Privacy statement

Hattrick Ltd, a company with its registered address at Suite 4, 2nd Floor, The West Wing, Montarik House, 3 Bedlam Court, Gibraltar GX111AA, publisher of the website Hattrick.org and the Hattrick app (available from the Apple App store and the Google Play store) has created this privacy statement in order to comply with the prevailing data protection laws and demonstrate our firm commitment to privacy.

1.

Hattrick

1.1. Hattrick is a data controller within the meaning of the General Data Protection Regulation. Further details about us and how to contact us appear below.
1.2. We collect personal data from you when you contact us, use our website or apps, when you make purchases in our shop, and when you provide us with your personal data directly.
1.3. We have legal obligations to you to inform you of:
a. The personal data which we collect from you
b. How we use your personal data
c. The purposes for which we process your personal data
d. The legal basis for processing your personal data
e. Who we share your personal data with
f. Where we store your personal data, and what protections we have in place for it
g. Where we send your personal data, and
h. where applicable
i. the existence of automated decision-making and profiling (the logic, the significance and the envisaged consequences)
ii. whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
iii. whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract,
i. the periods for which we retain your personal data
j. your rights under the General Data Protection Regulation
1.4. We set this information out below for you.

2.

How we process your Personal Data

2.1. Personal data is information that identifies you as a person, either directly or indirectly.
2.2. It includes personal data
a. that has been submitted to our system by you (such as name and e-mail when signing up,
b. about you contained in messages sent through our contact forms or to our e-mail accounts), and
c. data that has been created or logged automatically by our systems (by registering the IP address, app version or browser signature you use during your visits to our site and app.
2.3. When we process your personal data, we:
a. do so lawfully, fairly and in a transparent manner
b. collect it for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
c. limit our collection to what is adequate and relevant to what is necessary in relation to the purposes for which they are processed
d. take reasonable steps to keep it accurate and up to date having regard to the purposes for which they are processed
e. keep it in a form where we can identify you for no longer than is necessary, for the purposes for which it is processed
f. process it in a manner that ensures appropriate security of the personal data. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. We use appropriate technical or organisational measures to do so.

3.

Personal data collected

3.1. The types of personal data we may collect from you when you contact us, register and use our game and apps, or visit our website includes:
Category of Personal Data Personal Data Reason for Collection/Retention Period
Registration Data Email address, country of residence, login name, age as at registration, alias and password. This data is required to open and maintain an account. It is always retained, also if your account turns inactive, to facilitate a new team application under the same account in the future. It will be erased if you explicitly withdraw your consent.
User Profile Your manager presentation text, favourite football team, team logo. This data is optional. It is also stored until you withdraw your consent.
Geolocation Your geographical position. This data is used by the Hattrick app when a user initiates a connection to a Hattrick Local Circle. The geolocation data is not retained by Hattrick after the user has been matched to a Local Circle.
Purchase Data Credit card number, address, bank account identifiers and PayPal payment details are passed directly to our payment processors when using the Hattrick shop. This data is required to make any purchase. We do not actually receive them. This data is required to make any purchase. We do not store credit card information ourselves, but we do keep transaction data on file (type of order placed, amount spent, refunds) for a period of at least 10 years for legal and accounting reasons.
Information automatically logged IP address, login times, app version, browser signature, Supporter status. This data is necessary for us to maintain legitimate business interests such as to serve ads, perform website analytics, and carry out fraud prevention. It is automatically deleted after 90 days.
3.2. Please help us keep your personal data up to date and let us know when it changes.
3.3. Also, game data: Any information created by the Hattrick game engine is non-personal information. This includes match orders placed, matches played, match statistics, players scouted, nicknames given, transfers made, achievements earned, titles won, and many other things. It also includes team names. This kind of data is out of the scope of privacy regulations. If you exercise your right to be forgotten, this data will be anonymised.

4.

Why we collect personal data

4.1. We need to collect personal data from you to communicate with you, to be able to offer you the services you request, and to be able to verify your age.
4.2. Without your personal data
a. our website would not function properly;
b. we could not provide you with our game;
c. we could not respond to you if you have any questions;
d. we could not comply with our legal obligations;
e. we could not maintain our legitimate business operations;
4.3. As a user in Hattrick you are able to communicate with others through many communication channels. You then have the opportunity to also share information about yourself.
4.4. Information sent by way of e-mail, chat messages, contact forms or internal Hattrick messages to Hattrick representatives or game volunteers. It will be treated with confidentiality and deleted on your request.
4.5. Personal data shared through public settings, such as a Hattrick press release, blog posts, guestbook messages or forum posts, can be shared and stored by anyone and is outside Hattrick control.
4.6. Information posted to the public parts of Hattrick (forums, guestbooks, press releases) is never deleted automatically. It is an important part of the game history. If you exercise your right to erase your personal data, your forum posts will only be anonymised.
4.7. We do not knowingly supply our services to those under 13 years of age. We will require parental consent of those that are between the ages of 13 and 16.

5.

Where do we obtain your personal data

5.1. We primarily obtain personal data about you directly from you, when you register and through your continued use of the website;
5.2. Other users of Hattrick may also post information relating to you on our forums, in guestbooks, press announcements, the Hattrick messaging system or in the Hattrick chat. Such information could contain personal details

6.

How we use your personal data

6.1. We process your personal data for the following purposes, where we have a legal basis to do so:
a. Communications - Verify your identity and age
- Contact you when necessary
- Understand your requests and needs
- Seek and understand your views, opinions or comments
- Notify you of changes to our services, staff, and other role holders
- Send you communications which have been requested
- Send you communications required by law
- Communicate with others about your queries, rights, entitlements
b. Gaming - Allow others to communicate with you on our gaming platform
- Display information about you and your teams, for instance, your team status which may be visible on your profile;
- Personalise the gaming experience
- Allow you to share information about your use of the platform through a third-party social media service, if you connect your account through that service (which you can turn off at any time) and to provide you with better recommendations
- Monitor and analyse trends, usage, and activities in connection with our Platform
- Enable use of the Local Circle feature in the Hattrick app
c. Advertising - Provide content, features, or sponsorships that match member profiles or interests;
- Facilitate contests and other promotions;
- Combine with information that we collect for the purposes described in this Privacy Policy; and
- Carry out any other purposes described to you at the time that we collected the information
d. Operations - Deliver our services to our customers
- Administer our agreements with customers
- Management and resource planning
- Process payments
- Host chat rooms, forums, message boards and news groups
- Manage the performance of our gaming platform
- Send you offers you may be interested in
- Invite you to participate in surveys
- Update you on your performance in our games
- Inform you of our system status and downtime
- Send you security updates on our systems
e. Administration - Maintain our own accounts and records
- Audit our accounts and records
6.2. We use your personal data for the following reasons:
a. You have given us your consent in writing for the purposes for which you provided your personal data
b. We need to take steps to form a contract with you and perform a contract with you
c. We need to comply with a legal obligation other than with you;
d. We or someone else has a legitimate interest other than where your interests or fundamental rights and freedoms would be overridden.
6.3 We believe we have legitimate interests to process your personal data to:
a. Administer contracts with you and others
b. Enable us to meet our legal and statutory obligations to you and others
c. Ensure compliance with our policies and procedures
d. Conduct data protection assessments and audits
e. Prevent, detect, investigate and address fraud, corruption and misconduct by you and others
f. Ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution
g. Value and sell our business
6.4. We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
6.5. Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

7.

Data Sharing

7.1. We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
7.2. Other game users are able to view your User Profile data as part of the playing the game and any participation you have in our forums or chat rooms.
7.3. We otherwise limit access to your personal information to those employees, agents, contractors and other third parties who need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. When we do send them personal data or make it available to them, we minimise it. In many cases, we are able to pseudonymise it and sometimes anonymise it so that they do not tell who you are.
7.4. They are:
a. Gamemasters and Moderators. Information shown by us to our volunteers about other users is anonymized and does thus not constitute personal data. However, all volunteers enter into an agreement to protect personal data about users if any such data would be offered to them by users through contact forms, forums or e-mail.
b. Payment processors. (Worldline, PayPal)
c. Our accountants and auditors
d. Legal advisors
e. Website hosting infrastructure companies
f. Cloud storage providers
g. Advertising networks
Data Breaches
7.5. We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
7.6. We also may have cause to share your personal information with:
a. telecommunications providers, such as providers that provide telephone, instant messaging services, post and couriers;
b. computer systems service providers, including IT security personnel
c. regulatory authorities.
7.7. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
Marketing
7.8. We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. We have established the following personal data control mechanisms.
Promotional Offers from Us
7.9. We may use your Contact Details, User Profile to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you.
7.10. You will receive marketing communications from us if you have requested information from us or purchased products or services from us or if you provided us with your details when you entered a competition or registered for a promotion and, in each case, you have not opted out of receiving that marketing.
Third Party Marketing
7.11. We will get your express opt-in consent before we share your personal data with any company for marketing purposes.
Opting Out
7.12. You can ask us to stop sending you marketing messages at any time by selecting options in your online profile [or emailing us]. We include opt-out links on all marketing messages.
7.13. Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product/service purchase, warranty registration, product/service experience or other transactions.
7.14. There are some messages that you are not able to opt-out of, such as security messages.

8.

Automated Decision Making

8.1. Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention.
8.2. We do not automate decision making in a way that effects your legal rights or has legal consequences for you.
8.3. Where we are allowed to use automated decision-making:
a. where we have notified you of the decision and given you 21 days to request a reconsideration.
b. where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights.
c. in limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights.
8.4. You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.

9.

Data Storage

9.1. We transfer your personal data outside the EEA as follows:
Country Basis for Transfer
Switzerland Adequacy Decision
9.2. We will transfer personal information we collect about you in order to perform our contract with you. There is an adequacy decision by the European Commission in respect of the named country above.
Access to our Services from Outside the EEA
9.3. When you access your account, only your game alias is visible to other users. Your alias is part of your public profile on our gaming platform.
9.4. If you are outside the EEA and wish to use our services, you will be in a country that has data protection laws that are different to the laws of the EEA. Those countries may not be as protective as those in the EEA. We have taken appropriate safeguards to require that your information will remain protected in accordance with this Privacy policy.
9.5. If you do not want your name visible to other users, please choose a game alias which is not your name.

10.

Data Security

10.1. We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We limit access to your personal information to those employees, agents, contractors and other third parties who need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
10.2. We store all information that you provide to us on secure servers.
10.3. We train employees regarding our data privacy policies and procedures, and permit authorised employees to access information on a need to know basis, as required for their role.
10.4. We use firewalls designed to protect against intruders and test for network vulnerabilities.
10.5. Where you have a password which enables you to use our services you are responsible for keeping this password complex, secure, and confidential. If you would like to update or change your password, you may select the "Forgot your password?" link on the login page. You will be sent an email that allows you to reset your password.
10.6. However, no method of transmission over the internet or method of electronic storage is completely secure.
10.7. We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

11.

Retention of your Data

11.1. We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
11.2. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
11.3. By law we have to keep basic information about our customers (including contact, identity, financial and transaction data) for six years after they cease being customers for tax purposes.
11.4. In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. We will retain and securely destroy your personal information (as the case may be) in accordance with applicable laws and regulations.
11.5. In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer an employee, worker or contractor of the company we will retain and securely destroy your personal information in accordance with our data retention policy.

12.

Rights of access, correction, erasure, and restriction

12.1. You have a series of rights under the General Data Protection Regulation.
12.2. Not all apply in all circumstances. Under certain circumstances, you have the right to:
a. Request access to your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
b. Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
c. Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
d. Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
e. Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
f. Request the transfer of your personal information to another party.
12.3. If you would like to exercise any of these rights, please contact us using the details below. We will need to verify your identity before we are able to release any personal data to you.

13.

Withdrawal of Consent

13.1. Where you may have provided your consent for us to process your personal data and/or transfer your personal data for a specific purpose, you can withdraw it at any time.
13.2. To withdraw your consent, please contact us using the e-mail privacy@hattrick.org, using the GDPR option in our contact form, or by visiting the Preferences page on Hattrick, where your privacy controls are located. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

14.

About Us

14.1. Hattrick is a company formed in Gibraltar with registered company number 89526 and registered offices at Suite 4, 2nd Floor, The West Wing, Montarik House, 3 Bedlam Court, Gibraltar GX111AA.
14.2. Hattrick has under the Gibraltar Data Protection Ordinance of 2004 registered as Data Controller with the Gibraltar Data Protection Commissioner (https://www.gra.gi/data-protection).
14.3. Hattrick is responsible for the personal data we hold and use.
14.4. The person responsible for data protection at Hattrick is Johan Gustafsson.
14.5. If you are dissatisfied with the way we process your personal data, you have the right to complain to the Gibraltar Data Protection Commissioner.
14.6. They may be contacted at https://www.gra.gi/data-protection/data-prote865478ction-test-form-184r56.
14.7. We would prefer to try and resolve any difficulties between us and make them right before you approach the ICO. Please consider contacting us in the first instance.

15.

Changes to this Privacy Statement

15.1. We may need to change this privacy policy from time to time.
15.2. We will communicate any changes to the privacy policy on our website or by e-mail.

 
Server 071