We, Super Crowd Entertainment GmbH (“SuperCrowd” or “we”), wish to inform you about our processing of your personal data when using our mobile app “SuperCrowd” (“App”) in accordance with the General Data Protection Regulation (“GDPR”).

I. General Information

1. Data Protection Officer

Responsible under the GDPR, other national data protection laws of the member states, and other data protection regulations is:

Super Crowd Entertainment GmbH
Papenstraße 27a
22089 Hamburg
Email: support@super-crowd.com
Website: www.super-crowd.com

2. Legal bases for processing personal data

We process some of your personal data on the following legal bases:

a) Consent of the data subject

If we obtain consent from the data subject for specific purposes, the legal basis is Art. 6 (1) sentence 1 lit. a GDPR.

b) Fulfillment of contractual obligations

If processing is necessary for the performance of a contract to which you are a party, the legal basis is Art. 6 (1) sentence 1 lit. b GDPR. This also applies to processing operations required to carry out pre-contractual measures.

c) Legal requirements and obligations

If processing is necessary to comply with a legal obligation to which we are subject, the legal basis is Art. 6 (1) sentence 1 lit. c GDPR.

d) Protection of legitimate interests

If processing is necessary to protect our legitimate interests or those of a third party and your interests, fundamental rights and freedoms do not override the aforementioned interest, the legal basis is Art. 6 (1) sentence 1 lit. f GDPR.

3. Storage duration and deletion of personal data

The personal data will be deleted or blocked as soon as the purpose for processing no longer exists.

4. Recipients of personal data

Internally, only those departments process personal data that need it to fulfill their processing purposes. This also applies to our commissioned processors, service providers, and agents. All departments and individuals working with personal data are obligated to confidentiality and have been informed about the sensitive handling of such data.

Personal data will only be passed on to third parties if this is in line with data protection regulations. In particular, individuals involved in our business operations (e.g., banks, tax consultants, IT and EDV service providers) as well as government agencies/authorities may receive your personal data, provided this is necessary to fulfill a legal obligation.

5. Data processing in third countries

Our services may require the processing of personal data in countries outside the EU/EEA (“third countries”) by our processors. If personal data processing takes place and there is no European-standard level of data protection in the country confirmed by an adequacy decision pursuant to Art. 45 (3) GDPR by the EU Commission, we have established appropriate guarantees in the sense of Art. 46 GDPR with the affected processors using EU standard contractual clauses. A copy of the EU standard contractual clauses can be found here: https://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32021D0914&from=DE.

Where third-country processing takes place, we point this out below.

6. Data Subject Rights

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights against us as responsible:

a) Right to information

You have the right, according to Art. 15 GDPR, to request information about the personal data we process. In particular, you can request information on

• the processing purposes,
• the category of data,
• the categories of recipients to whom your data has been or will be disclosed, and the information on whether the personal data is transferred to a third country or an international organization (in this context, you can request to be informed about the appropriate guarantees according to Art. 46 GDPR),
• the planned storage duration,
• the existence of a right to rectification, deletion, restriction of processing or objection,
• the existence of a complaint right,
• the origin of their data, if not collected by us
• and the existence of automated decision-making including profiling according to Art. 22 (1) and (4) GDPR and – at least in these cases – meaningful information about the logic involved as well as the scope and the intended effects of such processing for the data subject.

b) Right to rectification

You have the right, according to Art. 16 GDPR, to demand the correction and/or completion of your personal data if it is incorrect or incomplete. We must make the correction immediately.

c) Right to restriction of processing

You have the right, according to Art. 18 GDPR, to request the restriction of the processing of your data, as far as the accuracy of the data is disputed by you or the processing is unlawful.

If the processing restriction has been restricted, you will be informed by us before the restriction is lifted.

d) Right to erasure

You have the right, according to Art. 17 GDPR, to request the deletion of your personal data, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the assertion, exercise or defense of legal claims.

e) Right to notification

If you have asserted the right to rectification, deletion or restriction of processing against us, we are obliged to inform all recipients to whom the personal data have been disclosed of the rectification, deletion of personal data or restriction of processing, unless this proves to be impossible or involves a disproportionate effort.

f) Right to data portability

You have the right, according to Art. 20 GDPR, to receive your personal data that you have provided to us in a structured, common and machine-readable format or to request the transfer to another responsible party.

g) Right to object

You have the right, according to Art. 21 GDPR, to object to the processing, as far as the processing is based on Art. 6 (1) sentence 1 lit. e or lit. f GDPR.

h) Right to revoke the data protection consent declaration

You have the right, according to Art. 7 (3) GDPR, to revoke your data protection consent declaration at any time. The revocation of consent does not affect the legality of the processing carried out on the basis of the consent until the revocation.

i) Right to complain to a supervisory authority

You have the right, according to Art. 77 GDPR, to complain to a data protection supervisory authority about our processing of your personal data.

II. Specific data processing when using the mobile app “SuperCrowd”

When using the app, the following processing of personal data takes place:

1. Download of the App

Our app is provided via the platforms of Google (Google Play) and Apple (App Store). The platforms also offer the possibility of in-app purchases and other services. We have no influence on their data processing, and the respective platform operator is the data protection officer. Their respective terms of use and privacy notices apply.

The privacy notices of the Google Play Store can be found here: https://policies.google.com/privacy?hl=de

The privacy notices of the Apple AppStore can be found here: https://support.apple.com/de-de/HT211970

2. Hosting of the App

All data generated during the use of the app is stored on servers. The data stored on servers is accessed for various processing purposes.

The data processing in the form of storing personal data is based on the user agreement you accepted during the app installation; hence the legal basis is Art. 6 (1) sentence 1 lit. b GDPR.

Personal data will be deleted from the servers as soon as there is no reason for processing, typically upon termination of the contractual relationship, unless legal regulations require longer retention.

For this processing on servers, we use the service provider […], with whom we have concluded a contract for order processing.

3. Registration

Using our app requires creating an account. This primarily enables us to assign friend codes to the respective user. The following categories of personal data may be processed:

• Selected account name
• Email address (optional)

For optional use of Single-Sign-On services, the following data is required for registration:

• […]

The data processing is based on the user agreement, thus according to Art. 6 (1) sentence 1 lit. b GDPR.

Personal data will be deleted as soon as there is no reason for processing, typically upon termination of the contractual relationship, unless legal regulations require longer retention.

4. Usage of the App

The use of the app requires data processing, without which the app cannot be operated. These data processing activities are particularly necessary to make the app available and functional as well as to identify and rectify errors.

The following categories of personal data may be processed:

• Account name
• Internal ID
• Linking with the AppStore or Google Play
• Type of device used (iPhone, iPad, etc.)
• Model number
• Device operating system
• Device setting data
• Date of download
• App version
• Days since download (“Account age”)
• Duration of app usage
• Number of app accesses
• Error message (via an ID: which user had an error)
• Progress: stickers collected
• Loot Vault
• Player Level
• Avatar appearance
• Friends list
• Which faction one has joined
• What the user has unlocked
• Which users one has scanned in which event
• Which event one has joined

The data processing is based on the user agreement, thus according to Art. 6 (1) sentence 1 lit. b GDPR.

Finally, the following categories of personal data can be processed:

• Player name (real name)
• Place of residence
• Favorite food
• Hobby
• Email address
• Email provider linkage

The data processing is based on your consent, thus according to Art. 6 (1) sentence 1 lit. a GDPR. Consent can be revoked at any time by changing the app settings or in the user account. The revocation of consent does not affect the legality of the processing carried out on the basis of the consent until the revocation.

Personal data will be deleted as soon as there is no reason for processing, typically upon termination of the contractual relationship, unless legal regulations require longer retention.

5. Creation of Aggregated Information

We create aggregated (summarized, not user-specific) statistical information from the available personal data. We use this statistical information for various purposes, such as optimizing the app, improving our services and marketing campaigns, or similar. The aggregated information is no longer personal data.

During aggregation, the following categories of personal data may be used:

• Number of users per event
• Number of users in the voluntary faction
• Amount of experience per faction per event
• Sticker scan rate
• Window opening rate
• Number of clicks on a link
• Total number of friends collected per event
• Number of users in a faction per event

The creation of aggregated statistical information is based on our legitimate interest in enabling versatile evaluations and assessments of our games, Art. 6 (1) sentence 1 lit. f GDPR. Your interests do not override this, as the aggregation of data removes the reference to persons and thus enables anonymous and data-saving further processing.