CD PROJEKT S.A. Privacy Policy
Last updated: 2nd October 2018


Overview:


  1. This document explains what data is collected in connection with CD PROJEKT RED games and services.
  2. It also explains how we use that data, where we store it, and how we protect it.
  3. In short:
    • in order for you to play our games or use our services we need to process some of your data. Should we need to process your data for any other purpose than offering you our games and services, we will always ask you for your consent in advance.
    • Some partners, such as e.g. GOG, help us in developing our games and services (e.g. forums) and we may share limited data with them – but only for our own purposes.
    • We will not share your data for third party advertising purposes
  4. Finally, it explains your rights in relation to your personal data.

Hello! This Privacy Policy is where we explain how your personal data is collected, stored or used, and what happens to it when you're using CD PROJEKT RED games and services. Like with our User Agreement, we have put together two versions: a full text version which is legally binding and also section summaries, which will hopefully make the legal language sound a bit more accesible. You will need to agree to this Privacy Policy before you use a CD PROJEKT RED game or service for the first time. If you have any questions you can contact us at privacy@cdprojektred.com.
Here we go !

FULL TEXT

QUICK SUMMARY

1.

WHO WE ARE

1.1

We are CD PROJEKT S.A., a company incorporated in Poland which is the data controller under European Union data protection legislation. Hereafter, we will call ourselves “CD PROJEKT RED” as CD PROJEKT RED is the team behind the video games within CD PROJEKT S.A. You may contact us via email at privacy@cdprojektred.com or by mail: CD PROJEKT S.A., Jagiellońska 74, 03-301 Warsaw Poland.

Hello, we're CD PROJEKT RED and we are based in Poland. You can find our contact details here!

1.2

To protect all the personal data in a better and more efficient way, we designated Data Protection Officer (or DPO) who is responsible for the oversight and implementation of the data protection strategy and ensures compliance with necessary legal requirements. You can contact our DPO at the following email address: dpo@cdprojektred.com

In case of any questions or doubts concerning personal data protection, please contact our Data Protection Officer (contact details opposite).

2

WHAT THIS PRIVACY POLICY GOVERNS

2.1

This Privacy Policy applies to: all our websites, games, forums, social media channels, customer and technical support and any other services we provide to you (Hereafter, the term "CD PROJEKT RED services" will refer to all of these elements).

This Privacy Policy explains the different kinds of data we collect from you when you're using CD PROJEKT RED games and services. We fully comply with privacy laws.

2.2

Specifically, this Privacy Policy governs personal data (or, as called in the United States, “personally identifiable information”) and non-personal data (or, as in the United States, “non-personally identifiable information”), which we collect from you when you're using CD PROJEKT RED services. ("Personal data" basically means data, which, on its own or in combination with other data, can be used to identify you).

2.3

We respect your right to privacy and will only process personal data in accordance with applicable legislation in the EU and other countries where we offer our games and services.

3

PROTECTING CHILDREN

3.1

We recognize we have a special obligation to protect personal data obtained from children. We do not and will not knowingly collect personal data from any child under 16 without consent from their parent or guardian. If you are a parent or guardian and are concerned about the transfer of personal data about your child, please contact privacy@cdprojektred.com.

If you are under 16 and would like to use our services, a consent from your parent or guardian is necessary.

4

INFORMATION WE COLLECT

4.1

When you use CD PROJEKT RED services, we may collect the following data if relevant (how we use it is described later in this document):

  1. Your name and surname,
  2. Your email address,
  3. Any username (such as a forum username) used to identify yourself in any of our services
  4. Details of your digital platform account regarding our games (such as a GOG Galaxy account, if you have one), but not any financial details,
  5. IP address
  6. Technical details about any device which you use to access our services, including: Internet and/or network connection ; any mobile device identifier; your operating system, browser type or other software; or your hardware or other technical details. This is technical data about our users and their actions and patterns which does not provide personal data,
  7. Details of your use of our services including, but not limited to: metrics data about when and how you use the services; traffic data; and your geographical location data,
  8. Details about your use of social networking and our services (if you have linked our services to a social networking account). This may potentially include certain data from Facebook or other social networks (including access to your friends list as well as aggregated non-personal analytics data about our users) strictly in accordance with Facebook's and other networks' terms and conditions – in the extent necessary to provide you with all functions of CD PROJEKT RED games and services; and
  9. Any other data which you supply us via our services,

When you use our services, we collect basic data about you and your activity.

4.2

In case you use our forums, we may additionally process data generated automatically through your activity in the forum: date of last activity, subscribed threads, favorite posts, achievements in the forum, redpoints (points on the forum), private messages and posts.

We may also collect additional optional data via forum: contact data (messengers), website address, biography, location, interests, profession, avatar, user's preferred language.

4.3

If you take part in Gwent esports competition (Gwent Ranked Play and Gwent Masters tournaments) we may process your Gwent-related data we receive from our sister company GOG (who is responsible for providing you access to GWENT: The Witcher’s Card Game on PC), in particular:

  1. your GOG username and avatar
  2. Gwent-ID
  3. Log of user activity within Gwent (login time, logout time, log of matches played, number of wins and losses, gathered experience points,)
  4. your card collection and decks
  5. Matchmaking Rating (MMR) and faction Matchmaking Ratings (fMMRs)
  6. IP address
  7. Country

If you take part specifically in Gwent Masters esports tournaments and events – we may additionally process your data used only in context of your participation in these events, in particular:

  1. passport/ID number, issuer of the document, photo/scan of the document, citizenship,
  2. your date of birth
  3. bank account details for prize payment
  4. your image if you participate in a Gwent tournament
  5. place of birth
  6. correspondence address
  7. your father’s and mother’s names
  8. data on your participation in official and authorized Gwent events
  9. Crown Points (points used in Gwent Masters rankings)

If you take part in Gwent esports competition, we may need some more data about you, which we will receive from GOG or directly from you.

4.4

If you contact our technical support (directly or using crash reporting functionalities in our games or services), we may process other data required to help you with any queries or support matters, such as data collected in crash logs that are gathered by your device or the technical parameters of the device you use to play.

If you contact technical support they may ask you to provide them with some additional data, including your crash logs or the technical details of the device you use.

4.5

For the purposes of competitions organized by CD PROJEKT RED, we may process additionally your correspondence address, phone number, social networks identifiers, image of yourself, bank account number.

If you participate in competitions organized by us, we may need some additional data about you.

4.6

We may also collect some non-personal data about our users (statistical information on usage of our games and services, information on devices used to connect to them) in order to better understand how our games and services are used and to improve them based on this knowledge.

4.7

In order to play our games and use our services, we need to process data provided above. In case you do not agree to provide us with the above-mentioned data, you will not be able to play our games participate in competitions or use other services.

The above data is necessary for us to provide you with our services.

4.8

Cookies. We and our partners also collect data about you via cookies. You can find out more about this in our Cookie Policy here: https://regulations.cdprojektred.com/en/cookie_policy . The Cookie Policy forms part of this Privacy Policy

Check our Cookie Policy to find out what sorts of cookies we use to support our services.

5

HOW DATA ABOUT YOU IS COLLECTED

5.1

We may collect and process data about you in the following ways:

  • data you give us via CD PROJEKT RED services;
  • data given when you contact us or report a problem with CD PROJEKT RED services;
  • data about your activity as a user of our services (in addition to your IP address, country of origin, purchases, account of in-game virtual goods and currencies) - is collected automatically;
  • data we receive about you from GOG due to your participation in Gwent esports competition;
  • we may also ask you to complete surveys that we use for research purposes. However, your response to surveys is not required. We may collect this data via CD PROJEKT RED services or trusted partners connected with us for optional services such as surveys or polls.

We collect and process data that you give us in connection with our games and services or that we receive in connection with your activity within the game.

5.2

A quick word about payment details (if/when you use them): We will not receive or store any of your payment details, this is fully handled by the relevant payment platform an/or payment method/processor.. If/when you make any purchases in CD PROJEKT RED services, we are notified by the payment processor once the transaction takes place and then ensure you receive your purchase. We do not, however, receive any of your actual payment details. We only keep the data concerning transaction dates, currencies, value and the products of transaction.

We do not collect any of your payment details. We only receive data that a purchase took place and ensure you receive what you purchased. The only data we store includes transaction dates, currencies, value and products of transaction.

6

WHY DO WE USE YOUR DATA (LEGAL BASIS FOR DATA PROCESSING)

6.1

When we process personal data about you, we do so only as necessary to provide CD PROJEKT RED the services you use (i.e. to perform the agreement between us), to meet our legal obligations or to fulfill the so-called “legitimate interests” of CD PROJEKT RED, or in accordance with the other cases described in the section “How is your data used?”.

To clarify, by legitimate interests we mean lawful purposes that could be reasonably expected (protecting the security of the data we process, marketing CD PROJEKT RED games and services as well as ensuring our marketing is relevant for you, conducting anti-cheat analysis and anti-fraud checks). When we rely on the legitimate interest, we consider and balance any potential impact on you and your rights. For other purposes, we will ask for your consent and you will be entitled to withdraw this consent at any time with no impact on the validity of the processing before your consent has been withdrawn.

In order for you to play our games and use our services we need to process some of your data. Should we need to process your data for any other purpose, we will always ask you for your consent in advance. You will always have the right to withdraw your consent at any time.

6.2

When we transfer your data outside the European Economic Area, we do so on the basis of a variety of legal mechanisms, as described in “Trusted Partners”.

7

HOW DO WE HANDLE YOUR PERSONAL INFORMATION

7.1

Where do we store it? The data we collect from you is stored on our secure servers in Europe or – only if necessary - by those of our Trusted Partners as described below. We implement appropriate technical and organizational measures to protect your personal data against unauthorized or unlawful processing, accidental loss, destruction or damage. We will take all reasonably necessary steps to ensure that your data is treated securely and in accordance with this Privacy Policy.

We will store your data on our secure servers in Europe or on those of our Trusted Partners. We will do our best to keep your data secure.

7.2

How long are we going to store your data? We will retain your personal data only for as long as needed in order to fulfill the purposes outlined in this Privacy Policy. In certain special cases, a longer retention period might be required by law, such as for tax reasons, accounting purposes or other legal requirements and obligations. When we will no longer require your personal information in order to provide our game related services to you, we will either delete it or anonymize it:

  • we will keep data that is associated with the services you use for the duration of the agreement to access the services (ex. CD PROJEKT forum). Following account closure, limited data that we collect about you will still be retained for an additional few years for tax, legal or accounting purposes;
  • we will keep your Gwent-related data we receive from you or from GOG for the duration of the agreement for participation in Gwent esports competition (e.g. until you close your Gwent account or inform us directly you no longer want to participate in the competition). Following that, we will retain some of your data for an additional few years for tax, legal and accounting purposes;
  • if you contact us and don’t use our services, we will retain correspondence with you as long as necessary to assist you , followed by a period necessary for legal or accountability purposes;
  • for marketing purposes, we will store data as long as we have valid consent, without undue delay and no later than within 30 days from the moment we receive a request to unsubscribe.

In general, we will store your data until you use our services. After that we may still use limited data about you for tax, legal or accounting reasons.

8

HOW IS YOUR INFORMATION USED?

8.1

Your data may be used for the following purposes:

  • To carry out our obligations arising from any agreements between you and us.
  • To provide you with marketing information (including personalized and targeted marketing emails), which we feel may interest you. For example, we may send you newsletters or emails about CD PROJEKT services (of course, this is optional and we will ask you for permission first).
  • To provide you with products or services that you request from us.
  • To communicate with the users of our services
  • To allow you to participate in interactive features of CD PROJEKT RED services when you choose to do so.
  • To allow you to participate in Gwent esports competition.
  • To notify you about changes to CD PROJEKT RED services.
  • To maintain, improve or modify CD PROJEKT RED services.
  • To conduct competitions organized by the CD PROJEKT (including contact with participants, evaluation of applications, distribution of prizes, payment of tax on prizes).
  • To calculate conversion rates and other elements of CD PROJEKT RED services’ performance.
  • For tax, legal and accounting purposes.
  • For the accountability purposes as defined by EU legislation (GDPR).
  • To target and personalize our marketing communications, offers and advertisements that we display on our websites and services as well as those of third parties based on the combined data we have collected about you.

We will use your data to operate CD PROJEKT RED services and continue to improve them, as well as to communicate with you (e.g. via newsletters or emails).

8.2

Whenever we’re personalizing or targeting our marketing communications, offers and advertisements, we may profile your personal data, which means that we may use the data we collect to adjust the communication addressed to you to meet your needs. In such cases, we do not, however, use your personal data for profiling, which would constitute automated decision-making that could affect your legal situation (i.e. we do not use algorithms to make decisions which would have an impact on your individual legal rights or affect your legal status or rights under the agreement between us. For example we do not make automatic offers based on your behaviour in the game) .

If you decide that you no longer want to receive personalized offers, product recommendations from us, or any advertising news at all, you can object to this service at any time.

We gather data about when and how you use CD PROJEKT RED services in order to offer you the best service possible. However, we will never make automatic decisions based on profiling that could affect your legal situation (e.g. automatic offers or discounts based on your behavior in the game).

8.3

We might process some aggregated and general non-personal data on user behaviour (e.g. sales per region) with third party partners who work with us to provide CD PROJEKT RED services to you (for example, with payment providers) in order to support, improve or amend CD PROJEKT RED services. We may also share non-personal data with data analysis services to help us run CD PROJEKT RED services.

Sometimes we may have to share anonymised, non-personal data like operating system type in order to run our services. Fear not, as mentioned above, everything’s anonymised, so you can never be identified.

9

DATA SHARING

9.1

Please remember that any communications you have via CD PROJEKT RED services (e.g. via private messages or CD PROJEKT RED forums or via social media) may reveal details about you. Also, any data you post publicly using CD PROJEKT RED services will be publicly available to CD PROJEKT RED users and others. We are not responsible for your use of any private personal data which you choose to make available via CD PROJEKT RED services, or the activities of other users or other third parties to whom you give or make available your data.

When you're using CD PROJEKT RED services you have the option to share your own personal data with others or publicly. But be aware that you are responsible for this type of data sharing.

10

THIRD PARTY INFORMATION COLLECTION AND EXTERNAL SERVICES

10.1

CD PROJEKT RED services may, from time to time, contain links to and from the websites or services of third parties. Our Privacy Policy does not extend to these external sites or companies, so please refer directly to their privacy policies.

You may find third party links in CD PROJEKT RED services, or we might direct you to third parties. They may collect data from you in accordance with their own privacy policies. Please be sure to take a look at them.

10.2

Some services may involve interacting with our sister company, GOG, or potentially with other trusted partners of CD PROJEKT RED. For example you could set up a GOG account to access services like The Witcher forums. In order to do this, we may need to share some of your personal data with our trusted partners.

We provide some services via trusted partners like GOG (our sister company) – we will share some data with them.

11

OUR TRUSTED PARTNERS

11.1

We may share your data with the following Trusted Partners, who were engaged by us to help deliver our services and functionalities to you. Please rest assured that we always provide our partners with the minimum data necessary for them to achieve the purpose of their cooperation with us. They may have access to limited data about you and process it on our behalf for only the purposes set out below (they are formally called “Data Processors”):

  • GOG sp. z o.o. – our sister company, who hosts our forums and supports us in Gwent esports competition;
  • CD PROJEKT Inc. – our daughter company that helps us market in the United States;
  • Our partners who provide us with internal management and data-sharing tools;
  • Our partners who help us in data analysis by providing us with analytical tools;
  • Our partners who help us manage our newsletters and email communications by providing us with email marketing tools;
  • Our professional advisors who assist with legal, tax, audit or accounting matters;
  • Advertising partners for the purpose of personalized and targeted marketing (for example, to inform via advertisements on websites you visit about our services you may enjoy).

We sometimes share data with our Trusted Partners. They usually take care of stuff like data analytics, internal management tools or support us in marketing activities.

11.2

When required by law, we may also share your data with the police or other government authorities (including your IP address and details of suspected unlawful or fraudulent activity such as unauthorized use of payment methods and security risk scores).

11.3

Your data may be processed, stored and transferred to countries outside your country of residence and beyond the European Economic Area (EEA), such as Switzerland or the United States. Privacy laws in these countries may not offer the same level of protection as in your country or in the EEA. But whenever we share your personal data outside the EEA, we will do so on the basis of EU standard contractual clauses or the Privacy Shield Framework, which are lawful measures to transfer your data and establish adequate protection of your personal data.

Whenever we share your personal data outside Europe, we make sure that the data is duly protected.

12

PUSH NOTIFICATIONS

12.1

If you use our mobile games then, with your prior approval, we may send push or local notifications to your mobile device to give you updates regarding those games. You can manage this, normally from your device’s Settings section.

We can use mobile push notifications if you approve it.

13

OTHER STUFF

13.1

Please be aware that we are subject to various laws and may be required to release personal data to comply with law enforcement and other legal requirements.

We may be required to comply with law enforcement requests to release personal data.

13.2

In the unlikely event of a reorganization or merger of CD PROJEKT RED we may transfer personal data to an involved third party who will protect to at least the same level as we do in this privacy policy.

In the event of any reorganizations, acquisitions, etc., your personal data will still be protected to at least the same level as it is right now.

14

YOUR RIGHTS

14.1

You have the right to object to the processing of your personal data in certain situations and for marketing purposes at any time. You can do so by contacting us on the email address: privacy@cdprojektred.com.

You have a number of rights regarding your personal data. They include the rights to request data how your personal data is used, to access your data, to make amendments in it, to have us delete all of you data, to restrict the processing of your data or to have your data transferred to another entity. In any case you can always send an email to privacy@cdprojektred.com or dpo@cdprojektred.com and we will do our best to support you.

14.2

You have the following additional rights:

  • You have the right to access data held about you;
  • You may contact us to request that we delete your personal data from our system;
  • You may ask us to rectify/correct your personal data, if appropriate.
  • You may ask us to restrict the processing of your data;
  • You have the right to transfer your data to another entity;
  • You have the right to file a complaint with a data protection authority.

You can exercise these rights by contacting us at privacy@cdprojektred.com

14.3

In case of any concerns or questions about your privacy, please do contact us and we will do our best to assist you. You can reach us at: privacy@cdprojektred.com or contact our Data Protection Officer at dpo@cdprojektred.com. If, however, you feel we have not satisfactorily dealt with your concern, you can report it to your local data protection authority or the Polish regulator - the President of Polish Office of Data Protection - Prezes Urzędu Ochrony Danych Osobowych ("PUODO") in Poland.

14.4

Under California law, California residents who have an established business relationship with us may choose to opt out of disclosure of personal informationdata about them to third parties for direct marketing purposes.

14.5

If you would like to exercise any of these rights or have any queries regarding them, contact: privacy@cdprojektred.com

15

CHANGES TO THIS PRIVACY POLICY

15.1

We may change this privacy policy if we deem it necessary, such as for legal reasons or to reflect changes in our services. If we do so, we will make the altered Privacy Policy available online and update the “Last Updated” date.

We can change this Privacy Policy, but if we do, we will put the changed version online. Changes will take effect 30 days after we have made the updated version public.

15.2

Once we change the Privacy Policy, it will become legally binding on you 30 days after we post it online. During that period, you are welcome to contact us if you have specific questions about the changes.

15.3

Unfortunately, if you don't agree to those changes (regardless of whether you email us), we must ask you to cease using our CD PROJEKT RED games and services. We're sorry we have to say that, but we hope you'll appreciate that we need to have everyone using it observing the same rules so our services can function properly. That's why we encourage you to get in contact if you have queries.

Please feel free to contact us if you have any questions regarding the changes.

16

USER AGREEMENT

16.1

We would also like to remind you that our User Agreement has more data about how we operate CD PROJEKT RED services and it has a number of sections, which apply to this Privacy Policy too. You can read it at link.