SUPPLEMENTARY PRIVACY NOTICE - GUESS THE PLAYER GAME

Supplement to the OneFootball Website Privacy Policy available here.

This notice supplements the OneFootball Website Privacy Policy ("Main Policy") and applies specifically to the "Guess the Player" game and its associated features, including Digital Collectibles (NFTs). In the event of conflict between this notice and the Main Policy, this notice prevails for the Game. Capitalised terms have the same meaning as in the Main Policy or the Guess the Player Terms of Service.

1. Controller

The data controller for all processing described in this notice is OneFootball Capital GmbH, Donaustraße 44, 12043 Berlin, Germany (registered at Amtsgericht Charlottenburg, HRB 131613 B). Contact: legal@onefootball.com.

2. Categories of Personal Data Processed

In connection with the Game, we process the following categories of personal data:

a) Account and identity data (sourced from your existing OneFootball account): username, email address, account ID, country of residence, and age/date of birth where provided for age verification purposes.

b) Gameplay data: daily challenge participation records, answers submitted (correct and incorrect), game results, streaks, leaderboard rankings, in-game points ($PLAYER), and timestamps of activity.

c) Digital Collectible and blockchain data: wallet address(es) you connect or provide for minting; transaction hashes; token IDs; minting timestamps; and on-chain transfer history. You acknowledge that wallet addresses, once associated with your account in our systems, may constitute personal data in our off-chain records.

d) Age verification data: where you provide documentary proof of age (e.g., government-issued identity document), we process only the information necessary to confirm that you meet the minimum age requirement (18+). We do not retain a copy of the document beyond the verification process unless required by law.

e) Technical and usage data: IP address, device type and operating system, browser type, session data, error logs, and referral source. This data is also processed under the Main Policy.

f) Communications data: the content of any support requests, complaints, or other correspondence you send us in connection with the Game.

3. Purposes and Legal Bases

We process your personal data for the following purposes:

To provide and operate the Game, including recording your daily results and maintaining streaks, we process your account information, gameplay data, and technical information. This processing is necessary for the performance of our contract with you and is based on Article 6(1)(b) GDPR.

Where you request the minting of a Digital Collectible (NFT), we process the information necessary to create the NFT and associate it with your account and wallet. This processing is required to fulfil our contractual obligations to you and is based on Article 6(1)(b) GDPR.

To verify that users are at least 18 years old and to enforce age-related access restrictions, we process account information and age verification data. This processing is necessary to comply with applicable legal obligations, including Section 4 of the German Youth Protection Act (Jugendschutzgesetz – JuSchG) and Section 5 of the Interstate Treaty on the Protection of Minors in the Media (Jugendmedienschutz-Staatsvertrag – JMStV), and is therefore based on Article 6(1)(c) GDPR. To the extent age verification is necessary for providing access to the Game, processing may also be based on Article 6(1)(b) GDPR.

To detect fraud, prevent abuse, and maintain the security and integrity of the Platform, we process account information, gameplay data, blockchain-related information, and technical data. This processing is based on our legitimate interests in protecting the Platform, ensuring fair gameplay, and safeguarding the rights and interests of other users pursuant to Article 6(1)(f) GDPR.

We also use gameplay and technical data to analyse how the Game is used and to improve existing features and develop new functionality. Wherever possible, such data is aggregated or pseudonymised. This processing is based on our legitimate interests in improving and developing the Platform in accordance with Article 6(1)(f) GDPR.

If you contact us with a support request, complaint, or enquiry, we process the information you provide, together with relevant account information, in order to respond and assist you. Such processing is necessary for the performance of our contract with you and, where applicable, for our legitimate interests in providing effective customer support pursuant to Articles 6(1)(b) and 6(1)(f) GDPR.

We may also process personal data where necessary to comply with legal obligations, including tax, accounting, regulatory, and judicial requirements. Such processing is based on Article 6(1)(c) GDPR.

To keep you informed about important aspects of the Game, including changes to the Game, account-related notifications, and security alerts, we may send you service communications. This processing is necessary for the performance of our contract with you and is based on Article 6(1)(b) GDPR.

Where you have provided your consent, we may use your contact information to send you marketing communications regarding the Game, Digital Collectibles, and related features, services, or promotions. Such processing is based on your consent pursuant to Article 6(1)(a) GDPR. You may withdraw your consent at any time with effect for the future.

4. Special Notice: Blockchain Data and the Right to Erasure

When a Digital Collectible is minted, certain data (including your wallet address, the token ID, and the transaction hash) is recorded on a public, decentralised blockchain. This on-chain data is technically immutable: the Company has no ability to alter, delete, or restrict access to data recorded on the blockchain.

You should be aware of the following before minting:

  • Your wallet address will be publicly visible on the blockchain and permanently associated with the minted token.

  • The Company's ability to fulfil an erasure request (Art. 17 GDPR) is limited to the personal data we hold in our off-chain systems (e.g., the association between your wallet address and your OneFootball account). We will delete or pseudonymise that off-chain association upon a valid erasure request, but we cannot remove the wallet address or transaction history from the blockchain itself.

  • You are advised not to use a wallet address that is otherwise directly linked to your real-world identity if you wish to minimise your on-chain footprint.

This limitation does not affect your other data subject rights in respect of off-chain data we control.

5. Recipients and Third-Party Sharing

We share personal data with the following categories of recipients in connection with the Game:

a) Blockchain infrastructure and smart contract providers: technical partners responsible for deploying and operating the smart contracts used for minting. These providers process wallet addresses and on-chain transaction data as part of their infrastructure services.

b) Analytics providers: pseudonymised gameplay and usage data may be shared with analytics partners to support game improvement. These providers act as processors under a data processing agreement.

c) Age verification service providers (if applicable): where third-party age verification is used, data is shared only to the extent necessary to confirm eligibility.

d) Legal and regulatory authorities: where required by applicable law, court order, or regulatory instruction.

e) Successor entities: in the event of a merger, acquisition, or asset sale, personal data may be transferred to the acquiring entity, subject to the same protections as described in this notice and with prior notification to users in accordance with the Terms of Service.

We do not sell personal data related to the Game to third parties.

6. International Data Transfers

Where personal data is transferred to recipients outside the European Economic Area (EEA), we ensure an adequate level of protection by means of one or more of the following: an adequacy decision by the European Commission; standard contractual clauses adopted by the European Commission (Art. 46(2)(c) GDPR); or another appropriate safeguard under Chapter V GDPR. Details of applicable transfer mechanisms are available on request at legal@onefootball.com.

Note: public blockchain networks are by nature globally distributed. On-chain data (wallet addresses, token metadata) is not subject to transfer controls in the traditional sense, as it is accessible publicly worldwide. You should take this into account before minting.

7. Retention Periods

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to comply with legal obligations, resolve disputes, enforce our agreements, and protect our legal rights.

Account information and gameplay data are generally retained for the duration of your account. Following account deletion, we may retain such information for up to three years where necessary to establish, exercise, or defend legal claims.

Where age verification is required, any copies of identification documents that may be collected during the verification process are deleted promptly once verification has been successfully completed. In any event, such copies are not retained for longer than 30 days.

Records relating to NFT minting activities that are stored off-chain are retained for the duration of your account and for up to three years following account deletion in order to maintain appropriate records and address potential legal or regulatory requirements.

Please note that blockchain transactions and other data recorded on a public blockchain are generally immutable and cannot be modified or deleted. As a result, on-chain data may remain publicly accessible indefinitely and is not under our control. Further information can be found in Section 4 above.

Correspondence relating to support requests, complaints, and customer enquiries is generally retained for three years following the resolution of the relevant matter.

Technical logs and similar operational data are typically retained for up to 90 days. However, where such information is required for the investigation of security incidents, fraud, abuse, or other unlawful activities, it may be retained for a longer period where necessary.

Records relating to marketing consents are retained for as long as the relevant consent remains valid and, following withdrawal of consent, for up to three years in order to demonstrate compliance with applicable data protection requirements.

8. Your Rights

As a data subject under the GDPR, you have the following rights in respect of personal data we process about you in connection with the Game:

  • Right of access (Art. 15): to obtain a copy of your personal data and information about how it is processed.

  • Right to rectification (Art. 16): to have inaccurate personal data corrected.

  • Right to erasure (Art. 17): to request deletion of your personal data, subject to the limitations described in § 4 above and applicable retention obligations.

  • Right to restriction of processing (Art. 18): to request that we restrict processing of your data in certain circumstances.

  • Right to data portability (Art. 20): to receive your personal data in a structured, commonly used, machine-readable format where processing is based on consent or contract.

  • Right to object (Art. 21): to object to processing based on legitimate interests (Art. 6(1)(f)); we will cease processing unless we can demonstrate compelling legitimate grounds.

  • Right to withdraw consent (Art. 7(3)): where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.

  • Right to lodge a complaint: you have the right to lodge a complaint with the competent supervisory authority. The lead supervisory authority for OneFootball Capital GmbH is the Berliner Beauftragte für Datenschutz und Informationsfreiheit, Friedrichstr. 219, 10969 Berlin, mailbox@datenschutz-berlin.de.

To exercise any of the above rights, please contact us at privacy@onefootball.com or by post at the address in § 1. We will respond within one month of receipt of your request (Art. 12(3) GDPR), extendable by a further two months for complex or numerous requests with prior notification.

9. Automated Decision-Making and Profiling

The Game does not use automated decision-making or profiling that produces legal or similarly significant effects within the meaning of Art. 22 GDPR. Game outcomes are determined by your own input; no automated eligibility determination affecting your legal position is made solely by automated means.

10. Changes to this Notice

We may update this notice from time to time. Material changes will be communicated in accordance with § 16 of the Guess the Player Terms of Service. The current version is always accessible within the Game and on the OneFootball Platform.