Privacy Policy Microsoft Start Apps

Lotum GmbH, Am Goldstein 1, 61231 Bad Nauheim, Germany ("Lotum" or "we") respects and protects your personal data.

Lotum collects, processes or uses personal data exclusively within the applicable legal framework. Therefore, the high data protection level of the General Data Protection Regulation (GDPR) holds true.

  1. Field of application
  1. We develop games ("Microsoft Start Games") that are available on Microsoft Start, a platform provided by the Microsoft Corporation, One Microsoft Way, Redmond, Washington 98052-6399, USA ("Microsoft"). In this privacy policy we inform you about the collection, processing and use of data concerning the Microsoft Start Games.
  2. Insofar as individual services of Lotum have different privacy policies, these apply.
  3. The Microsoft Start Games can only be accessed via Microsoft Start, which is operated solely by Microsoft, and only if you have registered for the Microsoft network. The processing of data by Microsoft when you register your Microsoft account and every time you access Microsoft Start is excluded from the field of application of this privacy policy. Likewise, cookies that Microsoft may use for statistical evaluations when you access Microsoft Start are not within this privacy policy's scope. Microsoft organizes the aforementioned data processing independently and on its own responsibility, without us having any influence on this. For further information on this data processing by Microsoft see Microsoft’s privacy policy under https://privacy.microsoft.com/de-DE/.

  1. Data processed when accessing and using the Microsoft Start Games
  1. When you first access one of our Microsoft Start Games, we will assign you one unique ID per Microsoft Start Game (the "Player ID"). Lotum uses the Player ID solely to create your player profile in the Microsoft Start Game to the extent necessary for using the game and aggerate certain game data, e.g., the number of levels played, within this player profile. Besides this, Lotum uses no personal data or device data to provide you with the gaming experience. Lotum will not use this data to create user profiles for any other purpose than to provide the Microsoft Start Games. Microsoft provides us with no personal information of yours and at no point does Lotum receive any personal data from your Microsoft account. The data processing in this context is carried out for the purpose of performing the contract with you on the use of the Microsoft Start Game pursuant to Art. 6 (1) (b) GDPR. If you want to have the aforementioned data on you including the player profile deleted, you can, for example, send an email to games@Lotum.de. In order to be able to identify the data concerning you for deletion, we need your Player ID. Please note that it is not possible to use the Microsoft Start Games without such a player profile. If you use our Microsoft Start Games again after deletion of your player profile, a new player profile will be set up for you.
  2. In order for you to access and play the respective Microsoft Start Game including all game functions, Lotum collects and processes data on the use of the Microsoft Start Game (data on game progress such as completed levels, decisions and answers made in the game, jokers and player aids used, high scores achieved, ongoing and paused game sessions). This data is linked to the Player ID and added to your player profile by Lotum. At no point will any of this data be transferred to or shared with Microsoft. The processing of this data for the use of the Microsoft Start Game is carried out for performance the contract with you on the use of the Microsoft Start Game pursuant to Art. 6 (1) (b) GDPR.

  1. Usage analysis via Firebase
  1. The Microsoft Start Game implements functions of the Firebase service, which is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").
  2. Data on the general use of the Microsoft Start Game are collected and evaluated via the Firebase service (so-called Google Analytics for Firebase). For these purposes, information on whether and how you use certain parts of the Microsoft Start Games is collected together with the IP address, a hash of your Player ID and other technical data on your device and the configurations assigned to it (hereinafter "Device-Related Data"), such as the manufacturer and model of the device, the language setting as well as the country from which you use the Microsoft Start Game. At no time will personal data from your player profile, such as your username and Player ID, be transmitted to Google in clear text.
    Google evaluates such data on our behalf and compiles aggregated reports for us. We use these reports to gain insight into the general use of the Microsoft Start Game, in order to use this information to improve the content and functions of the Microsoft Start Game and, in particular, to eliminate existing errors and problems. In addition to this, we also get access to the in-game activity of individual users through Google, based on an anonymized user-id. Nevertheless, it is not relevant for Lotum which User used the respective Microsoft Start Game and to what extent. It is therefore not a matter of creating user profiles for Lotum but rather of providing functional Microsoft Start Games through the analysis of aggregated reports from Google. Google may also transfer these data to servers operated by Google LLC in the USA and analyse them there. However, in member states of the European Union or in other states that are party to the Agreement on the European Economic Area your IP address will be shortened and thus made anonymous before it is transmitted to a Google server in the USA.
  3. Google also processes the aforementioned data collected via the Firebase service to the extent covered by its own privacy policy which you can find at https://policies.google.com/privacy. There you will also find additional information on Google's handling of personal data.
  4. We would like to point out that the transmission of data to servers in the USA used by Google LLC may involve additional risks, for instance the enforcement of your rights to these data may be more difficult. In order to counter these risks, the standard data protection clauses by the EU Commission have been concluded with Google LLC for this data transfer, including appropriate protective measures, which, depending on the need for protection of the data, also include data encryption and can be improved in accordance with the legal and technical conditions for appropriate protection of the data. If data is transferred to Google LLC in the USA, such transfer is based on Article 46 (2) (c) GDPR.
  5. We only use Firebase for the data analysing purposes described above, if you consent to it via the Microsoft Start platform settings. In these cases, the legal basis for the processing of your data is Article 6 (1) (a) GDPR. You may revoke an already granted consent for data processing at any time with effect for the future. We have further concluded a data processing agreement with Google in accordance with Article 28 GDPR on data processing in the context of error analysis. Accordingly, Google will only process the data collected in this context in accordance with our instructions for this purpose. This forwarding of data to Google is therefore based on Article 28 GDPR.

  1. Usage analysis and data visualization via Looker
  1. We also use Looker in our Microsoft Start Games. This analytics and data visualization service is provided by Looker Data Science Inc., 101 Church Street Santa Cruz, CA 95060, USA („Looker").
  2. We use this service to evaluate and visualize the use of our Microsoft Start Games in order to identify any need for improvement and a scope for making the functions and content of the Microsoft Start Games even more user-friendly, and to be able to further develop our Microsoft Start Games on this basis. For this purpose, we use Looker to view how the user base generally interacts with the Microsoft Start Game and whether and how certain functions and game content are generally used (for example, whether a certain game level is reached and successfully completed by Users at all). Looker in this context doesn’t collect any data by itself, but rather exclusively uses the data previously collected via the Firebase service. With the help of these data, Looker creates aggregated reports on the interactions of the user base in the respective app as a whole and, if applicable, also in specific game sections. Looker may also include demographic information about the user base of our Microsoft Start Games (such as approximate age group and gender) in the reports. Even beyond that, we only ever receive aggregated data and no information that we could relate to individual users, as it is only relevant for the aforementioned purpose how the user base or specific user groups use the Microsoft Start Game but not specific, individual Users.
  3. Further information and the applicable privacy policy on Looker's handling of personal data can be found at https://looker.com/trust-center/privacy/policy/.
  4. The data used by the analysis service may be transferred by Looker to servers in the USA. In this particular case, Looker and we guarantee that appropriate protection measures are in place in accordance with Article 44 et seq. GDPR. In particular, Looker and we have agreed on the standard data protection clauses of the EU Commission as a precautionary measure which provide for appropriate protection measures for the specific case, such as encryption of the data, in accordance with Article 46 (2) (c) GDPR. The measures are also continuously developed and supplemented to the extent necessary to ensure an adequate level of data protection throughout.
  5. We only use Looker in connection with Google Firebase for the data analysing purposes described above, if you consent to it via the Microsoft Start platform settings. In these cases, the legal basis for the processing of your data is Article 6 (1) (a) GDPR. You may revoke an already granted consent for data processing at any time with effect for the future.

  1. Error analysis with Sentry Analytics
  1. In order to detect and correct technical errors, we use the service Sentry Analytics provided by Functional Software, Inc. dba Sentry, 132 Hawthorne Street, San Francisco, CA 94107, USA ("Sentry"), within our Microsoft Start Games.
  2. For this purpose, during the play session of a Microsoft Start Game, technical details regarding the use of the game and any in-game actions will be stored locally on your device. In the event of an error, these technical details, insofar they are relevant based on the time at which the error occurred, as well as your IP address will be transmitted to Sentry and processed by Sentry along with the following data: Information regarding the hardware and operating system of your device, the name and version of the Microsoft Start Game used, a hash of the Player ID as well as the date, time, details of the error that occurred and game-related data connected to the error. At no time will personal data from your player profile, such as your username and Player ID, be forwarded to Sentry in clear text. Sentry will not profile you at any time. Based on the aforementioned information, Sentry, on behalf of Lotum, merely provides reports and evaluations of apparent errors, including the circumstances of the error's occurrence which may therefore provide insight on possible causes for the error. In this context, the above-mentioned information will also be transmitted to and stored on a Sentry server in the USA. However, Sentry will not merge the data transmitted as part of the Sentry service with any other data and the data will only be used to analyse and correct the technical error. The data collected will be stored by the Sentry service for a maximum of 90 days and deleted afterwards.
  3. For further information and the applicable privacy policies of Sentry please visit https://sentry.io/terms/ and https://sentry.io/privacy/.
  4. We use the Sentry service to resolve any errors in our Microsoft Start Games and difficulties in using them as swiftly and thoroughly as possible, and thus to further develop our services continuously for ensuring a smooth user experience. The basis for using the Sentry service is our legitimate interest, as described above, in accordance with Art. 6 (1) (f) GDPR. Your legitimate interests are taken into account by removing any personal reference after a transmission of the technical data from your end device, but before its analysis. If you still do not want your data to be collected by the Sentry service in case of a possible error analysis, we must ask you to refrain from playing the free Microsoft Start Games.
  5. We would like to point out that Sentry may also process data outside the EU or the European Economic Area, in particular on servers located in the USA. This may result in risks for Users, for example because it may make it more difficult to enforce Users' rights. We take these risks into account by taking appropriate protective measures in accordance with Art. 44 et seq. GDPR in particular by agreeing on the standard data protection clauses of the EU Commission with Sentry, which provide for appropriate protective measures such as encryption of data in individual cases. If data is transferred to Sentry in the USA, this is based on Art. 46 (2) (c) GDPR.

  1. Storage period and erasure of data
  1. We process your personal data as long as it is necessary to achieve the purposes of the processing, or is prescribed by a legal obligation to store the data. Subsequently, the data is deleted in accordance with statutory laws.
  2. Data that we store for legal reasons, however, is stored for as long as this is required by law. After expiry of a statutory retention period, the data will be deleted without undue delay, unless there are other reasons within the meaning of Art. 17 (3) GDPR opposing the deletion.

  1. Data security

    Lotum has taken appropriate technical and organisational measures to protect personal data against accidental loss, damage, unauthorised access or unauthorised changes. In particular, Lotum will transmit data only in encrypted form. However, Lotum points out that privacy and data security cannot be guaranteed for transmissions outside Lotum's sphere of influence.

  1. Transmission to Third Parties
  1. We store and process all data, e.g., User-ID and game data, necessary for the provision of the Microsoft Start Game only locally on your device.
  2. Lotum will not pass on the user's personal data to third parties unless the user has expressly consented to the transfer (Art. 6 (1) (a) GDPR), or Lotum is entitled or obliged to do so by legal provisions or court orders. In the latter case, the transmission is carried out by Lotum to fulfil a legal obligation pursuant to Art. 6 (1) (c) GDPR.

  1. User rights
  1. Right to object

    The user has the right to object at any time to data processing based on Art. 6 (1) (e) or (f) GDPR for reasons arising from his particular situation, unless Lotum can prove compelling reasons worthy of protection, which outweigh the interests of the user, or the processing serves to assert, exercise or defend legal claims. The user can object to data processing for the purpose of direct advertising at any time without special reasons being required.

  1. Right to information

    The user has the right to obtain free of charge from Lotum the personal data stored by Lotum concerning him or her, the processing purposes, their origin, which transfer to which recipients or categories of recipients took place, the storage period and the rights of the data subjects available to him or her.

  1. Right to correction, deletion and/or restriction of data processing

    Furthermore, the user has the right to request at any time the correction of incorrect data, the deletion and/or restriction of the processing of personal data stored about him or her, insofar as there is no legal obligation for Lotum to keep records or other reasons in the sense of Art. 17 (3) GDPR which prevent deletion. Insofar as this includes personal data that is necessary for the provision of services to the user, the deletion or restriction of the processing of this data can only take place when the user no longer uses Lotum's services.

  1. Right to data portability

    If the user provides data relating to him or her and Lotum processes such data on the basis of the user's consent or in order to fulfil the contract, the user may request that he/she receives such data in a structured, current and machine-readable format from Lotum or that Lotum transmits such data to another controller, insofar as this is technically possible (so-called right to data portability).

  1. Right to revoke consent

    Any consent given by the user to the use of personal data can be freely revoked by the user at any time with effect for the future.

  1. Right to complain to a supervisory authority

    The user may also lodge a complaint with a supervisory authority against data processing which he or she considers to be in breach of the statutory provisions.

  1. Changes to the Privacy Policy

Lotum reserves the right to change this privacy policy at any time, while Lotum will always comply with the legal requirements of data protection. Therefore, Lotum recommends that users regularly take note of the applicable privacy policy. Lotum will inform users in advance of any further use of data, for example via in-game notification or so-called push notifications in your browser, if you allow such push notifications.

Lotum GmbH, Am Goldstein 1, 61231 Bad Nauheim, Germany

Data Protection Officer of Lotum GmbH: Susanne Klein, c/o Beiten Burkhardt Services GmbH, Ganghoferstraße 33, 80339 München, Germany, privacy@lotum.de