PRIVACY POLICY RPG NEXUS PLATFORM

Your data administrator is Michał Niedojadło running a sole proprietorship CODE HOTBED MICHAŁ NIEDOJADŁO with its registered office in ul. Tadeusza Romanowicza 40/8, 33-100 Tarnów, NIP (TAX ID): 6342935122 (hereinafter also called "RPG NEXUS”).

This Policy explains how RPG NEXUS processes data of persons or legal entities ("User") using the Platform available in the Google Play Store and the App Store ("Platform”).

Personal data means any information in electronic or other form that can be used to identify a natural person.

Please be aware that most of the data processed on the Platform is not personal data due to the inability to identify the User (general data). We may use such data to conduct general analytics and diagnostics of the Platform.

DATA PROCESSING ON THE PLATFORM

RPG NEXUS collects Users' data related to the use of the Platform, including in particular data necessary to maintain the User's account and create or join RPG games events. Simultaneously RPG NEXUS is not responsible for the correctness or legality of the data provided by Users.

Categories of personal data:

1. Identification. Data such as: name, surname, address, age, gender are necessary, establish a subscription purchase process, conduct after-sales service, as well as set up and maintain a user account on the Platform and the proper provision of Services by RPG NEXUS.
2. Contact details. The e-mail address is necessary to place an order and register an account on the Platform. The e-mail address may also be used to provide some of the functionalities of our Platform (e.g. marketing activities).
3. Information included in the event creation process. We have no influence on the content published by you during creation of RPG events (e.g. description). However, if they contain personal data (e.g. name and surname), you must know that due to the technological process of our Platform, these data are processed by us.
4. Platform Information. Data such as access time, number of times accessed, IP address and event information (such as errors, freezes, restarts and upgrades) and other diagnostic, technical, error and usage information such as time and time of using the services.
5. Cookies. We use Cookies on the Platform. These are IT data, usually text files, which are stored on the end device. They usually contain the name of the website they come from, storage time and number.

Purposes of personal data processing and legal basis for processing

1. carrying out the sales process — identification data, contact data - art. 6 sec. 1 letter b) GDPR (necessity to conclude and/or perform the contract);
2. creating and maintaining an account on the Platform— identification details, contact details, sales data - art. 6 sec. 1 letter a) GDPR (consent) and art. 6 sec. 1 letter b) of the GDPR (necessity to conclude and/or perform a contract regarding the maintenance of a user account);
3. provision of services (creation of RPG events) - Information included in the event creation process, identification data, contact details - art. 6 sec. 1 letter b) GDPR (necessity to conclude and/or perform the contract);
4. complaints — identification data, contact details, sales data - art. 6 sec. 1 letter b) GDPR (necessity to conclude and/or perform the contract);
5. issuing invoices and fulfilling fiscal obligations - identification data, contact details, sales data - art. 6 sec. 1 letter c) GDPR (necessity to fulfill its legal obligation);
6. direct marketing — contact data - art. 6 sec. 1 letter a) GDPR (consent);
7. securing information that can be used as legal evidence - identification data, contact details, sales data — art. 6 sec. 1 letter f) GDPR (legitimate interest) - the legitimate interest of the Administrator is to provide information needed in legal proceedings.
8. analytics, including the analysis of data collected automatically when using the Platform, including cookies Information on browsing the websiteStore - Information regarding browsing the Platform, cookies —based on Article. 6 sec. 1 letter a) GDPR (consent) and art. 6 sec. 1 letter f) GDPR (legitimate interest) - the legitimate interest of the Administrator is to learn about the activity of users.

Categories of data recipients

Personal data may be disclosed to our partners and co-workers as well as our advisors, payment service providers, hosting company, accounting, insurance company and marketing agencies.

Transfer of personal data to a third country or international organization

Personal data may be transferred by the Administrator to countries outside the European Economic Area (including the European Union, Norway, Liechtenstein and Iceland), i.e. to entities such as: Google LLC, Facebook Inc.

The transfer of personal data to entities outside the EEA takes place on the basis of consent or to the extent necessary to perform the concluded contract

Entities cooperating with the Administrator whose servers are located in the USA are subject to additional verification in terms of the adequacy decision established in by the European Commission adopted an implementing decision of July 10, 2023 issued on the basis of the Regulation of the European Parliament and of the Council (EU) 2016/679.

Please be advised that in the case of transferring personal data to entities outside the EEA, there is a risk of not ensuring a level of personal data protection equivalent to the one resulting from the GDPR by the countries where these entities are located. Nevertheless, in order to ensure the highest level of protection of personal data, in relations with entities outside the EEA, we also use standard contractual clauses regarding the protection of personal data, approved by the European Commission.

Personal data storage period

Personal data processed within the Platform will be stored:

1. for the duration of the contract – in the case of personal data processed in order to conclude and perform the contract, including the duration of the subscription and in the scope of maintaining the User's account;
2. for a period of 3 years or 6 years + 1 year — in relation to personal data processed in order to establish, pursue and defend claims (the length of the period depends on whether both parties are entrepreneurs or not);
3. for a period of 5 years - in relation to personal data processed in order to meet fiscal obligations;
4. until the consent is withdrawn or the purpose of processing is achieved, but not longer than for 5 years - in relation to personal data processed on the basis of consent;
5. until the objection is successfully raised or the purpose of processing is achieved, but not longer than for 5 years - in relation to personal data processed on the basis of the legitimate interest of the Administrator or for marketing purposes;

Security measures

We make every possible effort to secure Users personal data and protect them from the undesirable actions of third parties. We use all necessary protective measures in terms of protecting our server, connection and website, in particular SSL encryption. We would like to inform you that the actions we have taken may not be sufficient if our customers do not follow the security rules themselves. In particular, each user should keep the login and password to their account on the Platform confidential and not disclose them to third parties

User rights

The User has the following rights in connection with the Administrator’s processing of his/her Personal Data:

1. Right of access to Personal Data – User is entitled to obtain information regarding its processing, in particular information about the purpose of processing and the category of Personal Data processed. The User is also entitled to request a copy of the processed Personal Data.
2. Right to rectify processed Personal Data – the User has the right to correct Personal Data information. In addition, the User also has the right to request the replacement, completion, or deletion of erroneous or misleading information regarding his/her Personal Data.
3. Right to erasure of the User’s Personal Data (the right to be forgotten) – The User may request the deletion of his/her Personal Data. The User has this right only in situations where the Administrator has no other legal basis for further processing.
4. Right to restrict the processing of Personal Data to a specific purpose – if, in the opinion of the User, his or her Personal Data is processed by the Administrator in an inaccurate or unreasonable manner, the User may request that the processing of his or her Personal Data be restricted.
5. Right to portability of Personal Data – the User has the right to receive in a structured, commonly used format the Personal Data provided to the Administrator. The User also has the right to request that his/her Personal Data be sent by the Administrator directly to another administrator, if technically possible.
6. Right to object to processing the User has the right to object to the Personal Data processing.
7. Withdrawal of consent – at any time the User has the right to withdraw the consent he/she has given for the processing of Personal Data. However, the withdrawal of consent does not affect the lawfulness of the processing of Personal Data prior to the withdrawal of consent.
8. Right to lodge a complaint with the competent supervisory authority – the User may lodge a complaint with the President of the Office for Personal Data Protection (address: President of the Office for Personal Data Protection, ul. Stawki 2, 00-193 Warsaw) if he/she considers that the Administrator is processing Personal Data in a manner inconsistent with the applicable laws.

If the User would like to exercise the above-described rights, he/she is obliged to contact the Administrator in writing at the Administrator’s registered office address or via e-mail:sm@rpgnexus.com. The Administrator will delete the data as requested when:

1. the personal data are no longer necessary for the purposes for which they were collected;
2. the data subject has withdrawn the consent on which the processing is based pursuant to art. 6 sec. 1 letter a) GDPR or art. 9 sec. 2 letter a) GDPR, and there is no other legal basis for processing;
3. the data subject raises an objection pursuant to art. 21 sec. 1 of the GDPR and there are no overriding legitimate grounds for processing;
4. personal data has been processed unlawfully;
5. the personal data must be erased in order to comply with a legal obligation in Union or Member State law to which the controller is subject;

Cookies policy

While using the Platform, in order to improve its functionality, Cookies from other service providers, such as Facebook (Meta) or Google, may be placed on your device through the provided links. Privacy policies and rules for the use of Cookies created by the indicated entities are beyond the control of the Administrator. We recommend that you familiarize yourself with both their privacy policy and the rules of using cookies before using other websites, in particular:
Google: https://policies.google.com/?hl=pl
Facebook: https://www.facebook.com/privacy/explanation

Cookies data collection

We store requests to the server that are recognized by URL addresses and relate to:

• IP address of the end device,
• name of the user's station, if identification is possible via the http protocol,
• username provided in the authorization process,
• information about the user's browser,
• information about errors in the execution of the connection.

The website does not automatically collect any information except for those contained in cookies. We use different types of cookies:

• session - stored on the end device until logging out or leaving the website,
• constant - stored on the end device for the time specified in the cookie parameters or until deleted by the user,
• performance - containing information on how to use the website,
• necessary - necessary for the proper execution of the Platform,
• functional - "remembering" user settings and personalizing the service,
• own - posted by the Administrator,
• third party - originating from a website other than the Platform. Collected mainly for analytical and advertising purposes only if the user expresses appropriate consents.

Other Tracking Technologies

The Administrator may use other tracking technologies than cookies. These technologies are anonymous and based on the analysis of network traffic, as well as communication between many applications. These solutions operate in two standards:

1. FLoC (Federated Learning from Cohorts) is a solution that allows you to create anonymous cohorts based on the interests of users. Once categories of users with similar interests are created, they are processed for advertising purposes. This solution is based on anonymous, aggregated data (not about a specific user, but about the entire cohort to which a given user belongs).
2. FLEDGE is a technology that aims to enable the use of remarketing and advertising targeted to non-standard audiences without sharing data with third parties to track user behavior. FLEDGE operates on the basis of a several-stage process leading to the selection of the advertisement that the user will see and is based on calling appropriate JavaScript codes at individual stages of this process.

The above solutions are not all tracking technologies that may be implemented by the Administrator. Technologies of anonymous web traffic tracking are subject to constant development and may be replaced by new solutions.

Changes to the Privacy Policy

In order to update the information contained in this Privacy Policy and its compliance with applicable law, this Privacy Policy may be changed. The User will be RPG NEXUSfied of any change in the policy through information placed on the Platform. In order to obtain information on how to protect personal data, the Administrator recommends that Users regularly read these Privacy Policy rules. Questions and concerns regarding this Privacy Policy may be submitted by you at: sm@rpgnexus.com