Privacy Policy Card Merge Master
We, Card Merge Master, Luxury Catamarans LTD BLOCK 4, Flat 3, 24 Dromo Synoikismos Makariou III, 4155 Limassol, are committed to protecting the privacy of users of the Card Merge Master website, Card Merge Master application(s), and/or other related services (hereinafter collectively the “Card Merge Master Services” or the “Services”).
For the purposes of this Privacy Policy, Card Merge Master is the “data controller” for all Card Merge Master Services.
This Privacy Policy describes the types of personal and non-personal data we collect and how we use such data. This Privacy Policy is part of our General Terms and Conditions and applies to all Card Merge Master Services. Therefore, please make sure that you read and understand our Privacy Policy, as well as the General Terms and Conditions.
This Privacy Policy does not apply to any third-party websites, services or applications, even if they may be accessible through the Card Merge Master Services.
By using any of the Card Merge Master Services, you hereby warrant and represent that (i) you have read, understand and agree to this Privacy Policy, (ii) you are over 16 years of age (or are a parent or guardian with such authority to agree to this Privacy Policy for the benefit of an individual who is under 16 years of age). If you do not accept the terms set forth in this Privacy Policy and the consents associated therewith, please do not use our Services.
Last revised: August 2020
1. What types and categories of data do we collect, process and use?
We collect, process and use personal and non-personal data.
1.1 Personal and non-personal data
The term “personal data” is defined by the Federal Data Protection Act (BDSG) and the European General Data Protection Regulation (GDPR). You can think of your personal data as any data that allow you to be identified or that can be correlated to you.
On the other hand, “non-personal” data cannot be correlated to any specific person. By removing identifiable parts from and anonymizing personal data, personal data may be converted into “non-personal data.”
1.2 Data we collect, process and use
We collect, process and use three types of data:
Typically, we collect, process and use the following categories of data:
2. How is data collected?
Personal data is collected by us only if you provide such data to us on your own initiative by choosing to use our Services. To be able to use our Services, you must register your account with us.
2.1 Login
You may create a Card Merge Master user account through our login system. Following registration, you will be able to use your user account to subscribe to all Card Merge Master Services. To register, you must provide us with at least the following information:
Before completing the registration process, you must confirm that you have read our Privacy Policy and accept our General Terms and Conditions.
2.2 Adding information to your user profile
Card Merge Master application(s) also enable you to provide us with additional information, such as your gender, fitness level, and workout goals. After registering, you can add more information to your profile (e.g., a profile photo). If you do so, you will once again provide us with personal data. We will also receive data (including personal data) from you when you communicate with us or other users through a Card Merge Master application. If you create a workout schedule, we will receive information about which and how many workouts you have completed. We will also receive information about how you use Card Merge Master application(s). In that case, too, you will provide us with personal data.
2.3 Enabling access rights to your device
For you to be able to use a Card Merge Master application to the full extent, we will also need certain access rights to your smartphone. For example, we need access to your camera or your photos if you upload or want to change a profile photo. We use push messages to send you workout reminders or to notify you of new followers or comments. When you want to use such a function for the first time, we will ask you whether you grant us such access rights or we will ask you to grant us access by selecting the appropriate settings. Generally, you may revoke such access rights at any time by changing the appropriate settings.
2.4 Newsletter
You can register for our newsletter. That way, you will receive regular updates about the Card Merge Master Services. All you need to receive our newsletter is to provide us with a valid e-mail address. If you are no longer interested in receiving the newsletter, you may unsubscribe at any time using the link that is included in each newsletter.
2.5 Linking your account to Facebook
You can also link your Card Merge Master user account to your Facebook profile. To do so, simply choose “Login with Facebook” during the registration process; you will then be transferred to Facebook. There, you will be shown to which Facebook data we will receive access. We will store your Facebook e-mail address. This is the e-mail address we will use to contact you, if necessary. We will also record the fact that you have registered through Facebook.
2.6 Website
You will also transfer certain information to us when you access our website or Card Merge Master application(s), e.g., your IP address. We will also receive data about which terminal device (computer, smartphone, tablet, etc.) you are using, which browser (Internet Explorer, Safari, Firefox, etc.) you are using, the time at which you access the website, the so-called referrer, and the data volume transferred. Such data cannot be used by us to identify the user. This data is processed for statistical purposes only. Such analyses help us make our Services more attractive and, if necessary, to improve our Services.
2.7 Log files
Every time you access our website the aforementioned data will be automatically stored in log files. A log file automatically logs all or defined actions on a computer system. Such log files are important, for example, for process control and automation. In the case of databases a log file tracks changes to the database of correctly executed transactions. In the event of an error (e.g., a system crash), this allows the current dataset to be restored. Log files are also created by web servers. Inter alia, the following data are logged: the address of the accessing computer, authentication fields, date and time of access, access method, content of HTML access, status code of the web server, and information about the browser and operating system used by the client.
2.8 Other possible instances of data collection
Collection of data also happens, for example, when you contact us or other users, i.e., when you open your Card Merge Master user account, sign up for a subscription, upload a profile photo, or use our Services to send messages.
3. What are our legal bases for processing of your data?
We will collect, process, and use your personal data and other data to support the delivery of Card Merge Master Services in accordance with our General Terms and Conditions. In this section we provide information on the legal basis for our processing of your Personal Data as required by Art. 13 and 14 of the GDPR, as well as provide detailed information about the purposes of collection, processing and use of your data.
We process your data based on Article 6 of the GDPR, relying on the following legal bases:
We may also process the data if it is necessary to protect vital interests of our users and/or other people, or for the performance of an obligation to carry out in the public interest pursuant to Art. 6(1) (d) and (e).
4. What do we use your data for (purposes of processing)?
We will use personal data you have provided to us only if and to the extent necessary for providing our Services and handling of the contract or if you have consented that we may use your data for the purposes described in this Privacy Policy.
We process and use data (including personal data) you make available to us voluntarily on the website or through the Card Merge Master application in various situations (e.g., when you send us an e-mail). We also use data that are collected automatically on our website or through the Card Merge Master application. Finally, we may also receive data about you from third parties, for example when another user provides us with information about you.
We collect, process and use data for the following purposes:
If required by law, we will ask for your consent before collecting, processing, or using your personal data for any of the aforementioned purposes.
We will also notify you if we want to use your personal data for a new or different purpose. We will use your personal data for such other purposes only if and to the extent necessary or permitted by applicable law or with your consent.
5. How long and where are data stored?
Your personal data will be stored for as long as this is necessary for achieving the defined purposes of processing. If you cancel your user account, we will also erase your personal data within a reasonable time or archive it, i.e. restrict processing. An exception applies only if we have a legal obligation to archive data for a certain time period.
6. Cookies and tracking pixels
We collect information about visitors to our website and about users of our Card Merge Master application(s) in order to improve our Services. For this purpose we use different kinds of so-called cookies and tracking pixels (a.k.a. web beacons).
A cookie allows a web server to place a text file (e.g., a clear ID) on your computer or smartphone/tablet. Cookies are used, for example, to automatically recognize you the next time you visit our websites or use a Card Merge Master application. The cookie is sent either by the web server to your browser or is generated by client-side scripting (e.g., JavaScript). Cookie data will be stored locally on your terminal device and in most cases will be effective only for a limited time period.
Websites that include flash media write user-specific data to your computer and later read such data. Such files are called flash cookies or local shared objects (LSO). Such files are not managed by your browser, but rather by the flash player plug-in. Flash cookies are subject to the same rules as conventional cookies. Flash cookies, too, can only be read by the website that caused those flash cookies to be placed. However, flash cookies can store a substantially greater volume of data.
Your browser offers extensive setting options to manage cookies. For example, you can deactivate cookies in your browser or limit cookies to certain websites. You can also program your browser to first notify you before a cookie is placed. You can also choose these settings on your mobile terminal devices. You can at any time manage cookies by changing the settings of your devices, delete cookies, or block cookies altogether.
You can also visit our website even if you block cookies on your terminal device. If you block cookies, the display of our website may however be impaired and not all functions may be available to you. You can also use Card Merge Master application(s) without cookies. In that case, you may however no longer be able to use all functions of such application as conveniently.
Tracking pixels are small graphics in HTML e-mails or on websites. When you access such a website, your access to the tracking pixel will be recorded in a log file. This allows statistical analysis, which, in turn, can be used to improve our Services. You can set your e-mail program or your browser so that HTML e-mails will be displayed as text only, thereby preventing the use of some tracking pixels.
7. Transfer of data to third parties
Your personal data will be transferred to third parties only if we have a legal obligation to do so, if the data transfer is necessary for performance of the contract, or if you have consented to the transfer of your data. Third-party service providers and partner companies will receive your data only if and to the extent necessary for performance of the contract or with your consent. In such cases, the extent to which data are transferred will however be kept to the absolute minimum. To the extent that our service providers come into contact with your personal data, we will make sure that they too will comply with all applicable data protection laws. Please also read the data privacy policies of such third-party providers.
We use cloud services. This means we will transfer your data to a third party – the cloud services provider – and store data on the servers of that provider. In some cases, your data may also be stored on servers outside the European Union (EU) or European Economic Area (EEA). In some cases, your data may also be processed there. We either ensure through appropriate contracts that such service providers guarantee the same level of data privacy to which you are also entitled in the European Union or we use only providers that are EU-US Privacy Shield certified (https://www.privacyshield.gov/welcome). Either alternative ensures an appropriate level of data privacy.
8. Data processing – third-party services and partners
To be able to offer you all functions and services of Card Merge Master application(s) in the most convenient way possible and to be able to continuously improve our Services, we use third-party services and partners. We also use the assistance of third parties to improve our website. Finally, we use certain tools for our marketing.
Below is the description of the third-party services we use and for what purposes:
8.1 Google
We use a number of different Google services (Google Inc., 1600 Amphitheater Pkwy, Mountain View, CA 94043, U.S.A. – hereinafter “Google”) for analysis and marketing purposes. These tools collect and statistically analyze data about your use of our Services in different ways. We also use your data to show you personalized ads with the help of Google services. By using our website or our Card Merge Master Services, you consent that we may use your data for these purposes.
Below (in 8.1.1-8.1.6) we will explain the different services and the ways in which you can conveniently revoke your consent, and we provide you with additional important information.
Additional information about how Google handles data transmitted by us is available here: https://www.google.com/intl/de/policies/privacy/partners/.
You can find additional information about how Google uses cookies in the data privacy policy of Google here: https://www.google.com/intl/de/policies/privacy/.
Information generated by Google tools is generally transferred to a server of Google in the United States and stored there. Google and its subsidiaries are EU-US Privacy-Shield certified.
8.1.1 Google Analytics
Our application(s) and our website use Google Analytics, a web analysis program of Google. Google Analytics uses cookies that are stored on your terminal device and allows an analysis of your use. We activate IP address anonymization so that IP addresses will first be truncated by Google within the European Union. On our behalf Google uses such information to analyze your use of our Services as well as the use of our Services by other users, and provides us with reports and other services. The IP address transmitted from your terminal device to Google Analytics will not be merged with any other data of Google. Google will transfer your data to third parties only if permitted by applicable law or in accordance with outsourced data processing agreements.
You can prevent the collection and processing of information generated by the Google cookie by placing an opt-out cookie or deactivating Google Analytics in the menu of your terminal device. In the alternative, you can also install a browser plug-in, which you will find here: https://tools.google.com/dlpage/gaoptout/.
8.1.2 DoubleClick by Google
DoubleClick uses cookies to show you ads that are relevant to you. In the process, a pseudonymous identification number (ID) is assigned to you to monitor which ads have been shown in your browser and which ads have been clicked. Such cookies contain no personal information. DoubleClick cookies allow Google and its partner websites to show ads on the basis of previous visits to our website or other websites on the Internet. Information generated by such cookies is transferred by Google to a server in the United States for analysis, where it is stored. Google never merges your data with any other data of Google. Data is transferred to third parties by Google only if permitted by applicable law or in accordance with outsourced data processing agreements.
If you do not wish to receive personalized ads, you can place an opt-out cookie:
https://www.google.de/settings/ads/onweb#display_optout
You can also install the DoubleClick deactivation browser add-on. You will find this browser plug-in here:
https://www.google.com/settings/ads/onweb/
8.1.3 Google AdWords
We use Google AdWords to advertise our offers. Following a search on Google, our ads will be shown in the areas designated for this purpose. Our website registers with the help of cookies how many users have found our Services through such ads. We use such data to optimize our ads. A cookie is stored by Google when an ad is clicked. You can block the cookie by selecting the appropriate settings in your browser. In that case, your visit to our website will not be included in anonymous user statistics.
If you do not wish to receive personalized ads, you can place an opt-out cookie:
https://www.google.de/settings/ads/onweb#display_optout
You can also block cookies, for example, by installing an appropriate browser plug-in, which is available here:
https://support.google.com/ads/answer/7395996?hl=de
8.1.4 Google Dynamic Remarketing
We use Google Dynamic Remarketing functions on our website. This technology allows us to show automatically generated, target group-based ads following your visit to our website. The ads shown are based on products and services on which you clicked or which you viewed during your last visit to our website. Google uses cookies to generate interest-based ads. If you do not wish to receive user-based ads from Google, you can deactivate ads by selecting the appropriate settings of Google.
If you do not wish to receive personalized ads, you can place an opt-out cookie:
https://www.google.de/settings/ads/onweb#display_optout
You can block personalized ads by installing the appropriate browser plug-in, which is available here:
https://support.google.com/ads/answer/7395996?hl=de
You can also block personalized ads from Google and other advertising networks by opting out on the following page:
https://www.youronlinechoices.com/de/praferenzmanagement/
8.1.5 Firebase
Firebase is a Google subsidiary with its registered office in San Francisco, CA, U.S.A. We use Firebase SDK and Google Analytics for Firebase for our Mind Ritual application(s). This tool allows us to use the same Google Analytics functions for an application that can also be used for websites. Firebase uses technologies that work similarly to cookies, in particular advertising IDs. This way, we collect information about how you use the Card Merge Master application(s). We use such data for statistical analysis purposes, to test our offers (e.g., A/B testing), and to improve our offers. In addition, we use such information for personalized advertising. By using our Services you consent to our collection of such data. In addition, we use Firebase Remote Config to make changes to our Card Merge Master application(s).
If you do not wish that such data is collected, you may opt out at any time. You can conveniently do so, for example, by selecting the appropriate settings in your mobile terminal device. How you can prevent such data from being collected on your Android device is explained, for example, here:
https://www.google.com/policies/technologies/ads/
On your iOS device you will find the appropriate setting under Settings > Data Privacy > Advertising.
8.1.6 Crashlytics
We use Crashlytics to analyze the application stability of our Card Merge Master application(s). Crashlytics is a subsidiary of Google. Crashlytics delivers analyses of errors and system crashes in real time, thereby facilitating maintenance of the application. In the process none of your personal data will be transmitted, but only crash reports with information about register codes and your device, e.g., type of device and version of operating system.
The diagnostic data collected are processed in the United States. Like Google and other subsidiaries of Google, Crashlytics is EU-US Privacy Shield certified.
Diagnostic information is subject to the data privacy policy of Crashlytics, which is available here:
https://try.crashlytics.com/terms/
8.2 Social plug-ins
We use the following social plug-ins for our website:
These plug-ins routinely collect data from you and transfer such data to servers of the provider.
Once activated, such plug-ins will also record your IP address. In addition, activated social plug-ins will place a cookie with a clear ID when the relevant website is accessed. This also allows providers to create profiles of your user behavior. Such a cookie is placed whether or not you are a member of the social network. If you are a member of a social network and are logged in when you visit our website or when you use the Card Merge Master application(s), data and information about your visit to our website or your use of a Card Merge Master application may be linked to your profile on the social network. Please note that we have no control over the exact extent to which your data will be collected by social network providers. For more information about the extent, type, and purpose of data processing and about rights and settings to protect your privacy, please refer to the data privacy policy of the relevant social network provider. These are available at the following addresses:
8.2.1 Facebook Connect
We use the “Facebook Connect” function, so that you can register and log in with us using your Facebook account.
If you use Facebook Connect, Facebook profile data and public data from your Facebook profile will be transferred to us. Conversely, data may be transferred from us to your Facebook profile. Such data are used by us to register you on our website or for Card Merge Master application(s) or to allow you to log in. For this purpose we also store and process such data.
By registering on our website or for a Card Merge Master application with the help of Facebook Connect you consent that your profile data from your Facebook profile may be transferred to us and, conversely, that we may transfer data to Facebook.
Please also note that Facebook receives information through Facebook Connect about how you use our Card Merge Master application(s) and our website.
For information about the purpose and extent of data processing, the further processing and use of data by Facebook, and your rights and setting options to protect your privacy, please refer to the data privacy policy of Facebook: https://www.facebook.com/policy.php.
8.3 Adjust
Card Merge Master application(s) and our website use the Adjust service of adjust GmbH (Saarbrücker Str. 37A, 10405 Berlin). The Adjust service has been audited and certified in accordance with the ePrivacyseal (European Seal for Your Privacy) (see https://www.eprivacy.eu/vergebene-siegel/).
This service allows us to monitor our marketing performance, to adjust our advertising campaigns, and to better understand, overall, how you use our application. To achieve this goal, we can, inter alia, monitor in real time how you interact with our application. For this purpose Adjust, for example, collects your IP address in anonymous form (as a hash value), and tracks when you install and open Card Merge Master application(s) for the first time, how you interact with the application, or on which ads you click.
Once collected, such data are not merged with any other data for personal identification purposes.
You may choose at any time that such data shall no longer be collected in the future. If so, please simply use the opt-out option of adjust at https://www.adjust.com/opt-out/.
8.4 Amplitude
Amplitude is an analysis service of Amplitude Inc (631 Howard Street, Suite 300, San Francisco, CA 94105, U.S.A.). This tool collects technical information, such as the type of your device (e.g., iPhone 6), the operating system used (e.g., iOS 10.3), or the name of your provider (e.g., Vodafone). In addition, Amplitude tracks events that occur in our Card Merge Master application(s). Such events may, for example, be completed workouts. In other words, Amplitude helps us understand how you use our Services.
Data collected by Amplitude Inc. in the United States is transferred to servers of Amplitude Inc. in the United States, where it is stored. Amplitude is EU-US Privacy Shield certified.
You will find additional information about the manner in which Amplitude processes data at:
https://amplitude.com/privacy
8.5 Facebook Custom Audiences
We use the remarketing function “Custom Audiences” of Facebook Inc. (1601 Willow Road, Menlo Park, California 94025, U.S.A.). This function allows us to show visitors of our website and users of Card Merge Master application(s) interest-based ads when they visit Facebook (“Facebook ads”), and to analyze such Facebook ads for statistical and market research purposes, which helps us optimize future advertising. For this purpose we use the so-called Facebook pixel (website) and Facebook SDK (Mind Ritual application).
Collected data are anonymous for us and allow no inferences as to your identity. Aside from us, Facebook however also stores and processes such data. Facebook may correlate such data to your user profile, and Facebook may also use such data for its own advertising purposes in accordance with the Facebook data privacy policy (https://www.facebook.com/about/privacy/).
Such data may allow Facebook and its partners to show ads on or off Facebook.
Facebook generally also stores such data on servers in the United States. Facebook is EU-US Privacy Shield certified.
You can generally block the placement of cookies on your computer by selecting the appropriate settings in your browser, so that cookies will no longer be placed on your computer in the future and/or so that cookies that have already been placed will be deleted. If you do so, you may no longer be able to correctly use some functions on our website.
With the help of an appropriate opt-out cookie from Digital Advertising Alliance you can also completely deactivate advertising by third-party providers such as Facebook:
https://www.aboutads.info/choices/
In the alternative, you can deactivate the remarketing function “Custom Audiences” in your Facebook settings:
https://www.facebook.com/settings/?tab=ads#_=_
To do so, you must be registered with Facebook.
9. Data security
Data transfers are generally subject to security gaps. It is technically impossible to protect your data 100% from access by third parties. However, we strive to minimize this risk as much as possible. We therefore maintain state-of-the-art measures to guarantee data security and to protect your data from access by third parties. In addition, we use strong SSL or TLS encryption for all data transfers. However, please make sure not to provide your login data to any third parties.
10. Websites of third parties
We occasionally place links to websites of third parties. Although we carefully select such third parties, we make no guarantee and assume no liability for the correctness or completeness of content or data security of any third-party websites. Nor does this Privacy Policy apply to linked third-party websites. We assume no responsibility for data privacy policies or content of any other websites.
11. Changes to this Privacy Policy
We may need to make changes to this Privacy Policy, for example if we add new functions or services to the application. We will however notify you of any changes and ask that you read and accept such changes before they are implemented by us.
12. Your rights: information/revocation/erasure and data controller
You may at any time and at no cost request us to provide you information about your personal data that are processed by us, correction of any errors in your personal data, termination of processing of your personal data, or erasure of your personal data – subject to mandatory legal provisions or obligations to the contrary. In particular, if you qualify as the “data subject” under the terms of the GDPR, you have the right to:
13. Contact details of the Data Controller and Data Protection Officer
To exercise your rights under GDPR, simply contact us at any time by letter or e-mail at:
Card Merge Master
TrueMyth Games Ltd
Renatou Kartesiou, 17
Agios Athanasios, Cyprus
4105 Limassol
E-mail: [email protected]
Managing director: Pavlos Dimitriou
Recorded in the Commercial Register of Cyprus under number HE 396141
VAT ID: 10409887M
Please note that communications by email can always be flawed by security gaps. Therefore, if you have a particularly sensitive request, please contact our data protection officer by postal mail.