Privacy Policy www.crytek.com

This Privacy Policy describes how your personal information is collected, used, and shared when you visit www.crytek.com – (the "Site").

Who we are

The controller of this Site in terms of the General Data Protection Regulation ("GDPR") is:

• Crytek GmbH, Hugo-Junkers-Strasse 3, 60386 Frankfurt am Main, Germany, info@crytek.com - Managing Director: Avni Yerli

Contact data of our Data Protection Officer

DPO
Crytek GmbH, Hugo-Junkers-Strasse 3, 60386 Frankfurt am Main, Germany
privacy@crytek.com

Which personal data we process and for what purposes

In terms of Art. 4 No. 1 GDPR Personal data includes any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Definitions:

To simplify this information, we group the following data into a definition. When we name the definition below, we refer to this group of data attributes.

“Device information”:

• Information about the web browser you're using
• IP address
• Time zone
• Information on web products or pages that you view.
• Information regarding redirects/which website or search terms referred you to the Site.
• Internet service provider,
• referring/exit pages
• date/time stamps

“Order information”:

• Email address
• Full name
• Payment information – all payment information is collected and processed by the following third-party vendors – PayPal and Stripe.
• Billing address
• Shipping address

“Personal Information”:

When we talk about "Personal Information" in this Privacy Policy, we are talking both about Device Information and Order Information.

In addition to the data listed above, we might process further personal data as outlined below.

Webserver Log Files

Crytek collects data as follows when a user visits this site. We collect the following data which can be assessed as being personal data:

• device information

We use the device Information that we collect to help us screen for potential risk and fraud (in particular, your IP address), and more generally to improve and optimize our Site (for example to identify malfunctions of the website and to analyse how our customers browse and interact with the site). We regard those interests as legitimate interest under Art. 6 (1) lit. f GDPR since it is in our and the interest of the visitors of our site that this site is safe.

CloudFlare

Cloudflare services are integrated on our website. This service helps us to provide our website with high performance worldwide. When these Cloudflare services are called up, the device information described above is transmitted to Cloudflare.

The legal basis for this data processing is our legitimate interest since it is in our and the interest of the visitors of our website that this website is safe.

In relation to us Cloudflare, Inc, 101 Townsend St, San Francisco, CA 94107, USA, acts as a data processor within the meaning of the GDPR. We have entered into a data processing agreement with Cloudflare. In addition, any transfer of personal data is covered by the European Union's standard contractual clauses. Cloudflare, Inc. is certified under the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework.

Cookies

“Cookies” are data files that are placed on your device or computer by your browser and often include an anonymous unique identifier. These cookies are used to temporarily store information during your visit ("session") to our website and to read it during the course of your visit or when you return later. We distinguish between technically necessary cookies and other cookies (which are set for marketing purposes, for example).

We process technically necessary cookies on the basis of our legitimate interest under Art. 6 (1) lit. f GDPR to ensure the functionality of the website. All other cookies are processed. We only process all other cookies after you have given your consent (GDPR Art. 6 (1) lit. a), which you can give via a cookie banner when you visit our website.

For more information about cookies, and how to object enable cookies, visit Cookie Policy page.

When a user signs up for our newsletter

When you subscribe to our Crytek newsletter you give your consent to receive our newsletter with information to Crytek, our products and services and that your email address will be stored for this purpose. We process the following data for this processing activity:

• email address

After submitting your email address you will receive a confirmation email with a link which has to be clicked in order to confirm your subscription. Only after such confirmation you will receive our newsletter, which will be sent out from time to time. Your email address will only be used for this purpose.

You are entitled to withdraw your consent at any time without any reason by clicking at a respective “unsubscribe" link included in each newsletter.

We use MailChimp a service of Rocket Science Group LCC, 675 Ponce De Leon Ave NE Ste 5000 Atlanta, GA, USA to send our newsletter when you sign up for a newsletter subscription. We have entered into a data processing agreement with Mailchimp. In addition, any transfer of personal data is covered by the European Union's standard contractual clauses. You can review MailChimp's privacy policy at mailchimp.com/legal/privacy. Rocket Science Group LCC is certified under the EU-U.S. Privacy Framework and the Swiss-U.S. Privacy Framework.

The legal basis for the use of personal data with regard to send you newsletter(s) is Art. 6 (1) lit (a) GDPR as you have given us your consent.

Administration of your Crytek account:

On our website we offer the possibility to create a Crytek user account. This account is used for different purposes and is a prerequisite for using our webshop and for using our support:

When a user chooses to sign up and log into crytek.com we process following personal data:

• Nick name
• Email

In some cases, Crytek user account services running under the domain gface.com are used to manage the Crytek user account. This domain is in our possession. Data processing under this domain is considered internal.

Since the Crytek user account essentially serves to support services that are used within the framework of a contract, we consider the data processing for the user account to be necessary for the fulfilment of a contract or for the implementation of pre-contractual measures. Therefore, the legal basis for processing is GDPR Art. 6 para. 1 lit. b.

Google reCaptcha

Within the user account Google reCaptcha is used to confirm the authenticity during registration, resend activation, login, password reset and within the contact form. With this service, we try to detect and fend off attacks on our services by machines.

When the Google service is accessed, the "Device information" described in the "Web server log files" section are processed.

We consider it to be in our legitimate interest to use the services to prevent damage to our website and our servers. The legal basis for the use of Google ReCaptcha is therefore GDPR Art. 6 para. 1 lit. f).

The data recipient in terms of Google reCaptcha is:

Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

as data processor. For this purpose we have concluded a data processing agreement with Google. Google LLC, headquartered in California, USA.. Google is certified under the EU-U.S. Privacy Framework and the Swiss-U.S. Privacy Framework.

A transfer of data to the USA cannot be excluded.

For more information about Google services terms of use and Google's privacy policy, please visit:

https://policies.google.com/terms?hl=en&fg=1
https://policies.google.com/privacy?hl=en&fg=1.

Purchases in our shop

When using our webshop we process following personal data:

• Order information.

Order information is gathered when you make or attempt to make a purchase through the Site.

How we use Order information

Crytek will not transmit your personal data to third parties unless it is necessary according to the law or in order to fulfill your contract. In case of a purchase we provide payment services to our users we use third party service providers and this might include the transmission of personal data

• STRIPE https://stripe.com/en-de/privacy
• PAYPAL https://www.paypal.com/en/webapps/mpp/ua/privacy-full

The Order information gathered from you is gathered as it is necessary to fulfill our contract(s) with you (including processing your payment information, arranging for shipping, and providing you with invoices and/or order confirmations). The legal basis is the fulfilment of the contractual obligations (Art. 6 (1) lit. b GDPR).

If you order a product/service your email address may also be used in order to contact you in the case of future deals/sales, in the form of emails/newsletters, and is a legitimate interest under Art. 6 (1) lit. f GDPR. You are entitled to object against the usage of your data for advertisement purposes at any time by sending an email to shop@crytek.com.

Order information such as your billing address, shipping address and payment information may be used to screen our orders for the potential risk of fraud, as a legitimate interest under Art. 6 (1) lit. f GDPR.

CRYTEK does not collect/keep private payment information such as credit card details. These data are being requested in an inline frame from stripe domain, meaning Crytek has no access to this data.

Job Application

If you apply for a job at Crytek some personal data is necessary to assess whether your qualification matches the job profile. The processing of the respective data is legally based on Art. 6 (1) (b) GDPR as a necessary step to potentially conclude an employment agreement. If you agree to a longer retention period the legal basis is Art. 6 (1) (a) GDPR. Further, data processing activities (e.g. personality tests) are based on your consent (Art. 6 (1) (a) GDPR.

Certain personal data is necessary for the specific application process. Generally we will need your:

• Full name
• Contact details
• Qualifications, certificates, testimony and job experience
• In some cases personality test or IQ-test

The access to your personal data is restricted to certain people inside Crytek on a "need-to-know" – basis. This will be members of the HR department, team leads/directors and – sometimes – subject matter experts which are stakeholders of the job.

Within our application process we use software of the service provider based in the USA: Lever, Inc., 155 5th Street, 6th Floor, San Francisco, CA 94103. With regard to us Lever serves as a data processor in terms of the GDPR. We have concluded a data processing agreement with Lever. In addition any transfer of personal data is safeguarded by Standard Contractual Clauses as provided by the European Union. Employ Inc. Including the entity Lever Inc. is certified under the EU-U.S. Privacy Framework and the Swiss-U.S. Privacy Framework.

We will store your personal data during the application process and a period of six months after the end of the application process.

Based on your explicit consent we will store your personal data for a period up to three years in order to review your qualifications for future job opportunities.

Data processing with YouTube videos

We use components (videos) of the company YouTube, LLC 901 Cherry Ave, 94066 San Bruno, CA, USA (hereinafter: "YouTube"), a company of Google Inc, Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter: "Google"), on our websites on the basis of consent pursuant to Art. 6 (1) lit. a DSGVO.

Before you can view a YouTube video on our site, you will be asked for your consent. By clicking on "PLAY VIDEO", you consent to the data processing and to the setting of cookies. After the consent, a connection to the YouTube servers will be established and in the process the content will be displayed on the website by notifying your browser. In addition, a cookie is stored on your computer.

We use the "enhanced privacy mode" option provided by YouTube. According to the information provided by YouTube, in "extended data protection mode" your data - in particular which of our Internet pages you have visited as well as device-specific information including the IP address - is only transmitted to the YouTube server in the USA when you watch the video. By calling up the video, you consent to this transmission.

If you are logged in to YouTube at the same time, this information will be assigned to your YouTube member account. You can prevent this by logging out of your member account before visiting our website.

When you continue to view this or other videos, you must consent to the processing of the data again in each case. You can delete the cookie generated by youtube-nocookie.com via your browser setting under "Privacy and security".

Crytek GmbH has no influence on the type and scope of the data processed by Google, the type of processing and use or the transfer of this data to third parties. Nor does it have any effective control options in this respect.

Further information on data protection in connection with YouTube can be found in Google's privacy policy.

Web Analytics

For the analysis of the traffic on our website we use Google Analytics.

When you visit our website for the first time, you will be asked to accept or reject cookies for web analysis. If you have given your consent, this website uses Google Analytics, a web analysis service of Google LLC. The responsible service provider in the EU is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").

Scope of processing

Google Analytics uses cookies that enable an analysis of your use of our website. The information collected by the cookies about your use of this website is usually transferred to a Google server in the USA and stored.

We use the function 'anonymizeIP' (so-called IP-Masking): Due to the activation of IP-anonymization on this website, your IP-address will be shortened by Google within member states of the European Union or in other signatory states of the Agreement on the European Economic Area. Only in exceptional cases the full IP address will be transferred to a Google server in the USA and shortened there. The IP address transmitted by your browser within the framework of Google Analytics is not merged with other data from Google.

During your website visit the following data will be collected:

• the pages you call up, your "click behaviour"
• Achievement of "website goals" (conversions, e.g. newsletter registrations, downloads, purchases)
• Your user behavior (for example clicks, dwell time, bounce rates)
• Your approximate location (region)
• Your IP address (in abbreviated form)
• technical information about your browser and the end devices you use (e.g. language settings, screen resolution)
• Your internet provider
• the referrer URL (via which website/advertising medium you came to this website)

Purposes of processing

On behalf of the operator of this website, Google will use this information to evaluate your pseudonymous use of the website and to compile reports on website activity. The reports provided by Google Analytics serve to analyse the performance of our website and the success of our marketing campaigns.

Recipient

The data recipient is

Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

as data processor. For this purpose we have concluded a contract with Google. Google LLC, headquartered in California, USA, and, if applicable, US authorities can access the data stored at Google. Google is certified under the EU-U.S. Privacy Framework and the Swiss-U.S. Privacy Framework.

A transfer of data to the USA cannot be excluded.

Duration of storage

The data sent by us and linked to cookies is automatically deleted after 14 months. Data is automatically deleted once a month as soon as the storage period is reached.

You can prevent the collection of data generated by the cookie and related to your use of the WebSite (including your IP address) to Google and the processing of this data by Google by

• not giving your consent to the setting of the cookie or
• downloading and installing the browser add-on to disable Google Analytics (https://tools.google.com/dlpage/gaoptout?hl=en)

By setting your browser software accordingly you can also prevent the storage of cookies. If your browser is set to refuse all cookies, the functionality of this and other websites may be limited.

Legal basis and right of withdrawal

Your consent is the legal basis for this data processing, Art.6 para.1 S.1 lit. a GDPR. You can withdraw your consent at any time with effect for the future by changing your selection in the cookie settings Customize privacy preferences.

For more information about Google Analytics terms of use and Google's privacy policy, please visit

https://marketingplatform.google.com/about/analytics/terms/gb/ and https://policies.google.com/?hl=en.

Customer support

Support chat tool Intercom

We offer support for our services e.g. our video games.. Personal data which will be processed in such support request depends on the kind of requests. We have integrated a chat tool on our website for this purpose. The provider of this chat tool is Intercom Inc. 55 2nd Street, 4th Floor, San Francisco, CA 94105, USA

When using Intercom, the data you enter in the chat console is transmitted, as well as your IP address and communication timestamp. All this data is transmitted in encrypted form using TLS/SSL encryption and is also stored on the servers using 256-bit encryption. As we operate internationally, the data is stored internationally. We have concluded a data processing agreement with Intercom Inc. with the standard contractual clauses for international data traffic provided by the European Commission. Intercom Inc. is also certified for international data traffic under the EU-US Privacy Shield. Details on Intercom's compliance with European data protection law can be found at https://www.intercom.com/help/en/articles/1385437-how-intercom-complies-with-gdpr.

Technical usage information

Additional hardware and software information helps us to recreate the technical issues reported by the user to provide information e.g. in the case of a crash or error and respond to inquiries. Examples of this are information such as traceroutes, IP addresses of your devices, performance characteristics of your devices, game information (like SteamID, GamerID, XBOX ID).

The legal basis for data processing with Intercom in support is our user agreement for the respective games (GDPR Art. 6 para.1 S.1 lit. b).

On this website we have integrated a plugin from Intercom, which allows users to enter the chat. When the plugin is loaded, Device information (see above) is transmitted to the Intercom servers. This integration is based on our legitimate interest in providing users with a quick and easy way to get support. The legal basis is therefore GDPR Art. 6 para.1 S.1 lit. f).

User and business inquiries and feedback

Users and other interested parties can contact us by email. Any information you include in your email (e.g. name, email adress etc,) is used to process the respective inquiry and to get in contact with you. The legal basis hereto is Art. 6 (1) lit. a GDPR since you consent to such processing by submitting you request/message.

The recipients of Personal Data

We have already named the recipients of data processing in the description of the individual processing activities. Essentially, these are the internal offices at Crytek, but also service providers that we use. In addition to the recipients mentioned above, there are also the following recipients:

Our services are hosted by our hosting provider (LeaseWeb Deutschland GmbH, Kleyerstraße 75-87, 60326 Frankfurt am Main- https://www.leaseweb.com/legal.

Any service providers that come in contact with your personal data are required to comply with the same relevant data protection regulations. Upon request we may provide copies of relevant contract unless it is prohibited by contractual obligations and/or applicable law.

Transfer of personal data to a third country or international organisation

As listed in detail above in the description of the individual processing activities, data transfers are made to the following international organizations:

• Google LLC., USA
• Lever, Inc., USA
• Intercom Inc., USA
• Rocket Science Group LCC, USA
• Cloudflare, inc. USA

How long is your Personal Data stored?

In principle, Crytek stores data in accordance with statutory retention periods, e.g. under commercial and tax law.

If you have given us your consent, we will process and store the data until you withdraw your consent or ask us to delete the data.

If no statutory retention periods are specified and the processing is not based on consent, we have defined retention periods that are based on the respective purpose of the data processing or have been recommended by supervisory authorities.

The following retention periods are defined:

Webserver Log Files – 6 months
Cookies – different retentions periods defined, please visit our Cookie Policy page
Newsletter - When you subscribe to our Newsletters, we (actually Mailchimp) store your email address until you unsubscribe.
Crytek account - We will store your data as long as your Crytek user account exists. In addition, there might be minimum retention periods stipulated by applicable law which Crytek has to comply to.
Purchases in our shop - When you place an order through the Site, we will maintain your Order Information for our records as long as this data is necessary to fulfill the purpose for which it was collected and/or as long as we are obliged by law.
Job Application – 6 months after the end of the application process (please see description above)
Web Analytics - 14 months (please see description above)

Behavioural Advertising

Visits to social media portals and websites can be used to collect information about you and add it to an advertising profile. As a result, you may be shown advertisements that match your surfing behaviour. Even if we do not use advertisements on our website, we would like to inform you, how you can opt out of targeted advertising by using the links below and in your cookie preferences:

• Google: https://www.google.com/settings/ads/anonymous
• Bing: https://advertise.bingads.microsoft.com/en-us/resources/policies/personalized-ads

Additionally, you can opt out of some of these services by visiting the Digital Advertising Alliance's opt-out portal at: http://optout.aboutads.info/.

DO NOT TRACK

Please note that we do not alter our Site's data collection and use practices when we see a Do Not Track signal from your browser.

YOUR RIGHTS

At any time, you have the right to:

Request access to your personal data processed by us within the scope of Art. 15 GDPR.

Request that your data be corrected if these are incorrect in terms of Art. 16 GDPR.

Request that your data be deleted if the legal grounds exist in terms of Art. 17 GDPR.

Request the restriction processing of your data, if the conditions are met in accordance with Art. 18 GDPR.

Request to port your personal data in a structured, commonly used and machine-readable format within the scope of Art. 20 GDPR.

Object to the further processing, if the processing is based on our legitimate interest in accordance with Art. 21 GDPR.

If the processing of your personal data is based on consent, you have the right to withdraw your consent at any time with effect for the future.

Lodge a complaint with a supervisory authority in a member state of the European Union. The supervisory authority responsible for us is:

The Hessian Commissioner for Data Protection and Freedom of Information
P.O. Box 3163
65021 Wiesbaden
Germany
Telephone: +49 611 1408 - 0
Fax: +49 611 1408 - 900
E-mail: poststelle@datenschutz.hessen.de

To contact us about any of the foregoing rights, please send us an email to privacy@crytek.com.

In case of a confidential request, please email our Data Protection Officer directly: dpo@crytek.com.

Consequences of non-provision, objection or withdrawal

If you object, restrict, or otherwise refuse the processing of your personal data mentioned above and/or ask us for a deletion, you might not be able to continue to use our services.

Please also note that in certain cases we must comply with defined retention period (see above).

Additional information for transparency

HOW DO WE PROTECT YOUR DATA

All user data is stored on secure servers protected by firewalls and antivirus software.

We have implemented technical and organizational measures intended to protect the security and confidentiality of your Data against any accidental loss and any unauthorized access, use, modification or disclosure.

CHANGES

We may update this privacy policy from time to time in order to reflect, for example, changes to our practices or for other operational, legal or regulatory reasons.

MINORS

The Site is not intended for individuals under the age of 18.

CONTACT US

For more information about our privacy practices, if you have questions, or if you would like to make a complaint, please contact us by email at privacy@crytek.com