Privacy Notice

Effective from May 25, 2018

We collect and process personal data only in accordance with the General Data Protection Regulation (Regulation 2016/679/EU of the European Parliament and of the European Council) and the prevailing laws and regulations.

We send direct marketing letters (newsletters) exclusively on the basis of a specific consent. We may send system messages even without a consent.

We store data as safely as possible.

We disclose personal data to third parties exclusively on the basis of a consent; however, we collect and transfer statistical data (excluding personal data) on usage habits to third parties.

Our users may request information regarding their data stored; furthermore, each user may require the erasure of his/her personal data (collected and stored upon his/her consent) at any time, by contacting us through our contact details.

Introduction

ZEN Studios Software Developer Limited Liability Company (registered seat: H-1027 Budapest, Ganz utca 16. floor 2, company reg. no.: 01-09-691205, tax number: 12532630-2-41) (hereinafter referred to as the Service Provider, controller) hereby submits itself to the following privacy notice.

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (general data protection regulation), with special regard to Sections (32), (39) and (58) as well as Article 12 therein, declare that the data subject (hereinafter referred to as the user) shall be informed prior to the commencement of data processing whether the legal basis of data processing is the consent of the data subject, mandatory provision or technical requirements.

Before processing operations are carried out, the data subject shall receive clear and detailed informed of all aspects concerning the processing of his/her personal data, such as the purpose for which his/her data is required, the legal ground of data processing, the person entitled to become data controller or data processor, the duration of data processing.

Pursuant to EUP and Regulation 2016/679, users shall be informed that if obtaining the consent of the user is impossible or entails excessive costs, the processing of personal data is allowed if:

a) processing is necessary for compliance with a legal obligation to which the controller is subject, or
b) it is necessary for the enforcement of the controller’s or a third party’s legitimate interest, and the enforcement of such interest is proportionate to the restriction of the data subject’s right to the protection of personal data.

The information provided to the user shall cover his or her rights and remedy options related to data processing.

If providing information to users is impossible or entails excessive costs (in this case on a website), information may be provided by the publication of the following information:

(a) the fact that data are collected, (b) data subjects involved, (c) the purpose of the collection of personal data, (d) duration of data processing, (e) possible controllers entitled to become aware of the personal data, (f) provision of information to data subjects on their rights and remedies available to them related to data processing, and (g) if there is a location for the data protection registration of data processing, the registration number of data processing.

This privacy policy regulates data processing activities carried out on the following websites: http://www.pinballfx.com, blog.zenstudios.com, forum.zenstudios.com, www.aliensvspinball.com, www.ballsofglory.com, www.bethesdapinball.com, www.castlestorm.com, www.idrbattleheroes.com, www.infiniteminigolf.com, www.kickbeat.com, www.marvelpinball.com, www.pokershowvr.com, www.southparkpinball.com, www.starwarspinball.com, www.zenpinball.com, https://blog.zenstudios.com/?page_id=8135, https://blog.zenstudios.com/?page_id=7420, https://blog.zenstudios.com/?page_id=7762, https://blog.zenstudios.com/?page_id=7239 and is based on the above criteria.

The policy is available on the following website: http://blog.zenstudios.com/zen_privacy_policy.html

 

Amendments to the policy enter into effect upon their publication on the above website.

 

Terms, definitions

data subject/User: natural person that is or that can be directly or indirectly identified based on any specific personal data, who contacts the Service Provider through an application or website, or in any other (online or offline) way.

personal data: information relating to the user—especially the name, identifier, and one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of the user, and the consequences that can be drawn from the information related to the data subject;

data controller: natural or legal person, or organisation without legal personality which alone or jointly with others determines the purposes and means of the processing of data; makes and executes decisions concerning data processing (including the means used) or have it executed by a data processor;

the data controller in this case: ZEN Studios Software Developer Limited Liability Company (registered seat: HU-1027 Budapest, Ganz utca 16. floor 2, EUID: HUOCCSZ.01-09-691205, community VAT number: HU12532630)

data controlling: any operation or the totality of operations performed on the data, irrespective of the procedure applied; in particular, collecting, recording, registering, classifying, storing, modifying, using, querying, transferring, disclosing, synchronizing or connecting, blocking, deleting and destructing the data, as well as preventing their further use, taking photos, making audio or visual recordings, as well as registering physical characteristics suitable for personal identification (such as fingerprints or palm prints, DNA samples, iris scans);

data processing: carrying out technical tasks in relation to data processing operations, irrespective of the method or instrument used in performing those operations, and of its application, provided that the technical tasks are performed on data;

data processor: any natural or legal person or organisation without legal personality processing the data on the grounds of a contract concluded with the controller, including contracts concluded pursuant to legislative provisions;

data protection officer: The managing director of the Service Provider

data protection officers: the manager responsible for the given field, employed by the Service Provider, the head of the customer service

personal data breach: the unlawful processing or process of personal data, in particular the illegitimate access, alteration, transfer, disclosure, deletion or destruction as well as the accidental destruction or damage.

 

Data collection, the scope of data, purpose(s) of data processing

In line with Articles 12, 13 and 14, the following shall be defined with respect to the registration and use of application:

a) the fact that data are collected,
b) data subjects involved,
c) the purpose of the collection of personal data,
d) duration of data processing,
e) possible controllers entitled to become aware of the personal data,
f) provision of information to data subjects on their rights available to them related to data processing.

Upon the start and during the term of use of the applications, the following data are recorded and stored by the Service Provider:

Applications

Personal data

Legal basis

purpose of data processing

duration of data storage

source

Planet Minigolf

Playstation Network identifier (PSN ID)

performance of contract

identification of the user


PSN shall transmit

Infinite MiniGolf

Gamer Server identifier (Game Server ID)

performance of contract

identification of the user


To be generated by Service Provider

user’s name

performance of contract

identification of the user


to be provided by the user

Device identifier (Device ID)

performance of contract /legitimate interest

identification of the device

1 month

automatic recording

IPv4/6

performance of contract /legitimate interest

identification of the device

1 month

automatic recording

Platform user identifier

performance of contract /legitimate interest

identification of the user

1 month

automatic recording

Generated user identification

performance of contract

identification of the user

1 month

To be generated by Service Provider

Independence Day Resurgence: Battle Heroes

Platform type

performance of contract /legitimate interest

identification of the device


Apple, Google, Amazon -

automatic recording

Platform user identifier

performance of contract /legitimate interest

identification of the user


Apple, Google, Amazon -

automatic recording

Platform username

performance of contract

identification of the user


Apple, Google, Amazon -

automatic recording

intra-game friend list

performance of contract

identification of friends


to be provided by the user

CastleStorm Free to Siege

Gamer Server identifier (Game Server ID)

performance of contract

identification of the user


To be generated by Service Provider

user’s name

performance of contract

identification of the user


to be provided by the user

CastleStorm (Nintendo Switch)

Device identifier (Device ID)

performance of contract /legitimate interest

identification of the device

1 month

automatic recording

IPv4/6

performance of contract /legitimate interest

identification of the device

1 month

automatic recording

Platform user identifier

performance of contract /legitimate interest

identification of the user

1 month

automatic recording

Generated user identification

performance of contract

identification of the user

1 month

To be generated by Service Provider

Star Wars Pinball (iOS, Android),

Aliens vs. Pinball, Portal Pinball, Bethesda Pinball

Device identifier (Device ID)

performance of contract /legitimate interest

identification of the device

1 month

automatic recording

IPv4/6

performance of contract /legitimate interest

identification of the device

1 month

automatic recording

Android: Google Game Services user identifier

performance of contract /legitimate interest

identification of the user

1 month

automatic recording

iOS: Game Center user ID

performance of contract /legitimate interest

identification of the user

1 month

automatic recording

Generated user identification

performance of contract

identification of the user


To be generated by Service Provider

iOS: Game Center username

performance of contract

identification of the user


to be provided by the user

Android: Google Game Services username

performance of contract

identification of the user


to be provided by the user

Facebook identifier

performance of contract

identification of the user


to be provided by the user

Facebook username

performance of contract

identification of the user


to be provided by the user

Zen Pinball (iOS, Android)

Device identifier (Device ID)

performance of contract /legitimate interest

identification of the device

1 month

automatic recording

IPv4/6

performance of contract /legitimate interest

identification of the device

1 month

automatic recording

Android: Google Game Services user identifier

performance of contract /legitimate interest

identification of the user

1 month

automatic recording

iOS: Game Center user ID

performance of contract /legitimate interest

identification of the user

1 month

automatic recording

Generated user identification

performance of contract

identification of the user

1 month

To be generated by Service Provider

iOS: Game Center username

performance of contract

identification of the user


to be provided by the user

Android: Google Game Services username

performance of contract

identification of the user


to be provided by the user

Pinball FX3

Device identifier (Device ID)

performance of contract /legitimate interest

identification of the device

1 month

automatic recording

IPv4/6

performance of contract /legitimate interest

identification of the device

1 month

automatic recording

Generated user identification

performance of contract

identification of the user

1 month

To be generated by Service Provider

Platform user identifier

performance of contract /legitimate interest

identification of the user


automatic recording

Platform username

performance of contract

identification of the user


to be provided by the user

Pinball FX2 VR

Device identifier (Device ID)

performance of contract /legitimate interest

identification of the device

1 month

automatic recording

IPv4/6

performance of contract /legitimate interest

identification of the device

1 month

automatic recording

Platform user identifier

performance of contract /legitimate interest

identification of the user

1 month

automatic recording

Generated user identification

performance of contract

identification of the user


To be generated by Service Provider

Bob’s Burgers Pinball, Family Guy Pinball, Archer Pinball, American Dad! Pinball, The Walking Dead Pinball, Marvel Pinball (iOS, Android)

Generated user identification

performance of contract

identification of the user


To be generated by Service Provider

iOS: Game Center username

performance of contract

identification of the user


to be provided by the user

Android: Google Game Services username

performance of contract

identification of the user


to be provided by the user

Facebook identifier

performance of contract

identification of the user


to be provided by the user

Facebook username

performance of contract

identification of the user


to be provided by the user



Website / e-mail

Personal data

Legal basis

purpose of data processing

duration of data storage

source

Pinball cabinet support request form


name

performance of contract

identification of the user

2 months

filling out user forms

email

performance of contract

identification of the user

2 months

filling out user forms

picture (of device)

performance of contract / legitimate interest

checking of authorization

2 months

filling up/ filling out user forms

Customer Support mailing

name

performance of contract

settlement of ticket

continuous in address book

user / receipt of e-mail

email

performance of contract

settlement of ticket

continuous in address book

user / receipt of e-mail

Sales information

performance of contract

settlement of ticket

2 months

user / receipt of e-mail



Website / e-mail

Personal data

Legal basis

purpose of data processing

duration of data storage

source

Forum

name

consent, performance of contract

use of the forum, identification of the user

continuous (cancelling of registration)

user

filling out the data sheet

email

consent, performance of contract

use of the forum, identification of the user

continuous (cancelling of registration)

user

filling out the data sheet

MSN ID

consent, performance of contract

use of the forum, identification of the user

continuous (cancelling of registration)

user

filling out the data sheet

date of birth

consent, performance of contract

use of the forum, identification of the user

continuous (cancelling of registration)

user

filling out the data sheet

language

consent, performance of contract

use of the forum, identification of the user

continuous (cancelling of registration)

user

filling out the data sheet

profile picture

consent, performance of contract

use of the forum, identification of the user

continuous (cancelling of registration)

user

filling out the data sheet, uploading of picture

Mailing list

name

consent, performance of contract

sending newsletter

continuous (cancelling of registration)

user

subscription

email

consent, performance of contract

sending newsletter

continuous (cancelling of registration)

user

subscription

IP address

consent, performance of contract

sending newsletter

continuous (cancelling of registration)

automatic data recording

at the beginning of use

statistics

consent, performance of contract

sending newsletter

continuous (cancelling of registration)

automatic data recording

continuously

Blog

name

consent, technical necessity

Use of blog comment

continuous (cancelling of registration)

user

Posting comments

email

consent, technical necessity

Use of blog comment

continuous (cancelling of registration)

user

Posting comments

IP address

consent, technical necessity

Use of blog comment

continuous (cancelling of registration)

automatic data recording

Posting comments

Blog Admin

name

consent, technical necessity

Blog administration

continuous (cancelling of registration)

Administrator

Registration

email

consent, technical necessity

Blog administration

continuous (cancelling of registration)

Administrator

Registration

profile picture

consent, technical necessity

Blog administration

continuous (cancelling of registration)

user

Registration


Neither the username, nor the e-mail shall necessarily contain personal data, but if the User provides such data as a part of the username or e-mail address, he/she consents to the processing of these data by the Service Provider.

Data subjects involved: Each User, using the application(s), websites, forum/blog/mailing list and customer service.

The duration of data processing and the deadline for the deletion of data are indicated in the table. The storage of data of a continued conservation period is necessary for the provision of more effective solutions to Users’ problems and answers to Users’ questions, to keep the forum contents and to operate the mailing list.

Possible controllers entitled to become aware of the personal data: the managing director, the developers of the given application and (if needed) the customer service, blog administrators (who are the employees of the Service Provider) may process personal data in accordance with the above principles.

Information on the User’s rights related to data processing: the User may initiate the erasure or amendment of his/her personal data in the following ways:

by post, addressed to the Service Provider’s registered seat, to the attention of the customer service or by e-mail sent to support@zenstudios.com, via phone at number +36 1 780 4679.

Legal ground of data processing: the performance of the contract (Article 6 (1)(b) of the GDPR) and legitimate interest (Article 6 (1)(d) of the GDPR), identification and follow-up of users, Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market and paragraphs 1 and 2 of Article 13 of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector:

The service provider may – for the purpose of providing the service – process personal data indispensable for providing the service for technical reasons. Should other conditions be identical, the service provider shall select and operate the means applied in the course of providing information society service at all times, so that personal data be processed only if it is absolutely indispensable for providing the service or achieving other objectives stipulated in this Act, and only to the required extent and duration.

 

Collection and transfer of data concerning the use and statistical data

The Service Provider informs the Users that during the use of the applications it collects and transfers to third parties identifiers and statistical data automatically.

The fact that data are collected, personal data involved:

Data base / partner

The concerned applications

data

source

purpose of data processing

legal ground for data processing

duration of data processing

data controller / data processor

3rd party SDK
-
Photon Networking

Disco Dodgeball - REMIX

Xbox One:
For authentication: XSTSToken (time-depending code generated by the platform, from which the xboxlive identifier may be decrypted)
Shared information: OnlineID/GamerTag (public xboxlive identifier), XboxLiveId (individual and private xboxlive identifier)
IP address

automatic data recording

operation of service

technical necessity




Exit Games servers

3rd party SDK
-
Photon Networking

PS4:
For authentication: OnlineID (public psn identifier), AuthCode (time-dependent non-individual code generated by the platform)
Shared information:
OnlineID, AccountId (individual and private psn identifier)
IP address

automatic data recording

operation of service

technical necessity




Exit Games servers

3rd party SDK
-
Photon Networking

Nintendo Switch:
Shared information: NickName (public nintendo identifier), NsaId (individual and private nintendo identifier)
IP address

automatic data recording

operation of service

technical necessity




Exit Games servers











3rd party SDK
-
Flurry

Zen Pinball, Zen Pinball – eSports Edition, Aliens vs. Pinball, Bethesda Pinball, Star Wars Pinball, Bob’s Burgers Pinball, Family Guy Pinball, Archer Pinball, American Dad! Pinball, The Walking Dead Pinball, Marvel Pinball, Portal Pinball

IP4/IP6

automatic data recording

survey of users’ habits, development of products and services

legitimate interest

Acceptance of privacy policy

termination of product support

+ 3 years

Yahoo! servers

3rd party SDK
-
Flurry

Device ID

automatic data recording

survey of users’ habits, development of products and services

legitimate interest

Acceptance of privacy policy

termination of product support

+ 3 years

Yahoo! servers

3rd party SDK
-
Google Analytics

Independence Day Resurgence, Independence Day Battle Heroes

IP4/IP6

automatic data recording

survey of users’ habits, development of products and services

legitimate interest

Acceptance of privacy policy

termination of product support

+ 3 years

Google servers

3rd party SDK
-
Google Analytics

Device ID

automatic data recording

survey of users’ habits, development of products and services

legitimate interest

Acceptance of privacy policy

termination of product support

+ 3 years

Google servers

3rd party SDK
-
AppsFlyer

Aliens vs. Pinball, Bethesda Pinball, Independence Day Resurgence, Independence Day Battle Heroes

IP4/IP6

automatic data recording

survey of user habits

legitimate interest

Acceptance of privacy policy

termination of product support

+ 3 years

AppsFlyer servers

3rd party SDK
-
AppsFlyer

Device ID

automatic data recording

survey of users’ habits, development of products and services

legitimate interest

Acceptance of privacy policy

termination of product support

+ 3 years

AppsFlyer servers











3rd party SDK
-
Vungle

Pinball FX2 (Windows 10)

IP4/IP6

automatic data recording

advertisement services

legitimate interest / consent
(EULA/PP pop-up)

Acceptance of privacy policy

termination of product support

+ 3 years

Vungle servers

3rd party SDK
-
Vungle

Device ID

automatic data recording

survey of users’ habits, development of products and services

legitimate interest

Acceptance of privacy policy

termination of product support

+ 3 years

Vungle servers

3rd party SDK
-
AdColony

Aliens vs. Pinball, Bethesda Pinball, Zen Pinball, CastleStorm – Free to Siege

IP4/IP6

automatic data recording

advertisement services

legitimate interest / consent
(EULA/PP pop-up)

Acceptance of privacy policy

termination of product support

+ 3 years

AdColony servers

3rd party SDK
-
AdColony

Device ID

automatic data recording

survey of users’ habits, development of products and services

legitimate interest

Acceptance of privacy policy

termination of product support

+ 3 years

AdColony servers

3rd party SDK
-
UnityAds

Aliens vs. Pinball, Bethesda Pinball, Zen Pinball, CastleStorm – Free to Siege

IP4/IP6

automatic data recording

advertisement services

legitimate interest / consent
(EULA/PP pop-up)

Acceptance of privacy policy

termination of product support

+ 3 years

Unity servers

3rd party SDK
-
UnityAds

Device ID

automatic data recording

survey of users’ habits, development of products and services

legitimate interest

Acceptance of privacy policy

termination of product support

+ 3 years

Unity servers

3rd party SDK
-
Chartboost

Aliens vs. Pinball, Bethesda Pinball

IP4/IP6

automatic data recording

advertisement services

legitimate interest / consent
(EULA/PP pop-up)

Acceptance of privacy policy

termination of product support

+ 3 years

Chartboost servers

3rd party SDK
-
Chartboost

Device ID

automatic data recording

survey of users’ habits, development of products and services

legitimate interest

Acceptance of privacy policy

termination of product support

+ 3 years

Chartboost servers

3rd party SDK
-
Google AdMob

Zen Pinball

IP4/IP6

automatic data recording

advertisement services

legitimate interest / consent
(EULA/PP pop-up)

Acceptance of privacy policy

termination of product support

+ 3 years

Google servers

3rd party SDK
-
Google AdMob

Device ID

automatic data recording

survey of users’ habits, development of products and services

legitimate interest

Acceptance of privacy policy

termination of product support

+ 3 years

Google servers

3rd party SDK
-
IronSource

Bethesda Pinball, Aliens vs. Pinball, Independence Day Battle Heroes, Independence Day Resurgence, CastleStorm – Free to Siege

IP4/IP6

automatic data recording

advertisement services

legitimate interest / consent
(EULA/PP pop-up)

Acceptance of privacy policy

termination of product support

+ 3 years

IronSource servers

3rd party SDK
-
IronSource

Device ID

automatic data recording

survey of users’ habits, development of products and services

legitimate interest

Acceptance of privacy policy

termination of product support

+ 3 years

IronSource servers

3rd party SDK
-
Leadbolt

Aliens vs. Pinball, Bethesda Pinball

IP4/IP6

automatic data recording

advertisement services

legitimate interest / consent
(EULA/PP pop-up)

Acceptance of privacy policy

termination of product support

+ 3 years

Leadbolt servers

3rd party SDK
-
Leadbolt

Device ID

automatic data recording

survey of users’ habits, development of products and services

legitimate interest

Acceptance of privacy policy

termination of product support

+ 3 years

Leadbolt servers

3rd party SDK
-
AdDuplex

Pinball FX2 (Windows 10)

IP4/IP6

automatic data recording

advertisement services

legitimate interest / consent
(EULA/PP pop-up)

Acceptance of privacy policy

termination of product support

+ 3 years

AdDuplex servers

3rd party SDK
-
AdDuplex

Device ID

automatic data recording

survey of users’ habits, development of products and services

legitimate interest

Acceptance of privacy policy

termination of product support

+ 3 years

AdDuplex servers

3rd party SDK
-
TapJoy

CastleStorm – Free to Siege

IP4/IP6

automatic data recording

advertisement services

legitimate interest

Acceptance of privacy policy

termination of product support

+ 3 years

TapJoy servers

3rd party SDK
-
TapJoy

Device ID

automatic data recording

survey of users’ habits, development of products and services

legitimate interest

Acceptance of privacy policy

termination of product support

+ 3 years

TapJoy servers

3rd party SDK
-
Crashlytics

Independence Day Battle Heroes, Independence Day Resurgence, Bethesda Pinball

We insert platform ID into crash reports

automatic data recording
Platform API (iOS, Android)

survey of user habits, monitoring of stability

legitimate interest




Fabrix servers

 

Data subjects involved: Each user using the applications.

Purpose of data processing: Identification of users, follow-up of users’ habits and the provision of advertisement services.

Duration of data processing, deadline for the deletion of data: The table indicates the duration of data processing the date of erasure shall be the end of third year following the termination of product support.

Possible controllers entitled to become aware of the personal data: use of the data by the controller does not qualify as processing of personal data, as the Service Provider has no further information necessary to the identification of the user no connection between such data will be made.

The right of the Users in connection with data processing: the Users are entitled to gain information on the scope of their data processed.

Legal ground of data processing: It is not necessary to obtain the data subject’s consent, if the exclusive purpose of the use of the data is transmission of communication via the electronic telecommunications network, or if it’s essential for the service provider to provide services related to information society.

 

Processing of cookies

The fact that data are collected, personal data involved: unique identification number, dates and times

Data subjects involved: All users visiting the website.

Purpose of data processing: Identification of users and follow-up of visitors.

Duration of data processing, deadline for the deletion of data: In case of session cookies, data processing shall terminate once the website visit is finished.

Possible controllers entitled to become aware of the personal data: The use of cookies does not qualify as processing of personal data.

Provision of information to data subjects on their rights available to them related to data processing: the Users may delete cookies under menu item usually called ‘Data Protection’ in the Tools/Settings menu of their browser.

Legal ground of data processing: It is not necessary to obtain the data subject’s consent, if the exclusive purpose of the use of cookies is transmission of communication via the electronic telecommunications network, or if it is necessary for the provision of services explicitly requested by the subscriber or user related to information society.

 

Other cookies

The controller uses the remarketing code of Facebook. In this respect we provide the following information: duration of cookies: 20 days; purpose of data processing: Personalization of Facebook advertisements; further information: http://hu-hu.facebook.com/help/cookies/

 

Use of Google Adwords conversion tracking

The controller uses the online ad programme called “Google Adwords”, and within its framework it uses Google’s conversion tracking service. Google conversion tracking is the analysing service of Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; „Google“).

When a User reaches a website via a Google ad, a cookie necessary for conversion tracking is stored on his or her computer. The validity of these cookies is limited; therefore, they do not contain any personal data, and Users cannot be identified by them.

When the User browses on certain pages of the website, and the cookie has not expired, Google and the data controller may see that the User has clicked on the ad.

All Google AdWords clients receive different cookies; therefore, they cannot be tracked via the websites of the clients of AdWords.

Information which have been obtained with the use of conversion tracking cookies aim to prepare conversion statistics for the clients of AdWords who opt for conversion tracking. This is how clients receive information on the number of users clicking on their ad and directed to the website having a conversion tracking label. However, they cannot receive information based on which any of the users may be identified.

If you do not wish to participate in conversion tracking, then you may refuse it by blocking the option to install cookies in your browser. After this, you will not figure in statistics related to conversion tracking.

Further information and the privacy policy of Google may be found at the following website: www.google.de/policies/privacy/

 

Application of Google Analytics

The websites of ZEN Studios uses the application of Google Analytics which is the web analysing service of Google Inc. (“Google”). Google Analytics uses ‘cookies’, text files which are saved on your computer, thus helping analysis of the use of the webpage visited by the User.

Information created with cookies related to the website used by the User are generally stored on a Google server located in the US. By website activation of IP-anonymization, Google shortens the IP-address of Users in advance in the Member States of the EU or EEA.

The transfer of the full IP-address is only transferred to a Google server located in the US in special cases. On behalf of the operator of this website, Google will use such information to evaluate how the User used the website, to prepare reports for the operator of the website related to the activity of the website, and to perform further services related to the use of the website and the internet.

Within the framework of Google Analytics, IP-address transferred by the User’s browser is not linked to other data of Google. You may prevent the storage of cookies by choosing the appropriate setting on your browser, however, please note that in this case, it may occur that not all the functions of the website will be fully available to you. You may also prevent Google from collecting and processing the User’s data related to the use of the website (including IP-address), if you download and install the following browser plug-in. https://tools.google.com/dlpage/gaoptout?hl=hu

 

Newsletter (mailing list), DM activity

In accordance with Section 6 of Act XLVIII of 2008 on Essential Conditions of and Certain Limitations to Business Advertising, the User may grant his or her explicit and prior consent to that the Service Provider contact him or her with its promotions and other messages at the contact details provided at registration.

Being aware of the provisions of this policy, the User may also grant his or her consent to the processing of his or her personal data necessary for sending promotions by the Service Provider.

The Service Provider may not send unsolicited promotions, and the User may unsubscribe from such promotions and newsletters free of charge, without indicating his or her reasons, at any time. In this case, the Service Provider shall delete all personal data of the User necessary for the sending of promotions from its data base, and may not continue to send its promotions to the User. The User may unsubscribe from promotions and newsletters by clicking on the link in the message.

Purpose of data processing: sending of electronic messages which do not contain any promotions to the data subjects, provision of information on news, products, discounts, new functions, etc.

Duration of data processing, deadline for the deletion of data: data processing lasts until withdrawal of the data subject’s consent, that is until unsubscription.

Possible controllers entitled to become aware of the personal data: employees of the data controller may process personal data in accordance with the above principles.

Data processor employed during data processing: MailChimp - The Rocket Science Group LLC. dpo@mailchimp.com.

 

The Rocket Science Group LLC d/b/a MailChimp Attn. Privacy Officer (privacy@mailchimp.com) 675 Ponce de Leon Ave NE, Suite 5000 Atlanta, GA 30308 USA

Further information and the privacy policy of MailChimp may be found at the following website: https://mailchimp.com/legal/privacy/

The right of the users in connection with data processing: Data subjects may unsubscribe from newsletters at any time, free of charge.

Legal ground of data processing: the voluntary consent of the user, Section 5 (1) of the Privacy Act, Section 6 (5) of Act XLVIII of 2008 on the Essential Conditions of and Certain Limitations to Business Advertising:

The advertiser, the advertising service provider and the publisher of advertising shall keep records of the personal data of the natural persons granting their consent thereto (to the extent and in the scope determined in such consent). The data recorded into this registry with respect to the addressee of the advertisement may only be processed in line with the content of the consent and until the withdrawal thereof; furthermore, such data may be transferred to third parties upon the prior consent of the user thereto.

 

Social networking websites

The fact that data are collected, personal data involved: Name of the person registered on Facebook/Google+/Twitter/Pinterest/Youtube/Instagram etc. and the public profile picture of the user.

The scope of users: All data subjects who have registered on Facebook/Google+/Twitter/Pinterest/Youtube/Instagram etc, and have liked the website.

Purposes of data collection: Sharing or liking, promoting certain contents, products, discounts of the website or the website itself on the social networking websites.

Duration of data processing, deadline for the deletion of data, possible controllers entitled to become aware of the personal data, and rights related to data processing available to data subjects: users may refer to the social networking website in question for information on the source of data, their processing, and the manner of transfer and its legal ground. Data processing is carried out on the social networking websites; therefore, the provisions of the social networking website in question shall cover the duration, manner of data processing, as well as options to delete or modify data.

Legal ground of data processing: the data subject’s voluntary consent to data processing on the social networking websites.

 

Customer service and other data processing activities

Should any question occur in the course of using the services of the controller, or should the data subject have any problems, he/she may contact the controller through the contact points indicated on the website (phone, e-mail, social media pages etc.).

The incoming e-mails, messages, the data provided via phone, Facebook etc., together with the name, e-mail address of and other data provided voluntarily by the inquiring party shall be deleted by the controller after maximum 5 years of the date of data provision.

We shall provide information on any data processing not listed in this information note upon recording the relevant data.

Upon the exceptional request of a competent authority or other organs (authorized to submit such request by the prevailing laws and regulations), the Service Provider shall provide information, disclose or transfer data and make available certain documents.

In such cases, provided that the requesting party has defined the specific purpose of request and the scope of the requested data, the Service Provider shall make available the personal data for the requesting party to such an extent essential for the achievement of the purpose of request.

 

Zen Studios data security

The controller shall design and implement the data processing measures in a way that ensures the protection of data subjects’ data on the highest level that is technically feasible and available.

The controller shall implement adequate safeguards and appropriate technical and organizational measures to protect personal data (by using passwords and protection against viruses), as well as adequate procedural rules to enforce the provisions of the Information Act and other regulations concerning confidentiality and security of data processing.

Data shall be protected by the controller by means of suitable measures against unauthorized access, alteration, transmission, public disclosure, deletion or destruction, as well as damage and accidental loss, and to ensure that stored data cannot be corrupted and rendered inaccessible due to any changes in or modification of the applied technique.

Suitable technical solutions shall be introduced by the controller to prevent the interconnection of data stored in these filing systems and the identification of the data subjects. In order to prevent the unauthorized access to, the unauthorized change and publication or use of the data, the controller shall provide for the evolvement and operation of a suitable IT- and technical environment, for the controlled selection and monitoring of its employees participating in the provision of services, for the issuance of detailed operation, risk management and service provision procedural guidelines.

On the basis of the above, the service provider shall make available the data processed by it for the data subject, ensure the authenticity and verification thereof, as well as to provide for the certification of the unchanged nature of data.

 

The IT system of the controller and its server service provider is to ensure protection against computing fraud, espionage, computer viruses, spams, hacks and other attacks.

 

The rights of users

The user may request the Service Provider to give information on the processing of his/her personal data, to rectify, block or erase the data processed, save where processing is rendered mandatory.

Upon the user’s request the controller shall provide information concerning the data relating to him, including those processed by a data processor on its behalf or according to his/her notice, the sources from where they were obtained, the purpose, grounds and duration of processing, the name and address of the data processor and on its activities relating to data processing, and the conditions and effects of the data incident and measures taken with a view to eliminate them and –in case of data transfer – the legal basis and the recipients.

The Service Provider as data controller – by means of an internal data protection officer should they have appointed one and with a view to control measures relating to data incidents and to inform data subjects – shall keep records containing the personal data affected, the personal scope affected by the data incident , the time, circumstances and effects of the data incident and measures taken to eliminate thereof as well as other information determined by law.

With a view to verifying legitimacy of data transfer and for the information of the data subject, the Service Provider as data controller shall maintain a transmission log, showing the date of time of transmission, the legal basis of transmission and the recipient, description of the personal data transmitted, and other information prescribed by the relevant legislation on data processing.

Upon the user’s request the Service Provider shall provide information concerning the data processed by it, the sources from where they were obtained, the purpose, grounds and duration of processing, the name and address of the data processor (if any) and on its activities relating to data processing, and –in case of data transfer – the legal basis and the recipients thereof. The Service Provider shall provide the information in written and easily understandable form as soon as possible after the submission of the request but not later than within 25 days. The provision of information shall be free of charge.

Where a personal data is deemed inaccurate, and the correct personal data is at the controller’s disposal, the Service Provider shall rectify the personal data in question.

Instead of deletion, the Service Provider shall block personal data if User requests so, or if the violation of User’s legitimate interests by deletion is reasonable assumable from the available information. The blocked personal data may only be processed as long as the aim of data processing that prevented the deleting of the personal data exists.

The Service Provider shall erase the personal data if processing it is unlawful, if it is requested to do so by the User, if the data processed is deficient or erroneous—and it cannot be rectified lawfully—provided that erasure is not prohibited by law, the purpose of the processing no longer exists, the deadline for storing the data set forth in the law has expired or it is ordered by court or by the National Authority for Data Protection and Freedom of Information.

If the accuracy of an item of personal data is contested by the data subject and its accuracy or inaccuracy cannot be ascertained beyond doubt, the data controller shall mark that personal data for the purpose of referencing.

When a data is rectified, blocked, marked or erased, the data subject and all recipients to whom it was transmitted for processing shall be notified. Notification is not necessary if, with regard to the purpose of the processing, it does not harm the legitimate interests of the data subject.

If the data controller refuses to comply with the data subject’s request for rectification, blocking or erasure, the factual or legal reasons on which the decision for refusing the request or rectification, blocking or erasure is based shall be communicated in writing, within twenty-five (25) days of receipt of the request. Where rectification, blocking or erasure is refused, the data controller shall inform the data subject of the possibilities for seeking judicial remedy or lodging a complaint with the Authority.

 

Legal remedy

The user can object to the processing of his or her personal data if the processing (or transmission) of the personal data is only necessary for the Service Provider to perform its legal obligation, to pursue the legitimate interests of either the Service Provider, the data recipient or a third party, except if processing is a legal obligation, if the use and transmission of the personal data occurs for direct marketing, polling surveys or scientific research, in any other case determined in the respective laws.

As soon as possible after filing the request but not later than within 15 days thereafter, the Service Provider shall investigate the objection, shall make a decision about the justification thereof, and inform the applicant about the decision in writing. If, according to the findings of the Service Provider, the data subject’s objection is justified, the controller shall terminate all processing operations (including data collection and transmission), block the data involved and notify all recipients to whom any of these data had previously been transferred concerning the objection and the ensuing measures, upon which these recipients shall also take measures regarding the enforcement of the objection.

Should the User disagree with the Service Provider’s decision taken on the basis of the above, he may seek a judicial remedy against it within 30 days of its communication. The court shall hear such cases in priority proceedings.

In case of infringement committed by the controller, the concerned data subject (user) may turn to the national data protection authority having competence at his/her address of residence (DPAs -http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm), or to the authority having competence at the seat of the Service Provider:

National Authority for Data Protection and Freedom of Information

H-1125 Budapest, Szilágyi Erzsébet fasor 22/C.

Mailing address: H-1530 Budapest, Postafiók: 5.

Telephone: +36 -1-391-1400

Fax: +36-1-391-1410

E-mail: ugyfelszolgalat@naih.hu

 

Judicial remedy

The burden of proof to show compliance with the law lies with the data controller. The lawfulness of data transfer shall be certified by the data receiving party. The regional courts shall have the competence to decide in such cases. The court case may be initiated before the court having jurisdiction either at the place of the temporary or the permanent residence of the data subject. Any person otherwise lacking legal capacity to be a party to legal proceedings may also be involved in such actions. The Authority may intervene in the action on the data subject’s behalf.

When the court’s decision is in favour of the plaintiff, the court shall order the controller to provide the information, to rectify, block or erase the data in question, to annul the decision adopted by means of automated data-processing systems, to respect the data subject’s objection, or to disclose the data requested by the data recipient.

If the court rejects the petition filed by the data recipient, the controller shall be required to erase the data subject’s personal data within 3 days of delivery of the court ruling. The controller shall erase the data even if the data recipient does not file for court action within a determined time limit.

The court may order publication of its decision, indicating the identification data of the controller as well, where this is deemed necessary for reasons of data protection or in connection with the rights of large numbers of data subjects under protection.

 

Compensation and restitution

If the data controller, by unlawful data processing or by breaching data security rules, violates the personal rights of the data subject, the latter may demand restitution from the data controller.

The data controller shall be liable for damages caused by the data processor and s/he will be liable to pay restitution for personal rights violations as well. The controller shall be released from liability for damages and from paying restitution if s/he demonstrates that the damage or the violation of personal rights were brought about by reasons beyond his/her data processing activity.

No compensation shall be paid, and no restitution may be demanded where the damage or the violation of rights was caused by intentional or seriously negligent conduct on the part of the aggrieved party or the data subject.

 

Miscellaneous provisions, information

The information was prepared with due regard to the following laws and regulations:

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market;

Directive 2009/22/EC of the European Parliament and of the Council of 23 April 2009 on injunctions for the protection of consumers' interests;

Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector;

Regulation (EU) No 524/2013 of the European Parliament and of the Council of 21 May 2013 on online dispute resolution for consumer disputes and amending Regulation (EC) No 2006/2004 and Directive 2009/22/EC;

Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union;

Furthermore, the laws and regulations of the country of residence of the Service Provider (Hungary), in particular:

Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter referred to as Infotv.)

Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (in particular Section 13/A)

Act XLVII of 2008 on the Prohibition of Unfair Commercial Practices Against Customers;

Act XLVIII of 2008 on Essential Conditions of and Certain Limitations to Business Advertising (in particular Section 6)

Act XC of 2005 on the Freedom of Electronic Information

Act C of 2003 on Electronic Communications (in particular Section 155)

opinion no. 16/2011 on the EASA/IAB recommendation concerning the approved practices of behaviour-based online marketing

recommendation of the European Data protection Body (EDPB) and the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) concerning the data protection requirements of preliminary information