Language:
PRIVACY POLICY – WE WERE HERE FRIENDSHIP
Version 1.0 – May 2022

1. Total Mayhem Games
We Were Here Friendship is a video game developed and published by TMG Studios B.V. We are a Dutch company that is globally active. We store our data on servers in the European Economic Area, unless stated otherwise below.
We process your personal data when you play the Game (as defined below). In this Privacy Policy we summarize when and how we collect, use and secure your personal data, as well as your rights to your data under U.S. and International Law, including but not limited to the EU Directive 2002/58/EC and the EU General Data Protection Regulation (“GDPR”), the U.S. Children’s Online Privacy Protection Act (“COPPA”), and the California Consumer Privacy Act (“CCPA”), and the choices you have associated with that data. This Privacy Policy applies to the Game (including without limitation enhancements thereto or future DLC), and the Game’s content, services, patches, or updates thereto (collectively the "Game") where this Privacy Policy is referenced, regardless of how you access or use the Game.
This Privacy Policy describes:

• The information we may collect, how we may collect such information and the purposes of our collection;
• How we may use and with whom we may share such information;
• How you can access and update your information; and
• How we protect the information we may store about you.

Disclosure to California Residents: In our efforts to comply with applicable regulation, we ask and advise that California residents review the CCPA Disclosure section at the end of this Privacy Policy. Although we do not sell end user data, we will provide notice if at any time those circumstances change.

2. General
We may change provisions of this Privacy Policy from time to time. If we do that, we will inform you of the changes. However, we also advise you to check for yourself from time to time whether the Privacy Policy has been changed.

3. Which personal data do we collect and for which purposes?
There are a number of ways in which we can collect your personal data if you are a player of our Game. Below we explain which personal data we may collect from you. The personal data is processed according to your role and to the different processing purposes. The data retention period also differs depending on the processing goal. Note that should there be any legal changes to the possible data retention periods, these legal changes will take precedence over the periods mentioned in this Privacy Policy.
A. To be able to provide you the Game and the intended experience, we process the personal data mentioned below. Our processing ground is the performance of a contract with you.

If you play our Game, we process the following personal data until you request removal of your account or personal data. Our purpose is to provide you with the Game. This data is processed by PlayFab of Microsoft Azure. They may process your personal data in the United States, although we did conclude a data processing agreement and standard contractual clauses with them.

● Your Steam-ID, Epic-ID, Xbox-ID and/or Playstation-ID, depending on the platforms you use to play our game
● Your game progression
● Your PlayFab account-ID (linked via your platform account)
● Your PlayFab friends list

To provide matchmaking services, we process the following personal data for the duration of the play session. This data is processed by Photon. They may process your personal data in the United States, although we did conclude a data processing agreement and standard contractual clauses with them.

● User-ID
● IP-address

If you use our voice chat functionality, we process your voice chat without storing it. This data is processed by Unity. They may process your personal data in the United States, although we did conclude a data processing agreement and standard contractual clauses with them.

B. To be able to provide you with account migration services between platforms, we process the personal data mentioned below until you request removal of your account. Our processing ground is the legitimate interest of us to be able to provide you with this functionality and your legitimate interest to be able to use this functionality. Use of the functionality is completely optional and you can request removal of this personal data at any time by deleting your account or sending an e-mail to info@totalmayhemgames.com.

● Account-ID
● Username
● Password
● E-mail address

C. To be able to improve our Game, we process the personal data mentioned below as you play our Game. Our processing ground is our legitimate interest to improve our Game. If you do not wish for us to process the information mentioned below, you can opt-out through the settings in our Game or send us an e-mail at info@totalmayhemgames.com.

We use diagnostics and analytics software of Unity to process the following personal data up to 30 days after collecting the personal data. This data is processed by Unity. They may process your personal data in the United States, although we did conclude a data processing agreement and standard contractual clauses with them.

● Date and time of playing (including how long certain parts of the game took)
● User-ID
● Session-ID
● The platform used to play the game
● Game version
● Server region in which you play
● General location (province and country) based on your IP-address

If you participate in our beta-testing program, we process the personal data mentioned below up to 30 days after release of the tested beta-version on Steam. Our processing ground is our legitimate interest to improve our Game. Participation in the beta is completely optional, as well as providing the information below.

● Forms as filled in by you and the information contained therein
● Screenshots shared by you

4. Sharing personal data
We may use so-called data processors to process your personal data on our behalf. We conclude data processing agreements with these processors, to assure they only process your personal data on our instruction.
We use the following types of processors:
● companies that provide storage of (personal) data and database management and maintenance;
● software providers;
● research firms and providers of analytical software to improve our services;
● hosting provider(s).

If you provide additional information to these processors yourself, we are not responsible for this. It is wise to inform yourself properly about the processor and his company before you provide your personal data.

Sharing data with your consent
We may also share personal data with others if you give us permission to do so. For example we can cooperate with other parties to offer you specific services or offers. If you register for these services or marketing offers, we may provide your name or contact details if they are necessary to provide that service or contact you. Before we do this, you will always be expressly asked for your consent.

Sharing based on our legal responsibility
We may also share personal data with third parties if this is:
1. necessary to comply with our legal obligations;
2. necessary to comply with legal requests from authorities;
3. is required to respond to any legal claims;
4. necessary to protect the rights, property or safety of us, our users, our employees or the public;
5. is required to protect ourselves or our users against fraudulent, abusive, inappropriate or unlawful use of our services.

We will immediately notify you if a government agency makes a request that relates to your personal data, unless we are not allowed to do so on the grounds of the law.

Merger or sale (part) of the company
It may happen that we disclose, share or transfer your personal data when we transfer part of our business. Examples include (negotiations about) a merger, sale of parts of the company or obtaining loans. We will of course try to limit the impact for you as far as possible by transferring personal data only when necessary and anonymizing where possible.

5. Protection of personal data
Protecting your personal data is of the utmost importance for us. We have therefore taken appropriate technical and organizational security measures in order to protect your personal data. These measures include, but are not limited to:
- We only engage trusted providers of databases to store data, which have taken adequate physical and electronic measures to minimize the risk of unauthorized access, loss or misuse of personal data.
- We use TLS (Transport Layer Security) technology to encrypt sensitive information or personal data, such as account passwords.
- We make backups of personal data.
- Sensitive information is stored encrypted.
- Vulnerabilities in the software are dealt with as quickly as reasonably possible.
We would like to point out that we cannot guarantee absolute security when sending personal data via the internet or storing personal data. We advise you to take this into account before sharing personal data.

6. Links to third party sites
Our Game may contain links to other websites and services. These third party websites and services can collect and retain information about you. If you provide your personal data to third parties, then we are not involved. We have no control over these sites or the activities of the third parties. In that case, the privacy policy of the third party applies. We are not responsible for the content of the privacy policy of these parties and the way in which these parties deal with personal data. We encourage you to review their privacy and security practices and policies before you provide personal information to them.

7. Children’s Privacy
We take children’s privacy very seriously, and we do not directly or knowingly collect any personal data from end users deemed to be children under their respective national laws through our Game. We strive to comply with the Children’s Online Privacy Protection Act of 1998, the U.S. law that protects the privacy and information of children. We strongly encourage parents and guardians to learn more about this important regulation. For more information, you can visit: https://epic.org/privacy/kids/#introduction. If you are a parent or guardian and you are aware that your child has provided us with personal data, please contact us. If we become aware that we have collected personal data from children without verification of parental consent, we take steps to remove that information from our servers.
If you are under the age of 13 and using our Game, please have a parent or guardian nearby to provide any information we may request, including an e-mail address or platform specific username, as applicable.

8. Your rights
We aim to take reasonable steps to allow you to correct, amend, delete, or limit the use of your personal data.

You may update, correct, or provide additional information to your personal data by resubmitting your information or contacting us directly. If you are correcting information provided to a third party please correct your information via the methods and direction provided by the applicable third party.

If you wish to be informed what personal data we may hold about you and if you want it to be removed from our systems, please contact us via the contact email listed below.

You have the right:
• To know what personal information we maintain about you;
• To receive a copy of your personal information in a structured, commonly used and machine-readable or commonly used electronic format on request;
• To update and modify personal information is incorrect or incomplete;
• To object to our processing of your personal information when collection is based on a legitimate interest; and
• To delete or restrict how we use your personal information, but this right is determined by applicable law and may impact your access to our Game.

Please note that we may ask you to verify your identity before responding to such requests.

GDPR
Under the GDPR, individuals residing in the EU and other territories that have adopted GDPR compliance or comparable regulation have certain rights with regard to their personal data. The rights that we describe below are not absolute rights. We will always consider whether we can reasonably meet your request. If we cannot meet your request, or if it would be at the expense of the privacy of others, we can refuse your request. If we refuse a request, we will let you know and explain our reasons.

Right of access
You have the right to request which personal data we process about you. You can also ask us to provide insight into the processing grounds, relevant categories of personal data, the (categories of) recipients of personal data, the retention period, the source of the data and whether or not we use automated decision making.
You may also request a copy of your personal data that we process. Do you want additional copies? Then we can charge a reasonable fee for this.

Right to rectification
If the personal data processed by us about you is incorrect or incomplete, you can request us to adjust or supplement the personal data.
If we grant your request, we will, to the extent reasonably possible, inform the parties to whom we provide information.

Right to erasure
Do you no longer want us to process certain personal data about you? Then you can request us to delete certain (or all) personal data about you. Whether we will delete data depends on the processing ground. We only delete data that we process on the basis of a legal obligation or for the performance of the agreement if the personal data is no longer necessary. If we process data based on our legitimate interest, we will only delete data if your interest outweighs ours. We will make this assessment. If we process the data on the basis of consent, we will only delete the data if you withdraw your consent. Have we accidentally processed data or does a specific law require that we delete data? Then we will delete the data. If the data is necessary for the settlement of a legal proceeding or a (legal) dispute, we will only delete the personal data after the end of the proceedings or the dispute.
If we grant your request, we will, to the extent reasonably possible, inform the parties to whom we provide information.

Restriction of processing
If you dispute the accuracy of personal data processed by us, if you believe that we have processed your personal data unlawfully, if we no longer need the data or if you have objected to the processing, you can also request us to restrict the processing of that personal data. For example, during the time that we need to assess your dispute or objection, or if it is already clear that there is no longer any legal ground for further processing of those personal data, but you still have an interest in us not deleting the personal data. If we limit the processing of your personal data at your request, we may still use that data for the settlement of legal proceedings or a (legal) dispute.

Right to data portability
At your request, we may transfer the data that we automatically process to execute the agreement or based on your consent, to you or another party designated by you. You can make such a request at reasonable intervals.

Automated individual decision making
We do not take decisions based solely on automated processing.

Right of restriction of processing and withdrawal of permission
If we process data on the grounds of a legitimate interest, you may object to the processing. If we process data on the basis of your consent, you may withdraw that consent. For more information, please refer to the relevant processing purposes above.

Exercising your rights
You can send a request for access, correction, deletion, data transfer of your personal data or request for withdrawal of your consent or objection to the processing of your personal data to info@totalmayhemgames.com.
To prevent abuse, we may ask you to identify yourself adequately in the case of a written request for access, rectification or erasure.
We strive to process your request, complaint or objection within a month. If it is not possible to make a decision within a month, we will inform you of the reasons for the delay and the time when the decision is expected to be made (no longer than 3 months after receipt).

Dutch Data Protection Authority
Do you have a complaint about our processing of your personal data? Please contact us. We are naturally happy to assist you. If we cannot come to a solution, you are also entitled to submit a complaint to the national privacy authority, in this case the Dutch Data Protection Authority. For this you can contact the Dutch Data Protection Authority via https://autoriteitpersoonsgegevens.nl.

9. Contact
If you have questions, concerns or comments about this Privacy Policy or our data processing, please contact us via e-mail on info@totalmayhemgames.com.

California Consumer Data Rights

TMG Studios B.V. complies with the California Consumer Privacy Act of 2018 (CCPA) as amended, that secures specific privacy rights for California consumers.

Categories of Data We Collect and Their Uses
In addition to the details provided in our Privacy Policy, we may collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device (“Personal Information”). In particular, we have collected the following categories of Personal Information from consumers within the last twelve (12) months:




Personal Information does not include:
• Publicly available information from government records.
• De-identified or aggregated consumer information.
• Information excluded from the CCPA's scope, like:
1. Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;
2. Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver's Privacy Protection Act of 1994.

We may obtain the categories of Personal Information listed above from the following categories of sources:
• Directly from our end users. For example, from end users who provide feedback to us, or in the event that you contact us with questions regarding this Privacy Policy.
• Indirectly from our end users. For example, through information we collect in the event that you contact us with questions regarding this Privacy Policy.
• Directly and indirectly from activity through the Game. For example, from APIs, and other information related to improving our Game.
• From third parties that interact with us in connection with the Game we perform.

All such Personal Information is used as otherwise described above in our Privacy Policy.

Sharing Personal Information
We may disclose your Personal Information to a third party for a business purpose. When we disclose Personal Information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that Personal Information confidential and not use it for any purpose except performing the contract.

In the preceding twelve (12) months, we have disclosed the following categories of Personal Information for a business purpose;
Identifiers and Internet or other similar network activity.

Your Rights and Choices
Access to Specific Information and Data Portability Rights
You have the right to request that we disclose certain information to you about our collection and use of your Personal Information over the past twelve (12) months. Once we receive and confirm your verifiable consumer request, we will disclose to you:
• The categories of Personal Information we collected about you;
• The categories of sources for the Personal Information we collected about you;
• Our business or commercial purpose for collecting that Personal Information;
• The categories of third parties with whom we share that Personal Information; and
• The specific pieces of Personal Information we collected about you (also called a “data portability” request).

We generally do not sell end user data. However, if we do sell your Personal Information for a business purpose, we will also disclose to you:
• The Personal Information that each category of recipient purchased; and
• Disclosures for a business purpose, identifying the Personal Information categories that each category of recipient obtained.

Deletion Request Rights
You have the right to request that we delete any of your Personal Information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your Personal Information from our records, unless an exception applies.

We may deny your deletion request if retaining the information is necessary for us or our service providers to:
● Complete any transaction for which we collected the Personal Information, provide a product or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you;
● Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities;
● Debug products, including our Game, to identify and repair errors that impair existing intended functionality;
● Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law;
● Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 seq.);
● Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information's deletion may likely render impossible or seriously impair the research's achievement, if you previously provided informed consent;
● Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us;
● Comply with a legal obligation; or
● Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

Exercising Access, Data Portability, and Deletion Rights
To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us at info@totalmayhemgames.com.

Requests must include "California Privacy Rights Request" in the first line of the description and include your name, street address, city, state, and ZIP code.

Only you or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your Personal Information. You may also make a verifiable consumer request on behalf of your minor child.

You may only make a verifiable consumer request for access or data portability twice within a twelve (12) month period. The verifiable consumer request must:
• Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative; and
• Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use Personal Information provided in a verifiable consumer request to verify the requestor's identity or authority to make the request.


Response Timing and Format
We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to ninety (90) days), we will inform you of the reason and extension period in writing. Any disclosures we provide will only cover the twelve (12) month period preceding the verifiable consumer request's receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your Personal Information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.


Non-Discrimination
We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:
• Deny you goods or services;
• Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;
• Provide you a different level or quality of goods or services; or
• Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.