Privacy Policy of Koboldgames GmbH
Version as of January 1, 2025
In this privacy policy, we, Koboldgames GmbH (hereinafter referred to as Koboldgames, we, or us), explain how we collect and otherwise process personal data. This is not an exhaustive description; other privacy policies, terms and conditions, contractual documents, and similar documents may govern specific matters.
If you provide us with personal data of other individuals (e.g., family members, colleagues), please ensure that these
individuals are aware of this privacy policy and only share their personal data with us if you are authorized to do so
and if such personal data is accurate.
1 Representative
The entity responsible for the data processing as described in this privacy policy is Koboldgames, unless we have informed you differently in certain cases. You can notify us of any data protection related concerns using the following contact details:
Koboldgames GmbH
Technopark Aargau
Badenerstrasse 13
5200 Brugg
privacy@koboldgames.ch
2 Collection and Processing of Personal Data
2.1 Definitions
Personal data refers to any information relating to an identified or identifiable individual. A data subject is a person whose personal data is being processed. Processing encompasses any handling of personal data, regardless of the means and procedures used, including the storage, disclosure, acquisition, collection, deletion, alteration, destruction, and use of personal data.
The European Economic Area (EEA) comprises the European Union (EU) as well as the Principality of Liechtenstein,
Iceland and Norway. The EU General Data Protection Regulation (GDPR), the Federal Act on Data Protection (FADP),
and the Ordinance to the Federal Act on Data Protection (DPO) refer to the processing of personal data as the
processing of personal data.
2.2 Legal Basis
This privacy policy is designed to meet the requirements of the EU General Data Protection Regulation (GDPR), the Federal Data Protection Act (DPA), and the Ordinance to the Federal Act on Data Protection (DPO). Whether and to what extent these laws apply depends on the individual case.
We process personal data in accordance with at least one of the following legal bases:
- Art. 6 para. 1 lit. b GDPR for the necessary processing of personal data to perform a contract with the data subject or to take pre-contractual measures.
- Art. 6 para. 1 lit. f GDPR for the necessary processing of personal data to safeguard our legitimate interests or those of third parties, provided that the fundamental rights and freedoms of the data subject do not override these interests. Legitimate interests include, in particular, our interest in providing our services on a permanent, user-friendly, secure, and reliable basis, promoting them as needed, ensuring information security, protecting against abuse and unauthorized use, enforcing our legal claims, and complying with Swiss law.
- Art. 6 para. 1 lit. c GDPR for the necessary processing of personal data to fulfill a legal obligation to which we are subject under the laws of EEA member states.
- Art. 6 para. 1 lit. e GDPR for the necessary processing of personal data to carry out a task in the public interest.
- Art. 6 para. 1 lit. a GDPR for processing personal data with the consent of the data subject.
- Art. 6 para. 1 lit. d GDPR for the necessary processing of personal data to protect the vital interests of the data subject or another natural person.
2.3 Type, Scope, and Purpose
We process the personal data necessary to conclude and perform our contracts with customers and business partners. Such personal data may fall into the categories of basic and contact data, browser and device data, content data, metadata, and usage data, location data, sales, contract, and payment data.
We process personal data primarily only with the consent of the data subject unless processing is permitted for other legal reasons, such as to perform a contract with the data subject, take pre-contractual measures, safeguard our predominant legitimate interests, where the processing is evident from the circumstances, or after prior notification. Consent given may be revoked at any time, but this does not affect data processing already carried out.
Within this framework, we particularly process information that a data subject voluntarily provides when contacting us, for example, by mail, email, contact form, social media, or phone. We may store such information, for instance, in an address book or similar tools. If you provide us with personal data about third parties, you must ensure that data protection is ensured for such third parties and that the accuracy of such personal data is guaranteed.
Furthermore, we process personal data of you and other individuals, as permitted and as deemed appropriate, also for the following purposes where we (and occasionally third parties) have a legitimate interest consistent with the purpose:
- Offering and further developing our offerings, services, websites, apps, and other platforms
- Communication with third parties and handling their inquiries (e.g., applications, media inquiries)
- Reviewing and optimizing procedures for needs analysis to enable direct customer approach
- Advertising and marketing (including event execution), as long as you have not objected to the use of your data (you can object to us sending you promotional messages at any time if you are an existing customer)
- Market and opinion research, media monitoring
- Ensuring our operations, especially IT systems, websites, apps, and other platforms
- Assertion of legal claims and defense in legal disputes and official proceedings
- Prevention and investigation of crimes and other misconduct (e.g., internal investigations, data analyses for fraud prevention)
Personal data from applications is processed only to the extent necessary to assess suitability for an employment relationship or for the subsequent execution of an employment contract. The personal data required for conducting an application procedure is derived from the requested or provided information, for example, within a job description. Applicants have the option to voluntarily provide additional information for their respective applications.
We also process personal data that we receive from third parties, obtain from publicly accessible sources, or collect during the provision of our services, as long as and to the extent that such processing is legally permitted. These data include:
- Information from public registers, information we learn in the context of official and legal proceedings
- Information in connection with your professional functions and activities (so we can, for example, enter into and execute transactions with your employer)
- Information about you contained in correspondence and meetings with third parties
- Creditworthiness information (if we transact with you personally)
- Information about you provided by persons in your environment (family, advisors, legal representatives, etc.) so we can conclude or execute contracts with you or involving you. This includes:
  - References
  - Delivery addresses
  - Authorizations
- Information to comply with legal requirements such as anti-money laundering and export restrictions
- Information from banks, insurance companies
- Information from our distribution and other contractual partners to use or provide services to you (e.g., completed payments, completed purchases)
- Information from media and the internet about you (where appropriate, e.g., in the context of an application, press review, marketing/sales, etc.)
- Data related to the use of our website
2.4 Retention Periods for your Personal Data
We process and retain your personal data as long as required for the performance of our contractual obligation and
compliance with legal obligations or other purposes pursued with the processing, i.e. for the duration of the entire
business relationship (from initiation and execution to the termination of a contract) as well as beyond this duration
in accordance with legal retention and documentation obligations. Personal data may be retained for the period during
which claims can be asserted against our company or insofar as we are otherwise legally obliged to do so or if
legitimate business interests require further retention (e.g., for evidence and documentation purposes). As soon as your
personal data are no longer required for the above-mentioned purposes, they will be deleted or anonymized, to the extent
possible. In general, shorter retention periods of no more than twelve months apply for operational data (e.g., system
logs).
2.5 Processing of Personal Data by Third Parties, Including Abroad
We may have personal data processed by commissioned third parties or process it together with third parties, or with the help of third parties, or transfer it to third parties. Such third parties are providers whose services we use. This particularly involves the following entities:
- Our service providers (e.g., banks, insurance companies), including order processors (e.g., IT providers)
- Customers
- Authorities, offices, or courts in Switzerland and abroad
- Media
- Public, including visitors to websites and social media
- Other parties in potential or pending legal proceedings
We ensure adequate data protection even with such third parties.
Such third parties are generally located in Switzerland and the European Economic Area (EEA). However, such third parties may also be located in other countries and territories worldwide, provided their data protection laws are considered adequate by the Federal Data Protection and Information Commissioner (FDPIC) and – if and to the extent the EU General Data Protection Regulation (GDPR) applies – by the European Commission, or if adequate data protection is ensured for other reasons, such as by an appropriate contractual agreement, especially based on standard contractual clauses, or by corresponding certification. For third parties in the United States of America (USA), certification under the Privacy Shield can ensure adequate data protection.
If such third parties are located in a country without adequate legal data protection, we contractually obligate them to
comply with applicable data protection (using the revised standard contractual clauses of the European Commission),
unless the recipient is subject to a legally accepted set of rules to ensure data protection and unless we cannot rely
on an exception. An exception may apply for example in case of legal proceedings abroad, but also in cases of overriding
public interest or if the performance of a contract requires disclosure, if you have consented or if data has been made
available generally by you, and you have not objected against its processing.
3 Rights of Data Subjects
You have the right under the applicable data protection law, as provided therein (e.g., under the GDPR), to access, correct, delete, restrict data processing, and otherwise object to our data processing, as well as to receive certain personal data for transfer to another entity (data portability).
However, please note that we reserve the right to enforce statutory restrictions, for example, if we are obliged to
retain or process certain data, have an overriding interest (if we may invoke this), or require the data to assert
claims. If costs are incurred for you, we will inform you in advance. We have already informed you about the possibility
of revoking your consent in Section 2.5. Note that exercising these rights may conflict
with contractual agreements and result in consequences such as early termination of the contract or associated costs.
We will inform you in advance where this is not already contractually regulated. Exercising such rights generally
requires clear proof of identity (e.g., a copy of an ID where your identity is not otherwise clear or verifiable). You
can contact us to assert your rights at the address provided in Section 1. Each data subject also
has the right to enforce their claims in court or file a complaint with the competent data protection authority. The
competent data protection authority of Switzerland is the Federal Data Protection and Information Commissioner.
4 Data Security
We take appropriate and suitable technical and organizational measures to ensure data protection and data security. However, despite such measures, the processing of personal data on the Internet can always have security gaps. We can therefore not guarantee absolute data security.
Access to our online offer is carried out using transport encryption (SSL / TLS, particularly with the Hypertext Transfer Protocol Secure, abbreviated HTTPS). Most browsers mark transport encryption with a padlock in the address bar.
Access to our online offerings is subject – as is basically the case with all internet usage – to incidental and
suspicion-independent mass surveillance and other monitoring by security authorities in Switzerland, the European Union
(EU), the United States of America (USA), and other countries. We cannot directly influence the corresponding processing
of personal data by intelligence services, law enforcement agencies, and other security authorities.
5 Use of our Website
5.1 Cookies
We may use cookies on our website. Cookies, both our own cookies (first-party cookies) and cookies from third parties whose services we use (third-party cookies), are text data stored in your browser. Cookies cannot execute programs or transmit malware such as trojans and viruses.
Cookies may be temporarily stored in your browser as session cookies during your visit to our website or for a certain period as so-called permanent cookies. Session cookies are automatically deleted when you close your browser. Permanent cookies allow, among other things, your browser to be recognized on your next visit to our website and thereby, for example, measure the reach of our website. Permanent cookies can also be used for online marketing.
You can disable or delete cookies in your browser settings at any time, in whole or in part. Most browsers are set to
accept cookies by default. We use permanent cookies only to save user settings (e.g., language, auto-login).
5.2 Server Log Files
We may collect the following information for each access to our website, provided this information is transmitted from your browser to our server infrastructure or determined by our web server: date and time, including time zone, internet protocol (IP) address, access status (HTTP status code), operating system, including user interface and version, browser, including language and version, accessed pages and content, including transmitted data volume, and the last website visited in the same browser window (referrer).
We store such information, which may also constitute personal data, in server log files. This information is necessary
to provide our online offerings on a permanent, user-friendly, and reliable basis and to ensure data security and thus,
particularly, the protection of personal data, either by third parties or with the help of third parties.
5.3 Third-Party Services
We use YouTube and Google Maps to embed videos and map information on our website. Cookies are also used. YouTube is a service of the American Google LLC. For users in the European Economic Area (EEA) and Switzerland, the Irish Google Ireland Limited is responsible. Further information on the type, scope, and purpose of data processing can be found in the Google Privacy and Security Principles, the Google Privacy Policy, the Guide to Privacy in Google Products (including YouTube), the Information on how Google uses data from sites or apps that use Google services, and the Information on Google Cookies. Additionally, there is the option to object to personalized advertising.
We use Umami to analyze how our website is used, including measuring the reach of our website and the success of
links from third parties to our website. Umami is free software and a service of the American Umami Software, Inc. This
service does not require cookies. Processed data is anonymized and transmitted securely. Further information on
functionality and data protection applied can be found in the Umami documentation and the
Umami blog.
6 Social Media
We are present on social media platforms and other online platforms to communicate with interested parties and inform them about our offerings. Personal data may also be processed outside Switzerland and the EEA.
The general terms and conditions (ToC) and terms of use, as well as privacy policies and other provisions of the respective operators of such online platforms, also apply. These provisions provide information, in particular, on the rights of data subjects, including the right to access.
Users of social media platforms can use their respective user accounts to log in or register for our online offerings
(social login). The respective conditions of the social media platforms, such as general terms and conditions (ToC),
terms of use, or privacy policies, apply.
7 Final Provisions
We may amend this privacy policy at any time without prior notice. The current version published on our website shall apply. If the privacy policy is part of an agreement with you, we will inform you of any updates by email or other appropriate means.