The protection of your personal data is the declared aim of Gamium Corporation Pte. Ltd. (hereinafter referred to as Gamium). Data protection has a particularly high priority for Gamium and is carried out in accordance with the relevant legal provisions. With this statement we would like to inform you about the processing of your personal data at Gamium in order to fulfil our information obligations according to Art. 12 et seq. of the General Data Protection Regulation (GDPR).
1. Responsible body
Responsible for data processing within the meaning of data protection law is:
Gamium Corporation Pte. Ltd.
25th North Bridge Road
Managing directors authorized to represent the company: Alberto Rosas, Alejandro Rosas
Data Protection Officer
If you have any questions regarding data protection, please contact our data protection officer:
Markets Prolive 360, S.L.
2. Personal data
3. Data processing on our website
3.1 Temporary usage data (log files): Whenever you use our website, our platform or our apps, we process connection data that is automatically transmitted to enable you to visit the website or use the app. This connection data includes meta and communication data, website accesses, and other data generated via a website or when using an app such as IP address, IP location, type and version of the terminal device used, information on the mobile network used, time zone settings, operating system and platform.
The data processing of this connection data is absolutely necessary to enable the visit of the website, the platform or the use of the app, to ensure the permanent integrity, confidentiality and availability of our systems, for general administrative maintenance of our systems and for support, billing and fraud prevention purposes. The connection data is temporarily stored in internal log files for the purposes described above and the content is limited to what is necessary.
The legal basis for this processing is Art. 6 para. 1 lit. b GDPR, insofar as the page view occurs in the course of the initiation or execution of a contract, and otherwise Art. 6 para. 1 lit. f of the GDPR due to our legitimate interest in enabling website access and app use, in the permanent integrity, confidentiality and availability of our systems, in the administration of our systems and in support, billing and fraud prevention.
The log files are generally stored for four weeks and then anonymized[SC1] [AR2] . Exceptionally, individual log files and IP addresses are kept longer in order to prevent further attacks from this IP address in the event of cyber-attacks and/or to take action against the attackers by way of criminal prosecution.
3.2 Contact: You have various options for contacting us, such as by e-mail, or via the contact form on our website. In this context, we process the data you provide when contacting us (e.g. e-mail address, address) exclusively for the purpose of communicating with you.
The legal basis for this processing is Art. 6 para. 1 lit. b GDPR, insofar as your information is required to answer your enquiry or to initiate or execute a contract, and otherwise Art. 6 para. 1 lit. f GDPR due to our legitimate interest in answering enquiries to us.
The data we collect when you contact us will be automatically deleted after we have fully processed your enquiry, unless we still need your enquiry to fulfil contractual or legal obligations (see section 12 “Duration of data storage”).
3.3 Registration: You have the option of registering with an account for our login area in order to use our services. We have highlighted the data that you are required to enter by marking them as mandatory fields. Registration is not possible without this data[SC3] [AR4] . The following data must be processed as part of the registration:
- E-mail address
- Web3 Address (either provided as non-custodial or generated as part of the login process)
In your Gamium account you can also store further data, such as:
- First and last name
- Date of birth
- Telephone numbers
- Bank details
- Payment data and tax information
- Identity documents
- Financial information
- Information from customer loyalty programmes
- Overview of devices in use
The legal basis for processing the data required for registration (mandatory fields) is Art. 6 para. 1 lit. b DSGVO. For all other data, the legal basis is our legitimate interest pursuant to Art. 6 para. 1 lit. f DSGVO to enable you to individualize, customize and change your account, or your consent pursuant to Art. 6 para. 1 lit. a DSGVO, insofar as you have given it to us.
4. Data processing when using our services
The legal basis for the processing of your data by Gamium is the fulfilment of the existing contract of use between you and us (Art. 6 para. 1 lit. b GDPR), unless another legal basis is explicitly mentioned below.
For some services of Gamium you can also deposit special categories of personal data according to Art. 9 para. 1 GDPR, in particular health data. The legal basis for the processing of this data is your explicit consent (Art. 6 para. 1 lit. a GDPR in conjunction with Art. 9 para. 2 lit. a GDPR).
We also process your data internally in anonymized form for statistical purposes[SC5] [AR6] in order to be able to draw conclusions about user behavior and performance.
The legal basis for processing this data is our legitimate interest in improving our services and evaluating partner performance (Art. 6 para. 1 lit. f GDPR).
In addition, we conduct satisfaction surveys or ask for your feedback on our services and inform you about our offers, in each case with your prior consent.
The legal basis for the processing of this data is your express consent (Art. 6 para. 1 lit. a GDPR).
4.1 Identification/Ident: When you use the “Identify” service, you have various options for identifying yourself to us. The data processing depends on (1) the chosen identification method (see sections 4.2 to 4.7) and (2) the chosen document.
For identity cards, passports and electronic residence titles, we process as far as available:
- Family name and maiden name
- First name(s)
- Order name, artist name, nickname
- Day and place of birth
- Eye colour
- Facial image
- Date of issue
- Validity date
- Document type
- Document number
- Serial number
- Access number (CAN)
- Issuing authority.
You can also use the “ID” service to simplify identification with partners. If you use services with partners that require certain identifications (e.g. driving license with a car sharing provider), you can use your verified documents stored in your Gamium account for this purpose. When you connect your Gamium account to such a partner, we share the relevant information and documents with the relevant partner to fulfil the contract.
4.5 Photo-Ident: If you choose the Photo-Ident identification method, we will carry out an identity check using automated algorithms. For identification via Photo-Ident, an end device with a camera and microphone is also required, and the corresponding authorizations must be granted for Photo-Ident. In addition, photo identification via a mobile device requires the receipt of text messages and/or the reading of QR codes. The photo ID procedure can be used for identity cards, passports, electronic residence titles and driving licenses.[AR7]
4.7 Company data: Should you opt for the identification method Company Account, we will carry out an identification of your company. In this process, the person authorized for the company is identified (see sections 4.2 to 4.6) and activated as the holder of the company account. Subsequently, previously identified employees of the company are verified by the authorized person after their consent and also activated for the company account. For this purpose, we process as far as available:
- General company data
- E-mail address and role of staff[AR8]
4[SC9] .8 Authentication/Access: The “Authentication” service allows you to log in or authenticate directly with our partners using your Gamium account.
We only process your Gamium authentication means and account information (e.g. username and password, e-mail link, Gamium PIN or biometric methods) that are required for authentication with the partner. Which personal data is required at the partner depends on the respective partner, this can be e.g. e-mail addresses, user names or also IBAN (e.g. for logging in to online banking)[SC10] [AR11] .
We endeavor to protect the privacy of the Personal Information we hold in our records, but unfortunately, we cannot guarantee complete security. The safety and security of your Personal Information also depends on you. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time. Your Wallet is protected by your password, private key, and/or seed phrase, and we urge you to take steps to keep this and other Personal Information safe by not disclosing your security credentials or leaving your Wallet open in an unsecured manner. We further protect your Personal Information from potential security breaches by implementing certain technological security measures including encryption, firewalls, and secure socket layer technology. We also seek to protect Personal Information by refraining from collecting Personal Information where possible. However, these measures do not guarantee that your Personal Information will not be accessed, disclosed, altered or destroyed by a breach of such firewalls and secure server software. By using our Services, you acknowledge that you understand and agree to assume these risks.
We do not and will never store your wallet password, private key, or seed phrase to your wallet. If you lose access to both your password and seed phrase, we will be unable to help you access your wallet, and any assets held in the wallet may be permanently irretrievable.
We may use any aggregated data derived from or incorporating your Personal Information after you update or delete it, but not in a manner that would identify you personally.
6. Data processing due to legal requirements
In certain constellations, we process personal data because we are legally obliged to do so. In these cases, the processing is carried out exclusively insofar as this is necessary to comply with the corresponding legal obligations, the legal basis of the data processing is Art. 6 para. 1 p. 1 lit. c GDPR, insofar as no other legal basis is expressly stated below.
Should you decide to store verified data collected through an identification process with a third party in your Gamium account for future use, data that we do not process on the basis of a legal obligation may be processed together to the same extent as data that is subject to legal processing obligations. This applies in particular to personal data that is technically inseparable from the document files that must be kept by law.
The legal basis for the processing of this data is our legitimate interest (Art. 6 para. 1 lit. f GDPR). This consists of the user-friendly provision of our services as well as enabling the storage of the above-mentioned verified data for the purpose of repeated usability by you.
Furthermore, Gamium is legally entitled and obliged to process identity documents according to ZAG.[SC12] [AR13]
In particular, Gamium is legally obliged to process your personal data in the following cases:
6.1 Money laundering: If you use or wish to use the Gamium Payment
or Gamium Bank Ident services,
the payment initiation service or the account information service, we are required by law to collect and process
your personal data for money laundering prevention purposes. For this purpose, we process transaction and master
data (name, place of birth, date of birth, nationality and residential address or, if there is no fixed abode with
legal residence in the European Union and the postal address at which the contractual partner as well as the person
appearing to the obligated party can be reached We are legally obliged to keep this data for a period of five years.[SC14] [AR15]
6.3 Terror and sanctions lists and politically exposed persons:
If you use the services Gamium Payment, Gamium Bank Ident, the payment initiation service or the account information service, we are legally obliged to check your first and last name against current EU terrorism and sanctions lists and to ensure whether you are a “politically exposed person”. We are legally obliged to keep this data for a period of five years[SC16] [AR17] .
6.4 Commercial and tax law: Furthermore, we are legally obliged to retain personal data in order to comply with commercial and tax law obligations even after the end of a business relationship. The corresponding retention periods are between six and ten years.
6.5 Disclosure to courts and authorities: Within the scope of the provisions set out in this section 5 or due to other legal regulations, we disclose personal data to courts and authorities insofar as we are legally obliged to do so.
7. Use of the Gamium App
In this section we inform you about the processing of personal data when using the Gamium App.
7.1 Use of app tools (scripts, API, SDK): Our app uses programming codes (so-called scripts), programming interfaces (so-called API), software development kits (SDK) and comparable technologies (collectively “tools”), which are offered either by ourselves or by third parties and may be able to access the identification numbers stored in the mobile end device such as the device ID. Currently, only Tools that directly serve the technical provision and security of the App and are absolutely necessary are used. No optional tools are used.
7.2 App permissions: When using the Gamium App and for using the 2-factor authentication (2FA), a smartphone with the minimum required version of the mobile operating system is required. Depending on the choice of service, the following accesses may be required:
- Read memory contents
- Change or delete memory contents
- Read memory contents
- Change or delete memory contents
- Take pictures and record videos
- Record audio
WLAN connection information
- Retrieve WLAN connections
- Retrieve data from the Internet
- Retrieve network connections
- Pair with Bluetooth devices
- Face ID function (iOS only)
- Fingerprint function
- Change network connectivity
- Control light display
- Access to networks
- Change audio settings
- Control near field communication
- Control vibrating alarm
- Deactivate hibernation
- Activate and use push notifications
You can configure the respective permissions as desired, but please note that certain permissions are required to use some services.
8. Cookies on our website
8.1 Essential or Strictly Necessary Cookies. These Cookies are required for providing you with features or services that you have requested. For example, certain Cookies enable you to log into secure areas of our Services. Disabling these Cookies would make certain features and services unavailable. Functional Cookies. Functional Cookies are used to record your choices and settings regarding our Services, maintain your preferences over time and recognize you when you return to our Services. These Cookies help us to personalize our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
8.2 Performance/Analytical Cookies. Performance/Analytical Cookies allow us to understand how visitors use our Services. They do this by collecting information about the number of visitors to the Services, what pages visitors view on our Services and how long visitors are viewing pages on the Services. Performance/Analytical Cookies also help us measure the performance of our advertising campaigns in order to help us improve our campaigns and the Services' content for those who engage with our advertising.
You can decide whether or not to accept Cookies through your internet browser's settings. Most browsers have an option for turning off the Cookie feature, which will prevent your browser from accepting new Cookies, as well as (depending on the sophistication of your browser software) allow you to decide on acceptance of each new Cookie in a variety of ways. You can also delete all Cookies that are already on your device. If you do this, however, you may have to manually adjust some preferences every time you visit our website and some of the Services and functionalities may not work.
9. Online presence in social networks
We maintain online presences in social networks in order to communicate there with customers and interested parties, among others, and to provide information about our products and services. The users’ data is usually processed by the social networks concerned for market research and advertising purposes. In this way, usage profiles can be created based on the interests of the users. For this purpose, cookies and other identifiers are stored on the computers of the data subjects. Based on these usage profiles, advertisements, for example, are then placed within the social networks but also on third-party websites.
As part of the operation of our online presences, it is possible that we may access information such as statistics on the use of our online presences provided by the social networks. These statistics are aggregated and may include, in particular, demographic information (e.g. age, gender, region, country) as well as data on interaction with our online presences (e.g. likes, subscription, sharing, viewing of images and videos) and the posts and content distributed via them. This may also provide information about the interests of users and which content and topics are particularly relevant to them. This information may also be used by us to adapt the design and our activities and content on the online presence and optimize it for our audience. Please see the list below for details and links to the social network data that we, as operators of the online presences, can access. The collection and use of these statistics are generally subject to joint responsibility. Where applicable, the relevant agreement is listed below.
The legal basis for data processing is Art. 6 para. 1 lit. f GDPR, based on our legitimate interest in effective information and communication with users, and Art. 6 para. 1 lit. b GDPR, in order to stay in contact with and inform our customers, as well as to carry out pre-contractual measures with interested parties.
Where you have an account with the social network, it is possible that we may see your publicly available information and media when we access your profile. In addition, the social network may allow us to contact you. This may be, for example, via direct messages or via posted articles. The content communication via the social network and the processing of the content data is thereby subject to the responsibility of the social network as a messenger and platform service.
For the legal basis of the data processing carried out by the social networks under their own responsibility, please refer to the data protection information of the respective social network. The following links will also provide you with further information on the respective data processing and the options to object.
We would like to point out that data protection requests can be asserted most efficiently with the respective provider of the social network, as only these providers have access to the data and can take appropriate measures directly. You can also contact us with your request. In this case, we will process your request and forward it to the provider of the social network.
10. Recipients of data
You have the option to transfer all, or part of your data stored in your Gamium account to our Gamium partners for certain purposes. Such transfer of your data will only be carried out by Gamium at your request and with your express consent. After the transfer of your data to a Gamium partner, the processing of your data will take place under the responsibility of the Gamium partner. The Gamium partner is then the responsible party according to Art. 4 No. 7 GDPR.
The data we collect will only be passed on if there is a legal basis for this under data protection law in the specific case, in particular if:
- you have given your express consent to this in accordance with Art. 6 para. 1 lit. a GDPR,
- the disclosure is necessary for the assertion, exercise or defense of legal claims pursuant to Art. 6 para. 1 lit. f GDPR and there is no reason to assume that you have an overriding interest worthy of protection in not having your data disclosed,
- we are legally obliged to disclose data pursuant to Art. 6 para. 1 lit. c GDPR, in particular if this is necessary for legal prosecution or enforcement due to official requests, court decisions and legal proceedings, or
- this is legally permissible and required in accordance with Art. 6 para. 1 lit. b GDPR for the processing of contractual relationships with you or for the implementation of pre-contractual measures that take place at your request.
In order to be able to offer you all functions at Gamium, we also use selected service providers who process data on our behalf. We only pass on data to service providers carefully selected by us and instructed in writing within the framework of legally permissible order processing. These only receive the data that is necessary for the fulfilment of the order and process it exclusively on our instructions. This includes the following categories of commissioned processors: Identification service providers, software developers, hosters of servers, cloud storage and mails, technical service providers, service providers for mail dispatch and newsletter dispatch, ticket system providers, customer support, content management system providers, customer relationship management providers, as well as web analytics service.
11. Sharing of Personal Data
Gamium processes your data on servers within the European Union. This also applies to service providers commissioned by us for data processing.
In rare individual cases, e.g., when using our support, your data may be transferred to so-called third countries (outside the European Union or the European Economic Area) or personal data may be processed there.
We share your personal data as needed to fulfill the purposes described in this Policy and as permitted by applicable law. We may share your personal fata in the following circumstances:
- Within Our Corporate Organization. We may share information between and among Gamium subsidiaries and affiliated companies for purposes of KYC/CDD checks, fraud detections, decision making, customer support, and other business purposes.
- When We Work with Service Providers. We may share your information with service providers that provide us with support services, such as secure website hosting, cloud storage, information technology maintenance, transaction monitoring, network infrastructure, payment processing, security, fraud detections, KYC/CDD checks, customer support and analytics.
- With Payment Processors. Upon your authorization, we may share your personal data with financial institutions that we partner with to process payments.
- With Our Professional Business Advisors. We may share your personal data with our professional advisors who provide banking, legal, compliance, and other consulting services in order to complete required legal audits of our operations, or otherwise comply with our legal obligations.
- Corporate Transactions. We may disclose personal data to a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution or sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation or similar proceeding, in which personal data held by us is among the assets transferred. By engaging with us or using our Services, you understand and agree to our assignment or transfer of rights to your personal data.
- As Required by Law. We may disclose your information if we believe that the disclosure is required by law, if we believe that the disclosure is necessary to enforce our agreements or policies, in response to valid requests by public authorities (e.g., a court or a government agency), or if we believe that the disclosure will help us protect the rights, property, or safety of Ramp or our customers.
- With Your Consent. We may disclose your personal data for any purpose with your consent. For example, to other data controllers whose terms of service you consented to.
Where this is the case and the European Commission has not issued an adequacy decision (Art. 45 GDPR) for these countries, we have taken appropriate precautions to ensure an adequate level of data protection for any data transfers. These include, among others, the standard contractual clauses of the European Union or binding internal data protection regulations.
Where this is not possible, we base the transfer of data on exceptions to Art. 49 GDPR, in particular your express consent or the necessity of the transfer for the performance of the contract or for the implementation of pre-contractual measures.
If a third country transfer is provided for and no adequacy decision or appropriate safeguards are in place, it is possible and there is a risk that authorities in the respective third country (e.g. intelligence services) may gain access to the transferred data in order to collect and analyse it, and that the enforceability of your data subject rights cannot be guaranteed. When obtaining your consent, you will also be informed of this.[SC18] [AR19]
12. Duration of data storage
We store your data for the duration of the existence of your Gamium account. As long as your Gamium account exists, the user contract between you and Gamium also exists. However, you can delete your Gamium account at any time and thereby terminate the contract between you and Gamium. This also applies to services that can be considered separately, such as COVID Pass and driving licence. We will then delete your data unless we are legally obliged to continue to store or retain it or we have a legitimate interest in continuing to store it, for example to defend ourselves against legal claims or to enforce our own legal claims. A storage obligation may arise, for example, from legal requirements for the use of the Gamium Payment function “Gamium Payment” or from tax or commercial law regulations. If the data is still required to process outstanding transactions, it will be deleted at the earliest after these transactions have been processed.
13. No automated decision making and profiling
The processing of your personal data by us is not related to automated decision making or profiling (unless explicitly stated otherwise, see e.g., clause 4.4. “Gamium Payment”).
14. Data security
All data stored by us, or any order processors are protected against unauthorized access, loss and modification using current security standards. For this purpose, extensive technical and organizational security precautions are applied with a standard that at least corresponds to the legal requirements.[AR20]
15. Your rights
You have the following rights with respect to us regarding the data relating to you:
- Right to information about your stored personal data, its origin and possible recipients and the purpose of the data processing (Art. 15 GDPR),
- Right to rectification of inaccurate data or erasure of processed data (Art. 16 and 17 GDPR), unless there are statutory retention periods (see point 12.),
- Right to restriction of processing (Art. 18 GDPR),
- Right to withdraw your consent. We will then no longer continue the processing based on this consent for the future. The lawfulness of the processing carried out on the basis of the consent until the revocation is not affected by the revocation. (Art. 7 GDPR),
- Right to data portability (Art. 20 GDPR),
- Right to object within the framework of the legal requirements. Should the data processing by us be based on legitimate interests, you have the right to object to the processing of your data at any time for reasons arising from your particular situation. You may object to the processing of your data for direct marketing purposes at any time, even without giving reasons (Art. 21 GDPR).
You have the right to revoke your consent at any time. This means that we will no longer process the data based on this consent in the future. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.
If we process your data on the basis of legitimate interests, you have the right to object to the processing of your data at any time on grounds relating to your particular situation. If it is a matter of objecting to the processing of data for direct marketing purposes, you have a general right of objection, which will also be implemented by us without giving reasons.
If you wish to exercise your right of revocation or objection, it is sufficient to send an informal message to the above contact details.
To exercise your rights, please send us an informal message (see 1. responsible body)