Privacy Notice

Effective from May 25, 2018
Last updated November 08, 2024

Change history

November 08, 2024 – inclusion of Zen Pinball World

October 24, 2024 – amendments for Pinball M

May 16, 2024 – inclusion of CastleStorm VR, amendments for Pinball FX

October 26, 2023 – inclusion of Minigolf Galaxy

Sep 05, 2023 – inclusion of Pinball M

May 20, 2022 – general review and clarification

March 30, 2022 – inclusion of Pinball FX and related services

January 20, 2021 – general review and clarification

December 3, 2020 – general review and clarification

February 11, 2020 – added California Consumer Privacy Act disclosures

Sep 19, 2019 – added Dread Nautical application, specifying the scope of the present Privacy Notice

Sep 13, 2019 – added the title Star Wars™ Pinball (Nintendo Switch)

Jan 09, 2019 – added the title Williams™ Pinball, added 3rd party SDK Fabric, updated 3rd party SDK Crashlytics

We collect and process personal data only in accordance with the General Data Protection Regulation (Regulation 2016/679/EU of the European Parliament and of the European Council) as adopted by member nations and their respective prevailing laws and regulations.

We send direct marketing letters (newsletters) exclusively on the basis of specific consent. We may send system messages even without consent. You must be at least 16 years old to subscribe to our newsletter.

We store data as safely as possible.

We disclose personal data to third parties exclusively on the basis of consent; however, we collect and transfer statistical data (excluding personal data) on usage habits to third parties.

You are required to declare that you accept the Privacy Notice (this document) and/or the user agreement (EULA, where applicable; we ask for it there) in order to install, use, play, and/or access ZEN Studios’ online services, games and/or applications. You must be at least 13 years old to accept the Privacy Notice and/or EULA, but if you are under 16, your parent’s or guardian’s consent is required; therefore, we ask you to have your parent or guardian help you during registration. During registration, ZEN Studios will ask for your parent’s or guardian’s consent to your statement, which requires your parent’s or guardian’s email address so that he or she can give that consent. We will not email anything to your parent or guardian other than the information required for his or her consent.

Our users may request information regarding their stored data; furthermore, each user may request the erasure of his/her personal data (collected and stored upon his/her consent) at any time, by contacting us through our contact details.

Introduction

ZEN Studios Software Developer Limited Liability Company (registered seat: H-1027 Budapest, Ganz utca 16. floor 2, company reg. no.: 01-09-691205, tax number: 12532630-2-41) (hereinafter referred to as the Service Provider, controller) hereby submits itself to the following privacy notice.

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (general data protection regulation), with special regard to Sections (32), (39) and (58) as well as Article 12 therein, declares that the data subject (hereinafter referred to as the user) shall be informed prior to the commencement of data processing whether the legal basis of data processing is the consent of the data subject, mandatory provision or technical requirements.

Before processing operations are carried out, the data subject shall receive clear and detailed information of all aspects concerning the processing of his/her personal data, such as the purpose for which his/her data is required, the legal basis of data processing, the persons or entities that are data controllers or data processors of your data, and the duration of data processing.

Pursuant to EUP and Regulation 2016/679, users shall be informed that if obtaining the consent of the user is impossible or entails excessive costs, the processing of personal data is allowed if:

  1. processing is necessary for compliance with a legal obligation to which the controller is subject, or
  2. it is necessary for the enforcement of the controller’s or a third party’s legitimate interest, and the enforcement of such interest is proportionate to the restriction of the data subject’s right to the protection of personal data.

The information provided to the user shall cover his or her rights and remedy options related to data processing.

If providing information to users is impossible or entails excessive costs (in this case on a website), information may be provided by the publication of the following information:

(a) the fact that data are collected, (b) data subjects involved, (c) the purpose of the collection of personal data, (d) duration of data processing, (e) possible controllers entitled to become aware of the personal data, (f) provision of information to data subjects on their rights and remedies available to them related to data processing, and (g) if there is a location for the data protection registration of data processing, the registration number of data processing.

This privacy policy concerns data processing activities carried out on the following websites: http://www.pinballfx.com, blog.zenstudios.com, forum.zenstudios.com, www.bethesdapinball.com, www.castlestorm.com, www.infiniteminigolf.com, www.kickbeat.com, www.marvelpinball.com, www.starwarspinball.com, www.zenpinball.com, www.dreadnautical.com and the applications referred to in this privacy notice, and is based on the above criteria.

The Privacy Notice is available on the following website: http://blog.zenstudios.com/zen_privacy_policy.html

Amendments to the Privacy Notice enter into effect upon their publication on the above website.

Terms, definitions

data subject/User: natural person that is or that can be directly or indirectly identified based on any specific personal data, who contacts the Service Provider through an application or website, or in any other (online or offline) way.

personal data: information relating to the user—especially the name, identifier, and one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of the user, and the consequences that can be drawn from the information related to the data subject;

data controller: natural or legal person, or organisation without legal personality, which alone or jointly with others determines the purposes and means of the processing of data; makes and executes decisions concerning data processing (including the means used) or has them executed by a data processor;

the data controller in this case: ZEN Studios Software Developer Limited Liability Company (registered seat: HU-1027 Budapest, Ganz utca 16. floor 2, EUID: HUOCCSZ.01-09-691205, community VAT number: HU12532630)

data controlling: any operation or the totality of operations performed on the data, irrespective of the procedure applied; in particular, collecting, recording, registering, classifying, storing, modifying, using, querying, transferring, disclosing, synchronizing or connecting, blocking, deleting and destructing the data, as well as preventing their further use, taking photos, making audio or visual recordings, as well as registering physical characteristics suitable for personal identification (such as fingerprints or palm prints, DNA samples, iris scans);

data processing: carrying out technical tasks in relation to data processing operations, irrespective of the method or instrument used in performing those operations, and of its application, provided that the technical tasks are performed on data;

data processor: any natural or legal person or organisation without legal personality processing the data on the grounds of a contract concluded with the controller, including contracts concluded pursuant to legislative provisions;

data protection officer: Service Provider does not employ a dedicated data protection officer (the head of the company /managing director/ is responsible for data protection)

personal data breach: the unlawful processing or process of personal data, in particular the illegitimate access, alteration, transfer, disclosure, deletion or destruction as well as the accidental destruction or damage.

Data collection, the scope of data, purpose(s) of data processing

In line with Articles 12, 13 and 14, the following shall be defined with respect to the registration and use of the application:

  1. the fact that data are collected,
  2. data subjects involved,
  3. the purpose of the collection of personal data,
  4. duration of data processing,
  5. possible controllers entitled to become aware of the personal data,
  6. provision of information to data subjects on their rights available to them related to data processing.

The following data are recorded and stored by the Service Provider upon the start and while using the games and/or applications:

Applications

Personal data

Legal basis

purpose of data processing

duration of data storage

source

Planet Minigolf

Playstation Network identifier (PSN ID)

performance of contract

identification of the user

continuous (cancelling of registration)

PSN shall transmit

Infinite MiniGolf

Game Server identifier (Game Server ID)

performance of contract

identification of the user

continuous (cancelling of registration)

To be generated by Service Provider

user’s name

performance of contract

identification of the user

continuous (cancelling of registration)

to be provided by the user

Device identifier (Device ID)

performance of contract

identification of the device

continuous (cancelling of registration)

automatic recording

IPv4/6

performance of contract

identification of the device

continuous (cancelling of registration)

automatic recording

Platform user identifier

performance of contract

identification of the user

continuous (cancelling of registration)

automatic recording

Generated user identification

performance of contract

identification of the user

continuous (cancelling of registration)

To be generated by Service Provider

Independence Day Resurgence: Battle Heroes

Platform type

performance of contract

identification of the device

continuous (cancelling of registration)

Apple, Google, Amazon – automatic recording

Platform user identifier

performance of contract

identification of the user

continuous (cancelling of registration)

Apple, Google, Amazon – automatic recording

Platform username

performance of contract

identification of the user

continuous (cancelling of registration)

Apple, Google, Amazon – automatic recording

intra-game friend list

performance of contract

identification of friends

continuous (cancelling of registration)

to be provided by the user

CastleStorm Free to Siege

Game Server identifier (Game Server ID)

performance of contract

identification of the user

continuous (cancelling of registration)

To be generated by Service Provider

user’s name

performance of contract

identification of the user

continuous (cancelling of registration)

to be provided by the user

CastleStorm (Nintendo Switch)

Device identifier (Device ID)

performance of contract

identification of the device

continuous (cancelling of registration)

automatic recording

IPv4/6

performance of contract

identification of the device

continuous (cancelling of registration)

automatic recording

Platform user identifier

performance of contract

identification of the user

continuous (cancelling of registration)

automatic recording

Generated user identification

performance of contract

identification of the user

continuous (cancelling of registration)

To be generated by Service Provider

Star Wars Pinball (iOS, Android),

Aliens vs. Pinball, Portal Pinball, Bethesda Pinball

Device identifier (Device ID)

performance of contract

identification of the device

continuous (cancelling of registration)

automatic recording

IPv4/6

performance of contract

identification of the device

continuous (cancelling of registration)

automatic recording

Android: Google Game Services user identifier

performance of contract

identification of the user

continuous (cancelling of registration)

automatic recording

iOS: Game Center user ID

performance of contract

identification of the user

continuous (cancelling of registration)

automatic recording

Generated user identification

performance of contract

identification of the user

continuous (cancelling of registration)

To be generated by Service Provider

iOS: Game Center username

performance of contract

identification of the user

continuous (cancelling of registration)

to be provided by the user

Android: Google Game Services username

performance of contract

identification of the user

continuous (cancelling of registration)

to be provided by the user

Facebook identifier

performance of contract

identification of the user

continuous (cancelling of registration)

to be provided by the user

Facebook username

performance of contract

identification of the user

continuous (cancelling of registration)

to be provided by the user

Star Wars Pinball (Nintendo Switch)

Device identifier (Device ID)

performance of contract

identification of the device

continuous (cancelling of registration)

automatic recording

IPv4/6

performance of contract

identification of the device

continuous (cancelling of registration)

automatic recording

Generated user identification

performance of contract

identification of the user

continuous (cancelling of registration)

To be generated by Service Provider

Platform user identifier

performance of contract

identification of the user

continuous (cancelling of registration)

automatic recording

Platform username

performance of contract

identification of the user

continuous (cancelling of registration)

to be provided by the user

Zen Pinball (iOS, Android)

Device identifier (Device ID)

performance of contract

identification of the device

continuous (cancelling of registration)

automatic recording

IPv4/6

performance of contract

identification of the device

continuous (cancelling of registration)

automatic recording

Android: Google Game Services user identifier

performance of contract

identification of the user

continuous (cancelling of registration)

automatic recording

iOS: Game Center user ID

performance of contract

identification of the user

continuous (cancelling of registration)

automatic recording

Generated user identification

performance of contract

identification of the user

continuous (cancelling of registration)

To be generated by Service Provider

iOS: Game Center username

performance of contract

identification of the user

continuous (cancelling of registration)

to be provided by the user

Android: Google Game Services username

performance of contract

identification of the user

continuous (cancelling of registration)

to be provided by the user

Pinball FX3, Pinball FX, Pinball M

Device identifier (Device ID)

performance of contract

identification of the device

continuous (cancelling of registration)

automatic recording

IPv4/6

performance of contract

identification of the device

continuous (cancelling of registration)

automatic recording

Generated user identification

performance of contract

identification of the user

continuous (cancelling of registration)

To be generated by Service Provider

Platform user identifier

performance of contract

identification of the user

continuous (cancelling of registration)

automatic recording

Platform username

performance of contract

identification of the user

continuous (cancelling of registration)

to be provided by the user

Pinball FX2 VR

Device identifier (Device ID)

performance of contract

identification of the device

continuous (cancelling of registration)

automatic recording

IPv4/6

performance of contract

identification of the device

continuous (cancelling of registration)

automatic recording

Platform user identifier

performance of contract

identification of the user

continuous (cancelling of registration)

automatic recording

Generated user identification

performance of contract

identification of the user

continuous (cancelling of registration)

To be generated by Service Provider

Bob’s Burgers Pinball, Family Guy Pinball, Archer Pinball, American Dad! Pinball, The Walking Dead Pinball, Marvel Pinball (iOS, Android)

Generated user identification

performance of contract

identification of the user

continuous (cancelling of registration)

To be generated by Service Provider

iOS: Game Center username

performance of contract

identification of the user

continuous (cancelling of registration)

to be provided by the user

Android: Google Game Services username

performance of contract

identification of the user

continuous (cancelling of registration)

to be provided by the user

Facebook identifier

performance of contract

identification of the user

continuous (cancelling of registration)

to be provided by the user

Facebook username

performance of contract

identification of the user

continuous (cancelling of registration)

to be provided by the user

Williams™ Pinball (iOS, Android)

Generated user identification

performance of contract

identification of the user

continuous (cancelling of registration)

To be generated by Service Provider

iOS: Game Center username

performance of contract

identification of the user

continuous (cancelling of registration)

to be provided by the user

Android: Google Game Services username

performance of contract

identification of the user

continuous (cancelling of registration)

to be provided by the user

email

performance of contract

identification of the user

continuous (cancelling of registration)

to be provided by the user

email

performance of contract

sending newsletter

continuous (cancelling of registration)

subscription

Dread Nautical (iOS, tvOS, MacOS)

Upon the start and during the term of use of this application, Service Provider doesn’t record and/or store any personal data.

CastleStorm VR

Upon the start and during the term of use of this application, Service Provider doesn’t record and/or store any personal data.

Minigolf Galaxy

Platform specific username

Performance of contract

Operating the service

Continuous (cancelling of registration)

Platform specific API

Device identifier

Performance of contract

Identification of the user’s device

Continuous (cancelling of registration)

Automatic recording

IPv4/IPv6

Performance of contract

Operating the service

Continuous (cancelling of registration)

Automatic recording

Generated user ID

Performance of contract

Identification of the user

Continuous (cancelling of registration)

To be generated by Service Provider

Platform specific user ID

Performance of contract

Identification of the user

Continuous (cancelling of registration)

Platform specific API

Zen Pinball World

Generated user identification

Performance of contract

Identification of the user

Continuous (cancelling of registration)

To be generated by Service Provider

IPv4/6

Performance of contract

Identification of the device

Continuous (cancelling of registration)

Automatic recording

Device identifier (Device ID)

Performance of contract

Identification of the device

Continuous (cancelling of registration)

Automatic recording

iOS: Game Center username

Performance of contract

Identification of the user

Continuous (cancelling of registration)

To be provided by the user

Android: Google Game Services username

Performance of contract

Identification of the user

Continuous (cancelling of registration)

To be provided by the user

Platform user identifier

Performance of contract

Identification of the user

Continuous (cancelling of registration)

Automatic recording

Country of origin

Performance of contract

Operation of service

Continuous (cancelling of registration)

Automatic recording

Data subjects involved: Every User using or otherwise accessing Service Provider’s game(s), application(s).

The duration of data processing and the deadline for the deletion of data are indicated in the table. The possibilities introduced in games and/or applications (virtual payment, virtual goods purchased, achievements and trophies, etc.) require the continuous identification of users. After the termination of the game and/or application, personal data will be deleted by the end of the year.

Possible controllers entitled to become aware of the personal data: the managing director, the developers of the given game and/or application and (if needed) the customer service may process personal data in accordance with the above principles.

Legal ground of data processing: the performance of the contract (Article 6 (1)(b) of the GDPR) and legitimate interest (Article 6 (1)(d) of the GDPR), identification and follow-up of users, Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market and paragraphs 1 and 2 of Article 13 of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector:

The service provider may – for the purpose of providing the service – process personal data indispensable for providing the service for technical reasons. Should other conditions be identical, the service provider shall select and operate the means applied in the course of providing information society service at all times, so that personal data be processed only if it is absolutely indispensable for providing the service or achieving other objectives stipulated in this Act, and only to the required extent and duration.

The following data are recorded and stored by the Service Provider upon the start and while using or accessing the website and/or Customer Support and/or Forum and/or Mailing List:

Website / e-mail

Personal data

Legal basis

purpose of data processing

duration of data storage

source

Pinball cabinet support request form

name

performance of contract

identification of the user

2 months

filling out user forms

email

performance of contract

identification of the user

2 months

filling out user forms

picture (of device)

performance of contract

checking of authorization

2 months

filling up / filling out user forms

Customer Support mailing

name

performance of contract

settlement of ticket

continuous in address book

user / receipt of e-mail

email

performance of contract

settlement of ticket

continuous in address book

user / receipt of e-mail

Sales information

performance of contract

settlement of ticket

2 months

user / receipt of e-mail

Website / e-mail

Personal data

Legal basis

purpose of data processing

duration of data storage

source

Registration forms

age

legal obligation / protect the vital interests of the data subject

identification of the user

continuous (cancelling of registration)

user

filling out the data sheet

parent / guardian email

legal obligation / protect the vital interests of the data subject

identification of the user

continuous (cancelling of registration)

user

filling out the data sheet

parent / guardian consent

legal obligation / protect the vital interests of the data subject

identification of the user

continuous (cancelling of registration)

parent / guardian

confirmation of the email (by link)

Forum

name

consent, performance of contract

use of the forum, identification of the user

continuous (cancelling of registration)

user

filling out the data sheet

email

consent, performance of contract

use of the forum, identification of the user

continuous (cancelling of registration)

user

filling out the data sheet

MSN ID

consent, performance of contract

use of the forum, identification of the user

continuous (cancelling of registration)

user

filling out the data sheet

date of birth

consent, performance of contract

use of the forum, identification of the user

continuous (cancelling of registration)

user

filling out the data sheet

language

consent, performance of contract

use of the forum, identification of the user

continuous (cancelling of registration)

user

filling out the data sheet

profile picture

consent, performance of contract

use of the forum, identification of the user

continuous (cancelling of registration)

user

filling out the data sheet, uploading of picture

name

consent

sending newsletter

continuous (cancelling of registration)

user

subscription

email

consent

sending newsletter

continuous (cancelling of registration)

user

subscription

IP address

consent

sending newsletter

continuous (cancelling of registration)

automatic data recording

at the beginning of use

Mailing list

statistics

consent

sending newsletter

continuous (cancelling of registration)

automatic data recording

continuously

name

consent

Use of blog comment

continuous (cancelling of registration)

user

Posting comments

email

consent

Use of blog comment

continuous (cancelling of registration)

user

Posting comments

IP address

consent, technical necessity

Use of blog comment

continuous (cancelling of registration)

automatic data recording

Posting comments

Blog

User comments

consent

Use of blog comment

continuous (cancelling of registration)

user

Posting comments

name

consent

Blog administration

continuous (cancelling of registration)

Administrator

Registration

email

consent

Blog administration

continuous (cancelling of registration)

Administrator

Registration

profile picture

consent

Blog administration

continuous (cancelling of registration)

user

Registration

Blog Admin


We ask users not to provide personal information in their username or email address.

Data subjects involved: Each User using or otherwise accessing Service Provider’s application(s), websites, forum/blog/mailing list and customer service.

The duration of data processing and the deadline for the deletion of data are indicated in the table. Storing data for a continuous retention period is necessary to provide more effective solutions to Users’ problems and answers to Users’ questions, to keep the forum contents and to operate the mailing list. After the termination of the forum or mailing list, personal data will be deleted within five (5) years.

Possible controllers entitled to become aware of the personal data: the managing director, the developers of the given application and (if needed) the customer service, blog administrators (who are the employees of the Service Provider) may process personal data in accordance with the above principles.

Legal ground of data processing: the performance of the contract (Article 6 (1)(b) of the GDPR) and legitimate interest (Article 6 (1)(d) of the GDPR), identification and follow-up of users, Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market and paragraphs 1 and 2 of Article 13 of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector:

The service provider may – for the purpose of providing the service – process personal data indispensable for providing the service for technical reasons. Should other conditions be identical, the service provider shall select and operate the means applied in the course of providing information society service at all times, so that personal data be processed only if it is absolutely indispensable for providing the service or achieving other objectives stipulated in this Act, and only to the required extent and duration.

Collection and transfer of data concerning the use and statistical data

The Service Provider informs the Users that during the use of the applications it automatically collects identifiers and statistical data and transfers them to third parties.

The fact that data are collected, personal data involved:

Database / partner

The concerned applications

data

source

purpose of data processing

legal ground for data processing

duration of data processing

data controller / data processor

3rd party SDK

Photon Networking

Disco Dodgeball – REMIX

Xbox One:
For authentication: XSTSToken (time-dependent code generated by the platform, from which the xboxlive identifier may be decrypted)
Shared information: OnlineID/GamerTag (public xboxlive identifier), XboxLiveId (individual and private xboxlive identifier)
IP address

automatic data recording

operation of service

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

Exit Games servers

3rd party SDK

Photon Networking

PS4:
For authentication: OnlineID (public psn identifier), AuthCode (time-dependent non-individual code generated by the platform)
Shared information: OnlineID, AccountId (individual and private psn identifier)
IP address

automatic data recording

operation of service

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

Exit Games servers

3rd party SDK

Photon Networking

Nintendo Switch:
Shared information: NickName (public nintendo identifier), NsaId (individual and private nintendo identifier)
IP address

automatic data recording

operation of service

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

Exit Games servers

3rd party SDK

Flurry

Zen Pinball, Zen Pinball – eSports Edition, Aliens vs. Pinball, Bethesda Pinball, Star Wars Pinball, Bob’s Burgers Pinball, Family Guy Pinball, Archer Pinball, American Dad! Pinball, The Walking Dead Pinball, Marvel Pinball, Portal Pinball

IP4/IP6

automatic data recording

survey of users’ habits, development of products and services

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

Yahoo! servers

3rd party SDK

Flurry

Device ID

automatic data recording

survey of users’ habits, development of products and services

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

Yahoo! servers

3rd party SDK

Google Analytics

Independence Day Resurgence, Independence Day Battle Heroes, Zen Pinball World

IP4/IP6

automatic data recording

survey of users’ habits, development of products and services

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

Google servers

3rd party SDK

Google Analytics

Device ID

automatic data recording

survey of users’ habits, development of products and services

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

Google servers

3rd party SDK

AppsFlyer

Aliens vs. Pinball, Bethesda Pinball, Independence Day Resurgence, Independence Day Battle Heroes

IP4/IP6

automatic data recording

survey of user habits

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

AppsFlyer servers

3rd party SDK

AppsFlyer

Device ID

automatic data recording

survey of users’ habits, development of products and services

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

AppsFlyer servers

3rd party SDK

Vungle

Pinball FX2 (Windows 10)

IP4/IP6

automatic data recording

advertisement services

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

Vungle servers

3rd party SDK

Vungle

Device ID

automatic data recording

survey of users’ habits, development of products and services

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

Vungle servers

3rd party SDK

AdColony

Aliens vs. Pinball, Bethesda Pinball, Zen Pinball, CastleStorm – Free to Siege

IP4/IP6

automatic data recording

advertisement services

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

AdColony servers

3rd party SDK

AdColony

Device ID

automatic data recording

survey of users’ habits, development of products and services

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

AdColony servers

3rd party SDK

UnityAds

Aliens vs. Pinball, Bethesda Pinball, Zen Pinball, CastleStorm – Free to Siege, Zen Pinball World

IP4/IP6

automatic data recording

advertisement services

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

Unity servers

3rd party SDK

UnityAds

Device ID

automatic data recording

survey of users’ habits, development of products and services

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

Unity servers

3rd party SDK

Chartboost

Aliens vs. Pinball, Bethesda Pinball, Zen Pinball World

IP4/IP6

automatic data recording

advertisement services

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

Chartboost servers

3rd party SDK

Chartboost

Device ID

automatic data recording

survey of users’ habits, development of products and services

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

Chartboost servers

3rd party SDK

Smaato

Zen Pinball World

IP4/IP6

automatic data recording

advertisement services

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

Smaato servers

Device ID

automatic data recording

survey of users’ habits, development of products and services

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

Smaato servers

3rd party SDK

Google AdMob

Zen Pinball

IP4/IP6

automatic data recording

advertisement services

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

Google servers

3rd party SDK

Google AdMob

Device ID

automatic data recording

survey of users’ habits, development of products and services

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

Google servers

3rd party SDK

IronSource

Bethesda Pinball, Aliens vs. Pinball, Independence Day Battle Heroes, Independence Day Resurgence, CastleStorm – Free to Siege, Zen Pinball World

IP4/IP6

automatic data recording

advertisement services

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

IronSource servers

3rd party SDK

IronSource

Device ID

automatic data recording

survey of users’ habits, development of products and services

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

IronSource servers

3rd party SDK

Leadbolt

Aliens vs. Pinball, Bethesda Pinball

IP4/IP6

automatic data recording

advertisement services

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

Leadbolt servers

3rd party SDK

Leadbolt

Device ID

automatic data recording

survey of users’ habits, development of products and services

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

Leadbolt servers

3rd party SDK

AdDuplex

Pinball FX2 (Windows 10)

IP4/IP6

automatic data recording

advertisement services

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

AdDuplex servers

3rd party SDK

AdDuplex

Device ID

automatic data recording

survey of users’ habits, development of products and services

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

AdDuplex servers

3rd party SDK

TapJoy

CastleStorm – Free to Siege

IP4/IP6

automatic data recording

advertisement services

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

TapJoy servers

3rd party SDK

TapJoy

Device ID

automatic data recording

survey of users’ habits, development of products and services

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

TapJoy servers

3rd party SDK

Crashlytics

Independence Day Battle Heroes, Independence Day Resurgence, Bethesda Pinball, Zen Pinball World

We insert platform ID into crash reports

automatic data recording
Platform API (iOS, Android)

survey of user habits, monitoring of stability

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

Google servers

3rd party SDK

Fabric

Williams Pinball

IP4/IP6

automatic data recording

survey of users’ habits, development of products and services

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

Google servers

3rd party SDK

Fabric

Device ID

automatic data recording

survey of users’ habits, development of products and services

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

Google servers

3rd party SDK

Xsolla

Pinball FX

Email Address

automatic data recording or provided by user

to license software to data subjects and to comply with applicable laws

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 5 years

Xsolla servers

3rd party SDK

Xsolla

Platform Specific Identifiers

automatic data recording

to license software to data subjects and to comply with applicable laws

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 5 years

Xsolla servers

3rd party SDK

Xsolla

IP4/IP6

automatic data recording

to license software to data subjects and to comply with applicable laws

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 5 years

Xsolla servers

3rd party SDK

Xsolla

Country from which a purchase originated

automatic data recording

to license software to data subjects and to comply with applicable laws

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 5 years

Xsolla servers

3rd party SDK

Xsolla

Partial or Hashed Payment Information

provided by user

to license software to data subjects and to comply with applicable laws

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 5 years

Xsolla servers

3rd party SDK

Saber Interactive

Platform Specific Username

provided by user

operation of service

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

Saber Interactive servers

3rd party SDK

Saber Interactive

Country of origin

automatic data recording

operation of service

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

Saber Interactive servers

3rd party SDK

Saber Interactive

Generated User ID (hashed)

automatic data recording

user identification

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

Saber Interactive servers

3rd party SDK

Saber Interactive

IP4/IP6

automatic data recording

operation of service

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

Saber Interactive servers

3rd party SDK

Saber Interactive

Platform Specific Identifiers (hashed)

automatic data recording

operation of service, user identification

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

Saber Interactive servers

3rd party SDK

Saber Interactive

Pinball M, Minigolf Galaxy

Platform Specific Username

provided by user

operation of service

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

Saber Interactive servers

3rd party SDK

Saber Interactive

Country of origin

automatic data recording

operation of service

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

Saber Interactive servers

3rd party SDK

Saber Interactive

Generated User ID (hashed)

automatic data recording

user identification

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

Saber Interactive servers

3rd party SDK

Saber Interactive

IP4/IP6

automatic data recording

operation of service

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

Saber Interactive servers

3rd party SDK

Saber Interactive

Platform Specific Identifiers (hashed)

automatic data recording

operation of service, user identification

consent
(EULA/PP pop-up)

Acceptance of Privacy Notice

termination of product support

+ 3 years

Saber Interactive servers


The Service Provider informs the Users that during the use of the Dread Nautical application it doesn’t collect and/or transfer to third parties identifiers and/or statistical data.

Data subjects involved: Each user using the applications.

Purpose of data processing: Identification of users, follow-up of users’ habits and the provision of advertisement services.

Duration of data processing, deadline for the deletion of data: The table indicates the duration of data processing; the date of erasure shall be the end of the third year following the termination of product support.

Possible controllers entitled to become aware of the personal data: use of the data by the controller does not qualify as processing of personal data, as the Service Provider has no further information necessary for the identification of the user, and no connection between such data will be made.

Legal ground of data processing: It is not necessary to obtain the data subject’s consent, if the exclusive purpose of the use of the data is transmission of communication via the electronic telecommunications network, or if it’s essential for the service provider to provide services related to information society.

Metrics – pseudo-anonymized data of usage

The Service Provider informs the Users that during the use of the games and/or application it does collect and/or transfer to third parties identifiers and/or statistical data of usage and users’ behaviour (hereafter referred to as: metrics).

These game and/or application usage data will be pseudo-anonymized by the Service Provider, and the data used to identify the user will be removed. The resulting data (metrics) will be analysed and used to improve the game and/or application. The pseudo-anonymised data cannot be decrypted and it is no longer possible to identify the user.

Data subjects involved: Each user using the games and/or applications.

Purpose of data processing: follow-up of users’ habits and improving services.

Duration of data processing, deadline for the deletion of data: the duration of data processing the date of erasure shall be the end of year following the termination of product support.

Possible controllers entitled to become aware of the personal data: use of the data by the controller does not qualify as processing of personal data, as the Service Provider has no further information necessary for the identification of the user, and no connection between such data will be made.

Legal ground of data processing: It is not necessary to obtain the data subject’s consent, if the exclusive purpose of the use of the data is transmission of communication via the electronic telecommunications network, or if it’s essential for the service provider to provide services related to information society.


Processing of cookies

The fact that data are collected, personal data involved: unique identification number, dates and times

Data subjects involved: All users visiting the website.

Purpose of data processing: Identification of users and follow-up of visitors.

Duration of data processing, deadline for the deletion of data: In case of session cookies, data processing shall terminate once the website visit is finished.

Possible controllers entitled to become aware of the personal data: The use of cookies does not qualify as processing of personal data.

Provision of information to data subjects on their rights available to them related to data processing: the Users may delete cookies under the menu item usually called ‘Data Protection’ in the Tools/Settings menu of their browser.

Legal ground of data processing: It is not necessary to obtain the data subject’s consent, if the exclusive purpose of the use of cookies is transmission of communication via the electronic telecommunications network, or if it is necessary for the provision of services explicitly requested by the subscriber or user related to information society.

Other cookies

The controller uses the remarketing code of Facebook. In this respect we provide the following information: duration of cookies: 20 days; purpose of data processing: Personalization of Facebook advertisements; further information: http://hu-hu.facebook.com/help/cookies/

Use of Google Adwords conversion tracking

The controller uses the online ad programme called “Google Adwords”, and within its framework it uses Google’s conversion tracking service. Google conversion tracking is the analysing service of Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”).

When a User reaches a website via a Google ad, a cookie necessary for conversion tracking is stored on his or her computer. The validity of these cookies is limited; therefore, they do not contain any personal data, and Users cannot be identified by them.

When the User browses on certain pages of the website, and the cookie has not expired, Google and the data controller may see that the User has clicked on the ad.

All Google AdWords clients receive different cookies; therefore, they cannot be tracked via the websites of the clients of AdWords.

Information obtained with the use of conversion tracking cookies is used to prepare conversion statistics for the clients of AdWords who opt for conversion tracking. This is how clients receive information on the number of users clicking on their ad and directed to the website having a conversion tracking label. However, they cannot receive information based on which any of the users may be identified.

If you do not wish to participate in conversion tracking, then you may refuse it by blocking the option to install cookies in your browser. After this, you will not figure in statistics related to conversion tracking.

Further information and the privacy policy of Google may be found at the following website: www.google.de/policies/privacy/

Application of Google Analytics

The websites of ZEN Studios use the application of Google Analytics, which is the web analysing service of Google Inc. (“Google”). Google Analytics uses ‘cookies’, text files which are saved on your computer, thus helping analysis of the use of the webpage visited by the User.

Information created with cookies related to the website used by the User are generally stored on a Google server located in the US. By website activation of IP-anonymization, Google shortens the IP-address of Users in advance in the Member States of the EU or EEA.

The full IP-address is only transferred to a Google server located in the US in special cases. On behalf of the operator of this website, Google will use such information to evaluate how the User used the website, to prepare reports for the operator of the website related to the activity of the website, and to perform further services related to the use of the website and the internet.

Within the framework of Google Analytics, the IP-address transferred by the User’s browser is not linked to other data of Google. You may prevent the storage of cookies by choosing the appropriate setting on your browser; however, please note that in this case, it may occur that not all the functions of the website will be fully available to you. You may also prevent Google from collecting and processing the User’s data related to the use of the website (including IP-address), if you download and install the following browser plug-in: https://tools.google.com/dlpage/gaoptout?hl=hu

Newsletter (mailing list), DM activity

In accordance with Section 6 of Act XLVIII of 2008 on Essential Conditions of and Certain Limitations to Business Advertising, the User may grant his or her explicit and prior consent to the Service Provider contacting him or her with its promotions and other messages at the contact details provided at registration.

Being aware of the provisions of this Privacy Notice, the User may also grant his or her consent to the processing of his or her personal data necessary for sending promotions by the Service Provider.

The Service Provider may not send unsolicited promotions, and the User may unsubscribe from such promotions and newsletters free of charge, without indicating his or her reasons, at any time. In this case, the Service Provider shall delete all personal data of the User necessary for the sending of promotions from its data base, and may not continue to send its promotions to the User. The User may unsubscribe from promotions and newsletters by clicking on the link in the message.

Purpose of data processing: sending of electronic messages which contain any promotions to the data subjects, provision of information on news, products, discounts, new functions, etc.

Duration of data processing, deadline for the deletion of data: data processing lasts until withdrawal of the data subject’s consent, that is until unsubscription.

Possible controllers entitled to become aware of the personal data: employees of the data controller may process personal data in accordance with the above principles.

Data processor employed during data processing: MailChimp – The Rocket Science Group LLC. dpo@mailchimp.com.

The Rocket Science Group LLC d/b/a MailChimp Attn. Privacy Officer (privacy@mailchimp.com) 675 Ponce de Leon Ave NE, Suite 5000 Atlanta, GA 30308 USA

Further information and the privacy policy of MailChimp may be found at the following website: https://mailchimp.com/legal/privacy/

Legal ground of data processing: the voluntary consent of the user, Article 6 (1) (a) of GDPR, Section 6 (5) of Act XLVIII of 2008 on the Essential Conditions of and Certain Limitations to Business Advertising:

The advertiser, the advertising service provider and the publisher of advertising shall keep records of the personal data of the natural persons granting their consent thereto (to the extent and in the scope determined in such consent). The data recorded into this registry with respect to the addressee of the advertisement may only be processed in line with the content of the consent and until the withdrawal thereof; furthermore, such data may be transferred to third parties upon the prior consent of the user thereto.

Social networking websites

The fact that data are collected, personal data involved: Name of the person registered on Facebook/Google+/Twitter/Pinterest/Youtube/Instagram etc. and the public profile picture of the user.

The scope of users: All data subjects who have registered on Facebook/Google+/Twitter/Pinterest/Youtube/Instagram etc., and have liked the website.

Purposes of data collection: Sharing or liking, promoting certain contents, products, discounts of the website or the website itself on the social networking websites.

Duration of data processing, deadline for the deletion of data, possible controllers entitled to become aware of the personal data, and rights related to data processing available to data subjects: users may refer to the social networking website in question for information on the source of data, their processing, and the manner of transfer and its legal ground. Data processing is carried out on the social networking websites; therefore, the provisions of the social networking website in question shall cover the duration, manner of data processing, as well as options to delete or modify data.

Legal ground of data processing: the data subject’s voluntary consent to data processing on the social networking websites.

Customer service and other data processing activities

Should any question occur in the course of using the services of the controller, or should the data subject have any problems, he/she may contact the controller through the contact points indicated on the website (phone, e-mail, social media pages etc.).

The incoming e-mails, messages, the data provided via phone, Facebook etc., together with the name, e-mail address of and other data provided voluntarily by the inquiring party shall be deleted by the controller after a maximum of 5 years from the date of data provision.

We shall provide information on any data processing not listed in this information note upon recording the relevant data.

Upon the exceptional request of a competent authority or other organs (authorized to submit such request by the prevailing laws and regulations), the Service Provider shall provide information, disclose or transfer data and make available certain documents.

In such cases, provided that the requesting party has defined the specific purpose of request and the scope of the requested data, the Service Provider shall make available the personal data for the requesting party to such an extent essential for the achievement of the purpose of request.

Zen Studios data security

The controller shall design and implement the data processing measures in a way that ensures the protection of data subjects’ data on the highest level that is technically feasible and available.

The controller shall implement adequate safeguards and appropriate technical and organizational measures to protect personal data (by using passwords and protection against viruses), as well as adequate procedural rules to enforce the provisions of the Information Act and other regulations concerning confidentiality and security of data processing.

Data shall be protected by the controller by means of suitable measures against unauthorized access, alteration, transmission, public disclosure, deletion or destruction, as well as damage and accidental loss, and to ensure that stored data cannot be corrupted and rendered inaccessible due to any changes in or modification of the applied technique.

Suitable technical solutions shall be introduced by the controller to prevent the interconnection of data stored in these filing systems and the identification of the data subjects. In order to prevent the unauthorized access to, the unauthorized change and publication or use of the data, the controller shall provide for the evolvement and operation of a suitable IT- and technical environment, for the controlled selection and monitoring of its employees participating in the provision of services, for the issuance of detailed operation, risk management and service provision procedural guidelines.

On the basis of the above, the service provider shall make available the data processed by it for the data subject, ensure the authenticity and verification thereof, as well as provide for the certification of the unchanged nature of data.

The IT system of the controller and its server service provider is to ensure protection against computing fraud, espionage, computer viruses, spams, hacks and other attacks.

The rights of users

The user may request the Service Provider to give information on the processing of his/her personal data, to rectify, block or erase the data processed, save where processing is rendered mandatory.

Information on the User’s rights related to data processing: the User may initiate the erasure or amendment of his/her personal data in the following ways: by post, addressed to the Service Provider’s registered seat, to the attention of the customer service or by e-mail sent to support@zenstudios.com, via phone at number +36 1 780 4679.

The right of the users in connection with mailing lists’ and newsletters’ data processing: Data subjects may unsubscribe from mailing lists and/or newsletters at any time, free of charge.

Upon the user’s request the controller shall provide information concerning the data relating to him/her, including those processed by a data processor on its behalf or according to his/her notice, the sources from where they were obtained, the purpose, grounds and duration of processing, the name and address of the data processor and on its activities relating to data processing, and the conditions and effects of the data incident and measures taken with a view to eliminate them and – in case of data transfer – the legal basis and the recipients.

The Service Provider as data controller – by means of an internal data protection officer should they have appointed one and with a view to control measures relating to data incidents and to inform data subjects – shall keep records containing the personal data affected, the personal scope affected by the data incident, the time, circumstances and effects of the data incident and measures taken to eliminate them as well as other information determined by law.

With a view to verifying legitimacy of data transfer and for the information of the data subject, the Service Provider as data controller shall maintain a transmission log, showing the date and time of transmission, the legal basis of transmission and the recipient, description of the personal data transmitted, and other information prescribed by the relevant legislation on data processing.

Upon the user’s request the Service Provider shall provide information concerning the data processed by it, the sources from where they were obtained, the purpose, grounds and duration of processing, the name and address of the data processor (if any) and on its activities relating to data processing, and – in case of data transfer – the legal basis and the recipients thereof. The Service Provider shall provide the information in written and easily understandable form as soon as possible after the submission of the request but not later than within 1 (one) month. The provision of information shall be free of charge.

Where a personal data is deemed inaccurate, and the correct personal data is at the controller’s disposal, the Service Provider shall rectify the personal data in question.

Instead of deletion, the Service Provider shall block personal data if the User requests so, or if it can reasonably be assumed from the available information that deletion would violate the User’s legitimate interests. The blocked personal data may only be processed as long as the aim of data processing that prevented the deleting of the personal data exists.

The Service Provider shall erase the personal data if processing it is unlawful, if it is requested to do so by the User, if the data processed is deficient or erroneous—and it cannot be rectified lawfully—provided that erasure is not prohibited by law, the purpose of the processing no longer exists, the deadline for storing the data set forth in the law has expired or it is ordered by court or by the National Authority for Data Protection and Freedom of Information.

If the accuracy of an item of personal data is contested by the data subject and its accuracy or inaccuracy cannot be ascertained beyond doubt, the data controller shall mark that personal data for the purpose of referencing.

When a data is rectified, blocked, marked or erased, the data subject and all recipients to whom it was transmitted for processing shall be notified. Notification is not necessary if, with regard to the purpose of the processing, it does not harm the legitimate interests of the data subject.

If the data controller refuses to comply with the data subject’s request for rectification, blocking or erasure, the factual or legal reasons on which the decision for refusing the request for rectification, blocking or erasure is based shall be communicated in writing, within 1 (one) month of receipt of the request. Where rectification, blocking or erasure is refused, the data controller shall inform the data subject of the possibilities for seeking judicial remedy or lodging a complaint with the Authority.

Right to restriction of processing: the user has the right to request the restriction of processing of his/her personal data. Doing so may prevent the controller from being able to provide legal services to the user. In this case, the respective data will be marked and may only be processed by the controller for certain purposes.

Right to data portability: the user has the right to receive the personal data concerning him/her which he/she has provided to the controller in a structured, commonly used and machine-readable format and the right to transmit that personal data to another entity without hindrance from the controller.

The user can object to the processing of his or her personal data if the processing (or transmission) of the personal data is only necessary for the Service Provider to perform its legal obligation, to pursue the legitimate interests of either the Service Provider, the data recipient or a third party, except if processing is a legal obligation, if the use and transmission of the personal data occurs for direct marketing, polling surveys or scientific research, in any other case determined in the respective laws.

As soon as possible after filing the request but not later than within 1 (one) month thereafter, the Service Provider shall investigate the objection, shall make a decision about the justification thereof, and inform the applicant about the decision in writing. If, according to the findings of the Service Provider, the data subject’s objection is justified, the controller shall terminate all processing operations (including data collection and transmission), block the data involved and notify all recipients to whom any of these data had previously been transferred concerning the objection and the ensuing measures, upon which these recipients shall also take measures regarding the enforcement of the objection.

Should the User disagree with the Service Provider’s decision taken on the basis of the above, he may seek a judicial remedy against it within 30 days of its communication. The court shall hear such cases in priority proceedings.

In case of infringement committed by the controller, the concerned data subject (user) may turn to the national data protection authority having competence at his/her address of residence (DPAs – http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm), or to the authority having competence at the seat of the Service Provider:

The official authority according to the registered office of the Service Provider:
(Hungarian) National Authority for Data Protection and Freedom of Information

H-1055 Budapest, Falk Miksa utca 9-11.

Mailing address: 1363 Budapest, Pf.: 9.

Telephone: +36-1-391-1400

Fax: +36-1-391-1410

E-mail: ugyfelszolgalat@naih.hu

Judicial remedy

The burden of proof to show compliance with the law lies with the data controller. The lawfulness of data transfer shall be certified by the data receiving party. The regional courts shall have the competence to decide in such cases. The court case may be initiated before the court having jurisdiction either at the place of the temporary or the permanent residence of the data subject. Any person otherwise lacking legal capacity to be a party to legal proceedings may also be involved in such actions. The Authority may intervene in the action on the data subject’s behalf.

When the court’s decision is in favour of the plaintiff, the court shall order the controller to provide the information, to rectify, block or erase the data in question, to annul the decision adopted by means of automated data-processing systems, to respect the data subject’s objection, or to disclose the data requested by the data recipient.

If the court rejects the petition filed by the data recipient, the controller shall be required to erase the data subject’s personal data within 3 days of delivery of the court ruling. The controller shall erase the data even if the data recipient does not file for court action within a determined time limit.

The court may order publication of its decision, indicating the identification data of the controller as well, where this is deemed necessary for reasons of data protection or in connection with the rights of large numbers of data subjects under protection.

Compensation and restitution

If the data controller, by unlawful data processing or by breaching data security rules, violates the personal rights of the data subject, the latter may demand restitution from the data controller.

The data controller shall be liable for damages caused by the data processor and s/he will be liable to pay restitution for personal rights violations as well. The controller shall be released from liability for damages and from paying restitution if s/he demonstrates that the damage or the violation of personal rights were brought about by reasons beyond his/her data processing activity.

No compensation shall be paid, and no restitution may be demanded where the damage or the violation of rights was caused by intentional or seriously negligent conduct on the part of the aggrieved party or the data subject.

Miscellaneous provisions, information

The information was prepared with due regard to the following laws and regulations:

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market;

Directive 2009/22/EC of the European Parliament and of the Council of 23 April 2009 on injunctions for the protection of consumers’ interests;

Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector;

Regulation (EU) No 524/2013 of the European Parliament and of the Council of 21 May 2013 on online dispute resolution for consumer disputes and amending Regulation (EC) No 2006/2004 and Directive 2009/22/EC;

Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union;

Furthermore, the laws and regulations of the country of residence of the Service Provider (Hungary), in particular:

Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter referred to as Infotv.)

Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (in particular Section 13/A)

Act XLVII of 2008 on the Prohibition of Unfair Commercial Practices Against Customers;

Act XLVIII of 2008 on Essential Conditions of and Certain Limitations to Business Advertising (in particular Section 6)

Act XC of 2005 on the Freedom of Electronic Information

Act C of 2003 on Electronic Communications (in particular Section 155)

opinion no. 16/2011 on the EASA/IAB recommendation concerning the approved practices of behaviour-based online marketing

recommendation of the European Data Protection Body (EDPB) and the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) concerning the data protection requirements of preliminary information

PLEASE REVIEW THE FOLLOWING IF YOU ARE A CALIFORNIA RESIDENT:

California Consumer Data Rights

ZEN Studios Software Developer Limited Liability Company (registered seat: H-1027 Budapest, Ganz utca 16. floor 2, company reg. no.: 01-09-691205, tax number: 12532630-2-41) complies with the California Consumer Privacy Act of 2018 (CCPA), effective January 1, 2020. This landmark piece of legislation secures new privacy rights for California consumers.

Pursuant to the CCPA, we are required to give you the option to opt out of sales concerning your data, as such is defined pursuant to California Civil Code 1798.135. If you would like to opt out, please click the link below.

OPT-OUT: DO NOT SELL MY PERSONAL INFORMATION
http://blog.zenstudios.com/optout.html

Categories of Data we Collect and their Uses

In addition to the details provided in the tables above, we collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device (“personal information”). In particular, we have collected the following categories of personal information from consumers within the last twelve (12) months:

| Category | Examples | Collected | Reason for Collection (specifically identify business purpose if for business purpose) | Is Information “Sold” to 3rd Pty? |
|---|---|---|---|---|
| Identifiers | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers. | YES | To provide services specific to users. | YES |
| Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). | A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories. | NO | N/A | N/A |
| Protected classification characteristics under California or federal law. | Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). | NO | N/A | N/A |
| Commercial information. | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | NO | N/A | N/A |
| Biometric information. | Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. | YES | To improve services by tracking in-application interactions | NO |
| Internet or other similar network activity. | Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement. | YES | To provide ads for monetization. | YES |
| Geolocation data. | Physical location or movements. | NO | N/A | N/A |
| Sensory data. | Audio, electronic, visual, thermal, olfactory, or similar information. | NO | N/A | N/A |
| Professional or employment-related information. | Current or past job history or performance evaluations. | NO | N/A | N/A |
| Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. | NO | N/A | N/A |
| Inferences drawn from other personal information. | Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | NO | N/A | N/A |

Personal information does not include:

  • Publicly available information from government records.
  • De-identified or aggregated consumer information.
  • Information excluded from the CCPA’s scope, like:
    • health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;
    • personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.

We obtain the categories of personal information listed above (Identifiers; biometric data; Internet or other similar network activity) from the following categories of sources:

  • Directly from our end users. For example, from customers who engage us for customer support or to provide customer feedback.
  • Indirectly from our end users. For example, through information we collect from our end users in the course of providing customer support to them.
  • Directly and indirectly from activity on our website or in our games. For example, from APIs and cookies (described above) embedded in our website or games to measure game metrics and progress, play time per level, and other information related to improving our products.
  • From third parties that interact with us in connection with the services we perform. For example, from third-party analytics or anti-cheat providers, or to ad mediators for the purpose of providing personalized advertising and marketing customized to you.

All such Personal Information is used as otherwise described in our Privacy Policy.

Sharing Personal Information

We may disclose your personal information to a third party for a business purpose. When we disclose personal information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract.

In the preceding twelve (12) months, we have disclosed the following categories of personal information for a business purpose: Identifiers; Internet or other similar network activity.

We disclose your personal information for a business purpose to the following categories of third parties:

  • Our affiliates.
  • Service providers.
  • Third parties to whom you or your agents authorize us to disclose your personal information in connection with products or services we provide to you.
  • Our vendors.

Your Rights and Choices

Access to Specific Information and Data Portability Rights

You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request, we will disclose to you:

  • The categories of personal information we collected about you.
  • The categories of sources for the personal information we collected about you.
  • Our business or commercial purpose for collecting or selling that personal information.
  • The categories of third parties with whom we share that personal information.
  • The specific pieces of personal information we collected about you (also called a data portability request).

We generally do not sell our player data. However, if we do sell your personal information for a business purpose, we will also disclose to you:

  • The personal information that each category of recipient purchased; and
  • disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.

Deletion Request Rights

You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.

We may deny your deletion request if retaining the information is necessary for us or our service providers to:

  • Complete any transaction for which we collected the personal information, provide a product or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
  • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
  • Debug products, including our website and games, to identify and repair errors that impair existing intended functionality.
  • Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
  • Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.).
  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
  • Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
  • Comply with a legal obligation.
  • Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

Exercising Access, Data Portability, and Deletion Rights

To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by either:

E-mailing us at: support@zenstudios.com

Calling us at: +36 1 780 4679

Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.

You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

Response Timing and Format

We endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

  • Deny you goods or services.
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
  • Provide you a different level or quality of goods or services.
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.