PRIVACY STATEMENT – VERTIGO
Version 1.0 – 22nd of December 2020
Vertigo
Vertigo Studios B.V. and affiliated companies (’Vertigo’) are Dutch companies. We are active in the European Economic Area (EEA) and we keep our data on servers in the EEA, unless stated otherwise below.
We process your personal data when you use our games, applications, websites and software and when we contact you or if we have a business relationship with you. In this privacy statement we summarize when and how we collect, use and secure your personal data.
GENERAL
We may change provisions of this privacy statement from time to time. If we do that, we will inform you of the changes. However, we also advise you to check for yourself from time to time whether the privacy statement has been changed.
Which personal data do we collect and for which purposes?
There are a number of ways in which we can collect your personal data. In this section we explain which personal data we may collect from you. The personal data is sorted according to your role and to the different processing goals. The data retention period also differs depending on the processing goal. This period will also be mentioned below. Note that should there be any legal changes to the possible data retention periods, these legal changes will take precedent over the periods mentioned in this privacy statement.
3.1 If you are a player of our games
- To be able to provide you the game and the intended experience, we process the personal data mentioned below. Our processing ground is the performance of a contract with you.
If you play our games, we process the following personal data up to 10 years after your last use of the game. Our purpose is to provide you the game.
- Your in-game progression data
- Your in-game friends and relations
If you have to authenticate with a Vertigo account, we process the following personal data up to 10 years after your last use of the Vertigo account:
- E-mail address
- User-ID or platform user-ID
- Password
- Which Vertigo games you own
- Your platform (Steam, Oculus etc.)
To provide matchmaking services, we process the following personal data up to 2 weeks after the matchmaking:
- Username
- IP-address
- To be able to secure our games, we process your IP-address up until 1 year after collection of the IP-address or 1 year after an incident in which your IP-address was involved has been handled. Our processing ground is our legitimate interest to secure our games.
- To be able to improve our games, we process the personal data mentioned below. Our processing ground is our legitimate interest to improve our games. If you do not wish for us to process the information mentioned below, you can send us an e-mail at legal@vertigo-games.com. An opt-out option in the game settings is being worked on.
We use diagnostics and analytics software of Sentry.io to process the following personal data up to 90 days after collecting the personal data:
- GPU and GPU driver
- The VR software development kit that you use
- The (VR) platform that you use
- The VR headset that you use and its serial code
- Username
- IP-address
- Used peripherals
- Game version
- Game settings
- Owned DLC
Sentry.io may store this personal data on its servers in the United States. Sentry.io has guaranteed us to store the information in accordance with the General Data Protection Regulation.
Other analytical data that we process for up to 2 years after collecting it:
- User-ID or platform user-ID
- Time, date, duration and general location of using our game
- Time and date of connections with the matchmaking servers
- In-game statistics (such as checkpoints reached, time spent per part)
- Device information (such as CPU, GPU, memory size, screen resolution, OS, language, VR device)
- If you contact us as a player, we process the personal data mentioned below up to 5 years after our last contact moment. Our processing ground is our legitimate interest to be able to reply on your requests.
- Name
- E-mail address
- Communication and content of e-mails
We may send our e-mail via Mailchimp. Mailchimp may store this personal data in the United States. Mailchimp has guaranteed us to store the information in accordance with the General Data Protection Regulation.
3.2 If you are a visitor to our websites (including the sub-pages of our games)
- To be able to secure our websites, we your IP-address up until 1 year after collection of the IP-address or 1 year after an incident in which your IP-address was involved has been handled. Our processing ground is our legitimate interest to secure our websites.
- To be able to improve our websites, we process the personal data mentioned below. Our processing ground is our legitimate interest to improve our websites. If you do not wish for us to process the information mentioned below, you can opt-out of analytical cookies in our cookie notice or cookie settings.
We use Google Analytics software and cookies to process the following personal data up to 2 years after collecting the personal data:
- User-ID
- Device information (such as CPU, memory size, screen resolution, OS, language)
- IP-address
- Device-ID
- How you use our website and your referral page (this data may also be processed by Facebook)
Google Analytics may store this personal data outside of the EEA. Google has guaranteed us to store the information in accordance with the General Data Protection Regulation.
- If you contact us as a visitor to one of our websites, we process the personal data mentioned below up to 5 years after our last contact moment. Our processing ground is our legitimate interest to be able to reply on your requests.
- Name
- Company name (if you are a business customer)
- E-mail address
- Communication and content of e-mails
- The type of games you are interested in (if provided in the contact form)
- Your general location (country and/or province level)
- If you opened our e-mail
We may send our e-mail via Mailchimp. Mailchimp may store this personal data in the United States. Mailchimp has guaranteed us to store the information in accordance with the General Data Protection Regulation.
- If you participate in contests, we process the personal data mentioned below up to 6 months after the contest is over and the prize has been sent.
If you participate in a contest, we process the following personal data based on our legitimate purpose to review your participation and compliance with the conditions of participation.
- Your general location (country and/or province level)
- Date of participation
- Date of birth
- Answers to the questions and/or actions taken for the contest
If you win a contest, we process the following personal data based on your consent to send you the prize.
- Name
- Address
- E-mail address
We host contests via Gleam.io. Gleam.io may store the personal data mentioned above in the United States. Gleam.io is bound to the standard contractual clauses as approved by the European Commission.
- If you sign up for our newsletter, we process the personal data mentioned below until you sign off. Our processing ground is your permission, granted by signing up for the newsletter.
- Name
- E-mail address
- Your general location (country and/or province level)
We may send our newsletter via Mailchimp. Mailchimp may store this personal data in the United States. Mailchimp has guaranteed us to store the information in accordance with the General Data Protection Regulation.
3.3 If you are a business customer or supplier
- We have a legal (tax) obligation to maintain a decent administration. For this purpose we process the personal data mentioned below up to 7 years after receiving the information.
- Name
- Company name
- Address
- Payment data and information
- Invoice data
- VAT identification number
- To handle payments, we process the personal data mentioned below up to 2 years after the end of the agreement for which the payment was made. Our processing ground is the performance of a contract with you.
- Payment data and information
- Invoice data
If you use a foreign payment provider, your personal data may be stored outside of the EEA.
- We may send you marketing material. We process the personal data mentioned below up to 5 years after our last contact moment. Our processing ground is our legitimate interest to send our customers and suppliers marketing materials for comparable services.
- Name
- Company name
- Address
- E-mail address
- Telephone number
- To be able to contact you, we process the personal data mentioned below.
If we need to contact you for the performance of our agreement, we process the personal data mentioned below up until 2 years after the end of the agreement or up until 5 years after our last contact moment (whichever comes first).
- Name
- Company name
- Address
- E-mail address
- Telephone number
- Communication and content of e-mails
- Skype-ID
The personal data mentioned above may be stored in our CRM (Zoho) and may be used for online signatures by Eversign. These parties may store the personal data outside of the EEA. Both parties are bound to the standard contractual clauses as approved by the European Commission.
If you contact us for another reason than the performance of a contract, we process the personal data mentioned below up until 5 years after our last contact moment. Our processing ground is our legitimate interest to be able to reply on your requests.
- Name
- Company name
- Address
- E-mail address
- Telephone number
- Communication and content of e-mails
- The type of games you are interested in (if provided in the contact form)
- Your general location (country and/or province level)
- If you opened our e-mail
- Your work related function
- Professional information and statistics (such as your website, channel, number of visitors and/or biographic information)
- VR platform/headset that is used
We may send our e-mail via Mailchimp. Mailchimp may store this personal data in the United States. Mailchimp has guaranteed us to store the information in accordance with the General Data Protection Regulation.
Your professional information and statistics may be stored in our CRM (Zoho). Zoho may store the personal data outside of the EEA, but is bound to the standard contractual clauses as approved by the European Commission.
- To be able to invite you to events, we process the personal data mentioned below up to 5 years after our last contact moment with you. Our processing ground is our legitimate interest to invite our customers to events for marketing purposes.
- Name
- Company name
- E-mail address
- Telephone number
- Date of birth
- Your work related function
We may send our invites via Mailchimp. Mailchimp may store this personal data in the United States. Mailchimp has guaranteed us to store the information in accordance with the General Data Protection Regulation.
- We may send you our newsletter. We process the personal data mentioned below until you sign off for the newsletter. Our processing ground is our legitimate interest to send our customers and suppliers marketing materials for comparable services.
- Name
- E-mail address
- Your general location (country and/or province level)
We may send our newsletters via Mailchimp. Mailchimp may store this personal data in the United States. Mailchimp has guaranteed us to store the information in accordance with the General Data Protection Regulation.
3.4 If you are press
- To be able to contact you, we process the personal data mentioned below.
If you contact us, we process the personal data mentioned below up until 5 years after our last contact moment. Our processing ground is our legitimate interest to be able to reply on your requests.
- Name
- Company name
- E-mail address
- Communication and content of e-mails
- The type of games you are interested in (if provided in the contact form)
- Your general location (country and/or province level)
- If you opened our e-mail
We may send our e-mail via Mailchimp. Mailchimp may store this personal data in the United States. Mailchimp has guaranteed us to store the information in accordance with the General Data Protection Regulation.
If we contact you without a prior request from you, we process the personal data mentioned below up until 5 years after our last contact moment. We will first ask you for permission to be able to contact you.
- Name
- Company name
- E-mail address
- Telephone number
- Communication and content of e-mails
- The type of games you are interested in (if provided in the contact form)
- Your general location (country and/or province level)
- Your work related function
- If you opened our e-mail
- Twitter account name
- Professional information and statistics (such as your website, channel, number of visitors and/or biographic information)
- VR platform/headset that is used
We may send our e-mail via Mailchimp. Mailchimp may store this personal data in the United States. Mailchimp has guaranteed us to store the information in accordance with the General Data Protection Regulation.
- To be able to invite you to events, we process the personal data mentioned below up to 5 years after our last contact moment with you. We will first ask you for permission to be able to invite you.
- Name
- Company name
- E-mail address
- Telephone number
- Date of birth
- Your work related function
We may send our e-mail via Mailchimp. Mailchimp may store this personal data in the United States. Mailchimp has guaranteed us to store the information in accordance with the General Data Protection Regulation.
- To be able to send you promotional gifts, we process the personal data mentioned below up to 5 years after our last contact moment with you. We will first ask you for permission to be able to send you promotional gifts.
- Name
- Address
4.Sharing personal data
We may use so called processors to process your personal data on our behalf. We conclude processing agreements with these processors, to assure they only process your personal data on our instruction.
We use the following types of processors:
- companies that provide storage of (personal) data and database management and maintenance:
- research firms and providers of analytical software to improve our services (e.g. privacy-friendly Google Analytics that does not share personal data with Google);
- hosting provider(s);
- providers of customer management software;
- providers of video software and storage.
If you provide additional information to these processors yourself, we are not responsible for this. It is wise to inform yourself properly about the processor and his company before you provide your personal data.
Sharing data with your consent
We may also share personal data with others if you give us permission to do so. For example we can cooperate with other parties to offer you specific services or offers. If you register for these services or marketing offers, we may provide your name or contact details if they are necessary to provide that service or contact you. Before we do this, you will always be expressly asked for your consent.
Sharing based on our legal responsibility
We may also share personal data with third parties if this is:
- reasonably necessary or appropriate to comply with our legal obligations;
2. necessary to comply with legal requests from authorities;
3. is required to respond to any legal claims;
4. necessary to protect the rights, property or safety of us, our users, our employees or the public;
5. is required to protect ourselves or our users against fraudulent, abusive, inappropriate or unlawful use of our services.
We will immediately notify you if a government agency makes a request that relates to your personal data, unless we are not allowed to do so on the grounds of the law.
Merger or sale (part) of the company
It may happen that we disclose, share or transfer your personal data when we transfer part of our business. Examples include (negotiations about) a merger, sale of parts of the company or obtaining loans. We will of course try to limit the impact for you as far as possible by transferring personal data only when necessary and anonymizing where possible.
5 . Protection of personal data
Protecting your personal data is of the utmost importance for us. We have therefore taken appropriate technical and organizational security measures in order to protect your personal data. These measures include, but are not limited to:
– We protect our databases with physical and electronic measures, to minimize the risk of unauthorized access, loss or misuse of personal data.
– We use TLS (Transport Layer Security) technology to encrypt sensitive information or personal data, such as account passwords and other identifiable information about payments.
– We make backups of personal data.
– Sensitive information is stored encrypted.
– Vulnerabilities in the software are dealt with as quickly as reasonably possible.
We would like to point out that we cannot guarantee absolute security when sending personal data via the internet or storing personal data. We advise you to take this into account before sharing personal data.
6 . Links to third party sites
Our websites and games may contain links to other websites and services. In addition, our platform can also provide advertisements from third parties. Third party websites and services can collect and retain information about you. If you provide your personal data to third parties, then we are not involved. We have no control over this sites or the activities of the third parties. In that case, the privacy policy of the third party applies. We are not responsible for the content of the privacy policy of these parties and the way in which these parties deal with personal data. We encourage you to review their privacy and security practices and policies before you provide personal information to them.
7.Cookies
We will make use of cookies when you visit our websites. More information about cookies and the cookies we place, can be found in our cookie policy on our website.
8.Your rights
Privacy legislation gives you certain rights with regard to your own personal data. The rights that we describe below are not absolute rights. We will always consider whether we can reasonably meet your request. If we cannot meet your request, or if it would be at the expense of the privacy of others, we can refuse your request. If we refuse a request, we will let you know and explain our reasons.
Right of access
You have the right to request which personal data we process about you. You can also ask us to provide insight into the processing grounds, relevant categories of personal data, the (categories of) recipients of personal data, the retention period, the source of the data and whether or not we use automated decision making.
You may also request a copy of your personal data that we process. Do you want additional copies? Then we can charge a reasonable fee for this.
Right to rectification
If the personal data processed by us about you is incorrect or incomplete, you can request us to adjust or supplement the personal data.
If we grant your request, we will, to the extent reasonably possible, inform the parties to whom we provide information.
Right to erasure
Do you no longer want us to process certain personal data about you? Then you can request us to delete certain (or all) personal data about you. Whether we will delete data depends on the processing ground. We only delete data that we process on the basis of a legal obligation or for the performance of the agreement if the personal data is no longer necessary. If we process data based on our legitimate interest, we will only delete data if your interest outweighs ours. We will make this assessment. If we process the data on the basis of consent, we will only delete the data if you withdraw your consent. Have we accidentally processed data or does a specific law require that we delete data? Then we will delete the data. If the data is necessary for the settlement of a legal proceeding or a (legal) dispute, we will only delete the personal data after the end of the proceedings or the dispute.
If we grant your request, we will, to the extent reasonably possible, inform the parties to whom we provide information.
Restriction of processing
If you dispute the accuracy of personal data processed by us, if you believe that we have processed your personal data unlawfully, if we no longer need the data or if you have objected to the processing, you can also request us to restrict the processing of that personal data. For example, during the time that we need to assess your dispute or objection, or if it is already clear that there is no longer any legal ground for further processing of those personal data, but you still have an interest in us not deleting the personal data. If we limit the processing of your personal data at your request, we may still use that data for the settlement of legal proceedings or a (legal) dispute.
Right to data portability
At your request, we may transfer the data that we automatically process to execute the agreement or based on your consent, to you or another party designated by you. You can make such a request at reasonable intervals.
Automated individual decision making
We do not take decisions based solely on automated processing.
Right of restriction of processing and withdrawal of permission
If we process data on the grounds of a legitimate interest, you may object to the processing. If we process data on the basis of your consent, you may withdraw that consent. For more information, please refer to the relevant processing purposes above.
Exercising your rights
You can send a request for access, correction, deletion, data transfer of your personal data or request for withdrawal of your consent or objection to the processing of your personal data to legal@vertigo-games.com.
To prevent abuse, we ask you to identify yourself adequately in the case of a written request for access, rectification or erasure. You can do this by sending a copy of a valid proof of identity. Do not forget to screen off your citizen service number and passport photo on the copy.
We strive to process your request, complaint or objection within a month. If it is not possible to make a decision within a month, we will inform you of the reasons for the delay and the time when the decision is expected to be made (no longer than 3 months after receipt).
Dutch Data Protection Authority
Do you have a complaint about our processing of your personal data? Please contact us. We are naturally happy to assist you. If we cannot come to a solution, you are also entitled to submit a complaint to the national privacy authority, in this case the Dutch Data Protection Authority. For this you can contact the Dutch Data Protection Authority via https://autoriteitpersoonsgegevens.nl.
9.Contact
If you have questions, concerns or comments about this privacy statement or our data processing, please contact us via e-mail on legal@vertigo-games.com.