CD PROJEKT S.A. Privacy Policy

1.1. We are CD PROJEKT S.A., a company incorporated in Poland which is the data controller under European Union data protection legislation. Hereafter, we will call ourselves “CD PROJEKT RED” as CD PROJEKT RED is the team behind the video games within CD PROJEKT S.A. You may contact us via email at privacy@cdprojektred.com or by mail: CD PROJEKT S.A., Jagiellońska 74, 03-301 Warsaw Poland.1.1

1.2. To protect all the personal data in a better and more efficient way, we designated Data Protection Officer (or DPO) who is responsible for the oversight and implementation of the data protection strategy and ensures compliance with necessary legal requirements. You can contact our DPO at the following email address: dpo@cdprojektred.com

2.1. This Privacy Policy applies to: all our websites, games, forums, social media channels, customer and technical support and any other services we provide to you (Hereafter, the term "CD PROJEKT RED services" will refer to all of these elements).

2.2. Specifically, this Privacy Policy governs personal data (or, as called in the United States, “personally identifiable information”) and non-personal data (or, as in the United States, “non-personally identifiable information”), which we collect from you when you're using CD PROJEKT RED services. ("Personal data" basically means data, which, on its own or in combination with other data, can be used to identify you).

2.3. We respect your right to privacy and will only process personal data in accordance with applicable legislation in the EU and other countries where we offer our games and services.

3.1. We recognize we have a special obligation to protect personal data obtained from children. We do not and will not knowingly collect personal data from any child under 16 without consent from their parent or guardian. If you are a parent or guardian and are concerned about the transfer of personal data about your child, please contact privacy@cdprojektred.com.

4.1. When you use CD PROJEKT RED services, we may collect the following data if relevant (how we use it is described later in this document):
1. Your name and surname,
2. Your email address,
3. Any username (such as a forum username) used to identify yourself in any of our services,
4. Details of your digital distribution platform account regarding our games (such as a GOG Galaxy account), if you have one, but not any financial details,
5. Technical details about any device which you use to access our services, including: Internet and/or network connection (including IP address); any mobile device identifier; your operating system, browser type or other software; or your hardware or other technical details.
6. Information regarding your use of our services, including, but not limited to: metrics data about when and how you use the services; traffic data; and your geographical location data. This is technical data about our users and their actions and patterns which does not contain personal data,
7. Details about your use of social networking services and our services (if you link our services to a social networking service account or you interact with our profiles in social networks). This may potentially include certain data from Facebook or other social networks (including access to your friends list as well as aggregated non-personal analytics data about our users) strictly in accordance with Facebook's and other networks' terms and conditions – in the extent necessary to provide you with all functions of CD PROJEKT RED games and services; and
8. Any other data which you supply us via our services.

4.2. In case you use our forums, we may additionally process data generated automatically through your activity in the forum: date of last activity, subscribed threads, favourite posts, achievements in the forum, redpoints (points on the forum), private messages and posts.

We may also collect additional optional data via forum: contact data (instant messaging identifiers), website address, biography, location, interests, profession, avatar, user's preferred language.

4.3. If you take part in Gwent esports competition (Gwent Ranked Play and Gwent Masters tournaments) we may process your Gwent-related data we receive from our sister company GOG (who is responsible for providing you access to GWENT: The Witcher’s Card Game), in particular:
• your GOG username and avatar;
• Gwent-ID;
• Log of user activity within Gwent (login time, logout time, log of matches played, number of wins and losses, gathered experience points,);
• your card collection and decks;
• Matchmaking Rating (MMR) and faction Matchmaking Ratings (fMMRs);
• IP address;
• Country;

If you take part specifically in Gwent Masters esports tournaments and events – we may additionally process your data used only in context of your participation in these events, in particular:
• passport/ID number, issuer of the document, photo/scan of the document, citizenship,
• your date of birth
• bank account details for prize payment
• your image if you participate in a Gwent tournament
• place of birth
• correspondence address
• your father’s and mother’s names
• data on your participation in official and authorized Gwent events
• Crown Points (points used in Gwent Masters rankings)

4.4. If you contact our technical support (directly or using crash reporting functionalities in our games or services), we may process other data required to help you with any queries or support matters, such as data collected in crash logs that are gathered by your device or the technical parameters of the device you use to interact with CD PROJEKT RED services.

4.5. For the purposes of competitions organized by CD PROJEKT RED, we may process additionally your correspondence address, phone number, social networks identifiers, image of yourself, bank account number.

4.6. Moreover, if you agree for us to do so, we may also collect some non-personal data about you (in-depth statistical information on usage of our games and services, information on devices used to connect to them) in order to better understand how our games and services are used and to improve them based on this knowledge.

4.7. In order to enable you to play our games and use our services, we need to process data provided above (with exception of data described in point 4.6). Without providing us with the above-mentioned data, you may be unable to play our games participate in events and competitions or use other services.

4.8. Cookies. We and our partners also collect data about you via cookies. You can find out more about this, as well as manage consents you gave, by following the link to “Cookie Declaration” you will find in the footer of our websites.

5.1. We may collect data about you directly from you in the following cases:
a. if you give us your data via CD PROJEKT RED services;
b. when you contact us;
c. if you report a problem with CD PROJEKT RED services;
d. if you give us your data due to your participation in Gwent esports competition;
e. we may also ask you to complete surveys that we use for research purposes. However, your response to surveys is not required. We may collect this data via CD PROJEKT RED services or Trusted Partners cooperating with us in e.g. conducting surveys or polls.

5.2. We may collect data about you indirectly (automatically due to your activity or from third parties) in the following cases:
a. due to your activity as a user of our services (this includes your IP address, country of origin, purchases, account of in-game virtual goods and currencies) - collected automatically;
b. data we receive about you from GOG due to your participation in Gwent esports competition.

5.3. A quick word about payment details (if/when you make any payments): We will not receive or store any of your payment details, this is fully handled by the relevant payment service provider. If/when you make any purchases in CD PROJEKT RED services, we are notified by the payment processor once the transaction takes place and then ensure you receive your purchase. We do not, however, receive any of your actual payment details. We only keep the data concerning transaction dates, currencies, value and the subject of the transaction.

6.1. We process you data in order to provide you with CD PROJEKT RED services you use and to carry out our obligations arising from any agreements between you and us, including:
a. to provide you with products or services that you request from us;
b. to allow you to participate in interactive features of CD PROJEKT RED services;
c. to conduct competitions organized by the CD PROJEKT RED (including contact with participants, evaluation of applications, distribution of prizes, payment of tax on prizes);
d. to allow you to participate in Gwent esports competition;

Moreover, we process your data when we are required to do so under applicable law:

e. for tax, legal and accounting purposes;
f. for the accountability purposes as defined by EU legislation (GDPR);

We may also process you data for our legitimate interest or legitimate interest of third parties:
g. to communicate with you as the user of our services;
h. to notify you about changes to CD PROJEKT RED services;
i. to maintain, improve or modify CD PROJEKT RED services;
j. to calculate conversion rates and other elements of CD PROJEKT RED services’ performance;

In specific cases we will process your data based on your consent, if you give it to us (you can withdraw your consent at any time with no impact on the validity of the processing before your consent has been withdrawn):

k. to provide you with marketing information (including personalized and targeted marketing emails) regarding goods and services you request from us or which we feel may interest you – for example, we may send you newsletters regarding our services;
l. to target and personalize our marketing communications, offers and advertisements that we display on our websites and websites of third parties, as well as services based on the combined data we have collected about you.

6.2. We may profile your personal data in case of personalizing or targeting our marketing communications, offers and advertisements. It means that we may use the data we collect to adjust the communication addressed to you to meet your needs. In such cases, we do not use algorithms to make decisions that could affect your legal situation (e.g. we do not make automatic offers based on your behaviour in the game).

If you decide that you no longer want to receive personalized offers, product recommendations from us, or marketing information, you can object to this service at any time.

6.3. We may process and provide our partners who help us with providing CD PROJEKT RED services (e.g. payment providers or entities performing data analytics) with some aggregated and general non-personal data on user behaviour (e.g. sales per region).

7.2. How long are we going to store your data? We will retain your personal data only for as long as needed in order to fulfil the purposes outlined in this Privacy Policy. When we will no longer need your personal data, we will either delete it or anonymize it.

7.3. Specific storage periods:
a. we will keep data associated with the services you use for the duration of the agreement regarding access to the given service (ex. CD PROJEKT RED forum). After the end of your use of a given service, limited data that we collected about you – to the extent and for the duration required by applicable law – will still be retained for tax, legal or accounting purposes;
b. we will keep your Gwent-related data we receive from you or from GOG for the duration of the agreement for participation in Gwent esports competition (e.g. until you close your Gwent account or inform us directly you no longer want to participate in the competition). Following that, similarly to point a above, we will retain some of your data for an additional few years for tax, legal and accounting purposes;
c. if you contact us and you don’t use our services, we will retain correspondence with you as long as necessary to respond to your query, followed by a period necessary for legal or accountability purposes;
d. we will store data processed for marketing purposes until you withdraw your consent; after that we will remove your data without undue delay and no later than within a month from the moment you have withdrawn your consent.

8.1. Please remember that any communication you have via CD PROJEKT RED services (e.g. via private messages, CD PROJEKT RED forums or social media) may reveal details about you. Any data you post publicly using CD PROJEKT RED services will be available to CD PROJEKT RED users and others. We are not responsible for your use of any private personal data which you choose to make available via CD PROJEKT RED services, or the activities of other users or other third parties to whom you give or make available your data.

9.1. CD PROJEKT RED services may, from time to time, contain links to the websites or services of third parties. Our Privacy Policy does not extend to these external sites or companies, so please refer directly to their privacy policies.

9.2. Some services may involve interacting with our sister company, GOG, or potentially with other Trusted Partners. For example you could set up a GOG account to access services like the forum. In order to do this, we may need to share some of your personal data with our Trusted Partners.

10.1. We may share your data with our trusted partners (“Trusted Partners”), who help us deliver our services and functionalities to you. Please rest assured that we always provide our Trusted Partners only with the data necessary for them to achieve the purpose of their cooperation with us. They may process it on our behalf only for the purposes set out below:
a. GOG sp. z o.o. – our sister company, who provides us with technological support, in particular hosts our forums and supports us in Gwent esports competition;
b. CD PROJEKT Inc. – our daughter company that helps us in marketing activities in the United States;
c. Our partners who provide us with internal management and data-sharing tools;
d. Our partners who help us in data analysis by providing us with analytical tools;
e. Our partners who help us manage our newsletters and email communications by providing us with email marketing tools;
f. Our professional advisors who assist us with legal, tax, audit or accounting matters;
g. Advertising partners supporting us in scope of personalized and targeted marketing (for example providing tools allowing us to adjust adjusting the displayed ads to your interests).

10.2. When required by law, in specific situations we may share your data with the police or other government authorities (including your IP address and any details regarding potential violation of law).

10.3. Your data may be processed outside your country of residence and beyond the European Economic Area (EEA), e.g. in the United States, United Kingdom or Canada. Privacy laws in these countries may not offer a similar level of protection as in your country or in the EEA. In such cases we ensure the adequate level of protection of your personal data and base our activity on the lawful data transfer measures, such EU standard contractual clauses.

11.1. If you use our mobile games then, with your prior approval, we may send push or local notifications to your mobile device to give you updates regarding those games. You can manage this, normally from your device’s Settings section.

12.1. You have the right to object to the processing of your personal data in certain situations and for marketing purposes at any time. You can do so by contacting us at the email address: privacy@cdprojektred.com.

12.2. You have the following additional rights:
a. You have the right to access data held about you;
b. You may ask us to rectify/correct your personal data, if appropriate.
c. You may contact us to request that we delete your personal data from our system;
d. You may ask us to restrict the processing of your data;
e. You have the right to transfer your data to another entity;
f. You have the right to file a complaint with a data protection authority.
You can exercise these rights by contacting us at privacy@cdprojektred.com or by using dedicated tools (like “Unsubscribe” button in our newsletters).

12.3. In case of any concerns or questions about your privacy, please do contact us. You can reach us at: privacy@cdprojektred.com or contact our Data Protection Officer at dpo@cdprojektred.com. If, however, you feel we have not satisfactorily dealt with your concern, you can report it to your local data protection authority or the Polish regulator – the President of the Polish Office of Data Protection – Prezes Urzędu Ochrony Danych Osobowych in Poland.

13.1. If you visit our profiles in social networking portals Facebook or LinkedIn, we process your personal data regarding your acitivity in these profiles as a part of collective statistical data. In this context, together with an operator of respective social networking portal, we act as joint controllers. Specific rules of this cooperation are described in respective joint controllership agreement. Regardless of the content of these agreements, you can execute your rights both in relation to us, as well as operator of a given social networking portal. You can find more details below.

13.2. Facebook: Facebook Ireland Ltd., with its registered office at 4 Grand Canal Square, Grand Canal Harbour, D2 Dublin, Republic of Ireland. Content of the joint controllership agreement available at: https://www.facebook.com/legal/terms/page_controller_addendum

13.3. LinkedIn: LinkedIn Ireland Unlimited Company with its registered office at Wilton Place, Dublin 2, Republic of Ireland. Content of the joint controllership agreement available at: https://legal.linkedin.com/pages-joint-controller-addendum

14.1. We may change this privacy policy if we deem it necessary, for example for legal reasons or to reflect changes in our services. If we do so, we will make the amended Privacy Policy available online and indicate the date of the last update.

15.1. We would also like to remind you that our User Agreement has more information on how you can use CD PROJEKT RED services. You can read it here.