Last update on: December 17, 2019
This Policy sets out the minimum rules that Asmodee Digital (hereinafter "Asmodee", "we", "us", "our") has established with regard to the protection of Personal Data so that the collection, use, storage, and communication of Personal Data are carried out in a fair, transparent, and secure manner.
This Policy defines our approach to the processing of your Personal Data that we collect from you or that third parties lawfully communicate to us and the purposes of such processing. It also sets out your rights with regard to our processing of your Personal Data.
We are required, as a data controller within the meaning of the Personal Data Regulations, to collect Personal Data from you in connection with the use of your Account allowing you to access all content of the Applications and to use the Services under a single identity.
In connection with your use of the Services of our Partners' Applications, we may also process your Personal Data on their behalf as a subcontractor within the meaning of the Personal Data Regulations.
The following terms, whether used in the singular or plural form in this Policy, shall have the following meanings:
"Application(s)": shall refer to websites, mobile games, computer games, and games accessible online, published by Asmodee Digital and/or its subsidiaries and partners;
"Intermediate Storage": shall refer to the transfer of Personal Data that is still of administrative interest to us (such as in the event of litigation and/or legal obligation) into a separate database, logically or physically separated and to which, in any event, access is restricted. This storage is an intermediate step before the deletion or anonymization of the relevant Personal Data;
"Account": shall refer to the sole account accessible on the website asmodee.net through the User's personal, confidential credentials that he/she may not communicate to a third party, and from which he/she can access the Platform and the Applications;
"Personal Data": shall refer to the User's personal data, under the Personal Data Regulations, collected and processed in connection with the use of the Platform and Applications.
"Subsidiary(-ies)": shall refer to any company or entity that directly or indirectly controls or is controlled by or under common control with Asmodee Digital. Control of an entity shall mean having, directly or indirectly, the authority to direct or cause to be directed the management or policies of such entity, whether by ownership of voting securities, by contract or otherwise.
"Partner(s)": shall refer to the companies publishing the websites www.daysofwonder.com, www.fantasyflightgames.com, www.plaidhatgames.com, www.asmodeena.com, community.fantasyflightgames.com, store.us.asmodee.com and www.zmangames.com;
"Platform": shall refer to the platform accessible from the website account.asmodee.net or api.asmodee.net;
"Product(s)": shall refer to the physical product(s) marketed on Asmodee's Platform and on its Partners' Applications, including games;
"Personal Data Regulations": shall refer to French Act No. 78-17 of January 6, 1978 on information technology, data files, and civil liberties (Loi relative à l’informatique, aux fichiers et aux libertés), amended pursuant to EU Regulation of April 27, 2016 published in the Official Journal of the European Union on May 4, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR", General Data Protection Regulation);
"Service(s)": shall refer to the service(s) provided by the Platform and by our Partners’ Applications who use the Platform, including access to Chats and/or information groups as well as Forum(s) where Users can discuss among themselves, access to online games, online tournaments and create various content (avatars, game scripts, stories, suggestions, comments, etc.);
"User/You": shall refer to the natural person, whose minimum age is in accordance with local legislation, navigating on the Platform from his/her Terminal and whose processing of his/her Personal Data is governed by the Policy. As such, the User guarantees, in the event that he/she is younger than the required age, that he/she has obtained the consent of the holder of parental authority with regard to the processing of his/her Personal Data;
"Terminal(s)": shall refer to the physical equipment (computer, tablet, smartphone, telephone, etc.) used by the User to use the Platform or Products.
Asmodee Digital, whose registered office is located at 18, rue Jacqueline Auriol, 78280 Guyancourt, France, registered with the Versailles Trade and Companies Register (Registre du Commerce et des Sociétés de Versailles) under number 818 058 216, is the controller of your Personal Data. We may, as the case may be, act as a subcontractor of the processing of your Personal Data carried out by the Partners.
Preserving the safety and privacy of children is very important to us. We do not voluntarily collect or use Personal Data from persons under the minimum age required by local legislation (e.g., 15 years old in France) without the consent of both the child and the holder(s) of parental responsibility.
You also confirm that you are at least of the required age or older when you provide your Personal Data in connection with the use of our Products or Services and/or those of our Partners. If you are under the required age, you must ask your parents or legal guardian for permission to provide us with your Personal Data. To do so, please contact us using the details indicated in Article 9 below.
We collect the following Personal Data about you:
Identifying information such as your name and surname, date of birth, and gender,
Data relating to your personal life such as your e-mail address, country of residence, postal code,
Your data related to the transactions you carry out,
Your login data when using the Applications or the Services (time and place of your activities, username, and IP address),
Content data communicated on the Applications or Services (in particular through Chats, Forums, Posts on forums, messages, or other functionalities).
We do not collect any Personal Data that is considered "sensitive" under the Personal Data Regulations, in particular data relating to your state of health or that would reveal your alleged racial or ethnic origin, your political views, your religious or philosophical beliefs, or your trade union membership.
We process your Personal Data for the following purposes. Whenever we process your Personal Data, we do so on the basis of a legal "justification" (or legal basis) for processing, which we have identified in the table below.
|In order for you to log in to your Account and be able to access the Applications under a single identity.||This processing is necessary for the performance of the agreement made between you and Asmodee.|
|To allow you to use the Services and in particular to communicate content on our Partners' Applications.||This processing is necessary for the performance of the agreement made between us and our Partners on behalf of whom we act as a subcontractor.|
|To provide you with business information about Asmodee’s and/or Partners’ Products and Services.||We consider it in our legitimate interest to keep our customers informed about our Products and Services, as this helps us ensure the sustainability and growth of our businesses. However, where the law requires Asmodee to obtain your consent before sending you such information, Asmodee will rely on your consent to proceed with the processing.|
|To improve our understanding of our customers.||We consider that it is our legitimate interest to understand our customers so that we can develop relevant products and services|
|For us to comply with any applicable law, court order, legal process, or the requirements of a regulatory body.||This processing is required to comply with our legal obligations.|
|To enforce our legal rights and obligations and for any legal proceedings involving you, initiated by or against you.||We consider it in our legitimate interest to protect our organization against any breach of a legal obligation due to it and to defend ourselves in the event of a dispute.|
|To protect the rights of third parties.||This processing is required to comply with the legal obligations to which Asmodee is subject. Such processing is also necessary for the legitimate interests pursued by Asmodee. We consider it in our legitimate interest to ensure that our activities do not violate the rights of third parties.|
|In anticipation of and/or in connection with a business transaction such as a merger, acquisition, restructuring, or sale.||We consider it in our interest to be able to make decisions about the future of our company in an informed manner, in order to preserve and develop our business activities.|
As a matter of principle, your Personal Data is only kept for as long as necessary to achieve the purposes for which it was collected.
Thus, when creating your Account, your identification data (surname, name, date of birth) as well as your personal data (e-mail address, country of residence) is kept for a period of seven (7) years, in the so-called active database, from the date you last logged in.
Data related to the Services use (login data: time and place of your activities, username and IP address, data of the content communicated) is kept for a period of three (3) months, in the so-called active database, from the date you last logged in.
Moreover, we may keep some of your data for a longer period of time, in particular when we are required to do so by law or when such data is required to prove a right or contract. This applies especially to your transaction data (invoices relating to the purchase of games and other Products), the number of transactions you have conducted as well as the date and time of these transactions).
In this case, your Personal Data will be stored and kept for a period of five (5) years in compliance with the standard limitation period.
This data will also be kept in Intermediate Storage for a period of ten (10) years, in compliance with our tax and accounting obligations.
Once the storage periods have expired, we will ensure that your Personal Data is anonymized or deleted.
We are committed to ensuring the security of your Personal Data and we have established information system security policies as well as appropriate technical rules and measures to protect it from unauthorized access, modification, use, and disclosure or unlawful destruction or accidental loss.
All our Partners, employees, Subsidiaries, consultants, and data subcontractors who have access to Personal Data and are involved in its processing are required to preserve its confidentiality.
We shall take all necessary precautions to ensure the secure storage of your password associated with your Account (storage encrypted by a strong one-way algorithm).
However, the security of this password also depends on its design.
Also, we remind you that for your password to be valid, it must be sufficiently complex and difficult to guess, even by someone who knows you well. When creating your Asmodee.net account via the Internet, we offer you a password quality analysis tool whose recommendations we ask you to follow.
All communications between the Applications and the Platform are carried out in a secure manner using the SSL/TLS protocol, identified by the appearance of a small padlock icon or equivalent in Internet browsers. This protocol protects you against spying during Personal Data transfers between Applications and the Platform.
Security of the storage of personal data
The Platform stores Personal Data on highly secured medium both logically (encrypted hard drives) and physically (secure access data centers).
In accordance with the Personal Data Regulations, you have a number of rights to your Personal Data. Each of these rights is further detailed below:
Withdrawal of consent. At any time, you may revoke your consent to any processing of your Personal Data based on your consent.
Access. You may ask us to confirm whether we are processing your Personal Data and, if so, to provide you with the following information:
the purposes of the processing;
the types of Personal Data;
the recipients or types of recipients to whom the Personal Data has been or will be communicated;
where possible, the intended storage period of the Personal Data or, where this is not possible, the criteria used to determine this period;
the existence of the right to request the rectification or deletion of Personal Data, or a limitation on the processing of Personal Data, or the right to object to such processing;
the right to file a complaint with the supervisory authority for personal data (in France, the CNIL);
when Personal Data is not collected from you, any information available regarding their source of information;
the existence of automated decision-making, including profiling, and, at least in such cases, relevant information about the rationale, as well as the importance and expected consequences of such processing for you.
Where Personal Data is transferred to a third country or an international organization, you have the right to be informed of the relevant safeguards with regard to the transfer.
We provide you with a copy of the Personal Data that is subject to processing.
We may charge a reasonable fee based on administrative costs for any additional copies you request from us or if you request that Personal Data be transmitted in paper and/or physical formats.
When you make your request electronically, the information will be provided to you in an electronic form that is commonly used, unless you otherwise request.
Your right to obtain a copy of your Personal Data must not infringe on the rights and freedoms of others.
Rectification. You have the possibility to have your Personal Data rectified promptly if it is incorrect. You also have the option of having your Incomplete Personal Data completed, including by providing a supplementary declaration.
Deletion. You may ask us to delete your Personal Data promptly in the following cases:
when it is no longer required for the purposes for which it was collected;
you have revoked your consent and there is no other legal basis for the processing;
following the exercise of your right to object;
your Personal Data has been unlawfully processed;
or to comply with a legal obligation. We are not obliged to comply with your request to delete your Personal Data, in particular if its processing is necessary to comply with a legal obligation or to recognize, exercise, or defend legal rights.
Limitation. You may ask us to limit the processing of your Personal Data (i.e., to retain it without using it) where:
its accuracy is disputed;
its processing is unlawful but you do not want it to be deleted;
it is still required for the recognition, exercise, or defence of legal claims;
we verify the existence of compelling reasons for exercising your right to object. We may continue to use your Personal Data following a request for restriction: with your consent; for the recognition, exercise, or defence of legal rights; or to protect the rights of any other natural or legal person.
Portability. You may ask us to provide you with your Personal Data in a structured format, commonly used and readable by a machine, or you may request that it be transmitted directly to another controller, but only if:
the processing is based on your consent;
within the performance of an agreement made with you and that the processing is automated.
The right to the portability of your Personal Data must not infringe on the rights and freedoms of others.
Right to object. You may at any time, for reasons related to your specific situation, object to the processing of your Personal Data based on our legitimate interest. We will then no longer process Personal Data, unless we demonstrate that there are compelling and legitimate grounds for processing that prevail over your interests and your rights and freedoms, in whichcase we may keep them for the purpose of recognizing, exercising, or defending legal rights.
You may at any time object to the processing of your Personal Data for the purpose of prospecting.
Digital will. You may define guidelines (general or specific) regarding the treatment of your Personal Data after your death, including the storage, deletion, and disclosure of your Personal Data, which guidelines may also be registered with a "certified digital trusted third party". These guidelines may designate a person to carry them out; otherwise, your heirs will be designated.
In the absence of any directive, your heirs may contact us to:
access to the processing of Personal Data allowing "the planning and arrangement of the deceased's estate";
receive communication of "digital property" or "data similar to family memories, transmissible to heirs";
have your Account on the Platform closed and oppose the further processing of your Personal Data.
In any case, you have the possibility of informing us, at any time, that you do not wish your Personal Data to be communicated to a third party in the event of death.
For more information about your rights, to exercise your rights or for any question regarding the protection of your Personal Data, please contact us at https://asmodee.helpshift.com/a/asmodee-net/
In order to assert your rights under the terms referenced above and in the event that Asmodee has doubts about the applicant, Asmodee may ask you to prove your identity by specifying your surname, name, and e-mail address, and submitting a copy of a valid proof of identity along with your request.
You will receive an answer within a maximum of one (1) month following the date of receipt of the request.
If required, this period may be extended to two (2) months by Asmodee, who will inform you of the response in consideration of the complexity and/or number of requests.
In the event of a request to delete your Personal Data and/or in the event of the exercise of your right to request the deletion of your Personal Data, Asmodee may, however, retain it in the form of an Intermediate Storage for the time necessary to meet its legal obligations, or for probationary purposes during the relevant limitation period.
We may amend this Policy from time to time, for instance to take into account legal changes, technological advances, and good business practices.