Gwent: The Witcher Card Game
Privacy Policy

Last updated on November 30, 2021

(comes into effect on January 1, 2022; see the previous version here)

Overview:
1. This Privacy Policy explains how we use personal data related to playing GWENT: The Witcher Card Game.
2. You can learn here what data we collect, how and why we use it, who we share it with and where we store it.
3. You can also check the specific rights you have, when it comes to our processing of your data.
4. In short:
● When you decide to play Gwent we will need to collect some of your data.
● We will mostly process your data to let you play Gwent and to make the game as good as possible for all players. Other purposes include legal and accounting stuff.
● We will never sell your data or share it with third parties for their advertising purposes.
● We will share some of your data with our trusted partners who help us operate Gwent.
● You can request that we access, update, move or delete your data or file a GDPR complaint.
● If you have any questions, you can always contact us at privacy@cdprojektred.com.

We have put together a full text version, which is legally binding, and also section summaries, which will hopefully make the legal language more accessible. However, please bear in mind that, by accepting this document, you will be bound by the full version.

FULL TEXT

QUICK SUMMARY

1. WHO WE ARE

1.1 We are CD PROJEKT S.A. (further “CD PROJEKT RED”, as CD PROJEKT RED is the team behind the video games within the company CD PROJEKT S.A.) and GOG sp. z o.o. (further “GOG”), Polish companies acting as joint personal data controllers under EU data protection legislation.

You may contact us via email at privacy@cdprojektred.com or by traditional mail: CD PROJEKT S.A. or GOG sp. z o.o., Jagiellońska 74, 03-301 Warsaw, Poland (we share the same address).

Hello, we're CD PROJEKT RED and GOG and we are based in Poland. You can find our contact details here!

1.2 To protect personal data in a better and more efficient way, we designated a Data Protection Officer (or DPO) who is responsible for the oversight and implementation of the data protection strategy and ensures compliance with necessary legal requirements. You can contact our DPO at the following email address: dpo@cdprojektred.com.

In case of any questions or doubts concerning personal data, please contact our Data Protection Officer (contact details opposite).

2. WHAT THIS PRIVACY POLICY REGULATES

2.1 This Privacy Policy applies to our video game “GWENT: The Witcher Card Game” and all related services, including (not exclusively) playgwent.com website, Gwent user accounts, esports tournaments and other events, customer and technical support, wikis, blogs, and social media services (we will further use the term “Gwent” to talk about all of these together).

2.2 Specifically, this Privacy Policy governs personal data (further “data”) or, as it is called in the United States, “personally identifiable information”, which we collect from you when you are using Gwent. It essentially means information which, on its own, or in combination with other information, can be used to identify you.

2.3 We respect your right to privacy and will only process your data in accordance with applicable legislation in the EU and other countries where we offer our games and services.

This Privacy Policy explains the different kinds of data we collect from you when you're using Gwent. We fully comply with privacy laws.

3. PROTECTING DATA OBTAINED FROM MINORS

3.1 You must be 16 years old or older to register for Gwent and to play it. We do not deliberately process any personal data of minors below 16 years of age.

You must be at least 16 years old to play Gwent.

4. HOW WE COLLECT YOUR DATA

4.1 We may collect or process your data directly from you or through our Trusted Partners (see section 8 “Our Trusted Partners” below). This is basically:
(a) data you give us via Gwent, or which you give to our partners in connection with Gwent;
(b) data you give us when you contact us or report a problem with Gwent;
(c) data about your activity as a user of Gwent (collected automatically);
(d) data you put in our voluntary surveys conducted for research purposes.

We collect and process data that you give us in connection with Gwent or that we receive based on your activity within the game.

4.2 We and our partners also collect data about you via cookies. You can find out more about this, as well as manage your consents, by following the link to “Cookie Declaration” you will find in the footer of our websites.

We use cookies. You can manage your cookie settings under the “Cookie Declaration” link in the footer of our websites.

5. HOW WE USE YOUR DATA

5.1 We may use your data for several purposes, relying on specific legal bases:
(a) to perform the agreement with you (art. 6.1.b GDPR):
● to provide you with Gwent,
● to maintain, improve and develop Gwent,
● to keep the ranking of Gwent players,
● to organize official Gwent Masters events and award points to participants of third-party events,
● to maintain technical support services,

(b) to meet our legal obligations (art. 6.1.c GDPR):
● for tax, legal and accounting purposes
● for the accountability purposes as defined by EU legislation (GDPR)

(c) to fulfill our legitimate interests, i.e. lawful purposes that could be reasonably expected from us in the context of Gwent (art. 6.1.f GDPR):
● to identify incidents of game misuse (anti-cheat analysis, anti-fraud checks),
● to defend from or pursue legal claims,
● to calculate conversion rates and other elements of Gwent performance,

(d) your consent (art. 6.1.a GDPR):
● to provide you with marketing information about products or services that you request from us and which we feel may interest you (newsletters),
● to target and personalize our marketing communication, offers and advertisements that we display on our websites and services as well as those of third parties based on the combined data we have collected about you (profiling).

For potential other purposes, we may also ask for your consent to process your data. Whenever we process your data based on your consent, you are entitled to withdraw your consent at any time. This will not invalidate the processing conducted before the withdrawal.

5.2. When we transfer your data outside the European Economic Area, we do so on the bases described in section 8 “Our Trusted Partners”.

We will use your data to operate Gwent and continue to improve it, as well as to communicate with you (e.g. via newsletters)

5.3 Whenever we’re personalizing or targeting our marketing communications, offers and advertisements, we may profile your data. This means that we may adjust the communication addressed to you basen on the data, to better meet your needs. That being said, we don’t use your data for automated decision-making that could affect your legal situation (i.e. we do not use algorithms to make decisions which would have an impact on your individual legal rights or affect your legal status or rights under the agreement between us). For example, we do not make automatic offers based on your behaviour in the game). You can object to the profiling at any time.

We gather data when and how you play Gwent in order to offer you the best service and most suitable communication possible. However, we will never make automatic decisions based on profiling that could affect your legal situation (e.g. automatic offers or discounts based on your behaviour in the game).

5.4 We might process some aggregated and general non-personal data on user behaviour (e.g. sales per region) with our partners who assist us in the process of running Gwent or, for example, with payment providers. We may also share non-personal data with data analysis services to help us run Gwent. For example, this may happen in case we need information about what kinds of kegs are the most popular in a given region.

5.5 You can check the details of the data we collect about you in section 14 “What Data We Collect” at the end of this Privacy Policy.

Sometimes we share anonymised, non-personal data with our partners.

6. HOW WE HANDLE YOUR DATA

6.1 We store your data on our secure servers in Europe or – if necessary – outside of Europe, on servers managed by our Trusted Partners (see section 8 “Our Trusted Partners” below). We implement appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing, accidental loss, destruction or damage. We take all reasonably necessary steps to ensure that your data is treated securely and in accordance with this Privacy Policy.

We will store your data on our secure servers in Europe or on those of our Trusted Partners. We will do our best to keep your data secure.

6.2 We will store your personal data for as long as we need it to fulfil the purposes outlined in this Privacy Policy. In more detail:
(a) we will keep the data associated with your Gwent account until you close your Gwent account (i.e. for as long as we have a contract in place);
(b) after that, we may keep some of your data for a longer period, not exceeding 6 years, for tax and/or accounting purposes;
(c) we may also keep some of your data to defend ourselves from or to pursue legal claims, for no longer than 10 years;
(d) we will keep your data used for marketing purposes until you withdraw your consent (unsubscribe) - it may take us up to 30 days to delete the data;
(e) we will keep your data collected from cookies for as long as indicated in the Cookie Declaration (link in the footer of our websites);
(f) when we no longer require your data we will delete or anonymize it.

In general, we will store your data until you close your Gwent account. After that, we may still use limited data about you for tax, legal or accounting reasons.

7. WHO HAS ACCESS TO YOUR DATA

7.1 In general only our authorized personnel have access to your data.

7.2 Some Gwent services may involve interacting with our Trusted Partners. In such cases we may need to share some of your personal data with them.

We provide some services with the help of our Trusted Partners, with whom we may share some of your data.

7.3 Please be aware that we are subject to various laws and may be required to release personal data to comply with law enforcement requests and/or other legal requirements.

We may be required to comply with law enforcement requests to release personal data.

7.4 In the unlikely event of a reorganisation or merger of CD PROJEKT RED, we may transfer personal data to an involved third party. We will make sure that they keep at least the same level of data protection.

In the event of any reorganisations, acquisitions, etc., your data will still be protected to at least the same level as it is right now.

7.5 When you create a Gwent account, some basic data about you (your username, card collection, and statistics) will form a part of your public profile and it will be visible to everyone who views your profile. You can disable this function and the visibility of your profile through your Gwent account settings at any time.

Limited data about you will be visible in Gwent as a part of your public profile. It can be disabled at any time via the privacy settings in your account.

8. OUR TRUSTED PARTNERS

8.1 We may share your data with the following Trusted Partners (formally called “data processors”). We always provide them with just the data that they need to perform their Gwent-related services:
● CD PROJEKT Inc., a CD PROJEKT Group company who helps us with marketing in the United States,
● partners who provide us with software and support ticket system to help us managing your customer support requests (like Zendesk Inc.),
● partners who provide us with error tracking and crash reporting tools,
● partners who provide us with internal management and data-sharing tools,
● partners who help us in data analysis by providing us with analytical tools,
● partners who help us manage our newsletters and email communications by providing us with email marketing tools,
● network and data hosting providers whose services we use to support Gwent infrastructure,
● professional advisors who assist us with legal, tax, audit or accounting matters,
● social media platforms, for the purpose of personalized and targeted marketing.

8.2 When required by law, we may also share your data with the police or other government authorities (including your IP address and details of suspected unlawful or fraudulent activity).

8.3 Gwent account registration involves the use of Google’s reCAPTCHA service. This plugin checks if you are a person in order to prevent the service from being abused by spam bots. Use of the reCAPTCHA service is subject to the Google Privacy Policy and Terms of Use.

8.4 Your data may be processed, stored and transferred to countries outside the European Economic Area (EEA), such as Switzerland or the United States. Privacy laws in these countries may not offer the same level of protection as in your country or in the EEA. But whenever we share your personal data outside the EEA, we will do so on the basis of EU standard contractual clauses or other lawful measures, to ensure security of your data.

Whenever we share your data outside Europe, we make sure that the data is properly protected.

9. THIRD PARTY SERVICES

Gwent may, from time to time, contain or connect you with third party content or services. Our Privacy Policy does not extend to external sites or companies, so please refer directly to their privacy policies.

You may find third party links in Gwent or we might direct you to third parties. They may collect data from you in accordance with their own privacy policies. Please be sure to take a look at them.

10. ARRANGEMENTS BETWEEN CD PROJEKT RED AND GOG

As we are joint controllers of your data, we want to share with you our essential arrangements regarding processing of data:

CD PROJEKT RED is responsible for:
(a) providing you with all necessary information about your data processing,
(b) responding to your requests regarding your data protection rights,
(c) analyzing data, including profiling and targeting communications,
(d) managing and providing access to playgwent.com (including cookie management),
(e) keeping a record of processing activities.

GOG is responsible for:
(a) keeping Gwent accounts and related back-end infrastructure,
(b) storing and backing up your Gwent account data,
(c) providing you with marketing information on our behalf (newsletters),
(d) cooperating with CD PROJEKT RED in responding to your requests.

Each of us is responsible (in their own scope) for:
(a) providing user support regarding the services that we are responsible for,
(b) making sure that we process your data in accordance with applicable laws, on valid legal bases and in accordance with the principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality and accountability,
(c) informing you and/or relevant data protection authorities about any data breaches,
(d) maintaining adequate technical and organisational security measures for the protection of your data.

11. YOUR RIGHTS AND COMPLAINTS

11.1 You have the right to object to the processing of your personal data at any time, such as for marketing reasons.

11.2 You have the following additional rights:
● You have the right to access data held about you;
● You may contact us to request that we delete your data from our system;
● You may ask us to rectify/correct your data, if appropriate;
● You may ask us to restrict the processing of your data;
● You have the right to transfer your data to another entity;
● You have the right to file a complaint with a data protection authority.

11.3 To exercise your rights or in case of any concerns or questions about your privacy, please contact us and we will do our best to assist you. You can reach us at privacy@cdprojektred.com or contact our Data Protection Officer at dpo@cdprojektred.com.

11.4 If you feel we have not dealt with your concern properly, you can report it to your local data protection authority or the Polish regulator – the President of Polish Office of Data Protection - Prezes Urzędu Ochrony Danych Osobowych ("PUODO") in Poland.

11.5 Under California law, California residents who have an established business relationship with us have the right to request certain data with respect to the types of personal data we have shared with third parties for their direct marketing purposes, and the identities of those third parties within the immediately preceding calendar year, subject to certain exceptions. All requests for such data must be in writing and sent to:

CD Projekt S.A., ul. Jagiellońska 74, 03-301, Warsaw, Poland

This same California law permits us to provide you, in response to your written request, with a cost-free means to choose not to have your data shared rather than providing the above-described data. You may exercise that choice by contacting us at the address listed above.

You have the right to access your data, to make amendments to it, to have us delete all of your data, to restrict the processing of your data, or to have your data transferred to another entity. You can always send an email to privacy@cdprojektred.com and we will do our best to provide support.

12. CHANGES TO THIS PRIVACY POLICY

12.1 We may change this Privacy Policy if necessary, for example for legal reasons or to reflect changes in our services. If we do so, we will make the altered Privacy Policy available online and update the “Last Updated” date.

12.2 Once we change the Privacy Policy, it will become legally binding 30 days after we post it online. During that period, you are welcome to contact us if you have specific questions about the changes.

12.3 If you don't agree to the changes (regardless of whether you contact us), you should stop using Gwent. This stems from the need to have every player observing the same rules, so our services can function properly.

We can change this Privacy Policy, but if we do, we will put the updated version online. Changes will take effect 30 days after we have made the updated version public. Feel free to contact us if you have any questions regarding the changes.

13. USER AGREEMENT

We’d also like to remind you that our Gwent User Agreement has more information about how we operate Gwent.

Just a reminder to check our User Agreement as well.

14. WHAT DATA WE COLLECT

When you sign up for, download, use or play Gwent, or are involved in Gwent esports events (such as the Gwent Masters tournaments) we collect certain data about you.
When you play Gwent we collect basic data about you and your activity on your account:
● email address
● name and surname;
● date of birth
● any username used to identify yourself, avatars
● GOG-ID
● Gwent-ID
● log of user activity within Gwent (login time, logout time, log of matches played, number of wins and losses, gathered experience points)
● account of in-game virtual goods and currencies
● Matchmaking Rating (MMR)
● IP address
● location, language (inferred from your IP address)
● country of origin
● network latency
● users segment identifiers
● data about your device/platform
● any other data which you submit to us through Gwent.

When you buy Gwent in-game content we additionally collect:
● data about purchases made with virtual or real currency (including transaction dates, currencies, transaction value, purchased items)

When you play Gwent we collect basic data about you and your activity on your account. If you engage with us more, for example contact our support or enlist for a Gwent tournament, we may collect additional data.

We do not receive nor store any of your payment details. This is fully handled by the relevant payment platform.

We do not collect your payment details. The only data we store is the transaction time, currency, amount and the purchased assets.

If you contact our technical support we additionally collect:
● other data required to help you with your issue, such as data collected in crash logs that are gathered by your device or the technical parameters of the device you use to play Gwent.
If you take part in a Gwent esports competition (Gwent Ranked Play and/or Gwent Masters tournament) we additionally collect:
● your GOG username and avatar
● Gwent-ID
● log of user activity within Gwent (login time, logout time, log of matches played, number of wins and losses, gathered experience points,)
● your card collection and decks
● Matchmaking Rating (MMR) and faction Matchmaking Ratings (fMMRs)
● IP address
● country

If you take part specifically in Gwent Masters esports tournaments and events – we may additionally process your data used only in context of your participation in these events, in particular:
● passport/ID number, issuer of the document, photo/scan of the document, citizenship
● your date of birth
● bank account details for prize payment
● your image if you participate in a Gwent tournament
● place of birth
● correspondence address
● your father’s and mother’s names
● data on your participation in official and authorized Gwent events
● Crown Points (points used in Gwent Masters rankings)

We need the above data to provide you with Gwent. If you do not agree to provide us with the data, you will not be able to play Gwent, take part in esports tournaments and/or use other services.
When you visit playgwent.com we may collect the following data:
● technical details about any device which you use to access our services, including: Internet and/or network connection (including IP address), country (inferred from your IP address), any mobile device identifier; your operating system, browser type or other software; or your hardware or other technical details;
● data collected via cookies and/or similar tracking technologies.