Controller – XRCOO
Personal Data – refers to information that pertains to an individual who can be identified or is identifiable through specific factors related to their physical, physiological, genetic, mental, economic, cultural, or social identity.
Anonymous Data – refers to information that does not directly or indirectly identify an individual and cannot be reasonably utilized to identify a specific person.
GDPR – stands for the General Data Protection Regulation. It is a regulation enacted by the European Union, specifically Regulation (EU) 2016/679 of the European Parliament and of the Council, passed on April 27, 2016. The GDPR focuses on safeguarding the privacy and protection of personal data of individuals within the European Union (EU) and the European Economic Area (EEA). It replaces Directive 95/46/EC and aims to harmonize data protection laws across EU member states while enhancing individuals’ rights and control over their personal data.
Website – refers to the online platform or web address, specifically the website operated by the Controller, accessible at https://vrclub.live
Services – encompass any game or game extension published by XRCOO, including but not limited to VR Club Live or any additional game extensions provided by XRCOO.
Third Parties – refer to the business partners of the Controller who may be involved in the distribution of Services. This includes entities such as Meta (formerly Facebook), Sony, HTC, Valve, and other relevant partners.
User – refers to any individual, specifically a natural person, who visits the Website or utilizes one or more of the services or functionalities described in the Policy.
PROCESSING OF DATA IN CONNECTION WITH THE USE OF THE WEBSITE AND OUR SERVICES
As part of the User’s use of the Website and/or our Services, the Controller collects data to the extent required to provide the specific services offered. This includes gathering information about the User’s activities on the Website and/or their utilization of the Services. The data collected is limited to what is necessary for the proper functioning and provision of the requested services.
The Controller collects two types of information: Personal Data and Anonymous Data.
- Personal Data includes IP address, identifier information of your device (such as device make and model, information about device operating systems, or other device or system-related specifications), and e-mail address.
- Anonymous Data includes information about localization and User interactions and actions during the use of the Services, including information about favorite levels, points, game time, score, Service reset, and unlocked achievements.
In providing Services, the Controller may use Third Parties. Third Parties may use automated means of data collection and may record information about Users’ use of the Services. These actions are subject to Third Parties’ privacy policies.
Link to Terms and Conditions of third-party service providers used by the app
The detailed rules and purposes for processing collected Personal Data and Anonymous Data are described below.
PURPOSES AND LEGAL BASIS FOR DATA PROCESSING
USE OF THE WEBSITE AND OTHER SERVICES
Personal Data and Anonymous Data of all persons using the Website and/or other Services (including IP address or other identifiers and information collected through cookies or other similar technologies) are processed by the Controller:
- The legal basis for processing personal and anonymous data in order to provide services electronically and make content available to users is the necessity of processing to perform the contract, as outlined in Article 6(1)(b) of the General Data Protection Regulation (GDPR).
- For the processing of personal and anonymous data for analytical and statistical purposes, the legal basis is the legitimate interest of the Controller, as defined in Article 6(1)(f) of the General Data Protection Regulation (GDPR). This legitimate interest is based on conducting analyses of users’ activities and preferences to enhance the functionalities and services provided.
- To potentially support the establishment and defense of claims, the legal foundation for processing is the Controller’s legitimate interest, as outlined in Article 6(1) point (f) of the GDPR. This legitimate interest pertains to safeguarding the Controller’s rights.
- The Controller and other entities may process Personal Data for marketing purposes, specifically related to the display of behavioral advertising. The guidelines and principles for processing Personal Data for marketing purposes are detailed in the MARKETING section.
The User’s actions on the Website and/or their utilization of the Services, which include both Personal Data and Anonymous Data, are documented in system logs. These logs serve as a specialized computer program that chronologically stores information about events and activities associated with the IT system utilized by the Controller to provide services. The data collected in these logs are primarily processed for the purpose of service provision. Additionally, the Controller processes this information for technical and administrative reasons to ensure IT system security, manage the system, and for analytical and statistical purposes. The legal basis for this processing is the Controller’s legitimate interest, as stated in Article 6(1) point (f) of the GDPR.
The Controller offers a newsletter service, subject to the terms and conditions, to individuals who have provided their email address for this specific purpose. Providing data is necessary to deliver the newsletter service, and if this information is not provided, the newsletter cannot be sent. This method of communication with the User may involve profiling.
Personal Data are processed:
- The legal basis for processing Personal Data for the purpose of providing the newsletter service is the necessity of processing to fulfill the contractual obligations as defined in Article 6(1) point (b) of the GDPR.
- When directing marketing content to the User as part of a newsletter, the legal basis for processing, which includes the use of profiling, is the legitimate interest of the Controller in accordance with Article 6(1) point (f) of the GDPR, along with the consent provided by the User to receive the newsletter.
- The legal basis for processing data for analytical and statistical purposes is the legitimate interest of the Controller, as stated in Article 6(1) point (f) of the GDPR. This process involves conducting analyses of Users’ activities on the Website to enhance and improve the functionalities used.
- To potentially establish and exercise claims or defend against claims, the legal basis for processing is the legitimate interest of the Controller, as defined in Article 6(1) point (f) of the GDPR. This legitimate interest pertains to safeguarding the rights of the Controller.
During recruitment processes, the Controller expects the transfer of Personal Data, such as CVs or resumes, to strictly comply with the provisions of labor law. Therefore, no additional information beyond what is stipulated by labor law should be provided. If applications contain supplementary data that exceeds the scope defined by labor law, their processing will rely on the candidate’s consent, as outlined in Article 6(1) point (a) of the GDPR. This consent is expressed through the explicit and affirmative action of the candidate when submitting the application documents. Irrelevant information included in the applications will not be utilized or considered in the recruitment process.
Personal data are processed:
- In cases where the preferred form of employment is an employment contract, the processing of Personal Data is based on the legal obligation of the Controller, as specified in Article 6(1) point (c) of the GDPR, in conjunction with the provisions of labor law. This legal basis is necessary to fulfill the Controller’s legal obligations pertaining to the employment process, primarily governed by the Labour Code.
- When the preferred form of employment is a civil law contract, the processing of data contained in the application documents during the recruitment process is based on the legal basis of taking steps at the request of the data subject prior to entering into a contract, as stated in Article 6(1) point (b) of the GDPR. This legal basis enables the processing of data necessary for conducting the recruitment process and considering the candidate for a potential contract.
- For the purpose of conducting the recruitment process concerning data that is not required by law or by the Controller, as well as for future recruitment processes, the legal basis for processing is based on the candidate’s consent, as specified in Article 6(1) point (a) of the GDPR.
- To ensure the candidate’s qualifications and skills are verified and to establish the terms of cooperation, the legal basis for processing personal data is the Controller’s legitimate interest (Article 6(1)(f) of the GDPR). The Controller’s legitimate interest lies in assessing job applicants and establishing potential collaboration terms.
- To enable the Controller to potentially pursue and defend claims, the legal basis for processing personal data is the Controller’s legitimate interest (Article 6(1)(f) of the GDPR).
If personal data is processed based on consent, it is important to note that consent can be withdrawn at any time, and such withdrawal will not affect the lawfulness of the processing that occurred prior to the withdrawal. In cases where consent is obtained for future recruitment processes, the personal data will be deleted after two years, unless consent is withdrawn earlier.
In accordance with Article 22(1) of the Labour Code, the provision of data within the specified scope is mandatory for candidates expressing a preference for employment based on an employment contract. This requirement is governed by relevant laws, particularly the Labour Code. For candidates who prefer employment based on a civil law contract, the provision of such data is required by the Controller. Failure to provide this data will result in the candidate being ineligible for consideration in the recruitment process. The provision of any additional data beyond this scope is voluntary.
OTHER PROCESSES OF PERSONAL DATA PROCESSING
E-MAIL AND REGULAR MAIL
When it comes to correspondence sent to the Controller via email or regular mail that is unrelated to services provided to the sender or any other contractual agreements, the personal data included in such correspondence will be processed solely for the purpose of communication and resolving the specific matter mentioned in the correspondence.
Personal data are processed for the following purposes:
- The legal basis for processing personal data for the purpose of communication and resolution of the matter in such correspondence is the legitimate interest of the Controller. This legitimate interest, as outlined in Article 6(1)(f) of the GDPR, is based on the Controller’s aim to handle correspondence related to their business activities effectively.
- The Controller relies on its legitimate interest (as stated in Article 6(1) point (f) of the GDPR) to process data, specifically for defending its business interests, including the establishment or defense against potential claims.
CONTACT BY PHONE
If the purpose of contacting the Controller by phone does not pertain to the contracted agreement or the provided services, the Controller may ask for Personal Data only if it is essential for addressing the specific matter of the contact.
Personal data are processed for the following purposes:
- The legal basis for processing, allowing contact, and addressing requests, is the Controller’s legitimate interest (as stated in Article 6(1) point (f) of the GDPR). This interest arises from the necessity to resolve reported matters pertaining to their business activities.
- The Controller’s legitimate interest, as specified in Article 6(1) point (f) of the GDPR, serves as the legal basis for processing data. This includes the Controller’s defense of their business interests through the establishment or exercise of potential claims or defense against such claims.
DATA COLLECTION AS PART OF BUSINESS CONTACTS
The Controller collects personal data in various situations related to their business activity, such as business meetings, events, or exchanging business cards. This data is collected with the purpose of initiating and maintaining business contacts. The legal basis for this processing is the legitimate interest of the Controller, as outlined in Article 6(1) point (f) of the GDPR. This legitimate interest stems from the need to network in connection with the conducted business activity.
The Controller processes Users’ Personal Data for the purpose of conducting marketing activities, which may include:
- presenting general marketing content to the User that is not specifically customized to their preferences (contextual advertising).
- presenting the User with marketing content that aligns with their interests (behavioral advertising).
The Controller sometimes uses profiling for marketing purposes. This means that the Controller uses automatic data processing to analyze the Users’ chosen factors and understand their behavior or predict their future. This makes the content more suitable for the User’s personal preferences and interests.
The Controller and his trusted partners use the Users’ Personal Data, including Personal Data collected through cookies and other similar technologies, for marketing purposes related to showing the Users behavioral advertising (i.e. advertising that matches the User’s preferences). In this case, the processing of Personal Data also involves the profiling of Users.
The Controller uses the Personal Data of the Users who visit the Controller’s social media profiles (Facebook, Twitter). These data are used only for managing the profile, including informing the Users about the Controller’s activities and advertising various events, services, and products. The legal basis for the Controller’s use of Personal Data for this purpose is his legitimate interest (Article 6(1) point (f) of the GDPR) in promoting his own brand.
COOKIES AND SIMILAR TECHNOLOGY
Cookies are small text files stored on the User’s device when visiting the Website. Cookies gather information that makes using the Website easier – e.g. by remembering the User’s visits to the Website and actions done by him/her.
The Controller uses essential cookies mainly to deliver the User the services and features of the Website that the User wants to use. Essential cookies can only be installed by the Controller through the Website.
The legal basis for the use of data in relation to the use of essential cookies is the necessity of use to execute the contract (Article 6(1) point (b) of the GDPR).
FUNCTIONAL AND ANALYTICAL COOKIES
Functional cookies are used to recall and adjust the Website to the User’s selections, e.g. in terms of language preferences. Functional cookies can be installed by the Controller and his partners through the Website.
Analytical cookies make it possible to obtain information such as the number of visits and sources of traffic on the Website. They are used to determine which pages are more and which are less popular and to understand how Users navigate the Website by keeping statistics on the traffic on the Website. They are used for the purpose of improving the performance of the Website. The information gathered by these cookies is aggregated, so they do not aim to establish your identity. Functional cookies can be installed by the Controller and his partners through the Website.
The legal basis for the use of Personal Data in relation to the use of functional and analytical cookies by the Controller, for this purpose, is consent (Article 6(1) point (a) of the GDPR).
The use of Personal Data in relation to the use of functional and analytical cookies depends on the User’s consent to the use (separately) of functional and analytical cookies through the cookie consent management platform. This consent can be withdrawn at any time through this platform.
Advertising cookies allow matching the advertising content shown to the User’s interests within and outside the Website. Based on the information from these cookies and the User’s activity on other websites, a profile of the User’s interests is created. Advertising cookies can be installed by the Controller and his partners through our website.
The legal basis for the use of Personal Data in relation to the use of advertising cookies by the Controller, for this purpose, is consent (Article 6(1) point (a) of the GDPR).
The use of Personal Data in relation to the use of advertising cookies is permitted after getting the User’s consent to the use through the consent management platform. This consent can be withdrawn at any time through this platform.
ANALYTICAL AND MARKETING TOOLS USED BY THE CONTROLLER’S PARTNERS
Google Analytics cookies are the files used by Google to analyze how the User uses the Website and to create statistics and reports on the functioning of the Website. Google does not use the collected data to identify the User, nor does it combine this information to enable identification. Detailed information about the scope and principles of data collection in connection with this service can be found at this link: https://www.google.com/intl/pl/policies/privacy/partners.
Facebook Pixel is a tool that allows measuring the effectiveness of advertising campaigns carried out by the Controller on Facebook. The tool allows advanced data analytics in order to optimize the Controller’s activities also with the use of other tools offered by Facebook. Detailed information on data processing by Facebook can be found at this link: https://www.facebook.com/help/443357099140264?helpref=about_content.
Twitter Pixel is a web tag that is deployed on a website to track site activity or conversions. The tool combines our older web tags – Universal Web Tags (UWT) and Single Event Tags (SET) – into a single, easier-to-use solution. Detailed information on data processing by Twitter can be found at this link: https://twitter.com/en/privacy
COOKIES SETTINGS MANAGEMENT
The User does not need to agree to cookies that are essential for the telecommunications service (data transmission for showing the content) – these cookies cannot be turned off by the User if he/she wants to use the Website.
To get personalized ads, the User needs to accept the installation of cookies through the cookie consent management platform and keep the browser settings that let the Website store cookies in the User’s device.
The User can revoke the consent to cookies on the Website through the cookie consent management platform. The User can access the banner again by clicking on the “Manage cookies” button below or the same button in the footer of every sub-page of the Website.
The User can revoke consent by clicking on the “COOKIE SETTINGS” button after seeing the banner. Then he/she should slide the switch next to the chosen cookie category and click on the “SAVE SETTINGS” button.
Users also have the option of opting out of cookies by using the browser in incognito mode.
To exercise your rights regarding access, rectification, erasure, restriction, transfer, objection to the processing of your personal data, or to lodge a complaint or ask any questions related to cookies, please send your request to the following email address: [email protected].
DURATION OF DATA PROCESSING
The duration of data processing conducted by the Controller depends on the nature of the service provided and the purpose of processing. Generally, data is processed for the duration of the service provision, until consent is withdrawn, or until an effective objection is raised against the data processing when the legal basis is the Controller’s legitimate interest.
The processing period may be extended if necessary for the establishment and exercise of potential claims or defense against claims, and thereafter only to the extent required by law. After the expiration of the processing period, the data will be permanently deleted or anonymized.
DATA SUBJECT RIGHTS
Data subjects have the following rights:
- The right to be informed about the processing of personal data: The Controller is required to provide the natural person making the request with information regarding the processing of their personal data. This includes details about the purposes and legal basis for processing, the extent of the data being held, the entities to which the data is disclosed, and the anticipated date of data erasure.
- The right to obtain a copy of the data: The Controller is obligated to provide a copy of the processed data that pertains to the natural person making the request.
- The right to rectification: The Controller is obligated to rectify any inconsistencies or errors in the personal data processed and to complete it if it is found to be incomplete.
- The right to data erasure: Based on this right, individuals can request the erasure of their personal data if its processing is no longer necessary for the purposes for which it was collected.
- The right to restrict processing: Upon request, if an individual exercises this right, the Controller must halt processing operations on the personal data, except for operations authorized by the data subject, and restrict its storage according to the adopted retention rules. The processing will remain restricted until the reasons for the restriction cease to exist (for example, if a decision from a supervisory authority permits further processing).
- The right to data portability: Under this right, if personal data is processed by automated means in connection with a contract or consent, the Controller is obligated to provide the data subject with their personal data in a machine-readable format. Additionally, it is possible to request the transfer of the data to another entity, provided that it is technically feasible for both the Controller and the designated entity.
- The right to object to processing for marketing purposes: If applicable, individuals have the right to object, without justification, to the processing of their personal data for marketing purposes at any time.
- The right to object to other purposes of data processing: Individuals have the right to object, for reasons relating to their particular situation, to the processing of their personal data that is carried out based on the legitimate interests of the Controller (e.g., for property protection). The objection should include a justification for the objection.
- The right to withdraw consent: If personal data is processed based on consent given, individuals have the right to withdraw their consent at any time. However, this does not affect the lawfulness of the processing carried out prior to the withdrawal.
- The right to lodge a complaint: If the processing of personal data is believed to violate the provisions of the GDPR or other data protection laws, individuals have the right to lodge a complaint with the supervisory authority responsible for data protection oversight.
- The supervisory authority responsible for the processing of personal data is determined based on the data subject’s habitual place of residence, place of work, or the location where the alleged breach occurred. In the case of Poland, the supervisory authority is the President of the Office for Personal Data Protection (Urząd Ochrony Danych Osobowych), also known as UODO.
SUBMITTING REQUESTS FOR THE EXERCISE OF RIGHTS
Requests regarding the exercise of data subjects’ rights can be submitted via electronic communication to the email address: [email protected]
When submitting a request, please provide the following details, if possible:
- Specify the right you wish to exercise (e.g., right to data access, right to erasure, etc.).
- Clearly indicate the processing activities the request pertains to (e.g., use of a specific service, activity on a particular website, etc.).
- Identify the specific purposes of processing the request concerns (e.g., purposes related to service provision, etc.).
If the Controller is unable to identify the individual based on the submitted request, additional information will be requested from the requesting party. Providing such information is optional, but failure to do so will result in the request being refused.
The request can be submitted in person or through a proxy, such as a family member. To ensure data security, the Controller recommends using a power of attorney certified by a notary public, authorized legal advisor, or attorney. This will expedite the verification of the request’s authenticity.
The Controller aims to respond to the request within one month of its receipt. If an extension is necessary, the requesting party will be informed of the reasons for the delay.
If the request is submitted electronically, the response will be given in the same form unless an alternative form is requested. For other cases, the response will be provided in writing. However, if the time constraint makes it impossible to respond in writing and the extent of the requesting party’s data allows for electronic communication, the response will be given electronically.
As part of the service provision, Personal Data will be shared with external entities. This includes suppliers responsible for IT system operations, marketing agencies (for marketing services), and entities related to the Controller, such as companies within the same group.
With the User’s consent, their data may also be shared with other entities for their own purposes, including marketing.
The Controller retains the right to disclose specific User information to competent authorities or third parties who request such information based on legal grounds and in compliance with applicable laws.
TRANSFER OF DATA OUTSIDE THE EEA
The protection of Personal Data outside the European Economic Area (EEA) is different from that provided by European law. Therefore, the Controller transfers Personal Data outside the EEA only when needed and with a sufficient level of protection, especially by:
- Working with processors of Personal Data in countries for which the European Commission has issued a relevant decision determining a sufficient level of protection of Personal Data (you will find the detailed information here).
- Using the standard contractual clauses issued by the European Commission. Together with the required extra security measures, these provide the same protection to Personal Data as they have in the European Union.
- Using the binding corporate rules approved by the competent supervisory authority.
The Controller shall always inform about its intention to transfer Personal Data outside the EEA at the stage of their collection.
PERSONAL DATA SECURITY
The Controller shall regularly do a risk analysis to make sure that the Personal Data is processed by the Controller in a safe way – especially ensuring that only the authorized people can access the data and only as much as they need for their tasks. The Controller shall make sure that all actions on Personal Data are recorded and done only by authorized employees and associates.
The Controller shall take all necessary steps to ensure that its subcontractors and other entities he works with also apply appropriate security measures when they process Personal Data for the Controller.
The Controller can be reached at the email address [email protected]
The Policy is verified regularly and updated as necessary.
The Policy has been adopted and is effective since 26.05.2023
TERMS OF SERVICE
When accessing the website https://vrclub.live or participating in any XRCOO games, which include VR Club Live and its expansions, you are acknowledging and agreeing to the terms of service. You are expected to adhere to all applicable laws and regulations, including local laws. Failure to agree to these terms will result in your prohibition from accessing or using this website. The content available on this website and within the games is protected by copyright and trademark laws.
The content available on XRCOO’s website and in games is provided “as is.” XRCOO does not make any warranties, whether expressed or implied, and hereby disclaims and denies all other warranties, including but not limited to implied warranties or conditions of merchantability, fitness for a specific purpose, or non-infringement of intellectual property or other violations of rights.
Additionally, XRCOO does not guarantee or make any representations regarding the accuracy, probable outcomes, or reliability of using the materials found on its website or in games. This applies to any information related to such materials or to any websites linked to the XRCOO site.
Under no circumstances shall XRCOO or its suppliers be held liable for any damages, including but not limited to loss of data or profit, or any disruptions to business operations, resulting from the use or inability to use the materials on XRCOO’s website or in games. This applies even if XRCOO or an authorized representative of XRCOO has been notified, either orally or in writing, of the possibility of such damages. Please note that in certain jurisdictions, limitations on implied warranties or limitations of liability for consequential or incidental damages may not be enforceable, and as such, these limitations may not apply to you.
Accuracy of materials
The materials presented on XRCOO’s website and in games may contain technical, typographical, or photographic errors. XRCOO does not guarantee the accuracy, completeness, or currency of any of the materials on its website or in games. XRCOO reserves the right to make changes to the materials on its website or in games at any time without prior notice. However, XRCOO does not have an obligation or commitment to update the materials.
XRCOO has not reviewed all of the websites linked to its own website or in its games and therefore cannot be held responsible for the content of any such linked sites. The inclusion of any link does not indicate endorsement by XRCOO of the linked website. Users access linked websites at their own risk.
XRCOO reserves the right to modify these terms of service for its website or games at any time, without prior notice. By using the website or playing games, you agree to be bound by the most recent version of these terms of service.
These terms and conditions are governed by and construed in accordance with the laws of Poland. By using the website or playing games, you agree to irrevocably submit to the exclusive jurisdiction of the courts in that particular state or location.
You understand and agree that VR Club Live Team cannot be held liable, either directly or indirectly, for any physical or psychological harm, as well as any property damage that may occur while using its website or games. However, it is important to prioritize safety. Please exercise caution and ensure that you do not put yourself at risk of harm.