PRIVACY POLICY - SUPERFUSE
PRIVACY POLICY – SUPERFUSE
Version 1.0 – January 2023
1. Stitch Heads
Superfuse is a video game developed by Stitch Heads B.V. We are a Dutch company that is globally active. We store our data on servers in the European Economic Area, unless stated otherwise below.
We process your personal data when you play Superfuse (including its expansions, updates and DLC insofar applicable). In this privacy policy we summarize when and how we collect, use and secure your personal data, as well as your rights to your data various laws, including but not limited to the EU General Data Protection Regulation (“GDPR”), the U.S. Children’s Online Privacy Protection Act (“COPPA”) and the California Consumer Privacy Act (“CCPA”), and the choices you have associated with that data.
This privacy policy describes:
· The information we may collect, how we may collect such information and the purposes of our collection;
· How we may use and with whom we may share such information;
· How you can access and update your information; and
· How we protect the information we may store about you.
Disclosure to California Residents: In our efforts to comply with applicable regulation, we ask and advise that California residents review the CCPA Disclosure section at the end of this privacy policy. Although we do not sell end user data, we will provide notice if at any time those circumstances change.
2. General
We may change provisions of this privacy policy from time to time. If we do that, we will inform you of the changes. However, we also advise you to check for yourself from time to time whether the privacy policy has been changed.
3. Which personal data do we collect and for which purposes?
There are a number of ways in which we can collect your personal data if you play our game. Below we explain which personal data we may collect from you. The personal data is processed according to your role and to the different processing purposes. The data retention period also differs depending on the processing goal. Note that should there be any legal changes to the possible data retention periods, these legal changes will take precedence over the periods mentioned in this privacy policy.
Provision of the game
A. To be able to provide you the game and the intended experience, we process the personal data mentioned below. Our processing ground is the performance of a contract with you.
Playing offline
If you play our game offline, we process the ID of the platform you use to play our game (such as your Steam-ID if you use Steam). Other data is stored locally. You may choose to share this information with the platform you use, but this is a processing activity between you and the platform (for example Steam cloud saving). We are not involved in this data processing. For more information on how the platform processes your data, please consult the privacy policy of the relevant platform.
Playing online
If you play our game online, the following personal data is processed until you request removal of your account or personal data. Our purpose is to provide you with the game. This information is provided to us by the platform you use to play our game, except your game progression and last login which is collected by our game.
· The ID of the platform you use to play our game (such as your Steam-ID if you use Steam)
· Your profile name (for example your Steam profile name if you use Steam)
· Game progression and save data
· Account-ID (linked via your platform account)
· Friends list
· Online or offline status
· Language preferences
· Last login
This personal data will be shared with i3D. The ID of the platform you use to play our game and your game progression and save data are also processed by Google. These parties may process your personal data in the United States, although we did conclude standard contractual clauses with them.
For the provision of our game if you play online, we make use of the Epic Online Services. We will share with Epic the ID of the platform you use to play our game, your profile name and your last login on the relevant platform.
Your account is not linked to Epic Games
If your platform account is not yet linked to an Epic Online Services Product User ID, we will link an Epic Online Services Product User ID to the ID of the platform you use to play our game. This allows us to authenticate you, in order for us to be able to load the correct save data. Epic Games may process your personal data in the United States, although we did conclude standard contractual clauses with them.
Your account is linked to Epic Games
If your platform account is already linked to an Epic Games Account, we will receive from Epic Games your Epic Account ID, profile name, friends list, online or offline status, language preferences and country. This personal data is processed by us in order to be able to provide you with the online game experience.
Matchmaking
To provide matchmaking services, we process the following personal data for the duration of the play session if you use the matchmaking option of our game. This data is processed by i3D. They may process your personal data in the United States, although we did conclude a data processing agreement and standard contractual clauses with them.
· User-ID
· IP-address
· Player region (based on IP-address)
· In-game chat
Analytics and improving our game
B. To be able to improve our game, we process the personal data mentioned below as you play our game. Our processing ground is our legitimate interest to improve our game. If you do not wish for us to process the information mentioned below, you can opt-out through the settings in our game or send us an e-mail at support@stitchheads.com.
We use diagnostics and analytics software of MongoDB and Epic Online Services to process the following personal data up to 30 days after collecting the personal data. MongoDB and Epic Online Services may process your personal data in the United States, although we did conclude a data processing agreement and standard contractual clauses with them.
· Date and time of playing (including how long certain parts of the game took)
· Game information (such as the map or game mode you’re playing)
· User-ID
· Session-ID
· The platform used to play the game
· Game version
· Server region in which you play
· Character data (such as name, level, items, playtime and character type)
· General location (province and country) based on your IP-address
· E-mail address (if provided to us voluntarily to file bug and/or crash reports)
Contact
C. To be able to provide the ability for you to contact us, we process the personal data mentioned below when you contact us. Our processing ground is our legitimate interest to be able to communicate with you. If you do not wish for us to process the information mentioned below, you cannot contact us.
We use a mail provider to process the following personal data up to 90 days after the contact request has been dealt with. This data is processed by Google. They may process your personal data in the United States, although we did conclude a data processing agreement and standard contractual clauses with them.
· E-mail address
· Any other information provided in the e-mail (such as a name, game related issues or inquiries, your e-mail provider etc.)
4. Sharing personal data
We may use so-called data processors to process your personal data on our behalf. We conclude data processing agreements with these processors, to assure they only process your personal data on our instruction.
We use the following types of processors:
· companies that provide storage of (personal) data and database management and maintenance;
· software providers;
· research firms and providers of analytical software to improve our services;
· hosting provider(s).
If you provide additional information to these processors yourself, we are not responsible for this. It is wise to inform yourself properly about the processor and his company before you provide your personal data.
Sharing data with your consent
We may also share personal data with others if you give us permission to do so. For example we can cooperate with other parties to offer you specific services or offers. If you register for these services or marketing offers, we may provide your name or contact details if they are necessary to provide that service or contact you. Before we do this, you will always be expressly asked for your consent.
Sharing based on our legal responsibility
We may also share personal data with third parties if this is:
1. necessary to comply with our legal obligations;
2. necessary to comply with legal requests from authorities;
3. is required to respond to any legal claims;
4. necessary to protect the rights, property or safety of us, our users, our employees or the public;
5. is required to protect ourselves or our users against fraudulent, abusive, inappropriate or unlawful use of our services.
We will immediately notify you if a government agency makes a request that relates to your personal data, unless we are not allowed to do so on the grounds of the law.
Merger or sale (part) of the company
It may happen that we disclose, share or transfer your personal data when we transfer part of our business. Examples include (negotiations about) a merger, sale of parts of the company or obtaining loans. We will of course try to limit the impact for you as far as possible by transferring personal data only when necessary and anonymizing where possible.
5. Protection of personal data
Protecting your personal data is of the utmost importance for us. We have therefore taken appropriate technical and organizational security measures in order to protect your personal data. These measures include, but are not limited to:
- We only engage trusted providers of databases to store data, which have taken adequate physical and electronic measures to minimize the risk of unauthorized access, loss or misuse of personal data.
- We use TLS (Transport Layer Security) technology to encrypt information or personal data.
- We make backups of personal data.
- Vulnerabilities in the software are dealt with as quickly as reasonably possible.
We would like to point out that we cannot guarantee absolute security when sending personal data via the internet or storing personal data. We advise you to take this into account before sharing personal data.
6. Links to third party sites
Our game may contain links to other websites and services. These third party websites and services can collect and retain information about you. If you provide your personal data to third parties, then we are not involved. We have no control over these sites or the activities of the third parties. In that case, the privacy policy of the third party applies. We are not responsible for the content of the privacy policy of these parties and the way in which these parties deal with personal data. We encourage you to review their privacy and security practices and policies before you provide personal information to them.
7. Children’s Privacy
We take children’s privacy very seriously, and we do not directly or knowingly collect any personal data from end users deemed to be children under their respective national laws through our game. We strive to comply with the Children’s Online Privacy Protection Act of 1998, the U.S. law that protects the privacy and information of children. We strongly encourage parents and guardians to learn more about this important regulation. For more information, you can visit: https://epic.org/privacy/kids/#introduction. If you are a parent or guardian and you are aware that your child has provided us with personal data, please contact us. If we become aware that we have collected personal data from children without verification of parental consent, we take steps to remove that information from our servers.
If you are under the age of 13 and using our game, please have a parent or guardian nearby to provide any information we may request, including an e-mail address or platform specific username, as applicable.
8. Your rights
We aim to take reasonable steps to allow you to correct, amend, delete, or limit the use of your personal data.
You may update, correct, or provide additional information to your personal data by resubmitting your information or contacting us directly. If you are correcting information provided to a third party please correct your information via the methods and direction provided by the applicable third party.
If you wish to be informed what personal data we may hold about you and if you want it to be removed from our systems, please contact us via the contact email listed below.
You have the right:
· To know what personal information we maintain about you;
· To receive a copy of your personal information in a structured, commonly used and machine-readable or commonly used electronic format on request;
· To update and modify personal information is incorrect or incomplete;
· To object to our processing of your personal information when collection is based on a legitimate interest; and
· To delete or restrict how we use your personal information, but this right is determined by applicable law and may impact your access to our game.
Please note that we may ask you to verify your identity before responding to such requests.
GDPR
Under the GDPR, individuals residing in the EU and other territories that have adopted GDPR compliance or comparable regulation have certain rights with regard to their personal data. The rights that we describe below are not absolute rights. We will always consider whether we can reasonably meet your request. If we cannot meet your request, or if it would be at the expense of the privacy of others, we can refuse your request. If we refuse a request, we will let you know and explain our reasons.
Right of access
You have the right to request which personal data we process about you. You can also ask us to provide insight into the processing grounds, relevant categories of personal data, the (categories of) recipients of personal data, the retention period, the source of the data and whether or not we use automated decision making.
You may also request a copy of your personal data that we process. Do you want additional copies? Then we can charge a reasonable fee for this.
Right to rectification
If the personal data processed by us about you is incorrect or incomplete, you can request us to adjust or supplement the personal data.
If we grant your request, we will, to the extent reasonably possible, inform the parties to whom we provide information.
Right to erasure
Do you no longer want us to process certain personal data about you? Then you can request us to delete certain (or all) personal data about you. Whether we will delete data depends on the processing ground. We only delete data that we process on the basis of a legal obligation or for the performance of the agreement if the personal data is no longer necessary. If we process data based on our legitimate interest, we will only delete data if your interest outweighs ours. We will make this assessment. If we process the data on the basis of consent, we will only delete the data if you withdraw your consent. Have we accidentally processed data or does a specific law require that we delete data? Then we will delete the data. If the data is necessary for the settlement of a legal proceeding or a (legal) dispute, we will only delete the personal data after the end of the proceedings or the dispute.
If we grant your request, we will, to the extent reasonably possible, inform the parties to whom we provide information.
Restriction of processing
If you dispute the accuracy of personal data processed by us, if you believe that we have processed your personal data unlawfully, if we no longer need the data or if you have objected to the processing, you can also request us to restrict the processing of that personal data. For example, during the time that we need to assess your dispute or objection, or if it is already clear that there is no longer any legal ground for further processing of those personal data, but you still have an interest in us not deleting the personal data. If we limit the processing of your personal data at your request, we may still use that data for the settlement of legal proceedings or a (legal) dispute.
Right to data portability
At your request, we may transfer the data that we automatically process to execute the agreement or based on your consent, to you or another party designated by you. You can make such a request at reasonable intervals.
Automated individual decision making
We do not take decisions based solely on automated processing.
Right of restriction of processing and withdrawal of permission
If we process data on the grounds of a legitimate interest, you may object to the processing. If we process data on the basis of your consent, you may withdraw that consent. For more information, please refer to the relevant processing purposes above.
Exercising your rights
You can send a request for access, correction, deletion, data transfer of your personal data or request for withdrawal of your consent or objection to the processing of your personal data to support@stitchheads.com.
To prevent abuse, we may ask you to identify yourself adequately in the case of a written request for access, rectification or erasure.
We strive to process your request, complaint or objection within a month. If it is not possible to make a decision within a month, we will inform you of the reasons for the delay and the time when the decision is expected to be made (no longer than 3 months after receipt).
Dutch Data Protection Authority
Do you have a complaint about our processing of your personal data? Please contact us. We are naturally happy to assist you. If we cannot come to a solution, you are also entitled to submit a complaint to the national privacy authority, in this case the Dutch Data Protection Authority. For this you can contact the Dutch Data Protection Authority via https://autoriteitpersoonsgegevens.nl.
9. Contact
If you have questions, concerns or comments about this privacy policy or our data processing, please contact us via e-mail on support@stitchheads.com
California Consumer Data Rights
Stitch Heads B.V. complies with the California Consumer Privacy Act of 2018 (CCPA) as amended, that secures specific privacy rights for California consumers.
Categories of Data We Collect and Their Uses
Category
Examples
Collected
Reasons for Collection
“Sold” to 3rd Party?
Identifiers
A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers.
Yes
To provide the game and matchmaking services for the duration of the play session.
No
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).
A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories.
Yes
To respond to questions regarding this privacy policy.
No
Protected classification characteristics under California or federal law.
Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).
No
N/A
N/A
Commercial information.
Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.
Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement.
Biometric information.
Internet or other similar network activity.
Physical location or movements.
Geolocation data.
No
N/A
N/A
No
N/A
N/A
Yes
Inferences may be drawn from gameplay telemetry data solely with regard to the game. This data is used to improve the game.
No
Yes
Inferences may be drawn from gameplay telemetry data solely with regard to the game. This data is used to improve the game.
No
Sensory data.
Audio, electronic, visual, thermal, olfactory, or similar information.
No
N/A
N/A
Professional or employment-related information.
Current or past job history or performance evaluations.
No
N/A
N/A
Inferences drawn from other personal information.
Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Yes
Inferences may be drawn from gameplay telemetry data solely with regard to the game. This data is used to improve the game.
No
Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).
Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.
No
N/A
N/A
Personal Information does not include:
· Publicly available information from government records.
· De-identified or aggregated consumer information.
· Information excluded from the CCPA's scope, like:
1. Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;
2. Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver's Privacy Protection Act of 1994.
We may obtain the categories of Personal Information listed above from the following categories of sources:
· Directly from our end users. For example, from end users who provide feedback to us, or in the event that you contact us with questions regarding this privacy policy.
· Indirectly from our end users. For example, through information we collect in the event that you contact us with questions regarding this privacy policy.
· Directly and indirectly from activity through the game. For example, from APIs, and other information related to improving our game.
· From third parties that interact with us in connection with the game we perform.
All such Personal Information is used as otherwise described above in our privacy policy.
Sharing Personal Information
We may disclose your Personal Information to a third party for a business purpose. When we disclose Personal Information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that Personal Information confidential and not use it for any purpose except performing the contract.
In the preceding twelve (12) months, we have disclosed the following categories of Personal Information for a business purpose;
Identifiers, Internet or other similar network activity and Inferences drawn from other personal information.
Your Rights and Choices
Access to Specific Information and Data Portability Rights
You have the right to request that we disclose certain information to you about our collection and use of your Personal Information over the past twelve (12) months. Once we receive and confirm your verifiable consumer request, we will disclose to you:
· The categories of Personal Information we collected about you;
· The categories of sources for the Personal Information we collected about you;
· Our business or commercial purpose for collecting that Personal Information;
· The categories of third parties with whom we share that Personal Information; and
· The specific pieces of Personal Information we collected about you (also called a “data portability” request).
We generally do not sell end user data. However, if we do sell your Personal Information for a business purpose, we will also disclose to you:
· The Personal Information that each category of recipient purchased; and
· Disclosures for a business purpose, identifying the Personal Information categories that each category of recipient obtained.
Deletion Request Rights
You have the right to request that we delete any of your Personal Information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your Personal Information from our records, unless an exception applies.
We may deny your deletion request if retaining the information is necessary for us or our service providers to:
· Complete any transaction for which we collected the Personal Information, provide a product or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you;
· Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities;
· Debug products, including our game, to identify and repair errors that impair existing intended functionality;
· Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law;
· Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 seq.);
· Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information's deletion may likely render impossible or seriously impair the research's achievement, if you previously provided informed consent;
· Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us;
· Comply with a legal obligation; or
· Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
Exercising Access, Data Portability, and Deletion Rights
To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us at support@stitchheads.com.
Requests must include "California Privacy Rights Request" in the first line of the description and include your name, street address, city, state, and ZIP code.
Only you or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your Personal Information. You may also make a verifiable consumer request on behalf of your minor child.
You may only make a verifiable consumer request for access or data portability twice within a twelve (12) month period. The verifiable consumer request must:
· Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative; and
· Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use Personal Information provided in a verifiable consumer request to verify the requestor's identity or authority to make the request.
Response Timing and Format
We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to ninety (90) days), we will inform you of the reason and extension period in writing. Any disclosures we provide will only cover the twelve (12) month period preceding the verifiable consumer request's receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your Personal Information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Non-Discrimination
We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:
· Deny you goods or services;
· Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;
· Provide you a different level or quality of goods or services; or
· Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.