Privacy Policy

EXTERNAL PRIVACY NOTICE
EPIC GAMING LTD.

1. Epic Gaming
1.1 We are Epic Gaming Ltd., having our registered office at Unit 3 Greenfield Farm Industrial Estate, Congleton, Cheshire, CW12 4TR, United Kingdom (“Epic Gaming”, “we”, “us” or “our”). Unless expressly stated otherwise, we, including our affiliated companies, are the “controller” for the processing of personal data as described in this Privacy Notice (“the Privacy Notice”).

2. Objective of this Privacy Notice
2.2 This Privacy Notice describes why and how Epic Gaming processes your personal data, with which parties Epic Gaming shares your personal data and which rights you have with respect to your personal data.

3. Personal data we may collect and process

3.1 Personal data – Epic Gaming may collect and process the following personal data from you in the following instances:

a) When you interact with us by registering for the GameSafe platform and using our services:

- - Identity data, such as: your full name(s), date of birth, country of residence, nationality and other non-mandatory identity data you provide by choice;
  - Contact data, such as: your e-mail address; and
  - Other data, such as: your profile picture, social media profiles and game replays

Purpose: We only use the these categories of personal data to register you on our GameSafe platform and to offer our services to you. Furthermore, the use of the data may be necessary to fulfil a legal obligation.
Legal ground: Article 6 (1) (b) GDPR.

b) When you participate in the GameSafe Festival we may need to contact you and/or verify your identity:

- - Identity data, such as: your full name(s), date of birth, country of residence, nationality and other non-mandatory identity data you provide by choice;
  - Contact data, such as: your e-mail address; and
  - Other data, such as: your profile picture, social media profiles and game replays.

Purpose: We only use the these categories of personal data to contact you pursuant to your participation in the GameSafe Festival and/or verify your identity.
Legal ground: Article 6 (1) (b) GDPR.

c) For marketing purposes, we may collect the following data:

- - Identity data, such as: your full name(s);
  - Contact data, such as: your e-mail address;
  - Other data, such as: your social media profile.

Purpose: With your consent, we will process your personal data for marketing purposes based on your marketing preferences. You can withdraw your consent to this at any time with effect for the future.
Legal ground: Article 6 (1) (a), Article 7 GDPR.

d) When you use our website, we may collect the following data:

You can visit the publicly accessible areas of our websites without providing any personal information. However, each time you access a website, the web server only automatically saves a so-called server log file, which contains, the name of the requested file, your IP address, the date and time of the request, the amount of data transGameSafeed and the requesting provider (access data).

These access data are evaluated exclusively for the purpose of ensuring trouble-free operation of the site and improving our offer. This serves to protect our legitimate interests in the correct presentation of our website offer, which outweigh our interests in accordance with Article 6 (1) (f) GDPR.

In order to make visiting our website attractive and to enable the use of certain functions, we use technologies including so-called cookies on our websites. We also use other tools (e.g. analytics tools). The (personal) data that we collect in this context as well as the purposes of our further processing and the legal bases are described in our cookie policy, please see our cookie policy which can be found through this https://gamesafe.nspcc.org.uk/cookies.

3.2 Source of personal data – We solely collect and receive your personal data necessary for the purposes as set out in paragraph 3.1 above from you or as generated by participating in our services. No other sources, including public sources, are used unless explicitly stated otherwise.

(Categories) of personal data	Retention period
Personal data processed when you interact with us by registering for the GameSafe platform and using our services	Two years after the last interaction between you and us or the last time you have made use of our services. Shorter retention periods may apply if the processing of specific personal data is no longer reasonably necessary.
Personal data processed when you participate in the GameSafe platform, including identity verification	Two years after the last interaction between you and us. Shorter retention periods may apply if the processing of specific personal data is no longer reasonably necessary.
Personal data processed for marketing purposes	Two years after the last interaction between you and us or the last time you have made use of our services. Shorter retention periods may apply if the processing of specific personal data is no longer reasonably necessary.
Personal data processed when you visit our website	No longer than reasonably necessary. Please see our cookie policy for the exact retention periods.
Other personal data	Six months, or shorter if the processing of specific personal data is no longer reasonably necessary.

3.3 Retention periods – Personal data are retained for the duration as shown in the below overview, unless we are required by statutory law to retain your personal data for a longer period of time. Any personal data which is not included in the overview below, will not be retained longer than necessary to fulfill the purpose for which it was collected.

4. Third parties, recipients and transfers
4.1 We may share your personal data with third parties (“recipients”) if necessary for one or more of the purposes set forth below. The following categories of recipients may, if necessary, have access to your personal data:

- - Affiliated companies within the group, if necessary for compliance, internal reporting, audit or security purposes, or for the performance of an agreement with data subjects;
  - Our accountants, legal advisors and other professional service providers engaged by us as necessary;
  - Government agencies, courts, supervisory authorities, law enforcement or intelligence agencies, if we have a legal obligation to provide your personal data to them;
  - Suppliers of IT services which we rely on for our systems;
  - Third parties in the context of (preparing for) a merger or acquisition of the company; and
  - Other third parties necessary for the provision of the services.

4.2 Epic Gaming may transfer or provide access to your personal data to these partners in order to register you for the GameSafe platform and to provide the services. When we transfer your personal data to our partners, we strive to keep the transfer of personal data to a minimum and limit the transfer to that which is strictly necessary. The possible recipients of are:

Recipient	Purpose	Legal ground
Microsoft*	We use Office365 for our emails and day-to-day office software, meaning that any emails you send to us as well as our working documents will be stored on Microsoft’s servers.	Depending on specific circumstances: Article 6 (1) (a), Article (6) (1) (b), Article (6) (1) (f) GDPR.
Sendgrid*	Sendgrid sends out emails through the website.	Depending on specific circumstances: Article 6 (1) (a), Article (6) (1) (b) GDPR.
Microsoft Azure, AWS	The tournament website and its database is stored on AWS services and is located in the Paris data center.	Article (6) (1) (b) GDPR.
Discord*	Discord is the day-to-day live communications tool for league ops team members.	Article (6) (1) (b) GDPR.
Steam	While we send no data to Steam itself, Steam does provide us with your steamID64 when you link your account. No other information is stored.	Article (6) (1) (b) GDPR.

4.3 Our business is global with affiliates and service providers located around the world. As such, personal data may be stored and processed in countries outside the European Economic Area (EEA). Organisations marked with a * may store personal data on servers outside of the EEA. When your personal data is transferred to countries outside the EEA which may not have the same data protection laws as the country you initially provided your personal data, we will ensure or take reasonable steps to ensure your personal data is handled securely in line with the applicable data protection laws and EU standard contractual clauses. More information regarding the EU standard contractual clauses, as well as the original provisions can be found through this link.

5. Rights of data subjects
5.1 Depending on the relevant circumstances, the GDPR may grant you the following rights:

- - The right to be informed about the processing of your personal data;
  - The right to access your personal data;
  - The right to rectification of your personal data;
  - The right to request the erasure of your personal data from Epic Games;
  - The right to request Epic Games to restrict the processing of personal data;
  - The right to object to the processing;
  - The right to data portability;
  - The right to file a complaint with a relevant supervisory authority; and
  - Where processing is based on consent: the right to withdraw such consent at any time, without such withdrawal affecting the lawfulness of the processing prior to the withdrawal.

5.2 Epic Gaming does not carry out automated decision-making, including profiling, as referred to in Article 22(1) and 22(4) of the GDPR.

6. Security of personal data
6.1 Epic Gaming is committed to secure the processing of your personal data, by relevant maintaining administrative, technical and physical controls with are designed to protect your personal data against loss or theft, as well as against any unauthorised access, risk of loss, disclosure, copying, misuse or modification. Therefore, we implement security measures where appropriate and applicable, such as, but not limited to:

- - Pseudonymisation and encryption of personal data;
  - The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  - The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and
  - A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures to ensure security of processing.

7. Changes
7.1 Epic Games may change this Privacy Notice from time to time. Please see the website for any updates and always read our most recent Privacy Notice before providing any personal data to us.

8. Questions
8.1 Do you have any questions, concerns or comments about this Privacy Notice or Epic Games’ processing of your personal data? Please contact us on [email protected].