GDPR FAQ

Last updated December 17th 2018

 

Q.      Is the data in accordance with GDPR?

 

Yes. Both our terms and conditions and our privacy policy are in accordance with GDPR. They are available at https://lululab.org/terms and https://lululab.org/privacy respectively.

 

Continuing to use LuluLab products constitutes acceptance of these policies.

 

Q.      What is GDPR?

 

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy.

          

Q.      What kind of data does LuluLab collect?

 

We collect personal data from all players. We track answers made inside the game, the player profile and the performance of the game, using the external tool GameAnalytics.

 

Q.      What is personal data?

 

According to GDPR, personal data is:

 

“Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.

 

Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the law.”

 

This means that not only is personally identifiable information like the user’s name, email address, or device ID (IDFA/GAID) personal data, but any data we can associate with one person, even if we cannot identify that person in the real world.

 

The most important consequence of this is that any data associated with one individual (or an ID referring to one individual, even if it is a randomly generated ID) is personal data – including actions they have taken in a game, such as starting the tutorial, picking a character, beginning or ending a session.

 

 

Q.      What is our status under GDPR?

 

Because we both store and process the data we collect (i.e. via segmentation, A/B tests, etc.) we are both a data processor and a data controller under GDPR.

          

Q.      Are we allowed to collect this data?

 

Yes, as long as the player has consented to their data being collected and used for analytics and marketing purposes.

 

Q.      How do we get consent to collect this data?

 

We will ask for consent before the player starts the game and before any data has been sent to us or stored locally. This will be in the form of accepting our new privacy policy and terms of service, which detail the types of data we collect and the ways they are used. This consent must be provided on an opt-in basis. Under GDPR, consent is: “Consent must be freely given, specific, informed and unambiguous. Informed consent means that you must be given information about the processing of your personal data”.

 

Q.      How do we verify that we have consent?

 

The player checks a checkbox before starting to play the game. This allows the player to play and us to collect the data.

For players under the age of 16, consent for use is given by the government, NGO or school using our products, which unlocks the game before the minor starts it. If the user is on a mobile platform or any other platform that deals directly with the user, the parent or legal guardian of the child must consent via email to the creation of the profile and to all collection of data.

 

Q.      Do we store records of consent?

 

We do not store any consent data.

 

Q.      Can we transfer personal data outside of EU territories?

 

Yes. If in the future we need additional safeguards and those can be found only on servers outside the EU, we could transfer all the data.

 

Q.      Do we have any restrictions on data retention?

 

According to GDPR, data must be stored for as little time as possible, and individuals must be clearly informed of how long their data will be retained.

 

GDPR specifies:

 

“You must store data for the shortest time possible. That period should take into account the reasons why your company/organisation needs to process the data, as well as any legal obligations to keep the data for a fixed period of time (for example national labour, tax or anti-fraud laws requiring you to keep personal data about your employees for a defined period, product warranty duration, etc.).

 

Your company/organisation should establish time limits to erase or review the data stored.

 

By way of an exception, personal data may be kept for a longer period for archiving purposes in the public interest or for reasons of scientific or historical research, provided that appropriate technical and organisational measures are put in place (such as anonymisation, encryption, etc.).

 

Your company/organisation must also ensure that the data held is accurate and kept up-to-date.”

 

All collected data will be stored on our servers for a period of at least two years. This is due to the external tools we use and to possible audits of the collected data or revisions of any analyses done internally.