TaleWorlds Notice of Privacy (for the EU/EEA)

Last revised: [03 August 2018]

TaleWorlds provides this Privacy Policy to inform you of our policies and procedures regarding the processing of Personal Data of users of (i) our websites located at https://www.taleworlds.com (our “Site”), including any services, features and content accessible or downloadable from the Site, and (ii) any other TaleWorlds application, service or product licensed, downloaded or otherwise accessed by such users through third party websites or sources ((i) and (ii) collectively, the “Service”).

We are committed to protecting and respecting your privacy. This Privacy Policy (“Policy”) describes how we treat information that you provide to us or that we collect about you.

By “Personal Data”, we refer to data that relates to you as an identified or identifiable natural person. Personal Data include your name, your address, your telephone number, your email address, your age, your gender, or a part of your credit card number, for instance. Anonymous information, which we are not in a position to relate to you, does not qualify as Personal Data.

1. Controller’s name and contact details

Controller in the sense of the General Data Protection Regulation (GDPR) and other data protection or data privacy laws in the Member States of the European Union or the European Economic Area and other guidelines with a data protection nature regarding the Services is:

Taleworlds Entertainment İkisoft Yazılım Bilgi Ve İletişim Eğitim Tekn. Ve Hizm. Elek. San. Ve Tic. LTD. ŞTİ
Universiteler Mahallesi, Ihsan Dogramaci Bulvari no: 27
06800, ODTU Teknokent, Galyum Blok
Cankaya/Ankara, Turkey
Email: [email protected]

The Controller is called “TaleWorlds”, “we”, “our” and “us” in this Policy.

The Representative of TaleWorlds pursuant to Art. 27 of the GDPR is: Rivacy GmbH
Hammerbrookstr. 90
20079 Hamburg
Phone: [telephone number]
Email: [email protected]

2. Contact details of the Data Protection Officer (DPO)

The Data Protection Officer of TaleWorlds may be contacted at [email protected]

3. General information on our data processing

We process Personal Data only when necessary for the performance of a contract with you, when processing is necessary for compliance with a legal obligation we are subject to, or based on our legitimate interests, except where such interests are overridden by the interests or fundamental rights and freedoms of you which require the protection of your Personal Data. This section applies to all detailed processing activities listed below.

3.1 Information Security

We and our employees understand the need for user privacy, and we maintain reasonable and appropriate security procedures to protect your information from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the Personal Data. Access to user data is strictly limited to specific individuals who are trained to respect user privacy. The access given to these employees is restricted to their need for such information for business purposes. A log of those who accessed the data is maintained and monitored to prevent security breaches.

3.2 Third-party information storage

We may share Personal Data with vendors or agents working on our behalf for the purposes described in this Policy. For example, we may hire companies to assist with protecting and securing our systems or services. Any vendor or agent that we retain must comply with our data privacy and security requirements and are not allowed to use Personal Data they receive from us for any other purpose. Like us, they will never barter, trade, or sell access to your Personal Data. We remain responsible and liable under data protection laws if third-party agents we engage to process Personal Data on our behalf do so in a manner inconsistent with the applicable data protection laws, unless we prove that we are not responsible for the event giving rise to the damage.

3.3 Children

We recognise that we have a special obligation to protect personal information obtained from children. We will not knowingly collect personal information from any child, or process such information, without parental consent. For the purpose of this Policy, a child means any individual who is under the age of 16 (or the minimum legal age to consent to the collection and processing of personal information where this is different under applicable law).

3.4 Retention periods

We will retain your Personal Data only as long as it is necessary to fulfil the respective purpose, unless we are required by law to store your Personal Data longer.

3.5 Automated Decision-Making

We do not use automated-decision making, including profiling.

4. Use of our Site

On our Site, we gather information either directly from you (e.g., when you provide certain information to us) or indirectly (e.g., through our Site’s technology).

4.1. Information collected indirectly

We indirectly collect a variety of information through your interaction with and use of our Sites. This information may include, but is not limited to, browser settings, data collected through automated electronic interactions, application usage data, demographic information, geographic or geo-location information, statistical and aggregated information (“Other Information”). The processing is necessary for the purpose of our legitimate interests in accordance with Article 6(1)(f) of the GDPR, as we need this information to keep user data safe by detecting certain threats, and to provide you with the best possible experience.

Statistical or aggregated information does not directly identify a specific person, but it may be derived from Personal Data. For example, we may aggregate Personal Data to calculate the percentage of users in a particular country.

If we combine Other Information with Personal Data, we will treat the combined information as Personal Data.

4.1.1 Tracking Data

Website traffic volume and patterns, such as the number of visitors to a given website or page on a daily basis is typically referred to as “Tracking Data”. This type of indirectly collected information is gathered through various means, such as an IP address, which is a number that is automatically assigned to your computer whenever you are surfing the Web. Web servers, the computers that “serve up” web pages, automatically identify your computer by its IP address. When you visit any of our Sites, our servers log your computer’s IP address.

To obtain these Tracking Data, we use third party analytics providers. The Third Party Analytics Providers use “Cookies”, which are text files placed on your computer, to help us analyse how users use our Sites. The information generated by the Cookie about your use of our Sites, including your IP address, will be transmitted to and stored by Third Party Analytics Providers’ servers. On our behalf, the Third Party Analytics Providers will use this information for the purpose of evaluating your use of our Sites, compiling reports on website activity, and providing other services relating to website activity. The Third Party Analytics Providers will not associate your IP address with any other data held by them.

You may find information on our Third Party Analytics Provider in section 8 below and a list of Cookies used by them in section 9 below.

4.1.2 Our Cookies

Other types of indirectly collected information are stored in Cookies from us.

Some of our Sites use Cookies simply to store your account details so that you do not need to re-enter your information when re-joining our Sites. The use of Cookies is standard on the internet. Although most Web browsers automatically accept Cookies, the decision of whether to accept or not is yours. You may adjust your browser settings to prevent the reception of Cookies, or to provide notification whenever a Cookie is sent to you. You may refuse the use of Cookies by selecting the appropriate settings on your browser. However, please note that if you do this, you may not be able to access the full functionality of our Sites. Cookies placed by us will expire when you terminate the website session or after a reasonable period of inactivity.

You may find a list of the Cookies used in section 9 below.

4.1.3 Third-party Cookies

Additionally, we may use third-party advertising companies to serve ads on our behalf. These companies may use Cookies and action tags to measure advertising effectiveness. You can still decide whether you want to accept these Cookies. You may adjust your browser settings to prevent the reception of third-party Cookies, or to provide notification whenever such third-party Cookies are sent to you. We use the following third-party Cookies:

You may find a list of Cookies used in section 9 below.

4.2. Information collected directly

We also collect Personal Data and other information that you voluntarily provide. It is entirely your decision to provide the requested information. However, certain features of our Sites may not be available in this case.

We keep all information collected directly confidential, and will only use the information for the particular purpose it is collected for. We will seek your specific permission for any additional use. We will never barter, trade, or sell access to your information without your specific consent.

4.2.1 User Accounts

When setting up an account on one of our Sites (“User Account”), you may be asked to provide Personal Data including, but not limited to, your name, email address, and your phone number. If you choose to purchase any products, services, access codes or other items for sale by us, you will be asked to provide payment details and your full address for billing purposes.

As a user of our Sites, we may obtain your Personal Data when you register to use our Site or services and products or when you provide feedback about our products or services. The processing is necessary to perform the contract with you according to Article 6(1)(b) of the GDPR. As a user, we will use your Personal Data, unless otherwise prohibited by law, for the following purposes:

To provide you with the products and services you request.

To communicate with you about your account or transactions with us and send you information about features on our sites or changes to our policies.

To provide support including, but not limited to, product updates, product patches and fixes and other similar communications.

Furthermore, we will use your Personal Data for our legitimate interests according to Article 6(1)(f) of the GDPR to notify you about information about features on our Sites, new product releases and service developments and to advertise our products and services in accordance with this Policy.

Any User Account data will only be stored until you decide to terminate your User Account. In case we are obliged to further store your Personal Data due to statutory retention requirements, your Personal Data will be barred for further use by us and only stored until such retention periods expire.

4.2.2 Personal Data provided by other means

Personal Data provided by you on our Sites by other means, e.g., via contact forms, will be stored in our service database and retained for the period necessary to fulfil the business our contractual obligations to you in accordance with Art. 6(1)(b) of the GDPR, unless a longer retention period is required by law.

4.3 Third country transfers

We transfer Personal Data for hosting purposes to the USA. This transfer is safeguarded by Data Processing Agreements with data protection guarantees and the EU-US Privacy Shield, as the recipients are certified under this framework.

To receive a copy of the respective safeguards, please contact us at [email protected]

5. Our Games

This section provides information on how we we treat information that you provide to us or that we collect about you in regard to our games: “Mount & Blade”, “Mount & Blade: Warband”, “Mount & Blade: With Fire and Sword”, “Mount & Blade: Napoleonic Wars”, “Mount & Blade: Warband – Viking Conquest Reforged Edition”, and “Mount & Blade II: Bannerlord” (our “Games”).

When you are playing one of our Games, we process your IP address, and metrics on how you use our games, this is information on how long you play our Games and how you play them. We will also process game events, like achievements, milestones or other timestamps within the game.

This Personal Data is necessary for us to provide you with the Games and their full functionality. The legal basis for processing the data is our contract with you (Art. 6(1)(b) of the GDPR). Where the processing exceeds the necessity to fulfil our contract (when analysing how you use our game for the purpose of enhancing your game experience), the legal basis is our legitimate interest (Art. 6(1)(f) of the GDPR) to improve the Games for your future enjoyment.

For billing purposes, we process your name, your email and postal address and your credit or debit card number, depending on which payment you choose. The basis for the processing of this Personal Data is also our contract with you (Art. 6(1)(b) of the GDPR), and our legal requirement to store this information for tax reasons (Art. 6(1)(c) of the GDPR).

The provision of all of the Personal Data is a contractual requirement, as we may not provide you with our Games or to carry out any payments by you.

We transfer Personal Data for billing purposes to the USA. This transfer is safeguarded by Data Processing Agreements with data protection guarantees and the EU-US Privacy Shield, as the recipients are certified under this framework.

To receive a copy of the respective safeguards, please contact us at [email protected]

6. Job applications

This section describes how we process Personal Data you submit through our Site for job applications as further described below. Personal Data includes your name, address, education, contact details, current job title and employer, attachments (such as CV, cover letter), and possibly your passport details.

Any personal data you provide to us will be used to process your application for the specific position you have applied for. The processing of your personal data is based on Art. 6(1)(b) of the GDPR. We need your Personal Data in order to conduct the recruitment process, and we will not be able to consider you for a job offer when you do not provide us with your Personal Data.

7. Your rights

You have the right to access your Personal Data that we hold about you and to correct, update, amend, suppress, delete or otherwise modify any Personal Data where it is inaccurate, or has been processed in violation of the applicable data protection regulations, unless we have to keep the Personal Data for legitimate business or legal purposes. When updating your Personal Data, we may ask you to verify your identity before we can act upon your request.

You may object to the use or processing of your Personal Data or withdraw consent to use your Personal Data at any time.

You have the following rights:

The right to require free of charge (i) information whether your Personal Data is retained and (ii) access to and/or (iii) duplicates of the Personal Data retained. However, if the request affects the rights and freedoms of others or is manifestly unfounded or excessive, we reserve the right to charge a reasonable fee (taking into account the administrative costs of providing the information or communication or taking the action requested) or refuse to act on the request;

The right to request proper rectification, removal or restriction of your Personal Data;

Where processing of your Personal Data is based on legitimate interests according to Article 6(1)(f) of the GDPR, the right to object on grounds relating to your particular situation at any time. If you object we will no longer process your Personal Data unless there are compelling and prevailing legitimate grounds for the processing or the data is necessary for the establishment, exercise or defence of legal claims;

Where processing of your Personal Data is either based on your consent or necessary for the performance of a contract with you and processing is carried out by automated means, the right to receive the Personal Data concerning you in a structured, commonly used and machine-readable format or to have your Personal Data transmitted directly to another company, where technically feasible (data portability);

Where the processing of your Personal Data is based on your consent, the right to withdraw your consent at any time without impact to data processing activities that have taken place before such withdrawal or to any other existing legal justification of the processing activity in question; and
The right not to be subject to any automatic individual decisions which produces legal effects on you or similarly significantly affects you.
To exercise the rights referred to above, please contact us at [email protected] You may take legal actions in relation to any breach of your rights regarding the processing of the Personal Data, as well as to lodge complaints with the competent authority.

8. Google analytics

Google Analytics is a web analysis service of Google LLC. (https://www.google.de/contact/impressum.html) (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; hereinafter "Google"). We use this service in order to adapt our site to your needs and to constantly improve it. The information generated by the Cookie about your use of this website (e.g. browser type/version, operating system used, URL of the previously visited page, IP address, time of server request) are transmitted to a Google server in the USA and stored there. The user profiles are created in pseudonymized form.

The information obtained enables us to evaluate the use of our website and to record website activities. In addition, Google provides other services related to the use of the website and the Internet in order to conduct market research and to be able to design our website in line with requirements. The information may be passed on to third parties if this is required by law or if third parties process this data on behalf of the company. Your IP address will be anonymized (IP masking) and in no case merged with other Google data.

You can prevent the aforementioned processing by Google and the collection of your data relating to the use of the website (including your IP address) by downloading and installing a browser add-on (https://tools.google.com/dlpage/gaoptout?hl=en). This link also provides further information on deactivating and correctly installing the browser add-on.

For more information about Google Analytics' privacy practices, please visit https://support.google.com/analytics/answer/6004245?hl=en.

We use the "Google Analytics" service as described on the basis of our legitimate interest (Art. 6 (1) lit. f DS-GVO).

9. Which Cookies we use or third parties use.

Some of the data processing operations about which we inform you in this Policy require that we or third parties set Cookies. You can find a detailed list of these Cookies below:

Cookie Vendor Purpose Opt-Out/Objection Retention Period
ASP.NET_SessionId TaleWorlds Used for log in function. Keeps user logged in to the site. - Immediately expired
__RequestVerificationToken TaleWorlds A token kept as a security measure to prevent cross-site request forgery (CSRF) attacks - Immediately expired
TWCookie TaleWorlds Cookie set by forum during login.  - Immediately expired
PHPSESSID TaleWorlds A general purpose PHP identifier used to maintain user session variables. - Immediately expired
__cfduid CloudFlare Used to identify individual clients behind a shared IP address and apply security settings on a per-client basis. - 24 Hours
tfw_exp Twitter This Cookie is set due to Twitter integration and sharing capabilities for the social media. - 24 Hours
_ga Google This Cookie is used to distinguish users. (2 years)
_gid Google This Cookie is used to distinguish users. 24 hours
_gat Google This Cookie is used to throttle the request rate. 1 minute

10. Changes to this Policy

We may change this Policy from time to time for various reasons such as changes to reflect in law and regulation, changes in industry practices and technological developments.