Flaregames GmbH (“Flaregames”/“we”) is committed to protecting the privacy of its users (“users”/“you”) with regard to the processing of personal data. Flaregames observes the applicable data protection requirements.

We have compiled this document to inform our users about the handling of their data. If you have any questions concerning the use of your personal data by Flaregames, or if you would like to revoke a previously granted declaration of consent, please get in touch with us and tell us about the game you play, your platform and the server you use.

This Data Protection Statement applies to all services offered on the websites operated by Flaregames, in particular Flaregames.com, (“website”) and mobile applications, as well as the games offered for download via portals such as the Apple App Store and Google Play Store etc. (“games apps” or “apps”)

We offer our apps only to persons who are 16 years or older. This means that we do not process any data of persons who are younger than 16 years of age.

  1. Name and address of the data controller (the person in control of your data)

The data controller for the purposes of the General Data Protection Regulation and other national data protection laws of the Member States, as well as any other data protection-related regulation is:

Flaregames GmbH Duisburger Str. 6 10707 Berlin, Germany Email: Privacy@phoenixgames.com Website: www.Flaregames.com

  1. Name and address of the Data Protection Officer

The data controller has appointed the following Data Protection Officer:

Attorney, Information Technology Law Specialist Dr Christian Rauda, ARTANA Digital GmbH

Email: privacy@phoenixgames.com Website: www.artana.law

  1. General information on data processing

3.1 Legal basis for the processing of personal data Article 6 para. 1 lit. a of the EU General Data Protection Regulation (GDPR) serves as the legal basis for the processing of personal data that was obtained with the consent of the data subject.

Article 6 para. 1 lit. b GDPR serves as the legal basis for the processing of personal data that is required for the performance of a contract to which the data subject is a party. This also applies to data processing operations that are necessary for the performance of pre-contractual measures.

In as far as the processing of personal data is required for compliance with a legal obligation incumbent on our company, the legal basis for data processing is Article 6 para. 1 lit. c GDPR.

In the event the vital interests of the data subject or another person compel us to process personal data, Article 6 para. 1 lit. d GDPR serves as the legal basis for such data processing.

Article 6 para. 1 lit. f GDPR serves as the legal basis if the data processing is necessary to safeguard a legitimate interest of our company or a third party in a situation where the interests, fundamental rights and fundamental freedoms of the data subject do not prevail over the legitimate interest of our company or a third party.

3.2 Deletion of data, storage period We will delete or block a data subject’s personal data as soon as the purpose of storing the data has been achieved. Personal data can be stored for longer periods if prescribed by a European or national legislator in EU regulations, laws or other regulations that govern the data controller. The data is also blocked or deleted at the end of a retention period prescribed by one of the above regulations, unless the data is required to be stored for a longer period for the purpose of performing or entering into a contract.

3.3 Data security We always try our best to put reasonable arrangements in place to prevent unauthorised access to your personal data, use of your personal data or manipulation of your personal data and to minimise the risk of these incidents occurring. The provision of personal data is, irrespective of whether disclosed in person, over the phone or via the internet, inevitably associated with certain risks and no technological system is absolutely fail-safe from being manipulated or sabotaged.

We process all information collected from you in accordance with the German and European data protection laws. All our employees are bound by data secrecy and the data protection regulations and have been instructed accordingly. When making a payment, your data will be transmitted using SSL-encryption technology.

  1. Collection and use of personal data via the website and apps

4.1 Our website can be used by all users without requiring registration. The following data is collected: internet protocol, IP address, URL of the referring website from which the file was requested, the date and time of access, browser type and operating system, the site visited by you, data volume transmitted, access status (file transfer, file not found etc.), duration and frequency of use. This data is also stored in the log files of our system. The data is not stored together with other personal data of the user.

4.2 Each access of a registered user on the website and each file access will cause the following use-specific access data to be transmitted to our server: internet protocol, shortened IP address, the respective device, advertising, user or ad ID, the URL of the referring website from which the file was requested or the ID of the social network if you used one to log on, date and time of access, territory from which the game app was downloaded, state in which the game app was accessed, browser type and operating system, the page visited by you, data volume transmitted, access status (file transfer, file not found etc.), duration and frequency of use, device type, language setting, date of downloading the game app, number of days since downloading the game app, name and number of game apps from Flaregames for which the user is registered. Flaregames also stores the game scores, levels achieved and other game-related data that we require to operate the game app for the user. We further store data for the purpose of placing advertising messages, specifically advertising messages that were delivered to the user. We collect the user’s advertising network ID and information on whether the user found the game app as a result of an advertising campaign.

4.3 To improve the gaming experience for our users, Flaregames will collect information on the duration of use, the number of times the games app was launched, internet protocol, IP address, device type and operating system, data volume transferred, access status (file transfer, file not found etc), avatar name, download tag and game app version, as well as amounts/tokens you have invested in the game app’s features. This data can be used to generate pseudonymised statistics that help Flaregames to make the apps and games even better for you, fix bugs and improve our services. The data is not used for any other purpose specifically related to the data subject. This data will be deleted as soon as there is no further need for their storage, the user has requested the data to be deleted, or a law prohibits the (continued) storage of the data. Data can only be deleted if the deletion is not opposed by a statutory retention obligation.

As a general rule, Flaregames will only collect and use the personal data specifically disclosed by the user, i.e. during his registration or login, for the user’s enrolment in prize competitions or use of paid services. Personal data means data that contains information about personal or factual circumstances (e.g. name, address, date of birth, e-mail address). The contractual use of the games apps requires the collection and processing of the user’s personal data by the stores Flaregames has no control over this type of data collection and does not accept any liability or responsibility. Detailed information about the data collected by Google Play and Apple App Store, Windows Store and other stores may be obtained from the data protection statement of the respective store. Flaregames processes this data to the extent it is provided by the stores and necessary for downloading the games app to the user’s device, as well as for the operation of the games app. The data is not stored for any other purposes. The user may be required to disclose additional data, such as his full name, address, etc., for purposes associated with the contractual use of the games app and the performance of the license agreement accepted by downloading the app, and in particular data associated with the use of paid services by the user (i.e. download of a paid app or in-game purchase). Flaregames does not collect and process any payment data (bank account numbers, credit card data, etc.). Google Play IDs and Game Center IDs can be saved to allow login from multiple devices. Legal basis for data processing

The legal basis for the temporary storage of data and log files is Article 6, para. 1 lit. f GDPR.

4.9 Data processing purpose The temporary storage of a user’s IP address by the system is necessary to deliver the services to the user’s computer. This requires the IP address to remain stored for the duration of the session.

The storage in log files serves the purpose of warranting the faultless functioning of the services. The data also assists us in optimising the website and to warrant the security of our computer systems. The data is not analysed for any marketing purposes, it is analysed exclusively for statistical purposes.

We reserve the right to temporarily store IP addresses and log files for the purpose of monitoring compliance with the terms of use and rules of the games. This in particular serves the purpose of preventing potential misuse, investigate cases of misuse and to make individual case-specific data available to the investigating authorities for that purpose. In all other respects, the data will be anonymised to the greatest possible extent before carrying out any other analysis. The IP address and log files will be completely deleted at the end of the storage period, unless they are subject to statutory retention obligations or are a matter of interest in pending criminal proceedings or investigations into illegal use.

Our legitimate and prevailing interest in processing the data pursuant to Article 6 para. 1 lit. f GDPR is based on these purposes.

4.10 Period of storage The data will be deleted as soon as it is no longer required for achieving the purpose of their collection. Where data is collected for the purpose of making the website available, this is the case when the respective session has ended.

Where data is stored in log files, this is the case after a maximum period of seven days. In certain other cases, your data may be stored for longer periods. If this is the case, the IP addresses of the users will be deleted or anonymised, with the result that the accessing client can no longer be identified.

4.11 Your right to object and contest a decision Collecting the data for the purpose of making the website available and storing the data in log files is an essential requirement for the operation of the website. Users therefore cannot object against this type of data collection.

  1. Login via a third-party platform

5.1 By logging into the games via a third-party user account, such as the Facebook account or Google+ account or other social networks, the user declares his consent to the access to and/or storage of

certain account and/or profile information held by such third-party provider or certain information stored in cookies downloaded to your device by a third-party platform.

5.2 Flaregames will share this information with the third-party provider for the purpose of being used by such third party provider in accordance with the third party provider’s terms of use and privacy settings.

5.3 The user may change his login settings at any time if he wishes to prevent such data from being exchanged with Facebook, Google or other social networks he has previously used to login into on our services.

  1. Disclosure of the data to third parties; contract (data) processing

6.1 The user’s personal data will be treated confidential and will generally only be disclosed to external service providers or contractors with the user’s express consent, or if disclosure is necessary to perform a contract, respond to inquiries or to provide customer support. Flaregames cooperates with providers who collect and compile statistical data, as well as with IT service providers (i.e. computer centres, hosting, back-up and database services). The user’s legitimate interests are given consideration in accordance with the statutory requirements. The external service providers are under a statutory obligation to treat the data confidential and securely and are only permitted to use the data to the extent necessary to perform their duties. In as far as external service companies perform contract data processing, the statutory requirements pertaining to contract (data) processing are observed.

6.2 In all other respects, personal data is only disclosed if required for the protection of other users, for the prosecution of criminal offences, or as permitted under the statutory data protection regulations. We may in certain cases be compelled to disclose the data on the basis of statutory requirements (i.e. disclosure to investigating authorities). Disclosure is always limited to the extent necessary, legally permitted or prescribed.

6.3 A declaration of consent to the disclosure of data previously granted to us may be revoked at any time and without stating reasons.

  1. Modification and deletion

Flaregames can, at its own discretion or at the user’s request, complete, correct or delete any personal data stored by Flaregames in relation to the operation of this website or the games app that is incomplete, incorrect or outdated. Flaregames complies with the statutory requirements and deletes personal data immediately upon being requested to do so by the user, unless prevented from deleting the data by statutory retention obligations.

  1. Use of cookies

Our website uses so-called session or flash cookies. Cookies are small text files that are stored in the Internet browser or respectively by the Internet browser on the user’s computer system. A cookie can be placed on the user’s computer system when the user accesses one of our websites. This cookie contains a sequence of characters that allows for the unequivocal identification of the browser when revisiting the website. Some functions of our website can only be offered with the use of cookies. These functions require the browser to be recognised after having navigated to another website. The user data collected by technically necessary cookies will not be used to determine your identity or to create user profiles. The legal basis for the processing of personal data with the help of these cookies is our legitimate interest in accordance with Article 6 subsection 1 lit. f GDPR. Subject to your permission, we also use so-called persistent cookies, which will remain active after the session has ended (trans-session cookies). The legal basis for the processing of personal data with the help of these types of cookies is your declaration of consent pursuant to Article 6 subsection 1 lit. a GDPR. These cookies particularly serve the purpose of making our website more user-friendly, effective and secure.

A list of cookies used on our website and descriptions of these cookies can be found here.

Cookies are stored on the user’s computer and transmitted from there to our computer systems. This means that you have full control over the use of cookies at all times. By changing the settings of your Internet browser, you can deactivate or restrict the transmission of cookies. You can delete the cookies stored on your computer at any time. You can also set your system to automatically delete cookies. Some of the functions offered on this website may not be available if cookies have been deactivate.

  1. Links to other websites

Our website may from time to time contain interactive references (so-called links), for which Flaregames does not accept any responsibility. Flaregames has no control over the content and design of the linked external websites or internet services the user may access via our webpages. The respective operators of these internet services are exclusively responsible for their design, content and compliance with data protection requirements.

  1. Push notifications

10.1 Description and scope of data processing

You can set the configurations of your device to permit us to send you push notifications for updates to games apps and other relevant information. You can manage your push settings in the “options” or “settings” menu of your mobile app, or in the settings of your device.

10.2 Legal basis for data processing

The legal basis for the processing of the data for the purposes of a contract is Article 6 para. 1 lit. b GDPR.

10.3 Period of storage

The data will be stored until you delete them.

10.4 Your right to object and contest a decision

For Apple mobile devices: Open the settings on your mobile device (e.g. iPhone or iPad), and select the menu item “Privacy”. You can switch off ad tracking under the menu item “advertising”.

For devices with Android operating systems: Open the settings in your app-list and tap the “Ad” button. Once the ad window has opened, you can disable the Google Advertising ID.

  1. Protection of your data

We always try our best to put reasonable arrangements in place that are aimed at preventing unauthorised access to your personal data, use of your data or manipulation of your data and at minimising the risk of these incidents occurring. All our employees have been instructed with regard to their legal obligations to comply with data protection regulation and to maintain data secrecy. Our SSL transmission is certified by different official certificate authorities.

The provision of personal data, irrespective of whether disclosed in person, over the phone or via the internet, carries certain inevitable risks. No technological system is absolutely fail-safe from being manipulated or sabotaged. We would like to point out that there is always a residual risk of a transmission of data over the internet (i.e. communicating by email) being compromised. A fail-safe, guaranteed protection of the data against access by third parties is not possible.

  1. Rights of the data subject (the person whose data is collected)

The processing of your personal data makes you a data subject for the purposes of the GDPR. As a data subject, you may assert the following rights against the data controller:

12.1 Right to information You can request the data controller confirm whether we are processing any personal data relating to you.

If this is the case, you may request the data controller to provide you with the following information:

the purposes for which your personal data is being processed; the categories of personal data being processed; the recipients or categories of recipients to whom your personal data has been or will be disclosed; the planned duration of the storage of your personal data or, if no specific information is available, the criteria for determining the duration of storage; the existence of a right to correction or deletion of your personal data, or a right to restrict the processing by the data controller, or a right to object against the processing of the data; the existence of a right to lodge a complaint with a supervisory authority; in the case the personal data is not collected from the data subject personally, all available information about the source of the data; the existence of an automated decision-making procedure including profiling pursuant to Article 22 paras. 1 and 4 GDPR and - at least where this is the case - meaningful information about the logical reasoning involved, as well as the magnitude and intended implications of such data processing for the data subject.

You have the right to request information on whether your personal data is transmitted to a third country or an international organization. You may in this respect demand to be informed about the adequate safeguards taken in relation to the transmission pursuant to Article 46 GDPR.

12.2 Right to correction

You have the right to demand the data controller to correct and/or complete any of your personal data that is incorrect or incomplete. The data controller must correct or complete the data without undue delay.

12.3 Right to restrict the processing of data

You can demand the processing of your personal data to be restricted under the following conditions:

if you contest the accuracy of your personal data and allow the data controller adequate time to verify the accuracy of your personal data; If the data processing is unlawful and you decline the deletion of your personal data and rather demand the use of your personal data to be restricted; the data controller no longer requires your personal data for the data processing purposes, but you require them for the purpose of asserting, exercising or defending your legal interests, or if you have objected against the processing of your personal data in accordance with Article 21 para. 1 GDPR and a decision on whether the data controller’s legitimate interests prevail over your interests has not been made.

Where the processing of your personal data has been restricted, such data may - except for their storage - only be processed with your consent or for the purpose of asserting, exercising or defending legal interests, or to protect the legal interests of another person or legal entity, or for reasons of a substantial public interest of the European Union or a Member State.

If the data processing was restricted on the basis of the conditions stipulated above, you will be notified by the data controller prior to lifting the restriction.

12.4 Right to the deletion of your data

You may at any time delete your account.

12.4.1 Mandatory deletion

You may instruct the data controller to promptly delete your personal data. The data controller is legally required to delete such data without undue delay, provided one of the following reasons apply:

Your personal data is no longer required for the purposes they were collected or previously processed. You revoke your declaration of consent on which the data processing was based pursuant to Article 6 para. 1 lit. a or Article 9 para. 2 lit. a GDPR, and there is no other legal basis that would legitimate the data processing. You object against the data processing pursuant to Article 21 para. 1 GDPR and there are no prevailing legitimate reasons for the data processing, or you lodge an objection against the data processing pursuant to Article 21 para. 2 GDPR. The processing of your data was unlawful. The deletion of your personal data is necessary to perform a legal obligation under EU law or the law of a Member State governing the data controller. Your personal data was collected in relation to services offered by the information society pursuant to Article 8 para. 1 GDPR.

12.4.2 Notification of third parties Where the data controller has made your personal data publicly accessible and is required to delete your data under Article 17 para. 1 GDPR, the data controller will, in consideration of the available technology and cost of implementation, take adequate measures, including technical measures, to inform any other data controllers who process such personal data about the circumstance that you as the data subject have requested them to delete all links to said personal data, copies or reproductions of such personal data.

12.4.3 Exemptions You are not entitled to the deletion of your data to the extent the data processing is required

for the purpose of exercising the right to freedom of expression and right to information; for the purpose of performing a legal obligation imposed on the data processing under EU law or the law of a Member States governing the data controller, or to discharge of a function in the public interest or in the exercise of public authority conferred upon the data controller; For reasons of public interest concerning public health pursuant to Art. 9 Section 2 lit. h and i, as well as Article 9 para. 3 GDPR; For archiving, scientific or historical research purposes in the public interest, or for statistical purposes pursuant to Article 89 para. 1 GDPR, to the extent the right provided for at section a) is expected to render the achievement of the purposes of this data processing infeasible or to significantly impede them, or for the purpose of asserting, exercising or defending legal interests.

13 Right to onward notification

Where you have asserted your right to the correction, deletion or restriction of the data processing against the data controller, the data controller is required to notify all recipients your personal data was disclosed to about said correction or deletion of the data, or restrictions imposed on their processing, unless such notification is infeasible or would entail unreasonable effort or expense.

You are entitled to be informed about these recipients by the data controller.

14 Right to data portability

You have the right to receive the personal data disclosed by you to the data controller in a structured, popular and machine-readable format. You further have the right to transfer such data to another data controller without interference by the data controller said personal data was initially made available to, provided

the data processing is based on a declaration of consent pursuant to Article 6 para. 1 lit. a or Article 9 para. 2 lit. a GDPR, or on a contract pursuant to Article 6 para. 1 lit. b GDPR, and the data processing is conducted by way of automated processes.

When you exercise this right, you are further entitled to your personal data being transferred directly from one data controller to another data controller, subject to technical feasibility. This must not curtail the freedoms and rights of third parties.

The right to data portability does not apply to the processing of personal data that is required for the performance of a function in the public interest or in the exercise of public authority conferred upon the data controller.

15 Right to object

You have the right to lodge an objection against the processing of your personal data conducted on the basis of Article 6 para. 1 lit. e or f GDPR at any time for reasons that are attributable to your personal circumstances. This also applies to profiling based on the same provisions.

The data controller will then cease processing your personal data, unless he can demonstrate compelling legitimate interests for the data processing that prevail over your interests, rights and freedoms, or unless the data processing serves the purpose of asserting, exercising or defending legal interests.

Where your personal data is processed for direct advertising purposes, you have the right to lodge an objection against the processing of your personal data for such advertising purposes at any time; this also applies to profiling associated with such direct advertising.

If you lodge an objection against data processing for direct advertising purposes, your personal data will no longer be processed for these purposes.

When using services of the information society, you have the option to exercise your right to object via automated processes that use technical specifications, irrespective of the Directive 2002/58/EC.

16 Right to revoke data protection-related declarations of consent

You have the right to revoke a previously granted declaration of consent at any time. A revocation of consent is without prejudice to the lawfulness of the data processing conducted prior to your revocation.

17 Automated individual decision-making

You have the right not to be subjected to a decision based solely on automated processing, including profiling, which would produce legal effects concerning you or would significantly affect you in a similar way. This does not apply if the decision

is required for the conclusion or performance of a contract between you and the data controller, is authorised by a EU or Member State law governing the data controller and such law provides for adequate safeguards for your rights, freedoms and legitimate interests, or is based on your explicit consent.

These decisions may however not be made on the basis of personal data of special categories pursuant to Article 9 para. 1 GDPR, unless Article 9 para. 2 lit. a or g applies and adequate safeguards for your rights, freedoms and legitimate interests have been put in place.

In the cases referred to at (1) and (3), the data controller takes adequate measures to safeguard your rights, freedoms and legitimate interests, which at the minimum includes the right to obtain intervention of a person on the part of the data controller, the right to express your own opinion and the right to contest the decision.

18 Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy that may be available to you, you have the right to lodge a complaint with a supervisory authority, in particular an authority in the Member State of your residence, your place of work or the place of the alleged infringement if you have reason to believe that your personal data is processed in violation of the GDPR.

The supervisory authority where the complaint was lodged will inform the complainant about the progress and results of the complaint, as well as the option to seek relief from a court of law pursuant to Article 78 GDPR.

19 Newsletter

Our website offers you the option of subscribing to a newsletter. We will need your email address to send the newsletter to you. We must also comply with the statutory requirement to verify that you are in fact the owner of the email address provided and would like to receive the newsletter. We verify this by sending you a confirmation email. Our games newsletter will inform you about current and upcoming games and game features. Our recruitment newsletter offers information on our current vacancies. The legal basis for processing your data is your declaration of consent pursuant to Article 6 para. 1 lit. a GDPR.

We only send our newsletters with your express consent. You may revoke your consent to the collection and storage of your data at any time without stating reasons. Please use the unsubscribe link at the end of each newsletter sent out by us or contact us to revoke your consent. Your data will be deleted after you have unsubscribed.

Last revised: 25 May 2018

Copyright: Flaregames GmbH ‒ All rights reserved.