PRIVACY POLICY
​At Kalypso Media, we value your privacy and are committed to protecting your personal data. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data when you use our websites, online services, mobile apps, and related products (collectively, the “Services”).
​
We collect and process personal data to provide you with a seamless and personalized experience, to comply with legal obligations, and to improve our Services. Personal data includes any information that can identify you directly or indirectly, such as your name, contact details, IP address, or user behavior.
​
This privacy policy applies to all processing of personal data in connection with our services, regardless of whether such data is collected online or offline. Where links lead to third-party websites or services that are not operated or controlled by us, their respective privacy policies apply. We recommend that you review those privacy policies before sharing any personal data with such third parties. For all personal data we collect – regardless of the method of collection – we provide the necessary information in accordance with Article 13 of the GDPR.
​
If you have any questions or concerns about how we handle your personal data, please feel free to contact our Data Protection Officer at dataprotectionofficer@kalypsomedia.com.
​​
​
1. Controller
Kalypso Media Group GmbH
Wilhelm-Leuschner-Strasse 11-13
67547 Worms, Germany
Email: info@kalypsomedia.com
​
For further legal information, please refer to our legal notice (including authorized representatives and company registration details).
​
​
2. Data Protection Officer
​
Mr. Werner Merl
Data Protection Officer, cert. TÜV, Dipl.-Wirtsch.-Ing. (TH)
Email: dataprotectionofficer@kalypsomedia.com
Address: Rödl IT Secure GmbH, Dep. data protection „Kalypso Media Group“, Äußere Sulzbacher Straße 100, 90491 Nuremberg, Germany
​
​
3. Hosting via WIX.com
Our website is hosted by WIX.com Ltd., Nemal St. 40, Tel Aviv, Israel. When you visit our website, the following personal data is automatically collected:
​
- IP address
- Date and time of access
- Browser and operating system used
- Pages visited
- Referrer URL
- HTTP status
- Amount of data transferred
​
This data is technically necessary to display the website correctly and to ensure its stability and security. The legal basis for this processing is Art. 6(1)(f) GDPR (legitimate interest in the provision and operation of the website).
​
This access data is generally stored by WIX for the duration of your use and, for security and logging purposes, for up to 12 months, unless a longer retention period is legally required.
​
WIX uses a multi-cloud strategy to deliver website content efficiently and securely, utilizing:
​
- Amazon Web Services (AWS)
- Google Cloud Platform (GCP)
- WIX’s own data centers
- Fastly’s global content delivery network (CDN)
​
As a result, technical data (such as IP addresses) may be processed via servers located in Israel, the USA, and other countries, depending on the user’s location and CDN routing. The main data processing takes place in Israel and the United States.
​
- Israel has been recognized by the European Commission as providing an adequate level of data protection (Art. 45 GDPR).
- For data transfers to the USA, WIX relies on the EU-U.S. Data Privacy Framework (DPF), to which WIX is certified.
- For any additional third countries, WIX uses appropriate safeguards as defined in Art. 46 GDPR, especially Standard Contractual Clauses (SCCs).
​
We have concluded a valid data processing agreement (DPA) with WIX in accordance with Art. 28 GDPR. WIX contractually ensures that any subcontractors are engaged in compliance with the GDPR.
​
For more information on how WIX handles personal data, please refer to: https://wix.com/about/privacy
​
​
4. Consent Management via Usercentrics
​
We use the Consent Management Platform (CMP) provided by Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany, to obtain, store, and manage your consent for the use of cookies and for data processing by Google in compliance with the Google Consent Mode.
When you visit our website, a consent banner is displayed. In this process, Usercentrics collects and processes the following data:
​
- Consent status (granted or denied)
- Timestamp of the decision
- Browser and device information
- Anonymized IP address
- Consent ID
- URL of the page visited
​
This information is stored in a consent cookie on your device and additionally processed on servers operated by Usercentrics within the European Union, in order to fulfil our legal obligation to document consent in accordance with Art. 7(1) GDPR.
​
The consent data is stored for a period of 13 months, unless you withdraw your consent or delete the cookie beforehand.
Legal basis:
​
- Art. 6(1)(c) GDPR in conjunction with § 25(2)(2) TDDDG for technically necessary cookies and for obtaining legally required consent.
- Art. 6(1)(a) GDPR for the transfer of data to Google based on your voluntary consent.
​
We have concluded a data processing agreement (DPA) with Usercentrics in accordance with Art. 28 GDPR. Data processing takes place exclusively within the European Union. No data is transferred to third countries.
​
For more information on how Usercentrics handles personal data, please visit: https://usercentrics.com/en/privacy-policy/
​​
​
5. GeoIP Use via country.is
​
We use the country.is API, operated by Line of Flight B.V., Netherlands, to determine the visitor’s country based on their IP address in real time. This enables us to personalize your user experience with region-specific content. Only the country code is transmitted to us; the IP address itself is neither stored nor retained by country.is.
​
Since WIX does not provide us access to visitors’ IP addresses in the backend, this solution is necessary.
​
The country.is API is delivered via the Content Delivery Network (CDN) of Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA. Technical data (e.g., IP address) may be transmitted to the USA in this process. Cloudflare is certified under the EU-U.S. Data Privacy Framework (DPF). The transfer is based on the adequacy decision pursuant to Art. 45 GDPR.
​
We have concluded a Data Processing Agreement with Cloudflare in accordance with Art. 28 GDPR. Data processing serves exclusively to ensure the performance, security, and integrity of our website.
​
We currently do not maintain a separate data processing agreement (DPA) with Line of Flight B.V. The country.is service only provides real-time country code lookup and does not store personal data permanently.
The processing is based on our legitimate interest under Art. 6(1)(f) GDPR: We require the country code to enable technical functionality such as displaying correct shop prices.
No data transfer to third countries occurs, as the provider is based in the EU and does not store data externally.
​
Purposes of GeoIP data use:
- Display of region-specific age ratings
  Legal basis: Art. 6(1)(c) GDPR (legal obligation to comply with age rating laws)
- Display of region-specific storefront links
  We link to the following storefronts that distribute our video games:
  - Steam
  - Epic Games Store
  - GOG.com
  - PlayStation Store
  - Microsoft Store
  - Nintendo eShop
  The selection of the appropriate store link (EU or US) is based on GeoIP data.
  This processing is necessary to provide the service properly and to prevent users from being directed to incorrect or unavailable regional shops.
  Legal basis: Art. 6(1)(f) GDPR (legitimate interest).
  Consent is not required for this purpose.
- Selection of the appropriate GetResponse newsletter form
  The newsletter signup button links to external GetResponse forms (German or English), which are not embedded directly on our site. GeoIP data only determines which link is shown. No personal data is transmitted to GetResponse before the user explicitly consents on the external form.
  Legal basis: Art. 6(1)(f) GDPR (legitimate interest).
  No consent is required for this purpose.
- Display of correct currencies and regional product prices in our webshop
  Based on GeoIP data, we display prices and currencies tailored to the user’s region. This is necessary for contract fulfillment and improves usability.
  Legal basis: Art. 6(1)(b) GDPR (contract performance) or alternatively Art. 6(1)(f) GDPR (legitimate interest).
  Consent is not required.
Service Providers:
- Line of Flight B.V., Netherlands (operator of country.is)
- Cloudflare, Inc., USA (CDN service provider – DPF-certified)
Privacy Policies of Providers:
​
- country.is: https://country.is
- Cloudflare: https://www.cloudflare.com/privacypolicy/
​
​
6. Creation and Management of User Accounts and Social Login
​
Certain functions on our website require registration and the creation of a user account. Registration can be done either via classic email and password or conveniently through social login with Google or Facebook.
​
Classic Registration:
Only an email address and a password are required to register. Additionally, a reCAPTCHA check is performed to prevent automated registrations.
​
Users can also purchase our products as guests without creating an account. The user account mainly serves to provide an overview of purchases and access to the internal support contact form.
​
The collection and processing of personal data during account creation, as well as its storage, is carried out by the service provider WIX.com Ltd., located at 500 Terry A Francois Blvd, San Francisco, CA 94158, USA, acting as our data processor.
​
Personal data collected during account creation includes:
​
- Email address
- Password
​
Optional data can be added after registration:
​
- First and last name
- Address
- Payment information
- Phone number
- Other information necessary for the functionality of the account (if provided)
​
Social Login:
We offer you the option to log in to our services using your existing Google or Facebook account ("Social Login"). For this, we use:
​
- Google Sign-In, provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
- Facebook Login, provider: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland
​
When you use this feature, certain personal data—including your name, email address, and profile picture—is transmitted from the respective provider to us. We use this data solely for registration and authentication purposes on our platform.
​
The providers thereby receive information about your use of our service and may combine it with other data from your profile. Further information on data processing by Google and Meta can be found in their privacy policies:
​
- Meta (Facebook): https://www.facebook.com/privacy/policy
​
Legal basis:
Data processing is based on your consent (Art. 6(1)(a) GDPR) for the use and data transfer to the social media partners. Alternatively, when using social login, Art. 6(1)(b) GDPR (performance of a contract) may apply, as login is part of registration and contract fulfillment.
​
You can revoke your consent at any time by removing the social login access, deleting your user account with us, or switching to classic email/password login.
​
Note on processing by WIX:
WIX stores and processes personal data on servers in the EU and the USA, based on a valid data processing agreement and data protection standards recognized by the EU (e.g., Standard Contractual Clauses). For more information on WIX’s privacy practices, please visit: https://de.wix.com/about/privacy
​
​
7. Use of Google Services
a) Google Fonts
We use Google Fonts to display text in a consistent and visually appealing way. According to the current implementation by WIX, all fonts are served directly from WIX servers, meaning no IP address or other personal data is transmitted to Google.
​
- Data transfer: No data is sent to Google or other third parties.
- Legal basis: Not applicable, as no personal data is processed.
- Storage duration: Not applicable.
​
b) Google Analytics
​
We use Google Analytics with IP anonymization, exclusively based on your explicit consent (Art. 6(1)(a) GDPR).
​
- Storage duration: Data is retained for up to 14 months (depending on the configuration in Analytics).
- Legal basis: Your consent under Art. 6(1)(a) GDPR.
- DPA: A Data Processing Agreement (DPA) has been concluded with Google via WIX.
- Additional data use by Google: Google may process the data for its own purposes (e.g. service improvement), which is outside of our control.
​
c) Google reCAPTCHA v2
​
We use Google reCAPTCHA v2 to protect our web forms from automated access (e.g. bots).
​
- Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the security and integrity of our website).
- Integration via WIX: The tool is embedded by WIX, typically triggered when suspicious behavior is detected or interactive elements are used.
- Data transfer: Technical data (e.g. IP address, device/browser information) is sent to Google Ireland Ltd.
- DPA: Google is bound by a DPA provided via WIX.
- Third-country transfer: Google is certified under the EU-U.S. Data Privacy Framework (DPF). Data transfer is based on the adequacy decision according to Art. 45 GDPR.
​
More info: https://policies.google.com/privacy
​
​
8. Newsletter (GetResponse)
We offer you the option to subscribe to our newsletter. The registration process is handled via an external form provided by GetResponse S.A., Arkonska 6, 80-387 Gdańsk, Poland.
Based on your region (determined via GeoIP), you are redirected to either the German or English version of the signup form.
We use the double opt-in procedure, meaning you will only receive newsletters after confirming your email address.
​
- Processing & storage:
  GetResponse processes and stores your data solely for the purpose of sending newsletters.
  Your data will be stored as long as you remain subscribed. After unsubscribing or withdrawing your consent, your data will be deleted within 30 days, unless legal retention obligations require otherwise.
- Data processing within the EU:
  GetResponse is based in the EU and states that all data is stored and processed exclusively within the EU/EEA.
- Legal basis:
  Art. 6(1)(a) GDPR (consent). You may withdraw your consent at any time with future effect via the unsubscribe link included in every newsletter.
- Data Processing Agreement:
  We have signed a Data Processing Agreement (DPA) with GetResponse in accordance with Art. 28 GDPR.
More information on GetResponse's privacy practices: https://www.getresponse.com/legal/privacy
​
​
9. Contact Forms
​
Our public contact form collects the following data from you to process your inquiry:
- Email address
- Subject of the inquiry
- Your message
These fields are mandatory (legal basis: Art. 6(1)(b) and (f) GDPR).
All other information provided in this form is voluntary and processed only with your consent (Art. 6(1)(a) GDPR).
Our internal support form, available only to logged-in users, collects the following mandatory fields necessary to process hardware- and game-related support requests:
- First and last name
- Email address
- Additional mandatory fields marked with *
​
​
10. Online Shop (WIX Stores) & Payment Processing
We collect order data, name, address, email, payment details. Data is shared with payment providers (PayPal, WIX Payments) for transaction processing. Card data is not stored.
​
Legal basis: Art. 6(1)(b) GDPR
​
​
11. Security
​
Our website is hosted on the Wix platform, which provides built-in TLS/SSL encryption to secure data transmission. Additionally, we implement appropriate technical and organizational measures—both through Wix’s security infrastructure and our own practices—to protect your personal information from unauthorized access, loss, or misuse.
​​​​
​
12. Your Rights
As a data subject in connection with the aforementioned processing activities and subject to the legal limitations, you have, in particular, the right to
​
- Access (Art. 15 GDPR)
- Rectification (Art. 16 GDPR)
- Erasure (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR) and
- Object to processing based on the legitimate interests of Kalypso Media Group or its partners (Art. 21 GDPR)
- Not to be subject to decisions based solely on automated processing (Art. 22 GDPR)
- Withdraw your given consents with effect for the future (Art. 7(3) GDPR)
- Claim compensation for damages in case of violations of the GDPR (Art. 82 GDPR)
​
To exercise these rights, please contact the data controller with a corresponding request or the data protection officer. Their addresses can be found above under sections 1 and 2. To simplify the related processes, we kindly ask you to send these requests by email or via our contact form.
Contact: dataprotectionofficer@kalypsomedia.com
​
​
13. Right to Complain
If you believe that your data is being processed unlawfully, you have the right to lodge a complaint with a data protection supervisory authority of your choice.
If you have any concerns or reasons for complaint regarding our processing of personal data, we kindly ask you to first contact the data controller and/or the data protection officer, so that we can promptly review your complaint and take appropriate remedial action.
​
The data protection authority responsible for you in Germany can be found at the following link: BfDI - State Authorities (www.bfdi.com, Contact with State Authorities).
The data protection authority responsible for Kalypso Media Group GmbH can be reached at the following address:
The State Commissioner for Data Protection and Freedom of Information Rhineland-Palatinate,
P.O. Box 30 40, 55020 Mainz,
email: poststelle@datenschutz.rlp.de,
web: https://www.datenschutz.rlp.de
​
​
14. Changes to this Privacy Policy
We reserve the right to update this privacy policy in case of changes to the website, due to legal requirements, or changes to our services and data processing activities.
Last updated: June 2025
