I installed new droid version and got screen with new terms of game use.
This terms are not compliant with all privacy laws that I know including US, Europe (GDPR), China and Israel.

The purposes of my data use are wrote in complex language. All purposes are united in one "accept/discard" item.
And more, more, more...
All these contradict with laws!!!

I installed new droid version and got screen with new terms of game use.
This terms are not compliant with all privacy laws that I know including US, Europe (GDPR), China and Israel.

The purposes of my data use are wrote in complex language. All purposes are united in one "accept/discard" item.
And more, more, more...
All these contradict with laws!!!


You’re 12 days to early to complain about that one

Edit: GDPR that is

Breaking The law, breaking the law.

Breaking The law, breaking the law.

Thanks, stuck in my head now, lol.

Why do deca need full rights to call, to my contacts, to my picture ...

Why do deca need full rights to call, to my contacts, to my picture ...

Exactly! They break your rights!

Why do deca need full rights to call, to my contacts, to my picture ...


Most companies who seek contact info, phone, pictures; do so too spam you and them.....

Some very unscrupulous companies sell your data on the dark web.....

It seems like I quit at the right time.

Hi guys!

There seem to be some confusion around all this topic. The permission pop-up on Android is a different thing from the new policy window. One is required for the apps to use Android devices, while the second is a simple text explaining to all of you what is happening with your data on our servers.

Android permissions tend to look scary as they are worded in a strange way. For example, you will get a pop-up asking you to authorize the app to access contacts, but his function covers several permissions:

CONTACTS

READ_CONTACTS
WRITE_CONTACTS
GET_ACCOUNTS

In this specific case, this permission will allow us to read, write and access accounts. We only use the get_accounts function as this is a necessary step for accessing your Facebook account and generating a profile (in case Facebook can no longer be accessed) if a player wishes to use this login method.

Similarly, phone access gives the following permissions:

PHONE

READ_PHONE_STATE
READ_PHONE_NUMBERS
CALL_PHONE
ANSWER_PHONE_CALLS
READ_CALL_LOG
WRITE_CALL_LOG
ADD_VOICEMAIL
USE_SIP
PROCESS_OUTGOING_CALLS

The most important for us here is to read the phone state. For example, collecting data if you're using WiFi or Mobile networks, or collecting the device type, etc...

You can view how Android permissions function at the following link: https://developer.android.com/guide/topics/permissions/overview

I hope this clarifies the topic :)


Karrazz

Thank you, Karrazz, for clarification.
You differentiate exactly but GDPR requires strongly to obtain consent for use and processing of personal data. GDPR requires full transparency as well. Therefore, we expect to see explicit purpose of our data collection, processing and use.
Privacy policy does not cover all these requirements.
In addition, don't forget about data transfer out of EU. You need to obtain consent for such transfer as well and provide target country and purpose of the transfer.

There should be no data collection at all in a game.

Hey guys!

There's a big difference between personal data and standard data. Let me explain what we're talking about here:

@WBS: All games will log a certain amount of data, and that's perfectly normal. Without those data, publishers/developers wouldn't be able to provide you with better games over the time.
For example, a lot of games will have flags all over the progression. They will count the amount of times a specific quest was started and completed. This gives them an idea of how successful the quest was.

Now when we're speaking about data collection, most companies will collect a certain amount of data. The most classic one is the operating system of the user. Knowing if you're playing on Android or iOS, if you have windows 8 or 10. This is very useful for companies to know how many people are using which, and providing updates and fixes for their playerbase.

@Annihilator2: That's where we introduce the difference with Personal Data. Personal Data is basically any type of Data that would somehow relate to your identity as a person, or ordered along with such Data. For example, when you signup for a new game, in most cases they would ask for a username and an email. While the Username (pseudo) is not considered personal, the fact that it is ordered in the database along with your email, it becomes part of your personal data.

As mentioned in the Privacy Update, we basically collect user IDs (like your Google ID/Device ID), IP address (which gives us a rough idea of the location and allows you to connect to online services), and keep track of payment information (transaction IDs). The only time we really collect an identifiable information would be if a user connects through Facebook. The game will then log your Facebook name and gender and use these information to fill a virtual form. All these are necessary steps for us to link accounts/save files to our database and make sure you that what you see in game is your current progress (as in seeing your items, buildings, etc).

In the case of third country transfer, this is a very specific article that also includes transfer to international organisations. In the case of Modern War, the Controller is GREE. GREE has the right to pass the data to Processors, which is not a data transfer as the Processor is processing data on behalf of the controller (contract). Note: processors are still required to be compliant ;)


Karrazz

Gree still own this bag of **** ?
I do not belive you, there are no need to have full control on a phone. If you do not use it.

Hi @solper,

Indeed, GREE remains the owner (we're currently using GREE's forums to discuss this :) )

For permissions, it's a bit more complexe than that. This is how it is designed on Google's side. If we need access to the phone state, we would need the Phone permission which includes all the above permissions. Should you download an app that meddles with your phone calls, it will require the same set of permissions.

That's just how Android was built.

Google only has a handful of permissions, but it includes most functions for your phone. Here's the global list:

CALENDAR
CAMERA
CONTACTS
LOCATION
MICROPHONE
PHONE
SENSORS
SMS
STORAGE

In the case of Modern War, we only use Contacts, Storage and Phone.

If you only need read permissions, why not use READ_CONTACTS?
Does not CONTACTS give rights to CREATE, READ, UPGRADE and DELETE. But I am not a phone developer :)

To read contacts information we will need access to the CONTACTS permission group. This will in turn prompt you with the standard android message "Allow Modern War to access your contacts", which is exactly the same message as if I requested the WRITE_CONTACTS permission.

https://i.gyazo.com/ce8068f45b174b1a79d256c7e01fd15d.png

Regarding GDPR.

Do you store GameCentre/Google Play ID (as that's an email)?
Do you link IOS to Android, thus linking potential personal details?
When someone raises a ticket/issue, this has to be done via email, and can also be enriched with more details via the online portal. Are these emails associated with the accounts?
How long do you store customer emails?
When you read a players contacts do you at any stage save any of the information down?
If a player decides to quit, can you advise how they can go about wiping their account.. Futher more can you advise are we can ensure all personal details are erased ..including archived emails?

Also I was on the beta program. Are Gree also storing archived details of people in that program?

Hi @OlapDev,

I'll try to answer the best I can to your questions:

Do you store GameCentre/Google Play ID (as that's an email)?
No. All Google and Apple IDs are saved as a 8 to 9 digit ID. Only Google/Apple are able to tell which email is associated to the account. We use this ID to link your in game account to your device's account in order to allow you to retrieve your game details on any device connected with those Apple/Google accounts.

Do you link IOS to Android, thus linking potential personal details?
Accounts have a history of devices used. While we do not link personal details, we log the device model, OS version, and last time used. This is important for us as some of the account data (database stored) are stored differently if it's iOS or Android.

When someone raises a ticket/issue, this has to be done via email, and can also be enriched with more details via the online portal. Are these emails associated with the accounts?
How long do you store customer emails?
Customer service uses a tool (Zendesk) that is not directly connected to the game database. On the other hand, when an email is sent via the game, it will extract a small set of data for the costumer service to directly investigate the account before providing an appropriate answer. On the other hand, if you send a ticket manually by email, this extraction does not occur.

Also, all emails are kept saved in order to keep history of services provided, issues encountered. This is necessary for us to review and improve our service's quality.

The information logged are the following:
Timestamp (Time at which the information was logged)
Player Name
Player ID (your in game ID)
Game Center ID/Google Play ID
Guild ID
Device ID
Device Model
Account Creation Date
Client Name
Client Version
Client Build
Game Data Version
Client Properties
Server Properties


When you read a players contacts do you at any stage save any of the information down?
The only times where we need to read contacts is when a player decides to uses his Facebook account to login. In that case, the game will log:
- Gender
- Facebook ID
- Facebook Username
- Timezone

The information are used to fill a virtual form and create an ingame account to link to.

If a player decides to quit, can you advise how they can go about wiping their account.. Futher more can you advise are we can ensure all personal details are erased ..including archived emails?
All players have the right to request for disclosure, correction or deletion of their personal information (among others). If a player wants to express any of these rights, all they need to do is contact the customer service while explaining their demand. Their ticket will be forwarded to the right people and we will comply with the request without delays.
If you simply wish to stop the collection of data, all you need to do is uninstall the app from your device.

Also I was on the beta program. Are Gree also storing archived details of people in that program?
Regarding requests for specific personal information collected in the past, it is best to contact the Data Protection Officer or Controller. Please find bellow both details:

Data Protection Officer
GREE, Inc.
Roppongi Hills Mori Tower, 6-10-1 Roppongi, Minato-ku,
Tokyo,
Japan
dpo@gree.net

Controller of your personal information and its contact
Funzio Games, Inc.
Roppongi Hills Tower, 6-10-1 Roppongi Minato-ku,
Tokyo, 106-6112 Japan
https://games.gree-support.net/hc/en-us


I hope this clarifies your questions!


Karrazz

Controller of your personal information and its contact
Funzio Games, Inc.
Roppongi Hills Tower, 6-10-1 Roppongi Minato-ku,
Tokyo, 106-6112 Japan
https://games.gree-support.net/hc/en-us

How can that be?
Funzio was subsumed into Gree.
Funzio ceased to exist upon its acquisition by Gree, insofar as US authorities say


https://techcrunch.com/2012/05/08/funzio-was-making-5m-in-sales-per-month-when-it-sold-to-gree-for-210m/

Funzio Games was indeed purchased by GREE a while back. The Funzio games are now handled by the Funzio team at GREE.

The information given above are points of contacts at GREE regarding data protection officers and the current data controller.

I am not sure if Gree are having a final laugh with their approach to GDPR, the only privacy information available before downloading the game is a privacy link in the store - this takes you to the Gree Corporation website, I had to search for the privacy policy (bottom of their website and updated a few days ago) and it looks like they access everything and share with everyone LOL...

https://corp.gree.net/jp/en/privacy/


Some interesting points from the policy:

The Company collects Information from Information Providers in the following circumstances:

- When joining and/or registering for the Services.

- When creating or editing a profile page in the Services.

- When Users use the Services (including clicking buttons, downloading applications or opening links).

- When contacting the Company's support services or when inquiring about job opportunities.

- When registering with the Company's developer centre to develop applications.

- Through Information Providers' Internet browser history information folder at preset intervals set on Information Providers' Internet browser.

- Through web browser cookies.


At the time of registration, the Company may collect, in addition to the Information obtained at the time of Guest User registration, the following Information: name, sex, nickname, email address, password, date of birth and other membership Information.

In addition, the Company may collect the Information contained in or available on friend invitations, diaries, communities, message boards, profile photographs, other photographs, User mail, and User's short comments.

The Company may also collect IP addresses, the kind of devices being used, the language setting of those devices, the kind, versions and access history of browsers being used, and the versions of applications being used.

The Company may also collect Information related to such Users' behaviour such as which advertisement is displayed to such Users, and clicks on or installs of such advertisements or purchase history in Applications. The Information will enable the Company to analyse Users' preferences but will not identify individuals.

The Company may share aggregate or de-identified Information about Users with advertisers, publishers, business partners, sponsors, Developers and other third parties. In addition, the Company may disclose Information in the following circumstances:

When Company uses the services of third-party service providers to provide services such as website hosting, data analysis, payment processing, credit card processing, order fulfillment, infrastructure and network provision (including cloud storage and cloud computing), IT services, support and maintenance, customer service, email delivery services, auditing services and other similar services.

By providing Information to the Company, the Information Provider shall be deemed to have consented to (a) the acquisition, storage, processing, transfer and retention of Information by the Company in accordance with this Privacy Policy, (b) the storage and processing of the Information Provider's Information in any country where the Company or its affiliates may use facilities (including cloud storage and cloud computing operated by third parties) or in which the Company engages service providers, and (c) the transfer of Information to countries outside of the Information Provider's country of residence, including the United States, which may have different data protection rules than in the Information Provider's country of residence.

Correction and Deletion of Information - The Company shall use reasonable efforts to not alter the Information provided by Information Providers.

In the event that the Information Provider contacts the Company (using the Contact Information provided at the end of this Privacy Policy) and requests the disclosure, correction and/or deletion of other Information, the Company, after confirming that the request was made by the Information Provider, will attempt to comply with the request to the extent possible and as soon as reasonably practicable.

Choices Regarding Use of Information for Marketing Purposes - The Company gives Users many choices regarding the Company's use and disclosure of Users' Information for marketing purposes. Users may opt-out from (or choose not to opt in where we ask for Users' consent in advance) having Users' Information used for the following purposes.

- Receiving Electronic Communications from the Company.

- Sharing of Users' Information with Subsidiaries and Other Affiliates for their Marketing Purposes.

- Sharing of Users' Information with Unaffiliated Third Parties for Their Marketing Purposes.

- Distributing targeted advertisement.


We are implementing continuous improvements to provide ad services which are relevant to users' interests. Based on your past ad viewing/clicking activity, we will deliver the most suitable advertisement for you. For this purpose, we need to acquire the following information.

- Information on your history of websites visited and apps used.

- Information to identify the device that you use.

- IP address and other information on your connection path.


Throughput the privacy statement it refers to using the contact and information form at the bottom of the page - this is actually a link which takes you to a page of Japanese text.

It doesn't matter what the app developer has access to. What matters is what data leaves the device, which the OS has no control over. You can give access to all your contacts and do basically whatever I want with them on the device without violating GDPR. However, if you send one of those contacts name, email, Id, etc to a server somewhere then you're breaking the law

Also intent. It isn't about what is technically in access permits. It is about what app developer intends to do. The app developer must explain what the app wants to do with the data it has access to regardless of technical capability said to consent to intent is legally binding.

For example, one first says give access to contacts so I can display to show various funny statistics about users contacts birthday dates (how many days until what weekdays are most numerous etc.) and store statistics there off, so it doesn't have to recalculate every time.

Technically Android might give access to the full contact card, but the minute app accesses the phone number or other non-consented parts of contact, the app has just breached GDPR. Or the moment the app decides to send the birthdays to a cloud server to have backups. The developer didn't ask for consent to extradite the data from the device, even if app technically have access rights internet access and contacts information.

The most straightforward example is this forum, it is not a secure site (https) and holds personal data on all its members - so putting aside the fact that consent would have been required by 25th May for the activities Gree list in their privacy policy - our data isn't even on a secure website.

I won't mention the numerous breaches of data and poor security on their hosting servers.

Be honest and transparent.

Funzio Games was indeed purchased by GREE a while back. The Funzio games are now handled by the Funzio team at GREE.

The information given above are points of contacts at GREE regarding data protection officers and the current data controller.

Did not GREE sell to DECA and told the community that?

Did not GREE sell to DECA and told the community that?

Nope. Gree use Deca as a managed service to continue the development and maintenance. Gree still own the gane