Immutable Privacy Policy

Last update: 14 December 2024

This Privacy Policy sets out our commitment to protecting the privacy of personal information provided to us, or otherwise collected by us, offline or online, including when preparing to provide or providing our platforms to you, including Gods Unchained, our collectible digital card trading game that operates on the Ethereum blockchain, Guild of Guardians, our free to play mobile game, the Immutable X and zkEVM platforms, our marketplace that allows buyers and sellers to trade digital assets, our other downloadable applications and mobile applications, and our websites and other online products and services (Services). In this Privacy Policy we, us or our means Immutable Pty Ltd (ABN 89 626 193 351) and all subsidiaries and group companies of Immutable Pty Ltd.

This Privacy Policy takes into account the requirements of the Privacy Act 1988 (Cth) and the Australian Privacy Principles. In addition to the Australian laws, individuals located in the European Union (EU) and the United Kingdom (UK) may also have rights under the EU General Data Protection Regulation 2016/679 and the UK General Data Protection Regulation (collectively the GDPR). Appendix 1 outlines the details of the additional information and rights that individuals located in the EU and the UK have as well as information on how we process the personal information of individuals located in the EU and the UK. Appendix 2 contains additional information about our use of personal information from individuals who are not covered by the GDPR (i.e. individuals located in Australia, anywhere in the United States, and other locations outside of the UK and EU). Appendix 3 discloses additional information and data rights provided to individuals who reside in specific jurisdictions within the United States that have enacted their own applicable privacy laws.

"Personal information" as used in this Privacy Policy means information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual or an individual who is reasonably identifiable, and includes anything defined as personal information, personal data under the GDPR, personally identifiable information or similar terms under applicable law.

Children’s Data

We do not knowingly collect, solicit, use, or disclose personal information from children under the age of 13. If you are under 13, please do not attempt to register for the Services or send any information about yourself to us. No one under age 13 may provide any personal information to us. If we learn that a child under 13 has provided personal information to us without verification of parental consent, we will delete that information immediately.

We remind and encourage all parents to check and monitor their children’s online activities. Under United States law, parents have the right to review and have deleted any personal information we may have inadvertently collected from their children, and refuse to permit further collection of that information. If you believe that we might have any information from or about a child under 13, please contact us at https://support.immutable.com/hc/en-us

How we collect personal information

We collect personal information in a variety of ways, including:

Directly: 

  • Voluntarily: We collect personal information which you directly provide to us, including when you sign up to Gods Unchained or Guild of Guardians, or register for Immutable Protocol or another Immutable product or service such as Passport, through the ‘contact us’ form on our websites or when you request our assistance via email, our online chat or over the telephone, or when you attend or participate in any of our sessions, functions, events or activities.
  • Automatically: We may collect personal information which you indirectly provide to us while interacting with us, such as in emails, over the telephone and in your online enquiries.
  • From Third Parties: In some circumstances where a third party service provider/data processor (e.g. analytics provider) collects Personal Information from you on our behalf, this may also be considered a direct collection by us.

Indirectly: 

  • From Third Parties: We may also collect personal information from third parties, such as details of your use of our website from our cookie providers and marketing providers (if this is not considered a direct collection by us - see above). See the “Cookies” section below for more detail on the use of cookies.
  • From Publicly Available Sources of Information: We may also collect personal information from publicly available sources, such as information from social media accounts and profiles, where relevant to your interactions with us, or to our business or relationship with you.

Personal information

The types of personal information we may collect about you include:

  • your name;
  • your contact details, including email address and name;
  • your Ethereum (and/or other public blockchain) address and wallet, and public blockchain data;
  • your credit card or payment details (through our third party payment processor);
  • your preferences and/or opinions;
  • information you provide to us through customer surveys;
  • details of products and services we have provided to you and/or that you have enquired about, and our response to you, including any support requests and any bug reports;
  • where you play Gods Unchained or Guild of Guardians, game progression data, such as your game saves and your achievements in the game, and for Guild of Guardians, your age;
  • where you participate in Immutable Protocol, your trading data;
  • where you connect or use a digital wallet in conjunction with Immutable's products and services (such as Passport), the assets held in that wallet;
  • your browser session and geo-location data, device and network information, statistics on page views and sessions, acquisition sources, search queries and/or browsing behaviour, your IP address, and demographic information;
  • your connections with others whose personal information we may collect or hold;
  • information about your access and use of our Services, including through the use of Internet cookies, your communications with our Services, the type of browser you are using, the type of operating system you are using and the domain name of your Internet service provider;
  • additional personal information that you provide to us, directly or indirectly, by submitting forms or through your use of our Services, associated applications, associated social media platforms and/or accounts from which you permit us to collect information; 
  • publicly available information from social media accounts, posts and profiles, where relevant to your interactions with us, or to our business or relationship with you; 
  • device information, such as mobile device type, mobile number, unauthorised third party applications (which allows us to identify whether our users are gaining an unfair advantage or cheating when using our games), and device specifications; and
  • any other personal information requested by us and/or provided by you or a third party.

We may collect these types of personal information directly from you or from third parties.

Collection and use of personal information

We may collect, hold, use and disclose personal information for the following purposes:

  • account creation and management;
  • to enable you to access and use our Services, associated applications (such as the Gods Unchained application, Guild of Guardians application, and Immutable Protocol) and associated social media platforms, and to personalise and customise your experiences using our Services;
  • to enable you to perform transactions on the Services;
  • where you are playing Gods Unchained or Guild of Guardians, to enable you to communicate with other Services users, including through group conversations and by creating a friend list;
  • to contact and communicate with you about our Services;
  • for internal record keeping, administrative purposes, invoicing and billing purposes;
  • to compare information for accuracy and verification purposes, including (where relevant to our Services) verifying your identity based on information you have provided to us;
  • to carry out appropriate administration in relation to our investors, including communicating with corporate regulators;
  • for analytics, market research and business development, including to operate and improve our Services, associated applications and associated social media platforms;
  • to run promotions, competitions and/or offer additional benefits to you, and to measure the effectiveness of those activities;
  • for advertising and marketing, including to send you promotional information about our group’s products and services and information about third parties and their products and services related to Immutable's platform that we consider may be of interest to you, and (where permitted by applicable laws) to facilitate third parties (Immutable partners) directly advertising or communicating with you about their products and services that are built on, integrate, interact with or are otherwise related to Immutable's platform that might be of interest to you, and to allow us to build audience lists of others who may be interested in Immutable's and Immutable partners' products and services in order to advertise and market those products and services to them;
  • to investigate, review, mitigate risks associated with, and inform you or appropriate authorities of, any data or other security breach involving your personal information;
  • to comply with our legal obligations and resolve any disputes that we may have;
  • to identify, prevent and respond to fraud and abuse, and otherwise protect our users, our property and our rights;
  • telephone calls to us may be recorded for training and quality assurance purposes; and
  • if otherwise notified to you at the time of collection, or in accordance with any agreement you enter into with us. 

We may aggregate personal information for reporting, statistical and analysis purposes, and for business, product and service improvement purposes. This allows us to better inform ourselves and anticipate our users' preferences and requirements, and to monitor and improve the effectiveness of our business, products and services. We may also de-identify information for inclusion in such aggregated databases or reports. 

Purposes for which we will use your personal information - UK and EU

If you are resident in the United Kingdom or the European Union, we have also set out below, in a table format, a description of all the ways we plan to use your Personal Information, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Note that we may process the same personal information for more than one lawful ground depending on the specific purpose for which we are using your data. 

Please contact us if you need details about the specific legal ground we are relying on to process your personal information where more than one ground has been set out in the table below.

| Purpose | Legal Basis |
| --- | --- |
| account creation and management | Necessary for the performance of the contract |
| to enable you to access and use our Services, associated applications (such as the Gods Unchained application, Guild of Guardians application, and Immutable X platform) and associated social media platforms, and to personalise and customise your experiences using our Services; | Necessary for the performance of the contract |
| to enable you to perform transactions on the Services; | Necessary for the performance of the contract |
| where you are playing Gods Unchained or Guild of Guardians, to enable you to communicate with other Services users, including through group conversations and by creating a friend list; | Necessary for the performance of the contract |
| to contact and communicate with you about our Services; | Legitimate interest to promote our services |
| for internal record keeping, administrative purposes; | Record keeping: necessary for compliance with law |
| for invoicing and billing purposes; | Necessary for the performance of the contract |
| to compare information for accuracy and verification purposes, including (where relevant to our Services) verifying your identity based on information you have provided to us; | Legitimate interest to identify our users and secure our services |
| to carry out appropriate administration in relation to our investors, including communicating with corporate regulators; | Legitimate interest to undertake corporate secretarial and investor relations services and to communicate with relevant market and corporate regulators and respond to their requests |
| for analytics, market research and business development, including to operate and improve our Services, associated applications and associated social media platforms; | Legitimate interest to improve our services |
| to run promotions, competitions and/or offer additional benefits to you, and to measure the effectiveness of those activities; | Legitimate interest to promote our services |
| for advertising and marketing, including to send you promotional information about our group’s products and services and information about third parties and their products and services related to Immutable's platform that we consider may be of interest to you; | Legitimate interest to promote our services |
| to investigate, review, mitigate risks associated with, and inform you or appropriate authorities of, any data or other security breach involving your personal information; | Necessary for compliance with law |
| to comply with our legal obligations and resolve any disputes that we may have; | Necessary for compliance with law |
| to identify, prevent and respond to fraud and abuse, and otherwise protect our users, our property and our rights; | Legitimate interest to protect our services and users |
| telephone calls to us may be recorded for training and quality assurance purposes. | Information to be provided upon the user calling |

Disclosure of personal information to third parties

We may disclose personal information to:

  • third party service providers for the purpose of enabling them to provide their services to us, including (without limitation) IT service providers, data storage, web-hosting and server providers, debt collectors, maintenance or problem-solving providers, marketing or advertising providers (including social media partners and other digital and online advertising partners), professional advisors and payment systems operators;
  • third parties who integrate our Services into their own products and services, and who may in doing so use your personal information for their own purposes independently of Immutable in circumstances where we are not responsible for the independent use of your personal information by those third parties;
  • our employees, contractors and/or related entities (this includes sharing personal information between companies within our group for use and disclosure as described in this Privacy Policy in relation to any Services they may provide to you);
  • government agencies or identity verification service providers, who in turn may access third party databases, document issuers, official record holders, DVS and other sources in order to perform identity verification services;
  • merchants and the recipients of digital assets to identify you as the sender of the assets and to a party who sends you digital assets in connection with a transfer to you of digital assets;
  • our existing or potential agents or business partners;
  • sponsors or promoters of any promotions or competition we run;
  • anyone to whom our business or assets (or any part of them) are, or may (in good faith) be, transferred;
  • debt collection agencies, courts, tribunals and regulatory authorities, in the event you fail to pay for goods or services we have provided to you;
  • courts, tribunals, regulatory authorities and law enforcement officers, as required or authorised by law, in connection with any actual or prospective legal proceedings, or in order to establish, exercise or defend our legal rights;
  • third parties, including agents or sub-contractors, who assist us in providing information, products, services or direct marketing to you. This may include parties located, or that store data, outside of Australia;
  • third parties to collect and process data to provide services to us, such as Google Analytics (see the "Cookies" section below for more information about Google's use of such data) or other relevant businesses. This may include parties that store data outside of Australia, the EU and the UK; and
  • any other third parties as required or permitted by law, such as where we receive a subpoena.

Overseas disclosure: Where we disclose your personal information to third parties listed above, or where their or our computer systems including IT servers and website hosts are located overseas, your personal information may be stored, transferred or accessed by those parties or by us outside of Australia, the EU and the UK, including but not limited to, United States of America, United Kingdom, Singapore, European Union (including Ireland, Greece and Italy), New Zealand, Canada, Indonesia and Brazil.

Where we remain responsible for the protection of your personal information, we will only disclose your personal information to countries with laws which protect your personal information in a way which is substantially similar to the Australian Privacy Principles or we will take such steps as are reasonable in the circumstances to protect your personal information in accordance with the Australian Privacy Principles. Where another party with their own relationship with you has collected and uses your personal information for their own purposes or as an 'independent controller' - for example, an app developer who has integrated our Services (such as Passport) into their own products and services, who may use your personal information on the basis of their own separate agreement with you - we are not in control of and will not be responsible for their actions and decisions with respect to your personal information, including whether they disclose it to third parties in countries that do not have substantially similar protection of your personal information as Australian privacy laws.

When transferring your personal information out of the European Economic Area (“EEA”) or the UK, we will use any relevant contractual agreement approved by the competent authorities as a basis for the transfer (e.g. the Standard Contractual Clauses for transfers from the EEA or the International Data Transfer Agreement for transfers from the UK).  Where these contractual agreements are not sufficient to ensure an adequate level of data protection at the recipient, we will implement supplemental safeguards. Please contact us if you would like further information on the specific mechanism used by us when transferring your personal data out of the European Economic Area and/or the United Kingdom.

Your rights and controlling your personal information

Your Choice: Please read this Privacy Policy carefully. If you provide personal information to us, you understand we will collect, hold, use and disclose your personal information in accordance with this Privacy Policy. You do not have to provide personal information to us, however, if you do not, it may affect our ability to provide our Services to you and/or your use of our Services.

Information from third parties: If we receive personal information about you from a third party, we will protect it as set out in this Privacy Policy. If you are a third party providing personal information about somebody else, you represent and warrant that you have such person’s consent to provide the personal information to us.

Anonymity: Where practicable we will give you the option of not identifying yourself or using a pseudonym in your dealings with us.

Restrict and unsubscribe: We may communicate with you by phone, email, SMS or push notifications, including to inform you about existing and new products and services that may be of interest to you. To object to processing for direct marketing/unsubscribe from our marketing database or opt-out of communications (including marketing communications), please contact us using the details below or opt-out using the opt-out facilities provided in the communication. You may decline marketing messages sent by push notifications by refusing the relevant permission in your device settings. 

Access: You may request access to the personal information that we hold about you. An administrative fee may be payable for the provision of such information. Please note, in some situations, we may be legally permitted to withhold access to your personal information.

Correction: If you believe that any information we hold about you is inaccurate, out of date, incomplete, irrelevant or misleading, please contact us using the details below. We will take reasonable steps to promptly correct any information found to be inaccurate, incomplete, irrelevant or out of date. Please note, in some situations, we may be legally permitted to not correct your personal information.

Complaints: If you wish to make a complaint, please contact us using the details below and provide us with full details of the complaint. We will promptly investigate your complaint and respond to you, in writing, setting out the outcome of our investigation and the steps we will take in response to your complaint. You also have the right to contact the relevant privacy authority.

Please see Appendix 1 for additional rights and other information available to individuals based in the EU or the UK, and Appendix 2 for additional rights and other information available to individuals based in the United States.  

Storage and security

We will take reasonable steps to ensure that the personal information we collect is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the personal information and protect it from misuse, interference, loss and unauthorised access, modification and disclosure.

While we are committed to security, we cannot guarantee the security of any information that is transmitted to or by us over the Internet. The transmission and exchange of information is carried out at your own risk. Although we take measures to safeguard against unauthorised disclosures of information, we cannot assure you that the personal information we collect will not be accessed or disclosed in a manner that is inconsistent with this Privacy Policy.

Cookies, Google Analytics and Web Beacons 

We may use cookies on our online Services from time to time. Cookies are text files placed in your computer’s browser to store your preferences. Cookies, by themselves, do not tell us your email address or other personal information. However, they do recognise you when you return to our online Services and allow third parties, such as Google and Facebook, to cause our advertisements to appear on your social media and online media feeds as part of our retargeting campaigns. If and when you choose to provide our online Services with personal information, this information may be linked to the data stored in the cookie and that information could potentially be used to identify you. It may be possible for us to identify you from information collected automatically from your visit(s) to our Services, for example, we will be able to identify you through your user name and password when you log into our Services. Further, if you access our Services via links in an email we have sent you, we will be able to identify you.

You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our online Services. At this time, our websites do not respond to “do not track” signals, if received.   

We may use web beacons on our Site from time to time. Web beacons (also known as Clear GIFs) are small pieces of code placed on a web page to monitor the visitor’s behaviour and collect data about the visitor’s viewing of a web page. For example, web beacons can be used to count the users who visit a web page or to deliver a cookie to the browser of a visitor viewing that page.

We may use Google Analytics to collect and process data. To find out how Google uses data when you use third party websites or applications, please see www.google.com/policies/privacy/partners/ or any other URL Google may use from time to time. If you do not want your Site visit data reported by Google Analytics, you can install the Google Analytics opt-out browser add-on. For more details on installing and uninstalling the add-on, please visit the Google Analytics opt-out page at https://tools.google.com/dlpage/gaoptout

Digital advertising and custom audiences

We also engage in online digital marketing. This means we may use personal information we know about you to better target ads. This section explains those activities in more detail, as well as your ability to opt out.

Custom audiences

We may use personal information we know about you (such as your name, email address, interests/attributes) to create 'audience lists' (sometimes called a 'custom audience' or 'segment'). These audience lists may contain: (1) individuals we have selected from our own marketing databases for an ad to be shown to; (2) individuals who we or our third party service providers have determined as 'lookalikes' (i.e. they share interests/attributes) based on a 'seed' of personal information that we provide (e.g. the seed may be a list of email addresses of individuals in our marketing databases who we believe are representative of the types of people we want to show an ad to); or (3) individuals who we or our third party service providers have determined as 'lookalikes' based on a 'seed' of information that is not personal information in our hands but may be personal information in the hands of the service provider (such as someone who the provider can identify as a previous visitor to our website, based on data they collect using technology such as cookies).

We use these audience lists to deliver specific ads only to the individuals on those lists, to ensure the ads and offers we show are more likely to be of interest to the people who see them. We may use and disclose those lists for advertising and marketing for our, and Immutable partners', products, services and special offers. When we do this, there may not always be a clear link in the ad shown to a person between the party whose ad is being displayed and Immutable. We will not directly disclose personal information to the Immutable partner in such a case, but may use the personal information we know about individuals who have a relationship with Immutable to build the relevant audience list for us, Immutable partners or our third party advertising service provider to use to display that ad.

The ads we show based on such audience lists may be displayed on our own platforms (such as our websites, games or applications), or on networks or platforms owned by third party advertising service providers such as Meta (Facebook). These audience lists (and therefore some personal information) may be disclosed to such third party advertising service providers so they can identify the appropriate users on their networks or platforms (or create the appropriate 'lookalike' sets) to display the ads to.

Where permitted by applicable laws, we may enable our 'lookalike' audience lists to be used by third party advertising service provider networks/platforms for Immutable partners to have their own ads delivered directly to that audience list. Any personal information in those audience lists will not be disclosed to the Immutable partner, but will be disclosed to the third party advertising service provider to deliver the ads for them.

Opting out from custom audiences

If you do not wish for us to deliver, or to facilitate Immutable partners to deliver, targeted online advertising to you, you may advise us at any time by contacting us using the details below. If you have opted out, where the final selection of each recipient on an audience list is within our control, we will ensure you are excluded from our audience lists and that the ad is not delivered to you based on any personal information we hold about you. You will still see ads, but these will not have been specifically selected for you and may not be as relevant to you.

However, while opting out with us will mean we ask our service providers to not deliver a targeted ad to you based on our audience lists and the personal information we hold, it may not always prevent our third party advertising service providers from using personal information they hold about you to deliver the ads we give to them as targeted online advertising to you. For example, they may show an ad to you because we asked for it to be delivered generally (and not through a custom audience list) to individuals with certain categories of interests. In order to stop those networks and platforms from providing targeted advertising to you where they determine the target audience, you may need to opt out directly via settings available to you on those networks or platforms (for example, for more information on Facebook custom audiences visit https://www.facebook.com/privacy/explanation or to opt-out, go to the Facebook ad preferences page).

Advertising networks

We also use network advertisers to serve advertisements on our Services, unaffiliated websites or other media (e.g. social networking platforms). This enables us and network advertisers to target advertisements to you for products and services in which you might be interested. Ad network providers, advertisers, sponsors, and/or traffic measurement services may use pixels, cookies, JavaScript, web beacons (including clear GIFs), Flash LSOs, and other tracking technologies to measure the effectiveness of their ads and to personalise advertising content to you. These pixels, cookies and other technologies are governed by each entity’s specific privacy policy, not this Privacy Policy. Where permitted by applicable laws, and unless you opt out, we may provide these advertisers with information, including personal information, about you.

Opting out from targeted ads

If you do not wish for us to deliver, or to facilitate third parties to deliver, targeted online advertising to you, you may advise us at any time by contacting us using the details below.

You may also be able to opt out of many ad networks. For example, you may go to the Digital Advertising Alliance (DAA) Consumer Choice Page for information about opting out of interest-based advertising and their choices regarding having information used by DAA companies. You may also go to the Network Advertising Initiative (NAI) Consumer Opt-Out Page for information about opting out of interest-based advertising and their choices regarding having information used by NAI members.

Opting out from one or more companies listed on the DAA Consumer Choice Page or the NAI Consumer Opt-Out Page opts you out from those companies’ delivery of interest-based content or ads to you, but it does not mean you will no longer receive any advertising through our Services or on other websites. You may continue to receive advertisements, for example, based on the particular website that you are viewing (i.e. contextually based ads). Also, if your browsers are configured to reject cookies when you opt out on a consumer choice website, your opt out may not be effective.

Links to other websites

Our Services may contain links to other websites. We do not have any control over those websites and we are not responsible for the protection and privacy of any personal information which you provide whilst visiting those websites. Those websites are not governed by this Privacy Policy.

Amendments

We may revise this Privacy Policy from time to time. When we update our Privacy Policy, we will take appropriate measures to inform you, consistent with the significance of the changes we make. If you do not agree with our changes, please do not use the Services. Your continued use of our Services following the posting of changes to this Privacy Policy and the conclusion of any legally required notice period means you accept those changes. 

For any questions or notices, please contact us at: Immutable Pty Ltd (ABN 89 626 193 351)

privacy@immutable.com 

Contact: https://support.immutable.com/hc/en-us/requests/new

Appendix 1

Additional Information and Rights for Individuals Located in the EU or the UK

Under the GDPR individuals located in the EU or the UK have certain additional rights which apply to their personal information. Personal information under the GDPR is often referred to as personal data and is defined as information relating to an identified or identifiable natural person (individual). This Appendix sets out the additional rights we give to individuals located in the EU and the UK, including how we process personal information lawfully, transparently and fairly. Please read the Privacy Policy above and this Appendix carefully and contact us at the details at the end of the Privacy Policy if you have any questions.

What personal information is relevant?

This Appendix applies to the personal information set out in the Privacy Policy above. This includes any sensitive information also listed in the Privacy Policy above which is known as ‘special categories of data’ under the GDPR.

Our commitment to you

Your personal information will:

  • be processed lawfully, fairly and in a transparent manner by us;
  • only be collected for the specific purposes we have identified in the ‘collection and use of personal information’ clause above and personal information will not be further processed in a manner that is incompatible with the purposes we have identified;
  • be collected in a way that is adequate, relevant and limited to what is necessary in relation to the purpose for which the personal information is processed;
  • be kept up to date, where it is possible and within our control to do so (please let us know if you would like us to correct any of your personal information);
  • be kept in a form which permits us to identify you, but only for so long as necessary for the purposes for which the personal information was collected; and
  • be processed securely and in a way that protects against unauthorised or unlawful processing and against accidental loss, destruction or damage.

How we process personal information

We will only use your Personal Information when the law allows us to. Most commonly, we will use your Personal Information in the following circumstances:

  • Where we need to perform the contract we are about to enter into or have entered into with you.

  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

  • Where we need to comply with a legal obligation.

Generally, we do not rely on consent as a legal basis for processing your Personal Information although we will get your consent before sending third party direct marketing communications to you via email or text message. 

You have the right to withdraw consent to marketing at any time by contacting us or by clicking on the unsubscription link in each marketing email you receive from us.

We will only use your Personal Information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your Personal Information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

If you refuse to provide us with certain Personal Information or if you provide us with incomplete or inaccurate information required for the performance of the contract or for compliance with a legal obligation, please be aware that we may not be able to provide or deliver to you all or parts of the service that you require.

We only collect Special Categories of Personal Data where you have given your explicit consent, it is necessary to protect your vital interests or those of other people or where you have deliberately made it public.

See above in the main section of this Privacy Policy (under 'Purposes for which we will use your personal information - UK and EU') to find out more about the types of lawful basis that we will rely on to process your Personal Information.

Data Retention

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information, whether we can achieve those purposes through other means and the applicable legal requirements.

In some circumstances you can ask us to delete your data: see ‘Your legal rights’ below for further information.

In some circumstances we may anonymise your personal information (so that it can no longer be associated with you) for analytics, research or statistical purposes in which case we may use this anonymised information indefinitely without further notice to you.

Data Transfers

We may transfer your personal data to third parties located outside of the European Economic Area and the United Kingdom.  We will provide appropriate safeguards for such transfers. 

When transferring personal data out of the European Economic Area or the United Kingdom, we will use either the “Standard Contractual Clauses” as approved by the European Commission or the United Kingdom Government (as applicable) or any other contractual agreement approved by the competent authorities as a basis for the transfer.

Where these contractual agreements are not sufficient to ensure an adequate level of data protection at the recipient, we will implement supplemental safeguards.

Please contact us if you would like further information on the specific mechanism used by us when transferring your personal data out of the European Economic Area and/or the United Kingdom.

Your legal rights

Under certain circumstances, you have rights under data protection laws in relation to your personal information.

You have the right to:

  • Request access to your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it;
  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us;
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal information to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request;
  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal information for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms;
  • Request restriction of processing of your personal information. This enables you to ask us to suspend the processing of your personal information in the following scenarios:
      • If you want us to establish the data's accuracy.
      • Where our use of the data is unlawful but you do not want us to erase it.
      • Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
      • You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
  • Request the transfer of your personal information to you or to a third party. We will provide to you, or a third party you have chosen, your personal information in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
  • Withdraw consent at any time where we are relying on consent to process your personal information. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

If you wish to exercise any of the rights set out above, please contact us using the following details: 

privacy@immutable.com 

Contact: https://support.immutable.com/hc/en-us/requests/new  

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

Appendix 2

Use of personal information from individuals not covered by the GDPR

This section provides additional information to the main section of the Privacy Policy, and is applicable to individuals outside of the EU/UK, such as for individuals located in Australia, the United States, and other locations outside of the UK and EU.

How we collect personal information

In addition to the ways set out in the main section of the Privacy Policy, we may also collect Personal Information which you directly or indirectly provide to us while interacting with us, such as when you use any of our websites or Services (including Gods Unchained, Guild of Guardians and Immutable Protocol).

Personal information collected

In addition to the information set out in the main section of the Privacy Policy, the types of information we may collect about you when you visit or use the Services may also include (as described in the Cookies Policy):

  • your browser session and geo-location data, device and network information, statistics on page views and sessions, acquisition sources, search queries and/or browsing behaviour, your IP address, and demographic information;
  • information about your access and use of our Services, including through the use of Internet cookies, your communications with our Services, the type of browser you are using, the type of operating system you are using and the domain name of your Internet service provider; and
  • device information, such as mobile device type, mobile number, unauthorised third party applications (which allows us to identify whether our users are gaining an unfair advantage or cheating when using our games), and device specifications.

Collection and use of personal information

In addition to the information set out in the main section of the Privacy Policy, we may also collect, hold, use and disclose Personal Information for the following purposes:

  • if you are a contractor, supplier or service provider to us, to enable us to conduct or administer our relationship with you or your employer, including when you are carrying out activities in connection with our operations or your supply of goods or services to us; 
  • if you have applied for employment with us, to consider your employment application; and
  • if otherwise required or authorised by law. 

Appendix 3

Additional Rights for Individuals Located in the US

The California Consumer Privacy Rights Act provides California residents with specific rights regarding their personal information. This Appendix sets out additional rights granted to residents of California, as well as to residents of other US jurisdictions such as Virginia and Colorado, as and when those jurisdictions enact applicable privacy legislation from time to time. 

Sale or Share of Your Personal Information

We do not “sell” or “share” your personal information, as the term is defined in the California Privacy Rights Act. 

Data Retention

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information, whether we can achieve those purposes through other means and the applicable legal requirements.

In some circumstances you can ask us to delete your data: see below in this Appendix for further information.

In some circumstances we may anonymise your personal information (so that it can no longer be associated with you) for analytics, research or statistical purposes in which case we may use this anonymised information indefinitely without further notice to you.

Your Right to Access, Delete, and Correct

You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and validate your request, we will include a list of your personal information that may have been disclosed and the categories of third parties the information may have been disclosed to.  

You may request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive your request and confirm your identity, we will review your request. We may deny your deletion request if retaining the information is proper and necessary or if an exception allowing us to retain the information applies. 

You may also request that we correct any of your personal information that has become outdated or needs correction for any reason. 

If your request is approved, we will delete, correct, or deidentify the relevant information and will direct our service providers to take similar action.

Exercising Your Rights to Know, Delete or Correct

California residents, and residents of other US jurisdictions that enact applicable privacy laws from time to time, may exercise their rights to know, delete or correct described above by emailing us at privacy@immutable.com. Only you, or someone legally authorized to act on your behalf, may make a request to know or delete related to your personal information. 

You may only submit a request to know twice within a 12-month period. We endeavor to substantively respond to a Verifiable Consumer Request within forty-five (45) days of its receipt, unless we require an extension. If we reasonably require an extension we will inform you of the reason and extension period.

Non-Discrimination

We will not discriminate against you for exercising any of your data subject rights. 

We do not charge a fee to process or respond to your Verifiable Consumer Request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

California’s Shine the Light Law

California Civil Code Section 1798.83 permits users of our Services that are California residents to request certain information regarding our disclosure of the information you provide through the Services to third parties for their direct marketing purposes. To make such a request, please contact us by email at privacy@immutable.com.

Any such request must include “California Privacy Rights Request” in the first line of the description and include your name, street address, city, state, and ZIP code. Please note that we are only required to respond to one Shine the Light request per consumer each year, and we are not required to respond to requests made by means other than through the e-mail address or mailing address provided in this Policy.

Participation in Financial Incentive Programs

We will notify you in the event we offer any financial incentive for the use of your personal information. Please note that participating in incentive programs is entirely optional: you will have to affirmatively opt in to the program, and you can opt out of each program (i.e., terminate participation and forgo the ongoing incentives) prospectively by following the instructions in the applicable program description and terms.