obtained from the User in accordance with the requirements of the GDPR, CCPA and other legislative acts. Consent is to be provided by filling in the Consent Request Form which Company provides the appropriate User with.
8.1.3. Privacy Notice: Company provides User with the Privacy Notice, which contains, including but not limited to, the precise information concerning the purposes of processing and the information on methods of processing as well as on the period for which such Personal Data are to be stored. Privacy Notice is to be provided to the Users within the Game before the appropriate consent/registering form is filled in.
8.1.4. Obtaining of Consent: The consent is considered to be provided to the Company after the User has placed the tick in front of the “I accept” button on the appropriate Consent Request Form provided by the Company through the Game for each separate purpose of processing of the Personal Data.
8.1.5. Essence of Consent. By giving the consent, User acknowledges and accepts all terms and conditions specified in the Privacy Notice and Consent Request Form as well as all the conditions specified in this Policy.
8.1.6. Obligation of the Company: The Company shall be able to demonstrate that consent was obtained in accordance with the provisions of the applicable laws for each processing operation if it is required by the supervisory authority.
8.2. Advertising Mediation:
8.2.1. Moment of Collection: The Company does not collect the Users’ Personal Data from the user but receives it from its Advertising Clients. Therefore the Company serves as the Personal Data processor.
8.2.2. Obtaining of Consent: Company's Advertising Clients are responsible for collection of User's Personal Data and obtaining User's consent. When collected, User's consent and personal data are passed to the Company. If User's Personal Data falls under CCPA, COPPA or GDPR conditions, inability to provide User's consent will prevent the Company's ability to pass it over to its Advertising Contractors.
9. Users' Age
9.1. Applicable Laws: With regards to the matters of the Users' age, Company adheres to the provisions of EU GDPR and US COPPA.
9.2. Permissible Processing: Company collects, uses and processes Personal Data obtained on the basis of consent from the Users who have reached:
- Outside the EU, the age of 13 years old;
- Within the territory of the EU, the age of 16 years old.
9.3. Personal Data of Children: Company does not process the Personal Data of children, except on the basis of parental or custodian consent. In such cases, controller shall make reasonable efforts to verify that consent is given or authorized by the holder of parental responsibility over the child.
9.4. Notification of Violation: The Company asks the Users to send feedback by email to Company if the Users know that the Company processes Personal Data of a child. After receiving such feedback the Company will delete such Personal Data immediately.
9.5. Disclaimer: Company will not be liable for any consequences if it becomes clear that the User has not reached the age of 16 at the moment the consent is being provided.
9.6. GDPR requirements: The processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child. Herewith, the Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.
9.7. COPPA requirements: This Policy is in accordance with the COPPA and outlines Company’s practices regarding children’s personal information. The Company does not collect, disclose or use any data defined as personal information from persons considered children under the COPPA.