Privacy Policy

We, Mimimi Games GmbH (hereinafter “Mimimi” or “we”), inform you according to the General Data Protection Regulation (hereinafter “GDPR”) about our processing of personal data (art. 4 para. 1 GDPR).

Our privacy policy is modular. It includes general information about our processing of personal data (I.) and information for specific processing-purposes (II. et seqq.):

I. General Information
II. Website
III. Games
IV. Communication with us
V. Information for applicants

I.     General Information

1.    Controller

The controller within the meaning of the GDPR and other national data protection laws of EU countries and other data protection laws is:

Mimimi Games GmbH
(formerly known as Mimimi Productions UG (haftungsbeschränkt))
Hohenlindener Str. 4
81677 München

Tel.: +49 (0) 89 80 911 50 70
Email: mimi@mimimi.games

2.    Data protection officer

Our data protection officer is Prof. Dr. Christian Rauda, attorney and board-certified attorney for information technology law.

GRAEF Rechtsanwälte Digital PartG mbB
Jungfrauenthal 8
20149 Hamburg

Email: dataprotection@mimimi.games

3.    Extent of processing personal data

We generally collect and use personal data of our users only if and to the extent necessary to provide our services. Personal data of our users generally will be processed only if there is a legal basis for it. The categories of personal data processed by us will always be mentioned for the specific purpose of use of the data (see below).

4.    Legal basis for processing personal data

If we obtain the consent of a data subject for processing personal data, the legal basis for processing such personal data is Art. 6 para. 1 let. a) GDPR. If we process personal data that are necessary to perform a contract to which you as the data subject are a party, the legal basis for processing such personal data is Art. 6 para. 1 let. b) GDPR. The same applies if processing personal data is necessary to perform pre-contractual measures. If processing personal data is necessary to perform a legal obligation of our company, the legal basis for such data processing is Art. 6 para. 1 let. c) GDPR. If processing personal data is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights and fundamental freedoms of the data subject do not outweigh that legitimate interest, the legal basis for such data processing is Art. 6 para. 1 let. f) GDPR.

5.    Erasure of data and duration of data storage

Personal data will be erased or blocked as soon as it is no longer needed for the purposes for which it was stored and no other legal basis allows us the processing of the personal data. Personal data may also be blocked if provided for by EU or national regulations, laws, or other provisions to which we are subject. Personal data will also be blocked or erased if recordkeeping obligations under the aforementioned norms expire, unless continued storage of such data is necessary to enter into or perform a contract.

6.    Recipient of personal data

For the processing of personal data we sometimes need to provide those personal data to a processor who processes the personal data on our behalf. If we use a processor for a processing-purpose, we inform you about it in the specific section of the privacy policy.

7.    Processing of personal data in third countries

For technical reasons we sometimes need to process personal data in countries which are not located in the EU/EEC. We will explicitly inform you about such cases in this privacy policy.

If we process personal data in such countries and those countries do not guarantee an adequate level of data privacy protection which is verified by an adequacy decision of the Commission according to art. 45 para. 3 GDPR, we enter into a contract with the processor according to art. 46 GDPR which includes the EU-Standard Contractual Clauses. A copy of those clauses can be found here: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN

8.    Rights of the data subjects

If we process your personal data, you are a data subject within the meaning of the GDPR and you have the following rights against us as the controller:

a)    Right to information

You may demand that we confirm whether or not personal data about you are processed by us.

If we do process such personal data, you may demand the following information from the controller:

  • the purposes for which your personal data are processed;
  • the categories of personal data that are processed;
  • the recipients or categories of recipients to whom your personal data have been or will be disclosed;
  • how long we plan to store your personal data or, if that time period cannot be ascertained yet, the criteria used to determine how long we will store your personal data;
  • whether you have a right to rectification or erasure of your personal data, a right to restricted processing by the controller, or a right to object to such processing;
  • whether you have a right to lodge a complaint with a supervisory authority;
  • any available information about the origin of data if they were not collected directly from the data subject; and
  • whether your personal data will be transferred to any third country or international organization; in connection with such transfers you may demand to be informed of appropriate safeguards within the meaning of art. 46 GDPR.

b)    Right to rectification

You have the right against us to have incorrect personal data rectified and/or to have incomplete personal data completed if the personal data we process are incorrect or incomplete. We must rectify data without undue delay.

c)    Right to restricted processing

Under the following conditions you may demand restricted processing of your personal data:

  • if you dispute the correctness of your personal data for a time period that allows the controller to review whether your personal data are correct;
  • if processing is unlawful and you decline to have your personal data erased and instead demand restricted use of your personal data;
  • if the controller no longer needs your personal data for the purposes for which they are processed, but you need such data to assert, exercise, or defend legal rights or claims, or
  • if you have objected to processing of your personal data in accordance with art. 21 para. 1 GDPR and it has not yet been determined whether there are overriding legitimate reasons of the controller.

If processing of your personal data is restricted, such data may – except for their storage – be processed only with your consent, or to assert, exercise, or defend legal rights or claims, to protect the rights of another natural person or legal entity, or for reasons related to an important public interest of the European Union or any member state.

If processing of your personal data has been restricted under the aforementioned conditions, you will be notified by the controller before the restriction is lifted.

d)    Right to erasure

Erasure obligation

You may demand that the controller erase your personal data without undue delay and the controller has an obligation to do so if one of the following reasons applies:

  • your personal data are no longer needed for the purposes for which they were collected or are otherwise processed;
  • you have revoked your consent on which the processing of your data is based in accordance with art. 6 para. 1 let. a) or art. 9 para. 2 let. a) GDPR, and there is no other legal basis for processing your personal data;
  • you have objected to processing of your personal data in accordance with art. 21 para. 1 GDPR and there are no overriding legitimate grounds for processing your personal data, or you object to processing in accordance with art. 21 para. 2 GDPR;
  • your personal data have been processed unlawfully;
  • erasing your personal data is necessary to comply with a legal obligation under European law or member state law to which the controller is subject; or
  • your personal data were collected with respect to offered information society services within the meaning of art. 8 para. 1 GDPR.

Information to third parties

Where the controller has made personal data public and has an obligation under art. 17, para. 1 GDPR to erase such personal data, the controller, taking into account available technology and the cost of implementation, must take reasonable steps, including technical measures, to inform controllers which are processing such personal data that the data subject has requested the erasure by such controllers of any links to, or copies or duplicates of, such personal data.

Exceptions

There is no right to erasure if processing personal data is necessary

  • to exercise the right to freedom of expression and information;
  • to comply with a legal obligation which requires processing of your personal data under EU or member state law to which the controller is subject, or to perform a task that is in the public interest, or to exercise official authority vested in the controller;
  • for reasons of the public interest in the area of public health within the meaning of art. 9 para. 2 let. f) and i) and art. 9 para. 3 GDPR; or
  • to assert, exercise, or defend legal rights or claims.

e)    Right to notification

If you have exercised your right to rectification, erasure, or restricted processing against the controller, the controller has an obligation to notify all recipients to whom your personal data have been disclosed of such rectification, erasure, or restricted processing, unless this proves impossible or would be associated with unreasonable expense.

You have a right to be informed of all such recipients by the controller.

f)     Right to data portability

You have a right to receive personal data you have made available to the controller in a structured, standard, and machine-legible format. You also have the right to transfer your personal data to another controller without any interference by the controller to whom the personal data were made available, if

  • processing is based on consent within the meaning of Art. 6 para. 1 let. a) GDPR or Art. 9 para. 2 let. a) GDPR or on a contract within the meaning of Art. 6 para. 1 let. b) GDPR, and
  • data processing is automated.

In exercising the right to data portability you further have the right to have your personal data transferred directly from one controller to another controller, if and to the extent that this is technically feasible. No rights or freedoms of any other persons may be infringed thereby.

The right to data portability does not apply to processing of personal data that is necessary to perform a task that is in the public interest or to processing of personal data in the exercise of official authority vested in the controller.

g)    Right of objection

You have the right for reasons related to your particular situation to object to processing of your personal data at any time based on art. 6 para. 1 let. e) or f) GDPR; the same applies to any profiling based on the aforementioned provisions.

If you object, the controller will no longer process your personal data, unless the controller can show that there are compelling protected reasons for processing your personal data that override your interests, rights and freedoms, or if your data are processed to assert, exercise, or defend legal rights or claims.

If your personal data are processed for direct advertising purposes, you have a right to object to processing of your personal data for purposes of such advertising at any time; the same applies to any profiling associated with such direct advertising.

If you object to processing of your personal data for purposes of direct advertising, your personal data will no longer be processed for such purposes.

In connection with use of information society services you may exercise your right of objection – regardless of Directive 2002/58/EC – by using automated processes for which technical specifications are used. For this purpose you may send an email to our data protection officer.

h)    Right to revoke consent to data processing

You have a right to revoke your consent to data processing at any time. If you exercise your right of revocation, the lawfulness of data processing that occurs before revocation based on your consent will remain unaffected.

i)     Automated decision in a particular case, including profiling

You have a right not to be subjected to a decision that is made exclusively by means of automated processing – including profiling – if such a decision has legal consequences for you or otherwise substantially impairs your interests. This does not apply if the decision

  • is necessary to enter into or perform a contract between you and the controller,
  • is permitted under EU or member state law to which the controller is subject and such law provides for appropriate safeguards to protect your rights, freedoms, and legitimate interests, or
  • is made with your express consent.

However, such decisions may not be made with respect to special categories of personal data within the meaning of art. 9 para. 1 GDPR, unless art. 9 para. 2 let. a) or g) GDPR applies and appropriate safeguards have been implemented to protect your rights, freedoms, and legitimate interests.

In the first and the last cases above the controller must implement appropriate safeguards to protect your rights, freedoms, and legitimate interests, which must include, at a minimum, a right to have a person acting on behalf of the controller take action, a right to present your own point of view, and a right to contest the decision.

j)     Right to lodge complaint with supervisory authority

Without prejudice to any other available administrative or judicial remedies, you have a right to lodge a complaint with a supervisory authority, in particular a supervisory authority located in the member state of your habitual residence, at your workplace, or at the place of the purported infringement, if in your opinion the processing of your personal data violates the GDPR.

The supervisory authority where the complaint is lodged will then notify the complainant of the progress and outcome of the complaint, including judicial remedies available under art. 78 GDPR.

II.    Website

The following information about the processing of personal data applies to the websites including their subsites (hereinafter “Websites” or “Website”) mentioned below:

  • mimimi.games
  • shadowgambit.com

If not mentioned explicitly below, the following information applies to all Websites.

1.    Making available the Websites and creating log files

When our Website is accessed, our system will automatically collect data and information from the operating system of the user's device accessing the Website.

In this connection the following data will be collected for a limited time period:

  • visited website
  • quantity of data transmitted
  • information about the type and version of the browser used,
  • the operating system of the user,
  • the IP address of the user,
  • the date and time of access, and
  • the websites from which the system of the user arrived on our Website

Such personal data will be stored in log files. Such personal data are needed to ensure the functionality of our Website and analyze any malfunctions. Temporary storage of the IP address for the system is necessary for making the Website available to the terminal device of the user. For this purpose the IP address of the user must be stored for the duration of the session.

For the storage of the personal data we use the servers of Alfahosting GmbH, Edmund-von-Lippenmann-Straße 13-15, 06112 Halle (Saale) in Germany (hereinafter “Alfahosting”). Alfahosting only uses servers in Germany and we have a data processing agreement with them.

The aforementioned purposes also provide the basis of our legitimate interest in data processing within the meaning of art. 6 para. 1 let. f) GDPR. Collecting data to make available the Website and storing data in log files is necessary for operating the Website. Consequently, users have no right to object to the collection or use of such data for the aforementioned purposes.

2.    Cloudflare

For specific services on our websites we use services of Cloudflare Inc., 101 Townsend St, San Francisco, CA 94107, USA (hereinafter “Cloudflare”):

  • mimimi.games: Only for storing of data which stems from the use of Discord.
  • shadowgambit.com: As DNS server for various content from our website.

Cloudflare offers server infrastructure which enables faster and safer access to data from all over the world because of the proximity to the user. This purpose also provides the basis of our legitimate interest in data processing within the meaning of art. 6 para. 1 let. f) GDPR.

Cloudflare processes the data in the USA on the basis of EU Standard Contractual Clauses and thus offers sufficient guarantees within the meaning of art. 46 para. 1, para. 2 let. c) GDPR.

Further information about Cloudflare can be found here: https://www.cloudflare.com/de-de/privacypolicy/. Questions about Cloudflare’s use of data can be asked here: privacyquestions@cloudflare.com.

Cloudflare’s services are provided as commissioned data processing; please contact us if you would like to object to the use of the data. Please note that in the case of an objection you might not be able to use our Website anymore.

3.    Google Analytics/Google Tag Manager

On the basis of a consent within the meaning of art. 6 para. 1 let. a) GDPR we use Google Analytics, a web analysis service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”) and use the “Google Tag Manager” to integrate and manage Google’s analysis and marketing services into our website. According to their terms of use, Google reserves the right to use personal data for its own purposes. However, Google will not disclose whether and which personal data is used by Google.

The information generated by a cookie about the use of the website by the user is usually transferred to a Google LLC server in the USA and stored there. Google processes the data in the USA on the basis of EU Standard Contractual Clauses and thus offers sufficient guarantees within the meaning of art. 46 para. 1, para. 2 let. c) GDPR. We only use Google Analytics with activated IP anonymization. This means that the IP address of the user is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transferred to a Google server in the USA and shortened there. Only if you have given your consent will personal data be processed by Google. Further information about the cookies used by Google can be found here.

Google will use the information gained through cookies on our behalf to evaluate the use of our website by users, to compile reports on the activities within this website and to provide us with further services associated with the use of this website and the Internet. The processed data can be used to create pseudonymous user profiles of the users.

You can – in addition to the default setting at the beginning of the use of the website – prevent the storage of the cookies by a corresponding setting of your browser software; you can also prevent the collection of the data generated by the cookie and related to your use of the online offer to Google as well as the processing of these data by Google by downloading and installing the browser plugin available under the following link: https://tools.google.com/dlpage/gaoptout

You can find further information on data use by Google, setting and objection options on the websites of Google: https://www.google.com/intl/de/policies/privacy/partners (“Data use by Google when you use websites or apps of our partners”), https://www.google.com/policies/technologies/ads (“Data use for advertising purposes”), https://www.google.de/settings/ads (“Manage information that Google uses to show you advertising”).

4.    YouTube-Plugin

Within the scope of our online-services (e.g., our blog) the implementation and use of features and content of YouTube via plug-in is possible. YouTube is a video platform service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“YouTube”).

We used a 2-click-option for our YouTube-Plugin. This means that you have to accept the transport of personal data to the servers of YouTube before you can see their content. The legal basis for opening a transport-channel to the servers of YouTube is your consent according to art. 6 para. 1 let. a) GDPR.

YouTube can store various cookies on your device after starting a video. With the help of these cookies, YouTube can obtain information about visitors to the website. This information is used, among other things, to gather video statistics, improve the user experience and prevent fraud. The cookies remain on your device until you delete them. The information generated by a cookie about the use of the website by users is usually transferred to a YouTube server in the USA and stored there. YouTube processes the data in the USA on the basis of EU Standard Contractual Clauses and thus offers sufficient guarantees within the meaning of art. 46 para. 1, para. 2 let. c) GDPR.

If necessary, after the start of a YouTube video, further data processing operations may be triggered, over which we have no influence. The use of the YouTube-Plugin itself is based on your consent to YouTube (e.g. consent to the storage of cookies), art. 6 para. 1 let. a) GDPR. Further information about data protection at YouTube can be found in their privacy policy at: https://policies.google.com/privacy.

5.    Twitter

Within the scope of our online-services (e.g., our blog) the implementation and use of features and content of Twitter via plug-in is possible. Twitter is a social media platform of Twitter Inc, 1355 Market Street, Suite 900 San Francisco, CA 94103 (“Twitter”).

We used a 2-click-option for our Twitter-Plugin. This means that you have to accept the transport of personal data to the servers of Twitter before you can see their content. The legal basis for opening a transport-channel to the servers of Twitter is your consent according to art. 6 para. 1 let. a) GDPR.

As soon as you have agreed to the personal data transfer to Twitter, a connection to the Twitter servers is established and we do not have any influence on further data transfer. For instance, if you are logged in to your Twitter account, you allow Twitter to associate your surfing behavior directly with your personal profile. You can prevent this by logging out of your Twitter account. Furthermore, Twitter can store various cookies on your device after accepting the data transfer. With the help of these cookies, Twitter can obtain information about visitors to the website. This information is used, among other things, to gather statistics, improve the user experience and prevent fraud. The cookies remain on your device until you delete them. The information generated by a cookie about the use of the website by users is usually transferred to a Twitter server in the USA and stored there.

6.    Newsletter

You can register for a newsletter on our website. For this we require your email-address. In addition, we check in compliance with the relevant law whether you are the true holder of the email-address and agreed to receive the newsletter. For this purpose, we send you a validation email. Our newsletter informs you about important announcements, exclusive insights into the development and invitations for beta-versions of our new games.

As receiving the newsletter depends on your consent according to art. 6 para. 1 let. a) GDPR, you may revoke your consent to the collection and storage of your data at any time, without giving reasons. Use the “unsubscribe” link at the bottom of every email or contact us.

For sending the newsletter we use the “MailChimp” service of the online dispatch service Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, U.S.A. (“Rocket Science”). Their privacy policies can be found here: https://mailchimp.com/legal/privacy/. Rocket Science processes the data in the USA on the basis of EU Standard Contractual Clauses and thus offers sufficient guarantees within the meaning of art. 46 para. 1, para. 2 let. c) GDPR. The usage of MailChimp is based on our legitimate interests in accordance with art. 6 para. 1 let. f) GDPR. We have an interest to see whether the newsletter is opened and which parts of it are read. In this way, we improve our services in the future. We entered into an order-processing contract with Rocket Science. Rocket Science may use the pseudonymized data of recipients to optimize and improve their services, for instance in respect to the technical dispatch of the newsletter or for statistical purposes. Rocket Science does not use the data to send you newsletters themselves and the data will not be transmitted to third-parties.

7.    Online presence in social media

We maintain an online presence on social networks and platforms to communicate with clients, interested parties, and users who are active on those networks, and to be able to inform clients, interested parties, and users of our services.

Our Website therefore links to the website of Facebook, operated by Meta Platforms, Inc., 1 Hacker Way, Menlo Park, CA 94025, U.S.A., or, if you reside in the EU, Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, (“Facebook”). Otherwise no data are exchanged with Facebook on our Website.

Our Website also links to the website of Twitter, operated by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, U.S.A. or, if you reside in the EU, Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland.

Our Website also links to the website of Discord Inc., 401 California Dr, Burlingame, CA 94010, U.S.A. (“Discord”).

Our Website also links to the website of Instagram (“Instagram”), operated by Meta Platforms Inc., 1201 Willow Road, Menlo Park, CA, 94025, U.S.A. or, if you reside in the EU, Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

When you access the aforementioned networks or platforms, the terms and conditions and data processing policies of the companies that operate those networks or platforms will apply. Unless otherwise provided in our data privacy policy, we will process data of users if they communicate with us through social networks or platforms, e.g., if they post on our Facebook pages, or send us messages.

8.    Web shop

For the avoidance of doubt, we inform you that we have a link to the web shop https://mimimi-campusstore.de/en/

We are neither the controller of that web shop nor are we the contractual party if you purchase products on this shop. The web shop is operated under the sole responsibility of Campus Sportswear GmbH.

III.   Games

The following information about the processing of personal data applies to the games (hereinafter “Games” or “Game”) mentioned below:

  • Shadow Gambit: The Cursed Crew
  • daWindci Deluxe
  • Ooops, Noah is gone!

If not mentioned explicitly below, the following information applies to all games.

1.    Download of the game

a)    Steam

Our Game

  • Shadow Gambit: The Cursed Crew

can be downloaded via the platform Steam. Steam is a service of Valve Corp., having its registered offices at NE 4th St., Bellevue, WA 98004, USA (hereinafter “Steam”). Steam also offers the option of in-game purchases and other services of their own. We have no influence on their data processing and Steam is the controller under data protection law and therefore responsible for any processing of personal data on their platform. Their respective terms of use and data protection information apply.

Their privacy policy can be found here: https://store.steampowered.com/privacy_agreement

b)    Epic Games Store

Our Game

  • Shadow Gambit: The Cursed Crew

can be downloaded via the platform of Epic Games Inc., 620 Crossroads Blvd., Cary, NC USA (hereinafter “Epic”). Epic also offers the option of in-game purchases and other services of their own. We have no influence on their data processing and Epic is the controller under data protection law and therefore responsible for any processing of personal data on their platform. Their respective terms of use and data protection information apply.

Their privacy policy can be found here: https://www.epicgames.com/site/en-US/privacypolicy

c)    Xbox

Our Game

  • Shadow Gambit: The Cursed Crew

can be downloaded via the Microsoft store, a service of the Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA (hereinafter “Xbox”). Xbox also offers the option of in-game purchases and other services of their own. We have no influence on their data processing and Xbox is the controller under data protection law and therefore responsible for any processing of personal data on their platform. Their respective terms of use and data protection information apply.

Their privacy policy can be found here: https://privacy.microsoft.com/en-gb/privacystatement

d)    PlaystationStore

Our Game

  • Shadow Gambit: The Cursed Crew

can be downloaded via the PlaystationStore, a service of the Sony Interactive Entertainment Europe Limited of 10 Great Marlborough Street, London W1F 7LP, United Kingdom (hereinafter “Playstation”). Playstation also offers the option of in-game purchases and other services of their own. We have no influence on their data processing and Playstation is the controller under data protection law and therefore responsible for any processing of personal data on their platform. Their respective terms of use and data protection information apply.

Their privacy policy can be found here: https://www.playstation.com/en-gb/legal/privacy-policy/

e)    Mobile AppStores

Our Games

  • daWindci Deluxe
  • Ooops, Noah is gone!

can be downloaded via the Google and Apple platforms. The platforms also offer the option of in-app purchases and other services of their own. We have no influence on their data processing and they are the controllers under data protection law and therefore responsible for any processing of personal data on their platform. Their respective terms of use and data protection information apply.

The privacy policy of the Google Play Store can be found here: https://policies.google.com/privacy

The privacy policy of the Apple AppStore can be found here: https://support.apple.com/en-gb/HT211970

IV.  Communication with us

If you communicate with us, we will process the personal data which is included in your request only for the purpose of handling your request. The legal basis is art. 6 para. 1 let. f) GDPR. The personal data will be deleted if the purpose of your request is fulfilled.

If your communication with us relates to the closing of an agreement, the legal basis for the processing of personal data is art. 6 para. 1 let. b) GDPR.

V.    Information for applicants

We process the personal data of applicants for the purpose of processing the application procedure. The processing may also take place electronically. This is particularly the case when application documents are sent electronically, for example by e-mail.

If we conclude an employment contract with an applicant, the transmitted data is processed for the purpose of handling the employment relationship. In such a case the legal basis is in particular art. 26 Federal Data Protection Act (BDSG).

If no employment contract is concluded with the applicant, the application documents are automatically deleted after notification of the decision, provided that no other legitimate interests of Mimimi oppose deletion. Another legitimate interest in this sense is, for example, a duty to provide evidence in proceedings under the General Equal Treatment Act (AGG).