We, SlinDev GmbH ("SlinDev", "we", "us"), would like to inform you about our processing of your personal data in accordance with the General Data Protection Regulation ("GDPR").

Our privacy policy is modular in structure. It consists of General Notices for any processing of personal data and processing situations (I.) and Special Notices, the content of which refers only to the processing situation indicated therein (II. - VI.). To find the parts relevant to you, please refer to the following structure:

I. General Notices

  1. Responsible Party
    The responsible party in the sense of the GDPR and other national data protection laws of the member states as well as other data protection provisions is:
    SlinDev GmbH
    Waldingstraße 2
    22391 Hamburg
    Email: [email protected]
    Website: www.slindev.com

  2. Legal Bases for the Processing of Personal Data
    We process some of your personal data on the basis of the following legal grounds:
    1. Consent of the Data Subject
      Insofar as we obtain the consent of the data subject for certain purposes, Art. 6(1)(a) of the GDPR is the legal basis.
    2. Fulfillment of Contractual Obligations
      Insofar as processing is necessary for the performance of a contract to which you are a party, Art. 6(1)(b) of the GDPR is the legal basis. This also applies to processing operations necessary for the performance of pre-contractual measures.
    3. Legal Requirements and Obligations
      Insofar as processing is necessary for compliance with a legal obligation to which we are subject, Art. 6(1)(c) of the GDPR is the legal basis.
    4. Protection of Legitimate Interests
      Insofar as processing is necessary for the protection of our legitimate interests or those of a third party and your interests, fundamental rights, and freedoms do not override the aforementioned interest, Art. 6(1)(f) of the GDPR is the legal basis.

  3. Retention and Deletion of Personal Data
    Personal data will be deleted or locked as soon as there is no longer a purpose or legal basis for processing.

  4. Recipients of Personal Data
    Internally, only those departments process personal data that require it for the fulfillment of their processing purposes. This also applies to the processors, service providers, and agents employed by us. All departments and individuals working with personal data are bound by data secrecy and have been instructed on the sensitive handling of such data.

    Personal data is only disclosed to third parties if this is in accordance with data protection regulations. In particular, individuals employed for the execution of our business operations (e.g., banks, tax advisors, service providers for computer and IT services) as well as state authorities/agencies may receive your personal data, as far as this is necessary for the fulfillment of a legal obligation.

  5. Data Processing in Third Countries
    Our services sometimes require the processing of personal data in countries outside the EU/EEA ("third countries") by our processors. In cases where personal data is processed and no data protection level equivalent to European standards exists in the country, which has not been confirmed by an adequacy decision pursuant to Art. 45(3) GDPR by the EU Commission, we have established appropriate guarantees in the sense of Art. 46 GDPR with the affected processors by concluding EU standard contractual clauses. A copy of the EU standard contractual clauses can be found here: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN. Where data processing in a third country occurs, we will point this out in the following.

  6. Rights of the Data Subject
    If your personal data is being processed, you are a data subject within the meaning of the GDPR, and you have the following rights against us as the controller:
    1. Right to Access
      According to Art. 15 of the GDPR, you have the right to request information about the personal data processed by us. Specifically, you can...
      • Information about the purposes of processing,
      • the category of data,
      • the categories of recipients to whom your data has been or will be disclosed, including information if the personal data is transferred to a third country or an international organization (in this context, you can request to be informed about the appropriate guarantees according to Art. 46 GDPR),
      • the planned duration of storage,
      • the existence of a right to rectification, erasure, restriction of processing, or objection,
      • the existence of a right to lodge a complaint, the source of your data if they were not collected from us,
      • as well as information on the existence of automated decision-making including profiling according to Art. 22(1) and Art. 22(4) GDPR and – at least in these cases – meaningful information about the involved logic, as well as the significance and the envisaged consequences of such processing for the data subject.
    2. Right to Rectification
      According to Art. 16 of the GDPR, you have the right to have your personal data corrected and/or completed if it is inaccurate or incomplete. We must make the correction without undue delay.
    3. Right to Restriction of Processing
      According to Art. 18 of the GDPR, you have the right to request the restriction of processing of your data, as long as the accuracy of the data is contested by you or the processing is unlawful.
      If the processing has been restricted, you will be informed by us before the restriction is lifted.
    4. Right to Erasure
      According to Art. 17 of the GDPR, you have the right to the erasure of your personal data, provided that the processing is not necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise or defense of legal claims.
    5. Right to Notification
      If you have asserted the right to rectification, erasure, or restriction of processing against us, we are obligated to communicate the rectification, erasure of personal data, or restriction of processing to all recipients to whom the personal data have been disclosed, unless this proves to be impossible or involves disproportionate effort.
    6. Right to Data Portability
      According to Art. 20 of the GDPR, you have the right to receive your personal data that you have provided to us in a structured, commonly used, and machine-readable format, or to request the transmission of that data to another controller.
    7. Right to Object
      According to Art. 21 of the GDPR, you have the right to object to the processing if it is carried out on the basis of Art. 6(1) (e) or (f) of the GDPR.
    8. Right to Withdraw Consent
      According to Art. 7(3) of the GDPR, you have the right to withdraw your consent to the processing of personal data at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
    9. Right to Lodge a Complaint with a Supervisory Authority
      According to Art. 77 of the GDPR, you have the right to lodge a complaint with a data protection supervisory authority about our processing of your personal data.

II. Supplementary Notices for Data Processing When Visiting the Website

We are responsible for our websites www.slindev.com, www.grabvr.com and www.grabvr.quest as well as their subpages ("Website"). By using our websites, personal data is processed. Below, we provide detailed information about the data processing activities that take place.

  1. Provision of the Website and Creation of Log Files
    When accessing our websites, we automatically collect data and information from the user's end device (known as log files).

    Data Processors
    To provide our websites, we use the data processors Cloudflare, Inc. (101 Townsend St., San Francisco, CA 94107, USA) and Linode LLC (249 Arch St. Philadelphia, PA 19106, USA), with whom we have each concluded a data processing agreement. This agreement ensures that personal data is processed exclusively on our behalf. Cloudflare and Linode offer sufficient guarantees in terms of Art. 46 ff. GDPR by concluding EU standard contractual clauses and by registering in the EU/US Data Privacy Framework.

    Processed Information & Duration of Processing
    The following information is processed during website visits:

    • Information about the browser type and version used
    • The operating system of the end device
    • The user's Internet service provider
    • The IP address of the end device
    • Date and time of access

    The log files are deleted at the latest within seven days.

    Purpose of Processing & Legal Basis
    The data is required for displaying the web pages on the user's end device, ensuring its functionality, and analyzing any malfunctions. Additionally, the data helps us in optimizing the web pages and ensuring the security of our information technology systems.

    The legal basis is Art. 6(1)(f) GDPR. The collection of log files is essential for the operation of the websites. Consequently, there is no option for the user to object to this data collection.


  2. Online Presences in Social Media
    We maintain online presences within social networks and platforms to communicate with active customers, prospects, and users there and to inform them about our services.

    We have set up a link to the Facebook website, operated by Meta Platforms Ireland Ltd., 4 Grand Canal Square Grand Canal Harbour, Dublin 2, Ireland ("Facebook"). No further data exchange with Facebook occurs on our site.

    We have set up a link to the GitHub website, operated by GitHub, Inc., 88 Colin P Kelly Jr St, San Francisco, CA 94107 ("GitHub"). No further data exchange with GitHub occurs on our site.

    We have set up a link to the website of X (formerly "Twitter"), operated by Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland ("X"). No further data exchange with X occurs on our site.

    We have set up a link to the "feedly" website, operated by feedly, Inc., 285 Hamilton Avenue, Suite 250, Palo Alto CA 94301, USA ("feedly"). No further data exchange with feedly occurs on our site.

    When accessing the respective networks and platforms, the terms and conditions and the data processing guidelines of the respective operators apply. Unless otherwise stated in our privacy notices, we process users' data if they communicate with us within the social networks and platforms, e.g., by writing posts on our online presences or sending us messages.


III. Supplementary Notices for Users of the Game “GRAB”

We are responsible for the services accessible through our native app "GRAB" (hereafter referred to as "App"). By using these services, personal data is processed. Below, we provide detailed information about the data processing activities that take place.

  1. Data Processors
    To provide our services, we use the services of our processors listed below, with whom we have each concluded a data processing agreement that ensures personal data is processed exclusively on our behalf.
    • Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA ("Cloudflare"). Cloudflare provides sufficient guarantees according to Art. 46 ff. GDPR by concluding EU standard contractual clauses and by registering in the EU/US Data Privacy Framework.
    • Epic Games, Inc., 620 Crossroads Blvd., Cary, NC 27518, USA ("Epic Games"). Epic Games provides sufficient guarantees according to Art. 46 ff. GDPR by concluding EU standard contractual clauses.
    • Modulate, Inc., 212 Elm St., Suite 300, Somerville, MA 02144 (“Modulate”). Modulate provides sufficient guarantees according to Art. 46 ff. GDPR by concluding EU standard contractual clauses.

  2. Processed Data
    The registration required for the use of our services is generally carried out via the respective platform (especially Meta, Steam, SideQuest, Pico) through which the user can obtain our app. The following personal data are processed by us as the controller for the app during the use of the app:

    • Player profiles consisting of:

      • Player name (public)
      • Player ID on the respective platform (Steam, Meta, Pico) (internal)
      • Player ID (public)
      • List of levels created by the player (public)
      • List of favorited levels (accessible only to the player themselves)
      • List of purchased items (accessible only to the player themselves)
      • Active player colors and selected items to display to other players (public)
      • Current and previous warnings and bans (if existent), consisting of the time, duration, and nature of the violation (internal, but a current ban is public without further details)
      • Number of previous violations (internal)
      • The players role (giving additional permissions) within the game and related services (e.g. moderator) (public)
      • Access token, valid for 1 hour, authenticating the player in the backend (accessible only to the player themselves)

    • Leaderboard for each level:

      • Player name (public)
      • Player ID (public)
      • Player's best time in the level (public)

    • Level statistics for each level:

      • Player ID (internal)
      • Player's best time in the level (internal)
      • Information on whether the player has reached the end of the level or not (internal)
      • Information on whether the player liked the level or not (players are asked at the end of the level) (internal)

    • Moderation:

      • Reporting player's ID (internal)
      • Reported player's or level's ID (internal)
      • Time of the report (internal)

    • Rate Limiting and DDOS Protection:

      • IP address (internal)

    • Multiplayer:

      • Player ID on the respective platform (Steam, Meta, Pico) (internal)
      • Player ID in Epic's system (public)
      • Player's IP address to connect players with each other (public)
      • Game data is encrypted and exchanged directly between players, partially via servers from Epic Games.

    • Voice chat:

      • Voice is encrypted and transmitted between players, but not stored except for possibly brief caching

    • Game data is processed by each player multiple times per second, but not permanently stored, or only stored on the players' devices and only until the game ends:

      • Player head positions
      • Player hand positions
      • Player's position in the game
      • Player name
      • Player ID assigned by Epic Games
      • Player ID assigned by GRAB
      • Interactions
      • Language

    • Modulate - ToxMod (voice moderation):

      • Voice recordings are immediately deleted if no possible violation was detected. Otherwise, data is stored for up to 2 months. In a few cases, voice with anonymized metadata is stored and used for AI training purposes.
      • Player ID
      • Player ID in the ToxMod system
      • Rough location of the player
      • Player's language
      • AI estimation of the player's age and gender (for the purpose of assessing and mitigating the risk of gender- or age-specific offenses such as grooming)
      • Type and number of the player's violations
      • AI estimates of the nature of the violation, mood and emphasis of words
      • Context of the violation: language from other players before and after the violation, and the IDs of all who could have heard the violation
      • Transcript of the voice recordings

    The purpose of the processing is to provide our contractually owed services to users. The legal basis for the processing is the user contract; Art. 6(1)(b) GDPR. The data is processed for the duration of the user contract, unless there is a purpose and a legal basis for storage beyond this period. This includes statutory retention periods (Art. 6(1)(c) GDPR) as well as storage for the assertion or defense of civil claims based on overriding legitimate interests (Art. 6(1)(f) GDPR).

  3. Analytics
    We process data within the game for the purpose of creating analyses and reports about our business activities. The following personal data is processed when using the app:

    • General statistics on various interactions with the backend:

      • Player ID (internal)
      • Time of action (internal)
      • Type of interaction: level published, level updated, item purchased, player logged in, level played, level ended, new player created (internal)

    • General statistics on player behavior in the game:

      • Player ID (internal)
      • Time of action (internal)
      • Type of interaction: button pressed, tutorial started, respawned, checkpoint placed, and other similar things (internal)
      • Context of interaction, for example "first play" if it is the first time a player is playing GRAB (internal)
      • Additional information for interaction, for example "lava" if the user respawned due to touching lava (internal)

    • General statistics:

      • Number of active servers
      • Number of current players
      • Location of players based on IP address

    We use these statistical data exclusively for the purposes of game optimization and error detection. The analysis is not used for other purposes such as marketing campaigns or similar activities. The personal data processed in this context will be deleted after three months.

    The generation of statistical information is based on our overriding legitimate interest in evaluating and assessing our game, Art. 6(1)(f) GDPR.

    For the analysis, we use the processors Cloudflare, Epic Games, and Modulate.


IV. Supplementary Notices for Communication with Us

The following notices apply to any communication with us.

If the communication occurs within a contractual relationship or another contractual arrangement, the data processing is also governed by the supplementary notices under V.

If the communication aims at an application with us, the data processing is also governed by the supplementary notices under VI.

  • You can contact us by phone, email, or other means.

    • Processed Information & Duration of Processing
      In addition to your contact details such as phone number or email address, we process the personal data that you provide to us during the communication process.

      The data will be deleted – unless there is another reason for processing – as soon as the matter has been resolved with you.

    • Purpose of Processing & Legal Basis
      The personal data is processed exclusively for the purpose of handling the inquiry and in case of follow-up questions.

      If the communication is aimed at concluding a contract, then the legal basis for processing is Art. 6(1)(b) GDPR.

      In all other cases, Art. 6(1)(f) GDPR is the legal basis. Your interest does not outweigh our interest in responding to your inquiry; since you have contacted us, a response is also in your interest, and you are aware that we need to process your personal data to respond to your inquiry.


V. Supplementary Notices for Contract Partners

Additionally, the following notices apply to you if we are in a contractual relationship.

  • Processed Information & Duration of Processing
    The specific data processed about you depends on the tasks within the contractual relationship. We use personal information exclusively for the purpose for which it was provided to us. These may include personal details (name, address, and other contact details, date and place of birth). In addition, this may also include order data (e.g., payment order), data from the fulfillment of our contractual obligations (e.g., sales data in payment transactions), information about your financial situation (e.g., creditworthiness data), advertising and sales data, and other data comparable to the categories mentioned.

    The personal data will be deleted as soon as the contractual relationship with you has ended and there is no other reason for further processing.

  • Purpose of Processing & Legal Basis
    The processing is mainly for the purpose of establishing and executing the contractual relationship; the legal basis is Art. 6(1)(b) GDPR.

    In addition, we also process your data partly due to our legitimate interest, namely for the purposes of contact and communication management, economic efficiency controls, contract and project management, and ensuring the operation of information and telecommunication systems. The legal basis is Art. 6(1)(f) GDPR.

    Furthermore, as a company, we are bound by various legal obligations that must be fulfilled based on applicable laws and regulations. The legal basis for processing to fulfill legal requirements and obligations is Art. 6(1)(c) GDPR. This includes, among other things, tax-related retention obligations.


VI. Supplementary Notices for Applicants

Additionally, the following notices apply to you if you apply for a position with us.

  • Processed Information & Duration of Processing
    We process the personal data that we receive from you through your application.

    The personal data will be deleted after six months if no employment relationship is established. If an employment relationship is established, the data will be further processed for this purpose.

  • Purpose of Processing & Legal Basis
    We collect and process the personal data of applicants for the purpose of handling the application process.

    The legal basis for processing personal data is § 26 BDSG (German Federal Data Protection Act). If we conclude an employment contract with you, the transmitted data will be further processed for the purpose of handling the employment relationship; in this case, the legal basis remains § 26 BDSG in particular.

    If no employment contract is concluded, the application documents will be deleted unless such deletion is opposed by any other legitimate interests of the controller. Another legitimate interest in this sense could be, for example, the obligation to provide evidence in a procedure under the German General Equal Treatment Act (AGG).