HEAVYWEIGHT REX OY’S PRIVACY POLICY

 

(updated on 5th of March 2020)

 

 

This Heavyweight Rex Oy’s (hereinafter Heavyweight Rex Oy may also be referred to as “we” or “us” or “our”) privacy policy describes the personal data processing activities of Heavyweight Rex Oy as the controller (hereinafter “Privacy Policy”) for the players of our games, visitors of our websites and related services, jobseekers and persons who contact us through email and other similar means. 

 

This Privacy Policy contains Heavyweight Rex Oy’s records of processing activities as the controller, and it also acts as a communication from us to our data subjects (hereinafter our data subjects may also be referred to as “you”) through which we inform the data subjects of the ways Heavyweight Rex Oy processes their personal data. Thus, this Privacy Policy contains at least the information that Articles 13, 14 and 30 of the EU’s General Data Protection Regulation (679/2016) (hereinafter “GDPR”) require of us. 

 

Heavyweight Rex Oy aims to ensure that this Privacy Policy is always publicly, transparently and easily applicable at Heavyweight Rex Oy’s websites. 

  1. CONTROLLER

Name: Heavyweight Rex Oy

Business ID: 2777391-9 

Address: Mikonkatu 3, 00100 Helsinki

 

  1. PERSON IN CHARGE OF DATA FILES

Name: Sami Liukka

Contact details: 050 4300 729, sami@heavyweightrex.com 

 

  1. CATEGORIES OF DATA SUBJECTS

Heavyweight Rex Oy’s Privacy Policy concerns the following categories of data subjects:

    • players of our games; 

    • visitors of our websites and related services;

  • affiliates and potential affiliates; 

  • jobseekers of Heavyweight Rex Oy; and

    • persons who contact us through email or other similar means.

 

  1. CATEGORIES OF PERSONAL DATA

The data files concerning players of our games may contain the following categories of personal data:

  • username;

  • preferential settings, as in preferred language;

  • the data concerning the use of money in in-app purchases; 

  • gameplay time and player progression; and

  • the player’s OEM platform. 

 

The data files concerning the visitors of our websites and related services may contain the following categories of personal data:

  • IP-address and mobile device identifiers (such as your device ID, advertising ID, MAC address, IMEI); and

  • other data related to cookies. 

 

The data files concerning affiliates and potential affiliates may contain the following categories of personal data:

  • contact information, such as full name, address, phone numbers, e-mail addresses and personal identification numbers; and

  • data relating to affiliate relationships. 

 

The data files concerning the jobseekers of Heavyweight Rex Oy may contain the following categories of personal data:

  • contact information, such as full name, address, phone numbers, e-mail addresses and personal identification numbers;

  • videos and pictures;

  • nationality, age, gender, title or profession and language skills;

  • other information derived from the CVs, such as the work experience, educational background and other such skills; and

  • possible registration information, such as username, pseudonym, password and other unique identification.

 

The data files concerning persons who contact us through email or other similar means may contain the following categories of personal data: 

  • contact information, such as full name, address, phone numbers, e-mail addresses and personal identification numbers;

  • information relating to the implementation of communications and information relating to use of services, such as browsing and search information; and

  • possible other information gathered with the data subject’s consent.

 

  1. PURPOSE OF THE PROCESSING OF PERSONAL DATA

Personal data of the players of our games can be handled for the following purposes:

  • management and development of the customer relationship;

  • customer service;

  • operation and improvement of services we provide;

  • for improving our user experience; 

  • marketing;

  • analytics;

  • to enable us to comply with our legal and regulatory obligations; and

  • analysis and statistics.

 

Personal data of the visitors of our websites and related services can be handled for the following purposes:

  • for improving our website; and

  • analysis and statistics.

 

Personal data of affiliates and potential affiliates can be handled for the following purposes:

  • management and development of affiliate relationships; and

  • marketing.

 

Personal data of the jobseekers of Heavyweight Rex Oy can be handled for the following purposes:

  • management and development jobseeker relationships;

  • to enable us to comply with our legal and regulatory obligations; and

  • analysis and statistics.

 

Personal data of persons who contact us through email or other similar means can be handled for the following purposes:

  • customer service;

  • improving customer experience;

  • to enable us to comply with our legal and regulatory obligations; and

  • analysis and statistics. 

 

  1. LEGAL BASIS FOR PROCESSING

We have a right to process personal data of the players of our games based on the:

  • performance of a contract between us and our customers; and

  • legitimate interests pursued by us, as we need to market our services and process analytics data of the data subject to improve our services to keep us in business. 

 

We have a right to process personal data of the visitors of our websites and related services based on the:

  • legitimate interests pursued by us, as it is necessary for us to process cookie data to improve our websites and related services and to keep us in business.

 

We have a right to process personal data of affiliates and potential affiliates based on the:

  • performance of a contract between us; and

  • legitimate interests pursued by us, as we need to market our services to keep us in business.

 

 

We have a right to process personal data of the jobseekers of Heavyweight Rex Oy based on the:

  • legitimate interests pursued by us, as it is necessary for us to process the personal data to evaluate the jobseekers and potential employment relationships; and / or

  • our legal obligations as an employer. 

 

We have a right to process personal data of the persons who contact us through email or other similar means based on the:

  • legitimate interests pursued by us, as it is necessary for us to process personal data to handle the contacts made to us.

 

The legal basis for processing may however change. Such a change may result from e.g. our arising legal obligation to hold on to personal data.

 

  1. REGULAR SOURCES OF INFORMATION

Information regarding the data subjects are regularly gathered:

  • from data subjects themselves via phone, internet, e-mail or in other similar fashion; 

  • with cookies and other similar technology;

  • by Heavyweight Rex Oy’s other affiliate companies; and

  • from the Population Register Center/Population Information System, Posti’s address database, phone companies’ databases and other similar private and public registries.

 

  1. PERIOD FOR WHICH THE PERSONAL DATA WILL BE STORED

    1. 8.1) We shall retain only the necessary data of the players of our games for a period of two (2) years following the end of customer relationships. 

 

    1. 8.2)We shall retain only the necessary data of affiliates for a period of three (3) years following the end of affiliate relationship.

 

    1. 8.3) We shall retain only the necessary data of potential affiliates for a period of three (3) years following first contact made, if the potential affiliate has not turned into our actual affiliate. 

 

    1. 8.4)We shall retain only the necessary data of our jobseekers for a period of 24 months following first contact made, if the potential affiliate has not turned into our actual affiliate.

 

    1. 8.5) We shall retain only the necessary data of persons who contact us through email or other similar means for a period of one (1) year following the contact.

 

    1. 8.6) However, we may retain the data of all data subjects for longer than is described above, where we are required to do so by law, it is necessary due to legal proceedings and it is necessary for any similar reason. We shall be careful not to apply this Section in vain.

 

    1. 8.7) We inspect the necessity of the personal data stored regularly and keep records of the inspections.

 

  1. CATEGORIES OF RECIPIENTS OF PERSONAL DATA

The recipients of personal data may consist of the following categories:

  • Heavyweight Rex Oy’s affiliate companies;

  • parties who offer cloud services for data storage;

  • parties who offer accounting and auditing services; and

  • parties who help Heavyweight Rex Oy to fulfill its legal obligations.

 

  1. REGULAR DISCLOSURE OF DATA AND INFORMATION TRANSFER OUTSIDE OF EU OR THE EUROPEAN ECONOMIC AREA

Some of the recipients of personal data described in Section 9 are located within the United States of America. When transferring personal data those parties, we shall ensure that the personal data is provided adequate security measures, e.g. by ensuring that the receiving party has an EU-U.S. Privacy Shield certificate or that the party has signed a valid standard data protection clause with us.

 

  1. DATA SUBJECTS’ RIGHTS

The data subject has a right to use all of the below mentioned rights.

 

The contacts concerning the rights shall be submitted to the person in charge of the data file stated in Section 2. The rights of the data subject can be put into action only when the data subject has been satisfactorily identified.

 

Right to inspect

Having presented the adequate and necessary information, the data subject has the right to know what, if any, data the controller has stored of her/him into this register. While providing the requested information to the data subject, the controller must also inform the data subject of the register’s regular sources of information, to what are the personal data used for and where is it regularly disclosed to. 

 

Right to rectify and erasure

The data subject has a right to request the controller to rectify the inaccurate and incomplete personal data concerning the data subject. 

 

The data subject can request the controller to erase the personal data concerning the data subject, if:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

  • the data subject withdraws consent on which the processing is based on;

  • the personal data have been unlawfully processed; or

  • the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.

 

Let it be known that the data subjects’ rights to rectify and erase data does not concern the data which the controller must retain due to its legal obligations. 

 

If the controller does not accept the data subject’s request to rectify or erase the personal data, it must give a decision of the matter to the data subject in a written form. The decision must include the reasons for which the request was not granted. The data subject may refer the matter to the relevant authorities (the Data Protection Ombudsman in Finland). 

 

The controller must inform the party to whom the controller has disclosed the personal data to or has received the personal data from of the rectification or erasure of personal data. However, there is no such obligation where the fulfilment of the obligation would be practically impossible or otherwise unreasonable. 

 

Right to restriction of processing

The data subject can request the controller to restrict the processing of the personal data concerning the data subject where one of the following applies:

  • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; 

  • the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; 

  • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims; or

  • the data subject has objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.

 

If the controller has based the restriction of the processing of personal data on the abovementioned criteria, the controller shall give a notification for the data subject before removing the restriction. 

 

Right to object

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning her/him for such marketing, which includes profiling to the extent that it is related to such direct marketing. 

 

Right to data portability

The data subject shall have the right to receive the personal data concerning her/him, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or a contract.

 

Automated individual decision-making, including profiling

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. 

 

However, the data subject shall not have the aforementioned right if the decision is: 

  • necessary for entering into, or performance of, a contract between the data subject and us; 

  • is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or 

  • is based on the data subject's explicit consent.

 

Right to withdraw consent

Where the legal basis for the processing of personal data is the consent of the data subject, the data subject shall have the right to withdraw her/his consent. 

 

  1. RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY

 

Data subject shall have the right to lodge a complaint with a supervisory authority, if the data subject considers that the processing of personal data relating to him or her infringes the GDPR. The complaint can be lodged in the Member State of her/his habitual residence, place of work or place of the alleged infringement.

 

  1. COOKIES

Cookies are small text files that a website stores on your device when you browse that website. Cookies store data of your website use.

 

You can control and/or remove cookies freely at the individual browser level. Instructions can be found for example in here: aboutcookies.org

 

As a Wix-based website, Wix places the following cookies on our website:

 

 

Cookie name, Life span, Purpose

 

svSession, Persistent*, Identifies unique visitors and tracks a visitor’s sessions on a site

 

Cookie name, Life span, Purpose

hs, Session**, Security

 

Cookie name, Life span, Purpose

XSRF-TOKEN, Session, Security

 

Cookie name, Life span, Purpose

 

 

smSession, Persistent (two weeks), Identifies logged in site members

 

Cookie name, Life span, Purpose

TSxxxxxxxx (where x is replaced with a random series of numbers and letters), Persistent, Security

 

Cookie name, Life span, Purpose

TSxxxxxxxx_d (where x is replaced with a random series of numbers and letters), Persistent, Security

 

 

* “Persistent” life span means that the cookies are stored until they expire or until you delete them. Usually the cookies with persistent life span collect identifying information about the user. 

** “Session” life span means that the cookies are erased when you close your browser and do not collect data from your computer. The data typically stored for a session do not typically collect data to identify a person.

 

For more detail about Wix and cookies please visit https://www.wix.com/ and https://support.wix.com/en/article/cookies-and-your-wix-site

 

  1. ANALYTICS DATA

Our games use analytics data of the way our game is played (e.g. in-game play progress, levels, games played, session length, preferred settings and so on). We process that data based on our legitimate interest, as it is necessary for us to do so to improve our games and to keep us in business. 

 

We use the following programs to gather analytics of the players of our games:

  • GameAnalytics;

  • Unity IAP;

  • Unity Analytics; 

  • AppsFlyer; 

  • Facebook SDK; and

  • Crashlytics

 

You cannot choose not to share analytics data of your behavior in our games because the analytics data is necessary for us to provide our games.

 

  1. DESCRIPTION OF THE TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

We have encrypted our databases that consist of personal data and use only programs that provide adequate security for the data we process:

  • we use Amazon RDS for PostgreSQL to provide our games, and the program provides for appropriate data safety and security measures under the GDPR; and

  • we otherwise have appropriate technical and organizational security policies and procedures to protect personal data from loss, misuse or other comparable unauthorized access.

 

  1. DATA PROTECTION PRINCIPLES

Heavyweight Rex Oy uses all reasonable efforts to maintain physical, electronic, and administrative safeguards to protect personal information from unauthorized or inappropriate access, but Heavyweight Rex Oy note that the Internet is not always a secure medium. Heavyweight Rex Oy restricts access to information about data subjects only to the personnel of Heavyweight Rex Oy that need to know the information e.g. for responding to inquiries or requests made by the data subjects.