PLATFORM PRIVACY POLICY
Last updated: June 23, 2024
This privacy policy (“Privacy Policy” or “Policy”) describes how Overwolf Ltd. (“Overwolf”, “we”, “us”, or “our”) collect, use, process, share and disclose certain information, including your personal information when you, a user (“End User”) of:
- the Overwolf client platform, which is available for download at the Overwolf website located at www.overwolf.com (“Overwolf Platform”);
- the Curseforge application (which is also available for download from Overwolf Platform and shall be referred to as the “Curseforge Application”), the Curseforge website located at https://www.curseforge.com/ (“Curseforge Website”), and any Curseforge in-game respective services (“Curseforge”);
- any other applications or services that are owned and developed by us and distributed and available to access and download through the Overwolf Platform and/or other Overwolf’s Sites which are managed and operated by Overwolf (“Sites”).
Overwolf Platform, Curseforge, Sites, and other Services (as defined within our Overwolf Platform Terms of Use) shall be collectively referred to in these Terms as the “Services”.
This Privacy Policy shall not apply in the following cases:
- You are a visitor of our online informative and promotional website located at https://www.overwolf.com/. Please see our Website Privacy Policy for more information on how your personal information will be collected and processed by us.
- You are a Developer using any of the following: (i) App Developer Console; (ii) App Platform Electron; and (iii) CurseForge App Electron. Please see our Developer Privacy Policy for more information on how your personal information will be collected and processed by us.
This Privacy Policy, which is incorporated by reference to Overwolf Platform Terms of Use (together the “Terms”), governs our processing practices when you access, use, and engage with our Services, as defined herein.
Please note that this privacy policy governs solely the Services, and in case you download, install, and access certain applications through our Services, such applications may be subject to additional collection and processing of Personal Information by the owner and developer of that certain application. We urge you to review the applicable privacy policy of the application for more information.
Overwolf participates in the IAB Transparency & Consent Framework and complies with its Specifications and policies. Overwolf’s CMP number within the framework is 246.
Overwolf's use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements.
1. PRIVACY NOTICE
1.1 POLICY AMENDMENTS:
We reserve the right to amend this Policy from time to time, at our sole discretion. The most recent version of the Policy will always be posted on our website at: Overwolf Platform Privacy Policy. The updated date of the Policy will be reflected in the “Last Modified” heading. We will provide notice to you if these changes are material, and, where required by applicable law, we will obtain your consent. Any amendments to the Policy will become effective within 30 days upon the display of the modified Policy. We recommend you review this Policy periodically to ensure that you understand our most updated privacy practices.
1.2 CONTACT INFORMATION AND DATA CONTROLLER INFORMATION:
Overwolf Ltd. is incorporated under the laws of Israel, and it is the controller of your Personal Data.
You may contact us and our DPO as follows:
Data Protection Officer: dpo@overwolf.com or support@overwolf.com.
By mail: Sapir Tower, 40 Tuval St. Ramat Gan, Israel, 5252247.
Representative for data subjects in the EU and UK Contact Information:
We value your privacy and your rights as a data subject and have therefore appointed Prighter Group with its local partners as our privacy representative and your point of contact. Prighter gives you an easy way to exercise your privacy-related rights (e.g., requests to access or erase personal data). If you want to contact us via our representative, Prighter or make use of your data subject rights, please visit the following website: https://prighter.com/q/13682628040.
1.3 DATA SETS WE COLLECT AND FOR WHAT PURPOSE:
You can find here information regarding the purposes for which we process your personal data as well as our lawful basis for processing, the definition of “personal” and “non-personal” data, and how it is technically processed.
Non-Personal Data
During your interaction with our Services, we may collect aggregated, non-personal non-identifiable information, which may be made available or gathered via your access to and use of the Services (“Non-Personal Data”). We are not aware of the identity of the user from which the Non-Personal Data is collected. The Non-Personal Data being collected may include your aggregated usage information and technical information from your device, such as: the type of browser or device you use, language preference, time and date stamp, country location, etc.
Personal Data
We may also collect from you, directly or indirectly, during your access or interaction with the Services, individually identifiable information, namely information that identifies an individual or may, with reasonable effort, be used to identify an individual (“Personal Data”). The types of Personal Data that we collect as well as the purpose for processing and the lawfulness are specified in the table below.
We do not knowingly collect or process any Personal Data constituting or revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning a person's health or data concerning a person’s sex life or sexual orientation (“Special Categories of Personal Data”).
We may collect different categories of Personal Data and Non-Personal Data from you, depending on the nature of your interaction with the Services provided through to you, as detailed above. If we combine Personal Data with Non-Personal Data, the combined information will be treated as Personal Data or for as long as it remains combined.
The table below details the processing of Personal Data, the purpose, lawful basis, and processing operations:
| DATA SET | PURPOSE AND OPERATIONS | LAWFUL BASIS |
|---|---|---|
| Online Identifiers: Online Identifiers and Usage Data: When you access our Services, we collect certain online identifiers such as: IP address, cookie ID, similar unique online identifiers, advertising ID, tags (“Online Identifiers”). We may further collect information related to your use and interaction with our Services such as directing campaigns and URLs, pages viewed, access time and date, duration, clickstream, etc. (“Usage Data”). | We process such data through our or third-party cookies and tracking technologies for analytic, marketing and advertising purposes. For example, we process this data to understand how End Users use our Services, as well as to measure effectiveness of our features and content. We further use this data to track conversions from ads and understand the effectiveness of our promotional campaigns, and remarket to people who have taken some action on the Services. In addition, Usage Data related to Services helps us to better understand our business, analyze our operations, maintain, improve, design, and develop the Service and new products, conduct statistical analysis purposes, to test and improve our offers, decide how to improve the Service based on the results obtained from this processing. In addition, we process such data for operation, Services’ functionality, security and fraud prevention purposes, debugging purposes and to resolve technical problems. | Where we collect such data for analytic and advertising purposes, we process the data based on your consent which we will obtain through our cookie notice or consent management settings. You may withdraw consent at any time by using the cookie preference settings or the consent management settings (CMP). Where we collect such data for operations and security, we process your data based on our legitimate interest. |
| Contact Information: If you voluntarily contact us, you may be required to provide us with certain information such as your name, job title, company name, email address (“Contact Information”) and any additional information you decide to share with us. | We will use this data to respond to your inquiry. | We process such Contact Information subject to our legitimate interest. We may keep such correspondence if we are legally required to. |
| Support: If you contact us for support, we will process your Contact Information and any other information you provide us with. | We process the information solely to provide you with the technical support needed. | Processed for the purpose of fulfilling our contract obligations. |
| Registration Information: If you are required to register and create an Account (as such defined in our Terms), we will collect the Personal Data that you are required to provide us during the registry process, such as your email address, or by registration using your Google, LinkedIn, Twitter, Facebook, Reddit, or Discord account. In case you decide to register and create account by connecting your Google account we will use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements. Please note that signing up is not mandatory and you can use the Services without an Account (unless for Subscriptions, as detailed in our Terms). You represent and warrant that you will not provide us with inaccurate, misleading or false information. | This information will be processed for the purpose of performing our contract with you, to set up your account with us and enable you to use our Services. In addition, we may process your Personal Data for our legitimate interests, for example, to send you marketing and promotional messages and offers related to our Services. You are able to unsubscribe from receiving such correspondence from us by contacting us at: dpo@overwolf.com. Please note that if you choose to unsubscribe from direct marketing, we may still retain your contact details and send you relevant service-related information such as invoices and subscription rates. | The registration information is processed to perform our contract with you and the direct marketing is subject to our legitimate interest. |
| Billing information: As part of the Services, you may provide us with your payment details including credit card and bank account information. | We may use this information for billing purposes, for the purpose of enabling you to use the Services. We may use a third-party service provider in order to process your payment. We do not store or retain your actual billing information and all of such processing is done through the third-party processor. | We process this information for the purpose of performing our contract with you. |
| Advertisement Data: In an effort of delivering advertising we will collect the following Data from End User: 1. Unified ID (as detailed below) 2. Technical Information such as, device type, operating system, graphics card etc. 3. Active application/s, processes or windows’ data within the End User’s device. 4. Preference string such as TCF String. 5. Ad calls, which include referred URL, zip code, approximate location, Online Identifier. In certain cases End User that interacts with our Services will be assigned with a unique ID (“Unified ID”). The Unified ID will enable us to customize the Service and content as well as enhance your experience. We may use services of LiveRamp, The Trade Desk or others, in order to generate and make use of the Unified ID. For more information, please See the Unified ID section Below. | We may process the Advertisement Data for the following purposes: 1. Store and/or access information on a device that allows us to recognize the End User each time it interacts or connects with our Partner’s assets (i.e. app or website), for one or several of the purposes presented here. 2. Use limited data to select advertising such as the End User’s website or app, non-precise location, device type or the content such End User is (or has been) interacting with. 3. Create and improve End User’s profiles for presenting End-Users with more relevant advertising based on their possible interests. 4. Use the profile detailed above in order to provide End Users with personalized advertising. 5. Measure advertising performance based on the End-User’s interaction with such ad (i.e. Saw the ad, clicked etc.) which allows our partners to understand the relevance of advertising campaigns. - Deliver and present advertising and content, Certain information (like an IP address or device capabilities) is used to ensure the technical compatibility of the content or advertising, and to facilitate the transmission of the content or ad to your device. - Ensure security, prevent and detect fraud, and fix error in order to ensure that systems and processes work properly and securely. | Our legal basis for processing of the Advertisement Data is depending on the specific purpose of the processing activities: 1. Store and/or access information on a device – End User’s consent 2. Use limited data to select advertising – End User’s consent 3. Create profiles for personalized advertising – End User’s consent 4. Use profiles to select personalized advertising – End User’s consent 5. Measure advertising performance – Legitimate interest 6. Deliver and present advertising and content - Legitimate Interest 7. Ensure security, prevent and detect fraud, and fix error - Legitimate Interest When we are the controller of the Advertisement Data it is processed subject to the end users’ consent which will be provided through the applicable consent management or cookie notice. In certain aspects of our Service, we act as the “data processor” or “service provider”, in which we will rely on our Partner to obtain the necessary lawful basis for processing the end user personal data. |
Note: The table is referred to but not provided in the content. In Markdown, tables can be created with pipes and hyphens, but since it's not given, it's likely skipped.
Please note that the actual processing operation per each purpose of use and lawful basis detailed in the table above may differ. Such processing operation usually includes a set of operations made by automated means, such as collection, storage, use, disclosure by transmission, erasure, or destruction. The transfer of personal data to third-party countries, as further detailed in the Data Transfer Section, is based on the same lawful basis as stipulated in the table above.
In addition, we may use certain Personal Data to prevent potentially prohibited or illegal activities, fraud, misappropriation, infringements, identity thefts, and any other misuse of the Services and to enforce the Terms, as well as to protect the security or integrity of our databases and the Services, and to take precautions against legal liability. Such processing is based on our legitimate interests.
1.4 OUR LEGITIMATE INTEREST CLAIM (DISCLOSURE AS REQUIRED BY TCF 2.2):
In addition to the information provided in the section above, we want to take a moment to explain the legitimate interest at stake when we process End User Data, as it directly impacts the services we provide to our Partners. In most cases when we, or our partners, deliver interest-based, cross-contextual advertisements that cater to your interests and preferences, we will base the processing of Personal Data on consent, as detailed in the table above, and transfer your preference to our partners. However, when we use certain data, which includes Personal Data such as Online Identifiers, for improving the services, or technically delivering the ads, we do so based on our legitimate interest which is essential to the sustainability of our platform and services. This processing should be expected by End Users. We understand that privacy is of utmost importance, and we are committed to protecting your rights. We adhere to applicable privacy standards and regulations, provide transparent information about our data processing practices, and you have the ability to control your preferences and opt out. We want to assure you that we conduct a careful balancing test to ensure that our legitimate interest does not unduly infringe upon your rights and freedoms.
1.5 HOW WE COLLECT YOUR INFORMATION:
Depending on the nature of your interaction with us, we may collect the above-detailed information from you, as follows:
- Automatically, when you interact with our Services, including through the use of Cookies (as detailed below) and similar tracking technologies.
- When you voluntarily choose to provide us with information, such as when you contact us, all as detailed in this Policy.
- From third-parties, such as our Partners, active applications, etc.
1.6 COOKIES AND SIMILAR TECHNOLOGIES:
We use “cookies” (or similar tracking technologies) when you access and use our Services. The use of cookies is a standard industry-wide practice. A “cookie” is a small piece of information that a website assigns and stores on your computer while you are viewing a website. Cookies can be used for various purposes, including allowing you to navigate between pages efficiently, as well as for statistical purposes, analytic purposes, and marketing. You can find more information about our use of cookies here.
1.7 UNIFIED ID
When you use our Services, we may share with LiveRamp and its group companies (or other similar service providers) information that we collect from you or your device, such as your hashed email (not your true email but the hashed version of it, in pseudonymous form that will not allow anyone to retrieve it), IP address, or information about your browser or operating system, with any of the following, acting as “joint controllers” (as applicable and defined in the GDPR).
LiveRamp uses this information to create an online identification code that we may store in our first-party cookie for our use in online, in-app, and cross-channel advertising. This may be shared with advertising companies to enable interest-based and targeted advertising. LiveRamp uses this information to create an online identification code for the purpose of recognizing you on your devices. This code does not contain any of your directly identifiable personal data and will not be used by LiveRamp to re-identify you.
Detailed information on LiveRamp’s data processing activities is available in LiveRamp’s privacy policy https://liveramp.com/privacy/. You have the right to withdraw your consent or opt-out to the processing of your personal data at any time https://liveramp.com/opt_out/.
1.8 DATA SHARING – CATEGORIES OF RECIPIENTS WE SHARE PERSONAL DATA WITH:
We share your data with third parties, including our Partners or service providers that help us provide our Services. You can find here information about the categories of such third-party recipients.
| CATEGORY OF RECIPIENT | DATA THAT WILL BE SHARED | PURPOSE OF SHARING |
|---|---|---|
| Advertisers | Online Identifiers and Advertisement Data. | Enabling the Advertisers, detailed here, to display ads or content that best suit such web-page, as a part of our Services. |
| Developers | Insights on ad campaigns | As part of our Services we provide our Developers with reports that include measurements data of ads and other information on how effective the campaign is, the applicable revenues, the number of views or clicks the ad generated and where, etc. |
| Service Providers | All data | We may disclose Personal Data to our service providers, contractors and third parties, including, but not limited to, our cloud and hosting provider, analytics and marketing providers, payment processors, recruitment providers, CRM systems, Salesforce, etc. The service providers are limited by contracts which restrict their use of the data and require implementing security measures. They process the data solely to provide the needed services and are prohibited from using your Personal Data for any purposes other than providing us with requested services. |
| Any Acquirer of Our Business | All data | We may share Personal Data in the event of a corporate transaction (e.g., sale of a substantial part of our business, merger, consolidation, or asset sale). In such cases, our affiliated companies or the acquiring company will assume the rights and obligations as described in this Policy. |
| Governmental Agencies or Authorized Third Parties | Subject to law enforcement authority request. | We may disclose certain data to law enforcement, governmental agencies, or authorized third parties in response to a verified request related to terror acts, criminal investigations, alleged illegal activity, or any other activity that may expose us, you, or any other user to legal liability. Such disclosures are made solely to the extent necessary to comply with the request. |
When we share information with services providers and Partners, we ensure they only have access to such information that is strictly necessary for us to provide the Services. These parties are required to secure the data they receive and to use the data for pre-agreed purposes only while ensuring compliance with all applicable data protection regulations (such service providers may use other non-personal data for their own benefit).
1.9 DATA RETENTION:
In general, we retain the Personal Data we collect for as long as it remains necessary for the purposes set forth above, all under the applicable regulation, or until you express your preference to opt out, where applicable.
Other circumstances in which we will retain your Personal Information for longer periods of time include:
- where we are required to do so in accordance with legal, regulatory, tax, or accounting requirements,
- for us to have an accurate record of your dealings with us in the event of any complaints or challenges, or
- if we reasonably believe there is a prospect of litigation relating to your Personal Data.
Please note that except as required by applicable law, we will not be obligated to retain your data for any particular period, and we may delete it for any reason and at any time, without providing you with prior notice of our intention to do so.
1.10 SECURITY MEASURES:
We work hard to protect the Personal Data we process from unauthorized access, alteration, disclosure, or destruction. We have implemented physical, technical, and administrative security measures for the Services that comply with applicable laws and industry standards, such as encryption using SSL, minimizing the amount of data that we store on our servers, restricting access to Personal Data to Overwolf employees, contractors, and agents, etc. Note that we cannot be held responsible for unauthorized or unintended access beyond our control, and we make no warranty, express, implied, or otherwise, that we will always be able to prevent such access.
Please contact us at: dpo@overwolf.com if you feel that your privacy was not dealt with properly, in a way that was in breach of our Privacy Policy, or if you become aware of a third party's attempt to gain unauthorized access to any of your Personal Data. We will make a reasonable effort to notify you and the appropriate authorities (if required by applicable law) in the event that we discover a security incident related to your Personal Data.
1.11 INTERNATIONAL DATA TRANSFER:
Our data servers in which we host and store the information are located in the US and Ireland AWS. The Company’s HQ are based in Israel in which we may access the information stored on such servers or other systems such as the Company’s ERP, CRM, Salesforce, and other systems. In the event that we need to transfer your Personal Data out of your jurisdiction, we will take appropriate measures to ensure that your Personal Data receives an adequate level of protection as required under applicable law. Furthermore, when Personal Data that is collected within the European Economic Area (“EEA”) is transferred outside of the EEA to a country that has not received an adequacy decision from the European Commission, we will take necessary steps in order to ensure that sufficient safeguards are provided during the transferring of such Personal Data, in accordance with the provision of the standard contractual clauses approved by the European Union. Thus, we will obtain contractual commitments or assurances from the data importer to protect your Personal Information, using contractual protections that EEA and UK regulators have pre-approved to ensure your data is protected (known as standard contract clauses), or rely on adequacy decisions issued by the European Commission. Some of these assurances are well-recognized certification schemes.
1.12 USER RIGHTS
We acknowledge that different people have different privacy concerns and preferences. Our goal is to be clear about what information we collect so that you can make meaningful choices about how it is used. We allow you to exercise certain choices, rights, and controls in connection with your information. Depending on your relationship with us, your jurisdiction, and the applicable data protection laws that apply to you, you have the right to control and request certain limitations or rights to be executed.
You may exercise any or all of your above rights in relation to your Personal Data by filling out the Data Subject Request (“DSR”) by using the following link: https://support.overwolf.com/en/support/tickets/new or by sending us an e-mail to dpo@overwolf.com.
Certain rights can be easily executed independently by you without the need to fill out the DSR Form:
- You can correct the Contact Information, payment information, Partner information, or Account Information at any time, through the account settings.
- You can opt-out from receiving our emails by clicking the “unsubscribe” link.
- You can withdraw consent for processing Online Identifiers and Behavior Data, for analytics or marketing purposes, at any time by using the cookie settings on the OW Platform.
You have the right to lodge a complaint with the EU Member State supervisory authority if you are not satisfied with the way in which we handled the complaint.
For additional rights under various jurisdictions, please refer to Section 2 “JURISDICTION-SPECIFIC NOTICES” herein below.
1.13 OPT OUT OPTIONS
Interest-Based Advertising ("IBA"): We do not sell your Personal Data. We may “share” your Personal Data with third parties for personalized advertising purposes. If you wish to opt-out from the sharing of your personal data with third parties for the purpose of cross-contextual interest-based advertising, there are many ways to do so, as further detailed below. Please note that even if you opt-out, you may still see personalized ads based on information other companies and ad networks have collected about you, if you have not opted out of sharing with them.
For IBA opt-out options on desktop and mobile websites, please visit:
- Digital Advertising Alliance (US): https://www.aboutads.info/choices/
- Digital Advertising Alliance (Canada): https://youradchoices.ca/en/tools
- Digital Advertising Alliance (EU): https://www.youronlinechoices.com/
- Network Advertising Initiative: https://optout.networkadvertising.org/?c=1
Further, you can opt out through the privacy settings on our Services. Additional information on opt-out rights and means are available here (Deletion of accounts and Data) and here (Exporting Your Data).
1.14 ELIGIBILITY AND CHILDREN PRIVACY:
The Services are not intended for use by children (the phrase "child" shall mean an individual that is under the age defined by applicable law, which concerning the EEA is under the age of 16, and with respect to the US, under the age of 13), and we do not knowingly process children's information. We will discard any information we receive from a user that is considered a "child" immediately upon discovering that such a user shared information with us. Please contact us at: dpo@overwolf.com if you have reason to believe that a child has shared any information with us.
JURISDICTION-SPECIFIC NOTICES:
2.1 ADDITIONAL NOTICE TO CALIFORNIA RESIDENTS
This section applies only to California residents. Pursuant to the California Consumer Privacy Act of 2018 (“CCPA”) effective November 2020, and as amended by the CPRA, effective January 1, 2023.
Please see the CCPA Privacy Notice which discloses the categories of personal information collected, purpose of processing, source, categories of recipients with whom the personal information is shared for a business purpose, whether the personal information is sole or shared, the retention period, and how to exercise your rights as a California resident.
2.2 ADDITIONAL NOTICE TO COLORADO RESIDENTS
Under the Colorado Privacy Act (“CPA”), if you are a resident of Colorado, acting only as an individual or household context (and not in a commercial or employment context, as a job applicant or as a beneficiary of someone acting in an employment context), your rights with respect to your personal data are described below.
“Personal Data” as defined in the CPA means: “information that is linked or reasonably linkable to an identified or identifiable individual” and does not include any of the following: publicly available information, de-identified or aggregated consumer, and information excluded from the CPA scope, such as: Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPPA) or 42 CFR Part 2- “Confidentiality Of Substance Use Disorder Patient Records”, Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or and the Driver’s Privacy Protection Act of 1994, Children’s Online Policy Protection Act of 1998 (COPPA), Family Educational Rights and Privacy Act of 1974, national Security Exchange Act of 1934, higher education data, and employment data.
Sensitive Data includes (i) racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation; (ii) genetic or biometric data that can be processed to uniquely identify an individual; or (iii) child data. We do not process or collect any sensitive data.
Section 1.3 “DATA SETS WE COLLECT AND FOR WHAT PURPOSE” of the Privacy Policy describes our collection and processing of personal data, the categories of personal data that are collected or processed, and the purposes. Additionally, in Section 1.7 “DATA SHARING – CATEGORIES OF RECIPIENTS WE SHARE PERSONAL DATA WITH” details the categories of third parties the controller shares with for business purposes.
2.2.1 YOUR RIGHTS UNDER CPA:
Herein below, we will detail how consumers can exercise their rights, and appeal such decisions, or if Overwolf sells the personal data, or sells the personal data for advertising and how to opt-out.
| Right to Access/ Right to Know | You have the right to confirm whether and know the Personal Data we collected on you | You can exercise your right by reviewing this Privacy Policy, in case you would like to receive the Personal Data please file your request by using the following link: https://support.overwolf.com/en/support/tickets/new or by sending us an e-mail to dpo@overwolf.com to receive a copy of your data |
| Right to Correction | You have the right to correct inaccuracies in your Personal Data, taking into account the nature of the Personal Data and the purposes of the processing of your Personal Data. | You can exercise this right directly through your account, by filling a request using the following link: https://support.overwolf.com/en/support/tickets/new or by sending us an e-mail to dpo@overwolf.com. |
| Right to Deletion | You have the right to delete the Personal Data, this right is not absolute and in certain circumstances we may deny such request. We may deny your deletion request, in full or in part, if retaining the information is necessary for us or our service provider(s) for any of the following reasons: (1) Complete the transaction for which we collected the Personal Data, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, or otherwise perform our contract with you; (2) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities; (3) Debug products to identify and repair errors that impair existing intended functionality; (4) Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law; (5) Comply with the law or legal obligation; (6) Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent; (7) Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us; (8) Make other internal and lawful uses of that information that are compatible with the context in which you provided it. We will delete or de-identify personal information not subject to one of these exceptions from our records and will direct our processors to take similar action. | If you would like to delete your Personal Data please file your request by using the following link: https://support.overwolf.com/en/support/tickets/new or by sending us an e-mail to dpo@overwolf.com. You do not need to create an account with us to submit a request to know or delete. |
| Right to Portability | You have the right to obtain the personal data in a portable, and to the extent technically feasible, readily usable format that allows you to transmit the data to another entity without hindrance. | If you would like to receive the Personal Data please file your request by using the following link: https://support.overwolf.com/en/support/tickets/new or by sending us an e-mail to dpo@overwolf.com to receive a copy of your data. We will select a format to provide your Personal Data that is readily usable and should allow you to transmit the information from one entity to another entity without hindrance. |
| Right to opt out from selling Personal Data | You have the right to opt out of the sale of your Personal Data for the purposes of targeted advertising, sale to a third party for monetary gain, or for profiling in furtherance of decisions that produce legal or similarly significant effects concerning you or any other consumer. You may authorize another person acting on your behalf to opt out, including by broad technical tools, such as DAA, NAI, etc. | Overwolf does not sell your personal information, so we do not offer an opt out. We may “share” personal information with third parties for personalized advertising purposes. You may indicate your choice to opt-out of the sharing of your personal data with third parties for personalized advertising on third party sites as detailed in Section 1.13 OPT OUT OPTIONS. To opt out from the use of cookies on our website, please click the “do not sell or share my personal information” in the footer of the website which will enable you to customize the use of cookies on our website. |
| Right to opt out from Targeted Advertising | ||
| Right to opt out from Profiling | We do not profile you, thus we do not need to provide an opt-out. | |
| Right to Appeal | If we decline to take action on your request, we shall so inform you without undue delay, within 45 days of receipt of your request. The notification will include a justification for declining to take action and instructions on how you may appeal. If we deny the appeal, you may contact the Colorado Attorney General using this link: https://coag.gov/office-sections/consumer-protection/ or (720) 508-6000. | Not more than 60 days after receipt of an appeal we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reason for the decisions. |
| Duty not to violet the existing laws against discrimination or non-discrimination | Such discrimination may include denying a good or service, providing a different level or quality of service, or charging different prices. | We do not discriminate our users. |
2.2.2 HOW TO SUBMIT A REQUEST UNDER CPA?
Only you, or someone legally authorized to act on your behalf, may make a request to know or delete related to your Personal Data. If the DSR is submitted by someone other than the consumer about whom information is being requested, proof of authorization (such as power of attorney or probate documents) will be required.
We will respond to your request within 45 days after receipt of a verifiable Consumer Request and for no more than twice in a twelve-month period. We reserve the right to extend the response time by an additional 45 days when reasonably necessary and provided consumer notification of the extension is made within the first 45 days. If we refuse to take action on a request, you may appeal our decision within a reasonable period by contacting us at dpo@overwolf.com and specifying your wish to appeal. Within 60 days of our receipt of your appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, you may submit a complaint as follows: Colorado AG at https://coag.gov/file-complaint/.
If you have an account with us, we may deliver our written response to that account or via email at our sole discretion. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. You do not need to create an account for submitting a request.
Any disclosures we provide will only cover the 12-month period preceding our receipt of your request. The response we provide will also explain the reasons we cannot comply with a request, if applicable.
2.3 ADDITIONAL NOTICE TO VIRGINIA RESIDENTS
Under the Virginia Consumer Data Protection Act, as amended (“VCDPA”), if you are a resident of Virginia acting in an individual or household context (and not in an employment or commercial context), you have the following rights with respect to your Personal Data.
"Personal data" means any information that is linked or reasonably linkable to an identified or identifiable natural person. "Personal data" does not include de-identified data or publicly available information. Personal Data does not include de-identified data or publicly available data, and information excluded from the scope such as: HIPAA, GBPA, non-profit entities, higher education, employment data, and FCRA, Driver's Privacy Protection Act of 1994, Family Educational Rights and Privacy Act, Farm Credit Act.
The VCDPA requires Overwolf to disclose the categories of data processing and the purpose of each category, as detailed in Section 1.3 “DATA SETS WE COLLECT AND FOR WHAT PURPOSE” of the Privacy Policy, the categories of data shared, and the third parties with whom it is shared, as detailed in Section 1.8 “DATA SHARING – CATEGORIES OF RECIPIENTS WE SHARE PERSONAL DATA WITH”. Disclosure of sale of data or targeted advertising is detailed in Section 1.12 OPT OUT OPTIONS above. Further, the table above under Section 2.2 “ADDITIONAL NOTICE TO COLORADO RESIDENTS” details the rights you have under VCDPA and how you may exercise your rights.
2.3.1 HOW TO SUBMIT AN APPEAL UNDER VCDPA?
We shall respond to your request within 45 days of receipt. We reserve the right to extend the response time by an additional 45 days when reasonably necessary and provided consumer notification of the extension is made within the first 45 days. If we refuse to take action on a request, you may appeal our decision within a reasonable period by contacting us at dpo@overwolf.com and specifying your wish to appeal. Within 60 days of our receipt of your appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, you may submit a complaint to the Virginia Attorney General at https://www.oag.state.va.us/consumercomplaintform.
We shall provide information in response to your request free of charge, up to twice annually, unless requests are manifestly unfounded, excessive, or repetitive. If we are unable to authenticate your request using commercially reasonable efforts, we may request additional information reasonably necessary to authenticate you and your request. If we cannot authenticate you and your request, we will not be able to grant your request.
2.4 ADDITIONAL NOTICE TO CONNECTICUT RESIDENTS
Under the Connecticut Data Privacy Act, Public Act No. 22-14 (the “CDPA”), if you are a resident of Connecticut, acting in an individual or household context (and not in a commercial or employment context or as a representative of a business, non-profit, or governmental entity), your rights with respect to your personal data are described below.
"Personal data" means any information that is linked or reasonably linkable to an identified or identifiable individual. It does not include de-identified data or publicly available information. It further does not include information excluded from the scope such as: HIPAA, GBPA, non-profit entities, higher education, employment data, and FCRA, Driver's Privacy Protection Act of 1994, Family Educational Rights and Privacy Act, Farm Credit Act.
The categories of personal data processed, purpose of processing, are detailed in Section 1.3 “DATA SETS WE COLLECT AND FOR WHAT PURPOSE”, categories of personal data shared with third parties, and categories of third parties with whom data is shared, are detailed in Section 1.7 “DATA SHARING – CATEGORIES OF RECIPIENTS WE SHARE PERSONAL DATA WITH”. Disclosure of sale of data or targeted advertising is detailed in Section 1.12 OPT OUT OPTIONS above.
Instructions on how to exercise your rights are detailed in the table above under Section 2.2 “ADDITIONAL NOTICE TO COLORADO RESIDENTS” which details the rights you have under CDPA and how you may exercise your rights.
2.4.1 HOW TO SUBMIT AN APPEAL UNDER CDPA?
We shall respond to your request within 45 days of receipt. The response period may be extended once by an additional 45 days when reasonably necessary, taking into account the complexity and number of requests, and we will inform you of such extension within the initial 45-day response period, together with the reason for the extension.
If we decline to take action on your request, we shall inform you without undue delay, within 45 days of receipt of your request. The notification will include a justification for declining to take action and instructions on how you may appeal. Within 60 days of our receipt of your appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, you may submit a complaint to the Connecticut Attorney General at https://www.dir.ct.gov/ag/complaint/ or (860) 808-5318.
We shall provide information in response to your request free of charge, up to twice annually, unless requests are manifestly unfounded, excessive, or repetitive. If we are unable to authenticate your request using commercially reasonable efforts, we may request additional information reasonably necessary to authenticate you and your request. If we cannot authenticate you and your request, we will not be able to grant your request.
2.5 ADDITIONAL NOTICE TO UTAH RESIDENTS (effective January 2024)
Under the Utah Consumer Privacy Act (the “UCPA”), if you are a resident of Utah, acting in an individual or household context (and not in a commercial or employment context), your rights with respect to your personal data are described below. “Personal Data" refers to data that is linked or reasonably linkable to an identifiable individual, and does not include de-identified data and publicly available data.
The categories of personal data processed, purpose of processing, are detailed in Section 1.3 “DATA SETS WE COLLECT AND FOR WHAT PURPOSE”, categories of personal data shared with third parties, and categories of third parties with whom data is shared, are detailed in Section 1.7 “DATA SHARING – CATEGORIES OF RECIPIENTS WE SHARE PERSONAL DATA WITH”. Disclosure of sale of data or targeted advertising is detailed in Section 1.12 OPT OUT OPTIONS above.
Further, the table above under Section 2.2 “ADDITIONAL NOTICE TO COLORADO RESIDENTS” details the rights you have under CDPA and how you may exercise your rights.
2.6 NOTICE TO NEVADA RESIDENTS
Nevada law allows Nevada residents to opt out of the sale of certain types of personal information. Subject to several exceptions, Nevada law defines “sale” to mean the exchange of certain types of personal information for monetary consideration to another person. We currently do not sell personal information as defined in Nevada law. However, if you are a Nevada resident, you still may submit a verified request to opt out of sales, and we will record your instructions and incorporate them in the future if our policy changes. You may send opt-out requests to dpo@overwolf.com.