1. Name and address of the responsible party
The responsible party, with respect to the General Data Protection Regulation and other national data protection laws of member states as well as other data protection provisions, is:
Power Challenge AB
Gamla Tanneforsvägen 17C
582 54 Linköping
2. Name and address of the data protection officer
The data protection officer of the responsible party is:
Attorney and certified specialist in information technology law
Dr. Christian Rauda
GRAEF Rechtsanwälte Digital PartG mbH
3. General information on data processing
3.1. Scope of personal data processing
As a rule, we only collect personal data that you share when making use of the services while logging in or registering and when utilizing fee-based services, as needed. Personal data is considered data that includes information on personal or factual circumstances. When logging in and registering as a user on our website, you merely need to provide an email address and/or username and/or password. The password is encrypted and does not allow any conclusion to be made on the actual password at any time.
Within the scope of carrying out the user contract concluded, in particular your chosen fee-based services, additional data, such as complete name, address, credit card numbers, etc. may be required. Additionally, when processing your requests or to provide you with support, it is sometimes required to ask you for personal data such as name, address, email address, and telephone number.
We submit personal data only to cooperating companies or external service providers, provided this is legally required or permitted, in particular in performance of a contract, to process payments, as well as to protect other users or defend against dangers for national or public security, or to prosecute criminal offenses.
We treat all of this data in a confidential manner and in consideration of statutory data protection regulations.
3.2. Legal basis for processing personal data
If we receive the consent of the person concerned to process personal data, Art. 6 Para. 1 a of the EU General Data Protection Regulation (GDPR) serves as the legal basis for processing personal data. When processing personal data that is required to perform a contract whose contractual party is the person concerned, Art. 6 Para. 1 b GDPR serves as the legal basis. This also applies to processing processes that are required to carry out pre-contractual measures. If personal data must be processed to comply with a legal requirement to which our company is subject, Art. 6 Para. 1 c GDPR serves as the legal basis. In the event that the vital interests of the person concerned or another natural person make it necessary to process personal data, Art. 6 Para. 1 d GDPR serves as the legal basis. If processing is required to protect a legitimate interest of our company or a third party, and if the interests, basic rights, and basic freedoms of the party concerned do not prevail over the previously stated interest, Art. 6 Para. 1 f GDPR serves as the legal basis.
3.3. Purpose of processing personal data
We collect and process data in order to enable you to use our services. This also includes processing for the purpose of data security and the stability and operational security of our system as well as accounting purposes. Data is also processed in order to:
- Provide you assistance when you submit support inquiries;
- Discover and prevent the improper use of multiple accounts, e.g. fraudulent purposes;
- Acquire new customers;
- Distribute promotional material that we believe correlates with your interests.
3.4. Data erasure and storage duration
The personal data of the person concerned is erased as soon as there is no longer a reason to store it. Some data may be retained for a longer period if required by European or national lawmakers in Union directives, laws, or other regulation to which the responsible party is subject.
3.5. Data security
We endeavor to take reasonable precautions in order to prevent unauthorized access to your personal data as well as unauthorized use or falsification of this data and to minimize the associated risks. Nevertheless, providing personal data, whether in person, on the telephone, or via the internet, is always associated with risks and no technical system is completely free of the possibility of manipulation or sabotage.
We process the data collected from you in accordance with Swedish and European data protection law. All employees are required to protect data privacy and comply with data protection regulation, and are trained accordingly. For payment purposes, your data is transmitted using the SSL process and encrypted.
4. Provision of services and creation of log files
4.1. Description and scope of data processing
Whenever our services are solicited, our system automatically collects data and information on the visiting computer system. The following data is collected during this:
- Internet protocol
- IP address
- URL of the referring website from which the file was requested
- Date and time of access
- Browser type and operating system as well as hardware information
- The site you visited
- Quantity of data transmitted
- Access status (file transferred, file not found, etc.)
- Duration and frequency of use
The data is also stored in the log files of our system.
4.2. Legal basis for data processing
Art. 6 Para. 1 f GDPR is the legal basis for the temporary storage of data and log files.
4.3. Purpose of data processing
Temporary storage of the IP address by the system is necessary in order to deliver services to the computer of the user. To do so, the IP address of the user must be stored for the duration of the session. Data is stored in log files in order to ensure the functionality of the services. Additionally, the data also serves to optimize the services and to ensure the security of our IT systems. Data is stored over the duration of the session for purposes of combating fraud (e.g. payment fraud, violation of the rules of play through the use of multiple accounts by the same person) and for the purposes of IT security (e.g. protection against DDoS attacks). Otherwise, the data is stored merely for purposes of statistical evaluation.
In order to monitor compliance with the rules of use and rules of play, we reserve the right to store IP addresses and log files for a certain period of time after our services are utilized. In particular, this procedure serves to avoid certain cases of misuse or to resolve them and be able to forward the data in individual cases to investigative authorities or to rectify bugs. Any evaluation of data is carried out in an anonymous manner wherever possible. After this period ends, the IP address and log files are completely erased, unless there exist mandatory statutory storage requirements or concrete criminal or abuse proceedings.
For these purposes, our legitimate and overriding interest is to process data in accordance with Art. 6 Para. 1 f GDPR.
4.4. Duration of storage
The data is erased as soon as it is no longer required to achieve the purpose for which it was collected.
4.5. Option to object and erase
Data collection to provide services and data storage in log files is absolutely required in order to ensure the uninterrupted provision of services. As a consequence, the user has no option to object.
5. Push notifications
5.1. Description and scope of data processing
We can send push notifications to your device in order to share with you updates on services, news, and other relevant messages.
5.2. Legal basis for data processing
The legal basis for processing data is Art. 6 Para. 1 b GDPR if a contract exists.
5.3. Option to object and erase
You can prevent your data from being processed by applying the respective settings to your system. Please refer to the documentation of the system you use.
6. Contact form and email, in-game support
6.1. Description and scope of data processing
There is a contact form on our website which can be used to contact us electronically. If a user makes use of this option, the data submitted into the input form will be sent to us and stored. This data is:
- Type of request
- User ID and username
- Team ID and team name
- IP address
Alternatively, we can be contacted using the email provided. In this case, the personal data of the user is saved with the email used to send it. You can also send inquiries to us within the game. In this context, no data is forwarded to third parties. The data is used exclusively to process the inquiry.
6.2. Legal basis for data processing
The legal basis for processing data is Art. 6 Para. 1 a GDPR if the user has provided consent. The legal basis for processing data, that is submitted when an email is sent, is Art. 6 Para. 1 f GDPR. If the email is intended to conclude a contract, the further legal basis for processing is Art. 6 Para. 1 b GDPR.
6.3. Purpose of data processing
We process personal data from the input form solely to process communication. In the event that contact is made via email, there is also the required legitimate interest to process the data here. The other data processed during the submission process serves to prevent misuse of the contact form and to ensure the security of our IT systems.
6.4. Duration of storage
The data is erased as soon as it is no longer required to achieve the purpose for which it was collected. The data is stored for twelve months for the purposes of combating fraud and improving support.
6.5. Option to object and erase
The user has the option, at any time, to withdraw their consent to process the personal data. If the user contacts us, they can object to the storage of their personal data at any time. In such an event, the conversation cannot continue. All personal data, that was stored when contact was made, is erased in this case.
7. Cookies, web beacons, etc.
7.1. Description and scope of data processing
There are permanent cookies, that are stored for a longer period of time on your display device, and session cookies, that are temporarily stored on your display device and erased after the service is provided. We use necessary cookies, function cookies, performance cookies, targeting and advertising cookies, and conversion tracking cookies.
Necessary cookies. These cookies are necessary to use our services. Without these necessary cookies, it is possible that we will not be able to provide you certain services or features or that the services will not be depicted correctly.
Function cookies. Function cookies enable us to recognize your settings and provide you with advanced and better adapted features, such as a personal adjustment of services, recognizing whether we have asked you certain things, or you have requested other services.
Performance cookies. Performance cookies, also sometimes called analytics cookies, collect information on your use of services, and enable us to improve the functionality of our services. For example, performance cookies show us which pages are used most often, how the entire usage pattern of the services looks, help us to detect problems with the use of services, and determine whether our advertising is presented effectively or not.
Targeting and advertising cookies. We and our service providers can employ targeting or advertising cookies in order to show you promotions that are better adjusted to your interests and preferences. We can also use targeting or advertising cookies in order to limit the number of identical advertisements that are shown to you with our services, or to determine or increase the effectiveness of our marketing campaigns. These cookies show, for example, what you have viewed while using our services, and we share this information with other organizations, such as advertising clients. The display of advertising supports operations and the further development of our services.
Conversion tracking cookies. In order to provide our users with the best possible gaming experience, we strive to constantly add new players to our games. In the process of determining and driving marketing measures, we use conversion tracking. In doing so, a marketing partner records, with our help, when a user completes a registration or a predefined action in the game. This occurs either via direct automated contact with the server of the marketing partner or through an intermediary service provider. The data that we transfer is limited to what is most necessary.
7.2. Legal basis for data processing
The legal basis for processing personal data when using cookies is Art. 6 Para. 1 f GDPR.
7.3. Purpose of data processing
Necessary cookies are required in order for us to be able to offer our services. Some functions of our software cannot be provided without the use of these cookies. The user data collected via necessary cookies is not used to create user profiles. Performance cookies are used for the purpose of improving the quality of our services and their contents. Via these performance cookies, we learn how the services are used and can thus constantly optimize our products.
7.4. Duration of storage, option to object and erase
8. Logging in via third parties
We offer you the option of logging in to our services with login data of other services ("partners"), for example, Facebook. It is thus not necessary to register again. In this case, you can log in to our services through a partner. To do so, your account with our partner is linked to our service. The partner then sends us the respective information that serves exclusively for quality assurance measures and is not shared with third parties at any time. For additional information on the service you prefer, please refer to the above contact (see. "1. Name and address of the responsible party").
9. Rights of the person concerned
If we process your personal data, you are the person concerned in the sense of the GDPR, and you have the following rights with respect to the responsible party.
9.1. Right of access
You can request from the responsible party a confirmation of whether personal data that concerns you is processed by us. If such processing occurs, you can request the following information from the responsible party:
- The purposes for which the personal data is processed;
- The categories of personal data that is processed;
- The recipient or categories of recipients to which the personal data that concerns you was submitted or not submitted;
- The planned duration of storage of the personal data concerning you, or, if concrete information on this is not available, the criteria for determining the storage duration;
- The existence of a right to disclose or erase the personal data concerning you, a right to limit processing on the part of the responsible party, or a right to object to this processing;
- The existence of a right to lodge a complaint with a supervisory authority;
- All available information on the source of the data if the personal data is not collected for the person concerned;
- The existence of an automated decision making process including profiling in accordance with Art. 22 Para. 1 and 4 GDPR and, at least in these cases, detailed information on the logic involved as well as the scope and the desired effects of such processing for the person concerned.
You have the right to request information on whether the personal data concerning you is sent to a third country or an international organization. In this context, you can request suitable guarantees pursuant to Art. 46 GDPR in connection with the transfer.
9.2. Right to rectification
You have the right to rectification and/or completion, with respect to the responsible party, provided that the processed personal data concerning you is incorrect or incomplete. The responsible party must make the rectification without delay.
9.3. Right to limit processing
Under the following conditions, you can request a limit to the processing of the personal data concerning you:
- If you contest the correctness of the personal data concerning you for a duration of time that enables the responsible party to verify the correctness of the personal data;
- The processing is illegal and you refuse erasure of the personal data and instead request a limitation of the use of the personal data;
- The responsible party no longer requires the personal data for the purposes of processing, but you require it to assert, exercise, or defend legal claims, or
- If you have submitted the objection to processing according to Art. 21 Para. 1 GDPR and it is not yet certain whether the legitimate concerns of the responsible party prevail over your concerns.
If the processing of the personal data concerning you was limited, this data, except for its storage, may only be processed with your consent or to assert, exercise, or defend legal claims, or to protect the rights of another natural or legal person or for reasons of an important public interest of the Union or a member state. If processing was limited according to the above conditions, you will be informed by the responsible party before the limitation is applied.
9.4. Right to erasure
We offer the option to independently delete or correct your own personal data in game. If you are logged in to your account, you can delete your personal data in the settings of your user account.
9.4.1. Obligation to erase
You can request that the responsible party immediately erase the personal data concerning you, provided one of the following reasons applies:
- The personal data concerning you is no longer required for the purposes for which it was collected or processed in another manner.
- You withdraw your consent upon which processing pursuant to Art. 6 Para. 1 a or Art. 9 Para. 2 a DSGVO is based, and there is no other legal basis for processing.
- You submit an objection to processing pursuant to Art. 21 Para. 1 GDPR and there exist no superordinate legitimate reasons for processing, or you submit an objection to processing pursuant to Art. 21 Para. 2 GDPR.
- The personal data concerning you was processed illegally.
- The erasure of the personal data concerning you is required to comply with a legal requirement according to Union law or the law of a member state to which the responsible party is subject.
- The personal data concerning you was collected in regard to services offered by the information company in accordance with Art. 8 Para. 1 GDPR.
9.4.2. Information to third parties
If the responsible party published the personal data concerning you and is required to erase such according to Art. 17 Para. 1 GDPR, said party will take suitable measures, also of a technical nature and in consideration of available technology and implementation costs, to inform data processors processing the personal data that you, as the person concerned, have requested the erasure of all links to this personal data or copies or replications of this personal data.
There is no right of erasure if processing is required to exercise the right of free expression and information;
- To comply with a legal obligation to which the responsible party is subject according to Union law or that of a member state for processing purposes, or to perform a task that is in the public interest or in the practice of public authority conferred to the responsible party;
- For reasons of public interest in the area of public health according to Art. 9 Para. 2 h and i as well as Art. 9 Para. 3 GDPR;
- For archiving purposes, scientific or historic research purposes, or for statistical purposes in the public interest according to Art. 89 Para. 1 GDPR, provided that the right specified in section a) temporarily makes the achievement of the goals of processing impossible or severely limits such, or
- To assert, exercise, or defend legal claims.
9.5. Right to information
If you have asserted the right to information on, erasure, or limitation of processing with respect to the responsible party, said party is required to share this rectification or erasure of the data or limitation of processing with all recipients to whom the personal data concerning you was published, unless this proves to be impossible or is associated with excessive cost. You have the right to information on these recipients from the responsible party.
9.6. Right to data transferability
You have the right to receive the personal data concerning you, which you provided to the responsible party, in a structured, standard, and machine-readable format. Additionally, you have the right to transfer this data to another responsible party without obstruction on the part of the responsible party, to which the personal data was provided,
- provided that processing occurs based on consent pursuant to Art. 6 Para. 1 a GDPR or Art. 9 Para. 2 a GDPR or a contract pursuant to Art. 6 Para. 1 b GDPR,
- and the processing is carried out using automatic processes.
When exercising this right, you also have the right to ensure that the personal data concerning you is transferred directly from one responsible party to another responsible party, provided this is technically feasible. The freedom and rights of others may not be affected by this. The right of data transferability does not apply for processing personal data that is required to carry out a task that is in the public interest or in the practice of public authority conferred to the responsible party;
9.7. Right to object
You have the right, for reasons relating to your particular situation, to submit at any time objection to processing of the personal data concerning you which is conducted based on Art. 6 Para. 1 e or f GDPR; this also applies to profiling based on these conditions. The responsible party no longer processes the personal data concerning you, unless said party can provide evidence of compelling reasons worthy of protection for the processing that prevail over your interests, rights, and freedoms, or the processing serves to assert, exercise, or defend legal claims.
If the personal data concerning you is processed in order to pursue direct advertising, you have the right to submit at any time objection to processing of the personal data concerning you for the purposes of such advertising; this also applies to profiling, provided it is in connection with direct advertising. If you object to processing for the purpose of direct advertising, the personal data concerning you will no longer be processed for these purposes.
Regardless of Directive 2002/58/EC, you have the option, in connection with the use of services of the information company, of exercising your right to object using an automated process that uses technical specifications.
9.8. Right to withdraw data protection declarations of consent
You have the right to withdraw your declaration of consent at any time. The withdrawal of consent does not affect the legality of the processing conducted on the basis of the consent up to the date of the withdrawal.
9.9. Automated decision in individual cases including profiling
You have the right not to be subjected to a decision based solely on automated processing, including profiling, which will have legal effect or similarly affect you in a similar manner. This does not apply if the decision
- is required to conclude or carry out a contract between you and the responsible party,
- is permissible on the basis of Union or member state law to which the responsible party is subject, and that legislation contains suitable measures to safeguard your rights and freedoms and your legitimate interests, or
- is made with your explicit consent.
However, these decisions must not be based on special categories of personal data under Art. 9 Para. 1 GDPR, provided that Art. 9 Para. 2 a or g does not apply, and reasonable measures have been taken to protect your rights and freedoms and your legitimate interests. With respect to the situations mentioned in (a) and (c), the responsible party shall take appropriate measures to protect your rights and freedoms and your legitimate interests, including at least the right to obtain the intervention of a person on the part of the responsible party to express their own position and challenge the decision.
9.10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial legal remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your place of residence or employment or the place of the alleged infringement, if you believe that the processing of the personal data concerning you violates the GDPR. The supervisory authority to which the complaint has been submitted shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.