This is the Crystal Dynamics, Inc. and Eidos Interactive Corporation General Privacy Notice. If you are located anywhere other than the United States, this General Privacy Notice applies to you. If you are located in the United States, please see the U.S. Privacy Notice at https://www.crystald.com/legal/privacy.
General Privacy Notice
Last Updated: September 5, 2022
Hi. We’re Crystal Dynamics, Inc. and Eidos Interactive Corporation (“we,” “our,” or “us” – for contact details see below under Section 13), each an independent controller. You probably know us from the entertainment content we develop, publish, distribute and license, including: TOMB RAIDER®, DEUS EX®, THIEF®, and LEGACY OF KAIN®.
Please take the time to read this Privacy Notice, as it explains how we process and protect your personal data (referred to as “personal information” in some jurisdictions).
2. HOW & WHEN WE COLLECT YOUR PERSONAL DATA
From the moment you begin interacting with us, we are collecting personal data. Sometimes the personal data we collect is provided by you and sometimes it is collected automatically.
You give us data if and when you: register or update a user account with us, use our paid-for services, play one of our games, enter one of our tournaments, apply for a job with us, attend an interview or assessment, opt-in to receive our marketing messages, subscribe to our mailing lists, call us, email us, live chat with us online, chat to us in-game, make a purchase from us, enter one of our prize draws or competitions, answer one of our surveys, fill in a form, conduct a search or post content on our website, interact with other users on our online services, register to attend our events, ‘follow’, ‘like’, or post to or interact with our social media accounts.
We collect your data automatically if and when you: access our website pages, interact with other users on our online services, open an email from us, login to a user account that you register with us, play our games online, live chat with us, message us or other users in-game or make a purchase from us.
3. TYPES OF PERSONAL DATA WE COLLECT
Depending on the specific services you use and how you interact with us, we may collect various types of personal data as further described in this section.
a) Contact Details: Your name, address, telephone number and email address.
b) Account Profile Data: Your name, email address, birth date, gender, username and password.
c) Financial Data: Your bank account number, credit/debit card details, currency, amount paid, electronic payment processor details and billing address.
d) Identifiers Relating to You: Your birth date, IP address, login information, social media username(s), browser type and version, Internet service provider, date and time of access request, time zone difference to Greenwich Mean Time (GMT), access status/HTTP status code, data volume transferred, websites from which you come to our website, websites accessed through our websites, time zone setting, browser plug-in types, geolocation information, operating system and version, cookies and cookie IDs, Google AdID, Apple IDFA and other unique device IDs.
e) Data On How And When You Use Our Websites: Your URL clickstreams (the path you take through our site), products/services you view or purchase, page response times, download errors, how long you stay on our pages, what you do on those pages and other actions.
f) Data On How You Purchase And Use Our Games And Services: Your gaming platform, game version, mobile and hardware identifiers, device event information, crash reports, language or subtitle options, game scores, game metrics, achievements, rankings, play time, feature usage, player performance and progression, purchases, time zone, timestamp, session duration, wish lists, challenges or gifts sent to other players and number of friends on the platform.
g) Survey Data: Any data that you decide to provide to us when you complete one of our surveys.
h) Application Data (only when you apply for job roles with us): Name, email address, employment history, references, education history, results of pre-employment screening and background checks, relevant experience, achievements, skills and qualifications and the outcome of any interviews or tests that are part of the recruitment process.
i) Data Recorded At Live Events: Photographs and videos (including audio) of you.
j) Personal Data Provided To Us By Third Parties:
Game Platforms: Nickname, username, user ID, friends list, email address, geolocation, language, user preferences, date of birth and games you have played. Mobile Platform Providers and App Stores: Username, device ID, purchase history and geo-location. When you log in with your Facebook account: Account ID, email address and friends playing the same game. When you link a user account that you register with us to a Game Platform Account: Account ID, nickname, user ID, email address and our games which you are playing.
k) What about special categories of data / sensitive data?
If you have been selected to participate in an accessibility-related player research group, we may ask for health data related to your accessibility needs for the purpose of analysing accessibility as it relates to our game development. Otherwise, we do not actively collect any “special categories of data” about you (data that is intended to identify your racial or ethnic origin, political opinions, religious/philosophical beliefs or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, health data, or data about your sexual life or orientation). The same applies to personal data relating to criminal convictions and offences or alleged offences. Please don’t send us your unsolicited special categories of data or post them anywhere on our services.
l) What about children’s data?
You must be at least 14 years old to use any of our services or games, as we do not target our games to children under 14 and do not knowingly collect any personal data from any person under 14. If you think we have unintentionally collected personal data from someone under the age of 14, please let us know by contacting us at the email address at the end of this document.
4. WHY & HOW WE USE YOUR PERSONAL DATA
We will use your personal data only for certain specified reasons and only when we have a lawful basis to do so. Which of the following reasons is applicable to you depends on the type of relationship we have with you and how we interact with you. For example, we will not use your personal data for the purpose of processing payments unless you’ve made, or attempted to make, a purchase from us.
a) Registering your account
When you sign up to use our services or register a user account with us, we will use the details you provide on your account registration form to process your registration and provide the services you’ve agreed to receive.
If you are located in the EU/EEA or the UK, our legal basis for this use of your personal data is: performance of contract.
b) Keeping our websites and gaming services running
Providing you our games and services online, access to our websites, login authentication, age verification, remembering your settings, processing payments, populating leaderboards, hosting and back-end infrastructure and keeping our websites and services secure.
If you are located in the EU/EEA or the UK, our legal bases for this use of your personal data are: performance of contract, to comply with our legal obligations, and legitimate interests to keep our services running.
c) Enabling you to communicate with other users
Certain parts of our websites and online services enable you to communicate and interact with other users. We will use personal data you have provided us to enable these interactions and communications on our websites and online services.
If you are located in the EU/EEA or the UK, our legal basis for this use of your personal data is: performance of contract.
d) Processing payments
We will use your personal data to process payments for our goods and services. If your bank provides account update services and you have registered your payment card number or expiry date in our systems, we may automatically update this information when it changes.
If you are located in the EU/EEA or the UK, our legal basis for this use of your personal data is: performance of contract.
e) Targeted advertising
Through cookies, clear GIFs, web beacons and tracking pixels we will use your personal data to deliver relevant advertisements and offers to you and measure the effectiveness of the advertising and offers. These technologies connect your behaviour across different websites, mobile apps and devices and enable tailored advertising to be served to your game, web browser, or mobile device. Please also see below under Section 8 regarding cookies and our Cookies Notice (links below).
If you are located in the EU/EEA or the UK, our legal basis for this use of your personal data is: your consent.
f) Social media
We will use your personal data to communicate with you if you message us, respond to our posts, “like” our posts, tweet or retweet us or otherwise interact with us directly on social media platforms. We also analyse social media postings and trends to understand customer sentiment about our games and services.
If you are located in the EU/EEA or the UK, our legal basis for this use of your personal data is: our legitimate interests in promoting our brand and communicating with interested individuals.
g) Anti-cheat, anti-tampering, fraud, and unauthorised and unlawful activity detection, prevention and investigation
We use the personal data you provide us and the personal data we collect about you to enforce our rules and policies, protect our customers and business, maintain the competitive integrity of our games, and investigate and respond to fraudulent, unauthorised or illegal activity on or related to our current or future services. We may also use your information for machine learning behavioural predictions to detect and prevent fraudulent activities on our services.
If you are located in the EU/EEA or the UK, our legal bases for this use of your personal data are: our legitimate interests to operate a safe and lawful business or where we have a legal obligation to do so.
h) Community and customer support
When you use our communities or customer support, we will use your personal data for handling enquiries or complaints, troubleshooting and solving technical issues over live chat, phone, email and in-game chat, making necessary changes to our products and services and monitoring your participation in our forums and all parts of our services that allow you to publicly post information or interact with other users.
If you are located in the EU/EEA or the UK, our legal bases for this use of your personal data are: performance of contract, our legitimate interests to provide you with customer service, our legitimate interests in providing the correct products and services to our website users or to comply with our legal obligations.
i) Improving and continually developing our games, services and websites
We carry out surveys and analytics and research on in-game data collection and related metrics to understand how our customers are playing games and the effectiveness of our marketing campaigns. We also use your personal data to undertake player segmentation (profiling), cheat detection and prevention, machine learning (we sometimes use carefully selected third parties to do this on our behalf), general management of our websites, traffic optimisation and heat mapping (including through the creation of animated representations) of your usage of our websites.
If you are located in the EU/EEA or the UK, our legal bases for this use of your personal data are: performance of contract; consent or our legitimate interests in learning about the types of people who are interested in our games, websites, and services; to keep our games, online services, and websites updated and relevant; and to develop our business, understand how our customers play our games, and inform our marketing strategy.
To evaluate your suitability for a role that you have applied for we will use your personal data to verify your application details, academic qualifications and work experience, perform background checks, review and audit our recruitment processes and its outcomes and identify any future employment opportunities that you may be suitable for.
If you are located in the EU/EEA or the UK, our legal basis for this use of your personal data is: performance of contract or our legitimate interests to recruit new employees or contractors.
k) Contests, prize draws, and tournaments
When you participate in our contests, prize draws, tournaments or other promotional events we run from time to time, should you decide to participate in them, we will use your personal data to process your entry as well as to communicate with you and award and send you certain prizes or rewards, either digitally or physically, if you have qualified to receive them. In some cases our promotional events may have a “leaderboard,” entry list, or similar element, in which case we may display your name or other information you submitted on such a publicly accessible list. Some contests, prize draws, and tournaments will also involve publicly displaying your entry in media throughout the world.
If you are located in the EU/EEA or the UK, our legal bases for this use of your personal data are: your consent or performance of contract.
l) Live Events
When you attend or join our live events, we may photograph you and record videos in which you, your appearance, or your voice may be recognisable.
If you are located in the EU/EEA or the UK, our legal bases for this use of your personal data are: consent or our legitimate interests if you are a guest at the event or consent or performance of contract if you are a contestant.
m) Digital marketing and advertising
If you are located in the EU/EEA or the UK, our legal bases for this use of your personal data is: consent and to the extent consent is not required our legitimate interests to provide you with marketing communications or advertising where we may lawfully do so.
n) Direct marketing
Where you have consented, we will use your personal data to send you communications about our services, products and features that you have agreed to receive directly via email. We also use machine learning to predict the effectiveness of direct marketing campaigns for our customers and to tailor campaigns and direct marketing communications, including through purchase history and game play behavioural analysis.
If you are located in the EU/EEA or the UK, our legal bases for this use of your personal data is: your consent.
o) Participation in investigations and proceedings (including judicial proceedings)
Under very specific circumstances, we will process your personal data and share it with third parties (including law enforcement bodies) in order to respond to or investigate fraudulent, unauthorised or criminal (or potentially fraudulent, unauthorised or criminal) activity on or related to our systems, services, or events, including the unauthorized disclosure of non-public information related to current or future services. We may also be required by law to disclose your personal data to the police or to another law enforcement, regulatory, government or other public body in your country of origin or elsewhere, including upon receiving a legally valid request to do so. We may also be required by law to disclose your personal data to third parties in response to a court order, subpoena, or other compulsory process.
If you are located in the EU/EEA or the UK, our legal bases for this is legal obligation or legitimate interest.
5. WHAT THE DIFFERENT LEGAL BASES MEAN
This section explains what the legal bases we rely on for processing your personal data actually mean (as applicable in your local jurisdiction).
You have provided consent for us to process your personal data for a specific purpose (if you are located in the EU/EEA Art. 6 (1) a GDPR). You have the right to withdraw this consent at any time.
b) Performance of Contract
We need to process your personal data for us to fulfil our contractual relationship with you or in order to take steps at your request prior to entering into a contract (if you are located in the EU/EEA Art. 6 (1) b GDPR).
c) Legitimate interests
We need to process your personal data for our legitimate interests, or the legitimate interests of a third party, e.g., in conducting and managing our business and our relationship with you, except when such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular when the data subject is a child (if you are located in the EU/EEA Art. 6 (1) f GDPR). When we use your personal data for our legitimate interests, we take into account any potential impact that such use may have on you.
d) Legal obligation
We have a legal obligation under applicable law to process your personal data (if you are located in the EU/EEA Art. 6 (1) c GDPR).
6. KEEPING YOUR PERSONAL DATA SECURE
We treat your personal data with care and take reasonable steps to protect it, including the use of physical, technical and administrative safeguards to protect your personal data from unauthorised access, use or disclosure.
For this reason, we secure access to all transactional areas of our websites and apps, restrict access to your personal data, secure and tokenise transactional information and regularly monitor our systems for possible vulnerabilities and attacks.
If you believe your personal data has been breached, please contact us at the email address at the end of this document.
7. RECIPIENTS WITH WHOM WE SHARE PERSONAL DATA
Depending on the purpose for which we collect your personal data or the nature of our interaction with you, we may use third parties to process some of your personal data (for example, we engage third parties to process information about your purchases and use of our games). We require that these third parties use only the information they need to perform their specific services as specified in our contract with them. If we stop using any such third party’s services, we require that your personal data held by them is either securely and permanently deleted or rendered irreversibly anonymous. In all cases, we apply measures to keep your data safe and your privacy protected.
We share your personal data with third-party IT companies who support our website, online services and other business systems, payment services providers who process your payments for goods and services, fraud detection, investigation and prevention companies who help us detect, investigate and prevent cheating, abuse, fraud, tampering or other unauthorised use of or disclosure of non-public information about our current and future services and direct marketing companies who help us manage our electronic communications with you.
We may share your personal data with Google, Facebook and other third-party advertising partners so they can show you our products and services that might be of interest to you while you are on a social media platform, browsing the internet or playing our mobile games (see above under Section 4(e)). For example, if you provide us with your email address we may share it with Facebook so that you can receive tailored advertising from us when you use Facebook, and so that other users of Facebook who share similar interests to you can also receive tailored advertising from us.
We may share your personal data with governmental authorities, courts, external advisors, and similar third parties that are public bodies or with other (private) third parties as required or permitted by applicable law (see above under Section 4(o)).
Please have a look at our Cookies Notice (available at http://www.crystald.com/legal/cookie for Crystal Dynamics, Inc. and at https://www.eidosmontreal.com/cookies for Eidos Interactive Corp.) for more information.
9. WHERE YOUR PERSONAL DATA IS PROCESSED
We are a global organisation, so we sometimes will share your personal data with our other offices, or with other third parties and suppliers, who are located outside your country and the European Economic Area (“EEA“) or may have relevant operations outside of your country and the EEA, such as in the USA, where the data protection laws may provide a different level of protection compared to the laws in your jurisdiction.
When it is necessary for us to transfer your personal data out of the EEA and/or the UK, we will do so only when the transfer is authorised under applicable law, including when the transfer is made to a country the European Commission has deemed to have adequate data protection laws. The countries which provide an adequate level of data protection from a European data protection law perspective currently include Andorra, Argentina, Canada, Faeroe Islands, Guernsey, the State of Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland and the Eastern Republic of Uruguay. With regard to data transfers to other recipients outside the EEA we provide appropriate safeguards, in particular, by way of entering into data transfer agreements adopted by the European Commission (e.g., based on standard contractual clauses) with the recipients or taking other measures to provide an adequate level of data protection, where this is required under applicable law.
10. HOW LONG WE KEEP YOUR DATA
We store personal data as long as necessary to fulfill the respective purposes. When we no longer need personal data to comply with our contractual or legal obligations, we will securely destroy or irreversibly anonymise your personal data. We will deviate from this general policy only if we have to fulfill legal or official obligations (e.g., statutory retention obligations, including statutory retention periods which can result from commercial and tax law—for example, in the EU or Germany, the retention periods are typically between six and ten years for contracts, notifications and business letters) or if we need it to preserve evidence within a statute of limitation.
11. YOUR RIGHTS OVER YOUR PERSONAL DATA
Under applicable data protection law, you have the right, in addition to the right to withdraw your consent at any time (the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal), to make a complaint to a data protection supervisory authority. In addition, you may be entitled to the following rights (though these rights may be restricted by national law). To exercise your rights, please contact us using the contact details provided under 14 below.
a) Your right of access
You may have the right to obtain confirmation as to whether or not personal data concerning you is being processed, and, if that is the case, to request access to the personal data. The right of access includes, among other things, access to the purposes of the processing, the categories of the personal data is being processed, and the recipients or categories of recipient to whom the personal data is being disclosed. However, this right is not unrestricted as the rights of other persons may limit your right of access.
In certain circumstances, you have the right to receive a copy of the personal data processed by us. For further copies requested by you, we charge a reasonable fee, where relevant calculated on the basis of administrative costs
b) Your right to rectification
You have the right to request that we rectify information you think is inaccurate or complete information you think is incomplete. This right always applies.
c) Your right to erasure
You have the right to request that we erase your personal data in certain circumstances.
d) Your right to restriction of processing
You have the right to request that we restrict the processing of your personal data in certain circumstances. In that case, the data concerned will be marked and only processed by us for certain purposes.
f) Your right to data portability
Subject to certain conditions, you have the right to receive personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, and the right to transmit that data to a different controller without hindrance from us.
g) Right to object
Subject to certain conditions, you have the right to object at any time to the processing of your personal data by us on grounds arising from your particular situation, and we can be required not to process your personal data any longer.
If personal data is processed for direct marketing purposes, you have an additional right to object at any time to the processing of personal data in relation to you for the purpose of such marketing. This also applies to profiling where this is connected to direct marketing. In that case, we will no longer process the applicable personal data for these purposes.
12. CHANGES AND UPDATES TO THIS PRIVACY NOTICE
As our services and products change from time to time, you should expect this Privacy Notice to change as well. We reserve the right to amend this Privacy Notice at any time, for any reason. We will make all reasonable endeavours to notify you of any changes. We may also email periodic reminders of this Privacy Notice of any material changes to this Privacy Notice. Nevertheless, you should check here regularly to see the current Privacy Notice that is in effect and any changes that may have been made to it.
13. ANY QUESTIONS? CONTACT US
You made it to the end! We hope you enjoyed reading this Privacy Notice and we commend you on your dedication to understanding how we handle your personal data and your rights to control it. If this Privacy Notice hasn’t answered all your questions, or if you have any comments or ideas about how we can make this Privacy Notice even better, or if you wish to file a complaint, or make any request authorized by this Policy, please don’t hesitate to contact us at the following mailing address or email:
For Crystal Dynamics:
Crystal Dynamics, Inc.
2855 Campus Drive, Suite 200
San Mateo, CA 94403
United States of America
PrivacyNotice [at] crystald.com
For Eidos Interactive:
Eidos Interactive Corp.
400 de Maisonneuve West,
5th floor, Montréal, Québec,
Canada, H3A 1L4
PrivacyNotice [at] eidosmontreal.com