1 Data privacy means mutual trust at SPITCH
When SPITCH set out to create a high-quality daily fantasy sports game with interesting prize winnings, we knew that we needed important partners, namely our users.
We work with you to make a new gaming experience possible for you and offer you an attractive sum of money as the winner with the best strategies. SPITCH wouldn’t be able to exist without you. This partnership is also reflected in the way we handle your personal data. Since SPITCH is an experience of cooperative action, it’s a matter of course for us to collaborate with you when it comes to protecting your personal data.
This policy is made compliant with the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
2 The Data Controller is SPITCH
We are pleased that you are visiting the Website of SPITCH Ltd. (hereinafter referred to as ‘SPITCH’), of No. 2, Geraldu Farrugia Street, Zebbug, ZBG 4351, Malta, email: firstname.lastname@example.org, a company registered in the Commercial Register of the District Court of Malta under the No. C 89594 (SPITCH Limited), and we thank you for your interest in SPITCH.
3 Collection and storage of personal data as well as the nature and purpose of use
As part of operating the Website, we collect your personal data. ‘Personal Data’ shall mean any information from which you can be directly or indirectly identified, including your name, email address, home address, mobile number, debit/credit card data and date of birth.
3.1 Access to the SPITCH Website and app
3.1.1 Log files
Each time access is made to our Website www.spitch.live and our app, data is sent by the respective Internet browser on your respective terminal device to the server of our Website/application and temporarily stored in log data files, otherwise known as ‘log files’.
The data sets stored in this way contain the following data which are stored up until automatic erasure:
- Date and time of the retrieval,
- Name of the site retrieved,
- IP address of the inquiring device,
- Information on the terminal device used (operating system/platform, version of the operating system, mobile phone model, app version, browser version)
- Message if access was successful,
- Referrer URL (source URL, from which you arrived at our Website),
- Data quantity transferred,
- Loading time,
- Product and version information of each browser used, and
- Name of your access provider.
The IP address is saved and automatically and immediately anonymised solely for the purpose of combatting misuse and for detecting and eliminating errors.
The legal basis for processing the IP address is Article 6(1)(f) GDPR. We have a legitimate interest in guaranteeing the smooth establishment of a connection, convenient use of our Website and evaluation of system security and stability.
The legal basis for processing data is Article 6(1)(1)(f) GDPR. Our legitimate interest is based on the data collection purposes listed above. Under no circumstances do we use the data collected to draw conclusions on you as a data subject.
3.1.2 Cookies, tracking and social media plug-ins
We use so-called cookies, tracking tools, targeting procedures and social media plug-ins for our Website and app. Detailed information about the precise procedure involved and the manner in which your data is used in each case is provided below in Chapter 3.5.1.
3.2 Data processing upon conclusion of a contract
Whenever you register for an Account at SPITCH and/or enter into a further contract with us, we shall process the data necessary for concluding the contract, for its performance, or for terminating the contract with you.
This includes the following data:
- First name, last name
- Delivery address
- Email address
- Date of birth
- Information about the transactions you undertake
- Log file including player game history e.g. game name, debit posting date/time etc
- Details of payment cards used
- Records of your discussions with our Customer Care services teams
The legal basis for such is Article 6(1)(a) and (b) GDPR, i.e., you make the data available to us upon the basis of the respective contractual relationship between you and us (e.g. managing your user account, concluding a sales contract). To process your email address if you make a purchase, we are also required to send you an electronic order confirmation as per the legal obligations stipulated in the German Civil Code (BGB) (Article 6 (1)(c) GDPR).
To the extent that we do not use your data for further advertising purposes (see 3.5 SPITCH online presence and Website optimisation), we shall store the data collected as necessary for fulfilment of the contract for the term of the contract. After expiration of this time period, we shall retain the information about the contractual relationship, which must be retained in accordance with commercial and tax law, for the legally defined time periods. During this time period, the data shall only be processed again in the event of a review by the financial administration.
Furthermore, for concluding the purchase contract, the following data processing is necessary:
Your payment data shall be shared with the payment service provider engaged by us in order to process the payment(s). The respective data shall be transferred solely for the respective purposes and shall be erased after successful payment.
3.3 SPITCH won’t send you any unsolicited advertising
As part of the Account registration process, you will have the opportunity to choose whether or not to receive information on offers and promotions from us. Unless you have informed us at the time of setting up your Account that you do not wish to receive promotional material, we will send you such communications until you inform us that you no longer wish to receive them. SPITCH will only send you offers and information tailored to your needs if there is a corresponding legal basis for this, for example, after obtaining your consent for the specific purpose (Article 6 (1) (a) GDPR).
3.3.1 Update your marketing preferences
You may update your marketing preferences at any time by:
If you are receiving emails, you may click on the “unsubscribe” link in an email and follow the instructions to opt-out of receiving marketing material.
If you are receiving text messages, you may follow the instructions to unsubscribe to opt-out of receiving marketing material.
Contacting us at email@example.com to object to the use of your personal data for any of the aforementioned purposes at any time and free of charge with effect for the future. If you file an objection, your data will be blocked for further promotional data processing. We would like to point out that in exceptional cases advertising material may still be sent even after receipt of your objection. Due to the lengthy lead time it takes to handle the selection, this can occur due to technical reasons and does not mean that we have not implemented your objection.
On our Website, we offer you the opportunity to subscribe to our newsletter in order to provide you with up-to-date information. We use the so-called double opt-in procedure (DOI procedure) to ensure that no mistakes are made while entering the email address: after you have entered your email address into the registration field and granted your consent to receiving our newsletter, we will send you a confirmation link to the email address you provided to us. Only when you click on this confirmation link will your email address be added to our mailing list for the distribution of our newsletter (Article 6(1)(a) GDPR).You can revoke your consent at any time with effect for the future by sending a notification to firstname.lastname@example.org or by using the option to unsubscribe provided at the bottom of each newsletter.
3.3.3 Recommendations sent via email
We email existing customers recommendations on a regular basis. You will receive these recommendations from us even if you have not subscribed to the newsletter. We use the email you provided to us upon making your purchase to advertise our own products. The legal basis for this processing of data is Article 6 (1)(f) GDPR.
Notice of right of objection
You can revoke your consent at any time with effect for the future by sending a notification to email@example.com or by using the option to object to recommendation emails, without incurring any charges other than the basic costs of transmitting messages.
Whenever you register for contests organised by SPTICH, we collect, save and process your name, mailing address, email address and telephone number, if necessary, for the purpose of carrying out the contest and communicating with you in regard to the contest. We immediately erase your data after contest completion. Detailed information can be found in the respective terms and conditions of participation for the respective contest. The legal basis for data processing in this case is either Article 6(1)(b) GDPR, i.e. the processing of your data is necessary for the fulfilment of the agreement on your participation in the contest. Or the legal basis for this processing of your data is Article 6(1)(a) GDPR, i.e. provision of your consent.
3.4 Disclosure of data to third parties
- any third party which assists us in providing the Services, including, but not limited to, payment processors, customer services representatives and chat moderators as further detailed below;
- any third party which can assist us in verifying the accuracy of your personal data, including financial institutions and credit reference agencies;
- any third party which assists us in monitoring use of our Services, including the detection and prevention of fraud and collusion;
- any advisers auditing any of our business processes or who have a legitimate need to access such information for the purpose of advising us;
- any law enforcement body which may have any reasonable requirement to access your personal data; and
- any potential purchaser of SPITCH Ltd‘s business or any investors in it (including in the event of insolvency).
3.4.1 Payment processing
SPITCH uses an external identity provider for authentication purposes. SPITCH uses a ‘delegation of authentication’ procedure. For login purposes, SPITCH uses the software module Auth0 (further information available at: https://auth0.com/terms/ and https://auth0.com/privacy/) and then sends Auth0 the user’s email address and password.
3.4.3 Sending emails
Mailjet may retrieve the recipient’s data in pseudonymous form, i.e. without any association to a user, in order to optimise or improve their own services, for example, for the technical optimisation of sending communication and the presentation of newsletters or for statistical purposes. The email service provider, however, does not use our newsletter recipients’ data in order to write to them personally or to share the data with third parties.
3.4.4 Content Delivery Networks (CDN)
SPITCH uses a CDN (Content Delivery Network) called ‘Cloud CDN’ provided by Google LLC. A CDN makes it possible, in particular, to shorten the loading time of the Website and app or certain content, for example, by sending files from a very fast server that’s located as close as possible to you. Processing is carried out in order to shorten the loading time of our Website. Processing is required to safeguard the overriding legitimate interests of the controller (Article 6(1)(f) GDPR).
3.4.5 Disclosure to third parties on the basis of legal obligations and legitimate interests
SPITCH may need to work with credit rating agencies, fraud detection agencies and anti-money laundering agencies to meet our regulatory and legal obligations in the course of processing your SPITCH account and any account-related transactions.
The purpose of this communication is intended for the:
- Assessment of whether you are a politically exposed person (PEP) or a person who is subject to financial sanctions.
- Assessment of whether your personal details resemble those of persons suspected of money laundering or fraud.
- Electronic verification of your personal data by comparing it with third-party databases.
Where payment service providers request such information in connection with fraud-related issues, we shall share such personal data provided that the request for information is aimed at safeguarding your rights and/or the legitimate interests of the company to protect itself against fraudulent activity.
3.4.6 Disclosure to regulatory authorities
In order to comply with our legal obligations, the Malta Gaming Authority (MGA), the Financial Investigations and Analysis Unit (FIAU), the Sanctions Monitoring Board or other competent law enforcement agencies may request that SPITCH disclose data, which may require that we share all personal data, evidence, payment and gaming transaction history, communication history and other information we have available on you. The competent authority may determine the method to be used to share data over which we have no control.
3.4.7 Other reasons for sharing data
Your personal data is not transmitted to third parties for purposes other than those shown below.
We share your personal data with third parties only if:
- You have given your express consent to do so pursuant to Article 6(1)(1)(a) GDPR.
- Disclosure is necessary in accordance with Article 6(1)(1)(f) in order to assert, exercise or defend legal claims, and there is no reason to assume that you have an overriding legitimate interest in not disclosing your data.
- In the event that a legal obligation exists for disclosure pursuant to Article 6(1)(1)(c) GDPR.
- This is lawful and it is necessary pursuant to Article 6(1)(1) (b) for concluding contractual relationships with you.
3.5 SPITCH online presence, Website optimisation and the app
3.5.1 General information about cookies
Most of the cookies used by us are deleted again after the end of the browser session (so-called session cookies). In addition, we use temporary cookies to optimise user-friendliness. These are stored on your terminal device for a specified period of time. If you then visit our Website again to use our services, the system automatically detects that you have already visited us and what entries and settings you have made, so that you do not have to enter all this information again. The data processed by the cookies is required for the stated purposes in order to safeguard our legitimate interests as well as those of third parties pursuant to Article 6 (1)(1)(f) GDPR.
Of course, you can configure your browser in such a manner that it does not save our cookies on your terminal device. The help function in the menu bar of most web browsers explains how to prevent your browser from accepting new cookies, provided that you set up your browser to notify you whenever you receive a new cookie, or how you can delete all of the cookies already received and block any additional ones.
If these cookies and/or the information they contain personal data, the legal basis for data processing is Article 6(1)(f) GDPR. Our interest in optimising our website is to be regarded as justified in the sense of the aforementioned provision.
3.5.2 Google Analytics
For the purpose of a design tailored to your demands and for the purpose of continuous optimisation of our website, we use Google Analytics, a web analysis service of Google Inc. (‘Google’), as per Article 6 (1)(f) GDPR. Google Analytics uses so-called ‘cookies’, text files that are stored on your computer and facilitate an analysis of your use of the website. In this context, pseudonymised user profiles are created and cookies are used. The information about your use of this website is generated by the cookie, such as browser type/version, operating system used, referrer URL (the site previously visited), host name of the accessing computer (IP address), and time of server enquiry.
On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports about website activities, and to render additional services affiliated with the website use and the Internet use vis-à-vis the website operator. The IP address transferred by your browser within the framework of Google Analytics is not merged with other data from Google. You can use a corresponding setting on your browser software to prevent cookies from being stored; however, we would like to point out that in this case you may not be able to use all the features of this website to their full extent. Moreover, you can prevent the recording of the data generated by the cookie and related to your use of the website (incl. your IP address) by Google as well as the processing of such by Google by downloading and installing the browser plug-in available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de.
3.5.3 Google Adwords
This website uses Google AdWords. Google AdWords is an online advertising program from Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA (‘Google’). We use the remarketing function of the Google AdWords service here. This remarketing function enables us to show interest-based ads to users of our website on other websites within the Google Display Network (on Google itself, ‘Google ads’ or on other websites). To do this, we analyse the interaction of users on our website, for example, the offers in which users have shown an interest. Targeted advertising can then be presented to users on other websites after they have visited our website. To do this, Google saves an identifier in the browsers of users who visit certain Google services or websites in the Google Display Network. This identifier, known as a ‘cookie’, records the visits of these users. It uniquely identifies a web browser on a specific computer but does not identify any individual. No personal data is saved. The legal basis for this processing of data is Article 6 (1)(f) GDPR.
3.5.4 Google AdWords conversion tracking
We also use the conversion tracking feature of the Google AdWords service. When you click on an ad placed by Google, a conversion tracking cookie is stored on your computer or terminal device. These cookies become invalid after 30 days and contain no personal data. As such, they cannot personally identify any user. We use the information collected with the conversion tracking cookie to generate conversion statistics for AdWords customers who have opted for conversion tracking.
3.5.5 Option to object/opt-out
In addition to the deactivation methods previously described, you can generally prevent such technologies by activating a corresponding cookie setting in your browser. You also have the option to deactivate preference-based advertising by using the preference manager which is available here.
3.5.7 Google Firebase Analytics
SPITCH uses Google Firebase Analytics. Firebase Analytics is a service which makes it possible to collect and analyse app usage data from smartphones. When you use the app, selected actions are encrypted for this purpose and then shared in pseudonymous form with Firebase Analytics in order to analyse general user behaviour in terms of efficiency, etc. and in the course of the evaluation to draw conclusions on how to continuously improve the app.
3.5.8 Firebase Remote Config
The SPITCH app uses Firebase Remote Config so we can modify the app on installed terminal devices, without you having to completely re-install it from the app store whenever changes are made. Your device information, language settings and country settings are transferred to Google in the USA and processed there for this purpose.
Information about how Remote Config works can be found at: https://firebase.google.com/products/remote-config/.
3.5.9 Use of Fabric (including Crashlytics)
On our app, we use Fabric and Crashlytics, web analysis services operated by Twitter Inc. 795 Folsom St., Suite 600, San Francisco, CA 94107 (‘Twitter’), in order to improve our app and rectify errors, for example, system crashes. The data collected is provided to us in anonymous form and become the property of Twitter. We are notified about crashes and only see the line of code that caused the crash, the type of mobile terminal device and installed operating system, the amount of free memory and flash memory, and whether the operating system has been ‘jailbroken’. We use this data to reproduce the error as best as possible and then fix it in a future release.
Information on the data which Fabric saves is provided in Fabric’s Terms and Conditions (https://fabric.io/terms).
3.5.10 Push notifications
4 Usage of web fonts
We use Google Web Fonts on our website to display font types in a standardised manner. The required web fonts (font types) are loaded by your browser when you access the website server, in order to display the texts and font types correctly. During this process, your browser establishes a connection to Google’s servers, whereby Google is made aware that our website is being visited by a terminal device with your IP address. The use of Google Web Fonts and the data processing associated with this is used in our interest in displaying our website in an appealing manner. The legal basis is Article 6(1)(f) GDPR.
If your browser does not support the displaying of web fonts, a standard font is used instead.
5 Social Media
5.1 Use of Facebook Social Plugins
5.2 Use of Instagram social plug-ins
5.3 Use of Twitter plug-ins (e.g. ‘Twitter’ button)
6 Recipients outside the EU or EEA
With the exception of the processing set forth herein, we do not share your personal data with any recipients headquartered outside of the European Union or the European Economic Area. The processing activities set forth herein include a data transfer to the servers of providers of tracking or targeting technology commissioned by us. These servers are located in the USA. Where we transfer your personal data outside of the EU or EEA, we will put in place adequate measures to ensure that your personal data is kept secure.
The adequate measures shall include:
- transferring data to a jurisdiction which the European Commission recognises as providing adequate protection for the rights and freedoms of data subjects in connection with the processing of their personal data. The data transfer is carried out in accordance with the principles of the so-called ‘Privacy Shield’,
- transfers pursuant to standard contractual clauses in accordance with European Commission decisions on transferring personal data.
7 Your rights
In addition to the right to withdraw your consent given to us, you also have the following rights, when the respective legal conditions are extant:
- in accordance with Article 15 GDPR, to request access to your personal information processed by as, together with information about your personal data. In particular, you may request information about the purposes of processing, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the source of your data if the data has not been collected by us;
- in accordance with Article 16 GDPR, to demand the immediate correction of incorrect or incomplete data;
- in accordance with Article 17 GPDR, to request the erasure of your personal data stored by us, as far as no legal or contractual retention periods or other legal obligations or rights for further storage are to be observed by us;
- in accordance with Article 18 GDPR, to restrict the processing of your data if you dispute the accuracy of the data, the processing is unlawful, but you reject its erasure; the data controller no longer requires the data but you need it to assert, exercise or defend legal claims or if you have filed an objection to the processing in accordance with Art. 21 GDPR;
- in accordance with Article 20 GDPR, the right to data portability, i.e. the right to receive selected data stored by us about you in a common, machine-readable format, or to request the transfer to another controller;
- the right to lodge a complaint with a supervisory authority or seek judicial remedy. You can usually contact the supervisory authority at your normal place of residence or your workplace or where we are headquartered.
The aforementioned rights which you are entitled to in relation to us can be asserted at firstname.lastname@example.org.
7.2 Right of objection
If your personal data is processed on the basis of legitimate interests in accordance with Article 6 (1)(1)(f), you have the right in accordance with Article 21 GDPR to object to the processing of your personal data if grounds for this relating to your particular situation exist or the objection is to direct marketing. In the latter case, you have a general right of objection that will be executed by us without having to name a specific situation.
Should you wish to assert your right to revocation or objection, simply send an email to email@example.com.
Insofar as we process data based on the consent you granted us, you have the right to revoke such consent at any time. The revocation of consent does not render invalid the data processing performed on the basis of consent until the time of revocation.
7.3 Apply for rights
Where you make a request in respect of your rights we will require proof of identification. We may also ask that you clarify your request. We will aim to respond to any request within one month of verifying your identity, with a possibility to extend this period for particularly complex requests in accordance with applicable law. If we receive repeated requests or have reason to believe requests are being made unreasonably, we reserve the right not to action the request, provided that a justification shall be given to you within the time periods specified in the GDPR.
Please be aware that while we will try to accommodate any request you make in respect of your rights, they are not absolute rights. This means that we may have to refuse your request or may only be able to comply with it in part.
In accordance with applicable law, we reserve the right to withhold personal information if disclosing it would adversely affect the rights and freedoms of others.
8 Data security
We are committed to ensuring that your personal data is secure. We use appropriate technical and organisational safeguards to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or unauthorised access by third parties. Our security measures are continually improved as new technology becomes available.
8.1 Data security on our Website
When you visit our Website, we use the common SSL (Secure Sockets Layer) method combined with the highest level of encryption your browser supports. A 256 bit connection is used in most cases.
If your browser does not support a 256 bit connection, we will use 128-bit v3 technology instead. This means that all the information sent between your computer and our secure computer environment is encrypted or scrambled so that no one can read it in transit. You can recognise whether a particular page of our website is transferred in encrypted form by the key or padlock symbol on your browser’s bottom status bar.
Unfortunately, the transmission of information via the internet is not completely secure. If you believe your Personal Data has been compromised, please contact us at firstname.lastname@example.org.
9 Retention of your personal data
9.1 Basis of storage
We will retain your personal data for the minimum period necessary for us to provide you with the Services and to comply with our legal and regulatory obligations. We will retain your personal data for as long as your Account is active or otherwise for a limited period of time needed to fulfil the purposes for which such personal data was initially collected, unless otherwise required by law.
9.2 Storage time
Accordingly, your personal data will be retained for a minimum of five (5) years following the closure of your Account (if applicable) or the last activity made on your Account. Where it is no longer necessary for us to process your personal data, we will erase your information sooner.
9.3 Extension of the storage times
The above retention times may be extended when it is necessary for compliance with a legal obligation, to investigate a crime, handle a claim or resolve a complaint.
10 Data Protection Officer
SPITCH Ltd. has appointed a Data Protection Officer (“DPO”) who is responsible for all matters relating to privacy and data protection. The DPO can be reached at the following address: email@example.com.
11 Contact Us
You may contact our Customer Services Team at firstname.lastname@example.org.