§1. General Provisions

1. The Data Administrator, as defined under Article 4(4) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter GDPR), is Blublu Ltd. with its registered office in Laski Wielkie, at Laski Wielkie 1, 19-314 Kalinowo, Tax ID: 8481880265, REGON: 389600589, registered in the National Court Register under KRS number: 0000914871, District Court in Olsztyn, VIII Economic Department of the National Court Register, share capital 5,000 PLN.

2. Data Administrator's email address: blublu.main@gmail.com.

3. In accordance with Article 32(1) of the GDPR, the Administrator adheres to the principles of data protection and applies appropriate technical and organizational measures to prevent accidental or unlawful destruction, loss, modification, unauthorized disclosure, or unauthorized access to personal data processed in connection with its business activities.

4. The scope of data processed by the Data Administrator is always adequate to the purpose for which the data was collected.

5. When using the App, no user's personal data is collected, stored, or processed that would allow the identification of their identity.

6. The mobile application does not require permissions for additional data or access to functions on the mobile device that would allow the identification of the user's identity.

7. The provision of personal data by the user is always voluntary and may occur as part of any correspondence conducted with the user, particularly during the complaint process (e.g., name and surname, email address).

8. The Data Administrator does not collect and process personal data from children. "Children" refers to persons under the age of 13, or older (e.g., 16) if the personal data protection regulations applicable in their place of residence so provide. The Data Administrator does not knowingly collect personal data from children. If it is found that a child has provided personal data, it will be immediately removed from the Data Administrator's resources. The legal guardian is obligated to contact the administrator upon discovering that a child has provided personal data so that the administrator can take necessary actions.

§2. Purpose and Legal Basis for Data Processing

The Administrator processes personal data solely for the purposes related to handling the complaint process, based on a legal obligation imposed on the Data Administrator in accordance with applicable legal provisions (Article 6(1)(c) of the GDPR) or for the purpose of contacting users, particularly in response to inquiries directed to the Data Administrator, which is their legitimate interest (Article 6(1)(f) of the GDPR).

§3. Data Recipients. Transferring Data to Third Countries

1. The recipients of the personal data processed by the Data Administrator may include subcontractors – entities that the Data Administrator uses for data processing, such as hosting service providers, technical caretakers of the Application.

2. Personal data will not be transferred to an entity located outside the European Economic Area.

3. The user acknowledges that their personal data may be processed by the Google service provider, especially during purchases within the Application. Google receives data directly from the user without the mediation of the Data Administrator. Google's data processing rules are available at Google Privacy Policy.

§4. Data Retention Period

The Data Administrator stores personal data processed for the purposes mentioned in §2 for a period of 30 days from the last contact with the user. In the case of processing personal data in disputed situations with the user, the personal data may be stored for no longer than the limitation period specified by the provisions of the Civil Code for the given type of claim.

§5. Rights of the Data Subject

1. Every individual whose data is processed has the right to:

• Access - to obtain confirmation from the administrator whether their personal data is being processed. If data is being processed, the individual has the right to access that data and receive the following information: the purpose of processing, categories of personal data, information about the recipients or categories of recipients to whom the data has been or will be disclosed, the data retention period or the criteria for determining it, and the right to request rectification, erasure, or restriction of personal data, as well as to object to such processing (Art. 15 GDPR);
• Receive a copy of the data – to obtain a copy of the data being processed. The first copy is free of charge, and the administrator may charge a reasonable fee for additional copies, based on administrative costs (Art. 15, Par. 3 GDPR);
• Rectification - to request the correction of inaccurate personal data or completion of incomplete data (Art. 16 GDPR);
• Erasure - to request the deletion of their personal data if the administrator no longer has a legal basis for processing or if the data is no longer necessary for processing purposes (Art. 17 GDPR);
• Restriction of Processing - to request the restriction of personal data processing (Art. 18 GDPR) when:
  • the individual questions the accuracy of the personal data - for a period allowing the administrator to verify the accuracy of this data,
  • the processing is unlawful, and the individual opposes the erasure of the data, requesting the restriction of its use instead,
  • the administrator no longer needs the data, but it is required by the individual for the establishment, exercise, or defense of legal claims,
  • the individual has objected to processing - until it has been established whether the legally justified grounds on the part of the administrator override those of the individual objecting;
• Data Portability - to receive the personal data concerning them in a structured, commonly used, machine-readable format and to transmit those data to another administrator if the data is processed based on the individual's consent or a contract with them and if the data is processed in an automated manner (Art. 20 GDPR);
• Objection - to object to the processing of their personal data for the legally justified purposes of the administrator, for reasons related to their specific situation, including profiling. The administrator will then assess the existence of valid legally justified grounds for processing, which override the interests, rights, and freedoms of the data subjects, or the grounds for establishing, exercising, or defending claims. If, according to the assessment, the interests of the individual are more significant than those of the administrator, the administrator is obliged to cease processing for those purposes (Art. 21 GDPR).

2. To exercise the aforementioned rights, the individual should contact the administrator using the provided contact details and inform them of which right and to what extent they wish to exercise.

3. The individual has the right to lodge a complaint with the supervisory authority, which is the President of the Office for Personal Data Protection in Warsaw.

§6. Automated Data Processing. Profiling

The personal data of Application users will not be processed automatically or through profiling.

§7. Ads in the Application

1. The Application uses Google AdSense, a system for displaying ads from Google Inc. and other advertisers.

2. Data such as user activity, identifiers, and device geolocation are used to provide personalized advertising services (e.g., displaying a banner ad with content the user is potentially interested in). Information about the user may be used by Google AdSense and its trusted advertising content partners.

3. Google AdSense provides advertisers with information about the effectiveness of their ads but does not disclose any personal data of the user. Google AdSense ensures the security of these data throughout the ad display process.

4. Google AdSense independently determines the nature and provider of the ads displayed to the user. Ad providers in the Application may include:

• AdMob,
• AdColony,
• Applovin,
• Facebook Audience Network,
• Unity Ads.

5. Detailed terms of service and privacy policy for Google AdSense are available at Google AdSense Terms & Privacy.

§8. Analytical Services

The Data Administrator in the Application uses external analytical service providers to provide services, conduct analyses and research, including tools that enable campaign effectiveness and revenue analytics. These providers usually also collect data through their own SDK sets. Below is a list of providers implementing analytical SDKs through the Application:

• GameAnalytics: GameAnalytics Privacy,
• Unity Ads: Unity Ads Privacy,
• Google Ads: Google Ads Privacy,
• Google Apps, Tools and Analytics: Google Privacy.