Original Effective Date: December 10, 2023

Last Updated: July 29th, 2024

Cygames, Inc., as well as its subsidiaries and affiliated entities (“Cygames,” “we,” or “us”), takes the protection of your personal data very seriously. The following privacy policy (the “Privacy Policy”) will provide you with information about personal data that we collect and how it is processed and used.

PLEASE READ THIS PRIVACY POLICY CAREFULLY BECAUSE, BY USING THE SERVICES, YOU CONSENT TO THE TERMS AND CONDITIONS OF THIS PRIVACY POLICY AND TO OUR PROCESSING OF PERSONAL DATA FOR THE PURPOSES STATED BELOW. IF YOU DO NOT AGREE WITH THE TERMS AND CONDITIONS OF THIS PRIVACY POLICY, PLEASE DO NOT USE THE SERVICES.

In order to ensure the secure processing of your personal data, we have implemented all safeguards required by law.

1. Scope of This Privacy Policy

This Privacy Policy applies only to services related to “Shadowverse: Worlds Beyond” controlled by Cygames (the “Services”).

2. Personal Data Collected (Categories and Sources of Personal Data)

We may collect the following personal data:
  • Your name, address, and email address, if you provide them to us
  • Whether you are currently using the Services or you are still considering using the Services, and if you are currently using the Services, the version of the Services you are using
  • Your Internet Protocol (IP) address, cookies, and other online identifiers
  • Your behavioral data on the internet including browsing history and information on your interaction with a website
  • Your date of birth and/or telephone number if necessary for us to provide the Services
  • Device information
  • Countries/areas where you live
  • Log information
  • Your account names associated with the Services’ game platform
  • Contents of your inquiries, including problems you experience, if you contact us to make inquiries
  • Inferences drawn from personal data to create your profile reflecting a person’s preferences or behavior and the like
  • Other personal data required to provide the Services (you will be notified separately of the category of data if required under applicable data protection regulations)

Personal data is collected directly from you, collected indirectly from service providers and platforms and other third parties, or inferred from collected data.

3. Cookies

We use cookies in the Services.

Cookies are small text files that websites send to your device for the purpose of keeping records. Cookies identify your device and, typically, your web browser. Some cookies are necessary to operate our website (e.g., establishing sessions), while other cookies provide enhanced functionality, gather analytical data to improve performance, enable us or our AdTech partners to deliver personalized advertisements by tracking you across the Internet, or enable sharing via social media.

You can choose whether to allow us or third parties (e.g., our analytics, AdTech, and social media partners) to set cookies which are not strictly necessary for the functioning of our website via the cookie banner and settings provided on our website.

Please be aware that when we talk about “cookies,” this term also includes other technologies (such as pixel tags and web beacons) which have the same purpose as the cookies described in this Privacy Policy.

First-party cookies are put on your device directly by the website you are visiting.

Third-party cookies are placed on your device, not by the website you are visiting, but by a third party such as an advertiser or a provider of analytics software.

Permanent cookies remain on your device when the website is closed and will be used on subsequent visits to our website.

Session cookies are temporary and expire once you close your browser (or once your session ends).

If you would like to know the details of our use of cookies or change settings for the use of cookies, please refer to our Cookies Settings.

You may also set most browsers to notify you if you receive a cookie, or you may choose to block cookies with your browser. If you do so, you may not be able to take advantage of the personalized features enjoyed by other users of the Services.

Cookies Settings

4. Use of Tracking and Similar Tools Provided by Third Parties

We engage in targeted advertising and use advertisers to serve advertisements on and off our Services. These third parties use cookies and similar technologies to collect or receive information from our Services and elsewhere on the Internet and use that information to provide you with targeted ads. You may remove yourself from the targeted advertising of companies within the Network Advertising Initiative by opting out via their official website (https://optout.networkadvertising.org/?c=1), or of companies participating in the Digital Advertising Alliance program by opting out here: https://optout.aboutads.info/?c=2&lang=EN. You can also use the Digital Advertising Alliance mobile app, available on the App Store, Google Play, and Amazon’s Appstore, to control interest-based advertising on apps on your mobile device. Mobile app guidance is available here: https://digitaladvertisingalliance.org/app.

Additionally, we use Google Analytics. Google Analytics is a web analytics service provided by Google LLC (“Google”) which collects anonymous statistical and analytical information about how our users use the Services. For example, Google gathers and aggregates data on page views and clicks within the Services. These analytics are not used to track your journey to other websites or to identify you. The information generated by the Google Analytics cookies about your use of the Services (including your IP address) will be transmitted to and stored by Google on servers in the United States.

You can find a more detailed account of Google’s privacy policy here: https://policies.google.com/privacy?hl=en.

Instructions on opting out of Google Analytics using a specific plug-in is available at the following link: https://tools.google.com/dlpage/gaoptout. Note that this opt-out is specific to Google activities.

5. Your Choice regarding Online Tracking

Our online services are not designed to respond to “Do Not Track” requests from browsers. However, you may communicate your privacy preference via the Global Privacy Control opt-out preference signal. To install Global Privacy Control, which is a device-specific browser or browser extension, please visit their official website (https://globalprivacycontrol.org/).

6. Use of Personal Data

We may process your personal data for the purposes described below:
  • To deliver content such as games, video, and music; and provide related services
  • To develop services; compile statistics, analysis, and questionnaires; and conduct other marketing activities intended to improve services
  • To contact and communicate with you to respond to your inquiries and complaints
  • To provide you with special offers, campaign information, updated information and other new services, newsletters, and any other information from Cygames or other third parties
  • To complete a transaction or service requested by you
  • To fulfill marketing or promotional purposes
  • To allow you to share the link to our contents on social networking services
  • To improve the Services
  • To create and publish content that is the most relevant to you
  • To notify you about a change to this Privacy Policy or the Terms of Service, if necessary
  • To resolve disputes with you
  • For other purposes of use as separately disclosed

Provision of your personal data is mandatory in some cases, such as for a statutory reason, contractual requirement, or a requirement necessary to enter into a contract. We may be unable to provide our service to you if you don’t provide such personal data.

7. Disclosure to Third Parties

We may share or disclose your personal data specified in Article 2 (Personal Data Collected (Categories and Sources of Personal Data)) to the extent necessary with or to third parties for the following purposes:
  • To provide the Services to you, we may disclose your personal data to service providers. Service providers are agents or independent contractors which provide the Services on behalf of us (including those involved in the organization of e-sports competitions), help us develop and maintain the Services, and provide other administrative services to us. Such service providers include ExPlay, Inc., and Keywords International Co., Ltd.
  • In addition, to store and manage data on servers, we may use Amazon Web Services, Inc. (“AWS”), and other cloud service providers to process your personal data. We may also disclose your personal data to service providers who provide services to evaluate the effects of advertisement. When engaging service providers, we enter into agreements for the protection of personal data with the delegated parties and request consent to the terms and agreements thereof so as to safely manage personal data.
  • Data collection by social-networking-service providers and video distribution platforms: Buttons through which you can share our content on social media or video links to video distribution platforms may be embedded in our websites. In this case, the social-networking-service providers and video distribution platforms may obtain your personal data.
  • To comply with laws and regulations, we may share personal data when necessary or in the good-faith belief that such action is necessary under the requirements of a law or regulation, a legally binding court order, or a governmental order from an investigative agency or competent regulatory authority that is issued with due process, to protect and defend our rights or property or both, or to act in urgent circumstances when it is necessary to protect the life, body, or property of a person, and the consent of the identified individual is difficult to obtain.
  • We may share or disclose personal data with or to third parties as part of any corporate reorganization process including, but not limited to, mergers, acquisitions, and sales of all or substantially all of our assets.

8. Security

No data transmissions over the Internet can be guaranteed to be 100% secure. Consequently, we cannot ensure or warrant the security of any information that you transmit to us, and you understand that any information that you transfer to Cygames is transmitted at your own risk. Cygames specifies rules for the protection of personal data, and incorporates appropriate administrative, technical, organizational, and physical security measures that are required under applicable regulations. We use firewalls to protect your information from unauthorized access, disclosure, alteration, or destruction. However, please note that this is not a guarantee that such information may not be accessed, disclosed, altered, or destroyed by breach of said firewalls and secure server software.

If we learn of any security systems breach, we may attempt to notify you electronically so that you can take the appropriate protective measures. By using the Services or providing personal data to us, you agree that we can communicate with you electronically regarding security, privacy, and administrative issues relating to your use of the Services. We may post a notice on our Services if a security breach occurs. We may also send an email to you at the email address you have provided to us.

9. Rights of Data Subjects

We respect the rights you have under the personal data protection regulations applicable to you. You may demand the disclosure of, correction of, addition to, or deletion in the content of; stoppage or elimination of usage of; or stoppage of third-party provision of your personal data or disclosure of records for the provision of your personal data to third parties pursuant to the Act on the Protection of Personal Information of Japan. In addition to these rights, other rights may be granted to you under the applicable personal data protection regulations of other countries, as may be applicable. For example, in accordance with personal data protection regulations of an applicable country, you may be granted the following rights, and if the conditions prescribed by such personal data protection regulations are satisfied, we will comply with your exercise of such rights.
  • Access to your personal data:
    The right to obtain confirmation from us on whether your personal data has been or is being processed, and if it has been or is being processed, the right to access the relevant personal data and specific related information.
  • Correction of your personal data:
    The right to modify incorrect personal data regarding you without unreasonable delay and the right to complete your personal data that is incomplete.
  • Deletion of your personal data:
    The right to delete personal data related to you without unreasonable delay.
  • Restriction on the processing of your personal data:
    The right to restrict the processing of your personal data.
  • Objecting to the processing of your personal data:
    The right to file an objection to the processing of your personal data if it affects your rights.
  • Withdrawal of consent:
    The right to withdraw your consent on which we rely to process your personal data. However, your withdrawal of consent does not affect the lawfulness of processing conducted based on your consent before its withdrawal.
  • Data portability:
    The right to receive your personal data in a structured and generally machine-readable form, and the right to transfer the data to third parties without interference from us.

If you wish to exercise any of the foregoing rights, please inquire with us using the contact information stated in Article 16 (Contacting Us). In order to confirm your identity, it may be necessary for us to ask for specific information from you. In addition, in order to streamline correspondences from us, we may contact you to ask for additional information in connection with your inquiry.

Further, you may directly file a complaint with the relevant supervisory agency in connection with our processing of your personal data.

10. Accounts Information

Access to your account and our Services is sometimes only possible through the use of an individual user ID and password. To protect the confidentiality of personal data, you must keep your password confidential and not disclose it to any other person. Please note that we will never ask you to disclose your password in an unsolicited phone call or email. CYGAMES IS NOT RESPONSIBLE FOR ACTIONS TAKEN REGARDING YOUR ACCOUNT WHILE A USER IS LOGGED IN USING YOUR USER ID AND PASSWORD.

11. Retention Period

We retain personal data for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements, to establish or defend legal claims, or for compliance and protection purposes.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

12. International Transfer of Information

Personal data which you choose to provide to us will be stored in Japan. We may transfer (by any means including sending or allowing access) that information to countries or areas outside of the country or area where you live in accordance with applicable laws and regulations. At this moment, we transfer personal data to Japan and the United States. In addition, our service providers also use cloud servers provided by AWS, and your personal data may be processed in any of the regions or edge locations stated in the page below:

https://aws.amazon.com/about-aws/global-infrastructure/regions_az/

Such personal data may be processed by such parties for the term necessary to fulfill purposes specified in Article 7 (Disclosure to Third Parties).

13. Third-Party Services

This Privacy Policy applies solely to information collected on the Services. The Services may contain links to other web services. We are not responsible for the privacy practices or the contents of these other web services.

14. Changes to This Privacy Policy

We reserve the right to change this Privacy Policy from time to time. When we do, we will also revise the “last updated” date at the top of this Privacy Policy. For some changes to this Privacy Policy we may attempt to obtain your consent before implementing the change by placing a notice on the Services. The continued use of the Services following such notice will be viewed as consent to such changes unless otherwise specified.

15. Our Policy regarding Children

We do not knowingly collect or solicit personal data from anyone under the age of 13. If you are under 13, please do not send any personal data, and please ask for help from your parents and other legal guardians. If we learn that we have collected personal data from a child under the age of 13 without legal grounds, we will delete the information as quickly as possible. If you believe that we may have any information from or about a child under the age of 13 without legal grounds, please contact us by email at .

16. Contacting Us

If you have any questions about this Privacy Policy, our privacy practices, or regarding information on or the correction, blockage, or deletion of data, please contact us by email at .

Addendum for residents of the European Economic Area and the UK

For residents of the European Economic Area and the UK, the following shall also apply.

1. Legal Basis for Processing

We will always process your personal data based on one of the legal bases provided for in the GDPR (Articles 6 and 7). We process your personal data for the purposes stipulated in the following paragraphs based on the legal grounds listed below.

(a) Performance of a contract (Article 6(1)(b) of the GDPR)

We process your personal data for the following purposes because it is necessary for the performance of a contract or in order to take steps at the request of the data subject (that is, you) prior to entering into a contract:
  • To deliver content such as games, video, and music; and provide related services
  • To contact and communicate with you to respond to your inquiries and complaints
  • To complete a transaction or service requested by you
  • To notify you about a change to this Privacy Policy or the Terms of Service, if necessary

(b) Legitimate interests (Article 6(1)(f) of the GDPR)

We process your personal data for the following purposes because it is necessary to do so in order to pursue our legitimate interests (Article 6(1)(f) of the GDPR):
  • To develop services; compile statistics, analysis, and questionnaires; and conduct other marketing activities intended to improve services
  • To fulfill marketing or promotional purposes
  • To improve the Services
  • To create and publish content that is the most relevant to you
  • To allow you to share the link to our contents on social networking services
  • To process strictly necessary cookies
  • To resolve disputes with you

(c) Consent (Article 6(1)(a) of the GDPR)

We process your personal data for the following purposes based on your consent (Article 6(1)(a) of the GDPR):
  • To process cookies (except for strictly necessary cookies) as well as your personal data obtained through such cookies
  • To provide you with special offers, updated information and other new services and other services, newsletters, and any other information from Cygames or other third parties

2. Overseas Transfer of Personal Data

If an adequacy decision is made with respect to a third country, we share or disclose your personal data to a person in that third country on the basis of the adequacy decision (Article 45 of the GDPR). For transfer to Japan, we will transfer your personal data based on adequacy decision to Japan (https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32019D0419&from=EN).

If no adequacy decision is made with respect to a third country, we share or disclose your personal data to a person in that third country by executing with the transferee the standard data protection clauses (https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en) (Article 46(2)(c) and (5) of the GDPR) approved by the European Commission.

3. Your Rights

You have the following rights:
  • Obtaining information regarding data processing: You have the right to obtain from us all necessary information regarding our processing of data concerning you (Articles 13 and 14 of the GDPR).
  • Access to personal information: You have the right to obtain confirmation from us as to whether or not personal information concerning you is being processed, and, where that is the case, to access personal information and certain information (Article 15 of the GDPR).
  • Rectification and erasure of personal information: You have the right to have us rectify inaccurate personal information concerning you without undue delay and have incomplete personal information completed by us (Article 16 of the GDPR). You also have the right to have us erase personal information concerning you without undue delay when certain conditions are met (Article 17 of the GDPR).
  • Restricting processing of personal information: You have the right to restrict our processing of personal information concerning you when certain conditions are met (Article 18 of the GDPR).
  • Objection to processing of personal information: You have the right to object to our processing of personal information concerning you when certain conditions are met (Article 21 of the GDPR).
  • Personal information portability: You have the right to receive personal information concerning you in a structured, commonly used, and machine-readable format, and to transmit those data to another controller without hindrance from us, when certain conditions are met (Article 20 of the GDPR).
  • Right to withdraw your consent: You have the right to withdraw your consent at any time by the means separately specified at the time we obtain your consent. However, your withdrawal of consent does not affect the lawfulness of processing conducted based on your consent before its withdrawal.
  • Freedom from automated decision-making: You have the right to not be subject to automated (no human involvement) decision-making which produces legal effects or significant effects on you, when certain conditions are met (Article 22 of the GDPR). In addition, regarding our processing of your personal information, if you live in the EEA, you may lodge a complaint directly with the relevant supervisory authority (see here for a list: https://edpb.europa.eu/about-edpb/about-edpb/members_en), or if you live in the United Kingdom, you may lodge a complaint directly with the Information Commissioner’s Office.

4. EEA and UK Representatives

For data protection matters, we have appointed Bird & Bird GDPR Representative Services SRL as our representative in the EEA and Bird & Bird GDPR Representative Services UK as our representative in the UK.

You can contact them by email at the addresses listed below. Your message will be forwarded to appropriate members of their data privacy teams.

EEA Residents: EUrepresentative.Cygames@twobirds.com
UK Residents: UKrepresentative.Cygames@twobirds.com

Addendum for residents of California

For residents of California, the following shall also apply.

1. Notice at Collection

This addendum contains disclosures required by the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”). We may collect or process various categories of personal data described under the CCPA (“California Personal Data”). Information on the categories of California Personal Data collected and/or whether we sell or share California Personal Data is contained in Sections 2 (Categories of California Personal Data Collected by Us) and 5 (Recipients of California Personal Data) below. Information on the length of time the business intends to retain California Personal Data is contained in Section 6 (Retention Period) below.

Information on your rights regarding your California Personal Data is contained in Section 8 (Your Rights concerning California Personal Data) below.

2. Categories of California Personal Data Collected by Us

We have collected the following categories of California Personal Data from and about you in the preceding 12 months:
  1. Identifiers including names, unique personal identifiers, cookies, online identifiers, Internet Protocol addresses, email addresses, account names and passwords, postal addresses, telephone numbers, dates of birth, or other similar identifiers
  2. Personal data categories contained in customer records including names, bank account numbers, credit card numbers, debit card numbers, or any other payment and financial information
  3. Commercial information including records of services purchased, obtained, or considered; or other purchase or consumption histories or tendencies
  4. Internet or other similar network activities including browsing history, device information, and information on your interaction with a website
  5. Geolocation data which may be broad location information, but not precise geolocation information
  6. Inferences drawn from personal data to create your profile reflecting a person’s preferences or behavior and the like

3. Categories of Sources of California Personal Data

In the past 12 months we have collected the California Personal Data specified in Section 1 of this Addendum from the categories of sources as specified in Article 2 (Personal Data Collected (Categories and Sources of Personal Data)) of the Privacy Policy.

4. Use of California Personal Data

We use California Personal Data for the purposes set forth in Article 6 (Use of Personal Data) of the Privacy Policy.

Our business purposes for the use of California Personal Data include:
  1. auditing our interactions with you;
  2. ensuring security and integrity;
  3. debugging;
  4. short-term, transient uses, including non-personalized advertising;
  5. enabling service providers to perform the Services on our behalf;
  6. advertising and marketing the services, except for cross-context behavioral advertising;
  7. internal research for technological improvement;
  8. verifying or maintaining the quality or safety of services or devices that are owned, manufactured, manufactured for, or controlled by us, and for improving, upgrading, or enhancing services or devices that are owned, manufactured, manufactured for, or controlled by us; and
  9. other operational purposes, purposes for which we provide additional notice, purposes disclosed elsewhere in this Privacy Policy, or purposes compatible with the context in which the personal information was collected.

Our commercial purposes for the use of California Personal Data include advancing commercial or economic interests, such as by inducing consumers to buy or subscribe to goods or services, or enabling or effecting, directly or indirectly, a commercial transaction including distributing targeted advertising.

5. Recipients of California Personal Data

We have not disclosed California Personal Data to anyone other than service providers under the CCPA.

We have sold/shared the following categories of California Personal Data to the following categories of recipients for the business and commercial purposes listed in Section 4 (Use of California Personal Data) above in the preceding 12 months, namely for purposes of distributing targeted advertising.

Category of California Personal Data Category of third parties sold/shared to
Identifiers Third-party Internet advertising networks that provide you with relevant Internet-based advertisements across the Internet
Personal data contained in customer records N/A
Commercial information Third-party Internet advertising networks that provide you with relevant Internet-based advertisements across the Internet
Internet or other similar network activity Third-party Internet advertising networks that provide you with relevant Internet-based advertisements across the Internet
Geolocation data Third-party Internet advertising networks that provide you with relevant Internet-based advertisements across the Internet
Inferences drawn from personal data Third-party Internet advertising networks that provide you with relevant Internet-based advertisements across the Internet

6. Retention Period

We retain California Personal Data for the period explained in Article 11 (Retention Period) of this Privacy Policy.

7. Sensitive Personal Information

We do not use or disclose sensitive personal information for any purpose beyond those for which it was provided.

8. Your Rights concerning California Personal Data

California residents have certain rights with respect to California Personal Data we collect. If you are a California resident, you may exercise the following rights regarding your California Personal Data, subject to certain exceptions and limitations:
  • The right to know the categories and specific pieces of California Personal Data we collect, use, disclose, sell, and share about you; the categories of sources from which we collected your California Personal Data; our purposes for collecting, selling, or sharing your California Personal Data; the categories of your California Personal Data that we have either sold or disclosed for a business purpose; and the categories of third parties with which we have shared California Personal Data.
  • The right to request that we delete the California Personal Data we have collected from you or maintain about you.
  • The right to correct inaccurate California Personal Data we maintain about you.
  • The right to opt out of our sale(s) and sharing of your California Personal Data. We obtain opt-in consent before selling or sharing any California Personal Data. Cygames may sell or share California Personal Data of children under the age of 16 years, but Cygames obtains opt-in consent.
  • The right to opt out of profiling, except under certain exceptions under local law.
  • The right to receive your California Personal Data in a structured and generally machine-readable form, and the right to transfer the data to third parties without interference from us.
  • The right not to receive discriminatory treatment for the exercise of the privacy rights conferred by the CCPA.
  • Shine the Light. Under California’s “Shine the Light” law (Civil Code § 1798.83), you, as a California resident, may ask us to request a list of the categories of personal data (if any) we disclosed to third parties for their own direct marketing purposes in the preceding calendar year and the names and addresses of those third parties. You may also ask us to refrain from sharing your personal data with third parties for their marketing purposes.

To exercise the above rights except for the right to opt out of our sale(s) or sharing of your California Personal Data, please contact us using the information in Article 16 (Contacting Us) of the Privacy Policy and submit the required verification information described below.

To opt out of sales or the sharing of your California Personal Data, please select and implement either of the following measures:

  • Visit the Your Privacy Choices page available here.
  • We support the Global Privacy Control opt-out preference signal, and interpret such signals as requests for opt-out of sales and the sharing of your California Personal Data. To install Global Privacy Control, please visit their official website (https://globalprivacycontrol.org/).

Verification procedures and necessary information: We may request that you provide additional information to verify your identity or to correctly understand, evaluate, and respond to your request, but you are not required to create an account with us in order to have it fulfilled. We ask you to provide specific California Personal Data for our records and reference. We will require you to provide, at a minimum, your name and email address.

Authorized agent: If you are a California resident, you may designate an authorized agent to submit requests on your behalf by designating such an agent in writing. We may require the agent to provide us with proof that you have authorized the agent to make requests on your behalf prior to accepting requests from the agent.

Addendum for residents of South Korea

For residents of South Korea, the following shall also apply.

If we use consent as the legal ground to process personal data, then after you withdraw your consent to the processing, we will stop processing your personal data unless there is another legal basis for such processing (e.g., statutory retention periods).