Hi! I'm the lead software developer on Virtual Manager. You know me from the blog by my club name FC Sunnyvale.
One of the intentions of the GDPR is to create more openness and clarity about how companies handle your personal information. However, there are many cases where the technical and legal concepts can be misleading when you read a document like this one as a layman.
Therefore, I've added in a few info boxes, where I explain the meaning of some of the techincal and legal terms in plain English.
So if you want to know once and for all exactly what a cookie is and what you can do with it, then read on.
1. Data responsibility
Playonic ApS is the data controller.
Contact: Playonic ApS
Address: Brovej 20A, 8800 Viborg, Denmark
Company reg. no.: 29778701
Phone.: +45 87250110
2. Personal information processing
We process the information you voluntarily give us when you create your club or edit your profile. We also collect data regarding your logins.
If you choose to use Facebook or Google to create your club, then they send us your email, your full name and a link to your public profile picture.
The data we use includes the following:
- Email address and/or profile from Facebook eller Google (for logins)
- An encrypted password
- Transaction information (if you buy products from us)
- Birth date and gender (if you choose to tell us)
- Cell phone number (if you pay for services using your phone)
- Any information, that you provide us with when you contact support
The purpose of handling your email address and/or profile from Facebook eller Google, is to let you log onto the site.
We also use your email to send you receipts for your purchases, reset your password and send you any mail-notifications that you choose to subscribe to.
Your email address is only visible to Playonic ApS employees.
You may choose to receive email-notifications about game updates, absense and achievements on the Settings page. You can always withdraw your consent.
The legal basis for the processing is Article 6(1) of the EU General Data Protection Regulation. 1, points a, b and f.
When you visit the website, we receive your IP address and certain information about the device you're using, such as the type of browser and operating system.
Your IP and information about your device are basic technical information that is always exchanged between your device and any server on the net that you are accessing. This is required to coordinate the transfer of the content you see and to customize it for your device. We save the IP address and time of logins to secure against illegal access to our systems or violation of the game rules.
The legal basis for the processing is Article 6(1) of the EU General Data Protection Regulation. 1, point f.
Why do you get my IP and information about my device?
The developer explains:
When you download a page, image, or any other kind of file from the web, your device and the server the file is located on, exchange some basic information in order to coordinate the transfer.
This information is sent automatically by your device and ISP, and it is a basic prerequisite for the functioning of the Internet and the World Wide Web.
What is an IP address?
An IP address is a number that might look something like this: 184.108.40.206. An IP address is what allows 2 devices on the web to communicate with each other.
Most people do not have a fixed IP address. Usually, you get a new one if you turn your internet router off and on again. If you are browsing on a mobile or from a school or workplace, you will often have an IP address that is shared by hundreds or thousands of others at the same time.
Only your ISP can connect an IP address with you personally, and they only give out that information if the police comes knocking with a court order in hand. Nevertheless, an IP address is defined in the law as "personal information" and that's why we have to mention it here.
Knowing your IP address does not mean that we know anything about you personally. At most, you can look up an IP address and see which ISP or company it belongs to.
What do you know about my device?
Your browser (internet application) sends a small bit of text to every server on the web that you access. The text contains some basic information about the browser itself, and sometimes the operating system of your device.
Here's an example of what my own laptop at work sends:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Firefox/60.0
The only thing that the line tells you is that I'm using the Firefox browser version 60 on a Mac with the Mac OS X 10.13 operating system.
The browser also informs the pages you visit certain other technical details. You can see what information your browser sends on this page: https://www.whatismybrowser.com
When you buy a product or write to us on the website, we collect the information you provide, such as name, email address, phone number, method of payment, and information about the IP address from which your order was made. If you pay by credit card, we get information about the type of your card and the last 4 digits of the card number.
Payment information is never processed directly by Playonic ApS, but by trusted payment service providers over an encrypted connection.
The main purpose is to receive payment and deliver the service you have purchased. Another purpose of processing this information is that we must comply with certain legal requirements, mainly for accounting purposes.
We save the 4 last digits of the card number to help you with any payment issues.
For purchases, we collect the IP address in order to prevent fraud, and as documentation for the Danish Customs and Tax Administration.
The legal basis for the processing is Article 6(1) of the EU General Data Protection Regulation. 1, b, c and f.
You have the option to enter your date of birth and gender, but it is optional. If you do, your age and gender will appear on your manager profile, which is visible to everyone.
You can also register your mobile phone number on the page. The mobile number will be used if you buy shoutbox messages by SMS, so that we can link the message to the correct club and show your club name and logo. We also use the number to help you with payment issues, or if you've lost both your password and email address to your club and would like to restore your access.
Your mobile number is only visible to employees at Playonic ApS.
Storage of information
Your personal information is kept for as long as it is necessary in order to fulfill the purpose, unless otherwise required by law, including accounting regulations that require us to store transaction information for 5 years.
When you write to us via the support system, your inquiry will first be answered by other managers who volunteer on the site. Our volunteers are not allowed to process personal information so you should not write such in your inquiry.
If personal information is necessary in order to help you, then you should wait until your ticket has been forwarded to one of our employees. In that case there will be a text stating either:
Your support ticket was forwarded to Administrator
Your support ticket was forwarded to Developer
Once your ticket has been forwarded to an employee, it can no longer be read by volunteers.
If you select "Payment Issues" when you open a support ticket, it is sent directly to an employee.
3. Who do we share personal information with
Personal information provided on virtualmanager.com is only processed by employees of Playonic ApS, as well as trusted third parties.
We use external partners for technical operations and website improvements, data backup and email sending. These partners only process information on our behalf and may not use it for their own purposes.
Below you can see which companies are involved and read how the information is used:
Our web servers and database are hosted by Outforce A/S at Strandvejen 7, 5500 Middelfart, Denmark. Therefore, all of our data is stored on devices that they own.
Yes, the name of the town is actually 'Middelfart'... quit smirking and move on :P
Every night we backup our entire database for safety reasons. We compress and encrypt the backup and then upload it to Amazon S3, which is a file storage service.
Freeway ApS owns 50% of Playonic. The accountants at Freeway ApS handle all our accounts and therefore they must have access to information about purchases and transactions.
We use Google Mail for employee email addresses and our support email. If you write to us, your mail will end up in our inbox in GMail. If our employees discuss a case that concerns you over email - for example, in case of payment issues - these emails may also contain personal information.
We use Google Analytics for anonymous collection of visitor statistics. For this purpose, Google receives anonymous IP addresses where the last 3 digits have been removed.
If you use Google to login to Virtual Manager, Google will obviously know that you've visited our site.
If you use Facebook to login to Virtualmanager, Facebook will obviously know that you have visited our site.
Link Mobility Group
Link Mobility is our provider of SMS services and SMS payments. If you pay by SMS, they will of course know your phone number.
SendGrid is a service for sending email. Newsletters and automatic mails such as receipts and reminders are sent through SendGrid. We obviously need to tell them your email address so that they know where to send the message.
Some of these data processors are established in the United States. The necessary guarantees for the transfer of information to the United States are secured through the data processor's certification under the EU-U.S. Privacy Shield Framework, in accordance with Article 45 of the EU General Data Protection Regulation.
A copy of Google LLC's certification can be found here
A copy of Facebook Inc.'s certification can be found here
A copy of SendGrid Inc.'s certification can be found here
A copy of Amazon Inc.'s certification can be found here
4. Your rights
As data controller, we are required to inform you of your rights.
The right to access and the right to data portability
You are entitled at any time to request information about, among other things, what information we have registered about you, the purpose of the registration, which categories of personal information and recipients of information there may be, as well as information about where the information originates from.
You are entitled to receive a copy of the personal information about you that we handle, and in certain cases, you have the right to obtain personal information provided to you by us in a structured, commonly used and machine-readable format and to transfer this information to another data controller.
If you want a copy of your personal information, you can request a data export on the Data Export page
Right to rectification
You are entitled to have incorrect personal information about yourself corrected. If you notice that there are errors in the information we have registered about you, you may have the option to correct them. Under "Settings" you have the option to change email address, password, and e-mail notification options. Under Manager Profile you have the option to change or delete the data you have provided about gender, age and phone number.
The right to be forgotten
In some cases you have the right to have all or some of your personal information deleted by us, for example, if you no longer wish to have a profile with us and we do not have any other legal basis to continue the processing. To the extent that continued processing of your information is necessary, for example in order to comply with our legal obligations or for legal requirements to be established, enforced or defended, we are not required to delete your personal information.
The right to restrict processing to storage
You may, in certain cases, have the right to limit processing of your personal information to only storage, for example, if you believe that the information we process about you is incorrect.
The right to object
You have the right at any time to object to our processing of your personal information.
The right to revoke consent
You have the right at any time to revoke a consent that you have given us to a given processing of personal information - in other words, to delete your profile. If you wish to revoke your consent, please contact us through the support system. You may be asked to prove that you are the rightful owner of the profile so that we can ensure that third parties who have accessed your login cannot delete your account.
The right to appeal
You are entitled at any time to file a complaint with your local data protection agency about our processing of your personal information.
We use "cookies", which is a small bit of text that is stored on your computer, mobile phone, or other device for the purpose of recognizing it, remembering settings, performing statistics, and targeting ads. Cookies can not contain malicious code such as viruses.
About these cookies... can I get a really simple explanation?
The developer explains:
I can best explain cookies with an example:
- Let's say you you call your local pizza place and order two number 15s with extra cheese.
- The pizza guy says, "Alright, we'll be there in 20 minutes. Your order number is 42"
- You write down '42' on a scrap of paper
- After half an hour the pizzas still haven't arrived so you call to ask them what's taking so long: "Hi, my order number is 42, and I'm still waiting for my pizzas."
- The pizza guy finds order number 42 and tells you they'll be 15 minutes late.
- When you finally have your pizzas, you crumble up the note with '42' written on it and throw it out.
In this example, your scrap of paper with the number 42 written on it corresponds to a cookie, and that's not even an oversimplified explanation of what cookies are.
When your device contacts a server online to retrieve a page, some graphics or anything else, the server can give it a bit of text and ask it to remember it - just as the pizza guy did in the example when he gave you the order number 42.
The next time you contact the same server, your device sends this bit of text back - same as when you gave them the number 42 when you called to ask where your pizzas were.
One important detail is that your device only sends a cookie back to the same server that gave it to you in the first place. You wouldn't call the bank and tell them order number of your pizzas.
And, just like you threw out the paper scrap, you can always delete the cookies that are on your device.
Now you know everything a cookie can do.
Visitor data: We use Google Analytics to track the number of visits, number of pageviews, peak times, etc.
Measuring the effectiveness of our advertising: We advertise Virtual Manager through Facebook and on Google AdWords. We'd like to know if that money is well-spent. Therefore, we use tools from these companies that give us insight into whether the people who click on a Virtual Manager ad actually also sign up and whether or not they buy something later on. These services can also choose to show more Virtual Manager ads to people who have once been on our front page to remind them that we still exist. This is called 'remarketing'. These features require that they set a cookie.
Login via social networks: You can use Facebook, Google, and other social networks to login to Virtualmanager.com. These partners will put cookies on your device if you use their service to log in to Virtual Manager.
Advertising: Banner ads on the site are provided by the following companies:
1260 Copenhagen K
29-31 Saffron Hill
London EC1N 8SW
How do targeted ads work?
The developer explains:
It is necessary for us to show ads on the page in order to keep the site running.
Targeted advertisements are probably the most controversial topic when it comes to privacy, so they require a separate explanation.
Let me make it clear: We do not send information that you have given us to any advertisers.
When you see an ad on our site, it's not retrieved from our own server, but from the advertising agency's (or their partners') servers.
If you have followed my technical explanations, you can actually deduce how it works.
The only data that advertisers get is the same data that I previously explained that your device, browser, and ISP automatically sends every time you download any content from the web - and which is a basic requirement for the functioning of the internet.
Our system has no contact with the advertisers and we do not send them any information about you. When you see an advertisement, you communicate directly with the advertiser - it does not go through us, and the ads are not associated with your Virtual Manager account. They do know, of course, that you saw the advertisement on www.virtualmanager.com.
If you write a post in our forum and put a picture of a funny cat wearing a frog hat, which is downloaded from another site, you have done the same thing we do when we put ads on our page. Anyone who reads your post has, in a legal sense, had their personal information disclosed because their browser exchanges technical information with the server that the image is retrieved from.
When you contact the advertisers' servers, it also means that they can place a cookie that your device will send back to them when you see more ads from the same advertiser.
So if we imagine that you see an ad on our site and they send you a cookie with the number 42, then they start building a profile on "number 42". They do not know anything about you personally - they only know you as "number 42" and the fact that you have visited our site.
If you then visit another website where you see an ad from the same advertiser, you again retrieve the ad content directly from the advertiser - not from that website. The advertiser then says: "Hey! Here's number 42. He, she or it has previously been on Virtual Manager, so he, she or it probably likes football and / or online games." And then they'll probably show you an ad that has something to do with one of those things.
The other site you visit does not know that you have visited Virtual Manager.
If the site you're on has something to do with cars, then the advertiser adds "interested in cars" to "number 42"'s profile, but they still don't know who you are.
If you delete the cookie they've placed, then it's like you've never existed.
One exception is if some of the ads come from Google. If you're signed in to your Google account and you see a Google ad somewhere online, then they might know you personally. However, Google is very open about what information they collect about you and they make it easy for you to see and correct the interests they've guessed that you have or completely turn off targeted advertising. You can do that on this page: https://adssettings.google.com