Meta Nanos logo

DATA PROTECTION DECLARATION

Last update: 25.11.2022

Nano Meta Games GmbH ("we") operates the website https://www.metananos.com ("Website") as well as various social media profiles and is the controller under data protection law for any and all data processing operations outlined subsequently. This Data Protection Declaration covers

(i) the above mentioned Website and

(ii) all social media presences outlined under point 8 (collectively "Social Media Presences").

Thank you for your interest in our Website and/or our Social Media Presences. The protection of your privacy is very important to us and we would like to inform you accordingly about your rights and opportunities in order to effectively support a trusting business relationship. Our data protection practice is in accordance with the General Data Protection Regulation of the European Union ("GDPR") in conjunction with the Austrian Data Protection Act (Datenschutzgesetz) and other relevant legal provisions.

The following Data Protection Declaration is intended to provide you with comprehensive information in the sense of Art 13 GDPR on how we deal with your data and what rights you have. Information may be either collected directly from you by means of input and dispositions or due to accessing one of our offers.

You are not obliged to provide data. Upon accessing our Website automatically processed data are non-personal or only stored for a very short period of time (see in particular point 2.1). However, in case you decide to make use of our services (i.e., registering a user account to play virtual games), you have to provide us certain of your data, which are necessary for the execution of the respective contract.


Contact and information on the responsible party for data processing operations


Responsible in the sense of Art 4 Z 7 GDPR:

Meta Nano Games GmbH

Liebenauer Hauptstraße 2-6

8041 Graz


Contact:

Tel: +43 6644 88 18 81

E-Mail: dataprivacy@metananos.com

Web: https://www.metananos.com


OVERVIEW

1. Definitions and interpretation

2. Data processing operations

2.1 Processing of access data when visiting our Website

2.2 Contacting

2.3 Registering of access data when visiting our Website

2.4 Meta Nanos Ambassador

2.5 Newsletter

2.6 Web analysis and tracking: third-party solutions

3. Storage and tracking technologies

3.1 Cookies

3.2 Local/session storage

3.3 Tracking pixel

4. Link to third-party sites

5. Third-party services

5.1 General explanations

5.2 Overview and brief summary

5.3 Individual third-party services

5.3.1 Microsoft Azure PlayFab

5.3.2 Google Services

5.3.2.1 Google Analytics

5.3.2.2 Google Fonts

5.3.3 Meta pixel

5.3.4 Hotjar

6. Data transfer and recipients

7. Rights of the data subject

8. Social media presences

8.1 Facebook

8.2 Instagram

8.3 Twitter

8.4 Discord

8.5 LinkedIn

8.6 TikTok

8.7 Telegram

8.8 YouTube

1. Definitions and interpretation

Data protection laws are generally relevant in case any processing of personal data is concerned. The terms used within the scope of this Data Protection Declaration are defined in and by the GDPR. As such, the broad definition of processing (Art 4 item 2 GDPR) of personal data means any operation or set of operations performed on personal data. Any information allowing us or third parties to potentially identify you in person can be considered your personal data, which makes you a data subject (Art 4 item 1 GDPR) within this context.

The following terms are particularly relevant for a better understanding of this Data Protection Declaration:

Controller

Definition: Natural or legal person or other body which has decisive influence on the processing of personal and is therefore subject to data protection obligations.

Regulation: Art 4 item 7 GDPR Art 24 GDPR

Joint Controllers

Definition: Controllers, which process personal data in common interest and have each at least partly a decisive influence on decisions made in this regard.

Regulation: Art 26 GDPR

Processor

Definition: External service provider which processes personal data on behalf of the controller and is contractually bound to its instructions. The processor thereby acts as a kind of extended arm of the controller.

Regulation: Art 4 item 8 GDPR Art 28 GDPR

Recipient

Definition: Generally, every natural or legal person or other body outside of the organisation of the controller to which data being subject to the controller's responsibility are disclosed.

Regulation: Art 4 item 9 GDPR

Legal basis

Definition: Condition determined by law that constitutes an authorisation to lawfully process personal data.

Regulation: Art 6 para 1 GDPR

Transfer to third countries

Definition: Transfer of personal data to countries outside of the EU respectively EEA through which they are detracted from the sole control of the GDPR due to stronger ties to the legal system of such third country. This might take place where data are disclosed to a recipient that (i) has its seat/residency in such third country or (ii) maintains a server there on which personal data are processed.

Regulation: Chapter V GDPR

Adequacy decision

Definition: A resolution of the European Commission through which the adequacy of the data protection level in a third country is acknowledged, and consequently a transfer of data is possible without further restrictions.

Regulation: Art 45 GDPR

Appropriate safeguards

Definition: Various instruments which allow the transfer of personal data into a third country for which an adequacy decision does not exist. As far as third-country transfers by us are based on appropriate safe-guards, you may request a copy thereof by contacting us under dataprivacy@metananos.com.

Regulation: Art 46 GDPR

2. Data processing operations

In the subsequent section, data processing operations that may occur when accessing or using our Website are described in detail. Within this context, we provide you with information on the essen-tial elements of each data processing operation, namely (a) type and extent (when and how), (b) purpose (why) as well as (c) the storage period of your data (how long).

Moreover, we inform you about the legal basis which we use to justify the respective data processing operation as required by the GDPR. The following chart provides you with a first overview of possible legal bases, which we use in this regard:

Consent

Definition: You have given us your consent prior to the beginning of the data processing op-eration and for the specific occasion, which therefore authorises us to process your data. (For the right to with-draw your previously given con-sent at any time, see point 7.)

Regulation: Art 6 para 1 lit a GDPR

Performance of a contract

Definition: The processing of your data is necessary for the performance of a contract con-cluded with you or to take steps prior to entering into a contract with you at your request.

Regulation: Art 6 para 1 lit b GDPR

Legitimate interests

Definition: The processing of your data is (i) necessary for the purposes of legitimate interests pursued by us or a third party and (ii) we have considered your conflicting interests and fundamental rights and freedoms accordingly. (For the right to object, see point 7.)

Regulation: Art 6 para 1 lit f GDPR

2.1 Processing of access data when visiting our Website

(a) Type and extent of data processing: You can visit our Website without providing any personal information. When you access our Website, only certain access data are processed automatically in so-called server logfiles. In par-ticular, the following data are processed in this context: (i) name of visited website; (ii) browser type/version used; (iii) operating system of the user; (iv) previously visited website (referrer URL); (v) time of the server request; (vi) data volume transferred; (vii) host name of the access-ing computer (IP address used). This information does not allow us to identify you personally. However, IP addresses are considered personal data within the meaning of the GDPR.

(b) Legal basis and purpose: The purpose of this data processing operation is to establish and maintain technical security in regards of our Website, to improve the Website's quality and to generate non-personal statisti-cal information. The processing is based on our legitimate interest (Art 6 para 1 lit f GDPR) in achieving the mentioned purposes. (For the right to object, see point 7.)

(c) Storage period: Currently, no server logfiles are stored. In case server logfiles are stored in the future, we will aim at automatically deleting them after thirty one (31) days, at the latest.

2.2 Contacting

(a) Type and extent of data processing: When contacting us via the contact information provided on the front page of this Data Pro-tection Declaration respectively on our Website, we will use your data as indicated in order to process your contact request and deal with it. The data processing involved is necessary to issue a response in respect of your request, as we would otherwise not be able to contact you.

(b) Legal basis and purpose: Purpose of the data processing is to enable us an exchange with users of the Website. We an-swer your request based on our legitimate interest (Art 6 para 1 lit f GDPR) in maintaining a properly functioning contact system, which is a prerequisite for the provision of any services. (For the right to object, see point 7.) In case of repeated contact requests, we may also store your data for cultivating existing/returning contacts, which you will be informed of in accord-ance with the requirements of data protection law.

(c) Storage period: We delete your requests as well as your contact data if the request has been answered conclu-sively. Your data are, in general, stored for a period of six (6) months and subsequently erased if we do not receive follow-up requests and if the data must not be further processed for dif-ferent purposes.

2.3 Registering a user account; connecting your wallet; playing games

(a) Type and extent of data processing: In case you decide to make use of our services (i.e., down-loading/installing games via our Website and playing them via the respective client), you have to register a user account by providing us the respective details as indicated in the course of the registration process; potentially, you may provide further data being not strictly necessary for contract execution (if applicable, the voluntary nature of such indications will be expressly highlighted). Once registered, you can use your login credentials (user name/email, password) in or-der to access your account. As a registered user, you may download the games offered via our Website.

In order to play one of the offered games, you may have to connect your wallet via the respective function on our Website in order to see and use your META NANOs NFTs. For this purpose, we use the third-party extension and wallet service "Metamask" provided by ConsenSys Soft-ware, Inc., 49 Bogart St #22, Brooklyn, NY 11206, USA. Please note that we merely enable you to connect your wallet on your own to use our services. In this regard, we receive your public address that particularly allows us to determine which META NANOs NFTs you own. ConsenSys Software, Inc. acts as independent controller in respect of its processing of your personal data; in any case, ConsenSys Software, Inc. will receive Connection Data in the sense of point 5.1 in case you decide to connect your wallet (including the information that you have visited and used our Website). For more information on ConsenSys Software, Inc.'s data processing practice in regards to Metamask, please review its privacy policy under https://consensys.net/privacy-policy/.

Games offered on our Website can be played via the respective client provided by us. You need to download the respective files beforehand an install them on your end device. To realise the gameplay, we use the "Microsoft Azure PlayFab" service - this includes generating analytical in-formation about your playing behaviour and success (see point 5.3.1). Certain relevant game data will be disclosed to other players as well - such disclosure follows the purpose of improving the quality and features of our games by enabling users to effectively compete with each other ("Social Feature").

(b) Legal basis and purpose: Processing of your data in the course of registering accounts, connecting your wallet and/or subsequently playing our games follows the purpose of realising our business activity and ena-bling us to render our services to Website users; this is necessary for performance of the respec-tive contract concluded with us respectively to take steps at your request prior to entering into a contract (Art 6 para 1 lit b GDPR).

Any additional processing of voluntarily indicated data serves the purpose of providing additional services or facilitating communication, and it is based on our legitimate interest in offering such additional services or in facilitating communications in line with the usual expectations towards a gaming service and the wishes the user expressed by voluntarily indicating said data (Art 6 para 1 lit f GDPR).

Data processing in regards to the Social Feature is based on our legitimate interest in making our games more interesting and allowing an effective exchange between our users for the purpose of offering a comprehensive and successful service (Art 6 para 1 lit f GDPR). (For the right to ob-ject interest-based processing, see point 7).

(c) Storage period: Data which we process in relation to the registration of a user account will be stored for the du-ration of existence of said account and erased afterwards within six (6) months. However, in case users are inactive for a continuous period of five (5) years, the related user account will be automatically deleted. At any time, you may expressly request deletion of your user account by contacting us using the contact options indicated on the front page of this Data Protection Declaration. Longer storage periods may apply where we need your data in the course of the exercise or defence of legal claims.

2.4 Meta Nanos Ambassador Program

(a) Type and extent of data processing: We offer our community to support our company via our so-called "Meta Nanos Ambassador Program". In case you are familiar with Meta Nanos and NFT gaming in general and wish to assist us in getting better on a daily basis, you may provide us with your data; after reviewing your re-quest, we may contact you and offer you to become one of our ambassadors. The respective form to be used for contacting us in this regard is linked in the footer of our Website under "Ambassador Program". Via the form, you have to provide us the respective details as indicated (e.g., contact data, certain skills and experience, role you would be interested in); you may provide further data being not strictly necessary in this regard (the voluntary nature of such indica-tions will be expressly highlighted).

Please note that we use the service "Google Docs" to provide you with the form for our ambassador program. In regards to the EEA region, the service is offered by Google Ireland (cf. point 6). Please be aware that you will be forwarded to the Google Docs page when clicking on the respective link on our Website. Google Ireland acts as our processor in the sense of Art 28 GDPR when it comes to the processing of any data you manually provide via the form. However, we have no influence of automatic processing of your data or storage technologies used in the course of Google Docs. Thus, you may be subject to additional processing of your data in Google Ireland's sphere of influence. In regards to a possible transfer of your data to third countries within this context, please review our explanations under point 5.3.2 which apply correspondingly.

(b) Legal basis and purpose: We process your data provided via the ambassador form on the basis of taking steps at your request prior to potentially entering into a contract (Art 6 para 1 lit b GDPR) for the purpose of evaluating your suitability to act as one of our ambassadors.

(c) Storage period: Your data will be stored until we make a decision on your requested participation in our ambassador program; afterwards, we shall erase your data within seven (7) months. However, in case you are selected to participate in the program, your data will be processed further for this purpose; in such case, we will provide you additional information in line with the requirements of the individual case.

2.5 Newsletter

(a) Type and extent of data processing: You may subscribe to our newsletter via the Website. To do so, you must provide your email address. The newsletter provides you with news about our company and services; it will solely be sent to email addresses having been indicated by interested users themselves. If you no longer wish to receive the newsletter, you can of course unsubscribe (i.e., withdraw your pre-viously given consent) at any time by clicking on the button to unsubscribe at the end of each newsletter or by notifying us of your wish via the contact address specified on our Website and on the front page of this Data Protection Declaration. We also use the newsletter for statistical evaluations in connection with your personal data and assess the performance of the newslet-ter by analysing opening and click behaviour as well as information on the technical deliverabil-ity of the newsletter.

For delivery of the newsletter, we use the newsletter service "MailChimp", which is operated by The Rocket Science Group LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 USA. Hence, your voluntarily provided data will be saved on servers of The Rocket Science Group LLC; in particular, that might entail processing of your data in the USA. Your data will solely be used to deliver the newsletter you have subscribed to. The Rocket Science Group LLC acts as our processor in this context and is strictly bound to our instructions.

(b) Legal basis and purpose: The data mentioned above are processed in the form of a newsletter for direct marketing and are necessary to send the newsletter and contact you in the correct manner. A newsletter or other electronic advertisements will in no case be sent without your prior consent, which we obtain in accordance with Art 6 para 1 lit a GDPR via the registration mask on our Website.

Each and every analysis of the newsletter's performance is conducted for the purpose of evaluating success and reach on the legal basis of our legitimate interest in producing newsletter statistics that are easy to handle and effective in marketing terms in a cost efficient manner (Art 6 para 1 lit f GDPR; for the right to object, see point 7).

(c) Storage period: All data having been collected for the delivery of the newsletter shall be erased within seven (7) days after a potential cancellation of the subscription, as long as no legal retention periods demand otherwise and the data are not lawfully processed for other purposes as well.

2.6 Web analysis and tracking; third-party solutions

(a) Type and extent of data processing: On our Website, we analyse user behaviour and use respectively provide solutions for different purposes by utilising different third-party software tools. The specific services and their functionality are briefly described under point 5.2; information in greater detail for each service can be found under point 5.3

(b) Legal basis and purpose: Within the framework of the respective service, we use collected data in order to generate statistics, analytical reports and other information, that allows us to draw conclusions on user experience and personalise our offer. The relevant legal basis is stated in the description of the respective service.

(c) Storage period: We store generated data in accordance with the requirements and possibilities stipulated by the relevant service for as long as it is necessary to fulfil the respective processing purpose.

3. Storage and tracking technologies

3.1 Cookies

If you give us your express consent pursuant to Art 6 para 1 lit a GDPR, so-called "cookies" are used on our Website (you may withdraw you previously given consent at any time [see "right to withdraw" under point 7]); in case you decline to provide us with your consent, we shall limit our use of cookies to those cookies being technically necessary and essential for the proper functioning of our Website (see below) and process your data on the basis of our accompanying legitimate interest (Art 6 para 1 lit f GDPR), as far as personal data are involved (for the right to object, see point 7).

Cookies are small data sets that are stored and managed on your end device by your browser. They help us to make our offer more user-friendly. They are placed by a web server and sent back to it as soon as a new connection is established in order to recognize the user and his settings. In this sense, a cookie is a small local text file that assigns a specific identity consisting of numbers and letters to your end device.

In most cases, cookies do not contain personal data. Furthermore, cookies cannot access or interact with data stored locally on your device under any circumstances. For example, cookies can enable you to access and navigate websites faster and more efficiently. Cookies help to maintain the functionality of websites with regard to state of the art functions and user experience (e.g., by saving the resolution of a requesting device so that a website can be displayed correctly); on the other hand, they are also used for targeted and cost saving marketing measures. Moreover, we use cookies to personalize contents and ads, offer social media features and analyses traffic on our website. Furthermore, we share information regarding your interaction with our website with our partners for social media, advertisement and analytics. Our respective partners may combine this data with other sets of data that have either been provided by you or collected in the course of the use of their services. Cookies that are stored on your end device due to your visit of our Website can be set either directly by us or by third parties who provide services for us (third-party cookies). The actual content of a specific cookie is always determined by the website that created it.


Cookies always contain the following information:

- name of the cookie;

- name of the server the cookie originates from;

- ID number of the cookie;

- an end date at the end of which the cookie is automatically deleted.

Cookies can be differentiated according to type and purpose as follows:

- Necessary/essential cookies: Such cookies are required for the operation of the Website and are essential to navigate the Website and to use its full range of functions (e.g., to access protected areas of the digital appearance). Without these cookies, Websites cannot function properly on many occasions. Furthermore, - from a legal point of view - all cookies which are absolutely necessary for us for other reasons in order to be able to provide our services, may be categorized essential if the respective services were expressly requested by you. Necessary cookies are always first-party cookies. They can only be deactivated in the settings of your browser by rejecting all cookies without exception (see below) and are also used on our Website legally permissible without obtaining prior consent.are also used on our Website legally permissible without obtaining prior consent.

- Functionality cookies: These cookies allow websites to remember information that affects the way a website behaves or looks, like preferences in the language settings or the geographical region from which the website is accessed.

- Performance cookies: These types of cookies allow website operators to understand how visitors interact with their website by collecting and analyzing information about user behavior anonymously. In particular, the following information may be stored: (i) accessed subpages (duration and frequency); (ii) order of pages visited; (iii) search terms used having led to the visit of the respective website; (iv) mouse movements (scrolling and clicking); (v) country and region of access. These cookies allow to determine what a user is interested in and thereby adapt the content and functionality of the website to individual user needs.

- Tracking cookies: These cookies allow tracking of visitors when accessing Websites. The intention behind this is to display advertisements that are relevant and appealing to the respective user and therefore have more value for the publisher and the third-party advertiser. This can be achieved by analyzing user behavior and display of personalized advertising based on the interests determined. Among other things, they collect information about previously visited websites.

With regard to the storage period cookies can be further differentiated as follows:

- Session cookies: Such cookies will be deleted without any action on your part as soon as you close your current browser session. Such cookies, for example, allow you to remain logged in to your password protected customer account during navigation on websites by assigning you a specific session ID.

- Persistent cookies: Such cookies (eg to save your language settings) remain stored on your end device until a previously defined expiration date or until you have them manually removed. Among other things, they enable cross session user tracking.


Furthermore, cookies may be differentiated by their subject of attribution:

- First-party cookies: Such cookies are used by ourselves and placed directly from our Website. Browsers generally do not make them accessible across domains which is why the user can only be recognized by the page from which the cookie originates.

- Third-party cookies: Such cookies are not placed by the website operator itself, but by third parties when visiting a specific Website, in particular, for advertising purposes (eg to track surfing behavior). They allow, for example, to evaluate different page views as well as their frequency.

Most browsers automatically accept cookies. However, you have the option to customize your browser settings so that cookies are either generally declined or only allowed in certain ways (eg, limiting refusal to third party cookies). However, if you change your browser's cookie settings, our Website may no longer be fully usable. Via your browser you furthermore have the possibility to delete all cookies saved on your end device, which is equal to a withdrawal of your consent.

3.2 Local/session storage

If you have given us your explicit prior consent according to Art 6 para 1 lit a GDPR (cf. point 7 for information on the right to withdraw your previously given consent) after accessing our Website, we use storage capacity of your browser software in order to enhance the usability of our Website, its user friendliness and our service in general (for example to save your language settings). Therefore, we use the so called local/session storage to store certain data on your end device, whereby your browser software maintains a separate local/session storage for each domain. Besides yourself, only we are able to access the data we are processing in this context. Under no circumstances, third parties/websites will be able to access any of such data; however, such data may be saved on our account by our partners (third party providers) on your end device. In contrast to "cookies", this method is safer and faster because data are not transferred automatically to the respective server with every HTTP request, but stored by your browser software. Additionally, a greater volume of data (at least 5 megabytes) can be stored compared to cookies (a maximum of 4096 bytes).

Since functionalities are similar to cookies, please consider the information under point 3.1. Further, please be aware that local storage data has no expiry date and will remain on your end device even after you have closed your browser session (similar to persistent cookies). Data in the session storage however only remains stored for the duration of the respective browser session (similar to session cookies).

Manually removing data from local storage or session storage works within the settings of most browsers in exactly the same way as manually removing cookies, since cookies are usually combined with other website data within this option (e.g., "Cookies and other website data"); in this respect, reference is made to the explanations under point 3.1. If the browser software you are using summarizes cookies and other website data in this way, blocking cookies also blocks access to the local storage or session storage (which can also lead to restrictions on the use of our Website). If you deactivate JavaScript, the local storage or session storage can no longer be used by us either, but this can generally lead to considerable restrictions on use.

3.3 Tracking pixel

We also use so called tracking pixels (also: pixel tags or web beacons) to collect certain data via our Website. Tracking pixels are transparent images which are practically invisible as they consist of a single pixel. The tracking pixel is placed on a server and loaded therefrom as soon as a respective subpage of our Website is accessed. On our Website, tracking pixels are solely used by third parties contracted by us to provide certain services. They allow us to track that a subpage is accessed as well as any subsequent user activity on this page. By means of the tracking pixel, in particular, the following information can be collected: (i) operating system used; (ii) browser type/version used; (iii) time of access; (iv) user behaviour on the visited page; (v) IP address and approximate location of the user.

Tracking pixels are used on our Website on the basis of our legitimate interest (Art 6 para 1 lit f GDPR; for the right to object, see point 7) in analysing user accesses in a state of the art manner. As a tracking pixel is merely an image loaded from a server, its lifetime is limited to your current browser session. However, information collected via a tracking pixel may be subsequently stored in cookies (see point 3.1).

4. Links to third-party sites

On our Website and in this Data Protection Declaration, we use links to the websites of third parties. These are, among other things, links to our presences in social networks (e.g., Twitter). If you click on one of these links, you will be forwarded directly to the respective website. For the website operators it is only evident that you have accessed our Website. However, please be aware that accessing third-party sites results in additional processing of your data in the sphere of the respective third party! Accordingly, we refer you, in general, to the separate data protection declarations of these websites. For further information on our processing of your data in connection with our Social Media Presences, please review point 8.

5. Third-party services

5.1 General explanations

Purpose of processing: In order to optimise our Platform for its intended purposes, provide necessary or useful functions in regards to an economically viable pursuit of our business activity as well as to make available services to users that are usually expected in our line of business, we utilise a variety of services on our Platform which are rendered by third-party service providers and subsequently described below.

Processing roles: Unless stated otherwise, the respective third-party service provider acts as our processor in the sense of Art 28 GDPR and subsequently provides its services in our name and on the basis of a corresponding agreement. However, some of the engaged third-party service providers may (also) receive data as independent controllers for their own purposes, in particular for the optimisation of their services. Regardless of their specific processing role, they are in any case considered recipients of some of your data, since the use of the respective service on our Platform requires the processing of your data by the corresponding service provider.

Necessary processing: From a purely technical perspective, certain data are transferred when visiting any website, and generally shared with all implemented services. These data in their entirety amount to a digital fingerprint (browser fingerprint) which you leave in the course of your online activities - and can be used to draw certain conclusions about you or your end device.

In this regard, the following categories of "Connection Data" can be distinguished, which are (possibly) transferred to the server of which the Platform or a specific file is requested.

(i) Implicit Connection Data (automated, obligatory and unsolicited transfer):
  • IP address of the accessing computer;
  • user agent (browser type and version, operating system);
  • accessed site (URL);
  • site from which the user accessed (referrer URL);
  • time of access;
  • language settings.
(ii) Explicit Connection Data (transferred if intended by the source code of the respective service)
  • Screen resolution;
  • Colour depth;
  • time zone;
  • touch screen support;
  • time of access;
  • browser plugins.

Furthermore, most of the respective services use storage technologies (cf. point 3).

Transfer to third countries: The mentioned service providers are respectively their server landscape is located outside of the EU/EEA, or they use (further) processors to render their services to which this applies. Possible transfers of your data within this context into the legal sphere of such third parties, as far as no adequacy decision of the European Commission in the sense of Art 45 GDPR is in place, are based on standard data protection clauses in the sense of Art 46 para 2 lit c GDPR adopted by the European Commission - unless otherwise stated. You may request a copy of standard contractual clauses concluded by us via the contact information provided on the front page of this Data Protection Declaration.

5.2 Overview and brief summary

Subsequently, you can find a brief summary of services used as well as accompanying basic legal information.

If you press on the name of one of the services, you will be transferred to the data protection declaration of the respective service provider. Please be aware that accessing third-party sites results in additional processing of your data in the sphere of the respective third party (cf. point 4).

Service: PlayFab

Processing operation: Processing user data via Microsoft Azure cloud computing platform

Purpose: Backend framework to enable basic platform functions

Legal basis: Contract performance (Art 6 para 1 lit b GDPR); Legitimate Interest (Art 6 para 1 lit f GDPR)

Google Tag Manager

Processing operation: Processing of Connection Data

Purpose: Managing website tags to implement third-party services

Legal basis: Legitimate Interest (Art 6 para 1 lit f GDPR)

Google Analytics

Processing operation: Processing of Connection Data; processing user activities via storage technologies

Purpose: Analysing user behaviour on the Platform

Legal basis: Consent (Art 6 para 1 lit a GDPR)

Google Fonts

Processing operation: Processing of Connection Data

Purpose: Embedding digital fonts into the Website

Legal basis: Legitimate Interest (Art 6 para 1 lit f GDPR)

Meta pixel

Processing operation: Processing of Connection Data; processing user activities via storage technologies

Purpose: Analysing user behaviour on the Website

Legal basis: Consent (Art 6 para 1 lit a GDPR)

Hotjar

Processing operation: Processing of Connection Data; processing user activities via storage technologies

Purpose: Analysing user behaviour on the Website

Legal basis: Consent (Art 6 para 1 lit a GDPR)

5.3 Individual third-party services

5.3.1 Microsoft Azure PlayFab

In order to realise the gaming service on our Website, we use the backend system "PlayFab" via the Microsoft Azure platform. This framework is provided to us by Microsoft Ireland (cf. point 6).

We use PlayFab in particular for the following:
  • to operate the games available on our Website;
  • to analyse gaming data and behaviour;
  • to improve gaming experience.

Gaming will be hosted on the Microsoft Azure platform leading to your data processed within this context being stored on servers of Microsoft Ireland. Microsoft Ireland has implemented several data security functions and allows customers to further improve the protection of user data. Consequently, we strive to reach the best possible protection of your data while still providing you a great experience.

We use PlayFab and Microsoft Azure for the purpose of being able to perform the contract you concluded with us when registering on the Website to play the offered games (Art 6 para 1 lit b GDPR). Without the framework of PlayFab and Microsoft Azure, we would not be able to offer our service to you. Any additional analysis of gaming data and player behaviour when launching and playing our games is conducted for the purpose of evaluating the use of our services in order to receive feedback on the reception and effectiveness of our offerings - this allows us to continuously improve our services as well as our marketing approach; such analysation is based on our legitimate interest in collecting the relevant data we need to maintain and improve service quality (Art 6 para 1 lit f GDPR; for the right to object, see point 7).

Outsourcing of processing activities by Microsoft Ireland to third parties such as group companies may take place, wherefore a processing of your data in the US, in particular by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA is possible. Any transfer your data within this context into the legal sphere of such third parties, as far as no adequacy decision of the European Commission in the sense of Art 45 GDPR is in place, are based on standard data protection clauses in the sense of Art 46 para 2 lit c GDPR adopted by the European Commission.

Please also review the Microsoft privacy statement for information in greater detail on how data protection is handled: https://privacy.microsoft.com/en-us/privacystatement.

5.3.2 Google Services

The following services are provided by Google Ireland (cf. point 6).

Google Ireland intends to process data of users of the EEA region, where possible, in data centres situated in Europe; however, an outsourcing of processing activities to third parties such as group companies may take place, wherefore a processing of your data in the US, in particular by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA is possible. An overview of Google's data centres can be viewed at: https://www.google.com/about/datacenters/inside/locations/?hl=en. Any transfer your data within this context into the legal sphere of such third parties, as far as no adequacy decision of the European Commission in the sense of Art 45 GDPR is in place, are based on standard data protection clauses in the sense of Art 46 para 2 lit c GDPR adopted by the European Commission.

For further information on data usage by Google Ireland and affiliated companies as well as your options in terms of settings and objection, please review the data protection declaration of Google underhttps://policies.google.com/privacy?hl=en.

5.3.2.1 Google Tag Manager

On our Website, we use the Google Tag Manager ("GTM"), a service which allows us to manage website tags via a dedicated interface. Within this context, we are able to embed code snippets such as tracking code or tracking pixel into our Website without having to directly modify the source code. GTM does not collect or store data but merely transfers them. GTM does not use cookies or similar technologies, acting solely as a tool for managing other tools and services in the course of our online offer. GTM resolves other tags, which in turn may collect data. However, GTM does not access these data (simply making a request to the corresponding Google servers).

We use GTM on the basis of our legitimate interest (Art 6 para 1 lit f GDPR) consisting of an efficient and economically viable administration of the services implemented on our Website (for the right to object, see point 7). Processing follows the purpose of being able to implement services on our Website as effectively as possible.

5.3.2.2 Google Analytics

Our Website uses the web analysis and online marketing tool of Google Ireland, namely "Google Analytics", which enables us to analyses how you use this Website (e.g., the time you spend on a subpage of our Website or which link are being clicked). Tracking is performed via the JavaScript library analytics.js provided by Google Ireland. Google Analytics uses first-party cookies, which may be stored on your end device after consenting accordingly.

In the context of the application of Google Analytics, your Connection Data (cf. point 5.1) are transferred to Google servers. Based on our instructions, Google Ireland will use the information collected to analyse the use of our Website, draft reports on website activities and provide us with further services connected to the use of our Website and the Internet. We base the utilisation of Google Analytics on your prior consent (Art 6 para 1 lit a GDPR; for the right to withdraw your previously given consent at any time, see point 7). The data concerning the use of our Website are deleted automatically after the retention period of fourteen (14) months, which we provided for, has expired.

The IP address transferred by your browser in the context of Google Analytics is not merged with other Google data. In order to protect you as comprehensively as possible, we utilise IP anonymization by extending the code of our Website by "anonymizeIP". This ensures masking of your IP address, wherefore all data concerned are collected anonymously. Only in exceptional cases will the full IP address be transferred to a Google server and shortened there.

With the procedure described under point 3.1, you can prevent the storage of cookies by a corresponding setting of your browser software (possibly limited to third party cookies). You can also prevent Google Ireland from collecting data generated by cookies and relating to your use of the Website (including your IP address) and from processing this data by downloading an appropriate browser plug-in (available for Microsoft Internet Explorer 11, Google Chrome, Mozilla Firefox, Apple Safari and Opera) and installing it (https://tools.google.com/dlpage/gaoptout?hl=en).

5.3.3 Meta pixel

Within our offer, we use the "Meta pixel", a Meta business tool. In regards to the EEA region, Meta Ireland (cf. point 6) acts as the controller for the Meta pixel from a data protection point of view. The Meta pixel is implemented on our Website as a JavaScript code snippet and allows us to track the activities of website users. Certain actions performed by a user are defined as so called events and analysed by means of the Meta pixel (in particular, access of a specific subpage of our Website, i.e., button click data); this allows us, for example, to determine the efficacy of the Website's structure as well as the effectiveness of our advertising measures (conversion tracking). The Meta pixel is used for statistical as well as marketing purposes, in order to continuously optimise our offer.

The Meta pixel collects event data as defined, all information present in HTTP headers (i.e., Connection Data in the sense of point 5.1) as well as a pixel ID and cookie information. Those data are exchanged with Meta Ireland. Our usage of the Meta pixel and, thus, the data exchange with Meta Ireland is solely limited to event data; a transfer of hashed contact information (e.g., within the framework of Facebook Custom Audiences) does not take place. The tracking is carried out via first-party and third-party cookies as well as tracking pixels (see point 3). We base the utilisation of Meta Pixel on your prior consent (Art 6 para 1 lit a GDPR; for the right to withdraw your previously given consent at any time, see point 7).

The data are stored and processed by Meta Ireland on our behalf; Meta Ireland only uses data itself, especially to personalize functions and content (including advertisements and recommendations), after the data have been aggregated with data from other advertisers or other Meta products. Overall, non-personal clusters are formed that are stored for a longer period. If you have created a Facebook account and are logged in, you can manage your Facebook advertising personalization preferences here: www.facebook.com/settings?tab=ads.

Outsourcing of processing activities by Facebook Ireland to third parties such as group companies may take place, wherefore a processing of your data in the US, in particular by Meta Platforms, Inc., 1601 Willow Road, Menlo Park, CA 94025, USA is possible. Any transfer your data within this context into the legal sphere of such third parties, as far as no adequacy decision of the European Commission in the sense of Art 45 GDPR is in place, are based on standard data protection clauses in the sense of Art 46 para 2 lit c GDPR adopted by the European Commission.

5.3.4 Hotjar

If you give us your consent in the sense of Art 6 para 1 lit a GDPR, we use the web analysis tool of Hotjar Ltd., Level 2, St Julian's Business Centre, 3, Elia Zammit Street, St Julian's STJ 1000, Malta ("Hotjar"), through which we are able to analyse the usage of our Website. (For the right to withdraw your previously given consent at any time, see point 7.) For this reason, we implement a corresponding tracking code on our Website, upon which Hotjar collects and analyses specific data.

The collected data, which includes your Connection Data (cf. point 5.1), are transferred to Hotjar servers in Ireland and in general automatically deleted after a storage period of one (1) year.

Hotjar uses various cookies; further information can be found at https://help.hotjar.com/hc/en-us/articles/115011789248-Hotjar-Cookies. You can prevent the collection of your data through Hotjar by following the steps laid out at: https://www.hotjar.com/legal/compliance/opt-out. Please also note the data protection declaration of Hotjar: https://www.hotjar.com/legal/policies/privacy/.

6. Data transfer and recipients

For the purposes explained in this Data Protection Declaration, we will transfer your (personal) data to the following recipients or make them available to them:

Within our organisation, your data will be provided to those entities or employees who need them to fulfil their contractual or legal obligations and for data processing that is based on our legitimate interests.

Furthermore, (external) processors deployed by us receive your data if they need such data to provide their respective services (whereby the mere possibility to access personal data is sufficient). All processors are contractually obliged to keep your data confidential and to process it only within the scope of service provision. This includes the following categories of recipients:

(I) Amazon Internet Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855, Luxxemburg.

(ii) The Rocket Science Group LLC d/b/a Mailchimp, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 USA ("Mailchimp"), as indicated in clause 1.3(a).

(iii) Microsoft Ireland Operations Limited ("Microsoft Ireland"), One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (as provider of the backend platform "PlayFab" used for the realisation of our gaming service as indicated under point 5.3.1);

(iv) Google Ireland Limited ("Google Ireland"), Gordon House, 4 Barrow Street, Dublin, Ireland (concerning our use of the service "Google Docs" as indicated under point 2.4[a] as well as "Google Analytics" as indicated under point 5.3.2);

(v) Meta Platforms Ireland Ltd. ("Meta Ireland"), 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (concerning our use of the service "Meta Pixel" as indicated under point 5.3.3);

(vi) Hotjar Ltd., Level 2, St Julian's Business Centre, 3, Elia Zammit Street, St Julian's STJ 1000, Malta, as indicated in clause 3.1.3.

Additionally, we may transfer your data to independent controllers, as far as this is necessary in the course of our business activity in order to provide our services or if we are under legal obligation to do so. Also, ConsenSys Software, Inc., 49 Bogart St #22, Brooklyn, NY 11206, USA may receive certain of your data as independent controller in case you decide to connect your wallet via the respective function on our Website (cf. point 2.3).

Lastly, we are joint controllers in the sense of Art 26 GDPR with the service providers described under point 8 when accessing and interacting with our respective Social Media Presences.

Some of the mentioned recipients are respectively their server landscape is located outside of the EU/EEA, or they use (further) processors to render their services to which this applies. Possible transfers of your data within this context into the legal sphere of such third parties, as far as no adequacy decision of the European Commission in the sense of Art 45 GDPR is in place, are based on standard data protection clauses in the sense of Art 46 para 2 lit c GDPR adopted by the European Commission of which you may request a copy via the contact information provided on the front page of this Data Protection Declaration.

3.2 Links to third-party sites

On our Website we use links to the websites of third parties. These are, in particular, reference links leading to our permanent partners as well as links to our presences in social networks (eg Facebook). If you click on one of these links, you will be forwarded directly to the respective page. For the website operators it is only evident that you have accessed our Website. Accordingly, we refer you, in general, to the separate privacy policies of these websites. For further information on our processing of your data in connection with our social media presences, please review point 4.

7. Rights of the data subject

A central aspect of data protection regulations is the implementation of adequate options allowing you to dispose of your own personal data, even after processing of said personal data has already commenced. For this purpose, a series of rights of the data subject are set in place. We shall comply with your corresponding requests to exercise your rights as described below without undue delay and in any event within one (1) month of receipt of the request. Please direct your request to the contact options provided on the front page of this Data Protection Declaration:

(i) access to and further information on your personal data processed by us (right of access; Art 15 GDPR).

(ii) correction incompletely or incorrectly recorded data (right to rectification, Art 16 GDPR).

(iii) deletion of data, which (i) is not required for the purposes recorded, (ii) is illegally processed or (iii) needs to be deleted due to a legal obligation or revocation of consent (right to erasure, Art 17 GDPR).

(iv) Temporary limitation of processing under specific conditions (right to restriction of processing, Art 18 GDPR).

(v) right to withdraw your consent in relation to processing of your data at any time; Please consider that processing activities which were based on valid consent before withdrawal do not become illicit retroactively and a withdrawal of consent solely effects future processing activities, Art 7 para 3 GDPR).

(vi) right to object to data processing at any time on grounds relating to your particular situation; this applies to all cases of data processing based on our legitimate interests (Art 6 para 1 lit f GDPR) (balance of interests, Art 21 para 1 GDPR).

(vii) right to obtain your data, which is processed by us for the fulfillment of contractual obligations, in order to precontractual measures on your request or on the basis of your consent in a structured, common and machine readable format or upon request directly communicated to another controller (right to data portability, Art 20 GDPR).

(viii) right to lodge a complaint with the relevant national supervisory authority in relation to the processing of your data; please consider the requirements for such complaint in Austria are based on Section 24 DSG and shall be submitted to the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna, Austria, dsb@dsb.gv.at (e-mail), +43 1 52 152-0 (phone).

8. Social media presences

For the purpose of promoting our business activity and our service offer, we maintain presences in various social networks. The processing of your data in this context is based on our legitimate interest (Art 6 para 1 lit f GDPR; for the right to object, see point 7) in expanding our reach as well as providing additional information and means of communication to users of social networks. In order to reach said purposes at the best possible rate, we may utilise functions provided by the respective service provider to measure our reach in detail (access statistics, identification of returning users, etc.).

In the course of accessing any of the online presences outlined subsequently, we process the general information being evident due to your profile in the respective network as well as additional continuance, contact or content data, as far as you provide us with such data by interacting with our online presence and its contents. We do not store those data separately outside of the respective social network.

Since we jointly decide with the relevant service provider (respectively entity expressly outlined as controller) upon purposes and means of data processing in the course of a respective online presence, we are to be considered joint controllers in the sense of Art 26 GDPR. The provider of each social network mentioned shall act as the primary point of contact with regard to all general and technical questions in respect of our online presences; this also applies to fulfilling rights of the data subjects in the sense of point 7. However, in case of requests concerning the specific operation of our online presences, your interactions with them or information published/collected via such channels, we shall be the primary point of contact; point 7 as well as other stipulations in this Data Protection Declaration apply correspondingly.

Some of the subsequent service providers are respectively their server landscape is located outside of the EU/EEA in countries for which no adequacy decision of the European Commission in the sense of Art 45 GDPR is in place, or they use processors to render their services to which this applies. Please be aware that we have no influence if or to which extent such transfers take place when using the respective network. You can find the relevant information on how each service provider handles third-country transfers (which might include data of you provided in the course of interacting with our Social Media Presences) in the relevant data protection information of such service provider (cf. the respective links under each subsequent subsection). Mostly, those service providers utilise standard data protection clauses in the sense of Art 46 para 2 lit c GDPR adopted by the European Commission in order to justify their transfers.

8.1 Facebook

The social network "Facebook" is operated by Meta Platforms, Inc., 1601 Willow Road, Menlo Park, CA 94025, USA and its group companies. Controller from a data protection point of view with regard to the EEA region is Meta Ireland (cf. point 6). In respect of the operation of our Facebook fan page "Meta Nanos" (https://www.facebook.com/profile.php?id=100083012820676&sk=about), we are joint controllers in the sense of Art 26 GDPR with Meta Ireland.

Please note that we have no influence on the programming and design of the social network; thus, we can only use the options provided by Facebook in order to personalise and maintain our Facebook fan page. Hence, please carefully review the terms which the service provider prescribes for the use of the social network (https://www.facebook.com/terms) as well as the separate data pro-tection declaration (https://www.facebook.com/policy.php) and consider the settings options in your Facebook account. In regards to any information provided by us via mechanisms made available by Facebook (posts, shares, etc.), we are naturally fully responsible.

8.2 Instagram

The social network "Instagram" is operated by Instagram, Inc., 1601 Willow Road, Menlo Park, CA 94025, USA, which is part of the Meta group. Controller from a data protection point of view with regard to the EEA region is Meta Ireland (cf. point 6). In respect of the operation of our Instagram page "metananos" (https://www.instagram.com/metananos/), we are joint controllers in the sense of Art 26 GDPR with Meta Ireland.

Please note that we have no influence on the programming and design of the social network; thus, we can only use the options provided by Instagram in order to personalise and maintain our Instagram account. Hence, please carefully review the terms which the service provider prescribes for the use of the social network (https://help.instagram.com/581066165581870) as well as the separate data protection declaration (https://help.instagram.com/519522125107875) and consider the settings options in your Instagram account. In regards to any information provided by us via mechanisms made available by Instagram (postings, stories, etc.), we are naturally fully responsible.

8.3 Twitter

The social network "Twitter" is operated by Twitter, Inc., 1355 Market Street Suite, 900 San Francisco, CA 94103, USA and its group companies. Controller from a data protection point of view with regard to the EEA region is Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, Ireland ("Twitter International"). In respect of the operation of our Twitter account "META NANOs" (https://twitter.com/MetaNanos), we are joint controllers in the sense of Art 26 GDPR with Twitter International.

Please note that we have no influence on the programming and design of the social network; thus, we can only use the options provided by Twitter in order to personalise and maintain our Twitter account. Hence, please carefully review the terms which the service provider prescribes for the use of the social network (https://twitter.com/de/tos) as well as the separate data protection declara-tion (https://twitter.com/de/privacy) and consider the settings options in your Twitter account. In regards to any information provided by us via mechanisms made available by Twitter (Tweets, etc.), we are naturally fully responsible.

8.4 Discord

The communication network "Discord" is operated by Discord, Inc., 444 De Haro Street, Suite 200, San Francisco, California, 94107 United States ("Discord Inc."). VeraSafe Ireland Ltd., Unit 3D North Point House, North Point Business Park, New Mallow Road, Cork T23AT2P, Ireland is its representative in relation to data protection in the EEA in accordance with Art 27 GDPR. In respect of the operation of our Discord channel "META NANOS" (https://discord.gg/dnbRVBNfCb), we are joint controllers in the sense of Art 26 GDPR with Discord Inc.

Please note that we have no influence on the programming and design of the social network; thus, we can only use the options provided by Discord in order to personalise and maintain our Discord channel. Hence, please carefully review the terms which the service provider prescribes for the use of the social network (https://discord.com/terms) as well as the separate data protection declaration (https://discord.com/privacy) and consider the settings options in your Discord account. In regards to any information provided by us via mechanisms made available by Discord (postings, etc.), we are naturally fully responsible.

8.5 LinkedIn

The social network "LinkedIn" is operated by LinkedIn Corporation, 1000 W. Maude Ave, Sunnyvale, CA 94085, USA. For the EEA region, LinkedIn is operated and data processing is controlled by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland ("LinkedIn Ireland"). In respect of the operation of our LinkedIn account, we are joint controllers in the sense of Art 26 GDPR with LinkedIn Ireland.

Please note that we have no influence on the programming and design of the social network; thus, we can only use the options provided by LinkedIn in order to personalise and maintain our LinkedIn account. Hence, please carefully review the terms which the service provider prescribes for the use of the social network (https://www.linkedin.com/legal/user-agreement?_l=en_EN) as well as the separate data protection declaration (https://www.linkedin.com/legal/privacy-policy) and consider the settings options in your LinkedIn account. In regards to any information provided by us via mechanisms made available by LinkedIn (postings, chats, etc.), we are naturally fully responsible.

8.6 TikTok

The video platform "TikTok" is operated by TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland as well as TikTok Information Technologies UK Limited, One London Wall, 6th Floor, EC2Y 5EB, London, England in the EEA region ("TikTok Europe"). In respect of the operation of our TikTok account "metananos" (https://www.tiktok.com/@metananos), we are joint control-lers in the sense of Art 26 GDPR with TikTok Europe.

Please note that we have no influence on the programming and design of the social network; thus, we can only use the options provided by TikTok in order to personalise and maintain our TikTok account. Hence, please carefully review the terms which the service provider prescribes for the use of the video platform (https://www.tiktok.com/legal/terms-of-service?lang=de-DE) as well as the separate data protection declaration (https://www.tiktok.com/legal/privacy-policy-eea?lang=de) and consider the settings options in your TikTok account. In regards to any information provided by us via mechanisms made available by TikTok (postings, chats, etc.), we are naturally fully responsible.

8.7 Telegram

The instant messaging service "Telegram" is controlled by Telegram Messenger, Inc. from a data protection point of view. Representative in the sense of Art 27 GDPR for the EEA region is Telegram UK Holdings Ltd., 71-75 Shelton Street, Covent Garden, London, England, WC2H 9JQ. In respect of the operation of our Telegram channel "META NANOs Chat" (@MetaNanosCommunity), we are joint controllers in the sense of Art 26 GDPR with Telegram Messenger, Inc.

Please note that we have no influence on the programming and design of Telegram; thus, we can only use the options provided by Telegram in order to personalise and maintain our Telegram channel. Hence, please carefully review the separate data protection declaration (https://telegram.org/privacy?setln=en) and consider the settings options in your Telegram account. In regards to content provided by us, we are naturally fully responsible.

Within your Telegram account, you can use the function "@GDPRbot" in order to (i) request a copy of all of your personal data stored by Telegram and/or (ii) pose questions to the provider.

8.8 YouTube

Controller of the video platform "YouTube" for the EEA region is Google Ireland (cf. point 6). In respect of the operation of our YouTube channel "META NANO's" (https://www.youtube.com/channel/UCVPplF2h2-s50ggMPDfLpzw), we are joint controllers in the sense of Art 26 GDPR with Google Ireland.

Please note that we have no influence on the programming and design of YouTube; thus, we can only use the options provided by YouTube in order to personalise and maintain our YouTube channel. Hence, please carefully review the terms which the service provider prescribes for the use of the video platform (https://www.youtube.com/t/terms) as well as the separate data protection declara-tion (https://policies.google.com/privacy?hl=en-GB&gl=uk) and consider the settings options in your YouTube account. In regards to videos and content provided by us, we are naturally fully responsible.