Popcore Privacy Policy

POPCORE GmbH, c/o Factory Berlin, Rheinsberger Str. 76/77, 10115 Berlin, Germany ("POPCORE" or "we") respects your personal data. With the following privacy policy ("the Privacy Policy"), we would like to provide information on the collection, processing and use of data in connection with the website, the games and the other services of POPCORE ("Service"). POPCORE collects, processes or uses personal data exclusively within the framework of the applicable statutory provisions. Therefore, the high data protection level of the General Data Protection Regulation ("GDPR") applies.

1. Field of application
This Privacy Policy is directed to all users of the Service ("users" or "you"). Insofar as individual services of POPCORE have a different privacy policy, this shall apply. Likewise, third party services to which the Service may refer via links are also excluded from the scope of application. POPCORE is not responsible for their content or compliance with data protection regulations. This includes, for example, links to social networks. The processing of users' personal data via these social networks is carried out by the respective network operator without us having any influence on this processing. This also applies to the personal data which the user communicates to us via such a platform, for example by writing to our profile in the respective social network. The user can find information on the handling and protection of the personal data of the user on these platforms in the privacy policy of the respective platform.

2. Collecting, processing and use of data when accessing the website
2.1. When you visit the POPCORE website, information transmitted to us by your web browser will be recorded automatically. This includes the IP address of the end user device you are using, the date and time (including time zone) of the particular access to the website as well as the information which specific page or file you requested, the domain via which the particular request was made (the referrer URL) and the operating system and browser you are using.
2.2. POPCORE collects this data for the purpose of providing the website on the basis of Art. 6 par. 1 s. 1 lit. f) GDPR, whereby the legitimate interest of POPCORE is the provision of the website.
2.3. POPCORE may also use the aforementioned data to ensure proper functioning of POPCORE's website, particularly for IT security purposes. The basis for this collection and processing is Art. 6 par. 1 s. 1 lit. f) GDPR, whereby the legitimate interest of POPCORE is to ensure the security of the website.
2.4. POPCORE uses Google Analytics, a web analysis service provided by Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google"), for statistical evaluation and optimisation of the Services. Google uses Google Analytics cookies (first-party cookies), which are stored for up to two years, to analyse the use of the website and the apps. The information collected using cookies (including IP addresses) is generally transmitted to and stored by Google on servers in the USA. POPCORE uses Google Analytics with the "_anonymizeIp()" extension, whereby all IP addresses are anonymised within the EU before transmission to the USA takes place, so that there is no longer any direct personal reference regarding the transmission and evaluation of the data. On behalf of POPCORE, Google analyses the website and app activities of the users and summarises the results in reports for POPCORE. This information may be transferred by Google to third parties where required to do so by law, or where such third parties process the information on Google's behalf. The user can object to the collection and storage of data by Google Analytics at any time with effect for the future by installing the following Google browser plug-in: https://tools.google.com/dlpage/gaoptout?hl=en

3. Cookies
3.1. The POPCORE website may use cookies. Cookies are small text files that store settings and data on the user's device for transmission to POPCORE and are transmitted each time the user accesses the POPCORE website. Cookies enable POPCORE to recognise your device and, if available, to make your default settings available immediately. 
3.2. Cookies are used by POPCORE to make the website more user-friendly and effective, in particular by saving preferences selected by the user during the visit and by providing POPCORE with information on the use of the Website and other statistical information. Cookies are only placed with the consent of the user (Art. 6 par. 1 s. 1 lit. a) GDPR).
3.3. Some cookies are automatically deleted when the browser is closed. Other cookies remain stored for up to 2 years and are then automatically deleted.
3.4. In general, the user can set his browser in such a way that he is informed about the setting of cookies, that the setting of cookies is excluded for certain cases or generally, or that the setting of cookies is only permitted in individual cases. In addition, the user can delete stored cookies in the settings of his browser. However, if cookies are deactivated, the functionality of the POPCORE website may be restricted.

4. Downloading mobile apps 
When downloading a mobile app from POPCORE, the operator of the platform on which the app is provided (e.g. Apple Inc. for the AppStore and Google LLC for the Google PlayStore and Amazon.com Inc. for the Amazon Appstore) collects the following data for the download: User name, email address, customer number of the account, time of download, payment information and the individual device code number. However, the platform operator is exclusively responsible for this collection. To the extent necessary for the download, POPCORE processes the data provided by the platform operator.

5. Collection, processing and usage of data for the fulfilment of contractual obligations, consent when using registration via single sign-on services
5.1. POPCORE collects, processes and uses personal data to fulfil contractual obligations, i.e. within the framework of concluding a contract with the user about the usage of the service, the execution of the contract and the termination of the contract, including the billing of paid elements of the Service. POPCORE will not pass on personal data to third parties if there is no legal basis or legal obligation and the user has not consented.
5.2. Personal data that POPCORE may collect in order to fulfil its contractual obligations towards the user includes, depending on the service, an identification number of the user's device which the user may reset (IDFA) as well as, where applicable, his email address (if provided by the user) and his IP address. The provision of this data is not required by law, but is required for the respective POPCORE service. The user may voluntarily transmit further data to POPCORE as part of the Service. Basis of this data processing for the fulfilment of contractual obligations is Art. 6 par. 1 s. 1 lit. b) GDPR. 
5.3. POPCORE may give users the opportunity to register for the individual Services via Facebook Connect, provided by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or, for EU residents, Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook"). Additional registration is not required, if the user does not wish to do so. To log in, the user is forwarded to the Facebook page, where he can log in with his usage data. This links the user's Facebook profile and our Service. The link automatically transfers the following information from Facebook to POPCORE: Name and Facebook ID. Of this data, POPCORE uses only the name. This information is mandatory for the conclusion of the contract in order to identify the user. For further information on Facebook Connect and privacy settings, the user can refer to the Facebook Privacy Notice and Terms of Use: https://www.facebook.com/terms.php. The EU Commission has adopted an adequacy decision (No. 2016/1250) for the transfer to the USA, according to which companies that meet certain criteria guarantee an adequate level of protection, also known as "EU-US Privacy Shield". These companies are included in a list called the Privacy Shield List. Facebook is one of the companies listed there. The transmission to Facebook in connection with Facebook Connect is based on Art. 45 GDPR. It is up to the user whether he wishes to log on to POPCORE with Facebook Connect. If the user decides to do so, the legal basis for the data processing associated with the use of Facebook Connect is the user's consent pursuant to Art. 6 par. 1 s. 1 lit. a) GDPR.
5.4. When using the Service, POPCORE collects information on the type and scope of use of the Service ("Usage Data") in order to ensure that the Game proceeds in an orderly and contractual manner. Usage data in this sense are in detail characteristics for the identification of the user (such as IDFA), information regarding the beginning and end as well as type and extent of the respective use and information about the products and services used by the user. The legal basis for this data processing is Art. 6 par. 1 s. 1 lit. b) GDPR. POPCORE may also use this data to identify and eliminate errors or misuse of the Service. This data processing is based on Art. 6 par. 1 s. 1 lit. f) GDPR. Legitimate interest of POPCORE is ensuring the proper functioning and use of the Service.
5.5. POPCORE may transfer or store personal user data in other member states of the European Union or in other contracting states of the Agreement on the European Economic Area as well as in other states which ensure an adequate level of data protection, provided that the user consents to this or this is legally permissible.

6. Data processing in connection with ad-financed services
Parts of the Services (such as individual games or other individual services) may be wholly or partially financed by advertising. In the case of services financed by advertising, instead of a fee to be paid by the user for the provision and use of the Service, advertising is displayed to the user during the use of the Service in order to finance the provision of the Service. In order to display advertising, data identifying the user's device used to access the Services (IP address, individual device ID of the device or identifier) is processed. The processing of data for displaying advertising and transmission to service providers is based on Art. 6 par. 1 s. 1 lit. b) GDPR.

7. Sending advertising and analysis for market research purposes
POPCORE may collect and analyse statistical data on the use of the Service in aggregated or anonymised form for the development of advertising, for market research purposes, to improve the existing Services and to develop new products.

8. Analytics services
POPCORE uses analysis tools to optimise the Service, which enable the use of the Service to be analysed. This can be done through the use of IDFA, cookies, web beacons or tracking pixels. The analysis tools used collect and process data to identify the user's device. When some of these analysis tools are used, data is transferred to the USA and stored there for processing. The user can object to the use of all these services by making the appropriate settings in his device or as described below for the individual services. The transmission of the user's personal data to the providers of the analysis tools takes place on the basis of Art. 28 GDPR. The legal basis for the use of the analysis tools is Art. 6 par. 1 s. 1 lit. f) GDPR. The legitimate interest of POPCORE is the improvement and further development of the Service. In particular, this also requires knowledge and statistical analysis of the use of the Service and any crashes of the apps. POPCORE uses these analytics tools:
• POPCORE uses Tenjin, an attribution and analytics service provided by Tenjin, 26 O'Farrell St. Suite 310, San Francisco, CA 94108. 
POPCORE uses this service to understand user behaviour and assign it to the correct advertising media in order to measure the success of advertising measures and optimise them. The user can exercise his rights against Tenjin by sending an e-mail to the following address: privacy@tenjin.io. Further information on Tenjin's data protection can be found on https://www.tenjin.io/privacy. The transmission to Tenjin servers in the USA in this context is based on Art. 45 and 28 GDPR. Tenjin is one of the companies listed in the so-called "Privacy Shield List" which guarantee an adequate level of data protection on the basis of an adequacy decision of the EU Commission (No. 2016/1250).
• POPCORE uses services from Unity Technologies, including as a development platform, analytics provider (Unity Analytics) and advertising platform (Unity Ads). 
Behind Unity Technologies are the companies Unity Technologies, 30 3rd Street, San Francisco, CA 94103 (contact for users in the USA) and Unity Technologies Finland OY, Kaivokatu 8 B, 00100 Helsinki, Finland (contact for users in the EU). Users may exercise their rights against Unity Technologies by sending an e-mail to the following address: DPO@unity3d.com. For more information regarding Unity Technologies' privacy practices, please visit https://unity3d.com/de/legal/privacy-policy?_ga=2.85718809.1255162827.1534754208-973617766.1534754208, where you will also find further information about settings you can make about your personal information. Transmission to servers of Unity Technologies outside the EU in this context is based on Art. 46 GDPR. Details of the measures taken by Unity Technologies to protect the rights of data subjects can be obtained via the following e-mail address: DPO@unity3d.com.
• Firebase Analytics and Firebase Realtime Database
POPCORE uses Firebase Analytics and Firebase Realtime Database, each offered by Google (1600, Amphitheatre Parkway, Mountain View, CA 94043, USA). The user can object to the collection of the above information by Google at any time by sending an e-mail to optout@Popcore.de. Further information on data protection by Google can be found at https://policies.google.com/privacy?hl=en. The transmission to Google servers in the USA in this context is based on Art. 45 and 28 GDPR. Google is one of the companies listed in the so-called "Privacy Shield List" which guarantee an adequate level of data protection on the basis of an adequacy decision of the EU Commission (No. 2016/1250).
• Additional Google services
POPCORE uses various services provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"), in particular the Admob service to play out and optimise advertising (ad mediation). Information on the use of POPCORE's services is transmitted to Google and thus generally to a Google server in the USA, where it is stored. Further information on this - including information on how the user can object to this data processing - can be found at https://support.google.com/admob/answer/7665968 Regarding the transfer of data to Google in the USA, the EU Commission has adopted an adequacy decision (No. 2016/1250), according to which companies that meet certain criteria guarantee an adequate level of protection, also known as "EU-US Privacy Shield". These companies are included in the so-called Privacy Shield List. Google is one of the companies listed there. The transmission to Google in this context is based on Art. 45 and 28 GDPR.
• Facebook Custom Audiences
We use the "Facebook Custom Audiences" service, which is offered by Facebook Inc, 1 Hacker Way, Menlo Park, CA 94025, USA, or, for EU residents, by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. With the help of Facebook Custom Audiences, it is possible for Facebook to identify users of our services as a target group for the display of ads, so-called "Facebook ads". Personal data to identify a user (such as an identification number of the user's mobile device, e.g. the Apple IDFA) is transferred to Facebook for this purpose. Accordingly, we use these Facebook services to ensure that our Facebook Ads correspond to the potential interest of the users and are not intrusive. Facebook Custom Audiences also enable us to evaluate the effectiveness of Facebook ads for statistical and market research purposes by seeing whether users were directed to our website after clicking on a Facebook ad. We also use the "Lookalike Audiences" service provided by Facebook. As part of Lookalike Audiences, Facebook uses the users of our services to determine which other Facebook users have similar interests to the users of our services and are therefore potentially interested in our services. Thereby, we want to ensure that our Facebook ads are in line with the potential interests of the Facebook users and are not intrusive. Facebook processes the data in accordance with Facebook's data usage guidelines. Accordingly, the user can obtain additional information about how Facebook Custom Audiences work and how Facebook Ads are presented in general via Facebook's Data Usage Policy: https://www.facebook.com/policy.php. Users may object to the collection and use of their information to display Facebook Ads.
To do this, you can go to the page set up by Facebook for this purpose and follow the instructions on the settings for usage-based advertising: https://www.facebook.com/settings?tab=ads or declare the objection via the US page http://www.aboutads.info/choices/ or the EU page http://www.youronlinechoices.com/. The settings are platform-independent, i.e. they are applied to all devices, such as desktop computers or mobile devices. We use Facebook Custom Audiences to improve and measure the success of our Facebook advertisements. The legal basis for the associated data processing is therefore Art. 6 par. 1 s. 1 lit. f) GDPR, whereby our legitimate interest is the optimisation of our marketing measures. For Lookalike Audiences, the legal basis for the associated data processing is likewise Art. 6 par. 1 s. 1 lit. f) GDPR, whereby our legitimate interest is the improvement of our advertising measures and expansion of the user base of our services. Transmission to Facebook servers in the USA in connection with these services is based on Art. 45 and 6 par. 1 s. 1 lit. f) GDPR. Facebook is one of the companies listed in the Privacy Shield List that guarantee an adequate level of data protection on the basis of an adequacy decision of the EU Commission (No. 2016/1250).
• Facebook Analytics
POPCORE uses the analysis tool Facebook Analytics provided by Facebook (4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland). The information obtained in this way can also be transferred to a Facebook server outside the EU such as the USA. The user can object to the collection of the above-mentioned data by the Facebook analysis tool at any time by sending an e-mail to optout@popcore.com. The user can obtain further information on data protection by Facebook at https://www.facebook.com/privacy/explanation. The transmission to Facebook servers in the USA in this context is based on Art. 45 and 28 GDPR. Facebook is one of the companies listed in the so-called "Privacy Shield List" or also "Data Protection Shield List" that guarantee an adequate level of data protection on the basis of an adequacy decision of the EU Commission (No. 2016/1250).

9. Facebook Plugin
9.1. POPCORE implements the social plugins of the social network facebook.com in parts of the Service. These social plugins are provided by Facebook (4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland). When the user accesses content included in this Service which contains such a social plugin from Facebook, the user's device establishes a direct connection to Facebook's servers, which may also be located in the USA. Facebook directly transmits the content of the social plugin to the user's browser, which then integrates it into the website of this service. POPCORE therefore has no influence on the extent of the data that Facebook collects with the help of this social plugin and informs the user according to its own level of knowledge: By integrating the social plugins, Facebook receives the information that the user accessed the Service. If the user is logged in to Facebook during this time, Facebook can attribute the usage to the user's Facebook account. If the user interacts with the social plugins, for example by clicking the "Like" button or making a comment, the corresponding information is transmitted directly from the user's device to Facebook and stored there. If the user is not a member of Facebook, it is still possible that Facebook stores the IP address of the user's terminal device, but according to Facebook only an anonymized IP address is stored in Germany. If the user is a member of Facebook and does not want Facebook to collect data about him or her via this service and link it to the user data stored on Facebook, the user must log out of Facebook before using the service. For further information on the purpose and extent of data collection and the further use of the data by Facebook, as well as your rights and options to protect your privacy, please refer to Facebook's own privacy policy under the following link: https://www.facebook.com/about/privacy/.
POPCORE points out that the user can block social plugins for his browser with the help of browser add-ons.
9.2. For the transmission of data to the USA, there is an EU Commission adequacy decision (No. 2016/1250) according to which companies that meet certain criteria guarantee an adequate level of protection, also known as the "EU-US Privacy Shield". These companies are listed in the so-called "Privacy Shield List". Facebook is one of the companies listed therein. The data transmission to Facebook connected to the social plugin is based on Art. 45 and 6 par. 1 s. 1 lit. f) GDPR. Our legitimate interest is to provide the best possible service based on the wishes and preferences of our users.
9.3. The legal basis for using this social plugin is the user's consent according to Art. 6 par. 1 s. 1 lit. a) or Art. 6 par. 1 s. 1 lit. f) GDPR. Our legitimate interest is to provide the best possible service based on the wishes and preferences of our users.

10. Communication between users
We want to inform the user that content uploaded within the Service can be made publicly accessible and can be seen by other users. We therefore ask the user to handle the information provided by him/her carefully. Uploaded user content is transmitted in order to fulfil the purpose of the service pursuant to Art. 6 par. 1 s. 1 lit. b) GDPR.

11. Storage period and erasure of data 
We process personal data only as long as the user is registered for the app and the website, or as long as it is necessary to achieve the purposes or is prescribed by a legal obligation to store the data. The data will then be erased immediately. Data we store for legal reasons will be retained for as long as is required by law (up to ten years). However, data we collect in the course of litigation will be retained for as long as is legally permissible. This may be up to 30 years. Regarding logs that store network data, we delete the data at regular intervals - the exact time varies according to configuration rules (which can shorten the logs by size and not by a specified time), whether the data was part of a snapshot that landed in a backup, and whether the logs are part of a set of logs that are routinely forwarded to a central log repository, but never longer than two years.

12. Data security
POPCORE hereby clarifies that data protection and data security cannot be guaranteed for transmissions outside POPCORE's sphere of influence, e.g. within your mobile network. We therefore draw the user's attention to the fact that his mobile network operator or unauthorized third parties may have access to the data that the user transmits to our servers or that is transmitted by us.

13. Disclosure of personal data to third parties
Personal data will only be disclosed to third parties without the express consent of the user where this is necessary to provide the services of POPCORE or to implement the contract with the user (e.g. to process payments, including for in-app purchases, for the technical provision of the Service), unless otherwise regulated elsewhere in this Privacy Policy. Accordingly, the data is transmitted to such service providers (such as payment service providers, advertising providers, technical service providers) for the purpose of fulfilling the contract pursuant to Art. 6 par. 1 s. 1 lit. b) GDPR. POPCORE will of course ensure that the respective service provider has taken appropriate technical and organisational measures to ensure the security of the data before passing on the user's personal data. Furthermore, POPCORE will not disclose the user's personal data to third parties unless the user has expressly consented to such disclosure (Art. 6 par. 1 s. 1 lit. a) GDPR) and POPCORE is not entitled or obliged to disclose such data on the basis of statutory provisions or court orders. In the latter case, POPCORE shall transfer the data in order to fulfil a legal obligation pursuant to Art. 6 par. 1 s. 1 lit. c) GDPR.

14. User rights
14.1 Right to information 
The user has the right to obtain from POPCORE, free of charge and in writing, the personal data relating to him/her stored by POPCORE, the purposes for which it was processed, its origin, the recipients or categories of recipients to which it was passed on, the duration of the storage period and the rights of data subjects available to him/her.
14.2 Right to correction, deletion and/or restriction of personal data 
The user also has the right to demand the correction of incorrect data, the deletion and/or restriction of the processing of personal data stored about him at any time, insofar as there is no legal obligation for POPCORE to retain such data. Insofar as this includes such personal data that are required for the provision of services to the user, the deletion or restriction of the processing of this data can only take place if the user no longer uses the services offered by POPCORE. 
14.3 Right to object
The user has the right to object at any time to data processing based on Art. 6 par. 1 s. 1 lit. e) or f) GDPR for reasons arising from his particular situation, unless POPCORE can prove compelling reasons worthy of protection which outweigh the interests of the user or the processing serves the assertion, exercise or defence of legal claims. The user may object to data processing for the purpose of direct marketing at any time without special reasons being required.
14.4 Right to data portability
If the user provides data relating to him and POPCORE processes this data on the basis of the user's consent or to fulfil the contract, the user can demand that he receives this data from POPCORE in a structured, common and machine-readable format or that POPCORE transmits this data to another responsible person, insofar as this is technically possible (so-called right to data portability).
14.5 Right to withdraw consent
Any consent given by the user to the use of personal data may be freely revoked by the user at any time with effect for the future.
14.6 Right to make a complaint
The user can also make a complaint to a supervisory authority regarding data processing which, in his opinion, violates the statutory provisions.

15. Changes to the Privacy Policy 
POPCORE reserves the right to change this privacy policy at any time, while POPCORE will always comply with the legal requirements for data protection. Therefore, POPCORE recommends that users regularly take note of the applicable privacy policy. POPCORE will inform users in advance of any further use of data.

Berlin, 11 September 2018
POPCORE GmbH, c/o Factory Mitte, Rheinsberger Str. 76/77, 10115 Berlin, Germany