PRIVACY POLICY
FLARIE PRIVACY POLICY
1. GENERAL
1.1) Privacy and data protection is important to us at Flarie AB, reg. no 556856-2747 (“Flarie”, “we”, “us” or “our”). This privacy policy (“Privacy Policy”) aims to inform you about our processing of your personal data, and what rights you have as a data subject. Flarie’s processing of personal data is carried out in accordance with applicable legislation, including the general data protection regulation (“GDPR”).
1.2) This Privacy Policy (including all its appendices) applies to the personal data we may process in connection with (i) your use or access of any of our services, including for example, but not limited to, our website https://flarie.com/, its associated domains, and any related platform software provided by Flarie, our game manager tool “Flarie Studio” and our mobile software application “Flarie” (the “Services”, “Platform” or “App”), (ii) customer contracts and engagements, and (iii) business contacts and engagements.
1.3) For clarification, this Privacy Policy applies if you: (i) are a commercial customer or business partner (or prospective customer or business partner) to us, (ii) are a representative and/or employee of a party mentioned in the foregoing item (i) herein; (iii) are a non-commercial user of our Services or are otherwise affected by our Services, (iv) have subscribed to receive our newsletter, receive other communication from us and/or attend our events.
1.4) In connection with your use or access of our Services, we will collect and process your personal data as a controller in accordance with this Privacy Policy. However, content in our Services is either made available directly by us or by a third-party associated with us (a “Flarie Partner”). When accessing content made available directly or indirectly by a Flarie Partner (such as games), the relevant Flarie Partner mentioned in connection with such content will process personal data that you provide in connection thereto as a controller, and a separate privacy policy provided by such Flarie Partner will apply. Flarie may act as a data processor to the relevant Flarie Partner, being the owner of such content that you wish to access. Any such processing of your personal data by us as processors will occur subject to a separate data processing agreement between Flarie and the relevant Flarie Partner, in accordance with the GDPR. For the avoidance of doubt, Flarie Partners are separately responsible as controllers for their processing of your personal data, including providing you with the necessary data processing information prior to its processing of your personal data in accordance with applicable laws (including the GDPR). We have no control over and assume no responsibility for the content, privacy policies, processing, or practices of any Flarie Partner.
1.5) Set forth below in this Privacy Policy is a general description of how we process your personal data, and the tables in Appendix A (for commercial users) and Appendix B (for non-commercial users) set out the details hereof including but not limited to the types of personal data as well as each separate processing activity conducted by us in relation to your personal data.
1.6) If you wish to receive additional information on the processing of your personal data, you are welcome to contact us at privacy@flarie.com.
2. PERSONAL DATA WE PROCESS
2.1) Personal data refers to information which, directly or indirectly, may be associated with a living natural person.
2.2) We generally process the following main categories of personal data (i) contact information, (ii) service account information, (iii) marketing preferences, (iv) user related data and browsing and device usage information, and (v) correspondence with customer services and feedback. The table in Appendix A, Section 2 therein, sets out the details of the categories and types of personal data we process as well as how such data is obtained by us if you are a commercial user; and the table in Appendix B, Section 2 therein, sets out the corresponding details if you are a non-commercial user.
2.3) We will not specifically ask you to provide us with special categories of personal data and will not process such personal data unless we have a legitimate interest to do so. Processing of special categories of personal data is subject to special security measures according to GDPR. Special categories of personal data are for example, but not limited to, racial or ethnic origins, sexual orientation, political opinions, religious beliefs etc. When using our Services, you may choose to provide us with any category of personal data. However, you hereby agree not to provide us with any special categories of personal data when using our Services.
2.4) The personal data that Flarie processes is either provided (i) directly by you in connection with your use of our Services, (ii) automatically through your use of our Services, (iii) by the company which you represent (if applicable), and which uses our Services, (iv) by third parties with whom we collaborate, (v) automatically generated by our security and integrity monitoring systems. We may also, if necessary subject to any of our purposes for the processing, collect personal data from private and public registers, publicly accessible sources as well as from public authorities.
2.5) You are responsible for any personal data obtained, published or shared with us (whether via the App, Platform or otherwise), including such personal data which you have obtained from a third party. You shall also be able to confirm that you have such third party’s consent to provide such personal data to us (if applicable).
2.6) Depending on the device you use when accessing our Services via our App, the App may request certain permissions that allow the application to access your personal data on your device. Permissions must always be granted by you before such information is accessed and processed by the App and include, but are not limited to, camera permission, precise location permission (continuous) and reminders permission. In order to revoke these permissions, we refer you to your device’s settings. Note that revoking such permissions might impact the proper functioning of the App and the Service.
3. LEGAL BASIS AND PURPOSE OF THE PROCESSING
3.1) We process personal data for various purposes. However, we must always have a lawful basis (i.e., a reason prescribed by law) for processing your personal data. The tables in Appendix A and Appendix B, Sections 3 therein, set out the purpose for the processing of the relevant category of your personal data including the corresponding lawful basis thereto.
3.2) We process personal data in accordance with this Privacy Policy (i) to fulfil our obligations in accordance with an agreement with you (or with the company which you represent, if applicable), (ii) to fulfil legal obligations pursuant to applicable legislation, (iii) if we have a legitimate interest to process the personal data, and/or (iv) if we have your consent to process your personal data. For specific processing activities, more than one lawful basis may be applicable.
3.3) If we process your personal data for any specific purpose which requires your consent under the GDPR, or any other legislation, we will obtain your consent in advance. The consent will contain information about the specific processing activity. If you have provided your consent to a specific processing activity of your personal data, you can always withdraw such consent (see Section 8.2 below regarding your rights). If you withdraw your consent, we will no longer store or process your personal data for that specific purpose.
3.4) If we process personal data for any specific purpose upon which we have a legitimate interest, we always prior thereto and in each individual case conduct an assessment of the balance of interests in order to for example evaluate whether our legitimate interest is overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data in accordance with GDPR. We only process personal data based on our legitimate interest if we make the assessment that our legitimate interest is not overridden by the interests and rights of the relevant data subject.
4. SECURITY MEASURES; IMPACT ASSESSMENT
4.1) Personal data will always be processed confidentially and protected by appropriate security measures. Flarie ensures that companies that process and/or manage personal data on our behalf use a high level of security measures in order to protect your personal data. However, please note that, in relation to any personal data you submit to us online, we cannot guarantee the security of data sent to us in this way. Transmission of data over the internet is at your own risk. You are responsible for keeping any passwords you use to access our platforms safe.
4.2) If we are to process personal data in a way that is likely to lead to a high risk for data subjects’ freedoms and rights, we will carry out a data protection impact assessment, in accordance with the GDPR, before we initiate such processing. In such assessment we will (i) systematically review the envisaged processing operation and its purpose, (ii) make an assessment of the necessity and proportionality of the processing operations in relation to the purposes, (iii) make an assessment of the risks to the data subjects’ rights and freedoms, and (iv) ensure that the measures taken meet the requirements according to the GDPR. We only use processes subject to a data protection impact assessment pursuant to the GDPR that have been approved by us subject to such assessment as described herein. The use of such processes that have been subject to a data protection impact assessment is monitored and reassessed continuously by us in accordance with our internal routines from time to time.
5. EXTERNAL PARTIES WE USE
5.1) We may disclose your personal data to external parties with whom we collaborate for the purpose of performing our Service and/or conducting our business. However, we will always ensure that we enter into agreements with each such relevant party, to whom we disclose your personal data, in accordance with GDPR. We may also disclose your personal data when we have a legal obligation to do so, e.g., due to anti-money laundering legislation, tax legislation, court orders or requests from government authorities.
5.2) Further details of the categories of external parties whom we disclose your personal data to, as well as the purpose and lawful basis in each such case are set out in Appendix C hereto. If you wish to receive any additional information on the disclosure of your personal data to such external parties, you are welcome to contact us at privacy@flarie.com.
6. PROCESSING OF YOUR DATA OUTSIDE EU/EEA
6.1) In order to perform our Services and/or conduct our business, we may transfer and store personal data in countries outside the EU/EEA (“Third Countries”), in accordance with Appendix D hereto. Such transfer occurs when (i) we use a personal data processor established in a Third Country, or (ii) data is stored on a cloud service or a server based in a Third Country.
6.2) When Flarie transfers personal data to Third Countries we will take reasonable legal, technical and organizational measures to ensure that your personal data is adequately protected, at the same level as it would have been within EU/EEA through the use of relevant safeguards. For the avoidance of doubt, such transfer as referred to herein will only include the type of personal data relevant for the purpose of the processing.
6.3) Regardless of what is stated in this Section about the relevant protective measures taken, you acknowledge and agree that transfers to and storing of personal data in a Third Country may entail a risk that the personal data cannot be protected at the same level as within the EU/EEA.
6.4) Further details regarding the relevant safeguards used by us to protect the transfer of your personal data are set out in Appendix D. If you wish to receive any additional information on the transfer of your personal data to a Third Country, you are welcome to contact us at privacy@flarie.com.
7. STORAGE AND DELETION OF PERSONAL DATA
7.1) Personal data will only be stored for a limited period of time and no longer than necessary in order for us to fulfil the purposes of the processing (see Appendix A and Appendix B, Sections 3 therein), or for as long as we are required to store the information according to applicable legislation and relevant guidelines. This will depend on a number of factors, including for example (i) the laws and regulations that we are required to follow, (ii) whether we are in a legal or other type of dispute with each other or a third party, (iii) the type of information that we hold about you, (iv) whether we are asked by you or a regulatory authority to keep your personal data for a valid reason. If processing of your personal data is no longer necessary, it will be erased in accordance with our erasure procedure from time to time. We make the assessment in each case regarding if we are entitled to store your personal data, which you can find more information about in Appendix A and Appendix B, Sections 3 therein.
7.2) Depending on the relevant purpose of the processing of your personal data, we may store it in accordance with what is specified in the following:
- Personal data processed as a result of an agreement between you and Flarie are stored during the term of the agreement and a maximum of ten (10) years thereafter due to statute of limitation;
- Personal data we store as a result of applicable legislation such as anti-money laundering and accounting legislation are normally stored for five (5) and seven (7) years, respectively;
- Should we no longer have a legal obligation for the processing of the personal data, the data is stored as long as necessary in order to fulfil each applicable purpose of the processing (normally we erase or anonymise the personal data three (3) months thereafter), more information hereto is set out in Appendix A and Appendix B, Sections 3 therein.
7.3) If we are processing your personal data based on the legal obligations, as described in Section 7.2(ii) above, we cannot delete the personal data even if you were to request such action. Should we no longer be required to save your personal data due to a legal obligation, we will make an assessment whether we are in need of the data in order to safeguard our interest in any legal or other type of dispute.
If Flarie is subject to liquidation or bankruptcy or if Flarie’s customer database is transferred to a third party conducting similar activities as Flarie, Flarie shall thereafter erase your personal data, provided however that Flarie is not required to store the information according to applicable legislation and relevant guidelines. If Flarie is subject to a merger, acquisition, reorganization or similar process, Flarie will continue the processing of your personal data pursuant to this Privacy Policy unless otherwise is specifically announced to you in connection with such process.
8. YOUR RIGHTS AS A DATA SUBJECT
8.1) Flarie is the controller for the processing of your personal data in accordance with this Privacy Policy, and as a data subject you have certain rights as regards your personal data. The rights are however not absolute, meaning that there are exceptions to some of the rights where we cannot proceed and fulfil your request.
8.2) As a data subject, you have the following rights (you will find more information about your rights as a data subject at the webpage of the Swedish Authority for Privacy Protection (Sw. Integritetsskyddsmyndigheten) (“IMY”)):
- Right to withdraw your consent – meaning that you have the right to at any time withdraw your consent where Flarie processes your personal data based on your consent by submitting a request in accordance with Section 8.6 below. In such event, we will no longer store or process your personal data for the relevant purpose;
- Right to access – meaning that you have the right to request a confirmation of our processing of your personal data, to receive information about the processing, access the personal data in question, and the right to obtain a copy of your personal data;
- Right to rectification – meaning that you have the right to have any incorrect personal data about you as a data subject corrected by us;
- Right to erasure – meaning that you have the right to have your personal data erased under certain circumstances. This right is limited, and we may be obligated to save your personal data in accordance with applicable law;
- Right to object – meaning that you have the right to object to Flarie’s processing of your personal data under certain circumstances (for example you may object to processing of your personal data if we base such processing on our legitimate interest and you have the right at any time to object to Flarie’s processing of your personal data for direct marketing purposes etc.);
- Right to restricted processing – meaning that you have the right to have Flarie restrict the processing of your personal data, but not delete it, if you find that the processing is in conflict with applicable law or that we no longer are in need of your personal data for a specific purpose; and
- Right to data portability – meaning that you may request that Flarie provides you with a copy of your personal data we process in order to fulfil an agreement with you, or based on your consent, in order to (if it is technically feasible) transfer your personal data to another data controller.
8.3) If you feel that our processing of your personal data does not comply with GDPR, and applicable data protection legislation, you are entitled to lodge a complaint with IMY. You will find more information about your right to lodge a complaint at IMY’s webpage.
8.4) You may unsubscribe from our newsletters or similar communication at any time, by using your right to object in accordance with Section 8.2(v) above. In such event we will no longer store or process your personal data for such purposes, and we will cease to provide you with such marketing materials.
8.5) You have a right to object to automated individual decision making, including profiling, if a decision results in legal consequences or otherwise has similar significant effects for you. Flarie does not conduct automated individual decision making, including profiling, that results in legal consequences or otherwise has similar effects on you. You will find more information about the right to object to an automated decision at IMY’s webpage.
8.6) Any requests by you as a data subject to us under this Privacy Policy shall be sent to us at: privacy@flarie.com. Requests will be handled as soon as possible, but no later than within one (1) month from the date which Flarie received the request.
9. CHILDREN
Our Services are directed to users being eighteen (18) years or older. However, children being thirteen (13) years and older may receive access to our Service provided that they have their legal guardian(s)’ consent to access our Services. We do not and will not knowingly collect information from any unsupervised person under the age of thirteen (13). If the conditions in this Section 9 are not fulfilled or if you do not accept this Privacy Policy, you may not use the Service. If you are a legal guardian and learn that your child has submitted personal data to Flarie without your consent, we ask that you contact us on the address stated in Section 8.6 above so that you can exercise your rights to, inter alia, rectification or erasure.
10. LINKS TO THIRD PARTY SITES
Our Platform and App may contain links to third party sites. If you click on a third party link, you will be directed to that site. Note that these external sites are not operated by Flarie and, therefore, we strongly advise you to review the privacy policy of these websites. We have no control over, and assume no responsibility for the content, privacy policies, or practices of any third party sites or services.
11. ADS AND SPONSORED CONTENT
Flarie uses the content that you submit in our Services, including your personal data, in order to select and personalize the content and ads that we show you in our Services. However, in order to protect your privacy and personal data in accordance with this Privacy Policy, we will always use anonymized data when we are in contact with marketing agencies and similar third parties.
12. COOKIES
Flarie and our partners may use cookies and similar technologies on the Platform as well as in the App for the purpose of providing and updating its Service and to improve the user experience. For information on how Flarie uses cookies and similar technologies, we refer to our Cookie Policy. The latest version of the Cookie Policy will always be available on the Platform as well as in the App and we advise you to review the Cookie Policy periodically for any changes.
13. AMENDMENTS AND ADDITIONS
Flarie has the right to amend this Privacy Policy from time to time without giving prior notice to such change. Should any change affect the processing of personal data, which is based on your consent, Flarie shall collect a new consent from you regarding such processing. The latest version will always be available on the Platform as well as in the App and we advise you to review the Privacy Policy periodically for any changes.
14. CONTACT DETAILS
Flarie AB, registered at the Swedish Companies Registration Office, with registration number 556856-2747, has its head office at Hornsgatan 24, 118 20 Stockholm, Sweden.
Flarie has a customer service team which administers privacy and data protection enquiries. You can reach our team at privacy@flarie.com.
Flarie complies with Swedish data protection laws. For more information about Flarie please visit our website (www.flarie.com).
APPENDIX A – DETAILS OF OUR PROCESSING OF YOUR PERSONAL DATA (COMMERCIAL CUSTOMERS OR BUSINESS PARTNERS)
1. This Appendix A includes a description of the details of our processing of your personal data and applies if you:
- are a customer (and thus a user of, for example, the Service “Flarie Studio”, subject to the Flarie General Terms of Service) or such prospective customer to us;
- are a business partner or prospective business partner to us;
- are a representative and/or employee of any of the parties in (i)-(ii) above herein;
- come in contact with us or are otherwise affected by our Services as a commercial party; and/or
- have subscribed to receive our newsletter, receive other communication from us and/or attend our events.
2. The personal data we process, attributable to the data subjects listed in Section 1 above in this Appendix A, falls into the following main categories:
- contact information;
- service account information;
- marketing preferences;
- user related data and browsing and device usage information; and
- correspondence with customer services and feedback.
The following table sets out the specifics regarding the type of personal data of each such main category, as well as how we will obtain it.
| CATEGORY OF PERSONAL DATA | TYPE OF PERSONAL DATA | HOW WE RECEIVE THE PERSONAL DATA |
|---|---|---|
| Contact information | • name (given name and surname) • postal address • e-mail address • phone number • place of work • job title • organization contact information | • provided by you • provided by the organization you represent • obtained by us from publicly available resources (if applicable) |
| Service account information | • login details to your or your organization’s user account in the Service • account settings • purchase or subscription history • other information you choose to upload in the Service | • provided by you • provided by the organization you represent |
| Marketing preferences | • your chosen marketing communications preferences | • provided by you |
| User related data and browsing and device usage information | • device information and log data, including for example IP-address, language settings, webpage settings, mobile connection, operating system, platform, screen resolution, and similar information regarding your device settings • user related data automatically generated when using and interacting with the Service, including for example log data with detailed information about your use, time for access, pages displayed, as well as information on updates, sites, work created and how these are distributed and edited over time | • provided by you directly • provided by you indirectly and automatically when using our Services (i.e. from your device) • generated by our systems for security and integrity monitoring purposes |
| Correspondence with customer services and feedback | • recorded phone calls, chat conversations, and/or e-mail correspondence with us • correspondence and feedback from you regarding the Service | • provided by you directly or indirectly upon your contact with our customer service team • provided by you directly |
We process your personal data under this Appendix A of the Privacy Policy for the purposes and on the lawful basis as specified in the following table.
| PURPOSE | TREATMENT | CATEGORY OF PERSONAL DATA | LEGAL BASIS | STORAGE PERIOD |
|---|---|---|---|---|
| Administer and perform our Services or commercial undertakings in accordance with agreements with our customers, Flarie Partners and other business partners. | • Entering, preparing and negotiating customer agreements with you / your organization regarding the provision of our Service • Entering, preparing and negotiating partner agreements with you / your organization • Establishing you / your organization as a client in our systems • Administering Service subscriptions and Service provisions • Administering payment of fees from you / your organization • Conducting any other commitments towards you / your organization in accordance with the relevant agreement between us and you / your organization • Administering and resolving any claims or disputes with you in respect to our Services or business • Other treatments related to any of the above items | All categories mentioned in the table in Appendix A, Section 2. | Fulfilment of an agreement – the processing is necessary in order to fulfil our obligations pursuant to a separate customer or partner agreement with you / your organization (Article 6(1)(b) GDPR). | During the term of the agreement with you / your organization. When we no longer have a legal basis (i.e., if the agreement is terminated) or a legal obligation to process your personal data, we will delete or anonymise the personal data that we process for the relevant purpose in accordance with our internal routines from time to time. More information regarding our rights and obligations to save your personal data is set out in Section 7. |
| Communicating with you in order to administer and perform our Services and our business, including providing you with information (not marketing) in an electronic format. | • Providing you with relevant information regarding the use or provision of the Services • Responding to your / your organization’s queries regarding our Services or our business • Identifying you / your organization • Resolving any complaints or disputes with you / your organization | All categories mentioned in the table in Appendix A, Section 2. | Fulfilment of an agreement – the processing is necessary in order to fulfil our obligations pursuant to a separate customer or partner agreement with you / your organization (Article 6(1)(b) GDPR). | During the term of the agreement with you. When we no longer have a legal basis or a legal obligation to process your personal data, we will delete or anonymise the personal data that we process for the relevant purpose in accordance with our internal routines from time to time. More information regarding our rights and obligations to save your personal data is set out in Section 7. |
| Sending newsletters, information, offers and marketing of our Services on our internal platforms as well as on external platforms. (This may include a transfer of your data to external marketing service providers in accordance with Appendix C, Section (v) therein.) | • Sending newsletters to you • Provide you with offers relating to our products, Services, systems etc. • Provide you with information relating to our Services, products, systems etc. | • name • e-mail address • job title • place of work • marketing preferences • Service account information (e.g., account settings, purchase or subscription history) | Legitimate interest – we have in an assessment (in accordance with Article 6(1)(f) GDPR) determined that the processing is necessary in order to carry out our interest to market our Services, provide you with information, offers etc. (which you at any time may object to). We ensure that the processing is necessary in order to fulfil the interest and that such interest overrules your rights not to have your data processed for this purpose. Consent – we will obtain your express consent to provide you with newsletters, offers etc. if required by us pursuant to applicable marketing legislation. You may withdraw your consent to such processing. More information about your rights as a data subject is set out in Section 9. | During the term of the agreement with you / your organisation or when you inform us that you no longer have an interest in this type of processing or withdraw your consent (if applicable). More information regarding our rights and obligations to save your personal data is set out in Section 7. |
| Fulfilling our legal obligations, strive to prevent crime, investigate whether a crime or contract breach (of the customer or partner agreement) has been committed towards us, and safeguarding our interests in a dispute. | • Control that users (including customers and/or partners) of our Services comply with the terms of our Service, as well as applicable legislation • Perform necessary auxiliary functions such as error monitoring or detecting unusual or unlawful user behaviour in our Services • Complying with our obligations according to applicable laws and regulations, court and/or official decisions (e.g., Tax Act, Accounting Act, Money Laundering and Terrorist Financing (Prevention) Act, etc.) • Prevent, report or investigate fraud and other illegal activities • Prevent, control and report unauthorized use of the Services, phishing, spam, other activities not allowed according to our terms of use for the Service • Control and report abnormal use of the Service and suspicions of manipulation of the Service • Improvements of our IT-environment in order to prevent frauds and attacks | All categories mentioned in the table in Appendix A, Section 2. | Fulfilling a legal obligation – necessary pursuant to applicable law (Article 6(1)(c) GDPR) e.g., Tax Act, Accounting Act, Terrorist Financing (Prevention) Act. If the relevant personal data is not processed by us, we cannot fulfil our legal obligations. Fulfilment of an agreement – the processing is necessary in order to fulfil our obligations pursuant to a separate customer or partner agreement with you / your organization (Article 6(1)(b) GDPR). Legitimate interest (if the above is not applicable) – we have in an assessment (in accordance with Article 6(1)(f) GDPR) determined that the processing is necessary in order to prevent abuse or misuse of our Service, prevent and investigate crimes towards us and safeguard our interests in the event of a dispute. | During the time we have the data in our systems, for example to fulfil the agreement with you / your organisation or in order to fulfil a legal obligation. More information regarding our rights and obligations to save your personal data is set out in Section 7. |
| Evaluating and improving our Services, business, and systems (including analysing web traffic and keeping track of user behaviour). | • Anonymizing your personal data as necessary in order to obtain the purpose of the processing hereunder • Adapting our Services and systems in order to make them more customer friendly and improve the user experience • Preparing data and reports for the purpose of improving our Services, assortment, policies, operations, etc. • Give our customers the opportunity to influence our Services, systems, assortment, etc. | All categories mentioned in the table in Appendix A, Section 2. | Legitimate interest – we have in an assessment (in accordance with Article 6(1)(f) GDPR) determined that the processing is necessary in order to fulfil our interest of evaluating and improving our Services, business, systems, assortment, etc. We ensure the processing hereunder is necessary to achieve the purpose and our interest overrules your right not to have your data processed for this purpose. By anonymizing data concerning you, we also ensure that we use personal data to an extent as minimal as possible. If you prefer more information about how the assessment has been made, you can always contact us (see our contact details in Section 15). | During the time we have the data in our systems, for example to fulfil the agreement with you / your organization or in order to fulfil a legal obligation. More information regarding our rights and obligations to save your personal data is set out in Section 7. |
| Administrating and performing merger, acquisition, reorganization, reconstruction, asset transfer (including our customer database) or similar processes where we and/or our customer data base is the target, meaning that we may share your data with external parties according to Section (iv) in Appendix C of the Privacy Policy (i.e., potential buyers of the business or assets). | • Carrying out a merger, acquisition, reorganization, asset transfer (including our customer database) • Fulfilling an agreement with a counterparty (providing similar activities as Flarie) in such process • Ensuring the counterparty in such process continues the processing of your personal data for the same purposes and in the same way as described in this Privacy Policy (unless otherwise is announced to you) | All categories mentioned in the table in Appendix A, Section 2. | Legitimate interest – we have in an assessment (in accordance with Article 6(1)(f) GDPR) determined that the processing is necessary in order to facilitate an acquisition or reorganization process. I.e., we have assessed that our interest to do so is overridden by your legitimate interests and rights of not having the data processed. However, such transfer of your personal data requires that the overtaking party is conducting similar activities as Flarie. We make sure that the processing this entails is necessary in order to fulfil the relevant interest. You have a right to object to this type of processing, due to circumstances in each relevant case. If you prefer more information about how the assessment has been made, you can always contact us (see our contact details in Section 15). | During the time we have the data in our systems, for example to fulfil the agreement with you or in order to fulfil a legal obligation. More information regarding our rights and obligations to save your personal data is set out in Section 7. |
| Transfer your personal data to suppliers, sub-suppliers, professional advisors and authorities (the purpose varies depending on the recipient, see the relevant Sections in Appendix C of the Privacy Policy). | Transferring your personal data to our suppliers, sub-suppliers, professional advisors and authorities. | All categories mentioned in the table in Appendix A, Section 2. | Varies depending on the relevant external party (see Appendix C of the Privacy Policy for more details hereto). | During the term of the agreement with you. When we no longer have a legal basis or a legal obligation to process your personal data, we will delete or anonymise the personal data that we process for the relevant purpose in accordance with our internal routines from time to time. More information regarding our rights and obligations to save your personal data is set out in Section 7. |
| Transfer of your personal data (if you are a representative of an organization) to accounting service providers, payment service providers and other financial institutions (see Section (vi), in Appendix C of the Privacy Policy). | Administer payments of fees from your organization regarding your organization’s order of our Service. | • contact information (such as name and e-mail address) • job title | Fulfilment of an agreement – the processing is necessary in order to fulfil our obligations pursuant to an agreement with your organization (Article 6(1)(b) GDPR). | Primarily when the purchase is initiated and performed but also during the period we have your data in our systems. When we no longer have a legal basis or a legal obligation to process your personal data, we will delete or anonymise the personal data that we process for the relevant purpose in accordance with our internal routines from time to time. More information regarding our rights and obligations to save your personal data is set out in Section 7. |
APPENDIX B – DETAILS OF OUR PROCESSING OF YOUR PERSONAL DATA (NON-COMMERCIAL USERS)
1. This Appendix B includes a description of the details of our processing of your personal data and applies if you:
- are a non-commercial user of our Services (and thus a user of, for example, our Platform Software subject to the Flarie General Platform Software Terms); and/or
- come in contact with us or are otherwise affected by our Services as a non-commercial user.
2. The personal data we process, attributable to the data subjects listed in Section 1 above in this Appendix B, falls into the following main categories:
- contact information;
- user related data and browsing and device usage information; and
- correspondence with customer services and feedback.
The following table sets out the specifics regarding the type of personal data of each such main category, as well as how we will obtain it.
| CATEGORY OF PERSONAL DATA | TYPE OF PERSONAL DATA | HOW WE RECEIVE THE PERSONAL DATA |
|---|---|---|
| Contact information | • e-mail address • phone number • other contact information you provide on the Platform | • provided by you • obtained by us from third parties with whom we collaborate, such as Flarie Partners (if applicable) • obtained by us from publicly available resources (if applicable) |
| User related data and browsing and device usage information | • device information and log data, including for example IP-address, UUID, language settings, webpage settings, mobile connection, operating system, platform, screen resolution, and similar information regarding your device settings • user related data automatically generated when using our Platform Software, including data that you post or upload in the Services, including for example log data with detailed information regarding your use of our Services, time for access and pages displayed, what games you have played and/or opened, your scores, how many times you played a specific game on our Platform, category of games you are interested in and/or have played, communication with other users of our Services and Flarie Partners etc. • account-related information and identifiers (such as player ID, username, user ID or other login identifiers, as applicable) as well as data generated through monitoring for fraud prevention or anti-cheat purposes (e.g., detection of irregular use or breach of applicable terms) | • provided by you directly • provided by you indirectly and automatically when using our Services (i.e. from your device) • generated by our systems for security and integrity monitoring purposes |
| Correspondence with customer services and feedback | • recorded phone calls, chat conversations, and/or e-mail correspondence with us • correspondence and feedback from you regarding the Service | • provided by you directly or indirectly upon your contact with our customer service team • provided by you directly |
3. We process your personal data under this Appendix B of the Privacy Policy for the purposes and on the lawful basis as specified in the following table.
| PURPOSE | TREATMENT | CATEGORY OF PERSONAL DATA | LEGAL BASIS | STORAGE PERIOD |
|---|---|---|---|---|
| Administer and perform our Services to you (as a non-commercial user) in accordance with our General Software Terms & Conditions (the “Software Terms”) or other agreement between Flarie and non-commercial users. | • Entering an agreement with you • Establishing and identifying you as a user of our Services and/or Platform Software (as defined in the Software Terms) • Technically make available the Platform Software and provide the Service to you in accordance with the agreement between us • Administering requests and claims from you regarding the Platform Software or other Services (including responding, identifying you, and resolving such requests and/or claims) • Conducting any other commitments towards you in accordance with the agreement between us • Other treatments related to any of the above items | All categories mentioned in the table in Appendix B, Section 2. | Fulfilment of an agreement – the processing is necessary in order to fulfil our obligations pursuant to an agreement with you (Article 6(1)(b) GDPR). You will find the Software Terms at [link]. | During the term of the agreement with you. When we no longer have a legal basis (i.e., if we no longer have a legitimate interest or if the agreement is terminated) or a legal obligation to process your personal data, we will delete or anonymise the personal data that we process for the relevant purpose in accordance with our internal routines from time to time. More information regarding our rights and obligations to save your personal data is set out in Section 7. |
| Communicating with you in order to administer and perform our Platform Software, other Services, and our business, including providing you with information (not marketing) in an electronic format. | • Providing you with relevant information regarding the use or provision of the Platform Software or other relevant Services that you use • Responding to your queries regarding our Services, including Platform Software, or our business • Identifying you • Resolving any complaints or disputes with you | All categories mentioned in the table in Appendix B, Section 2. | Fulfilment of an agreement – the processing is necessary in order to fulfil our obligations pursuant to an agreement with you (Article 6(1)(b) GDPR). You will find the Software Terms at [link]. | During the term of the agreement with you. When we no longer have a legal basis or a legal obligation to process your personal data, we will delete or anonymise the personal data that we process for the relevant purpose in accordance with our internal routines from time to time. More information regarding our rights and obligations to save your personal data is set out in Section 7. |
| Fulfilling our legal obligations, strive to prevent crime, investigate whether a crime has been committed towards us, and safeguarding our interests in a dispute. | • Control that users of our Services comply with applicable legislation • Complying with our obligations according to applicable laws and regulations, court and/or official decisions (e.g., Tax Act, Accounting Act, Money Laundering and Terrorist Financing (Prevention) Act, etc.) • Prevent, report or investigate fraud and other illegal activities such as phishing, spam, other activities not allowed according to our Software Terms, other terms (if applicable), or applicable law • Improvements of our IT-environment in order to prevent frauds, attacks and other unlawful behaviour | All categories mentioned in the table in Appendix B, Section 2. | Fulfilling a legal obligation – necessary pursuant to applicable law (Article 6(1)(c) GDPR) e.g., Tax Act, Accounting Act, Terrorist Financing (Prevention) Act. If the relevant personal data is not processed by us, we cannot fulfil our legal obligations. Legitimate interest (if the above is not applicable) – we have in an assessment (in accordance with Article 6(1)(f) GDPR) determined that the processing is necessary in order to prevent abuse or misuse of our Service, prevent and investigate crimes towards us and safeguard our interests in the event of a dispute. | During the time we have the data in our systems, for example to fulfil the agreement with you or in order to fulfil a legal obligation. More information regarding our rights and obligations to save your personal data is set out in Section 7. |
| Detect and prevent prohibited, unlawful and/or unusual user behaviour and investigate whether a contract breach has been conducted towards us or our partners (including safeguarding our interests if such use or breach is detected). | • Control that users of our Services comply with the Software Terms and other relevant agreements (if applicable) • Identify, prevent, control, restrict, take enforcement actions, and report unauthorized use of the Services (including the Platform Software), phishing, spam, other activities not allowed according to our Software Terms, other terms (if applicable), or applicable law • Control and report abnormal use of the Services (including the Platform Software), and suspicions of manipulation of the Services (including the Platform Software) • Perform necessary auxiliary functions such as error monitoring or detecting unusual or unlawful user behaviour, including monitoring, investigating, restricting, and taking enforcement actions in relation to unusual, suspicious, or unauthorized user behaviour of the Service (including the Platform Software) • Improvements of our IT-environment in order to prevent frauds and attacks | All categories mentioned in the table in Appendix B, Section 2. | Fulfilment of an agreement – the processing is necessary in order to fulfil our obligations pursuant to an agreement with you (Article 6(1)(b) GDPR). You will find the Software Terms at [link]. Legitimate interest (if the above is not applicable) – we have in an assessment (in accordance with Article 6(1)(f) GDPR) determined that the processing is necessary in order to prevent abuse or misuse of our Service, prevent and investigate crimes towards us and safeguard our interests in the event of a dispute. | During the time we have the data in our systems, for example, to fulfil the agreement with you, to fulfil a legal obligation or to conduct our legitimate interest. More information regarding our rights and obligations to save your personal data is set out in Section 7. |
| Evaluating and improving our Service, business, and systems (including analysing web traffic and keeping track of user behaviour). | • Anonymizing your personal data as necessary in order to obtain the purpose of the processing hereunder • Adapting our Services and systems in order to make them more user friendly and improve the user experience • Preparing data and reports for the purpose of improving our Services, assortment, policies, operations, etc. • Give our users the opportunity to influence our Services, systems, assortment, etc. | All categories mentioned in the table in Appendix B, Section 2. | Legitimate interest – we have in an assessment (in accordance with Article 6(1)(f) GDPR) determined that the processing is necessary in order to fulfil our interest of evaluating and improving our Services, business, systems, assortment, etc. We ensure the processing hereunder is necessary to achieve the purpose and our interest overrules your right not to have your data processed for this purpose. By anonymizing data concerning you, we also ensure that we use personal data to an extent as minimal as possible. If you prefer more information about how the assessment has been made, you can always contact us (see our contact details in Section 15). | During the time we have the data in our systems, for example to fulfil the agreement with you or in order to fulfil a legal obligation. More information regarding our rights and obligations to save your personal data is set out in Section 7. |
| Administrating and performing merger, acquisition, reorganization, reconstruction, asset transfer (including our user database) or similar processes where we and/or our user data base is the target, meaning that we may share your data with external parties according to Section (iv) in Appendix C of the Privacy Policy (i.e., potential buyers of the business or assets). | • Carrying out a merger, acquisition, reorganization, asset transfer (including our customer database) • Fulfilling an agreement with a counterparty (providing similar activities as Flarie) in such process • Ensuring the counterparty in such process continues the processing of your personal data for the same purposes and in the same way as described in this Privacy Policy (unless otherwise is announced to you) | All categories mentioned in the table in Appendix B, Section 2. | Legitimate interest – we have in an assessment (in accordance with Article 6(1)(f) GDPR) determined that the processing is necessary in order to facilitate an acquisition or reorganization process. I.e., we have assessed that our interest to do so is overridden by your legitimate interests and rights of not having the data processed. However, such transfer of your personal data requires that the overtaking party is conducting similar activities as Flarie. We make sure that the processing this entails is necessary in order to fulfil the relevant interest. You have a right to object to this type of processing, due to circumstances in each relevant case. If you prefer more information about how the assessment has been made, you can always contact us (see our contact details in Section 15). | During the time we have the data in our systems, for example to fulfil the agreement with you or in order to fulfil a legal obligation. More information regarding our rights and obligations to save your personal data is set out in Section 7. |
| Transfer your personal data to suppliers, sub-suppliers, professional advisors and authorities (the purpose varies depending on the recipient, see the relevant Sections in Appendix C of the Privacy Policy (to clarify, only sections (i)-(iv) therein apply to you as a non-commercial user)). | Transferring your personal data to our suppliers, sub-suppliers, professional advisors and authorities. | All categories mentioned in the table in Appendix B, Section 2. | The legal basis varies depending on the relevant external party (see Appendix C of the Privacy Policy for more details hereto). | During the term of the agreement with you. When we no longer have a legal basis or a legal obligation to process your personal data, we will delete or anonymise the personal data that we process for the relevant purpose in accordance with our internal routines from time to time. More information regarding our rights and obligations to save your personal data is set out in Section 7. |
APPENDIX C – EXTERNAL PARTIES WE USE
External parties with whom we collaborate to provide the Service
Description of the external parties: Suppliers and sub-suppliers are organisations that process the personal data they receive from us on our behalf (i.e. personal data processors). Examples of such suppliers are software and data storage providers, email providers, analysis system providers, website service providers, other IT services providers and business consultants.
Purpose and legal basis: We need access to the services and functionalities from other organisations that we cannot provide ourselves in order to provide our Services (including the Platform and App). We have a legitimate interest to get access to these services and functionalities and we assure that the treatment it entails, is necessary in order to fulfil the interest in question. In this case, our interests have been deemed overruled by individuals’ interests of not having their data processed. You always have a right to object to such processing due to circumstances in each relevant case, and you will find more information about your rights hereto in Section 8 in the Privacy Policy.
Authorities
Description of the external parties: We may have to provide necessary information to authorities such as the Police, Tax Agency, and other authorities and courts.
Purpose and legal basis: Provision of your personal data to authorities will be made if we have a legal requirement to do so and in certain cases if you ask for it, if it is necessary in order to administer tax deductions, prevent crimes etc. Depending on the authority and purpose, the legal basis is (i) a legal obligation, (ii) fulfil an agreement with you / your organisation, (iii) legitimate interest to protect ourselves from crimes or unauthorized use of our Services.
Professional advisors
Description of the external parties: We may have to provide necessary information to our professional advisors (such as legal and financial advisors and other experts).
Purpose and legal basis: Provision of your personal data to such advisors or experts is made when we are in need of legal or financial advice. Depending on the purpose, the legal basis is (i) legitimate interest to examine our legal obligations, (ii) legitimate interest to protect ourselves from crimes, (iii) legitimate interest to protect ourselves in a dispute, or (iv) fulfil an agreement with you / your organisation.
Potential buyer of Flarie’s business or assets
Description of the external parties: Should Flarie or its shareholders wish to sell the business or assets, Flarie may have to provide your personal data to a potential buyer in such transaction. Personal data of Flarie’s users or customers may have to be transferred in the event an essential segment of Flarie’s assets is purchased by a third party buyer.
Purpose and legal basis: We have a legitimate interest of being able to perform transactions of our business or assets and we make sure that the processing of your personal data such transaction may entail is necessary in order to fulfil the interest in question. In this case, our interests have been deemed overruled by individuals’ interests of not having their data processed. You always have a right to object to such processing due to circumstances in each relevant case, and you will find more information about your rights hereto in Section 8 of the Privacy Policy.
Marketing service providers
Description of the external parties: We use marketing service providers in order to conduct direct marketing and marketing campaigns of our Services on our internal platforms as well as external platforms, provided that you have given your express consent to receive such marketing from us (if you are not a previous customer to us).
Purpose and legal basis: Provision of your personal data to such marketing service providers is made when you have provided your consent to receive marketing and newsletters from us, if you are not already a customer to us or user of our Services. If you previously have used or are using our services as a user or customer, we base the transfer and processing on our legitimate interest to market our Services, provide you with information, offers etc. which you at any time may object to. Further, you always have a right to withdraw your consent to such processing, and you will find more information about your rights hereto in Section 8 of the Privacy Policy.
Accounting service providers, payment service providers and other financial institutions
Description of the external parties: External parties that provide their services to us in order to (i) carry out and administer payments from our clients (organizations), as well as (ii) assist us with our accounting obligations. If you represent an organization that is a client to us, we may share your name, job title, and e-mail address to such external parties, if necessary.
Purpose and legal basis: We need access to the services and functionalities from such external parties in order to administer payments from our clients (organizations) as well as to perform our accounting obligations. Some payment service providers also collect and use your personal data independently in accordance with their own data protection information. The legal basis is to fulfil an agreement with the organization which you represent.
APPENDIX D – THIRD COUNTRY TRANSFERS
Subject to Section 6 in the Privacy Policy, we transfer personal data to the following Third Countries (i.e., countries outside the EU/EEA), based on the referred to appropriate safeguard pursuant to GDPR:
- United Kingdom – the country is subject to an adequacy decision pursuant to GDPR Article 45 and we therefore do not take any further steps pursuant to GDPR Article 45 specifically, other than continuously monitoring that the adequacy decision remains in force; and
- United States of America – the country is subject to an adequacy decision by the European Commission under Article 45 of the GDPR provided that the organizations in the U.S. to which personal data is transferred are certified under the EU-U.S. Data Privacy Framework. Organizations in the U.S. certified under this framework have committed to adhering to its principles, ensuring a level of personal data protection that is essentially equivalent to the protection offered within the EU. The organizations in the U.S. to which Flarie transfers personal data under this Privacy Policy are currently certified and fall under the EU-U.S. Data Privacy Framework. Since an adequate level of protection currently exists for all third-country transfers hereunder, we do not take any additional measures under Article 45 of the GDPR, other than continuously monitoring that the adequacy decision remains valid and that each recipient maintains valid certifications and thus fulfills their commitments under the EU-U.S. Data Privacy Framework.
If a potential transfer of personal data to any of the countries referred to above in this Appendix D can neither be lawfully based on an adequacy decision nor any of the exceptions in GDPR Article 49, we always take the following additional steps prior to such transfer to ensure compliance with EU level of protection of personal data:
- make an assessment whether the transfer tool we rely on is effective in practice (in light of the law in the relevant third country);
- adopt supplementary security measures which we have deemed are effective for the set of transfers to the specific Third Country, such measures are for example but not limited to (i) contractual measures, (ii) organizational measures, and/or (iii) encryption or pseudonymisation of the personal data;
- conduct any identified procedural steps (if applicable); and
- continuously monitor developments in the relevant Third Country and re-evaluate the initial assessment and decisions for the transfer to the relevant country accordingly.
If you wish to receive any additional information on the transfer of your personal data to a Third Country, you are welcome to contact us at any time. Our contact details can be found in Section 14 in the Privacy Policy.