CD PROJEKT S.A. Privacy Policy

Last updated: 30th November 2020

Overview:

1. This document explains what data is collected in connection with CD PROJEKT RED games and services.
2. It also explains how we use that data, where we store it, and how we protect it.
3. In short:
• in order for you to play our games or use our services we need to process some of your data. Should we need to process your data for any other purpose than offering you our games and services, we will always ask you for your consent in advance.
• Some partners, such as e.g. GOG, help us in developing our games and services (e.g. forums) and we may share limited data with them – but only for our own purposes.
• We will not share your data for third party advertising purposes
4. Finally, it explains your rights in relation to your personal data.

Hello! This Privacy Policy is where we explain how your personal data is collected, stored or used, and what happens to it when you're using CD PROJEKT RED games and services. Like with our User Agreement , we have put together two versions: a full text version, which is legally binding, and also section summaries, which will hopefully make the legal language sound a bit more accessible. You will need to agree to this Privacy Policy before you use a CD PROJEKT RED game or service for the first time. If you have any questions you can contact us at privacy@cdprojektred.com. Here we go!

FULL TEXT
QUICK SUMMARY

1. WHO WE ARE

1.1. We are CD PROJEKT S.A., a company incorporated in Poland which is the data controller under European Union data protection legislation. Hereafter, we will call ourselves “CD PROJEKT RED” as CD PROJEKT RED is the team behind the video games within CD PROJEKT S.A. You may contact us via email at privacy@cdprojektred.com or by mail: CD PROJEKT S.A., Jagiellońska 74, 03-301 Warsaw Poland.1.1

Hello, we're CD PROJEKT RED and we are based in Poland. You can find our contact details here!

1.2. To protect all the personal data in a better and more efficient way, we designated Data Protection Officer (or DPO) who is responsible for the oversight and implementation of the data protection strategy and ensures compliance with necessary legal requirements. You can contact our DPO at the following email address: dpo@cdprojektred.com

In case of any questions or doubts concerning personal data protection, please contact our Data Protection Officer (contact details opposite).

2. WHAT THIS PRIVACY POLICY GOVERNS

2.1. This Privacy Policy applies to: all our websites, games, forums, social media channels, customer and technical support and any other services we provide to you (Hereafter, the term "CD PROJEKT RED services" will refer to all of these elements).

This Privacy Policy explains the different kinds of data we collect from you when you're using CD PROJEKT RED games and services. We fully comply with privacy laws.

2.2. Specifically, this Privacy Policy governs personal data (or, as called in the United States, “personally identifiable information”) and non-personal data (or, as in the United States, “non-personally identifiable information”), which we collect from you when you're using CD PROJEKT RED services. ("Personal data" basically means data, which, on its own or in combination with other data, can be used to identify you).

2.3. We respect your right to privacy and will only process personal data in accordance with applicable legislation in the EU and other countries where we offer our games and services.

3. PROTECTING CHILDREN

3.1. We recognize we have a special obligation to protect personal data obtained from children. We do not and will not knowingly collect personal data from any child under 16 without consent from their parent or guardian. If you are a parent or guardian and are concerned about the transfer of personal data about your child, please contact privacy@cdprojektred.com.

If you are under 16 and would like to use our services, consent from your parent or guardian is necessary.

4. INFORMATION WE COLLECT

4.1. When you use CD PROJEKT RED services, we may collect the following data if relevant (how we use it is described later in this document):
1. Your name and surname,
2. Your email address,
3. Any username (such as a forum username) used to identify yourself in any of our services,
4. Details of your digital distribution platform account regarding our games (such as a GOG Galaxy account), if you have one, but not any financial details,
5. Technical details about any device which you use to access our services, including: Internet and/or network connection (including IP address); any mobile device identifier; your operating system, browser type or other software; or your hardware or other technical details.
6. Information regarding your use of our services, including, but not limited to: metrics data about when and how you use the services; traffic data; and your geographical location data. This is technical data about our users and their actions and patterns which does not contain personal data,
7. Details about your use of social networking services and our services (if you link our services to a social networking service account or you interact with our profiles in social networks). This may potentially include certain data from Facebook or other social networks (including access to your friends list as well as aggregated non-personal analytics data about our users) strictly in accordance with Facebook's and other networks' terms and conditions – in the extent necessary to provide you with all functions of CD PROJEKT RED games and services; and
8. Any other data which you supply us via our services.

When you use our services, we collect basic data about you and your activity.

4.2. In case you use our forums, we may additionally process data generated automatically through your activity in the forum: date of last activity, subscribed threads, favourite posts, achievements in the forum, redpoints (points on the forum), private messages and posts.

We may also collect additional optional data via forum: contact data (instant messaging identifiers), website address, biography, location, interests, profession, avatar, user's preferred language.

4.3. If you take part in Gwent esports competition (Gwent Ranked Play and Gwent Masters tournaments) we may process your Gwent-related data we receive from our sister company GOG (who is responsible for providing you access to GWENT: The Witcher’s Card Game), in particular:
• your GOG username and avatar;
• Gwent-ID;
• Log of user activity within Gwent (login time, logout time, log of matches played, number of wins and losses, gathered experience points,);
• your card collection and decks;
• Matchmaking Rating (MMR) and faction Matchmaking Ratings (fMMRs);
• IP address;
• Country;

If you take part specifically in Gwent Masters esports tournaments and events – we may additionally process your data used only in context of your participation in these events, in particular:
• passport/ID number, issuer of the document, photo/scan of the document, citizenship,
• your date of birth
• bank account details for prize payment
• your image if you participate in a Gwent tournament
• place of birth
• correspondence address
• your father’s and mother’s names
• data on your participation in official and authorized Gwent events
• Crown Points (points used in Gwent Masters rankings)

If you take part in Gwent esports competition, we may need some more data about you, which we will receive from GOG or directly from you.

4.4. If you contact our technical support (directly or using crash reporting functionalities in our games or services), we may process other data required to help you with any queries or support matters, such as data collected in crash logs that are gathered by your device or the technical parameters of the device you use to interact with CD PROJEKT RED services.

If you contact technical support they may ask you to provide them with some additional data, including your crash logs or the technical details of the device you use.

4.5. For the purposes of competitions organized by CD PROJEKT RED, we may process additionally your correspondence address, phone number, social networks identifiers, image of yourself, bank account number.

If you participate in competitions organized by us, we may need some additional data about you.

4.6. Moreover, if you agree for us to do so, we may also collect some non-personal data about you (in-depth statistical information on usage of our games and services, information on devices used to connect to them) in order to better understand how our games and services are used and to improve them based on this knowledge.

If you agree for us to do so, we may collect telemetry data about your use of our games and services.

4.7. In order to enable you to play our games and use our services, we need to process data provided above (with exception of data described in point 4.6). Without providing us with the above-mentioned data, you may be unable to play our games participate in events and competitions or use other services.

The above data is necessary for us to provide you with our services.

4.8. Cookies. We and our partners also collect data about you via cookies. You can find out more about this, as well as manage consents you gave, by following the link to “Cookie Declaration” you will find in the footer of our websites.

Check our Cookie Declaration to find out what sorts of cookies we use to support our services.

5. FROM WHERE WE COLLECT DATA ABOUT YOU

5.1. We may collect data about you directly from you in the following cases:
a. if you give us your data via CD PROJEKT RED services;
b. when you contact us;
c. if you report a problem with CD PROJEKT RED services;
d. if you give us your data due to your participation in Gwent esports competition;
e. we may also ask you to complete surveys that we use for research purposes. However, your response to surveys is not required. We may collect this data via CD PROJEKT RED services or Trusted Partners cooperating with us in e.g. conducting surveys or polls.

We collect and process data that you give us in connection with our games and services.

5.2. We may collect data about you indirectly (automatically due to your activity or from third parties) in the following cases:
a. due to your activity as a user of our services (this includes your IP address, country of origin, purchases, account of in-game virtual goods and currencies) - collected automatically;
b. data we receive about you from GOG due to your participation in Gwent esports competition.

We collect and process data we receive due to your activity within our games or services.

5.3. A quick word about payment details (if/when you make any payments): We will not receive or store any of your payment details, this is fully handled by the relevant payment service provider. If/when you make any purchases in CD PROJEKT RED services, we are notified by the payment processor once the transaction takes place and then ensure you receive your purchase. We do not, however, receive any of your actual payment details. We only keep the data concerning transaction dates, currencies, value and the subject of the transaction.

We do not collect any of your payment details. We only receive data that a purchase took place and ensure you receive what you purchased. The only data we store includes transaction dates, currencies, value and subject of the transaction.

6. PURPOSES AND LEGAL BASES FOR DATA PROCESSING

6.1. We process you data in order to provide you with CD PROJEKT RED services you use and to carry out our obligations arising from any agreements between you and us, including:
a. to provide you with products or services that you request from us;
b. to allow you to participate in interactive features of CD PROJEKT RED services;
c. to conduct competitions organized by the CD PROJEKT RED (including contact with participants, evaluation of applications, distribution of prizes, payment of tax on prizes);
d. to allow you to participate in Gwent esports competition;

Moreover, we process your data when we are required to do so under applicable law:

e. for tax, legal and accounting purposes;
f. for the accountability purposes as defined by EU legislation (GDPR);

We may also process you data for our legitimate interest or legitimate interest of third parties:
g. to communicate with you as the user of our services;
h. to notify you about changes to CD PROJEKT RED services;
i. to maintain, improve or modify CD PROJEKT RED services;
j. to calculate conversion rates and other elements of CD PROJEKT RED services’ performance;

In specific cases we will process your data based on your consent, if you give it to us (you can withdraw your consent at any time with no impact on the validity of the processing before your consent has been withdrawn):

k. to provide you with marketing information (including personalized and targeted marketing emails) regarding goods and services you request from us or which we feel may interest you – for example, we may send you newsletters regarding our services;
l. to target and personalize our marketing communications, offers and advertisements that we display on our websites and websites of third parties, as well as services based on the combined data we have collected about you.

We will use your data for various purposes, aimed at allowing you to use our services or arising from our legal obligations or legitimate interest. In specific cases we will process your data based on your consent (which you can withdraw at any time).

6.2. We may profile your personal data in case of personalizing or targeting our marketing communications, offers and advertisements. It means that we may use the data we collect to adjust the communication addressed to you to meet your needs. In such cases, we do not use algorithms to make decisions that could affect your legal situation (e.g. we do not make automatic offers based on your behaviour in the game).

If you decide that you no longer want to receive personalized offers, product recommendations from us, or marketing information, you can object to this service at any time.

We may use profiling in order to offer you the best service possible and provide you the most suitable communication. However, we will never make automatic decisions based on profiling that could affect your legal situation.

6.3. We may process and provide our partners who help us with providing CD PROJEKT RED services (e.g. payment providers or entities performing data analytics) with some aggregated and general non-personal data on user behaviour (e.g. sales per region).

Sometimes we may have to share aggregated, anonymised data, like user’s operating system type in order to run our services.

7. HOW DO WE HANDLE YOUR PERSONAL INFORMATION

7.2. How long are we going to store your data? We will retain your personal data only for as long as needed in order to fulfil the purposes outlined in this Privacy Policy. When we will no longer need your personal data, we will either delete it or anonymize it.

In general, we will store your data as long as you use our services. After that we may still use limited data about you for tax, legal or accounting reasons.

7.3. Specific storage periods:
a. we will keep data associated with the services you use for the duration of the agreement regarding access to the given service (ex. CD PROJEKT RED forum). After the end of your use of a given service, limited data that we collected about you – to the extent and for the duration required by applicable law – will still be retained for tax, legal or accounting purposes;
b. we will keep your Gwent-related data we receive from you or from GOG for the duration of the agreement for participation in Gwent esports competition (e.g. until you close your Gwent account or inform us directly you no longer want to participate in the competition). Following that, similarly to point a above, we will retain some of your data for an additional few years for tax, legal and accounting purposes;
c. if you contact us and you don’t use our services, we will retain correspondence with you as long as necessary to respond to your query, followed by a period necessary for legal or accountability purposes;
d. we will store data processed for marketing purposes until you withdraw your consent; after that we will remove your data without undue delay and no later than within a month from the moment you have withdrawn your consent.

8. DATA SHARING

8.1. Please remember that any communication you have via CD PROJEKT RED services (e.g. via private messages, CD PROJEKT RED forums or social media) may reveal details about you. Any data you post publicly using CD PROJEKT RED services will be available to CD PROJEKT RED users and others. We are not responsible for your use of any private personal data which you choose to make available via CD PROJEKT RED services, or the activities of other users or other third parties to whom you give or make available your data.

When you are using CD PROJEKT RED services you have the option to share your own personal data with others or publicly. But be aware that you are responsible for this type of data sharing.

9. THIRD PARTY INFORMATION COLLECTION AND EXTERNAL SERVICES

9.1. CD PROJEKT RED services may, from time to time, contain links to the websites or services of third parties. Our Privacy Policy does not extend to these external sites or companies, so please refer directly to their privacy policies.

You may find third party links in CD PROJEKT RED services. They may collect data from you in accordance with their own privacy policies. Please be sure to take a look at them.

9.2. Some services may involve interacting with our sister company, GOG, or potentially with other Trusted Partners. For example you could set up a GOG account to access services like the forum. In order to do this, we may need to share some of your personal data with our Trusted Partners.

We provide some services via Trusted Partners like GOG –we will share some data with them.

10. OUR TRUSTED PARTNERS

10.1. We may share your data with our trusted partners (“Trusted Partners”), who help us deliver our services and functionalities to you. Please rest assured that we always provide our Trusted Partners only with the data necessary for them to achieve the purpose of their cooperation with us. They may process it on our behalf only for the purposes set out below:
a. GOG sp. z o.o. – our sister company, who provides us with technological support, in particular hosts our forums and supports us in Gwent esports competition;
b. CD PROJEKT Inc. – our daughter company that helps us in marketing activities in the United States;
c. Our partners who provide us with internal management and data-sharing tools;
d. Our partners who help us in data analysis by providing us with analytical tools;
e. Our partners who help us manage our newsletters and email communications by providing us with email marketing tools;
f. Our professional advisors who assist us with legal, tax, audit or accounting matters;
g. Advertising partners supporting us in scope of personalized and targeted marketing (for example providing tools allowing us to adjust adjusting the displayed ads to your interests).

We sometimes share data with our Trusted Partners. They usually take care of stuff like data analytics, internal management tools or support us in marketing activities.

10.2. When required by law, in specific situations we may share your data with the police or other government authorities (including your IP address and any details regarding potential violation of law).

10.3. Your data may be processed outside your country of residence and beyond the European Economic Area (EEA), e.g. in the United States, United Kingdom or Canada. Privacy laws in these countries may not offer a similar level of protection as in your country or in the EEA. In such cases we ensure the adequate level of protection of your personal data and base our activity on the lawful data transfer measures, such EU standard contractual clauses.

Whenever we share your personal data outside Europe, we make sure that the data is duly protected.

11. PUSH NOTIFICATIONS

11.1. If you use our mobile games then, with your prior approval, we may send push or local notifications to your mobile device to give you updates regarding those games. You can manage this, normally from your device’s Settings section.

We can use mobile push notifications if you approve it.

12. YOUR RIGHTS

12.1. You have the right to object to the processing of your personal data in certain situations and for marketing purposes at any time. You can do so by contacting us at the email address: privacy@cdprojektred.com.

You have a number of rights regarding your personal data. They include the rights to request information on how your personal data is processed, to access your data, to make amendments in it, to have us delete your data, to restrict the processing of your data or to have your data transferred to another entity. In any case you can always send an email to privacy@cdprojektred.com or dpo@cdprojektred.com.

12.2. You have the following additional rights:
a. You have the right to access data held about you;
b. You may ask us to rectify/correct your personal data, if appropriate.
c. You may contact us to request that we delete your personal data from our system;
d. You may ask us to restrict the processing of your data;
e. You have the right to transfer your data to another entity;
f. You have the right to file a complaint with a data protection authority.
You can exercise these rights by contacting us at privacy@cdprojektred.com or by using dedicated tools (like “Unsubscribe” button in our newsletters).

12.3. In case of any concerns or questions about your privacy, please do contact us. You can reach us at: privacy@cdprojektred.com or contact our Data Protection Officer at dpo@cdprojektred.com. If, however, you feel we have not satisfactorily dealt with your concern, you can report it to your local data protection authority or the Polish regulator – the President of the Polish Office of Data Protection – Prezes Urzędu Ochrony Danych Osobowych in Poland.

13. SOCIAL MEDIA – JOINT CONTROLLERSHIP

13.1. If you visit our profiles in social networking portals Facebook or LinkedIn, we process your personal data regarding your acitivity in these profiles as a part of collective statistical data. In this context, together with an operator of respective social networking portal, we act as joint controllers. Specific rules of this cooperation are described in respective joint controllership agreement. Regardless of the content of these agreements, you can execute your rights both in relation to us, as well as operator of a given social networking portal. You can find more details below.

13.2. Facebook: Facebook Ireland Ltd., with its registered office at 4 Grand Canal Square, Grand Canal Harbour, D2 Dublin, Republic of Ireland. Content of the joint controllership agreement available at: https://www.facebook.com/legal/terms/page_controller_addendum

13.3. LinkedIn: LinkedIn Ireland Unlimited Company with its registered office at Wilton Place, Dublin 2, Republic of Ireland. Content of the joint controllership agreement available at: https://legal.linkedin.com/pages-joint-controller-addendum

14. CHANGES TO THIS PRIVACY POLICY

14.1. We may change this privacy policy if we deem it necessary, for example for legal reasons or to reflect changes in our services. If we do so, we will make the amended Privacy Policy available online and indicate the date of the last update.

We can change this Privacy Policy. If we do so, we will make the amended version available online and indicate the date of the last update.

15. USER AGREEMENT

15.1. We would also like to remind you that our User Agreement has more information on how you can use CD PROJEKT RED services. You can read it here.