PRIVACY POLICY FOR APPS

Lotum one GmbH, Am Goldstein 1, 61231 Bad Nauheim, Germany, ("Lotum" or "we") respects and protects your personal data.

The following Privacy Policy is intended to provide you with more detailed information about the collection, processing and use of data in connection with our games offered as mobile applications ("the Games Apps").

Lotum collects, processes and uses personal data exclusively in accordance with the applicable legal regulations. Therefore, the high data protection level of the General Data Protection Regulation ("GDPR") applies.

1. Scope of Application

1.1. This Privacy Policy is intended for all users of the Games Apps ("Users"). If certain services or individual apps of Lotum have a different data protection declaration, such declaration shall apply.

1.2. The scope of this Privacy Policy does not include services and offers of third parties that may be referred to in the Games App by so-called links. Lotum neither assumes responsibility for their content nor for compliance with data protection regulations by these third parties, unless otherwise stated in the privacy policy of the linked content. This applies, for example, to links via which social networks such as Facebook or chat apps such as WhatsApp can be accessed, and to links in advertisements that are played. For information on the handling of the User's personal data and their respective protection on these platforms, please refer to the privacy statement on the respective platform.

2. DOWNLOADING AND INSTALLING THE GAMES APPS

When you download and install our Games Apps, the operator of the platform through which you obtain the respective app (for example Apple, Inc. for the AppStore and Google Ireland Limited for the Google PlayStore) collects personal data required for the download. These data include in particular your name, your e-mail address and your postal code, time of download, the IP address and the individual device identification number of your device (so-called IMEI), as well as your payment information, if applicable. This collection and processing of your personal data is, however, basically carried out solely by the respective platform operator without our participation in the data processing or our ability to influence it. In this respect, the data protection provisions of the platform operator apply, which can be viewed on the platform in question. We only receive and process personal data collected by the platform operator to the extent necessary for the download and provision of the Games App. If we process personal data as part of the installation, this is done on the basis of the contract on the subscription and use of the Games App that you concluded with us when downloading and installing the app, in accordance with Article 6 (1) sentence 1 lit. b) GDPR.

3. COLLECTION, PROCESSING AND USE OF DATA WHEN USING THE GAMES APPS

3.1. When you start and use Lotum's Games Apps, depending on the Games App, a connection may be automatically established to the servers used by us in order to retrieve current content. Information that your device transmits to us is logged in the process. This includes the IP address of the device you are using, data on the operating system used as well as the installed Games App and its version, date and time (including time zone) of the respective access to the contents of the Games App as well as the information on which specific contents have been requested for the respective Games App. In addition, Lotum may collect and process personal data in order to fulfil its contractual obligations with the User, e.g. to create the User's player profile. Depending on the respective Games App, this data includes name and IP address and data identifying the User's device.

3.2. Lotum collects and processes these data in order to provide the Games App and the respective current content of the Games App. The provision of these data is not required by law, but is necessary for the conclusion of the user contract for the respective Games App and the associated service by Lotum. The User may voluntarily provide Lotum with further data with respect to the offer. The basis of this data processing for the fulfilment of contractual obligations is Article 6 (1) sentence 1 lit. b) GDPR.

4. IN-APP PAYMENTS

4.1. In some Games Apps, we may offer certain additional versions and content for purchase, e.g. the use of an ad-free version of the app. In order to conclude the corresponding contract and the associated payment processing, it is necessary to enter bank details or other payment-related data (e.g. credit card). For payment processing, we use the services provided by the respective operator of the platform through which you have obtained the Games App (for example, Apple, Inc. for the AppStore and Google Ireland Limited for the Google PlayStore). The aforementioned information will be processed accordingly together with the necessary usage data by the operator of the respective platform, insofar as this is necessary to process the payment. Details on the handling of your personal data in connection with the payment processing can be found in the privacy statement of the respective platform operator which can be viewed on the corresponding platform.

4.2. The use of these payment services is mandatorily required by the platform operator in order for us to be allowed to offer the app on the respective platform and also serves to provide you with an easy and smooth payment process in the app.

4.3. This data processing in connection with the purchase of additional content in the respective Games App, including payment processing, is carried out for the conclusion and processing of the contract regarding this content and thus on the basis of Article 6 (1) sentence 1 lit. b) GDPR.

5. SUPPORT REQUESTS AND CONTACT VIA THE GAMES APP

5.1. If you notify our customer support or otherwise contact us (e.g. with a contact form in the Games App), the information you provide in the contact, including the contact details given there, will be processed for the purpose of handling your enquiry and processing it, including investigating and rectifying any problems in the Games App and in the event of follow-up questions. In the event of a request to our customer support via the Games App, information on the Games App, your game progress and, if applicable, the problematic part of the game as well as technical data on your device will also be processed automatically.

5.2. We process this data in accordance with Article 6 (1) sentence 1 lit. b) GDPR, as far as you contact us within the framework of an existing contract for the use of the Games App or for the purpose of initiating such a contractual relationship. Otherwise, the storage and use of the data takes place on the basis of Article6(1) sentence 1 lit. f) GDPR, whereby our legitimate interest is the careful processing of your respective request and the solution of any technical problems.

6. ERROR REPORTING AND USAGE ANALYSIS VIA FIREBASE

6.1. The Games App implements functions of the Firebase service which is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").

6.2. Data on the general use of the app are collected and evaluated via the Firebase service (so-called Google Analytics for Firebase). At the same time, reports on errors and crashes that occur in the app are generated to analyse and resolve these errors and crashes. For these purposes, information on whether and how you use certain parts of the Games App is collected together with the IP address and other technical data on your device and the configurations assigned to it (hereinafter "Device-Related Data"), such as the manufacturer and model of the device, the language setting and the advertising ID as well as the country from which you use the app. In order to generate error reports, details about the error that occurred, information about the affected Games App and, if necessary, game-relevant data will be collected and processed additionally, but only if such an error occurs while you are using the app. Google evaluates such data on our behalf and compiles aggregated reports for us. We use these reports to gain insight into the general use of the Games App as well as into the errors that have occurred, in order to use this information to improve the content and functions of the app and, in particular, to eliminate existing errors and problems. Google may also transfer these data to servers operated by Google LLC in the USA and analyse them there. However, in member states of the European Union or in other states that are party to the Agreement on the European Economic Area your IP address will be shortened and thus made anonymous before it is transmitted to a Google server in the USA.

6.3. Google also processes the aforementioned data collected via the Firebase service to the extent covered by its own privacy policy which you can find at https://policies.google.com/privacy. There you will also find additional information on Google's handling of personal data.

6.4. We would like to point out that the transmission of data to servers in the USA used by Google LLC may involve additional risks, for instance the enforcement of your rights to these data may be more difficult. In order to counter these risks, we have concluded the standard data protection clauses by the EU Commission with Google LLC for this data transfer and also stipulated appropriate protective measures therein, which, depending on the need for protection of the data, also include data encryption and can be improved in accordance with the legal and technical conditions for appropriate protection of the data. If data is transferred to Google LLC in the USA, such transfer is based on Article 46 (2) lit. c) GDPR.

6.5. The data processing for analysis and error reporting is based on Article 6 (1) sentence 1 lit. f) GDPR. Our legitimate interest is to ensure that the Games App runs properly and without errors, for which purpose we must quickly identify and analyse any errors that occur. For this purpose, we require information on the error and the technical circumstances and actions in the game under which the error occurred, while it is not relevant for Lotum which User used the respective app and to what extent. It is therefore not a matter of creating user profiles for Lotum but rather of providing functional Games Apps, which is also why we only receive aggregated reports from Google. We have further concluded a data processing agreement with Google in accordance with Article 28 GDPR on data processing in the context of error analysis. Accordingly, Google will only process the data collected in this context in accordance with our instructions for this purpose. This forwarding of data to Google is therefore based on Article 28 GDPR.

7. FACEBOOK ANALYTICS

7.1. We also use Facebook Analytics in the Games Apps. This analytics service is provided by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook").

7.2. We use this service to evaluate the use of our Games Apps in order to identify any need for improvement and a scope for making the functions and content of the Games Apps even more user-friendly, and to be able to further develop our Games Apps on this basis. For this purpose, we use Facebook Analytics to record and view how the user base generally interacts with the Games Apps and whether and how certain functions and game content are generally used (for example, whether a certain game level is reached and successfully completed by Users at all). Facebook Analytics also collects IP addresses and Device-Related Data in this context. With the help of these data, Facebook creates aggregated reports on the interactions of the user base in the respective app as a whole and, if applicable, also in specific game sections. Facebook also includes demographic information about the user base of our Games Apps (such as approximate age group and gender) in the reports. Even beyond that, we only ever receive aggregated data and no information that we could relate to individual users, as it is only relevant for the aforementioned purpose how the user base or specific user groups use the Games Apps but not specific, individual Users. In addition, in order to prevent us from drawing conclusions about individual Users, we are only shown reports if a certain minimum number of Users is combined in the relevant data records. Under no circumstances do we combine the information with other data on individual Users.

7.3. Further information and the applicable privacy policy on Facebook's handling of personal data can be found at https://www.facebook.com/policy.php.

7.4. We use Facebook Analytics to protect our legitimate interests (Article 6 (1) sentence 1 lit. f) GDPR), whereby our legitimate interest is to be able to provide Users with the best possible functionalities in our Games Apps in order to offer Users the best possible gaming experience. For this purpose, we need to know how certain user groups act in our Games Apps, at what point games are cancelled and what kind of features are preferred. In this respect, at no time does Lotum focus on the individual User but always on generalised user groups, which is why we only receive aggregated reports from Facebook. The interests of the individual users are taken into account by the fact that they and their personal gaming behaviour remain unknown to us, especially since we cannot combine the aggregated data that we receive from Facebook with our own data in such a way that we could identify the individual User.

7.5. The data collected by the analysis service may also be transferred by Facebook to servers of Facebook, Inc. in the USA. In this particular case, Facebook and we guarantee that appropriate protection measures are in place in accordance with Article 44 et seq. GDPR. In particular, Facebook and we have agreed on the standard data protection clauses of the EU Commission as a precautionary measure which provide for appropriate protection measures for the specific case, such as encryption of the data, in accordance with Article 46 (2) lit. c) GDPR. The measures are also continuously developed and supplemented to the extent necessary to ensure an adequate level of data protection throughout.

8. PARTNER SERVICES FOR ADVERTISING IN THE GAMES APPS

We integrate services of advertising networks in the Games Apps with which we cooperate in order to be able to display third-party advertising to you while you are using the Games Apps.

In this context we use services of different advertising networks, whereby the personal data concerning you may be sent to several of the integrated advertising networks. By integrating different advertising networks, we ensure that only advertisements are displayed that are approved and specifically available by the advertiser for the respective country from which you have installed and use the relevant Games App. We generally make our Games Apps available worldwide which is why the advertisements shown in them are subject to different legal requirements depending on the User's country. The advertisement networks each work with different advertisers who may target their ads to only certain countries and adapt them solely to the legal requirements applicable there. In addition, advertisers have also set certain restrictions, such as a general maximum number of advertisements to be displayed per user or certain media in which the advertisements are to be displayed. However, we can only view individual advertisers and advertising campaigns relevant to our Game Apps in very limited cases in advance and therefore cannot evaluate them more precisely. To ensure that we are nevertheless always able to display advertising that has been approved by the advertiser for the User's region and may be specifically played, we use different advertising networks. Since we can only provide the free Games Apps by financing it through advertising, we have a legitimate interest in generally displaying advertising to the individual User in our Games Apps in order to generate revenue and to be able to continue to offer the apps free of charge, if possible worldwide.

However, personalisation of displayed advertising is only activated to the extent permitted by law. In particular, we only use data of a User who resides in the EU to display personalised advertising to this User if the respective User has consented to this in advance. In these cases, the legal basis for the processing of your data in connection with personalised advertising is your consent pursuant to Article 6 (1) sentence 1 lit. a) GDPR. You may, of course, revoke an already granted consent for data processing for personalised advertising at any time with effect for the future. Please note that we also display advertising to finance the free Games Apps if you have not consented to personalised advertising or have revoked such consent. In that case the advertising displayed will not be personalised, i.e. not adapted to your personal interests and usage habits. Only general information will be taken into account, for example the respective Games App and the country from which the app was installed and launched. More details on the display of these non-personalised advertisements and their legal basis are explained below for the individual advertising services.

For some games we may also offer you the option of purchasing a paid, ad-free version. In ad-free versions, of course, no advertising services are implemented and accordingly no data processing takes place for the purpose of displaying advertising in the app.

8.1. Google AdMob

8.1.1. The advertising network AdMob which is operated by Google is used in our Games Apps to integrate third-party advertising. In this context, Google receives information about the respective Game App (name, category and language of the Game App), Device-Related Data of your device as well as the IP address of your device, which is, however, shortened and only used in an abbreviated form, and information about some of your interactions in the app. The aforementioned data may also be transmitted to Google LLC servers in the USA for the AdMob service. Google processes this data in order to select specific advertisements without giving us the opportunity to exert any further influence, and to limit the display of an advertisement, especially in the case of multiple displays to a specific User. We have no insight into the selection of specific advertisements and the related data processing, nor do we have any more precise setting options to be able to influence this. Google uses the collected data in accordance with Google's privacy policy.

8.1.2. Google also records whether and if so, how you interact with the advertisement, the IP address and individual Device-Related Data of your device as well as, if applicable, your further usage behaviour following a click on the advertisement, in order to evaluate the success of the respective advertisement together with the aforementioned data and to properly invoice us and the advertiser accordingly. Based on their evaluations, Google also creates aggregated reports for us on the scope and results of the advertising. However, this only gives us access to aggregated data on the results of the advertising which Lotum cannot trace back to individual persons.

8.1.3. Further details on the processing of data by Google can be found in Google's privacy policy (https://policies.google.com/privacy) and in the information on the use of data from integrated Google services (https://policies.google.com/technologies/partner-sites?hl=de).

8.1.4. The basis for data processing as part of the AdMob service is our legitimate interest pursuant to Article 6 (1) sentence 1 lit. f) GDPR. It is our legitimate interest to play advertising to Users in order to finance the creation and further development of the free Games Apps. Financing through advertising allows us to generally offer the Games Apps worldwide. It is also in our legitimate interest to use the AdMob network which is specifically tailoured to advertising for apps, to display advertising that fits as coherently as possible into the format of the Games Apps and is not perceived by Users as annoying or inappropriate. As the Games Apps are available free of charge and are solely for your entertainment purposes, it is not apparent that your interests are overriding in this respect. For certain Games Apps we also offer you the option to use a paid, ad-free version of the Game Apps.

8.1.5. The transfer to servers of Google LLC in the USA is based on Article 46 (2) lit. c) GDPR. For this transfer we have agreed the standard data protection clauses of the EU Commission with Google LLC. Together with these clauses, we and Google LLC have also defined and implemented appropriate protection measures that take into account the need for protection of the data in each specific case and include encryption of the data. These measures are also continuously adapted in accordance with the legal and technical conditions for effective protection of the data in order to provide continuous assurance of an adequate level of protection.

8.2. ironSource

8.2.1. Furthermore, we implement the ironSource advertising service of ironSource Mobile Ltd, 121 Menachem Begin Rd, Tel Aviv, Israel ("ironSource"). ironSource collects the following information in order to independently and autonomously determine the advertisements to be played: your IP address, Device-Related Data on your device, including your operating system, the mobile network operator you use and how your device is connected to the Internet (e.g. via WLAN). ironSource also processes these data in order to limit the display of a particular advertisement, if necessary, especially if it has already been displayed to you several times.

8.2.2. If advertisements are called up for display in a Games App or if you click on one of these advertisements, ironSource records, among other things, your interaction with the advertisement, your IP address, your game progress in the Games App and, if applicable, your further usage behaviour after clicking on the advertisement. ironSource uses this information and the aforementioned data for advertising display in order to record the results of the respective advertisement and to create aggregated reports for us on this, as well as to properly invoice us and the advertiser based on this.

8.2.3. You can find further information on the handling of your personal data within the scope of this service in the ironSource privacy policy at https://developers.ironsrc.com/ironsource-mobile/air/ironsource-mobile-privacy-policy.

8.2.4. Data processing in connection with the ironSource service is legally based on Article 6 (1) sentence 1 lit. f) GDPR. Our legitimate interest here is to generate revenue in order to finance the development of the Games Apps provided free of charge and to be able to continuously improve and develop the Game Apps without financial costs for users. As the Games Apps are available free of charge and are solely for your entertainment purposes, it is not apparent that your interests are overriding in this respect. For certain Games Apps we also offer you the option to use a paid, ad-free version of the Game Apps.

8.2.5. We would like to point out that in connection with the integration of ironSource, personal data relating to you will be transferred to the State of Israel and thus outside the EU and the European Economic Area. A Decision on the Adequate Protection of Personal Data by the State of Israel exists by the EU Commission (No. 2011/61) regarding the transfer of data to Israel, so that an adequate level of data protection is also guaranteed there. The basis for this transfer is therefore Article 45 GDPR.

8.3. Facebook Audience Network

8.3.1. Our Games Apps also include advertising through the advertising network Facebook Audience Network. This advertising network is offered by Facebook. With this network, Facebook collects data on the respective Games App, Device-Related Data on your device and the IP address of your device. Facebook may also process these data on servers in the USA. Facebook uses these data to independently select the specific advertising in a process that is not accessible to us, as well as to limit the display of an advertisement, especially in the case of multiple displays to a specific User. We have no insight into the selection of specific advertisements and the related data processing, nor do we have any more precise setting options to be able to influence this.

8.3.2. If an advertisement is displayed to you by the Facebook Audience Network or if you click on such an advertisement, Facebook also records your interaction with the advertisement, as well as your further usage behaviour, if any, following a click on the advertisement. With these data, Facebook determines the results of the respective advertisement and processes them for the purpose of invoicing us and the advertiser. In this context, Facebook also provides reports for us and the advertiser, which, however, only provide aggregated data on the respective advertising and its results and which we are therefore unable to trace back to individuals or separate by individuals.

8.3.3. For more information on the handling of your personal data and their protection by Facebook, please see Facebook's privacy statement at https://www.facebook.com/policy.php.

8.3.4. The processing of data by the Facebook Audience Network is carried out in order to pursue our legitimate interests pursuant to Article 6 (1) sentence 1 lit. f) GDPR. This legitimate interest is to display advertising to Users in order to finance the development and customisation of the freely available Games Apps. Financing through advertising allows us to generally offer the Games Apps worldwide. As the Games Apps are available free of charge and are solely for your entertainment purposes, it is not apparent that your interests are overriding in this respect. For certain Games Apps we also offer you the option to use a paid, ad-free version of the Games App.

8.3.5. If data is transferred to servers of Facebook in the USA, such transfer is based on Article 46 (2) lit. c) GDPR. We have concluded the standard data protection clauses adopted by the EU Commission with Facebook for transferring data by the Facebook Audience Network, having included the implementation of appropriate protective measures. Facebook and we also regularly review the need for possible additions and, if necessary, the implementation of additional appropriate protection measures within the meaning of Article 44 et seq. of the Data Protection Regulation, to the extent as this is necessary to continuously grant a suitable level of data protection.

9. ADVERTISING ON FACEBOOK FOR LOTUM'S OFFERS

9.1. We advertise our own offers and Games Apps on websites and apps of other providers using Facebook's advertising services. Through these services, advertisements are displayed on the websites and apps of other providers who are part of the Facebook advertising network and have implemented the advertising network accordingly. Facebook also provides us with aggregated reports to track the success of our advertisements.

9.2. Facebook decides independently on the specific advertisements displayed and on the processing of your personal data in connection with the selection and displaying of these advertisements via the Facebook advertising network. In this respect, we can only impose abstract restrictions on user categories to which our advertising can potentially be shown at all, when the advertising is ordered, on the basis of a number of default settings defined by Facebook. However, Facebook carries out the data processing in connection with the selection of the user and the display of the advertisement independently and without any further instructions from us. Facebook does not receive any personal data from us in this context and we do not have any insight into the data processed by Facebook of the users to whom advertisements are shown, nor do we have any further influence on the related data processing.

9.3. Facebook also records the success of our advertisements for invoicing and analysis purposes. When the Games Apps are installed, both we and Facebook receive information that the User clicked on one of our advertisements, was redirected to the platform page where the relevant Games App can be downloaded, and then installed our app. This information may also be sent to Facebook servers in the USA. This links contacts that Users have with advertisements in apps of the Facebook advertising network (visual contacts and clicks on advertising banners) with subsequent interactions of the Users in our Games Apps, including the installation and launch of the specific app. The data collected in this way is also statistically analysed by Facebook. Facebook provides us with parts of the evaluations in the form of aggregated reports (so-called Facebook Ads Manager function), with which we gain an overview of the effectiveness of the advertising. We receive data on the results of our advertising and aggregated demographic information (such as approximate age group and gender) about the total Users who have viewed and clicked on our ads. However, we cannot view information that would personally identify Users. We do not combine the reports with any other personally identifiable information about individual Users.

9.4. The legal basis for the data processing described above in connection with the measurement of the effectiveness of our advertising on Facebook is our legitimate interests pursuant to Article 6 (1) sentence 1 lit. f) of the GDPR. Our legitimate interests are to be able to track the results and effectiveness of our advertisements via Facebook, and to be able to validate Facebook's invoicing for advertisements based on this. Your interests are taken into account by the fact that Facebook only displays advertisements to registered users of the Facebook social network and therefore only data of these Facebook users are used in the context of our advertising evaluation. During the registration process for the Facebook network, Facebook explicitly points out the processing of data for advertising purposes, including by advertisers such as us, and asks for the Facebook user's consent to such data processing. In addition, you can opt-out of our processing for measuring the effectiveness of our advertising.

9.5. Data are transferred to Facebook only in compliance with suitable protective measures in accordance with Article 44 et seq. GDPR. To this end, we have concluded the standard data protection clauses adopted by the EU Commission with Facebook in accordance with Article 46 (2) lit. c) GDPR. The clauses also provide for protective measures tailoured to the transfer which are continuously developed and adapted in order to ensure an appropriate level of data protection throughout.

9.6. Further information on the processing of your personal data by Facebook in the context of advertising on Facebook and the rights to which you are entitled in this context can be found here: https://www.facebook.com/policy.php.

9.7. You can also control the types of advertisements you see on the Facebook advertising network by visiting the page set up by Facebook and following the instructions there on how to set up usage-based advertising: https://www.facebook.com/settings?tab=ads. The settings you make on this website are applied throughout all platforms, i.e. they are applied to all devices on which you log into your Facebook account (such as desktop computers or mobile devices).

10. Facebook Login

10.1. In some Games Apps, you will need to create a player profile and provide some information (such as the player name you choose) according to the registration form.

In some Games Apps, we also offer you the option of creating a player profile by entering the login data of your Facebook user account (so-called "Facebook Login", formerly known as "Facebook Connect"), if you express your consent to this by clicking on the corresponding button to connect to Facebook ("Log in with Facebook"). The Facebook Login function is offered by Facebook. The login data of your Facebook account will be sent directly to Facebook. We do not have access to your login data. After verification of your login data, Facebook only informs us about the following data from your Facebook user account: the registered name, your profile picture, your language setting, and the country from where you are playing. Facebook further checks which other Facebook users with whom you are connected on Facebook (so-called "friends") have already played the respective Games App and provides us with this information. Lotum receives and uses the aforementioned data to set up your player profile in the Games App. We also use the information about your friends on Facebook to enable you to invite a Facebook friend to a joint game session and to easily start this game session. However, we only process this information to the extent necessary for a joint gaming session.

10.2. By using the Facebook Login function, Facebook receives the information that you have created a player profile for the relevant Games App and can link this information to your Facebook user account. Information on how Facebook handles your personal data can be found in Facebook's privacy statement at: https://www.facebook.com/privacy/explanation

10.3. Data processing with the Facebook Login function is legally based on your consent (Article 6 (1) p. 1 lit. a) GDPR) which you give when calling up Facebook Login and subsequently entering your login data to your Facebook account. You can revoke your consent to data processing when using Facebook Login at any time with effect for the future.

10.4. The transfer of your personal data to Facebook in this context is based on Article 46 (2) lit. c) GDPR. In this respect, above statements of section 9.5 apply accordingly.

11. Apple Sign In

11.1. In some Games Apps that require you to register with a player profile, you may also create your player profile by signing in to your Apple services profile (called an Apple ID account) if you express your consent to do so by clicking on the appropriate Apple connection button. The function required for this ("Apple Sign in") is provided by Apple Distribution International Ltd Hollyhill Industrial Estate, Hollyhill, Cork, Ireland ("Apple"). The necessary feature (called "Apple Sign In") is provided by Apple Distribution International Ltd. Hollyhill Industrial Estate, Hollyhill, Cork, Ireland ("Apple"). We do not have access to the login details of your Apple profile. After verification of your login data, we will only be informed about the following data from your Apple profile: the registered name, your Apple ID, your language setting, and the country from where you are playing.

11.2. Data processing for Apple Sign in is legally based on your consent (Article 6 (1) sentence 1 lit. a) GDPR) which you give when calling up Apple Sign in and subsequently entering your login data to your Apple ID account. You may revoke your consent at any time with effect for the future.

11.3. By using Apple Sign in, Apple may receive the information that you have created a player profile for the relevant Games App. Information on how Apple handles your personal data can be found in Apple's privacy statement at: www.apple.com/de/ privacy

11.4. In the event that the Apple Sign in feature transfers personal data concerning you to Apple, Inc. in the USA, Apple has ensured prior to the transfer that this transfer is covered by the EU Commission's standard data protection clauses pursuant to Article 46 (2) (c) of the GDPR. Apple and we also take additional technical security measures to protect your data, including appropriate encryption, pseudonymisation and reducing data processing as far as possible.

12. INVITING PLAYERS USING LINKS

12.1. In certain Games Apps, you may also be able to create an invitation to a shared gaming session with a direct link to the specific gaming session in order to send this invitation to a contact via a messenger app or by other means (e.g. e-mail). When the invitation to a game is created, a specific link is generated in the Games App that leads directly to the gaming session in the Games App.

12.2. To generate the direct link to the gaming session and to match the relevant Users in the same gaming session, we use the Firebase Dynamic Links service provided by Google. When the recipient clicks on an accordingly generated link to a gaming session, Google collects the recipient's IP address as well as information about the respective Games App and Device-Related Data about the used device. Google uses these data on our behalf to direct the recipient to the correct game in the Games App. For this purpose, the App must determine whether it was your contact who has clicked on the link and for which gaming session you have invited the recipient.

12.3. The data processing in connection with the direct link to the gaming session is carried out for the purpose of giving players an easy and direct way to start a gaming session with others and is therefore legally based on Article 6 (1) sentence 1 lit. f) GDPR. Our legitimate interest is to make it as easy and convenient as possible for our Users to start a game together and thus to provide Users with a special gaming experience. This is also in the interest of our Users, both the sender and the recipient of invitations to play a game. A possible conflicting interest of a recipient to the effect that their data is not transferred to Google is allowed for by the fact that such a data transfer only takes place if the recipient voluntarily clicks on the sent invitation link and thereby expresses that he or she accepts the game invitation. From this point on, it can no longer be assumed that the recipient has a conflicting interest regarding the processing of his or her personal data through our Games App.

12.4. From the aforementioned data, Google also compiles reports on the use of links to Games Apps which we evaluate. These reports provide us with information about the use of the generated links, the functioning of the link and any subsequent app openings or installations of the relevant Games App. However, we do not receive any information about the user navigation following the click on the link. All these reports only contain aggregated data and do not allow us to draw any conclusions about individual Users; data about individual Users are not visible to us. The data processing described above is necessary to protect our legitimate interests (Article 6 (1) sentence 1 lit. f) GDPR), whereby our legitimate interest is to be able to provide users with the best possible functionalities in our Game Apps in order to offer users an optimal gaming experience. For this purpose, we need insights from the Users' interactions with the provided links and their functionalities.

12.5. Google also processes the aforementioned data collected via the Firebase service to the extent covered by its own privacy policy which you can find at http://policies.google.com/privacy. There you will also find additional information on Google's handling of personal data.

12.6. We would like to point out that the transmission of data to servers in the USA used by Google LLC may involve additional risks, for instance the enforcement of your rights to these data may be more difficult. In order to counter these risks, we have concluded the standard data protection clauses by the EU Commission with Google LLC for this data transfer and also stipulated appropriate protective measures therein, which, depending on the need for protection of the data, also include data encryption and can be improved in accordance with the legal and technical conditions for appropriate protection of the data. If data is transferred to Google LLC in the USA, such transfer is based on Article 46 (2) lit. c) GDPR.

13. ERROR EVALUATION USING SENTRY ANALYTICS

13.1. In order to detect and correct technical errors, we use the Sentry Analytics service provided by Functional Software, Inc. dba Sentry, 132 Hawthorne Street, San Francisco, CA 94107 ("Sentry"). For this purpose, during the game session of a Games App, technical details on the use of the game and any action in the game are stored locally on your device. In the event of an error, these technical details, insofar as they are temporally related to the occurrence of the error, as well as your IP address are transmitted to Sentry and processed by Sentry together with the following data: information on the hardware and the operating system used on your device, name and version of the Games App used as well as the date, time, details of the error that occurred and game-related data in connection with the error. It is not possible for Sentry or us to identify you from the data transmitted to and processed by Sentry. Sentry also does not profile you at any time. On the basis of the above information, Sentry will, on behalf of Lotum, only produce reports and evaluations of identifiable errors, including the circumstances under which the error occurred, which may therefore provide information about possible causes of the error. In this context, the aforementioned data are also transmitted to a Sentry server in the USA and stored there. However, the data transferred for the Sentry service will not be associated to other data by Sentry and will be used solely for the analysis and correction of the technical error. The data collected will be stored by the Sentry service for a maximum of 90 days and then deleted.

13.2. Further information and Sentry's applicable privacy policy can be found at https://sentry.io/terms/ and https://sentry.io/privacy/.

13.3. We use the Sentry service to eliminate errors in our Games Apps and difficulties in their use as quickly and comprehensively as possible and thus to be able to continuously develop our offer towards an even smoother user experience. The basis for the use of the Sentry service is our legitimate interest, as described above, pursuant to Article 6 (1) sentence 1 lit. f) GDPR. Your legitimate interests are taken into account by removing any personal reference after a transmission of the technical data from your end device, but before its analysis. If you still do not want your data to be collected by the Sentry service in case of a possible error analysis, we must ask you to refrain from playing the free Games Apps.

13.4. We would like to point out that Sentry may also process data outside the EU or the European Economic Area, in particular on servers located in the USA. This may result in risks for Users, for example because it may make it more difficult to enforce Users' rights. We take these risks into account by taking appropriate protective measures in accordance with Art. 44 et seq. GDPR in particular by agreeing on the standard data protection clauses of the EU Commission with Sentry, which provide for appropriate protective measures such as encryption of data in individual cases. If data is transferred to Sentry in the USA, this is based on Art. 46 (2) (c) GDPR.

14. STORAGE, STORAGE PERIOD AND DELETION OF DATA

14.1. We will process your personal data for as long as is necessary to achieve the purposes of the processing, is required by law to retain the data or is necessary for other reasons. Subsequently, the data will be deleted in accordance with the statutory provisions.

14.2. However, we retain data that we store for legal reasons for as long as this is legally required. After expiry of a statutory retention period, the data are deleted immediately, unless there are other reasons preventing deletion in terms of Article 17 (3) GDPR.

15. Data security
Lotum has taken appropriate technical and organisational measures to protect personal data against accidental loss, damage, unauthorised access and unauthorised alteration. In particular, Lotum's data are only transferred in encrypted form. Lotum however clarifies that data protection and data security cannot be guaranteed for transfers outside Lotum's sphere of influence.

16. DISCLOSURE OF PERSONAL DATA TO THIRD PARTIES

16.1. Personal data will only be transferred to third parties without the User's explicit consent if this is necessary for the provision of Lotum's services (e.g. for the technical provision of the offer), unless stated otherwise at another point in this Privacy Policy. Accordingly, a transfer of data to such service providers (such as technical service providers) takes place in order to protect our legitimate interests pursuant to Article 6 (1) sentence 1 lit. f) GDPR, namely in order to be able to provide our Games Apps for retrieval at all. Of course, Lotum will ensure that the respective service provider has taken appropriate technical and organisational measures to guarantee the security of the data before forwarding the User's personal data.

16.2. We store the data which we collect when the Games Apps are used with the help of third-party services. We use the Google Cloud and Google Firebase services, both of which are provided by Google. These services may also collect and possibly store the IP address of your device when you use the Games Apps, but for a maximum of 30 days. However, Lotum does not receive the IP addresses directly and only views IP addresses collected by these services in exceptional cases and only if a legal basis exists, in particular insofar as this is necessary to protect Lotum's legitimate interests (e.g. during maintenance work or in the event of the investigation of technical problems). Google also transfers the collected data to their servers in the USA. We use these services to provide the aforementioned data for playing the Games App efficiently and with the lowest possible error rate to thereby ensure a smooth use of the game features. The legal basis for the associated data processing is Article 6 (1) sentence 1 lit. f) GDPR, whereby our legitimate interest is an optimal, technically sound provision of the Games App. As we have already explained several times above, we have concluded the standard data protection clauses adopted by the EU Commission with Google to safeguard the transfer of data to the USA. We have also concluded a data processing agreement with Google. The forwarding of personal data to Google in connection with the aforementioned services is therefore based on Article 46 (2) lit. c) and 28 GDPR.

16.3. Otherwise Lotum will not pass on the User's personal data to third parties, unless the User has expressly consented to the transfer (Article 6 (1) sentence 1 lit. a) GDPR) and Lotum is neither entitled nor obliged to transfer the data due to legal regulations or court orders. In the latter case, Lotum will transfer the data in order to fulfil a legal obligation according to Article 6 (1) sentence 1 lit. c) GDPR.

17. User Rights

17.1. Right to Object
The User has the right to object at any time, for reasons arising from the User's particular situation, to data processing based on Article 6 (1) sentence 1 lit. f) GDPR, unless Lotum can prove compelling reasons worthy of protection outweighing the User's interests, or the processing serves to assert, exercise or defend legal claims. The User may object to data processing for the purpose of direct marketing at any time without having to furnish special reasons for doing so.

17.2. Right to Information
The User has the right to obtain from Lotum information on personal data concerning the User stored at Lotum, on purposes of the processing, where such data come from, what kind of disclosure has been carried out, recipients or categories of recipients to whom personal data have been disclosed, storage period, and on the data subject's rights, free of charge, in writing or electronic form.

17.3. Right to Rectification, Erasure and/or Restriction of Data Processing
The User also has the right to demand at any time the rectification of inaccurate data, the deletion and/or, under the legal conditions, the restriction of the processing of the personal data stored about this User. The right to erasure exists only to the extent that Lotum is not legally required to retain the data and that there are no other reasons in terms of Article 17 (3) GDPR that prevent the erasure. Insofar as this includes personal data that are necessary for the provision of services to the User, the erasure or restriction of the processing of such data may only be carried out once the User no longer uses Lotum's offer.

17.4. Right to Data Portability
Moreover, in case the User has provided personal data concerning the User, and Lotum has processed these data due to the User's consent or for the purposes of performance of contract, the User has the right to request to be provided with these data from Lotum in a structured, commonly used and machine-readable format, as well as the right to have this information transmitted by Lotum to another data controller, where it is technically feasible (so-called right to data portability).

17.5. Right to Withdraw a Consent

All consents to the use of personal data declared by the User can be freely revoked by the User at any time with effect for the future.

17.6. Right to Lodge a Complaint with a Supervisory Authority
The User may also lodge a complaint with a supervisory authority against a data

processing which in the User's opinion violates the statutory provisions.

18. Changes to this Privacy Policy

Lotum reserves the right to change this Privacy Policy at any time, and Lotum will always comply with the legal requirements of data protection. Therefore, Lotum recommends that Users regularly take note of the most up-to-date Privacy Policy. Lotum will inform Users in advance on further use of data, for example by messages in this respect, in the Games App or by so-called push notifications, insofar as you have allowed such push notifications.

Lotum one GmbH, Am Goldstein 1, 61231 Bad Nauheim, Germany

Data Protection Officer: Susanne Klein, c/o Beiten Burkhardt Services GmbH, Ganghoferstra├če 33, 80339 Munich, Germany, privacy@lotum.de