Privacy Policy

Current as of October 2025

A. Foreword

We, Sheronyx (owner Pascal Scherrer) (hereinafter collectively referred to as “the company,” “we,” or “us”), take the protection of your personal data seriously and would like to take this opportunity to inform you about data protection when using our app.

Since the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) came into force, we have obligations under data protection law to ensure the protection of the personal data of the person affected by the processing. The data subject is also referred to below as “customer,” “user,” “you,” or “data subject.”

Insofar as we decide alone or jointly with others on the purposes and means of data processing, we are particularly obliged to inform you transparently about the nature, scope, purpose, duration, and legal basis of the processing (Articles 13 and 14 GDPR). In this privacy policy, we explain how we process your personal data.

B. General

1. Definitions

Based on Art. 4 GDPR, this privacy policy is based on the following definitions:

  • “Personal data” (Article 4(1) GDPR) means any information relating to an identified or identifiable natural person (“data subject”). A person is identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, an online identifier, location data, or by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Identifiability may also be achieved by linking such information or other additional knowledge. The origin, form, or embodiment of the information is irrelevant (photos, video, or audio recordings may also contain personal data).
  • “Processing” (Art. 4 No. 2 GDPR) is any operation involving personal data, whether or not with the aid of automated (i.e., technology-based) procedures. This includes, in particular, the collection (i.e., procurement), recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning, combining, restricting, erasing or destroying personal data, as well as changing the original purpose or purpose for which the data was processed.
  • “Controller” (Art. 4 No. 7 GDPR) is the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • “Third party” (Art. 4 No. 10 GDPR) is any natural or legal person, public authority, agency, or other body other than the data subject, the controller, the processor, and the persons who, under the direct authority of the controller or processor, are authorized to process personal data; this also includes other legal entities belonging to the group.
  • “Processor” (Art. 4 No. 8 GDPR) is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller, in particular in accordance with the controller’s instructions (e.g., IT service providers). In terms of data protection law, a processor is not a third party.
  • “Consent” (Art. 4 No. 11 GDPR) of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

2. Changes to the privacy policy

(1) In the context of the further development of data protection law and technological or organizational changes, our data protection information is regularly reviewed for the need for adaptation or supplementation. You will be informed of any changes.
(2) This privacy policy is current as of October 2025.

C. Information about the processing of your data

1. Collection of personal data relating to you

When you use our app, we collect personal data about you. In doing so, we endeavor to limit processing to what is necessary for the provision and operation of the app.

2. Legal basis for data processing

(1) By law, any processing of personal data is prohibited in principle and is only permitted if the data processing falls under one of the following justifications:

  • Art. 6 (1) (a) GDPR (“Consent”): Where the data subject has voluntarily, in an informed manner and unambiguously indicated by a statement or other unequivocal affirmative action that he or she consents to the processing of personal data relating to him or her for one or more specific purposes;
  • Art. 6 (1) (b) GDPR: If processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • Art. 6 (1) (c) GDPR: If processing is necessary for compliance with a legal obligation to which the controller is subject (e.g., a statutory retention obligation);
  • Art. 5 (1) (d) GDPR: Processing is necessary to protect the vital interests of the data subject or another natural person;
  • Art. 6 (1) sentence 1 lit. e GDPR: If processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
  • Art. 6 (1) (f) GDPR (“legitimate interests”): If processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which are likely to result in the personal data being erased or restricted (in particular where the data subject is a child).

The storage of information in the end user’s terminal equipment or access to information already stored in the terminal equipment is only permitted if it is covered by one of the following justifications:

  • Section 25 (1) TTDSG: If the end user has given their consent on the basis of clear and comprehensive information. Consent must be given in accordance with Art. 6 (1) (a) GDPR;
  • § 25 (2) No. 1 TTDSG: If the sole purpose is to carry out the transmission of a message via a public telecommunications network; or
  • Section 25 (2) No. 2 TTDSG: If storage or access is absolutely necessary for the provider of a telemedia service to be able to provide a telemedia service expressly requested by the user.

(2) We specify the applicable legal basis for each of the processing operations we carry out below. Processing may also be based on several legal bases.

3. Data collected during download

(1) When downloading this app, certain personal data required for this purpose is transmitted to the relevant app store (e.g., Apple App Store or Google Play).
(2) In particular, the email address, user name, customer number of the downloading account, individual device identification number, payment information, and the time of the download may be transmitted to the app store during the download.
(3) We have no influence on the collection and processing of this data; it is carried out exclusively by the app store you have selected. Accordingly, we are not responsible for this collection and processing; the responsibility for this lies solely with the app store.

4. Data collected during use

(1) We can only make our app available to you if certain personal data required for the operation of the app is collected when you use it.

(2) We only collect this data if it is necessary for the fulfillment of the contract between you and us (Art. 6 (1) (b) GDPR). Furthermore, we collect this data if it is necessary for the functionality of the app and your interest in the protection of your personal data does not outweigh our legitimate interest (Art. 6 (1) (f) GDPR) or if you consent to the collection and processing (Art. 6 (1) (a) GDPR).

(3) We collect and process the following data from you for the following purposes on the basis described below:

Overview of collected data

  • Device information when the game is launched (via Unity Authentication)
    Content: IP address, device ID, device type, settings, app version, PlayerID, operating system.
    Purpose: To enable technical operation of the app (Art. 6 (1) (b) GDPR).
    Storage: EU (Belgium, Netherlands), backup in the USA (Iowa).
  • Login via Apple Game Center (via Unity Authentication)
    Content: Apple Game Center ID, name, email (if shared with Apple).
    Purpose: Technical operation of the app (Art. 6 (1) (b) GDPR).
    Storage: EU (Ireland) and USA.
  • Login via Google Play Games (via Unity Authentication)
    Content: Google Play Games ID, name, email (if shared with Google).
    Purpose: Technical operation of the app (Art. 6 (1) (b) GDPR).
    Storage: EU (Belgium, Finland) and USA.
  • Player profile management (via Unity Player Management)
    Content: Player ID, scores, progress.
    Purpose: Technical operation of the app (Art. 6 (1) (b) GDPR).
    Storage: EU (Belgium, Netherlands), backup in the USA (Iowa).
  • Public leaderboard display (via Unity Leaderboards)
    Content: Player ID, display name, score, timestamp.
    Purpose: Technical operation of the app (Art. 6 (1) (b) GDPR).
    Storage: EU (Belgium, Netherlands), backup in the USA (Iowa).
  • Usage analytics (via Unity Analytics)
    Content: Device data, usage duration, crash reports, country, language.
    Purpose: Improve stability and gameplay experience (Art. 6 (1) (a) GDPR).
    Storage: EU (Belgium, Netherlands), backup in the USA (Iowa).

(4) If the processing of the data requires the storage of information on your end device or access to information already stored on the end device, § 25 (1), (2) No. 2 TTDSG forms the legal basis for this.

5. Period of data storage

(1) We will delete your personal data as soon as it is no longer required for the purposes for which it was collected or used (see C. 4.). If there are legal retention obligations or overriding legitimate interests (e.g., to assert, exercise, or defend legal claims), the data will not be deleted until these obligations or interests expire, but will be blocked for other processing. We generally store your personal data for the duration of the usage or contractual relationship via the app. Storage is generally carried out on servers within the European Union; any transfers are governed by F. 1., 2. and 3. Technical log data (e.g., IP addresses) is only stored by Unity Technologies AsP for a short period of time, and in any case for no longer than 30 days.

(2) Storage may continue beyond the specified period in the event of a (threatened) legal dispute with you or other legal proceedings.
(3) Third parties employed by us (see F. 4.) will store your data on their system for as long as is necessary in connection with the provision of the service for us in accordance with the respective order.
(4) Legal requirements for the storage and deletion of personal data remain unaffected by the above (e.g., Section 257 of the German Commercial Code (HGB) or Section 147 of the German Fiscal Code (AO)). When the storage period prescribed by law expires, the personal data will be blocked or deleted, unless further storage by us is necessary and there is a legal basis for this.

6. Data security

We take appropriate technical and organizational measures to protect personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, and unauthorized access. In doing so, we take into account the state of the art, the costs of implementation, the nature, scope, circumstances, and purposes of the processing, as well as the varying likelihood and severity of the risks to the rights and freedoms of data subjects. Our security measures are regularly reviewed and continuously adapted and improved in line with technological developments.

7. No automated decision-making (including profiling)

We do not intend to use the personal data you have provided for automated decision-making (including profiling).

8. Change in the purpose of the respective processing

(1) Your personal data will only be processed for purposes other than those described if this is permitted by law or if you have consented to the changed purpose of data processing.
(2) In the event of further processing for purposes other than those for which the data was originally collected, we will inform you of these other purposes prior to further processing and provide you with all further relevant information.

D. Responsibility for your data and contacts

1. Responsible party and contact details

(1) The controller responsible for the processing of your personal data within the meaning of Art. 4 No. 7 GDPR is:
Pascal Scherrer
Imberstraße 12
76227 Karlsruhe
info@sheronyx.com

(2) Please contact this body if you wish to exercise your rights as described in Chapter G or if you have any other questions or suggestions.

2. Data collection when contacting us

(1) If you contact us by email or via a contact form, we will store your email address, your name, and all personal data transmitted in the course of contacting us in order to review and process your inquiry and to enable us to respond accordingly.
(2) The data will be deleted as soon as the purpose for storage no longer applies. If this conflicts with statutory retention periods, the data will not be deleted; instead, processing will be restricted and the data will only be retained to fulfill the retention obligations.

E. Data processing by third parties

1. Contract data processing

(1) Individual functions of our app are provided by external service providers. These are only active according to our instructions and are contractually obliged to comply with data protection regulations in accordance with Art. 28 GDPR.
(2) The following categories of recipients, which are generally processors, may have access to your personal data:

  • Service providers for the operation of our app and the processing of data stored or transmitted by the systems (e.g., for data center services, payment processing, IT security). The legal basis for the transfer is then Art. 6 (1) (b) or (f) GDPR, unless the recipients are processors;
  • Government agencies or authorities, insofar as this is necessary to fulfill a legal obligation in accordance with Art. 6 (1) (c) GDPR;
  • Persons employed to carry out our business operations (e.g., auditors, banks, insurance companies, legal advisors, supervisory authorities, parties involved in company acquisitions or mergers) in accordance with Art. 6 (1) (b) or (f) GDPR.

(3) Furthermore, we only disclose your personal data to third parties if you have given your express consent in accordance with Art. 6 (1) (a) GDPR.

2. Requirements for the transfer of personal data to third countries

(1) Within the scope of our business relationship, it may be necessary to transfer or disclose your personal data to third-party companies. These recipients may also be located in countries outside the European Economic Area (EEA), i.e., in third countries. Such processing is carried out exclusively for the purpose of fulfilling our contractual and business obligations and maintaining our business relationship with you; the legal basis is Art. 6 (1) lit. b or lit. f in conjunction with Art. 44 ff. GDPR. We will inform you about the respective details of the transfer below at the relevant points.

(2) The European Commission has determined, by means of adequacy decisions, that certain third countries have a level of data protection comparable to that of the European Economic Area (EEA) (a current list of these countries and copies of the decisions can be found at: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en). In other third countries to which personal data may be transferred, there may not be a consistently high level of data protection due to a lack of corresponding legal requirements. In these cases, we ensure appropriate safeguards to guarantee an adequate level of protection, in particular through: binding corporate rules (Art. 47 GDPR), standard contractual clauses of the European Commission pursuant to Art. 46 (2) (c) GDPR (2021 version), recognized codes of conduct pursuant to Art. 40 GDPR, or certifications pursuant to Art. 42 GDPR.

3. Legal obligation to transfer certain data

Under certain circumstances, we are obliged by law to transfer or disclose lawfully processed personal data to third parties, in particular to public authorities; this is done in order to fulfill a legal obligation pursuant to Art. 6 (1) (c) GDPR and only to the extent required by law.

4. List of our contract data processors

For the operation of the app, we currently use the following service providers as contract data processors, with whom the following agreements form the basis:

List of contract data processors

  • Unity Technologies ApS
    Nørre Voldgade 82, 1358 Copenhagen, Denmark — DPO@unity3d.com
    Purpose: Player Authentication, Leaderboards, and Analytics (Art. 6 (1) (b), (a) GDPR).
    Data: PlayerID, device data, scores, timestamps, crash reports.
    Storage: EU (Belgium, Netherlands), backups in the USA (Iowa).
    Agreement: Standard Contractual Clauses of the European Commission — unity.com/legal/unity-data-processing-addendum-dpa
  • Apple Inc.
    One Apple Park Way, Cupertino, CA 95014, USA — apple.com/de/privacy/contact
    Purpose: Game Center login (Art. 6 (1) (b) GDPR).
    Data: Apple Game Center ID, name, email (if shared).
    Storage: EU (Ireland) and USA.
    Agreement: Standard Contractual Clauses — apple.com/legal/privacy
  • Google Ireland Ltd.
    Gordon House, Barrow Street, Dublin 4, Ireland — dpo-google@google.com
    Purpose: Play Games login (Art. 6 (1) (b) GDPR).
    Data: Google Play Games ID, name, email (if shared).
    Storage: EU (Belgium, Finland) & USA.
    Agreement: Standard Contractual Clauses — policies.google.com/privacy/frameworks

F. Your rights

1. Right to information

(1) You have the right to obtain from us information about your personal data within the scope of Art. 15 GDPR.
(2) To do so, you must submit a request either by email or by post to the addresses given above (see D. 1.).

2. Right to object to data processing and revoke consent

(1) In accordance with Art. 21 GDPR, you have the right to object to the processing of personal data concerning you at any time. We will stop processing your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or if the processing serves to assert, exercise, or defend legal claims.
(2) Pursuant to Art. 7 (3) GDPR, you have the right to withdraw your consent once given at any time, if you have given such consent. As a result, we will no longer be allowed to continue processing data based on this consent in the future.
(3) In this regard, please contact the contact point specified above (see D. 1.).

3. Right to rectification and erasure

(1) If personal data concerning you is inaccurate, you have the right under Art. 16 GDPR to request that we correct it without delay. Please contact the above-mentioned contact point (see D. 1.) with any such request.
(2) Under the conditions of Art. 17 GDPR, you have the right to request the erasure of personal data concerning you. Please contact the above-mentioned contact point (see D. 1.) with any requests in this regard. You are particularly entitled to the right to erasure if the data in question is no longer necessary for the purposes of collection or processing, if the data storage period (see C. 5.) has expired, if there is an objection (see F. 2.), or if there has been unlawful processing.

4. Right to restriction of processing

(1) Pursuant to Art. 18 GDPR, you have the right to request that we restrict the processing of your personal data.
(2) Please contact the above-mentioned contact point (see D. 1.) with any requests in this regard.
(3) You have the right to have the processing of your personal data restricted, in particular (i) for the duration necessary to verify the accuracy of the data if the accuracy of the data is disputed between you and us; (ii) for the duration of the clarification of whether the conditions for a right of objection under F. 2 are met, if this is disputed between you and us; and (iii) if you have a right to erasure under F. 3 and you request restriction of processing instead of erasure.

5. Right to data portability

(1) Pursuant to Art. 20 GDPR, you have the right to receive from us the personal data concerning you that you have provided to us in a structured, commonly used, machine-readable format.
(2) Please contact the above-mentioned contact point (see D. 1.) with any requests in this regard.

6. Right to lodge a complaint with the supervisory authority

(1) Pursuant to Art. 77 GDPR, you have the right to lodge a complaint with the competent supervisory authority regarding the collection and processing of your personal data.
(2) You can contact the competent supervisory authority at the following address:
State Commissioner for Data Protection and Freedom of Information
Lautenschlagerstraße 20, 70173 Stuttgart
Poststelle@lfdi.bwl.de / poststelle@lfdi.bwl.de-mail.de
0711/615541-0

Annex 1 – Switzerland (nDSG / Swiss Federal Act on Data Protection)

Applicable to users located in Switzerland.

This section supplements the main Privacy Notice and addresses specific requirements under the Swiss Federal Act on Data Protection (revDSG/nDSG), which entered into force on 1 September 2023.

Controller

The controller responsible for data processing in relation to users in Switzerland is the same entity identified in Section D.1 of this Privacy Notice:

Pascal Scherrer
Schulstraße 17
76437 Rastatt
Germany
(info@sheronyx.com)

Applicable Legal Framework

The processing of your personal data is governed by the Swiss Federal Act on Data Protection (nDSG) where applicable. Where the nDSG provides for requirements equivalent to those of the GDPR, the provisions set out in the main body of this Privacy Notice apply correspondingly.

Cross-Border Data Transfers

Personal data may be transferred to countries outside Switzerland, including to the United States of America (e.g., via Unity Technologies ApS and Apple Inc., as identified in Section E.4).

Where the recipient country does not ensure an adequate level of data protection recognised by the Swiss Federal Data Protection and Information Commissioner (FDPIC), we ensure an appropriate level of protection by means of the standard contractual clauses approved by the European Commission (applied correspondingly under Swiss law), or other suitable safeguards.

Your Rights under Swiss Law

You have the following rights in relation to your personal data processed under the nDSG:

  • Right of access (Art. 25 nDSG)
  • Right to rectification (Art. 32 nDSG)
  • Right to erasure and restriction of processing (Art. 32 nDSG)
  • Right to data portability where processing is carried out by automated means (Art. 28 nDSG)
  • Right to object to processing, in particular for purposes of direct marketing

To exercise any of these rights, please contact the controller at the address set out in Section D.1.

Supervisory Authority

If you believe that the processing of your personal data violates Swiss data protection law, you have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC):

Federal Data Protection and Information Commissioner (FDPIC)
Feldeggweg 1
3003 Berne
Switzerland
https://www.edoeb.admin.ch

Annex 2 – United Kingdom (UK GDPR / Data Protection Act 2018)

Applicable to users located in the United Kingdom.

This section supplements the main Privacy Notice and addresses specific requirements under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Controller

The controller is Pascal Scherrer, Schulstraße 17, 76437 Rastatt, Germany (info@sheronyx.com). As the controller is not established in the UK, users in the United Kingdom may also contact us directly at the address above for any data protection queries.

Legal Bases for Processing

The legal bases for processing under the UK GDPR mirror those set out in the main Privacy Notice (UK GDPR Art. 6). References to “GDPR” in the main notice are to be read as references to the UK GDPR for users in the United Kingdom.

International Data Transfers

Transfers of personal data from the UK to third countries (including the USA, as described in Section E.4 of this Privacy Notice) are carried out on the basis of the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as applicable, or on the basis of an adequacy decision by the UK Secretary of State.

Your Rights

You have the following rights under the UK GDPR:

  • Right of access (UK GDPR Art. 15)
  • Right to rectification (UK GDPR Art. 16)
  • Right to erasure (UK GDPR Art. 17)
  • Right to restriction of processing (UK GDPR Art. 18)
  • Right to data portability (UK GDPR Art. 20)
  • Right to object (UK GDPR Art. 21)
  • Rights in relation to automated decision-making and profiling (UK GDPR Art. 22); note that we do not engage in automated decision-making or profiling.

To exercise your rights, please contact info@sheronyx.com.

Supervisory Authority

You have the right to lodge a complaint with the UK supervisory authority:

Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
https://ico.org.uk
Tel: 0303 123 1113

Annex 3 – United States of America

Applicable to users located in the United States.

This section supplements the main Privacy Notice and addresses applicable U.S. state and federal privacy law requirements.

A. General U.S. Disclosures

Categories of Personal Information Collected

We collect the following categories of personal information, as described in detail in Section C.4 of this Privacy Notice:

  • Identifiers (e.g., device ID, IP address, PlayerID, Apple/Google Game Center ID, email address where shared)
  • Internet or other electronic network activity information (e.g., app usage data, crash reports, timestamps)
  • Geolocation data (country-level, derived from IP address)
  • Inferences drawn from the above to create a profile related to app performance

Purposes of Collection

Personal information is collected to operate and maintain the app, manage player profiles and leaderboards, and (with your consent) to improve the app through analytics.

Sale or Sharing of Personal Information

We do not sell your personal information to third parties for monetary consideration. We do not share your personal information with third parties for cross-context behavioural advertising purposes.

Retention

We retain personal information for the duration of your use of the app or as otherwise described in Section C.5 of this Privacy Notice.

B. California Privacy Rights (CPRA / CCPA)

Applicable to residents of California.

Under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), California residents have the following rights:

  1. Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purposes for collection, and the categories of third parties with whom we share personal information.
  2. Right to Delete: You have the right to request the deletion of personal information we have collected from you, subject to certain exceptions.
  3. Right to Correct: You have the right to request correction of inaccurate personal information.
  4. Right to Opt Out of Sale/Sharing: As stated above, we do not sell or share personal information for cross-context behavioural advertising. No opt-out is therefore required; however, you may submit a request to confirm this at any time.
  5. Right to Limit Use of Sensitive Personal Information: We do not process sensitive personal information as defined under the CPRA beyond what is permitted without the right to limit.
  6. Right to Non-Discrimination: You will not receive discriminatory treatment for exercising your privacy rights.

How to Submit a Request

To exercise your rights, please contact us at:

  • Email: info@sheronyx.com
  • We will respond to verifiable consumer requests within 45 days, with a possible extension of a further 45 days where necessary.

Authorised Agent

You may designate an authorised agent to make a request on your behalf. We may require written proof of authorisation.

Shine the Light

California residents may request information about disclosures of personal information to third parties for direct marketing purposes under California Civil Code § 1798.83. We do not disclose personal information for such purposes.

C. Other U.S. State Privacy Rights

Applicable to residents of Virginia, Colorado, Connecticut, Texas, Utah, and other states with comprehensive privacy legislation.

Residents of certain U.S. states (including but not limited to Virginia, Colorado, Connecticut, Texas, and Utah) may have rights similar to those described for California residents above, including rights of access, correction, deletion, portability, and opt-out from targeted advertising, profiling, and sale. We do not engage in the sale of personal information or targeted advertising.

To exercise applicable rights, please contact us at info@sheronyx.com. Where your state law provides for an appeals process, you may appeal our decision regarding your request by contacting us at the same address.

D. Children’s Privacy (COPPA)

This app is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us at info@sheronyx.com so that we may delete it promptly.

Annex 4 – Canada (PIPEDA / Provincial Privacy Laws)

Applicable to users located in Canada.

This section supplements the main Privacy Notice and addresses requirements under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws.

Principle of Accountability

We are responsible for personal information under our control and have designated info@sheronyx.com as the point of contact for privacy-related matters in Canada.

Purposes of Collection

We collect, use, and disclose personal information only for the purposes identified in Section C.4 of this Privacy Notice, or for purposes a reasonable person would consider appropriate in the circumstances.

Consent

We obtain your consent to the collection, use, or disclosure of personal information, except where permitted or required by law. You may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.

Cross-Border Transfers

Your personal information may be transferred to, and processed in, countries outside Canada, including the USA and EU member states, as described in Sections E.2 and E.4. We ensure that appropriate contractual safeguards are in place.

Your Rights

You have the right to access your personal information held by us and to challenge its accuracy. To do so, please contact info@sheronyx.com.

Supervisory Authority

If you have unresolved concerns, you may lodge a complaint with:

Office of the Privacy Commissioner of Canada (OPC)
30 Victoria Street
Gatineau, Québec K1A 1H3
https://www.priv.gc.ca

Annex 5 – Brazil (LGPD)

Applicable to users located in Brazil.

This section supplements the main Privacy Notice and addresses requirements under Brazil’s Lei Geral de Proteção de Dados (LGPD – Law No. 13,709/2018).

Controller (Controlador)

Pascal Scherrer, Schulstraße 17, 76437 Rastatt, Germany; info@sheronyx.com.

Legal Bases for Processing (Hipóteses Legais)

Personal data is processed on the following legal bases under the LGPD:

  • Execution of a contract (Art. 7(V) LGPD) – for data necessary to operate the app
  • Consent (Art. 7(I) LGPD) – for analytics data
  • Legitimate interest (Art. 7(IX) LGPD) – where applicable and proportionate

Your Rights (Art. 18 LGPD)

Brazilian users have the right to:

  • Confirmation of the existence of processing and access to your data
  • Correction of incomplete, inaccurate, or outdated data
  • Anonymisation, blocking, or deletion of unnecessary or excessive data
  • Portability of your data to another service provider
  • Deletion of personal data processed on the basis of consent
  • Information about public and private entities with which data has been shared
  • Withdrawal of consent at any time

To exercise your rights, please contact info@sheronyx.com.

International Transfers

International transfers are made subject to appropriate safeguards, including standard contractual clauses consistent with LGPD requirements.

Supervisory Authority

Autoridade Nacional de Proteção de Dados (ANPD)
https://www.gov.br/anpd

Annex 6 – China (PIPL)

Applicable to users located in the People’s Republic of China.

This section supplements the main Privacy Notice in accordance with the Personal Information Protection Law of the People’s Republic of China (PIPL, effective 1 November 2021).

Personal Information Controller (个人信息处理者)

Pascal Scherrer, Schulstraße 17, 76437 Rastatt, Germany; info@sheronyx.com.

Legal Bases for Processing

Under PIPL, personal information is processed on the following bases:

  • Individual consent (Art. 13(1) PIPL) – for all processing described in Section C.4, including analytics
  • Performance of a contract (Art. 13(2) PIPL) – for data necessary to operate the app

We obtain your separate and explicit consent for:

  • Transfer of your personal information to third-party service providers (Section E.4)
  • Cross-border transfer of your personal information outside the PRC

Cross-Border Data Transfers

Your personal information may be transferred to servers located outside the PRC (including in Belgium, the Netherlands, Ireland, and the USA), as described in Section E.4. Such transfers are carried out on the basis of a Standard Contract filed with the Cyberspace Administration of China (CAC) in accordance with Art. 38(1)(iii) PIPL, or another mechanism permitted under PIPL.

You will be informed of the identity of the overseas recipient, the country of destination, the processing purposes, and the means of exercising your rights overseas prior to any such transfer.

Processing of Minors’ Personal Information

We do not knowingly process personal information of individuals under the age of 14. If we discover that personal information of a minor under 14 has been collected, we will delete it promptly.

Your Rights (Art. 44–50 PIPL)

You have the right to:

  • Access and copy your personal information
  • Correct inaccurate personal information
  • Delete personal information under certain circumstances
  • Withdraw consent (without affecting the lawfulness of processing prior to withdrawal)
  • Obtain a copy of your personal information (data portability)
  • Receive an explanation of automated decision-making rules

To exercise your rights, please contact info@sheronyx.com.

Annex 7 – Japan (APPI)

Applicable to users located in Japan.

This section supplements the main Privacy Notice in accordance with Japan’s Act on the Protection of Personal Information (APPI), as amended (effective April 2022).

Business Operator Handling Personal Information

Pascal Scherrer, Schulstraße 17, 76437 Rastatt, Germany; info@sheronyx.com.

Purposes of Use

Personal information is used for the purposes described in Section C.4 of this Privacy Notice: to operate the app, manage player data, display leaderboards, and (with consent) to improve the app through analytics.

Third-Party Provision

Personal information is provided to third-party service providers (Section E.4) as data processors acting under our instructions. Where required by APPI, we maintain records of third-party provisions and will disclose these upon request.

Cross-Border Transfers

Where personal information is transferred to countries outside Japan (including the USA and EU member states), we ensure that the overseas recipient has implemented a personal information protection system that meets standards equivalent to those required under APPI, or we obtain your consent to the transfer after providing information about the protection system in place in the destination country.

Your Rights

You have the right to request:

  • Disclosure of retained personal information held about you
  • Correction, addition, or deletion of inaccurate personal information
  • Suspension of use or erasure of personal information processed in violation of APPI
  • Suspension of provision to third parties

To exercise your rights, please contact info@sheronyx.com.

Supervisory Authority

Personal Information Protection Commission (PPC)
https://www.ppc.go.jp

Annex 8 – South Korea (PIPA)

Applicable to users located in the Republic of Korea.

This section supplements the main Privacy Notice in accordance with South Korea’s Personal Information Protection Act (PIPA).

Personal Information Controller

Pascal Scherrer, Schulstraße 17, 76437 Rastatt, Germany; info@sheronyx.com.

As the controller is not established in Korea, [note: if the app is systematically offered to Korean users, a local representative (Art. 39-11 PIPA) may be required — this must be assessed and implemented separately].

Purposes and Items of Processing

Personal information (including device identifiers, PlayerID, usage data, and analytics data where consented) is processed for the purposes described in Section C.4.

Retention and Destruction

Personal information is retained for the period described in Section C.5 and is then destroyed without delay.

Third-Party Provision

Personal information is provided to the processors listed in Section E.4, acting under our instructions and subject to data processing agreements.

Cross-Border Transfers

Personal information is transferred to countries outside Korea (including Belgium, the Netherlands, Ireland, and the USA) as described in Section E.4.

Such transfers are made on the basis of your consent or another lawful mechanism under PIPA, after informing you of: the recipient’s identity, the country of destination, the dates and methods of transfer, the items of personal information transferred, the purposes of use by the recipient, and the retention/destruction period.

Your Rights

You have the right to:

  • Request access to your personal information
  • Request correction of inaccurate data
  • Request deletion of personal information
  • Request suspension of processing
  • Withdraw consent

To exercise your rights, contact info@sheronyx.com.

Supervisory Authority

Personal Information Protection Commission (PIPC)
https://www.pipc.go.kr

Annex 9 – Singapore (PDPA)

Applicable to users located in Singapore.

This section supplements the main Privacy Notice in accordance with Singapore’s Personal Data Protection Act 2012 (PDPA), as amended.

Organisation Responsible for Personal Data

Pascal Scherrer, Schulstraße 17, 76437 Rastatt, Germany; info@sheronyx.com.

Purposes of Collection, Use, and Disclosure

Personal data is collected, used, and disclosed for the purposes described in Section C.4: to operate the app, manage player profiles and leaderboards, and (with your consent) to conduct analytics.

Consent

By using the app, you consent to the collection, use, and disclosure of your personal data in accordance with this Privacy Notice. You may withdraw consent at any time by contacting info@sheronyx.com, subject to legal or contractual restrictions. Withdrawal of consent may affect our ability to provide the app to you.

Overseas Transfer

Personal data may be transferred to countries outside Singapore (including Belgium, the Netherlands, Ireland, and the USA). We ensure that such recipients provide a standard of protection comparable to that under the PDPA through contractual arrangements.

Access and Correction

You have the right to request access to and correction of your personal data held by us. Please contact info@sheronyx.com.

Data Breach Notification

In the event of a data breach that is notifiable under the PDPA, we will notify the Personal Data Protection Commission (PDPC) and affected individuals as required by law.

Supervisory Authority

Personal Data Protection Commission (PDPC)
https://www.pdpc.gov.sg

Annex 10 – India (Digital Personal Data Protection Act, 2023)

Applicable to users located in India.

This section supplements the main Privacy Notice in accordance with India’s Digital Personal Data Protection Act, 2023 (DPDPA).

Data Fiduciary

Pascal Scherrer, Schulstraße 17, 76437 Rastatt, Germany; info@sheronyx.com.

Basis for Processing

Personal data is processed on the basis of your free, specific, informed, unconditional, and unambiguous consent (Section 6 DPDPA) or for legitimate uses as prescribed by law.

Purposes of Processing

Personal data is processed for the purposes described in Section C.4 of this Privacy Notice.

Cross-Border Transfers

Personal data may be transferred to countries notified by the Central Government as permissible under the DPDPA. Pending the issuance of the relevant notification, we ensure that appropriate safeguards are in place in line with current guidance.

Your Rights (Data Principal Rights)

You have the following rights under the DPDPA:

  • Right to access information about your personal data being processed
  • Right to correction and erasure of personal data
  • Right to grievance redressal
  • Right to nominate another individual to exercise rights on your behalf in the event of death or incapacity

To exercise your rights, please contact info@sheronyx.com.

Grievance Redressal

To raise a grievance regarding the processing of your personal data, please contact info@sheronyx.com. We will respond within a reasonable timeframe in accordance with applicable rules.

Supervisory Authority

Data Protection Board of India (to be established under DPDPA)
Ministry of Electronics and Information Technology (MeitY):
https://www.meity.gov.in