Privacy Policy

Privacy Policy of the Game "FindTheMoney"

(Effective from 26 May 2025)

  1. General Information

This Privacy Policy describes how FindTheMoney P.S.A. (referred to as the "Administrator" or "Organizer") collects, uses, and protects the personal data of Users of the mobile game "FindTheMoney" (referred to as the "Game"). We respect Users' privacy and make every effort to process personal data in accordance with applicable regulations, including Regulation (EU) 2016/679 (GDPR). This Policy applies to all Game Users, regardless of the platform (Android/iOS). Please read its content carefully. If a User does not accept this Privacy Policy, they should refrain from using the Game.

  2. Data Controller and Contact

The Administrator of personal data collected in connection with the use of the Game is:

FindTheMoney P.S.A. with its registered office in Warsaw, ul. Karolkowa 30, 01-207 Warsaw, Poland, entered into the National Court Register (KRS number: 0001146437), NIP: 5273144841, REGON 540522588 (hereinafter: the "Administrator" or "we").

You can contact us regarding personal data protection:

  • By email: at rodo@findthemoney.win
  • In writing: to the Administrator's registered office address provided above (with the note "Personal Data").

The Administrator may appoint a Data Protection Officer (DPO) if required by law. Information about any DPO and their contact details will be made available to Users (e.g., on the website or in a Policy update). Unless otherwise stated, contact regarding data matters is made directly with the Administrator.

  3. Scope of Data Collected

When you install and use the Game, we may collect the following categories of User personal data:

3.1. Data Provided by the User:

  • Registration Data: If you choose to create an Account (e.g., by providing an email address and password) or later register to withdraw a Prize, we collect data such as: email address, password (stored in encrypted form), first and last name, date of birth, country of residence, residential address (if required for settlements), PESEL number or other identifier (if required by law, e.g., for tax purposes with large winnings), and possibly identity document details (if age/identity verification is needed).

  • Prize Payout Data: When initiating a payout, you provide data necessary for the transfer: e.g., bank account number (IBAN), bank name, or phone number linked to Revolut, and information related to taxation (e.g., tax residency status, residency certificate).

  • Contact Data: If you contact us (e.g., via email, support form), you may provide us with your contact details (email address, phone number) and information contained in the correspondence.

  • Marketing Consents: Information about the consents you've given (e.g., consent to receive newsletters, consent to partner offers) – we store the fact that consent was given and its scope, as well as any subsequent withdrawal.

  • Other Data Voluntarily Provided: e.g., data filled out in surveys, additional contests organized in the game, profile information (if the game allows creating a player profile with additional data, such as a nickname/avatar – though a nickname or avatar doesn't have to be personal data unless it contains your real name/surname).

  • Special Category Data: By design, we do not collect sensitive data (special categories) from Users, such as racial origin, political views, health information, etc. Please do not include such data, for example, in correspondence with us or in your username.

3.2. Data Collected Automatically During Game Use:

  • Technical Identifiers: A unique installation/User identifier assigned by our system, mobile device identifier (e.g., Device ID, Android Advertising ID, or Apple IDFA – depending on device privacy settings), IP address, identifiers of cookies or similar technologies (if used in the application).
  • Device and Connection Information: Device model and manufacturer, operating system version, application version, device language, processor model, screen resolution, mobile network name or internet provider, GPS signal strength, battery status (e.g., for game purposes, to prevent AR mode from activating on low battery), etc.
  • Location Data: Your current geolocation data obtained from device sensors (GPS, Wi-Fi network, BTS) – to the extent that you have granted the application permission to access location. This data is used for game mechanics (showing your position on the map, placing objects). We may record your movement history in the game (e.g., visited zones, distance traveled) for gameplay analysis and fraud detection (e.g., unnaturally fast movements). However, we do not share historical routes or precise location with third parties without a legal basis. You can turn off location access in your device settings at any time, but this will prevent you from using the game in physical mode (and potentially at all, if the game requires location).
  • In-game Activity Data: Events generated by you in the application, such as: logins and logouts, time spent in the game, items collected (keys, chests), prizes opened, interactions with other players (e.g., using a referral code), in-app purchases (what was bought, when, for how much), fuel/drone usage, results of any mini-games or quizzes. We collect this data in our databases to provide the service (e.g., save game progress) and for analytical purposes.
  • Transactional Data (IAP purchases): In the case of in-app purchases, we receive information from Google/Apple about the transaction (e.g., unique transaction ID, product, amount, currency, store country, payment status). However, we do not process financial data such as payment card numbers – this is handled by the payment operator (Google/Apple). We may store a purchase confirmation assigned to your User account to restore purchases or handle complaints.
  • Server Logs: Our servers automatically record technical logs of certain events – these may include your IP address, access timestamps, API queries used, error codes, etc. This data is used to monitor the correct operation of services and system security.

3.3. Data from External Sources:

  • External Account Login: If you connect your Game account with an external service (e.g., logging in via Google/Facebook/Apple), we receive certain information from your profile from that service provider with your consent – usually your first name, last name, and email address associated with the account (and possibly a profile picture or ID). The scope of data transferred depends on your privacy settings with that provider and the consents you've given when connecting accounts. We use this data solely to authenticate you in the game and (in the case of email) as contact data if needed.
  • Information from Other Players: As part of the Game's mechanics, other players may provide certain information about you, e.g., confirm that they were referred to the game by you (the referral code identifies the referrer's account), or submit complaints about your inappropriate behavior in communication. We also process such data (e.g., the fact that a given User was indicated as inviting a friend – in order to award them a bonus).
  • Analytical Data Providers: We may use analytical tools (e.g., Google Analytics for Firebase, Unity Analytics, etc.) that collect data about your interactions with the application. This data is collected anonymously or pseudonymously (e.g., advertising identifier) and is used to analyze aggregate trends (e.g., number of daily active players, navigation paths within the application). Details regarding the tools used are provided later in this Policy (if applicable).

  4. Purposes of Data Processing and Legal Bases

User personal data is processed for the following purposes and on the following legal bases:

4.1. Providing Game Services (Performance of the Contract with the User):

  • Account and Gameplay Management: To enable the User to use the Game in accordance with the Regulations – i.e., logging in, participating in gameplay, saving game state, awarding prizes, enabling in-app purchases, etc. – we process technical data (identifiers, logs) and game activity data.
  • In-Service Communication: Sending push notifications or in-game messages related to the service's operation (e.g., information about a chest appearing nearby, a message about the need to update the application, a message from the game team regarding changes). These actions are necessary to fulfill our contract – providing the application's functionalities.
  • User Support: If the User reports a problem with the game, a complaint, or a request for help, we process their contact data and the content of the submission to resolve the issue.

Legal Basis: Article 6(1)(b) of the GDPR – necessity for the performance of a contract (the Regulations) or for taking steps at the User's request prior to entering into a contract. Using the Game constitutes entering into a contract for the provision of electronic services in accordance with the Regulations.

4.2. Awarding and Settling Prizes (Performance of Contract and Legal Obligation):

  • Prize Eligibility Verification: When requesting a Prize payout, we process the User's identification data (first name, last name, age) to confirm that they meet the conditions (legal age, entitlement to the prize). We may also verify whether the prize was obtained in a manner contrary to the regulations (analysis of game data – as part of the contractual obligation to ensure fair play).
  • Payout Execution: We use payment data (account number, Revolut) to make the prize transfer and address data to issue accounting documents (e.g., prize release proof).
  • Tax Deduction and Fiscal Reporting: In the event of a taxable win – we use User data to remit an advance payment/lump-sum tax (e.g., tax identifier, address for PIT-8AR (a Polish tax form for lump-sum income tax)) and fulfill obligations to the tax office.

Legal Basis: Article 6(1)(b) of the GDPR (performance of the contract – awarding the prize provided for in the regulations is part of the contract with the User); and Article 6(1)(c) of the GDPR (fulfillment of a legal obligation incumbent on the Administrator – e.g., tax regulations, the Gambling Act if applicable, or other regulations imposing the obligation to record prizes issued and collect tax).

4.3. Enabling In-App Purchases (Performance of Contract):

  • Transaction Handling and Digital Content Delivery: We process information about your in-app purchases (transaction ID, purchased item, User account) to assign the purchased Virtual Items to your account and make them available in the game.
  • Transaction History: We maintain a record of purchases linked to your User Account (which is necessary, for example, to restore purchased items after reinstalling the game or to resolve any complaints regarding missing items).

Legal Basis: Article 6(1)(b) of the GDPR – performance of the contract (delivering ordered digital services in exchange for a fee is the fulfillment of the contract between the User and us, concluded by accepting the purchase in the Store).

4.4. Fraud Detection and Security (Legitimate Interest of the Administrator):

  • Anti-Cheat Monitoring: We analyze technical data and gameplay data (e.g., movement speed, simultaneous logins from different cities, attempts to modify the application detected by security mechanisms) to identify violations of the Regulations, abuses, or hacks into our systems.
  • Financial Abuse Prevention: Before paying out larger amounts, we may verify the User's account history and their activities for suspicious patterns (e.g., money laundering through the game is unlikely, but mass account creation and generation of fictitious prizes – we try to detect such things).
  • System Security and Debugging: We use data in server logs to detect application errors, unauthorized access attempts, DDoS attacks, etc. This may include automatically blocking specific IP addresses or devices that violate system integrity.

Legal Basis: Article 6(1)(f) of the GDPR – the legitimate interest of the Administrator in ensuring fair gameplay, protecting its business model from fraud, and ensuring the IT security of the service. These actions also benefit all Users, as they maintain the Game in a balanced and secure manner.

4.5. Direct Marketing of Own Products/Services (Consent or Legitimate Interest):

  • Newsletter, Emails, and Marketing Notifications: With your consent (expressed by checking the appropriate option), we use your contact data (email address, possibly phone number for SMS or consent for push notifications) to send commercial information regarding the Game and other products and services of FindTheMoney P.S.A. (e.g., new functionalities, promotions for players, invitations to test other applications).
  • Offer Personalization: We may use data about your activity in the game (e.g., engagement level, favorite mode, purchases made) to tailor the content of marketing communications to your potential interests (profiling for marketing purposes). For example, a User who frequently uses drone mode may receive a promotional offer for Fuel packs. However, such profiling is only done with consent (resulting from marketing consent – also including consent for profiling for such purposes). Lack of consent means that the User will not be subject to such profiling and will not receive personalized offers, only general communications (or none at all).
  • Legal Basis: Article 6(1)(a) of the GDPR – your voluntary consent to the processing of data for direct marketing purposes. In some cases, own marketing to existing users can be based on legitimate interest (Article 6(1)(f) of the GDPR, so-called soft opt-in), however, in our case, due to the lack of a prior business relationship before game registration, we still ask for explicit consent. The User can withdraw marketing consent at any time – see point 8.

4.6. Marketing of External Partners (Consent):

If you provide separate consent to receive marketing information from the Administrator's business partners, your contact data may be used to send such information or shared with a selected partner (e.g., game prize sponsor) for a one-time offer. For example, we may send an email on behalf of a game tournament sponsor, advertising their services, only if you have consented to it. Without consent, such communications will not occur.

Legal Basis: Article 6(1)(a) of the GDPR – User consent. Lack of consent for external partners does not affect other aspects of the game and does not prevent you from receiving information from us (if you have consented to our marketing). This consent can be withdrawn at any time.

4.7. Product Analysis and Development (Legitimate Interest):

  • Game Usage Statistics: We process aggregate and anonymized (or pseudonymized) data about how Users use the application to better understand which features are popular, where difficulties occur, how the game community develops, etc. For example, we measure the number of daily active Users, retention (how many people return to the game), typical in-game routes, the percentage of Users who made a purchase, etc. This information helps us improve the Game, adjust gameplay, and plan new features.
  • Tests and Improvements: We use data on application errors and crashes (crash reports) to diagnose problems and fix them in subsequent updates. These may be reports generated by systems like Firebase Crashlytics containing, for example, phone model, OS version, error stack trace, but generally without personal data.
  • Market Research (Anonymous): In some cases, we may ask users to voluntarily fill out a survey regarding game satisfaction or preferences (e.g., for a small in-game reward). Survey data is then analyzed in aggregate. If the survey collects contact or personal data, we treat it according to the purpose (e.g., if it's a contest – data for a prize).

Legal Basis: Article 6(1)(f) of the GDPR – the legitimate interest of the Administrator in improving its products and services by understanding User needs and the effectiveness of offered features. Whenever possible, we use anonymized or at least aggregated data for analysis that does not identify specific individuals.

4.8. Fulfillment of Legal Obligations (Legal Obligation):

  • Accounting and Tax Obligations: We store documentation related to transactions (IAP purchases) and awarded Prizes for the required period (e.g., 5 tax years) and provide it to tax authorities if requested. This may include personal data of winners of larger Prizes for tax recording purposes.
  • Compliance with Game/Contest Regulations: If state authorities (e.g., Ministry of Finance, court) request information regarding promotions and prizes organized by us, we must provide it based on law.
  • Legal Summons and Proceedings: In the event of a legally justified request from law enforcement authorities or a court (e.g., an order to secure data), we are obliged to provide specific data from the system (e.g., a given User's login history).

Legal Basis: Article 6(1)(c) of the GDPR – fulfillment of a legal obligation incumbent on the Administrator.

4.9. Establishment, Exercise, or Defense of Claims (Legitimate Interest):

In the event of a dispute with the User or other legal conflict, we may process personal data to the extent necessary to determine the circumstances of the case, pursue our claims (e.g., against fraudsters), or defend against claims (e.g., if the User brings a claim against us).

Legal Basis: Article 6(1)(f) of the GDPR – our legitimate interest in protecting our rights, ensuring the possibility of defense, and clarifying any disputes.

  5. Sharing Data with Third Parties

We respect User privacy, which is why we do not sell or rent their personal data to third parties. Data may only be shared with third parties under the limited circumstances described below:

5.1. Processors (Service Providers):

We use external companies that assist us in providing services and may process personal data solely on our instructions and on our behalf (based on a data processing agreement). Such entities include:

  • Hosting and server infrastructure providers: storing the database and game servers (e.g., a cloud server provider). They may potentially have access to data, but they use it only for maintaining and managing the infrastructure.
  • Analytical service providers and development tools: e.g., Google Firebase (Analytics, Crashlytics), which collects aggregated statistics and error reports on our behalf; Unity Analytics; etc. Personal data here is generally pseudonymized (e.g., device identifier).
  • Push notification and email providers: e.g., an email sending service (if we use one) that processes email addresses and message content for newsletter distribution; push notification servers (Firebase Cloud Messaging/Apple Push Notification) – although they generally only receive a device token and message content, without other data.
  • Technical payment partners: Google and Apple in the scope of confirming in-app transactions (they receive transaction data and account pseudonym, but they, as controllers, process e.g., credit card data – we do not receive this). For payouts: banks or payment operators through which we make transfers – e.g., our bank will receive the recipient's data and the transfer amount. We do not have a typical processing agreement with these entities (they are separate controllers, e.g., a bank), but the data transfer results from the necessity to perform transactions at the User's request.
  • Other subcontractors: e.g., accounting firms settling taxes on prizes, law firms handling our cases (they may have access to documentation containing personal data in case of a dispute), IT companies servicing the application, etc. Each such entity only has access to the data necessary to perform its service and is obligated to maintain confidentiality.

5.2. Public Authorities:

We may disclose certain data if we are legally obligated to provide it to public authorities, such as:

  • Law enforcement agencies, courts, or other government institutions – upon their legally justified request (e.g., as part of criminal or administrative proceedings).
  • Tax authorities – to the extent required by tax regulations (e.g., providing a list of promotional lottery winners, if the game were considered such a lottery, or presenting accounting documents during an audit).

In such situations, we verify the legal basis of the request and provide only the required data.

5.3. Marketing Partners (with consent):

As mentioned, if the User gives separate consent, we may provide their contact details (e.g., email address) to our commercial partner for the purpose of sending them a one-time marketing message or adding them to the partner's mailing list. For example, if company X is the sponsor of a selected prize pool and the User agrees to receive offers from them, we may provide their email address to company X, limiting the use of this data only to the scope covered by the consent (e.g., sending a newsletter). The partner then becomes a separate controller of this data and is responsible for processing it in accordance with the law – we, in turn, ensure that such a company is reliable and we enter into an agreement with them guaranteeing one-time or limited use of the data in accordance with the purpose. Lack of consent means no such sharing.

5.4. Social Media Connections:

The Game may offer integration with social media (e.g., a function to share results on Facebook, login via Google/Facebook). If the User uses these options, certain data may be shared with these services – e.g., information that they are playing our game, their achievements (if they decide to share them), a list of playing friends (if the friends feature is implemented). Such sharing occurs with the User's consent and action (e.g., clicking "share on Facebook") and is subject to the privacy policies of those services.

5.5. Change of Ownership or Restructuring:

In the event that FindTheMoney P.S.A. undergoes a transformation process, such as a merger, acquisition by another entity, sale of the business or its part related to the Game – User data may become part of the transferred assets. The new owner will be able to continue using the data for purposes identical to those described in this Policy (or purposes for which the User has separately consented), of course, in compliance with all applicable regulations. In such an event, we will inform Users about the change of data controller, if it occurs.

5.6. Public Visibility of Certain Data:

We point out that some information elements may be visible to other players within the game itself, which can be considered limited data sharing: for example, if the User chooses a player nickname, it may be visible in the ranking; if they write a message in the game chat – others in the game will see it (along with their nickname). We recommend not using personal data as a nickname (e.g., full name and surname) or providing contact details in the chat, as this information becomes available to the community and the Administrator does not have full control over it (although we strive to moderate and remove personal data appearing publicly to protect User privacy).

  6. Transfer of Data to Third Countries

As a rule, we strive to process Users' personal data within the territory of the European Economic Area (EEA). Nevertheless, some external services we use may involve transferring data outside the EEA, for example:

  • Google Firebase and other Google services: Google may store data (analytics, error logs) on servers located outside the EEA (e.g., in the USA). However, Google participates in the EU-US Data Privacy Framework (successor to the Privacy Shield) or uses standard contractual clauses approved by the European Commission, which ensures an adequate level of data protection comparable to the EU.
  • Apple (App Store, iCloud): Apple, Inc. is headquartered in the USA, although European users' iCloud data is usually stored in Europe. In case of transfer to the USA, Apple is also covered by an appropriate GDPR compliance mechanism (e.g., standard contractual clauses).
  • Servers and cloud services: If we use AWS (Amazon Web Services) or Azure, these companies have a global infrastructure. We choose data centers in the EU whenever possible. However, if data is transferred outside the EEA for backup or global support, it is done based on compliance mechanisms (Amazon and Microsoft are also covered by standard clauses and/or adequacy decisions).
  • Payment partners: For example, Revolut is a company headquartered in the UK (outside the EEA, but the UK has the status of a country ensuring an adequate level of personal data protection under the European Commission's decision of 28.06.2021). If other fintechs from outside the EEA are used, we will ensure they apply appropriate safeguards.
  • Other entities: Any potential transfer, e.g., to sponsors in countries outside the EEA (if the User consents), will only occur after ensuring appropriate mechanisms (e.g., a US sponsor will sign standard contractual clauses before receiving the User's email).

In every case of data transfer to a third country (outside the EEA), we ensure that one of the conditions from Chapter V of the GDPR is met: either a decision stating an adequate level of protection, or standard contractual clauses, possibly other permitted instruments (codes of conduct, binding corporate rules). In the absence of these, we will ask for the User's explicit consent or such a transfer will be necessary for the performance of the contract (e.g., international payment). The User has the right to obtain a copy of the safeguards applied during the transfer – please contact us for this purpose (point 2).

  7. Data Retention Period

We will store Users' personal data only as long as necessary to achieve the purposes outlined in this Policy, unless a longer retention period is required or permitted by law. Below are the main principles regarding data retention periods:

  • Account and Profile Data: We store data associated with your User Account (email address, nickname, game data) for the entire period the account is active. After your account is deleted or after a prolonged period of inactivity [e.g., 2 years], data may be deleted or anonymized, unless we need to retain it for other reasons (e.g., accounting). Typically, if there's no login for 2 years, we consider the account inactive and may delete it (after prior email notification, if possible).
  • In-App Transaction Data: Information about IAP purchases may be stored for the duration of the account's existence (to allow purchase restoration). Financial documentation of these transactions (reports from Google/Apple) is stored separately in accounting for the required 5 years (in accordance with tax regulations).
  • Prize Payout Data: Personal data related to payouts (e.g., first name, last name, address, tax ID, proof of payout) must be stored for the period required by tax and accounting law – in Poland, generally 5 years from the end of the year in which the tax transaction occurred (e.g., payout in 2025 – data until the end of 2030). After this period, documents containing the data will be destroyed or anonymized.
  • Anti-Fraud Register Data: Information about bans and regulation violations (e.g., that a specific device was banned for cheating) may be retained indefinitely in an internal database (for the purpose of preventing future violations). However, the attribution of this information to the personal data of a specific person (if, for example, they provided an email) will disappear with the deletion of their personal data from the account.
  • Technical Logs: Server logs containing IP and system events are usually stored for a period of up to [e.g., 30-90 days], unless they contain information needed for further investigation of abuses – in which case they may be kept until the case is closed.
  • Marketing Data:
    o If you have consented to marketing communication, we will process your contact data for this purpose until you withdraw your consent. After withdrawal of consent, we will not send further messages – but information that a given email address has unsubscribed may be retained so as not to re-add it to the list (blocking list).
    o Data transferred to a partner based on consent – the partner will store it according to their policy; we will delete our copy after transfer (unless we need proof of consent transfer).
  • Correspondence and Submissions: Emails and support submissions are stored as long as necessary to handle the matter, and after it's closed, they are archived for up to 2 years in case of reopening the matter or their usefulness for future similar issues.
  • Google/Facebook Login Data: If you connect your account with Google/Facebook, we do not store, for example, access tokens longer than necessary for session authorization. We store the account identifier in that service to enable subsequent logins – we delete it when you disconnect or delete your account.
  • Evidence in Disputes: In case of an ongoing dispute, we may retain all relevant data until the final resolution of the case and the expiration of claims (e.g., until the statute of limitations expires or a judgment is enforced).

After the appropriate periods, the data will be securely deleted or permanently anonymized (deprived of characteristics allowing identification). In the case of anonymization, we may still use aggregated, non-identifying statistics (e.g., total number of payouts made in 2023-2025, etc.).

  8. User Rights Regarding Personal Data

In accordance with the GDPR, Users have the following rights related to the processing of their personal data by the Administrator:

  • Right of access to data (Art. 15 GDPR): You have the right to obtain confirmation as to whether we are processing your personal data, and if so, to access that data and receive information including the purposes, categories of data, recipients, planned retention period, your rights, data sources (if not from the data subject), and any automated decision-making. You can request a copy of your personal data (the first copy is free, subsequent copies may incur an administrative fee).
  • Right to rectification of data (Art. 16 GDPR): If you notice that your data we process is incorrect or incomplete, you have the right to request its correction or completion. In many cases, you can correct profile data yourself through account settings (e.g., change email address); otherwise, we will correct it at your request.
  • Right to erasure of data "right to be forgotten" (Art. 17 GDPR): You have the right to request the erasure of your personal data, especially when: (a) the data is no longer necessary for the purposes for which it was collected, (b) you have withdrawn consent for processing and there is no other legal basis, (c) you successfully object to processing (see below), (d) the data has been unlawfully processed, or (e) it must be erased to comply with a legal obligation. Please remember, however, that we may not always be able to immediately erase all your data – for instance, there may be a legal obligation to continue storing it (data concerning paid-out prizes – for tax purposes) or another overriding basis (e.g., legal interest in defending against claims). In such a situation, we will inform you about the extent to which we cannot fulfill the request and why. We also point out that data deletion usually means account deletion and loss of access to the Game – as stated in the Regulations. If you still have unpaid Prizes, we will not be able to issue them after data deletion, as we will lose the ability to identify and contact you.
  • Right to restriction of processing (Art. 18 GDPR): You can request that we restrict the processing of your data (meaning we only store it, possibly performing minimal operations with your consent or to protect claims), if: (a) you contest the accuracy of the data – for a period allowing us to verify it; (b) the processing is unlawful, but you object to erasure and instead request restriction; (c) we no longer need the data, but you need it for the establishment, exercise, or defense of claims; or (d) you have objected to processing – pending verification whether our legitimate grounds override your objection. When processing is restricted, we will only be able to process this data (apart from storing it) with your consent or for the establishment/exercise of claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest. We will inform you before lifting such restriction.
  • Right to data portability (Art. 20 GDPR): To the extent that we process your data based on consent or a contract (Art. 6(1)(a) or (b) GDPR) and by automated means – you have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format (e.g., CSV, JSON). You can also request that we transmit this data directly to another controller, where technically feasible. This right does not apply to data processed based on other grounds (e.g., legitimate interest) or data that we have created based on your activities (e.g., internal analyses).
  • Right to object to processing (Art. 21 GDPR): You have the right to object at any time, on grounds relating to your particular situation, to the processing of your data which we base on our legitimate interest (Art. 6(1)(f) GDPR) – e.g., profiling for anti-cheat or analytical purposes. Upon receiving an objection, we will consider whether there are compelling legitimate grounds for the continued processing that override your interests, rights, and freedoms, or whether the data is necessary for the establishment, exercise, or defense of claims. If not, we will cease such processing. If the objection concerns processing for direct marketing purposes, you have the right to object at any time, and we will immediately cease such processing (there is no "particular situation" requirement here – marketing is always your choice). You can object to marketing, for example, by clicking the unsubscribe link in the footer of a received message or by changing your account settings.
  • Right to withdraw consent: If any of your data is processed based on your consent (e.g., marketing consent, consent to share with a partner, consent for background location data if required), you have the right to withdraw such consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal (meaning previously sent emails or location processing until withdrawal were legal). After withdrawal, we will cease processing data to the extent covered by that consent. Marketing consent can be withdrawn as above (unsubscribe, settings), location consent – by changing device settings, other consents – by contacting us.
  • Right not to be subject to automated decision-making (Art. 22 GDPR): As a rule, we do not make decisions about Users based solely on automated processing that produce legal effects concerning them or similarly significantly affect them. Certain Game functions (e.g., automatic account suspension upon detection of irregularities) may appear to be an automatic decision – however, final decisions on imposing, for example, a permanent ban, are reviewed by personnel. If you believe that a fully automated decision has been made in your case without human intervention and you disagree with it, you have the right to appeal it and request reconsideration with human involvement.

To exercise your rights, please contact us (contact details in point 2). We will fulfill your requests as soon as possible, no later than within one month of receipt (in complex cases, this period may be extended to 2 months, of which we will inform you). Please note that before fulfilling certain requests, we will need to properly verify your identity (to ensure that the person making the request is who they claim to be and has the right to access that data). Verification may involve, for example, logging into your account and sending a message from the application, or providing us with certain reference information.

If you believe that the processing of your personal data violates legal provisions, you have the right to lodge a complaint with a supervisory authority. In Poland, the competent authority is the President of the Personal Data Protection Office (UODO), address: ul. Stawki 2, 00-193 Warsaw. You can also report the matter to the authority in the EU country where you live or work, if different from Poland.

  1. Data Security

We make every effort to ensure an appropriate level of security for your data. To this end, we have implemented the following measures and practices:

  • Technical measures: We have applied security measures such as encryption of communication between the application and the server (HTTPS/TLS protocols), encryption of sensitive data in the database (e.g., passwords stored using strong bcrypt hash functions), firewalls and intrusion detection systems protecting our servers, regular software updates and vulnerability verifications. Data stored on your device (e.g., login token) is secured by operating system mechanisms (application sandbox).
  • Organizational measures: Only authorized employees/collaborators who need access to perform their duties have access to Users' personal data (the "need-to-know" principle). These individuals are obligated to maintain confidentiality. We maintain access logs to systems containing data to monitor any unauthorized attempts. We regularly train our team on data protection and security.
  • Data minimization: We collect only the data that we genuinely need for the stated purposes. Whenever possible, we use pseudonymization or anonymization (e.g., for statistical analyses, we use aggregated data, not full data of specific individuals).
  • Backups: We perform encrypted database backups to be able to restore data in case of failure or error (this is also a security element – preventing data loss). Access to backups is restricted, and they are stored securely.
  • Risk assessment: We continuously assess data threats (e.g., the possibility of an application attack) and adjust security measures. We have incident response procedures – in the event of a personal data breach that could result in a risk to Users' rights, we will notify Users and the supervisory authority accordingly, in accordance with Articles 33-34 of the GDPR.
  • User-side security: Remember that you also play a role in protecting your data. Ensure the security of your device: use a screen lock, do not share it with strangers, and keep your software updated. Do not publicly share your personal data within the game (e.g., in chat). If you use a login and password, keep your password confidential and do not use the same password as for other services. We will never ask you for your password in a message; be wary of phishing attempts impersonating us. If you suspect that an unauthorized person has gained access to your account, notify us immediately.
  1. Cookies and Tracking Technologies

The mobile game may locally use certain technical mechanisms similar to cookies (e.g., storing a session token in the device's memory). However, this is not a website, so traditional browser cookies do not apply here, with the exception of our informational website (if one exists, e.g., a website with regulations), which may use cookies for basic purposes (e.g., remembering language settings).

Within the mobile application itself:

  • We use Firebase Analytics and potentially similar tools, which may utilize the device's advertising identifier (Advertising ID on Android / IDFA on iOS) or its own analytical identifier to track in-app activity. This identifier is pseudonymous and can be reset in your device settings. On iOS, you can completely block tracking (ATT - App Tracking Transparency, where the app will ask for permission to access IDFA; we will display such a request if Apple's rules for Analytics require it). On Android, you can disable ad personalization and reset the identifier in your privacy settings.
  • Push notification tokens: Your device generates a token (a string of characters) for receiving push notifications. We store this token linked to your account to send notifications. This token can be considered a technical identifier; if you don't want to receive push notifications, you can disable them in the app or system settings – in that case, we won't use it.
  • GPS/Bluetooth/WiFi: These are not cookies, but it's worth mentioning – the game uses GPS and potentially BT/WiFi (e.g., to improve location accuracy). You can always disable these at the system level, though it will limit the game's functionality.

Currently, we do not use cross-app tracking mechanisms (between different applications) beyond standard analytical functions. We also do not share analytical data with external advertisers (the game does not feature classic third-party ads; it relies on its own mechanisms).

If, in the future, we introduce technologies that may collect additional information (e.g., integration with Facebook SDK for sharing, which may set certain tokens), we will inform you in this Policy.

  1. Final Provisions
  2. Privacy Policy Updates: We may periodically update this Privacy Policy due to changes in our data processing practices or legal regulations. We will inform Users of any significant changes through an appropriate notice (e.g., in the application upon login or on our website), and the amended Policy will be marked with a new effective date. We encourage you to regularly review the Policy to stay up-to-date on how we protect User data.
  3. Contact and Additional Information: If you have any questions regarding this Policy or general privacy issues within the Game, please contact the Administrator (contact details in point 2 above). We are happy to clarify any doubts and respond to feedback – User privacy is very important to us, and we constantly strive to raise our protection standards.

Thank you for taking the time to read the Privacy Policy. We wish you enjoyable and safe gameplay in FindTheMoney!