Personal Data Protection Policy

Last update: 4th February 2025

Preamble

Asmodee attaches the utmost importance and care to the protection of your Personal Data.

Please read the following carefully to understand our policy and practices regarding information collected through the Site.

This personal data protection policy (hereinafter the “Policy“) contains the minimum rules that Financière Amuse BidCo, a French company with its registered office at Quartier Villaroy, 18 rue Jacqueline Auriol, 78280 Guyancourt, France and registered with the Versailles Trade and Companies Register under number 815 143 904 (hereinafter ” Asmodee “), ” We “) has established with regard to the protection of Personal Data so that the collection, use, storage and disclosure of Personal Data is carried out in a fair, transparent and secure manner.

This Policy sets out our approach to the processing of Personal Data (“Personal Data” or “Data“) about you that we collect from you or that third parties lawfully communicate to us as well as the purposes of such processing. It also describes your rights in relation to our processing of your Personal Data.

As a data controller, or its equivalent, within the meaning of the Personal Data Regulations, we are required to collect Personal Data from you in the context of the use of your Account allowing you to access all the content of the Applications and to use the Services under a single identity.

Definitions

The following terms, whether used in the singular or plural in this Policy, shall have the following meanings:

“Application(s)“: refers to the websites, mobile games, computer games and games accessible online, published by Financière Amuse BidCo and/or its Subsidiaries as well as by its Partners;

“Account“: refers to the unique account accessible on the Website asmodee.net through the User’s personal and confidential identifiers that he or she may not communicate to a third party, and from which he or she can access the Platform and the Applications;

“Personal Data“: refers to any information that relates to or an identified or identifiable natural person or information that can be used to identify you (or your household), either alone or in combination with other information available on the Platforme.;

“Affilate(s)”: means any legal entity that directly or indirectly controls or is controlled by or under common control with Financière Amuse Bidco .;

“Asmodee Group“: refers to all companies or entities controlled directly or indirectly by Financière Amuse TopCo SAS. Control of an entity means the possession, directly or indirectly, of the power to direct or cause to be directed the management or policies of such entity, whether through ownership of the voting securities, by contract, or otherwise;

” Partner(s)”: refers to companies that are not Subsidiaries that publish websites, mobile games, computer games or games accessible online;

“Platform“: refers to the platform accessible from the account.asmodee.net or api.asmodee.net website;

“Policy“: means this Privacy Policy;

“Product(s)“: refers to the physical product(s) marketed on the Asmodee Platform and on the Asmodee Group Applications connected to the Asmodee Platform and on its Partners’ Applications, in particular games;

“Personal Data Regulations “: refers to all relevant laws and regulations governing the processing of Personal Data, such as the EU Regulation No.°2016-679 of the European Parliament Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (known as “GDPR”)., Canada’s Personal Information Protection and Electronic Documents Act (known as “PIPEDA”), and the California Consumer Protection Act of 2018 (known as the “CCPA”);

“Service(s)“: refers to the service(s) offered by the Platform and by the Applications of our Subsidiaries, and by the Applications of our Partners who use the Platform, including access to online games, online tournaments and the creation of various content by Users (avatars, game scenarios, stories, etc.);

“User“: refers to the natural person, whose minimum age is in accordance with local law, browsing the Platform from his/her Terminal and whose processing of his/her Personal Data is governed by the Policy.

“Terminal(s)“: refers to the hardware equipment(s) (computer, tablet, smartphone, phone, etc.) used by the User to use the Platform or the Products.

What Personal Data do we collect about you?
For what purposes is your Data used by Asmodee?
How long do we keep your Personal Data?
Is Personal Data transferred outside the European Union?
Security of Your Personal Data
What are your rights?
Data fate in the event of death
How to contact us?
Changes to the Policy

Who is responsible for the processing of your Personal Data?

Financière Amuse BidCo, whose registered office is located at Quartier Villaroy, 18 rue Jacqueline Auriol, 78280 Guyancourt, France, registered with the Versailles Trade and Companies Register under number 815 143 904 is the data controller of your Personal Data. We may, depending on the case, act as a processor of the processing of your Personal Data implemented by our Subsidiaries and/or Partners.

Minimum age

Preserving the safety and privacy of children is very important to us. In accordance with this, we do not direct our Services towards children. Therefore, we do not process Personal Data from children without checking their digital age which may vary from a country to another and obtaining their guardian’s consent on their behalf if they do not have the minimum age required to provide their Personal Data to us. Our company undertakes to obtain this consent before any collection or use of Personal Data. Holders of parental responsibility are invited to monitor the use that minors in their care make of our online services and to support them in protecting their privacy. If you believe that we have received information from a person protected under child protection laws where necessary parental consent was not obtained, please notify us immediately, and we will take reasonable steps to securely remove such information.

How do We collect your Personal Data?

We collect your Personal Data in the following ways:

directly from the User when the User uses our webSite and services (by filling in various forms on the Site, by communicating directly with Us);
indirectly from our Affilialtes or Partners;
automatically when the User access or use the Site (technical data, IP address, information relating to his/her browsing, etc.).

What Personal Data do we collect about you?

Personal Data that you provide directly to us

We collect the following Personal Data about you:

Identifiers : your first and last name, pseudonym and gender. Some Data, such as your nickname, is made public to allow your community to find you in our servicesLogin data such as your email address to create an account and log in to your account, your country of residence,
Internet or network activity : Data you provide on the Apps or Services when you play our online games: your profile information, games, game statistics, ranking and game history, and some of which may be visible both in-game and to non-game players. When playing Applications involving multiple Users, please note that certain Personal Data will be made public and therefore accessible to other Users, such as your Username, statistics and game performance data. The data of the Content published in the context of chats and forums may also be made public to Users and Internet users.
Data of the content communicated on the Applications or Services (in particular through contact forms or other functionalities of the Site).
Data you submit in connection with support requests;
Commercial or customer records: Data relating to your behavior and reputation: game levels reached, rewards, rankings, game missions completed, statistics such as game time, as well as data related to bugs and malfunctions;
We also collect and process Data that you voluntarily provide to us to receive email alerts, receive our newsletter, or to receive early access to our games, participate in competitions or competitions, or when you contact us through our customer service.
Data when you register for a competition: name, surname, username, postal and email addresses

We do not collect any Personal Data that is considered “sensitive” under the Personal Data Regulations, in particular data relating to your state of health or that would reveal your alleged racial or ethnic origin, your political opinions, your religious or philosophical beliefs or your trade union membership.

Personal Data We Collect Automatically

Each time you visit our Site, we automatically collect (but where required, with your consent) certain data and information about you and/or your computer or electronic device through the use of “cookies”. This information includes:

the IP address automatically assigned to your computer when you use the Internet;

the type of internet browser you are using;

the type of operating system and device you use to access the Site;

the domain name of your Internet service provider;

the web page you came from;

your country of residence and language;

the pages and features you visit and access on our Site, as well as the time spent on those pages.

Your game experience, duration, time of use, trials, progress, results, and saved preferences

When you access, visit and/or use our Site, we may therefore track your visit and collect certain data relating to your use of the Products and Services and your activity on the Site. To learn more about our use of cookies, please read our Cookie Policy, available here

For what purposes is your Data used by Asmodee?

For a more in-depth understanding of the different processing operations we may carry out, we suggest that you click on each purpose listed below. You will thus obtain a detailed description of the sub-purposes, the Personal Data concerned, the legal bases justifying this processing and the duration of storage of your data.

We would like to draw your attention to the fact that some data may be kept for longer periods than those indicated below to enable us to meet our legal obligations, defend our rights in the event of a liability claim or for the exercise of legal rights. In this case, your Personal Data will be archived and stored for the period imposed by the applicable regulations or for the duration of the applicable legal statute of limitations.

When your Personal Data is no longer required, We ensure that it is deleted or anonymised.

We process your Personal Data for the following purposes. Whenever we process your Personal Data, we do so on the basis of a lawful “justification” (or legal basis) for processing, which we have identified in the table below.

Purposes	Explantation and legal basis	Retention periods
To log in to your Account and allow you to access the Applications under a single identity.	This processing is necessary for the performance of the contract concluded between you and Asmodee.	Retention of data necessary for account management until the account is deleted. For the purpose of proof of deletion, the following are kept for 3 years: the surname, first name, email, date and channel of deletion of the account from the date of deletion.
To enable you to use the Services	This processing is necessary for the performance of the contract concluded between you and Asmodee.
To provide you with commercial information regarding (i) similar Products and Services of Asmodee and/or Partners, (ii) the Asmodee Group and/or (iii) Partners.	This processing is based on your consent.	Until you unsubscribe through your account;• or by using the unsubscribe links provided for this purpose in the newsletters;• or, if no customer account is associated with your email address, 3 years after your last interaction (i.e. opening) with an email sent to you by us.
To provide you with personalized social media advertisements (using as a unique identifier the same email address you may have provided for the creation of your user accounts both on Asmodee and on social media platforms).	Asmodee relies on your consent in order to carry out the intended processing.	Until deleted by the user or objected to (managed automatically by social networks)
To improve our customer knowledge.	We consider that we have a legitimate interest in understanding our customers in order to be able to develop relevant products and services.
To comply with any applicable law, court order, legal process, or the requirements of a regulatory body.	This processing is necessary for compliance with legal obligations.
To enforce our legal rights and obligations and for any legal proceedings involving you, initiated by or against you.	We consider it to be in our legitimate interests to protect our organisation against any breach of a legal obligation owed to it and to defend ourselves in the event of a dispute.
To protect the rights of third parties.	This processing is necessary for compliance with the legal obligations to which Asmodee is subject. This processing is also necessary for the purposes of the legitimate interests pursued by Asmodee. We consider that we have a legitimate interest in ensuring that our activities do not violate the rights of third parties.
In anticipation of and/or in connection with a commercial transaction such as a merger, acquisition, restructuring or sale of the companies that make up the Asmodee Group	We consider it to be in our legitimate interest to be able to make informed decisions about the future of our company, in order to preserve and develop our business activities.	During the due diligence period and until the deed is signed
To improve our marketing campaigns	We consider it to be in our legitimate interests to understand which marketing channels enable us to implement effective marketing campaigns. However, where the law requires Asmodee to obtain your consent to measure the effectiveness of our campaigns, Asmodee will rely on your consent before proceeding with the required processing.
Detecting, preventing and combating fraud and cybercrime Keeping our site secure	Performance of the service (contract) Legitimate interest (fight against counterfeiting, fight against fraud, fight against cybercrime, …)	Logs used to ensure the security of the Services are kept for a period of 1 year from their recording. In order to protect against any dispute, We may keep certain information for up to 5 years from the date of registration.
Responding to Your requests to exercise rights	Legal obligation	One (1) in the event of exercising the right of access, erasure, portability, limitation or rectification. Six (6) years in the event of exercising the right to object.

Where the processing is based on our legitimate interest, we will make sure to take into account any potential impact that the use of your data may have on you. If we believe that your interest or fundamental rights and freedoms override our legitimate interest, then we will not use your Personal Data on this basis and we will ask you for specific consent.

We do not use personal information for purposes that are incompatible with the purposes for which it was originally collected, unless the purpose has been subsequently approved by you.

Who do we transmit your data with?

The Personal Data that we collect may be transmitted in order to ensure the purposes listed in Section titled «For what purposes is your Data used by Asmodee?» :

To the authorized personnel of Asmodee;
To our Affiliates . We may disclose Personal Data to companies in which we hold shares as necessary for the purposes described in this Policy.
To our Partners,
Technical service providers participating in the achievement of the purposes described in Section titled «For what purposes is your Data used by Asmodee?, such as cloud storage. They act as our “processors”. and are required to implement appropriate security measures in order to protect the Personal Data in their possession. They are also bound by a strict confidentiality agreement, and by specific contractual clauses relating to “how” and “when” they are authorized to use your Personal Data on our behalf.
To social networks, in particular Meta®, which can also determine “why” and “how” your Personal Data is used. Meta has its own privacy policy and cookie policy. Therefore, remember that the Personal Data you give them will be subject to their rules and not ours.
To the police authorities in the context of judicial requisitions concerning the fight against fraud or to the administrative and judicial authorities authorized for the search and identification of the perpetrator of an offence in strict compliance with the legal provisions.
To tournament organizers to verify participants’ identities, enable their tournament participation, and to facilitate the recording of final scores in order to ensure fair play and for the smooth operation of tournaments.

Please note that this list is not exhaustive and that there may be other instances where we share your Personal Data with third parties, where it is in Our legitimate interests, permitted by applicable law or where it is necessary to comply with a legal obligation to which We are subject.

How long do we keep your Personal Data?

Asmodee retains the Personal Data it collects only for the time necessary for the purposes of the processing and in accordance with the applicable legislation. The Data collected by Asmodee will therefore be kept for the time necessary to achieve the purposes described above, plus the period of the legal statute of limitations.

Once the retention periods have expired, we will ensure that your Personal Data is anonymised or deleted.

Unless you give you a specific instruction (provided that such special instruction is reasonable and practicable by us), we will delete all your Personal Data, in the event of your death, at the end of the applicable retention period and the applicable requirements, or at the request of a beneficiary and upon proof of his or her status as beneficiary and of your death and in accordance with the section titled “FATE OF DATA IN THE EVENT OF DEATH”.

For data processing implemented through cookies and trackers, please consult the cookie policy here</.

Is Personal Data transferred outside the European Union?

We operate worldwide and may transfer your Personal Data to other companies in the Asmodee Group or to partners around the world. We want you to have the best service and customer experience, whether online or in person, anywhere in the world. For this purpose, your Personal Data may be transferred outside the European Economic Area. Regarding the flow of your Data to the United States, national legislation ensures an adequate level of protection of Personal Data transferred from the European Union to organizations located in the United States when they take the steps to comply with the obligations arising from the Data Privacy Framework. Therefore, data transfers can be carried out freely to companies on the Data Privacy Framework list.

When the recipient is located in a country whose legislation has not been the subject of an adequacy decision by the European Commission, we ensure that the transfer is governed by the European Commission’s standard contractual clauses which guarantee an adequate level of protection of the privacy and fundamental rights of individuals, equivalent guarantees and/or, where applicable, appropriate technical and organisational measures.

Security of Your Personal Data

We implement appropriate technical and organizational measures to protect your Personal Data against accidental or unlawful destruction, accidental loss, alteration, dissemination or unauthorized access to such Data.

However, we do not control all the risks associated with the operation of the Internet and draw your attention to the existence of possible risks inherent in its operation.

We also monitor how our service providers process your Personal Data, so that they provide sufficient guarantees that appropriate data security measures are in place.

Password Security

We take all necessary precautions to ensure the secure storage of your password associated with your Account (storage encrypted by a strong one-way algorithm).

However, the security of this password also depends on its design.

Also, we remind you that your password, to be valid, must be sufficiently complex and difficult to guess, even by someone who knows you well. When creating your AsmoConnect account via the Internet, we offer you a password quality analysis tool whose recommendations we ask you to follow.

Security of transactions and communications

All communications between the Applications and the Platform are carried out securely using the SSL/TLS protocol, materialized by the appearance of a small padlock icon or equivalent in Internet browsers. This protocol protects you from snooping during transfers of Personal Data between the Applications and the Platform.

Security of storage of Personal Data

The Platform stores Personal Data on highly secure media both logically (encrypted hard drives) and physically (secure access datacenters).

What are your rights in relation to your Personal Data?

Depending on the Personal Data Regulation applicable to you, you may have one or more of the following rights and exercise them personally or through a legal representative acting on your behalf. We are committed to protecting your rights and enabling you to exercise them.

You can exercise your rights over your Personal Data at any time, i.e.:

▪ obtain information about the processing of your data;

▪ request access to your Personal Data, provided that this does not infringe on the rights and freedoms of others;

▪ request that certain Data concerning you be rectified (for example, if it needs to be updated or is incorrect) or that it be deleted;

▪ object to the processing of your Personal Data or request the restriction of such processing;

▪ request the portability of your Personal Data;

▪ Define instructions for the processing of your Data after your death

In the interest of confidentiality and protection of your Personal Data, we will need to identify you in order to respond to your request for a right of access. To do this, in case of reasonable doubts about your identity, you may be asked to attach to support your application, a copy of an official identity document, such as an identity card or passport. In this case, a black and white copy of one of these documents is sufficient.

If you need further information about your rights or how to exercise any of your rights, or if you have a complaint or question about our data protection practices, you can contact our Data Protection Officer at: DPO@asmodee.com

Or by mail to the following address:

FINANCIERE AMUSE BIDCO

Data Protection Officer

18 rue Jacqueline Auriol

78180 GUYANCOURT

France

In the United States and Canada, you can appeal an adverse decision by sending an e-mail to us at DPO@asmodee.com. You also have the right to lodge a complaint with your local regulator (the list of authorities is available on the website of the European Data Protection Board ( Membres | European Data Protection Board) r attorney general if you are not satisfied with our responses to your requests or how we manage your personal information. However, we encourage you to contact us first so we can address your concerns directly.

You have an absolute right to object to the subscription to our different newsletters : you can therefore request, free of charge and at any time, to no longer receive commercial communication from us.

You can exercise these rights at any time and free of charge, except in the case of manifestly unfounded or excessive requests (in particular due to their repetitive nature). In this exceptional case, we reserve the right, in accordance with the applicable Personal Data Regulations, to require the payment of a reasonable fee (indexed to the administrative costs of your request) or to refuse your request.

Data fate in the event of death applying to French Data Subjects:

In accordance with the provisions of Article 85 of the Loi Informatique et Libertés, we inform you that, as a natural person:

You have the right to set guidelines for us regarding the retention, erasure and disclosure of your Personal Data after your death;
You may change or revoke these guidelines with us at any time;
You may designate a person responsible for the execution of these directives, who will have the right after your death, to read these directives and to request their implementation from us.

You are also informed that if you do not send Asmodee specific instructions on the fate of your Personal Data, your heirs may exercise after your death the rights relating to the retention, deletion and communication of your Personal Data to the extent necessary for the organization and settlement of your estate as well as for Asmodee to take your death into account.

Changes to the Policy

We may change this Policy from time to time. Where appropriate, we will notify you by changing the date at the bottom of this Policy and, in some cases, we will provide additional notices (e.g. by posting a statement on the home pages of our Site or by sending you an email). We encourage you to review the Privacy Policy whenever you interact with us to stay informed about our Personal Data protection practices, and to stay informed about the methods you can use to control the use of your Personal Data and protect your privacy.