Hero Forge® GDPR Privacy Policy Addendum

Effective Date: This GDPR Privacy Policy Addendum was last updated as of January 1, 2023.

Introduction

This GDPR Privacy Addendum supplements the information in the Sky Castle Privacy Policy and applies to Personal Data about individuals located in the European Economic Area. For purposes of this GDPR Privacy Addendum, Personal Data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

This GDPR Privacy Addendum (the “GDPR Privacy Addendum”) supplements the information contained in the Sky Castle Privacy Policy and applies solely to all users of our Site who are located in the European Economic Area. We adopt this GDPR Privacy Addendum to comply with the General Data Protection Regulation (2016/679) and any implementing acts of the foregoing by any of the member states of the European Economic Area, the United Kingdom, or Switzerland (“GDPR”) and any terms defined in the GDPR or our Privacy Policy have the same meaning when used in this GDPR Privacy Addendum. This GDPR Privacy Addendum takes precedence over anything contradictory in our Privacy Policy.

Data Controller, Data Protection Officer, and Representative

Sky Castle Studios, LLC is the data controller of the Personal Data you provide on or through our Site.

We may be contacted in any manner set forth below in the “Contact Information” section of this GDPR Privacy Addendum.

Lawful Basis for Processing Your Personal Data

We have a lawful basis for our processing of your Personal Data, including processing for our legitimate interests (when balanced against your rights and freedoms), as required by law, and with your consent.

If you are in the European Union, the processing of your Personal Data is lawful only if it is permitted under the applicable data protection laws. We have a lawful basis for each of our processing activities as set forth more fully below:

Purpose/Activity	Type of data	Lawful basis for processing
Purpose/Activity To register you as a new customer	Type of data Identity Contact	Lawful basis for processing Performance of a contract with you
Purpose/Activity To process and deliver your order or subscription including: Manage payments, fees and charges; Collect and recover money owed to us	Type of data Identity Contact Financial Transaction Marketing and Communications	Lawful basis for processing Performance of a contract with you Necessary for our legitimate interests (including to recover debts due to us)
Purpose/Activity To manage our relationship with you which will include: Notifying you about changes to our terms or privacy policy; Asking you to leave a review or take a survey	Type of data Identity Contact Profile Marketing and Communications	Lawful basis for processing Performance of a contract with you Necessary to comply with a legal obligation Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services)
Purpose/Activity To deliver direct marketing to you	Type of data Identity Contact Profile Usage Marketing and Communications Tracking Technical	Lawful basis for processing For most direct marketing communications, we rely on consent based on our privacy policy, however there are situations in which it is in our legitimate interests to use your personal data in this way
Purpose/Activity To enable you to take part in a prize draw, competition or complete a survey	Type of data Identity Contact Profile Usage Marketing and Communications	Lawful basis for processing Performance of a contract with you Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business)
Purpose/Activity To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)	Type of data Identity Contact Technical Tracking	Lawful basis for processing Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganization or group restructuring exercise) Necessary to comply with a legal obligation
Purpose/Activity To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you	Type of data Identity Contact Profile Usage Marketing and Communications Technical Tracking	Lawful basis for processing Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy)
Purpose/Activity To use data analytics to improve our website, products/services, marketing, customer relationships and experiences	Type of data Technical Tracking Usage	Lawful basis for processing Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)
Purpose/Activity To make suggestions and recommendations to you about goods or services that may be of interest to you	Type of data Identity Contact Technical Usage Profile	Lawful basis for processing Necessary for our legitimate interests (to develop our products/services and grow our business)
Purpose/Activity To prevent and detect unlawful acts	Type of data Identity Contact Financial Transaction Technical Tracking	Lawful basis for processing Necessary for our legitimate interests (to protect our business and our customers by way of undertaking fraud monitoring and suspicious transaction monitoring) Necessary to comply with a legal or contractual obligation to share personal data for the purposes of law enforcement
Purpose/Activity In order to resolve legal claims or disputes involving you or us	Type of data All relevant data categories, depending on the nature of the allegation or claim	Lawful basis for processing Necessary to bring or defend a claim

Automated Decisions Making

We generally do not use your Personal Data with any automated decision making processes.

We do not use your Personal Data with any automated decision making process, including profiling, which may produce a legal effect concerning you or similarly significantly affect you.

Your Rights Regarding Your Information and Accessing and Correcting Your Information

You may have certain rights under applicable data protection laws, including the right to access and update your Personal Data, restrict how it is used, transfer certain Personal Data to another controller, withdraw your consent at any time, and the right to have us erase certain Personal Data about you. You may also have the right to complain to a supervisory authority about our processing of your Personal Data.

Applicable data protection laws may provide you with certain rights with regards to our processing of your Personal Data.

• Access and Update. You may notify us through the Contact Information below of any changes or errors in any Personal Data we have about you to ensure that it is complete, accurate, and as current as possible. We may not be able to accommodate your request if we believe it would violate any law or legal requirement or cause the information to be incorrect.
• Restrictions. You may have the right to restrict our processing of your Personal Data under certain circumstances. In particular, you can request we restrict our use of it if you contest its accuracy, if the processing of your Personal Data is determined to be unlawful, or if we no longer need your Personal Data for processing but we have retained it as permitted by law.
• Portability. To the extent the Personal Data you provide us is processed based on your consent and that we process it through automated means, you may have the right to request that we provide you a copy of, or access to, all or part of such Personal Data in structured, commonly used and machine-readable format. You also have the right to request that we transmit this Personal Data to another controller, when technically feasible.
• Withdrawal of Consent. To the extent that our processing of your Personal Data is based on your consent, you may withdraw your consent at any time by selecting “Do not Sell or Share My Personal Information” from the menus.. You may also withdraw your consent to send you updates by clicking the unsubscribe link at the bottom of an update that you receive from us. Withdrawing your consent will not, however, affect the lawfulness of the processing based on your consent before its withdrawal, and will not affect the lawfulness of our continued processing that is based on any other lawful basis for processing your Personal Data.
• Right to be Forgotten. You may have the right to request that we delete all of your Personal Data. We will only delete your Personal Data when we no longer have a lawful basis for processing your Personal Data or after a final determination that your Personal Data was unlawfully processed. We may not accommodate a request to erase information if we believe the deletion would violate any law or legal requirement or cause the information to be incorrect. In all other cases, we will retain your Personal Data as set forth in this policy. In addition, we cannot completely delete your Personal Data as some data may rest in previous backups. These will be retained for the periods set forth in our disaster recovery policies.
• Complaints. You may have the right to lodge a complaint with the applicable supervisory authority in the country you live in, the country you work in, or the country where you believe your rights under applicable data protection laws have been violated. However, before doing so, we request that you contact us directly in order to give us an opportunity to work directly with you to resolve any concerns about your privacy.

How You May Exercise Your Rights. You may exercise any of the above rights (when applicable) by contacting us through any of the methods listed under Contact Information below. If you contact us to exercise any of the foregoing rights, we may ask you for additional information to verify your identity. We reserve the right to limit or deny your request if you have failed to provide sufficient information to verify your identity or to satisfy our legal and business requirements. Please note that if you make unfounded, repetitive, or excessive requests (as determined in our reasonable discretion) to access your Personal Data, you may be charged a fee subject to a maximum set by applicable law.

Consent to Processing of Personal Data in the United States

We may process your Personal Data outside of your home country, including to the United States. We only do this when we are legally permitted to do so and when we have appropriate safeguards in place to protect your Personal Data.

If you are a resident of the European Economic Area (“EEA”), in order to provide our Site and legal updates to you, we may send and store your Personal Data outside of the EEA, including to the United States. Accordingly, your Personal Data may be transferred outside the country where you reside or are located, including to countries that may not or do not provide an equivalent level of protection for your Personal Data. Your information may be processed and stored in the United States and United States federal, state, and local governments, courts, or law enforcement or regulatory agencies may be able to obtain disclosure of your information through the laws of the United States. By using our Site, you represent that you have read and understood the above and hereby consent to the storage and processing of your Personal Data outside the country where you reside or are located, including in the United States.

Your Personal Data is transferred by us to another country only if it is required or permitted under applicable data protection law and provided that there are appropriate safeguards in place to protect your Personal Data. The European Commission has determined that the transfer of Personal Data pursuant to the Standard Contractual Clauses may provide for an adequate level of protection of your Personal Data. Under these Standard Contractual Clauses, you have the same rights as if your data was not transferred to such third party.

The Sites are not directed to children under the age of sixteen (16). If you are under sixteen (16), do not provide your Personal Information on or to the Site. We do not knowingly collect on the Site any Personal Information from children under sixteen (16). If a parent or guardian becomes aware of his or her child has provided us with Personal Information without their consent, please contact us at: [email protected].

Data Retention Periods

We may retain your Personal Data. We will retain your Personal Data for as long as you have an account or profile with us. In some instances, we may keep it after you no longer have an account or profile with us, for example we may keep it:

• on our backup and disaster recovery systems;
• for as long as necessary to protect our legal interests;
• to comply with other legal requirements; and
• for data that has been aggregated or otherwise rendered anonymous in such a manner that you are no longer identifiable, indefinitely.

Contact Information:

You may contact us at [email protected] to exercise any of your rights under the GDPR.

In the event that you wish to make a complaint about how your Personal Information is being processed by the Company or third parties, or how your complaint has been handled, you have the right to lodge a complaint directly with the supervisory authority and the Company’s data protection representatives.

To contact our data protection representative:

VeraSafe Netherlands BV
Keizersgracht 555
1017 DR Amsterdam
Netherlands
+420 228 881 031

Changes to this GDPR Privacy Addendum

We reserve the right to amend this GDPR Privacy Addendum at our discretion and at any time and at any time and as described in our Privacy Policy. When we make changes to this GDPR Privacy Addendum, we will post the updated notice on the Site and update the notice’s effective date. Your continued use of our Site following the posting of changes constitutes your acceptance of such changes.