PERSONAL DATA PROCESSING POLICY

POLICY ON THE PROCESSING OF PERSONAL DATA OBTAINED THROUGH THE WEBSITE https://creepyjar.com/

(the website of the company Creepy Jar S.A. based in Warsaw)

 

We make the utmost effort to protect your privacy and personal information. In order to implement the above, we operate on the basis of the most modern standards and technologies to ensure the security of personal data, including, in particular, minimizing the risk of interception of personal data by third parties, unauthorized modification, loss or damage.

 

Please read the Policy before submitting any data.

 

By using our website, you accept the Policy, which includes information about the manner, scope and purpose of obtaining and processing your Personal Data.

 

We would like to inform you that you can visit our website without disclosing your Personal Data. In this case, we only collect data about your visits to our site (cookies), including in particular your IP address, browser type, operating system name. They are used for statistical purposes only and do not allow association with your person.

 

I. GENERAL PROVISIONS

1. The purpose of the Policy is to explain the principles under which Personal Data is processed and to discuss the basic rights of persons whose Data is processed by the Controller,

2. Terms used in the Policy mean:

 

Controller, Company

Creepy Jar S.A., based in Warsaw, Poland (zip code: 01-360) at ul. Człuchowska 9, registered in the District Court for the City of Warsaw in Warsaw, XIV Economic Department of the National Court Register under the number KRS 0000666293

 

Data, Personal data

personal data which is information about an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person

 

Person,

Persons natural person(s) whose Data is Processed by the Controller Policy this Personal Data Processing Policy

 

Processing

an operation or set of operations performed on Personal Data or sets of Personal Data by automated or non-automated means, such as collecting, recording, organizing, structuring, storing, adapting or modifying, downloading, viewing, using, disclosing by transmission, dissemination or otherwise making available, matching or linking, limiting, deleting or destroying

 

GDPR

Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation)
( OJ.EU.L.2016.119.1  as amended)

 

Act

act of 10 May 2018 on the protection of personal data ( Dz.U.2018.1000  as amended)

 

II. PERSONAL DATA CONTROLLER

1. The Controller of the Personal Data provided to the Company by the website is the Company.

2. Contact with the Controller is possible through the Company’s mailing address, i.e. ul. Człuchowska 9, 01- 360 Warsaw, as well as via e-mail address: privacy@creepyjar.com and at tel: +48 22 300 08 25.

3.    The Controller shall ensure that the Data is collected only to the extent necessary for the indicated purpose and only for the period of time for which it is necessary.

4.    The Controller shall ensure that the Data entrusted to it is Processed in accordance with the provisions of the GDPR and the Act, based on the Controller’s internal documentation.

 

III. TYPE OF PERSONAL DATA

1.    The Controller processes Personal Data necessary for the specific purpose of Processing, in particular, IP address, browser type, operating system name, number of visits.

2.    Provision of Data is voluntary. In the case of cookies, each Person has the right to refuse to provide data by this means, as well as to configure the scope of data provided to the Controller through cookies.

 

IV. SCOPE, DURATION AND PURPOSES OF PERSONAL DATA PROCESSING

1.    Scope and source of Data
a.    The Controller obtains Data directly from a Person by collecting data as part of the visitor’s cookies  https://creepyjar.com/ .
b. The Controller also obtains Data from Microsoft Corporation, in connection with the Controller’s release of games for the XboX platform.

2.    Purpose of the Processing

In the case of Data collected via cookies, the Controller processes the Data in order to keep statistics on website visits and to improve the experience of users visiting the website (legal basis: Article 6(1)(a) of the GDPR, Article 6(1)(f) of the GDPR).

In the case of Data obtained from Microsoft Corporation, the Controller shall process the Data solely for the purpose of correcting bugs that appear in games released by the Controller.

3.    Data retention period

Personal Data will be kept for the period of Creepy Jar S.A.’s existence. The Controller will process Personal Data during the period of maintaining the ongoing relationship, or until the consent to Data Processing is withdrawn. In the case of Data Processing based on the legitimate interest of the Controller, the Data will be Processed for a period of time that allows the fulfillment of this interest or until an effective objection to the Data Processing is made. Data received from Microsoft Corporation will be kept for 30 days after receipt and will then be deleted.

The Processing period may be extended within the limits of the law in case the Processing of Personal Data is necessary for the investigation or defense against claims.

After the Processing period, the Data will be deleted or anonymized.

 

V. DATA RECIPIENTS

Personal data obtained by the Controller in the form of cookies will not be transferred to external entities.

 

VI. TRANSFER OF DATA OUTSIDE THE EUROPEAN ECONOMIC AREA

The Controller does not transfer Personal Data to recipients from third countries, i.e. countries outside the European Economic Area.

 

VII. AUTOMATED DECISION-MAKING

The Controller does not make decisions in an automated manner in individual cases, in particular, Personal Data will not be subject to profiling.

 

VIII. RIGHTS OF DATA SUBJECTS

1. Subject to the situations stipulated by law, Data Subjects have:
a. the right to access the content of their Data and to receive a copy thereof;
b. the right to rectify inconsistencies or errors in the Processed Data or to supplement them;
c. the right to information about the Processed Data including the purposes and grounds for the Processing;
d. the right to restrict the Processing of Personal Data;
e. the right to withdraw consent at any time without affecting the lawfulness of the Processing, as long as the Processing is carried out on the basis of consent;
f. the right to delete Personal Data;
g. the right to portability of Personal Data;
h. the right to object to the Processing;
i. the right to lodge a complaint to the supervisory authority, i.e. the President of the Office for Personal Data Protection, if the Processing of Personal Data is found to violate the law, including the GDPR.

2. Requests to exercise the above rights should be submitted in writing or electronically to the addresses
indicated in the Policy.

 

IX. DATA SECURITY

1. The Controller is committed to ensuring the security of the Personal Data entrusted to it.

2. The Controller:
a. ensures transparency of the Data Processing;
b. informs about the Data Processing at the time of its collection, except in situations where it is not obliged to do so under separate regulations;
c. ensures that the Data is collected only to the extent necessary for the indicated purpose and Processed only for the period of time it is necessary,
d. ensures the confidentiality of the Data by access to the Data only by authorized persons.

3. In a situation where, despite the security measures taken, a breach of the protection of Personal Data has occurred and the breach could result in a high risk of violation of the rights and freedoms of Data Subjects, the Controller shall immediately inform Data Subjects of such event.

 

IX. FINAL PROVISIONS

1. The Policy is reviewed on an ongoing basis and updated as necessary.

2. The current version of the Policy is effective as of 28 September 2021.

We would like to inform you that the Controller of your personal data is a company operating under the name of CREEPY JAR SPÓŁKA AKCYJNA with its registered office in Warsaw (postal code 01-360), at ul. registered in the District Court for the City of Warsaw in Warsaw, XIII Economic Department of the National Court Register under the number KRS 0000666293, with a share capital of PLN 679,436.00 fully paid up, NIP 1182136414, REGON: 366335731 (hereinafter referred to as Controller).

 

For matters related to personal data, you can contact the Controller via the following address: privacy@creepyjar.com.

 

Categories of personal data processed by the Controller:


The Controller processes personal data necessary for the specific purpose of processing, in particular IP address, browser type, operating system name, number of visits to the website, e-mail address, name or nickname, device ID, steam ID in case of uploading recording files.

 

Personal data will be processed by the Controller, in particular:


1) on the basis of Article 6 (1) (a) of the GDPR, i.e. on the basis of a separate consent, for the purpose of:


a) direct marketing of the Controller’;s own services – direct marketing may be carried out by the Controller by means of electronic communication (e.g. SMS, MMS, e-mail), telecommunications
terminal equipment (telephone);

 

2) on the basis of Article 6 (1) (b) and (c) of the GDPR for the purpose of:


a) taking action prior to the conclusion of a contract at the request of the data subject or performance of
a contract to which the data subject is a party (the data necessary to conclude a contract are indicated on the contract form),
b) fulfillment of a legal obligation incumbent on the Controller (e.g. fulfillment of obligations arising from trading in the Controller's shares on a regulated market operated by the Stock Exchange);

 

3) on the basis of Article 6 (1) (f) of the GDPR, i.e. the legitimate interest of the Controller, for the purpose of:


a) marketing of own products or services,
b) organizing and conducting marketing campaigns,
c) conducting correspondence with players,
d) enforcement or security of claims,
e) conducting analyses of the quality of services provided;

 

The period for which personal data will be retained:


1) personal data processed in connection with the performance of the contract will be processed until the expiration of the statute of limitations for claims under the contract;

 

2) personal data processed for the purpose of fulfilling a legal obligation incumbent on the Controller will be kept for the period indicated by relevant regulations, such as tax regulations;

 

3) personal data processed for the purpose of marketing the Controller's own services on the basis of legitimate legal interest, will be processed until the data subject objects;

 

4) personal data processed on the basis of a separate consent will be kept until revoked.

 

Rights of the personal data subject:


1) the right to access the content of your personal data, i.e. the right to obtain confirmation as to whether the Controller is processing your data and information regarding such processing,


2) the right to rectification of data if the data processed by the Controller is incorrect or incomplete,


3) the right to request the Controller to delete the data;


4) the right to demand from the Controller to restrict data processing;


5) the right to data portability, i.e. the right to receive personal data provided to the Controller and send it to another controller,


6) the right to object to the processing of data on the basis of the legitimate interest of the Controller or to processing for direct marketing purposes,


7) the right to lodge a complaint with the Polish supervisory authority or the supervisory authority of another European Union member state with jurisdiction over the data subject’s habitual residence or work or over the place of the alleged violation of the GDPR,


8) the right to withdraw consent at any time (without affecting the lawfulness of the processing carried out on the basis of consent before its withdrawal),


9) The right to obtain human intervention on the part of the Controller, to express one’s opinion and to challenge a decision based on automated data processing.

 

The rights mentioned in items 1)-6) and items 8)-9) above can be exercised, among other things, by contacting us at the email address provided above or the Controller’s address.


Categories of recipients of data (entities processing personal data on behalf of the Controller:

 

business partners, accounting offices, law firms, postal operators, carriers, document archiving companies, partners providing technical services (e.g., development and maintenance of IT systems and websites).