Declaração de Privacidade

Our Privacy Policy

At Merkur Media GmbH ("we" / "us"), we take your data privacy seriously. As such, we're committed to making it easy for you to understand what we do with your data. This privacy policy is an overview over what data we collect, why we collect and process it and what choices you have to control what you share. We'd also like to inform you what legal rights you have in regards to your personal data, as well as who to contact about enforcing those rights.

We use the term "personal data" in the sense of Article 4 of the General Data Protection Regulation ("GDPR").

If you want to opt-out of web analytics, jump to the relevant section using this link: Right of objection

Who we are

Merkur Media GmbH is a German company and belongs to the Gauselmann Group, a family run enterprise that has supplied the world with gambling products for over 60 years. You can find us here:

Merkur Media GmbH
Merkur Allee 1-15
32339 Espelkamp
Germany

Who this privacy policy applies to

This privacy policy applies to you if you are a visitor of Merkur24, regardless which platform you're using our services through (mobile, desktop).

What personal data do we collect?

We collect personal data from you when you register an account with us.

We process the following categories of data:

Data for access management (credentials)
e.g. e-mail address, password (but also e.g. facebook identifier if you connect your facebook account)

Customisation data
e.g. your display name, your avatar

Data about your game progress
e.g. your level, quest status, the number of in-game currency you have

Data about your preferences
e.g. whether you subscribed to our newsletter

Device data
e.g. device ID, operating system, browser string

Data about your online behaviour
e.g. logins, gameplay, clicks

Data about individual payments in our games
e.g. if you buy in-game currency using our shop

Network data
e.g. IP address, referrer

Localisation data
e.g. country of origin, language

Personally identifiable data
e.g. address, date of birth

Affiliate information
e.g. banner ads you clicked on to reach us

The way we process these data, why and on what legal basis we do this are explained in the section What do we process your data for?

Sensitive data

Sensitive data in the GDPR are the so-called "special categories of personal data", e.g. on your racial or ethnic origin, your health, or your political opinions.

We do not intentionally collect any sensitive data from you.

That said, we cannot control what content you put into messages you write through our website (e.g. to other users, or when you create a support ticket). While we strive to protect any privacy implied by such a transfer, we cannot differentiate a particularly sensitive message from any other kind of message you may choose to write. Please be aware such messages are not afforded any additional protection.

Data from children

We do not collect any information on children. You need to be a legal adult to play our games.

What do we process your data for?

We only process a user’s personal data in compliance with the relevant and pertinent data protection regulations. This means that a user’s data shall only be processed if the user has given his or her legal permission for us to do so. This is the case especially then when data processing is required in order for us to be able to provide our contractual and online services, or when required by law, we are in possession of the consent of the user, and when it is collected for the sake of our legally legitimate interests (i.e. interest in the analysis, optimization, and economic operation and safety of our online product as per Article 6 (1) (f) of the GDPR, in particular with regard to range measurement, the creation of profiles for advertising and marketing purposes, as well as the collection of access data and the use of the services of third-party providers).

We feel obligated to point out that Art. 6 (1) (a) and Art. 7 of the GDPR serve as the legal basis for consent, Art. 6 (1) (b) of the GDPR serves as the legal basis for processing for the performance of services and the performance of contractual measures, Art. 6 (1) (c) of the GDPR serves as the legal basis for processing in order to fulfill our legal obligations, and Art. 6 (1) (f) of the GDPR serves as the legal basis for processing in order to safeguard legitimate interests.

Enabling gameplay

(contractual fulfillment; Article 6.1.b GDPR)
Our game platform cannot function without certain data. In order for you to have any meaningful progress in your gameplay, we need to be able to reliably differentiate you from other users of our website, which is why we ask you to register an account. When you log in, we compare your login credentials against those we have on file, and maintain your customisation data and game progress.

Your display name, avatar, and certain elements of your progress are made public within our game platform (e.g. for in-game leaderboards, or to broadcast certain wins). You can change your display name and avatar at any time.

Additionally, your country and language is used to provide you with a localisation of our website - we will try to serve you content in your language and our in-game shop in your local currency.

Payments and invoices

If you want to buy in-game currency in our in-game shop, your interaction will usually be with third-party payment processors. In either case, if a payment was successful, we get this information as a digital invoice, which we store to fulfil legal requirements (Article 6.1.c GDPR), to retain them in the case of legal dispute (legitimate interest; Article 6.1.f GDPR), and to optimise our web presence for you (legitimate interest; Article 6.1.f GDPR).

These invoices contain data on what item you purchased, how much you paid for the item and what method you used to pay us with. We do not store information that could be used to make a payment on your behalf, unless you have given us a separate explicit, specific permission for this to ease your payment process (by enabling QuickPay; contractual fulfillment; Article 6.1.b GDPR).

On our website we use the services of the it-security-provider Risk.Ident GmbH. Every communication between us and Risk.Ident only happens for the purpose of preventing fraud cases whilst using our website.

Data storage: Risk.Ident collects and processes specific data from our users, via cookies and tracking technology, about the features of the device used by the customer (“device related data”), raw data out of the TCP/IP connection and data about the usage of our website. Thereby Risk.Ident also collects and processes the IP-address of the user. However, this is encrypted within a few seconds at Risk.Ident. The information will be saved in a databank by Risk.Ident for risk prevention purposes.

Data retrieval: When the user signed a contract that entails risk related terms on our websites e.g. by creating a user account for the purchase of certain items we retrieve a risk score from the databank of Risk.Ident. The risk score was deposited there for the device used by the customer. The risk score is based inter alia on information

a) whether the user’s device has communicated or communicated, current or past, via a proxy connection,

b) whether the device recently has dialed in via various internet service providers,

c) whether the device has shown or showed a frequently changing geo reference,

d) how many internet transactions have been executed via the device in the recent past (we cannot detect which kind of transaction it was), and

e) how probable it is, that the device, deposited in the Risk.Ident-databank, actually is the device of the user.

The outcome of this risk score supports us in the purpose of preventing fraud attempts.

Data transmission: Furthermore, we transmit data to Risk.Ident to the extent of our knowledge that a user committed or attempted to commit fraud to us. Risk.Ident receives the information about this fact as well as the specific device related data of the user.

As part of our fraud protection measures (also known as anti-frau measures), all person-related master data, communication information, contractual master data, customer histories, contract billing data, and payment information are provided to the Risk.Ident GmbH for processing.

Direct marketing

(Legitimate interest; Article 6.1.f GDPR)
We offer our players the ability to optionally subscribe to our newsletter to keep them up to date with current events. Our existing customers will also be receiving game-related information per email. You can easily unsubscribe to all advertising-related mails at any time, either via the unsubscribe link in our emails or by changing your email preferences in your account.

Should you have provided us with your postal address, you will receive postal mail from us on certain occasions or for special campaigns. You can object to receiving such postal mail at any time by either contacting our customer service or sending us an email at service[at]whow[dot]net.

Security and fraud prevention

(legitimate interest; Article 6.1.f GDPR)
To help secure our website and to prevent fraud, we store data such as your IP address and certain device information when you access our website and interact with it.

Your device data and IP address information is stored and logged to allow fraud and data security forensic investigation. Your IP address information is also processed automatically by our network devices - this infrastructure is needed to serve our website, but also to deny access to IP addresses known to be in use by malicious actors.

Due to the nature of this interest, we cannot offer you a means to opt-out of this processing, as this would undermine its purpose (and in some cases, an opt-out is technically impossible - e.g. we cannot exempt your IP address from processing by our network devices).

If you object to this processing, we ask that you please do not use our website.

Optimisation of website and campaigns

(legitimate interest; Article 6.1.f GDPR)
To optimise our marketing campaigns and our website, we track information about your behaviour and preferences. These data are pseudonymised and stored separately from your account data. While they are stored on an individual basis, these data are only available to the employees that must work with these data, and they are reported on only in aggregate.

Over the course of campaign optimisation, we share some of these data with third-party trackers by embedding a tracking pixel on our website.

Please refer to the section Web and App Analytics for further information about these trackers and how you can opt-out of them.

Are you required to share your personal data with Merkur Media GmbH?

There are some data we require from you:

Data needed to fulfill our contractual obligations and the associated services
Data you explicitly make available: Data for access management, Personally identifiable data (where applicable), Data about your preferences (opt-in/opt-out). Data you supply by browsing our website: Network data, Data about your game progress.

Data that we are legally required to store
Data you supply by making a purchase: Data about individual payments in our games.

Data required for security
Data you supply by browsing our website: Device data, Network data.

Without these personal data we cannot provide our services to you.

Automated decisions

We do not use your personal data for any automated individual decision-making that would have legal or otherwise similarly significant effects on you.

Any effects of automated decisions based on your personal data are confined to our game platform. For example, we may use your purchase information (frequency and amount) to give you automated, customised discounts in-game.

How long do we store your data?

For data that we store for legal reasons, we retain the data as long as legally required of us (up to ten years).

For data that we store in consideration of legal disputes, we retain the data as long as legally permissible. This may be up to 30 years.

For logs storing network data, we delete the data in regular intervals - the exact time varies based on configuration rules (which may prune the logs based on size rather than a fixed time), on whether the data was part of a snapshot that landed in a backup, and on whether the logs are part of a set of logs that are routinely forwarded to a central log repository, but will not exceed 2 years.

Where do we store your data and who do we share it with?

Your personal data within Merkur Media GmbHYour personal data is processed only by the people necessary for us to pursue our legitimate interests, or to comply with our contractual or legal obligations.

Your personal data outside of Merkur Media GmbHWe share your data only where it is legally permissible to do so, either when it's required to fulfil contracts you may have with us (Article 6.1.b GDPR) or on basis of legitimate interest (Article 6.1.f GDPR).

We share your personal data only if you have given us permission to do so, in aggregate or anonymised form (preventing the data from being linked to other data you may have supplied elsewhere), or with providers that are contractually obliged to treat your data with care.

We exchange data with providers in the following categories:

Hosting and content distribution providers. These typically have no direct access to our systems, but provide network infrastructure that will necessarily process your IP address to deliver our assets.

Payment providers. When you make a payment through a payment provider, we will get invoice information from these providers. Any payment details needed to actually make a payment on your behalf is handled only by the payment providers, not by us.

Debt collection. When you revoke a payment you made, we may share the information available to us with debt collectors, so that they can get in touch with you on our behalf.

Email marketing service providers. We share your email address, display name, and localisation information, and whether or not you are currently subscribed to our newsletter with our email marketing service providers, so that they can send you relevant emails.

Single sign-on providers. These are only relevant if you're playing our games through their websites or explicitly choose single-sign on options, in which case our interaction with them enables you to sign into our game platform. Should you change your mind about using these, the providers usually offer a way to decouple your single-sign on account from our website (revoking our access to your metadata); for more information, please refer to the providers' documentation.

Business intelligence. We use providers to help us sift through own our tracking data.

Game developers. These create and maintain our casino games for us. As these applications are typically standalone and can simply be embedded in our website "plug-and-play" style, we share only very little information about you with these providers - your IP address, device information, display name and the amount of in-game currency you own.

Crash reporting. Our mobile games embed crash reporting functionality. The crash reports contain only anonymous information. Nonetheless, you can opt-out of this in the settings of the application.

Affiliates, CoBrands and Performance Marketing. To allow brands, partners and campaigns to measure their own effectiveness, we embed various trackers on our website. For details, please refer to the Web and App Analytics section of this privacy policy.

Address verification. Before we send out prizes to a physical address, we first ensure that the address is correct by letting it be processed by an address verification service.

Geolocation. We receive data about the approximate geographical location of IP addresses from geolocation services. (We do not share any information with these services, we are only consumers of this data.)

Support ticket system. We use an external provider to handle our support ticketing for us. Any support ticket you write us through official channels will be stored with this provider.

Video streaming. In some cases, we use video streaming services to show you advertisements. Your impression of these videos is recorded by these services.

The providers we use are either in the European Union, in a country formally deemed safe by the data privacy standards of the European Union, or contractually bound to treat your data with the utmost care. Whenever the process allows, we anonymise or pseudonymise your data.

Under no circumstances do we sell your data to third parties.

Information regarding your rights

Merkur Media GmbH is headquartered in the European Union. We are committed to complying to the General Data Protection Regulation (GDPR). This affords you several inherent rights to your personal data.

You have the right to...

...request access to your personal data (Article 15 GDPR) in a portable format (Article 20 GDPR),

...request correction of your personal data (Article 16 GDPR),

...request restriction of the processing of your personal data (Article 18 GDPR),

...request deletion of your personal data (Article 17 GDPR),

...withdraw consent for your processing of data, when we do this in accordance with a legitimate interest (Article 7.3 and Article 21 GDPR),

...lodge a complaint with a supervisory authority (Article 77 GDPR).

You can easily delete your data in the settings for your account. For all other requests, please contact us either through the support widget on our website, or by contacting us via email (info@whow.net). If you contact us through a means other than the support widget, please understand that we may need to ask you to prove your identity - after all, you wouldn't want a random stranger to get access to your data, and neither do we.

Note that it may take up to a month for us to process a request of yours. Should there be any delay, we will of course let you know.

You can find additional legal information in the Articles 7.3, 15 – 21 and 77 of the GDPR.

Instructions for deleting your player data and/or your player account

Web version:

* Log into the respective player account using your player account information

* Then open your profile by clicking on your profile pic

* Scroll down until you reach the point "Delete account" and confirm this selection

* Enter your password to confirm deletion


Mobile version:

* Please start the app

* Select "Help" in the menu on the right side

* Scroll down to the end of the screen that pops up and select "Delete account"

* Confirm this selection by once again pressing on "Delete account"


Please denote that any and all deletions will require a few days to process. Should you wish to cancel or revoke your deletion request, please proceed step by step through the instructions provided above and object to the respective deletion.

Your right to access, correct and erase your personal data

(Articles 15, 16, 17 and 20 GDPR)
At any time, you can request information on whether your personal data is processed by Merkur Media or not, what the conditions of such processing are, and to receive a copy of your personal data. More specifically, you can request information about:

the purposes for which the data are processed,

the categories of personal data that are processed,

the categories of recipients with whom we have shared the data,

the intended duration of storage,

your rights in regards to this data (correction, erasure, restriction, withdrawal of consent, and lodging a complaint with the supervisory authority),

the source of the data in cases where we did not obtain it from your direct interactions with us,

and the existence of any automated decision-making based on this data, including profiling, and your right to request meaningful information about the algorithms involved.

If you make this request electronically, the information will be provided in a commonly used electronic form. Should you make this request several times, Merkur Media may ask a fee of you to cover administrative costs.

You also have the right to instruct us to correct any personal data that is inaccurate.

Lastly, you have the right to ask us to erase your personal data, if there are no legal reasons for us to retain it (such as freedom of expression, legal requirements, public interest or if required as evidence in legal disputes) and one of the following reasons applies:

your personal data is no longer necessary considering the purposes for which it was collected or processed;

you wish to revoke your consent having served as the basis for the processing and there is no other basis justifying such processing;

your personal data has been the subject of unlawful processing;

your personal data should be erased pursuant to a legal requirement.

When we delete data that we've shared with third parties, we will also contact those third parties and ensure that your data are erased there as well.

When we delete data that we've made public over the course of offering our services to you, we will, to the degree feasible, contact any third party providers that may have this information cached to forward your request to them.

Right to the restriction of processing of personal data

(Article 18 GDPR)
You can assert your right to limit the processing of your personal data when:

you contest the accuracy of your personal data, during the time necessary to verify the accuracy of such data;

the processing of your personal data is unlawful but you oppose the erasure thereof and instead demand the limitation of processing;

when we no longer need your personal data but you still need such personal data for the establishment, exercise or defense of legal claims.

Right to personal data portability

(Article 20 GDPR)
You have the right to receive personal data you have provided to us in a structured, commonly used and machine-readable format, and to transmit such data to another controller without hindrance from Merkur Media GmbH.

Whenever this is technically feasible, you may request that your personal data be transmitted directly to another data controller by Merkur Media GmbH.

Right to file a complaint with your supervisory authority

(Article 77 GDPR)
If, despite our efforts to protect the confidentiality of your personal data, you consider that your rights have not been respected, you have the right to file a complaint with the national data protection authority in your country.

Objection against the processing of your data for direct marketing

When you register an account with us, you have the option to subscribe to our newsletters. You can opt-out of our newsletters at any time using the unsubscribe links provided in the e-mail footers, or in your account settings.

Web and App Analytics

To improve our website and apps, to correct errors, to optimise the site and our campaigns used to promote it, we store pseudonymised data about our visitors' behaviour on our website and use several tracking services to assist us (on basis of Article 6.1.f GDPR).

These services either use cookies (desktop) or device IDs (mobile) to allow them to correlate the behavioural data they collect (for example to tell us how long the average user spent on our site, or how great a percentage of users that visited our site registered an account with us).

Data exchanged may be information on when you registered an account with us, from where you came (which banner you clicked or which game site you play our games on), your device parameters (e.g. operating system, brand), your user ID in our games, page impressions (time and page identifier) or payments you make.

The trackers use these data either to craft approximate behavioural profiles of you (enabling them to supply better marketing targeting to the users of their service), or to permit us to pay our campaigns by registration events or paying users rather than impressions ("performance marketing").

Right of objection

Should you object to the use of this pseudonymised processing of your data, your opt-out options are:

For web, for the online tracking to endpoints that we manage, please refer to the cookie preference settings in the following by clicking the cookie button.
Your browser will need to accept cookies for the opt-out process to work.

For mobile, for tracking to end-points controlled by us, please refer to the settings in the application itself. We use Firebase Crashlytics (a Google product) for error reporting; you can use the settings to opt-out of the error reporting functionality as well.

Since you may also interact with the other trackers that we use on other people's websites, opting out of the trackers on a single website will probably not do what you intended. To better enable you to opt-out of the tracking services effectively, this section contains an overview of all trackers we use and where you can opt-out of them.

The opt-out options of many tracking services can also be found on https://youronlinechoices.eu/, which provides a unified and central opportunity for you to opt-out of various tracking services. That site can also help you if you want to review your online choices for other providers not used by us.

Unless otherwise noted (be it here or on our tracking partners' opt-out pages), your browser will need to accept cookies for the opt-out process to work.

Adality
Adality are based in Germany and offer an opt-out on https://adality.de/privacy.html.

AdCell
AdCell are based in Germany and offer an opt-out on https://www.adcell.de/datenschutz (German).

AppNexus
AppNexus are based in the US, are committed to the Privacy Shield Framework and offer an opt-out on https://www.xandr.com/privacy/platform-privacy-policy/.

AppsFlyer (for Mobile)
AppsFlyer are based in the US, are committed to the Privacy Shield Framework and offer an opt-out on https://www.appsflyer.com/legal/opt-out/.

Bing
Bing is run by Microsoft, who are based in the US, are committed to the Privacy Shield Framework, and offer an opt-out on https://account.microsoft.com/privacy/ad-settings/signedout.

Crimtan
Crimtan are based in the UK and offer an opt-out on https://www.crimtan.com/cookies/opt-out/.

Dynamic Yield
Dynamic Yield are based in the US, are committed to the Privacy Shield Framework and offer an opt-out on https://www.dynamicyield.com/privacy-policy/ (in the section 'Accessing and Modifying Information and Communication Preferences').

Facebook Analytics
Facebook are based in the US, are committed to the Privacy Shield Framework and offer opt-out instructions on https://www.facebook.com/help/568137493302217.

Flashtalking
Flashtalking are based in the US, are committed to the standards imposed by the GDPR and offer an opt-out on https://www.flashtalking.com/privacypolicy/ (in the section 'Opting out of Interest-Based Advertising').

Google
Google are based in the US and are committed to the Privacy Shield Framework.

Google Ads (a/k/a Google Remarketing) and AdMob
Google offer opt-out instructions for Google Ads and AdMob on https://adssettings.google.com/authenticated.

Google Analytics
Google offer opt-out instructions for Google Analytics on https://tools.google.com/dlpage/gaoptout. Your IP address is masked when it is sent to Google Analytics. For further information, see https://www.google.com/analytics/terms/.

HasOffers
HasOffers is run by TUNE, who are based in the US, are committed to the Privacy Shield Framework and offer opt-out instructions on https://optoutmobile.com/.

InfoOnline
InfoOnline are based in Germany and offer an opt-out on https://optout.ioam.de/optout.php (German).

ÖWA
ÖWA are based in Austria and offer an opt-out on https://optout-at.iocnt.net/ (German).

Outbrain
Outbrain are based in the UK and in the US, have GDPR contractual clauses between their UK and US branches and offer an opt-out on https://www.outbrain.com/privacy/#advertising_behavioral_targeting.

Plista
Plista are based in Germany and offer an opt-out on https://www.plista.com/opt-out/ (in the section 'Set opt-out').

Seznam.cz
Seznam.cz are based in the Czech Republic and offer an opt-out on https://www.seznam.cz/reklama/ (Czech).

Simplaex
Simplaex are based in German and offer an instant opt-out link on https://tracker.simplaex.net/v1/opt-out.

Taboola
Taboola are based in the US, are committed to the principles of the European Interactive Digital Advertising Alliance and offer an opt-out on https://www.taboola.com/policies/privacy-policy.

The Trade Desk
The Trade Desk are based in the US, are committed to the Privacy Shield Framework and offer an opt-out on http://www.adsrvr.org/opt-out.html.

TradeLab
TradeLab are based in France and offer an opt-out on https://tradelab.com/en/privacy/ (in the section 'Should You No Longer Wish To See These Personalized Ads').

Voluum
Voluum is run by Codewise, who are based in Poland, and offer an opt-out on https://voluum.com/end-user-privacy-policy/ (in the section 'Opt-out').

Security

We make use of the widespread SSL (Secure Socket Layer) encryption method to deliver our site securely when you visit it, in conjunction with the highest level of encryption supported by your browser.

You can tell when any single page at our website is transmitted in encrypted form by the closed presentation of the lock (or key) symbol in your browser’s status bar.

We also take appropriate technical and organizational security measures to protect your data against destruction, accidental or intentional manipulation, partial or total loss, or against the unauthorized access by third parties. Our security measures are continuously improved upon in accordance with technological developments.

Further information

If you have any questions or concerns about data privacy, you can contact us at dataprotection@merkur24.com.