Privacy Statement
Our Privacy Policy
At Merkur Media GmbH ("we" / "us"), we take your data privacy seriously. As such, we're committed to making it easy for you to understand what we do with your data. This privacy policy is an overview of what data we collect, why we collect and process it, and what choices you have to control what you share. We'd also like to inform you what legal rights you have with regard to your personal data, as well as who to contact about enforcing those rights.
We use the term "personal data" in the sense of Article 4 of the General Data Protection Regulation ("GDPR").
If you want to opt out of web analytics, jump to the relevant section using this link: Right of objection
Who we are
Merkur Media GmbH is a German company and belongs to the Gauselmann Group, a family-run enterprise that has supplied the world with gambling products for over 60 years. You can find us here:
Merkur Media GmbH
Merkur Allee 1-15
32339 Espelkamp
Germany
Who this privacy policy applies to
This privacy policy applies to you if you are a visitor of Merkur24, regardless of which platform you use to access our services (mobile, desktop).
What personal data do we collect?
We collect personal data from you when you register an account with us.
We process the following categories of data:
Data for access management (credentials)
e.g. email address, password (but also e.g. Facebook identifier if you connect your Facebook account)
Customisation data
e.g. your display name, your avatar
Data about your game progress
e.g. your level, quest status, the amount of in-game currency you have
Data about your preferences
e.g. whether you subscribed to our newsletter
Device data
e.g. device ID, operating system, browser string
Data about your online behaviour
e.g. logins, gameplay, clicks
Data about individual payments in our games
e.g. if you buy in-game currency using our shop
Network data
e.g. IP address, referrer
Localisation data
e.g. country of origin, language
Personally identifiable data
e.g. address, date of birth
Affiliate information
e.g. banner ads you clicked on to reach us
The way we process these data, why and on what legal basis we do this are explained in the section What do we process your data for?
Sensitive data
Sensitive data in the GDPR are the so-called "special categories of personal data", e.g. on your racial or ethnic origin, your health, or your political opinions.
We do not intentionally collect any sensitive data from you.
That said, we cannot control what content you put into messages you write through our website (e.g. to other users, or when you create a support ticket). While we strive to protect any privacy implied by such a transfer, we cannot differentiate a particularly sensitive message from any other kind of message you may choose to write. Please be aware such messages are not afforded any additional protection.
Data from children
We do not collect any information on children. You need to be a legal adult to play our games.
What do we process your data for?
We only process a user’s personal data in compliance with the relevant and pertinent data protection regulations. This means that a user’s data shall only be processed if the user has given his or her legal permission for us to do so. This is the case in particular when data processing is required in order for us to be able to provide our contractual and online services, when it is required by law, when we are in possession of the consent of the user, and when it is collected for the sake of our legitimate interests (i.e. interest in the analysis, optimization, and economic operation and safety of our online product as per Article 6 (1) (f) of the GDPR, in particular with regard to range measurement, the creation of profiles for advertising and marketing purposes, as well as the collection of access data and the use of the services of third-party providers).
We feel obligated to point out that Art. 6 (1) (a) and Art. 7 of the GDPR serve as the legal basis for consent, Art. 6 (1) (b) of the GDPR serves as the legal basis for processing for the performance of services and the performance of contractual measures, Art. 6 (1) (c) of the GDPR serves as the legal basis for processing in order to fulfill our legal obligations, and Art. 6 (1) (f) of the GDPR serves as the legal basis for processing in order to safeguard legitimate interests.
Enabling gameplay
(contractual fulfillment; Article 6.1.b GDPR)
Our game platform cannot function without certain data. In order for you to have any meaningful progress in your gameplay, we need to be able to reliably differentiate you from other users of our website, which is why we ask you to register an account. When you log in, we compare your login credentials against those we have on file, and maintain your customisation data and game progress.
Your display name, avatar, and certain elements of your progress are made public within our game platform (e.g. for in-game leaderboards, or to broadcast certain wins). You can change your display name and avatar at any time.
Additionally, your country and language are used to provide you with a localisation of our website - we will try to serve you content in your language and our in-game shop in your local currency.
Payments and invoices
If you want to buy in-game currency in our in-game shop, your interaction will usually be with third-party payment processors. In either case, if a payment was successful, we get this information as a digital invoice, which we store to fulfil legal requirements (Article 6.1.c GDPR), to retain them in the case of legal dispute (legitimate interest; Article 6.1.f GDPR), and to optimise our web presence for you (legitimate interest; Article 6.1.f GDPR).
These invoices contain data on what item you purchased, how much you paid for the item and what method you used to pay us with. We do not store information that could be used to make a payment on your behalf, unless you have given us a separate explicit, specific permission for this to ease your payment process (by enabling QuickPay; contractual fulfillment; Article 6.1.b GDPR).
On our website we use the services of the IT security provider Risk.Ident GmbH. All communication between us and Risk.Ident takes place solely for the purpose of preventing fraud on our website.
Data storage: Risk.Ident collects and processes specific data from our users, via cookies and tracking technology, about the features of the device used by the customer (“device related data”), raw data from the TCP/IP connection and data about the usage of our website. In doing so, Risk.Ident also collects and processes the IP address of the user. However, this is encrypted within a few seconds at Risk.Ident. The information will be saved in a database by Risk.Ident for risk prevention purposes.
Data retrieval: When the user has signed a contract that entails risk-related terms on our websites, e.g. by creating a user account for the purchase of certain items, we retrieve a risk score from the Risk.Ident database. The risk score was deposited there for the device used by the customer. The risk score is based, inter alia, on information about
a) whether the user’s device is communicating or has communicated, currently or in the past, via a proxy connection,
b) whether the device has recently dialed in via various internet service providers,
c) whether the device shows or has shown a frequently changing geo reference,
d) how many internet transactions have been executed via the device in the recent past (we cannot detect which kind of transaction it was), and
e) how probable it is that the device deposited in the Risk.Ident database actually is the device of the user.
The outcome of this risk score helps us prevent fraud attempts.
Data transmission: Furthermore, where we know that a user has committed or attempted to commit fraud against us, we transmit data to Risk.Ident. Risk.Ident receives the information about this fact as well as the specific device related data of the user.
As part of our fraud protection measures (also known as anti-fraud measures), all person-related master data, communication information, contractual master data, customer histories, contract billing data, and payment information are provided to Risk.Ident GmbH for processing.
Direct marketing
(Legitimate interest; Article 6.1.f GDPR)
We offer our players the ability to optionally subscribe to our newsletter to keep them up to date with current events. Our existing customers will also receive game-related information by email. You can easily unsubscribe from all advertising-related mails at any time, either via the unsubscribe link in our emails or by changing your email preferences in your account.
Should you have provided us with your postal address, you will receive postal mail from us on certain occasions or for special campaigns. You can object to receiving such postal mail at any time by either contacting our customer service or sending us an email at service[at]whow[dot]net (service@whow.net).
Security and fraud prevention
(legitimate interest; Article 6.1.f GDPR)
To help secure our website and to prevent fraud, we store data such as your IP address and certain device information when you access our website and interact with it.
Your device data and IP address information is stored and logged to allow fraud and data security forensic investigation. Your IP address information is also processed automatically by our network devices - this infrastructure is needed to serve our website, but also to deny access to IP addresses known to be in use by malicious actors.
Due to the nature of this interest, we cannot offer you a means to opt out of this processing, as this would undermine its purpose (and in some cases, an opt-out is technically impossible - e.g. we cannot exempt your IP address from processing by our network devices).
If you object to this processing, we ask that you please do not use our website.
Optimisation of website and campaigns
(legitimate interest; Article 6.1.f GDPR)
To optimise our marketing campaigns and our website, we track information about your behaviour and preferences. These data are pseudonymised and stored separately from your account data. While they are stored on an individual basis, these data are only available to the employees that must work with these data, and they are reported on only in aggregate.
Over the course of campaign optimisation, we share some of these data with third-party trackers by embedding a tracking pixel on our website.
Please refer to the section Web and App Analytics for further information about these trackers and how you can opt out of them.
Automated decisions
We do not use your personal data for any automated individual decision-making that would have legal or otherwise similarly significant effects on you.
Any effects of automated decisions based on your personal data are confined to our game platform. For example, we may use your purchase information (frequency and amount) to give you automated, customised discounts in-game.
How long do we store your data?
For data that we store for legal reasons, we retain the data as long as legally required of us (up to ten years).
For data that we store in consideration of legal disputes, we retain the data as long as legally permissible. This may be up to 30 years.
For logs storing network data, we delete the data at regular intervals. The exact time varies based on configuration rules (which may prune the logs based on size rather than a fixed time), on whether the data was part of a snapshot that landed in a backup, and on whether the logs are part of a set of logs that are routinely forwarded to a central log repository, but will not exceed 2 years.
Facebook Audience Targeting and Pay User Tracking
We make use of the Facebook Audience Targeting and Pay User Tracking function to target and optimize our advertising measures. Information about user behavior on our website and the purchasing of virtual goods is processed accordingly in order to display personalized advertising put out by the Facebook network. This process only takes place once you've provided your express, explicit consent (Art. 6, Para. 1 lit. a GDPR). You can withdraw your consent at any time via our Consent Management Platform (CMP). Please visit https://www.facebook.com/privacy/explanation to find out more about the data processing conducted by Facebook.
Information regarding your rights
Merkur Media GmbH is headquartered in the European Union. We are committed to complying with the General Data Protection Regulation (GDPR). This affords you several inherent rights to your personal data.
You have the right to...
...request access to your personal data (Article 15 GDPR) in a portable format (Article 20 GDPR),
...request correction of your personal data (Article 16 GDPR),
...request restriction of the processing of your personal data (Article 18 GDPR),
...request deletion of your personal data (Article 17 GDPR),
...withdraw consent for the processing of your data, when we do this in accordance with a legitimate interest (Article 7.3 and Article 21 GDPR),
...lodge a complaint with a supervisory authority (Article 77 GDPR).
You can easily delete your data in the settings for your account. For all other requests, please contact us either through the support widget on our website, or by contacting us via email (info@whow.net). If you contact us through a means other than the support widget, please understand that we may need to ask you to prove your identity - after all, you wouldn't want a random stranger to get access to your data, and neither do we.
Note that it may take up to a month for us to process a request of yours. Should there be any delay, we will of course let you know.
You can find additional legal information in Articles 7.3, 15 – 21 and 77 of the GDPR.
Instructions for deleting your player data and/or your player account
Web version:
* Log into the respective player account using your player account information
* Then open your profile by clicking on your profile picture
* Scroll down until you reach the point "Delete account" and confirm this selection
* Enter your password to confirm deletion
Mobile version:
* Please start the app
* Select "Help" in the menu on the right side
* Scroll down to the end of the screen that pops up and select "Delete account"
* Confirm this selection by once again pressing on "Delete account"
Please note that any and all deletions will require a few days to process. Should you wish to cancel or revoke your deletion request, please proceed step by step through the instructions provided above and object to the respective deletion.
Your right to access, correct and erase your personal data
(Articles 15, 16, 17 and 20 GDPR)
At any time, you can request information on whether your personal data is processed by Merkur Media or not and what the conditions of such processing are, and you can receive a copy of your personal data. More specifically, you can request information about:
the purposes for which the data is processed,
the categories of personal data that are processed,
the categories of recipients with whom we have shared the data,
the intended duration of storage,
your rights in regards to this data (correction, erasure, restriction, withdrawal of consent, and lodging a complaint with the supervisory authority),
the source of the data in cases where we did not obtain it from your direct interactions with us,
and the existence of any automated decision-making based on this data, including profiling, and your right to request meaningful information about the algorithms involved.
If you make this request electronically, the information will be provided in a commonly used electronic form. Should you make this request several times, Merkur Media may charge you a fee to cover administrative costs.
You also have the right to instruct us to correct any personal data that is inaccurate.
Lastly, you have the right to ask us to erase your personal data, if there are no legal reasons for us to retain it (such as freedom of expression, legal requirements, public interest or if required as evidence in legal disputes) and one of the following reasons applies:
your personal data is no longer necessary considering the purposes for which it was collected or processed;
you wish to revoke your consent having served as the basis for the processing and there is no other basis justifying such processing;
your personal data has been the subject of unlawful processing;
your personal data should be erased pursuant to a legal requirement.
When we delete data that we've shared with third parties, we will also contact those third parties and ensure that your data are erased there as well.
When we delete data that we've made public over the course of offering our services to you, we will, to the degree feasible, contact any third party providers that may have this information cached to forward your request to them.
Right to the restriction of processing of personal data
(Article 18 GDPR)
You can assert your right to limit the processing of your personal data when:
you contest the accuracy of your personal data, during the time necessary to verify the accuracy of such data;
the processing of your personal data is unlawful but you oppose the erasure thereof and instead demand the limitation of processing;
we no longer need your personal data but you still need such personal data for the establishment, exercise or defense of legal claims.
Right to personal data portability
(Article 20 GDPR)
You have the right to receive personal data you have provided to us in a structured, commonly used and machine-readable format, and to transmit such data to another controller without hindrance from Merkur Media GmbH.
Whenever this is technically feasible, you may request that your personal data be transmitted directly to another data controller by Merkur Media GmbH.
Right to revoke consent
(Article 7.3 and 21 GDPR)
We only process your personal data with your consent, unless the data processing is otherwise required (see section Are you required to share your personal data with Merkur Media GmbH?).
If you have a registered account with us, you may revoke your consent at any time by changing the settings associated with your account (or by deleting your account outright, if you prefer). If you do not have a registered account with us, please refer to the Web and App Analytics section for the means of opting out of other data collection.
Please note that a revocation of your consent does not affect the lawfulness of processing carried out prior to such revocation.
Right to file a complaint with your supervisory authority
(Article 77 GDPR)
If, despite our efforts to protect the confidentiality of your personal data, you consider that your rights have not been respected, you have the right to file a complaint with the national data protection authority in your country.
Objection against the processing of your data for direct marketing
When you register an account with us, you have the option to subscribe to our newsletters. You can opt out of our newsletters at any time using the unsubscribe links provided in the email footers, or in your account settings.
Web and App Analytics
To improve our website and apps, to correct errors, and to optimise the site and the campaigns used to promote it, we store pseudonymised data about our visitors' behaviour on our website and use several tracking services to assist us (on the basis of Article 6.1.f GDPR).
These services either use cookies (desktop) or device IDs (mobile) to allow them to correlate the behavioural data they collect (for example to tell us how long the average user spent on our site, or how great a percentage of users that visited our site registered an account with us).
Data exchanged may be information on when you registered an account with us, from where you came (which banner you clicked or which game site you play our games on), your device parameters (e.g. operating system, brand), your user ID in our games, page impressions (time and page identifier) or payments you make.
The trackers use these data either to craft approximate behavioural profiles of you (enabling them to supply better marketing targeting to the users of their service), or to permit us to pay for our campaigns by registration events or paying users rather than impressions ("performance marketing").
Right of objection
Should you object to this pseudonymised processing of your data, your opt-out options are:
For web, for tracking to the endpoints we manage, please refer to the cookie preference settings by clicking the cookie button.
Your browser will need to accept cookies for the opt-out process to work.
For mobile, for tracking to endpoints controlled by us, please refer to the settings in the application itself. We use Firebase Crashlytics (a Google product) for error reporting; you can use the settings to opt out of the error reporting functionality as well.
Since you may also interact with the other trackers that we use on other people's websites, opting out of the trackers on a single website will probably not do what you intended. To better enable you to opt out of the tracking services effectively, this section contains an overview of all trackers we use and where you can opt out of them.
The opt-out options of many tracking services can also be found on https://youronlinechoices.eu/, which provides a unified and central opportunity for you to opt out of various tracking services. That site can also help you if you want to review your online choices for other providers not used by us.
Unless otherwise noted (be it here or on our tracking partners' opt-out pages), your browser will need to accept cookies for the opt-out process to work.
Adality
Adality is based in Germany and offers an opt-out on https://adality.de/privacy.html.
AdCell
AdCell is based in Germany and offers an opt-out on https://www.adcell.de/datenschutz (German).
AppNexus
AppNexus is based in the US, is committed to the Privacy Shield Framework and offers an opt-out on https://www.xandr.com/privacy/platform-privacy-policy/.
AppsFlyer (for Mobile)
AppsFlyer is based in the US, is committed to the Privacy Shield Framework and offers an opt-out on https://www.appsflyer.com/legal/opt-out/.
Bing
Bing is run by Microsoft, which is based in the US, is committed to the Privacy Shield Framework, and offers an opt-out on https://account.microsoft.com/privacy/ad-settings/signedout.
Crimtan
Crimtan is based in the UK and offers an opt-out on https://www.crimtan.com/cookies/opt-out/.
Dynamic Yield
Dynamic Yield is based in the US, is committed to the Privacy Shield Framework and offers an opt-out on https://www.dynamicyield.com/privacy-policy/ (in the section 'Accessing and Modifying Information and Communication Preferences').
Facebook Analytics
Facebook is based in the US, is committed to the Privacy Shield Framework and offers opt-out instructions on https://www.facebook.com/help/568137493302217.
Flashtalking
Flashtalking is based in the US, is committed to the standards imposed by the GDPR and offers an opt-out on https://www.flashtalking.com/privacypolicy/ (in the section 'Opting out of Interest-Based Advertising').
Google
Google is based in the US and is committed to the Privacy Shield Framework.
Google Ads (a/k/a Google Remarketing) and AdMob
Google offers opt-out instructions for Google Ads and AdMob on https://adssettings.google.com/authenticated.
Google Analytics
Google offers opt-out instructions for Google Analytics on https://tools.google.com/dlpage/gaoptout. Your IP address is masked when it is sent to Google Analytics. For further information, see https://www.google.com/analytics/terms/.
HasOffers
HasOffers is run by TUNE, which is based in the US, is committed to the Privacy Shield Framework and offers opt-out instructions on https://optoutmobile.com/.
InfoOnline
InfoOnline is based in Germany and offers an opt-out on https://optout.ioam.de/optout.php (German).
ÖWA
ÖWA is based in Austria and offers an opt-out on https://optout-at.iocnt.net/ (German).
Outbrain
Outbrain is based in the UK and in the US, has GDPR contractual clauses between their UK and US branches and offers an opt-out on https://www.outbrain.com/privacy/#advertising_behavioral_targeting.
Plista
Plista is based in Germany and offers an opt-out on https://www.plista.com/opt-out/ (in the section 'Set opt-out').
Seznam.cz
Seznam.cz is based in the Czech Republic and offers an opt-out on https://www.seznam.cz/reklama/ (Czech).
Taboola
Taboola is based in the US, is committed to the principles of the European Interactive Digital Advertising Alliance and offers an opt-out on https://www.taboola.com/policies/privacy-policy.
The Trade Desk
The Trade Desk is based in the US, is committed to the Privacy Shield Framework and offers an opt-out on http://www.adsrvr.org/opt-out.html.
TradeLab
TradeLab is based in France and offers an opt-out on https://tradelab.com/en/privacy/ (in the section 'Should You No Longer Wish To See These Personalized Ads').
Voluum
Voluum is run by Codewise, which is based in Poland, and offers an opt-out on https://voluum.com/end-user-privacy-policy/ (in the section 'Opt-out').
Security
We make use of the widespread SSL (Secure Sockets Layer) encryption method to deliver our site securely when you visit it, in conjunction with the highest level of encryption supported by your browser.
You can tell when any single page of our website is transmitted in encrypted form by the closed lock (or key) symbol displayed in your browser’s status bar.
We also take appropriate technical and organizational security measures to protect your data against destruction, accidental or intentional manipulation, partial or total loss, or against the unauthorized access by third parties. Our security measures are continuously improved upon in accordance with technological developments.
Further information
If you have any questions or concerns about data privacy, you can contact us at dataprotection@merkur24.com.