Data protection policy of Imperia Online JSC

This is the data protection policy of Imperia Online JSC (“Imperia Online”, “we”). We provide, in various ways, such as our website (“website”), electronic games (“services”). With this data protection policy, we would like to provide you with information on which personal data we collect and process. Furthermore, we would like to inform you about your rights. The responsibility to protect and process personal data is an important concern to Imperia Online. Your data is protected against unauthorized access as well as loss using various technical and contractual measures. Imperia Online has taken the necessary technical and organizational measures for this purpose. If links lead to third-party websites, please note that these companies provide their own data protection statements that apply accordingly.

I. Name and address of the responsible party

The responsible party, with respect to the General Data Protection Regulation and other national data protection laws of member states as well as other data protection provisions, is:
Imperia Online JSC
VAT number: BG205098993

Infinity Tower
69 Bulgaria Blvd., fl. 16
Sofia, 1404
Bulgaria

Contacts:
E-Mail: support_en@imperialsupport.org
Website: www.imperiaonline.bg


II. Contact of the data protection officer
dpo@imperiaonline.org


III. General information on data processing

1. Scope of personal data processing

As a rule, we only collect personal data that you share when making use of the services while logging in or registering and when utilizing fee-based services, as needed. Personal data is considered data that includes information on personal or factual circumstances. When logging in and registering as a user to our website, you merely need to provide an email address and/or user name and/or password.The password is encrypted and does not allow any conclusion to be made on the actual password at any time. Within the scope of carrying out the user contract concluded, in particular your chosen fee-based services, additional data, such as complete name, address, banking details, credit card numbers, etc. may be required. Additionally, when processing your requests or to provide you with support, it is sometimes required to ask you for personal data such as name, address, email address, and telephone number. We also collect data as part of voluntary participation in inquiries and surveys. We submit personal data only to cooperating companies or external service providers, provided this is legally required or permitted, in particular in performance of a contract, to process payments, as well as to protect other users or defend against dangers for national or public security, or to prosecute criminal offenses. Your interests worthy of protection are considered in pursuance with statutory data protection regulations. In the event of a default in payment, we hereby reserve the right to commission a collection agency or an attorney to collect the payment due, as needed, and to provide the necessary data within this context. We treat all of this data in a confidential manner and in consideration of statutory data protection regulations. As a rule, we do not provide such information to third parties without your permission, unless it is required to execute and settle the contract, to process your request, or to provide you with support, or permitted according to statutory data protection regulations.

2. Legal basis for processing personal data

If we receive the consent of the person concerned to process personal data, Art. 6 Para. 1 a of the EU General Data Protection Regulation (GDPR) serves as the legal basis for processing personal data. When processing personal data that is required to perform a contract whose contractual party is the person concerned, Art. 6 Para. 1 b GDPR serves as the legal basis. This also applies to processing processes that are required to carry out pre-contractual measures. If personal data must be processed to comply with a legal requirement to which our company is subject, Art. 6 Para. 1 c GDPR serves as the legal basis. In the event that the vital interests of the person concerned or another natural person make it necessary to process personal data, Art. 6 Para. 1 d GDPR serves as the legal basis. If processing is required to protect a legitimate interest of our company or a third party, and if the interests, basic rights, and basic freedoms of the party concerned do not prevail over the previously stated interest, Art. 6 Para. 1 f GDPR serves as the legal basis.

3. Purpose of processing personal data

We collect and process data in order to enable you to use our services. This also includes processing for the purpose of data security and the stability and operational security of our system as well as accounting purposes. We process data in order to provide you assistance when you submit support inquiries. Data is also processed in order to discover and prevent the improper use of multiple accounts, e.g. fraudulent purposes. Data is processed in order to acquire new customers and distribute promotional material that we believe correlates with your interests.

4. Data erasure and storage duration

The personal data of the person concerned is erased or locked as soon as there is no longer a reason to store it, or 50 months have passed since the last activity of your account in the game. Data may also be stored if required by European or national lawmakers in Union directives, laws, or other regulation to which the responsible party is subject. Data may also be stored or erased after the storage period stipulated by the specified standards expires, unless the continued storage of the data is required to conclude or perform a contract.

5. Data security

We endeavor to take reasonable precautions in order to prevent unauthorized access to your personal data as well as unauthorized use or falsification of this data and to minimize the associated risks. Nevertheless, providing personal data, whether in person, on the telephone, or via the internet, is always associated with risks and no technical system is completely free of the possibility of manipulation or sabotage. We process the data collected from you in accordance with German and European data protection law. All employees are required to protect data privacy and comply with data protection regulation, and are trained accordingly. For payment purposes, your data is transmitted using the SSL process and encrypted.


IV. Provision of services and creation of log files

1. Description and scope of data processing

Whenever our services are solicited, our system automatically collects data and information on the visiting computer system. The following data is collected during this:

- Internet protocol
- IP address
- URL of the referring website from which the file was requested
- Date and time of access
- Browser type and operating system as well as hardware information
- The site you visited
- Quantity of data transmitted
- Access status (file transferred, file not found, etc.)
- Duration and frequency of use
- Available IDs of third parties (such as Google Play ID, Facebook ID, etc.) in order to enable cross-device use

The data is also stored in the log files of our system.

2. Legal basis for data processing

Art. 6 Para. 1 f GDPR is the legal basis for the temporary storage of data and log files.

3. Purpose of data processing

Temporary storage of the IP address by the system is necessary in order to deliver services to the computer of the user. To do so, the IP address of the user must be stored for the duration of the session. Data is stored in log files in order to ensure the functionality of the services. Additionally, the data also serves to optimize the services and to ensure the security of our IT systems. Data is stored over the duration of the session for purposes of combating fraud (e.g. payment fraud, violation of the rules of play through the use of multiple accounts by the same person) and for the purposes of IT security (e.g. protection against DDoS attacks). Otherwise, the data is stored merely for purposes of statistical evaluation. In order to monitor compliance with the rules of use and rules of play, we reserve the right to store IP addresses and log files for a certain period of time after our services are utilized. In particular, this procedure serves to avoid certain cases of misuse or to resolve them and be able to forward the data in individual cases to investigative authorities or to rectify bugs.   Additionally, any evaluation of data is carried out in an anonymous manner wherever possible. After this period ends, the IP address and log files are completely erased, unless there exist mandatory statutory storage requirements or concrete criminal or abuse proceedings. For these purposes, our legitimate and overriding interest is to process data in accordance with Art. 6 Para. 1 f GDPR.

4. Duration of storage

The data is erased as soon as it is no longer required to achieve the purpose for which it was collected or after 50 months have passed since the last activity of your account in the game.

5. Option to object and erase

Data collection to provide services and data storage in log files is absolutely required in order to ensure the uninterrupted provision of services. As a consequence, the user has no option to object.



V. Push notifications

1. Description and scope of data processing

We can send push notifications to your device in order to share with you updates on services, news, and other relevant messages.

2. Legal basis for data processing

The legal basis for processing data is Art. 6 Para. 1 b GDPR if a contract exists.

3. Option to object and erase

You can prevent your data from being processed by applying the respective settings to your system. Please refer to the documentation of the system you use.


VI. Contact form and email, in-game support

1. Description and scope of data processing

There is a contact form on our website which can be used to contact us electronically. If a user makes use of this option, the data submitted into the input form will be sent to us and stored. This data is:

- Email
- Type of request
- User name
- Subject
- Question/problem
- Browser, hardware, and operating system data

Alternatively, we can be contacted using the email provided. In this case, the personal data of the user is saved with the email used to send it. Alternatively, you can also send inquiries to us within the game. In this context, no data is forwarded to third parties. The data is used exclusively to process the inquiry.

2. Legal basis for data processing

The legal basis for processing data is Art. 6 Para.1 a GDPR if the user has provided consent. The legal basis for processing data, that is submitted when an email is sent, is Art. 6 Para. 1 f GDPR. If the email is intended to conclude a contract, the further legal basis for processing is Art. 6 Para. 1 b GDPR.

3. Purpose of data processing

We process personal data from the input form solely to process communication. In the event that contact is made via email, there is also the required legitimate interest to process the data here. The other data processed during the submission process serves to prevent misuse of the contact form and to ensure the security of our IT systems.

4. Duration of storage

The data is erased as soon as it is no longer required to achieve the purpose for which it was collected. The data is stored for 50 months for the purposes of combating fraud and improving support.

5. Option to object and erase

The user has the option, at any time, to withdraw his consent to process the personal data. If the user contacts us, he can object to the storage of his personal data at any time. In such an event, the conversation cannot continue. All personal data, that was stored when contact was made, is erased in this case.


VII. Cookies, web beacons, etc.

1. Description and scope of data processing

Cookies

We use so-called cookies, which are text files or pixels, that are stored on the user’s display device.This concerns technologies that can be used to collect certain user-specific settings and technical information with which the user can be identified. We employ cookies in order to make our services more user friendly. Some elements of our services require that the user can be identified. We also use cookies that allow us to analyze the behavior of the user.

Additionally, we use cookies to target advertisements. Cookies are stored on the user’s display device.

There are permanent cookies, that are stored for a longer period of time on your display device, and session cookies, that are temporarily stored on your display device and erased after the service is provided.

We use necessary cookies, function cookies, performance cookies, targeting and advertising cookies, and conversion tracking cookies.

Necessary cookies. These cookies are necessary to use our services. Without these necessary cookies, it is possible that we will not be able to provide you certain services or features or that the services will not be depicted correctly.

Function cookies. Function cookies enable us to recognize your settings and provide you with advanced and better adapted features, such as a personal adjustment of services, recognizing whether we have asked you certain things, or you have requested other services.

All of these features help us to improve the services for you.

Performance cookies. Performance cookies are also sometimes called analytics cookies, collect information on your use of services, and enable us to improve the functionality of our services.

For example, performance cookies show us which pages are used most often, how the entire usage pattern of the services looks, help us to detect problems with the use of services, and determine whether our advertising is presented effectively or not.

Targeting and advertising cookies. We and our service providers can employ targeting or advertising cookies in order to show you promotions that are better adjusted to your interests and preferences.
We can use targeting or advertising cookies in order to limit the number of identical advertisements that are shown to you with our services, or to determine or increase the effectiveness of our marketing campaigns.

These cookies show, for example, what you have viewed while using our services, and we share this information with other organizations, such as advertising clients. The display of advertising supports operations and the further development of our services.

Conversion tracking cookies.

In order to provide our users with the best possible gaming experience, we strive to constantly add new players to our games. In the process of determining and driving marketing measures, we use conversion tracking. In doing so, a marketing partner records, with our help, when a user completes a registration or a predefined action in the game. This occurs either via direct automated contact with the server of the marketing partner or through an intermediary service provider. The data that we transfer is limited to what is most necessary. When starting to use our services, the user is informed about the use of cookies. If the user does not wish for our cookies to be stored on his display device, would like to delete a stored cookie, or would like to be informed about the storage of such, the user can configure his browser or mobile end device accordingly. The details of how these are applied can be found using the help information of the browser. We would like to explicitly state that, in this case, not all functions of the services can be used in their entirety. If you access our services via third parties, it may be the case that they use cookies. We have no influence on this. Please note the data protection guidelines of these third parties.

2. Legal basis for data processing

The legal basis for processing personal data when using cookies is Art. 6 Para. 1 f GDPR.

3. Purpose of data processing

The purpose of using technically necessary cookies is to simplify the use. Some functions of our software cannot be provided without the use of cookies. The user data collected via technically necessary cookies are not used to create user profiles. Analytics cookies are used for the purpose of improving the quality of our services and their contents. Via these analytics cookies, we learn how the services are used and can thus constantly optimize our products. For these purposes, we also have a legitimate interest in the processing of personal data according to Art. 6 Para. 1 f GDPR. Additionally, we have a legitimate interest in directing advertising in our services. We have an interest in finding new customers. In order to achieve this, our advertising partners must use cookies.

4. Duration of storage, option to object and erase

Cookies are saved on the user’s device and sent to us from it. Therefore, as the user, you also have full control on the use of cookies. By changing the settings in your internet browser or mobile device, you can deactivate or limit the transmission of cookies. Cookies that have already been saved can be erased at any time. This can also occur automatically. If cookies are deactivated, it may be the case that not all of the functions of the services can be used in their entirety.
 
VIII. Logging in via third parties
We offer you the option of logging in to our services with login data of other services (“partners”). It is thus not necessary to register again. A non-conclusive list of our partners includes, for example, Facebook, Google, or Steam. In this case, you can log in to our services through a partner. To do so, your account with our partner is linked to our service. The partner then sends us the respective information that serves exclusively for quality assurance measures and is not shared with third parties at any time. For additional information on the service you prefer, please refer to the above contact (see. “I. Name and address of the responsible party”).


IX. Rights of the person concerned

If we process your personal data, you are the person concerned in the sense of the GDPR, and you have the following rights with respect to the responsible party.

1. Right of access

You can request from the responsible party a confirmation of whether personal data that concerns you is processed by us. If such processing occurs, you can request the following information from the responsible party:

- The purposes for which the personal data is processed;
- The categories of personal data that is processed;
- The recipient or categories of recipients to which the personal data that concerns you was submitted or not submitted;
- The planned duration of storage of the personal data concerning you, or, if concrete information on this is not available, the criteria for determining the storage duration;
- The existence of a right to disclose or erase the personal data concerning you, a right to limit processing on the part of the responsible party, or a right to object to this processing;
- The existence of a right to lodge a complaint with a supervisory authority;
- All available information on the source of the data if the personal data is not collected for the person concerned;
- The existence of an automated decision making process including profiling in accordance with Art. 22 Para. 1 and 4 GDPR and, at least in these cases, detailed information on the logic involved as well as the scope and the desired effects of such processing for the person concerned.

You have the right to request information on whether the personal data concerning you is sent to a third country or an international organization. In this context, you can request suitable guarantees pursuant to Art. 46 GDPR in connection with the transfer.

2. Right to rectification

You have the right to rectification and/or completion, with respect to the responsible party, provided that the processed personal data concerning you is incorrect or incomplete. The responsible party must make the rectification without delay.

3. Right to limit processing

Under the following conditions, you can request a limit to the processing of the personal data concerning you:

- If you contest the correctness of the personal data concerning you for a duration of time that enables the responsible party to verify the correctness of the personal data;
- The processing is illegal and you refuse erasure of the personal data and instead request a limitation of the use of the personal data;
- The responsible party no longer requires the personal data for the purposes of processing, but you require it to assert, exercise, or defend legal claims, or
- If you have submitted the objection to processing according to Art. 21 Para. 1 GDPR and it is not yet certain whether the legitimate concerns of the responsible party prevail over your concerns.

If the processing of the personal data concerning you was limited, this data, except for its storage, may only be processed with your consent or to assert, exercise, or defend legal claims, or to protect the rights of another natural or legal person or for reasons of an important public interest of the Union or a member state. If processing was limited according to the above conditions, you will be informed by the responsible party before the limitation is applied.

4. Right to erasure

We offer the option to independently delete or correct your own personal data in game. If you are logged in to your account, you can delete your personal data in the settings of your user account.

a) Obligation to erase

You can request that the responsible party immediately erase the personal data concerning you, provided one of the following reasons applies:

- The personal data concerning you is no longer required for the purposes for which it was collected or processed in another manner.
- You withdraw your consent upon which processing pursuant to Art. 6 Para. 1 a or Art. 9 Para. 2 a DSGVO is based, and there is no other legal basis for processing.
- You submit an objection to processing pursuant to Art. 21 Para. 1 GDPR and there exist no superordinate legitimate reasons for processing, or you submit an objection to processing pursuant to Art. 21 Para. 2 GDPR.
- The personal data concerning you was processed illegally.
- The erasure of the personal data concerning you is required to comply with a legal requirement according to Union law or the law of a member state to which the responsible party is subject.
- The personal data concerning you was collected in regard to services offered by the information company in accordance with Art. 8 Para. 1 GDPR.

b) Information to third parties

If the responsible party published the personal data concerning you and is required to erase such according to Art. 17 Para. 1 GDPR, said party will take suitable measures, also of a technical nature and in consideration of available technology and implementation costs, to inform data processors processing the personal data that you, as the person concerned, have requested the erasure of all links to this personal data or copies or replications of this personal data.

c) Exceptions

There is no right of erasure if processing is required to exercise the right of free expression and information;

- To comply with a legal obligation to which the responsible party is subject according to Union law or that of a member state for processing purposes, or to perform a task that is in the public interest or in the practice of public authority conferred to the responsible party;
- For reasons of public interest in the area of public health according to Art. 9 Para. 2 h and i as well as Art. 9 Para. 3 GDPR;
- For archiving purposes, scientific or historic research purposes, or for statistical purposes in the public interest according to Art. 89 Para. 1 GDPR, provided that the right specified in section a) temporarily makes the achievement of the goals of processing impossible or severely limits such, or
- To assert, exercise, or defend legal claims.

5. Right to information

If you have asserted the right to information on, erasure, or limitation of processing with respect to the responsible party, said party is required to share this rectification or erasure of the data or limitation of processing with all recipients to whom the personal data concerning you was published, unless this proves to be impossible or is associated with excessive cost. You have the right to information on these recipients from the responsible party.

6. Right to data transferability

You have the right to receive the personal data concerning you, which you provided to the responsible party, in a structured, standard, and machine-readable format. Additionally, you have the right to transfer this data to another responsible party without obstruction on the part of the responsible party, to which the personal data was provided,

- provided that processing occurs based on consent pursuant to Art. 6 Para. 1 a GDPR or Art. 9 Para. 2 a GDPR or a contract pursuant to Art. 6 Para. 1 b GDPR,
- and the processing is carried out using automatic processes.

When exercising this right, you also have the right to ensure that the personal data concerning you is transferred directly from one responsible party to another responsible party, provided this is technically feasible. The freedom and rights of others may not be affected by this. The right of data transferability does not apply for processing personal data that is required to carry out a task that is in the public interest or in the practice of public authority conferred to the responsible party;

7. Right to object

You have the right, for reasons relating to your particular situation, to submit at any time objection to processing of the personal data concerning you which is conducted based on Art. 6 Para. 1 e or f GDPR; this also applies to profiling based on these conditions. The responsible party no longer processes the personal data concerning you, unless said party can provide evidence of compelling reasons worthy of protection for the processing that prevail over your interests, rights, and freedoms, or the processing serves to assert, exercise, or defend legal claims. If the personal data concerning you is processed in order to pursue direct advertising, you have the right to submit at any time objection to processing of the personal data concerning you for the purposes of such advertising; this also applies to profiling, provided it is in connection with direct advertising. If you object to processing for the purpose of direct advertising, the personal data concerning you will no longer be processed for these purposes. Regardless of Directive 2002/58/EC, you have the option, in connection with the use of services of the information company, of exercising your right to object using an automated process that uses technical specifications.

8. Right to withdraw data protection declarations of consent

You have the right to withdraw your declaration of consent at any time. The withdrawal of consent does not affect the legality of the processing conducted on the basis of the consent up to the date of the withdrawal.

9. Automated decision in individual cases including profiling

You have the right not to be subjected to a decision based solely on automated processing, including profiling, which will have legal effect or similarly affect you in a similar manner. This does not apply if the decision

a) is required to conclude or carry out a contract between you and the responsible party,

b) is permissible on the basis of Union or member state law to which the responsible party is subject, and that legislation contains suitable measures to safeguard your rights and freedoms and your legitimate interests, or

c) is made with your explicit consent.

However, these decisions must not be based on special categories of personal data under Art. 9 Para. 1 GDPR, provided that Art. 9 Para. 2 a or g does not apply, and reasonable measures have been taken to protect your rights and freedoms and your legitimate interests.

With respect to the situations mentioned in (a) and (c), the responsible party shall take appropriate measures to protect your rights and freedoms and your legitimate interests, including at least the right to obtain the intervention of a person on the part of the responsible party to express his own position and challenge the decision.

10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial legal remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your place of residence or employment or the place of the alleged infringement, if you believe that the processing of the personal data concerning you violates the GDPR. The supervisory authority to which the complaint has been submitted shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.