Data Protection Guidelines of Bytro Labs GmbH

This is the data protection guideline of Bytro Labs GmbH (“Bytro Labs,” “we”). On our website („website“), we offer information on our services (“games”). In this data protection guideline we will inform you about which personal data we collect and process. We will also inform you about your rights. The responsibility of protecting and processing personal data is an important concern to Bytro Labs. Thanks to various technical and contractual measures, your data is protected against unauthorized access as well as loss. Bytro Labs took all technical and organizational measures necessary for this. In case of links directing to websites of third parties, please note that these companies provide own data protection guidelines that are applicable then. We provide our services only to persons of at least 16 years of age. Thus, we do not knowingly gather and process data of persons younger than 16 years of age.

I. Name and Address of Liable Entity

Liable in line with the General Data Protection Regulation and other national data protection laws of member states as well as any other data protection regulations is:

Bytro Labs GmbH
Zirkusweg 2
20359 Hamburg
e-Mail: support@bytro.com
Website: www.bytro.com

II. Name and Address of the Data Protection Officer

The data protection officer of the responsible party is:

Deloitte AB
Rehnsgatan 11, 113 79 Stockholm – Sweden

E-Mail: datenschutzbeauftragter@bytro.com

III. General Remarks on Data Processing

1. Extent of Processing of Personal Data
We gather and use personal data of our users generally only as far as it is necessary for providing a functional website as well as our contents and services. Gathering and using personal data of our users normally will happen only after the user’s consent was given. An exception is made for those cases where for factual reasons no prior consent could be obtained and processing the data is allowed by legal provisions.

2. Legal Basis for Processing of Personal Data
Insofar as we receive consent for the processing procedures from the affected person, Art. 6 para. 1 lit. a EU General Data Protection Regulation (GDPR) serves as legal basis for processing personal data.

For processing personal data necessary for executing a contract the affected person is contracting party of, Art. 6 para. 1 lit. b GDPR serves as legal basis. This also applies to processing procedures necessary to perform precontractual measures.

Insofar as processing personal data is necessary in order to fulfill legal obligations our company is subject to, Art. 6 para. 1 lit. c GDPR serves as legal basis.

In case vital interests of the affected person or another natural person call for personal data to be processed, Art. 6 para. 1 lit. d GDPR serves as legal basis.

If processing is necessary for upholding a justified interest of our company or a third party, as long as the interests, fundamental rights, and fundamental freedoms of the affected person do not outweigh the former interest, Art. 6 para. 1 lit. f GDPR serves as legal basis for processing.

3. Deletion of Data and Storage Period
All personal data of the affected person get deleted or blocked as soon as the reason for storing them expires. Besides, storing can take place when intended so by European or national lawmakers in form of Union regulations, laws, or other provisions the liable entity is subject to. Blocking or deletion of data also takes place when a storage period prescribed by said norms expires, unless there exists a necessity for continuing to store the data to conclude or fulfill a contract.

4. Data Security
We are eager to make arrangements to a reasonable extent in order to prevent unauthorized access or distortion of these data and minimize the according risks. Nonetheless, providing personal data, be it personally, by phone, or via internet, always involves a certain amount of risk as no technological system can be entirely free from the possibility of getting manipulated or sabotaged.

We process the data gathered from you in accordance with German and European data protection laws. All employees are bound to data secrecy and data protection regulations and trained accordingly. For payment processes, your data is transmitted in an encrypted form using the SSL method.

IV. Provision of Services and Creation of Log Files

1. Description and Extent of Data Processing
Upon every access of our website, our system automatically records data and information from the computer system of the accessing computer.

The following data are gathered in the process:

Internet protocol

IP address

URL of the directing website from which the file was requested

Date and time of access

Type of browser and operating system as well as hardware information

The site visited by you

Transmitted data volume

Access status (file transmitted, file not found, etc.),

Length and frequency of usage

The data are also saved in the log files of our system.

1. Legal Basis for Data Processing
Legal basis for temporarily saving data and log files is Art. 6 para. 1 lit. f GDPR.

2. Purpose of Data Processing
Having the system temporarily save the IP address is necessary in order to make delivering the services to the user’s computer possible. For this purpose the user’s IP address must be saved over the course of the session.
The saving in log files is done in order to ensure the functionality of the services. Also the data serve us in optimizing the services and in securing the security of our information technological systems. Only a statistical evaluation of the data sets takes place.

For supervising compliance with the terms of use and game rules, we reserve the right to store IP addresses and log files for a certain amount of time. This method in particular serves the purpose of being able to prevent potential cases of misuse or clearing them and, in individual cases, handing over the data to investigating authorities for this purpose. Apart from that, any other kind of data processing takes place in an anonymized form where possible. After this period expires, IP address and log files are deleted completely, unless there are mandatory legal retention obligations in place or concrete preliminary proceedings for prosecution or misuse are pendent.

These purposes also make up our justified and overriding interest in processing data pursuant to Art. 6 para. 1 lit. f GDPR.

1. Duration of Storage
The data are deleted once they are no longer needed for fulfilling the purpose they were gathered for.

2. Possibilities of Objection and Removal
Gathering data for services and saving data in log files is absolutely necessary to operate the website. Consequently, the user has no possibility of objecting those.

V. E-mail Contact

1. Description and Extent of Data Processing
Making contact is possible via the e-mail address provided. In this case the user’s personal data transmitted along with the e-mail are saved.

In this context no data are passed on to third parties. The data are used to process the request exclusively.

1. Legal basis for Data Processing
Legal basis for processing data when the user’s consent is present is Art. 6 para. 1 lit. a GDPR.

Legal basis for processing data transmitted in the course of sending an e-mail is Art. 6 para. 1 lit. f GDPR. If the e-mail contact is targeted at forming a contract, Art. 6 para. 1 lit. b GDPR is additional legal basis for processing.

2. Purpose of Data Processing
Processing the personal data for us serves the sole purpose of processing the contact. This is also what makes up the required justified interest in processing the data.

3. Duration of Storage
The data are deleted once they are no longer needed for the purpose they were gathered for. For personal data transmitted via e-mail that is the case when the respective conversation with the user has come to an end. The conversation has come to an end when it can be concluded from the circumstances that the issue in question has been resolved conclusively.

4. Possibilities of Objection and Removal
The user has the possibility to at any time revoke their consent to having personal data processed. If the user makes contact with us, they may at any time object to having their personal data stored. In such an event, the conversation cannot be continued. All personal data saved in the course of making contact will be deleted in this case.

VI. Data Protection for Applicants and During Application Process

We gather and process personal data of applicants for the purpose of handling the application process. The data is used to check your suitability for the position (or, as the case may be, other job openings in our company) and complete the application process. The processing may take place electronically as well. That is the case in particular if an applicant transmits their respective application documents to the head of department electronically, for example via e-mail or by using the online form that can be found on the website. Your applicant data will be sighted by the human resources department after receiving them. Suitable applications are then forwarded internally to the department heads in charge of the respective vacant position. Then the further procedure gets coordinated. As a matter of principal, in our company only those who need access to your data to ensure an orderly run of our application process will be granted it. If the person in charge of processing an application enters an employment contract with an applicant, the transmitted data, bearing in mind all legal provisions, will be saved for the purpose of handling the employment. If the person in charge of processing an application does not enter an employment contract with the applicant, the application documents will be deleted after announcing the rejection, unless the person in charge of processing the application holds other justified interests opposing deletion. Other justified interests in this sense are, for example, a burden of proof in a lawsuit under the General Equal Treatment Act (Allgemeines Gleichbehandlungsgesetz AGG). Legal basis for processing is Art. 6 para. 1 lit. b GDPR. Should the occasion arise that after completing the application process the data are required for prosecution, the data can be processed based on the requirements of Art. 6 GDPR, especially to appreciate justified interests pursuant to Art. 6 para. 1 lit. f) GDPR. Our interest in that case would be assertion of or defense against claims. We will delete data six months after a rejection unless you gave consent to a longer period of storing. Should your application be crowned by success in form of being offered a position, the data will be moved from the applicant data system over to our human resource management system.

VII. Online Presences in Social Media

We run online presences in social networks and platforms to be able to communicate with our customers, interested persons, and users who are active there and inform them about our services. Consequently, we published links to the respective companies’ sites. Any further exchange of information with these companies does not take place in this context. When accessing the respective networks and platforms, the terms of use and data processing guidelines of the respective operators apply. Unless stated differently within our data protection guideline, we process user data insofar as they communicate with us within the social networks and platforms, for example by leaving posts on our online presences or sending us messages.

VIII. Rights of Affected Persons

If personal data of yours is processed, you are an affected person in the sense of GDPR and thus hold the following rights against the liable entity:

1. Right to Information
You may demand confirmation from the liable entity on whether personal data regarding your person are processed by us.

In case such a processing takes place, you may demand disclosure of the following information from the liable entity:

  • the purposes the personal data are processed for;
  • the categories of personal data being processed;
  • the receivers or categories of receivers towards whom the personal data regarding your person were disclosed or will be disclosed;
  • the intended storage period of personal data regarding your person or, in case concrete information regarding this is impossible to give, criteria for determining the storage period;
  • the existence of a right to correction or deletion of personal data regarding your person, and of a right to limit processing by the liable entity or the right to object this processing;
  • the existence of a right to complain to a supervisory authority;
  • all information available on the origin of the data, provided the personal data are not given by the affected person;
  • the existence of an automated decision making including profiling pursuant to Art. 22 para. 1 and 4 GDPR and – at least in these cases – insightful information on the logic involved as well as scope and intended impact of such processing for the person affected.

You are granted the right to demand information on whether the personal data regarding your person are transmitted to a third country or an international organization. In this context you may demand to be educated about any suitable guarantees pursuant to Art. 46 GDPR connected with this transmitting.

2. Right to Correction
You hold a right to correction and/or completion against the liable entity, insofar as the processed personal data regarding your person are incorrect or incomplete. The liable entity has to make corrections immediately.

3. Right to Limit the Processing
Under the following requirements, you may demand a limitation of processing personal data regarding your person:

  • if you dispute the correctness of the personal data regarding your person for a period that allows the liable entity to check the correctness of the personal data;
  • if the processing is illegal and you reject the deletion of the personal data and instead demand the limitation of usage of the personal data;
  • if the liable entity no longer needs the personal data for purposes of processing, whereas you need them to assert, exercise, or defend legal claims, or
  • if you appealed against the processing pursuant to Art. 21 para. 1 GDPR and it is not decided yet whether the justified reasons of the liable entity outweigh your reasons.

If the processing of personal data regarding your person was limited, these data may – apart from storing them – be processed only with your consent, or in order to assert, exercise, or defend legal claims, or to protect the rights of another natural or legal person, or because of an important public interest of the Union or a member state.

If the limitation of processing was limited according the above-mentioned requirements, you will be informed by the liable entity before the limitation is lifted.

4. Right to Deletion
We offer the possibility of deleting or correcting your own personal data ingame on your own. When logged into your account, you may delete your personal data by choosing “Settings” and “Delete Account” at the end of the page.

a) Deletion Obligation
You may demand immediate deletion of personal data regarding your person from the liable entity in case one of the following reasons is applicable:

  • The personal data regarding your person are no longer required to fulfill the purposes they were gathered or processed in another way for.
  • You revoke your consent the processing pursuant to Art. 6 para. 1 lit a or Art. 9 para. 2 lit. a GDPR was based on and there is no other legal basis for processing.
  • You object the processing pursuant to Art. 21 para. 1 GDPR and there are no overriding justified reasons for processing, or you object the processing pursuant to Art. 21 para. 2 DPGR.
  • The personal data regarding your person were processed illegally.
  • The deletion of the personal data regarding your person is necessary in order to meet a legal obligation of Union law or law of a member state the liable entity is subject to.
  • The personal data regarding your person were gathered in regards to services offered by the information corporation pursuant to Art. 8 para. 1 GDPR.

b) Information for Third Parties
If the liable entity published the personal data regarding your person and if pursuant to Art. 17 para. 1 GDPR they are obliged to delete them, they will, bearing available technology and implementation costs in mind, take measures, including technical measures, to inform persons responsible for data processing, who process the personal data, that you, being the affected person, demanded deletion of all links to these personal data or copies or replicas of these personal data.

c) Exceptions
The right to deletion does not apply insofar as the processing is necessary

  • to exercise the right to free expression and information;
  • to meet a legal obligation requiring processing according to Union law or law of a member state the liable entity is subject to, or to perform a task of public interest or in the exercise of public authority granted to the liable entity;
  • for reasons of public interest from the public health sector pursuant to Abs. 9 para. 2 lit. h and i as well as Art. 9 para. 3 GDPR;
  • for archive purposes in the public interest, scientific or historic research purposes, or statistical purposes pursuant to Art. 89 para. 1 GDPR, insofar as the right mentioned under section a) foreseeably will make the realization of its objectives impossible or seriously compromise them, or
  • for assertion, exercise, or defence of legal claims.

5. Right to be Informed
If you asserted your right to correction, deletion, or limitation of processing against the liable entity, they are obliged to communicate this correction or deletion of data or limitation of processing to all receivers the personal data regarding your person were disclosed to, unless this turns out to be impossible or connected with disproportional efforts.

You hold the right against the liable entity to be informed about these receivers.

6. Right to Data Transferability
You hold the right to receive the personal data regarding your person you provided the liable entity with in a structured, common, and machine-readable form. Furthermore you hold the right to hand on these data to another liable entity without obstacles from the liable entity who received the personal data in the first place, if

  • the processing is based on consent pursuant to Art. 6 para. 1 lit a GDPR or Art. 9 para. 2 lit a GDPR, or on an agreement pursuant to Art. 6 para. 1 lit b GDPR and
  • processing takes places using automated procedures.

In application of this law, you also hold the right to have the personal data regarding your person transmitted from one liable entity directly to another liable entity, as far as that is technically possible. Freedoms and rights of other persons are not to be affected by this.

The right to data transferability does not apply to processing personal data necessary for performing tasks of public interest or in the exercise of public authority granted to the liable entity.

7. Right to Object
You hold the right to object the processing of personal data regarding your person, happening pursuant to Art. 6 para. 1 lit. e or f GDPR, at any time for reasons resulting from your special situation; this also applies to any profiling based on these provisions.

The liable entity no longer processes the personal data regarding your person, unless they can proof compelling legitimate reasons that outweigh your rights and freedoms, or if the processing serves the purpose of asserting, exercising, or defending legal claims.

If the personal data regarding your person is processed in order to pursue direct advertising, you hold the right to object the processing of personal data regarding your person for the purpose of advertisements of that kind at any time; this also applies to any profiling connected with such direct forms of advertising.

If you object the processing for purposes of direct advertising, the personal data regarding your person will no longer be processed for these purposes.

You have the possibility, in the context of services performed by the information corporation – regardless of directive 2002/58/EG – to exercise your right to objection by means of automated methods using technical specifications.

8. Right to Revoke Data Protectional Declarations of Consent
You hold the right to revoke your data protectional declaration of consent at any time. The legality of any processing that took place based on the consent prior to the revocation remains untouched by the revocation of consent.

9. Automated Decision Making in Individual Cases Including Profiling
You hold the right not be subject to a decision based on an exclusively automated processing – including profiling – that takes legal effect on you or significantly affects you in similar ways. This does not apply if the decision

a) is necessary for concluding or fulfilling a contract between you and the entity liable,
b) is legal based on Union or member state regulations the liable entity is subject to and these regulations contain appropriate measures to protect your rights and freedoms as well as justified interests, or
c) happens with your explicit consent.

However, these decisions must not be based on special categories of personal data pursuant to Art. 9 para. 1 GDPR, unless Art. 9 para. 2 lit a or g apply and appropriate measures to protect the rights and freedoms as well your justified interests were taken.

Regarding the cases mentioned in (a) and (c), the liable entity takes appropriate measures to protect the rights and freedoms as well as your justified interests, part of which at minimum must be the right to have a person intervene on the part of the liable entity, to explain the own standpoint, and to challenge the decision.

10. Right to Complain to a Supervisory Authority
Irrespective of any other legal or judicial remedy, you hold the right to complain to a supervisory authority, in particular in the member state of your residence, your workplace, or the presumed place of breach, if you are of the opinion that the processing of the personal data regarding your person violates the GDPR.

The supervisory authority receiving the complaint informs the complainant on the status and results of the complaint, including the possibility of legal remedy pursuant to Art. 78 GDPR.