This General Data Protection Regulation (GDPR) Compliance Policy (“GDPR Policy”) describes how the GDPR applies to your use of this interactive web application (the “Site”) and what we’ve done to ensure compliance and give you more control over your data.
Leading up to the implementation of the GDPR (the new EU privacy law, in force since 25 May 2018), we have been hard at work building numerous features that give users more control over the data that is stored on our platform. We have designed and enabled these features for all our users, regardless of whether the GDPR specifically impacts them.
This compliance policy explains how the GDPR applies to your use of the Site and what we have done to ensure we are compliant with the new rules.
What is the General Data Protection Regulation (GDPR)?
The GDPR is a regulation designed to harmonize data privacy laws throughout the European Union (EU). This new regulation offers individuals in the EU greater transparency and control over how their personal data is used and makes companies handling personal data accountable for their choices. Even businesses that are not based in the EU must comply with the GDPR if they are collecting and processing personal data of individuals located in the EU.
This Site's Role as a Data Controller and Data Processor
If your data processing activities fall under the scope of the GDPR, one of the first questions you should ask yourself is “Am I a data controller or a data processor?”. The answer to this question will help you determine your compliance obligations under the GDPR. The controller is the organization that determines the purposes and means of processing. As an experience-host user of this site, you operate as the controller when using our products and services. You have the responsibility for ensuring that the personal data you are collecting is being processed lawfully and that you are using processors, such as this site, that provide sufficient guarantees to meet the key requirements of the GDPR.
This site is considered a processor. We act on the instructions of the host-user controller of the joined interactive experience, which come in the form of Experience creation, execution, management, and removal. Like controllers, processors are expected to comply with the GDPR.
As an end-user participant of an interactive experience on this site, your data will be collected in order for you to participate. This GDPR compliance policy further explains your rights and how you can control, view, export, and remove any collected personal data.
On which legal basis can you collect and process personal data?
As a processor, we rely on our customers to ensure that personal data are collected on the basis of one of the GDPR lawful grounds for processing. You, as a host controller, can collect personal data based on one of the following legal bases: (i) consent; (ii) processing is necessary for the performance of a contract you have with the data subject; (iii) processing is necessary for compliance with a legal obligation; (iv) you need to protect the vital interests of the data subject or of another person; (v) you (or another third party) have a legitimate interest in processing personal data and this is not overridden by the interests, rights and freedoms of the data subject.
What about Site’s sub-processors?
Processors may leverage other third parties in the processing of personal data. These entities are commonly referred to as “sub-processors”. The site uses cloud infrastructure providers like Wix, Amazon Web Services, Rackspace, and SoftLayer to host the site. As required under the GDPR, we have put in place appropriate measures with our sub-processors that allow us to secure the personal data we process on your behalf. If you are one of our customers, we will provide you with an exhaustive list of the sub-processors we use.
How do we support you in dealing with data subject rights?
Under the GDPR, EU data subjects can access, correct, remove or export their personal data. They also have the right to restrict the processing of their personal data.
We have designed our platform with several self-service features that our customers can leverage to assist in reviewing the personal data stored on our platform to respond to data requests.
In particular, these features are designed to support the right to data portability, right to access, and right to be forgotten.
When we, as a processor, receive a request directly from a data subject, we will engage the respective customer within seven days to respond to the data subject request (unless otherwise required by law).
What personal data does this site collect and how is it used?
We are committed to being transparent in how we handle and process personal data. As one of our host-users or participant-users, you should be aware of how we handle personal data on your behalf.
Participant-User Personal Sign-In Data
When a participant-user signs into an interactive experience (for example an escape game, Geo Race, and/or trivia game) they may be asked for their first name, last name, email, phone number, age, address, and/or additional custom lead capture fields.
Participant-User Personal Sign-In Data may be collected for some experience types at a minimum as necessary functional information. For example, a trivia game must collect a nickname, first name, or handle in order to display a participant's score in the rankings. Additional lead capture fields may be requested by the host-user for their lead capture purposes for later marketing and/or analysis.
Participant-User Response Data
When a participant-user responds to an interactive experience, for example by answering a poll question, answering a trivia question, sending a text-based answer to a question, or submitting a text-based social wall post, the participant-user's submission must be collected in order to perform analysis and provide the essential functionality of the site. Examples include compiling all participant-users' votes for a poll, computing scores for all participant-users' trivia game responses, or displaying a social wall of all participant-users' text responses.
Beyond immediate use within the site for basic functionality, participant-users' responses may be viewed and exported by the host-user for their own marketing and analysis purposes. This data can include all interactive experiences a participant-user has participated in, which questions in each experience a participant-user has responded to, and what answers and responses a participant-user sent.
How Can the Participant-User Manage Their Data?
All participant-users can manage any and all of their personal data by clicking the upper-right-hand corner menu and accessing the various actions including:
Viewing all collected Sign-In data
Viewing all collected Response data
Exporting all collected Sign-In Data
Exporting all collected Response data
Removing all collected Sign-In data (by removing their account)
Removing all collected Response data
Removing all collected data (by removing their account)
Removing their participant-user account completely
Executing any of the data removal functions will permanently remove the participant-user data from all site servers and host-user experiences. The host-user will lose all of the participant-user's collected responses and their personal Sign-In Lead Capture data if the participant-user chooses to remove them. When a participant-user removes any of their collected data they may sacrifice essential functional elements in any of their joined interactive experiences. For example, removing one's responses in a trivia game will result in losing one's score and ranking in that trivia game. Likewise, removing one's personal Sign-In data may result in being immediately removed from any joined interactive experiences if the host-user required a certain personal Lead Capture data field for those experiences.
Participant-users' removal of personal data is at their own risk of negative consequences in any joined interactive experiences.
How Can the Participant-User Remove Their Account?
All participant-users can remove and permanently delete their account and thus remove any and all of their personal data by clicking the upper-right-hand corner menu and selecting the appropriate action.
How have we engaged in complying with the GDPR?
As a processor, we have specific obligations under the GDPR. In this section, we highlight how we handle personal data and what efforts we are making to ensure you, as one of our customers, can trust us.
In our efforts to comply with the GDPR, we have conducted a detailed risk analysis of all applications that may process personal data of individuals located in the EU. Based on the result of such analysis, we have put in place appropriate measures that allow us to comply with the new requirements.
First of all, we have gathered a dedicated team of data protection and security specialists who review the site's processing of personal data and ensure we always have privacy in mind.
Our incredible team has taken many proactive steps towards compliance with the GDPR:
We have implemented or are working on new policies and procedures to be able to detect personal data breaches and notify our customers without undue delay to ensure they meet the breach notification requirements of the GDPR.
We have developed procedures to be able to deal with the requests we receive from data subjects and inform you of such requests.
We have reviewed and updated the security policies and controls we have in place. These are continually tested and evolve in line with changing regulations and governance requirements.
We have appointed a Data Protection Officer, who will be in charge of compliance with the GDPR across our business.
We carry out regular data protection training for our employees and staff.
We have created and maintain a record of our data processing activities.
The above are only some of the steps we have taken in our path towards GDPR compliance, which is an ongoing exercise that we are engaged in.
How do we ensure personal data are legally transferred outside of the EEA?
The GDPR does not require that data processing activities are limited to the EU but regulates the transfer of personal data outside of the European Economic Area (EEA). In order to do that, the GDPR provides for different transfer mechanisms.
The EU-US Privacy Shield is one of the lawful mechanisms to transfer data between the EU and the US. This site is self-certified to the EU-US Privacy Shield Framework maintained by the US Department of Commerce (Privacy Shield). You can inspect our certification in the Privacy Shield list of the US Department of Commerce by searching for “Boardroom Breakout” here: https://www.privacyshield.gov/list.
In addition to the Privacy Shield, our DPA includes the EU Standard Contractual Clauses, which are another valid mechanism for the transfer of data outside of the EEA. The Standard Contractual Clauses are model clauses published by the EU Commission and designed to facilitate transfers of personal data from a data exporter located in the EEA to a data importer located outside of the EEA.
What is a Data Processing Agreement and do we need one?
If you are a data controller, the GDPR requires that you enter into an agreement with your data processors. This agreement is referred to as a “Data Processing Agreement” and sets out how a controller and a processor meet the requirements of the GDPR. We have this document on file for our data processors.
Does the GDPR impact businesses outside of the EU?
In many cases, yes. Even businesses that are not based in the EU are considered to be in scope of the GDPR if they are collecting personal data on EU residents.
Does the GDPR require data to be stored in the EU?
The GDPR does not require that data processing be limited to the EU. The EU-US Privacy Shield is one of several valid lawful mechanisms to transfer data between the EU and the US. In addition to Privacy Shield, the Site's Data Processing Agreement includes the EU Model Clauses, which is also a valid mechanism for the lawful transfer of data between the EU and US.
How does the GDPR impact personal data collected before May 25th, 2018?
The GDPR applies to all personal data, even if it was collected before May 25, 2018.
If there are any questions regarding this GDPR compliance policy you may contact us using the information below.
1599 Meadowview Dr.
Corinth, TX 76210
United States of America