PRIVACY STATEMENT PARENTS

Version July 2023

1.   General information

The Poki Kids Website is dedicated to website visitors under the age of 16 years (“Website Visitors”) and provides a safe environment for such children. Poki is especially committed to protecting the privacy of these Website Visitors. This is explained in a simplified manner in our Privacy Info document, in order to also be understandable for children. For parents or guardians that are interested in being informed on how Poki process data of the Website Visitors in more detail, we’ve drafted this “Privacy Statement Parents” as well as the "Cookie Statement Parents". It is designed to provide further transparency into Poki’s privacy practices and principles. It provides information on the data that we collect from Website Visitors through our kids.poki.com web platform (“Poki Kids Website”) from the European Economic Area (EEA).

The Poki Kids Website is owned and operated by Poki B.V. (referred to in this Privacy Statement Parents as “Poki", “we", “our", or “us"). Poki is an entity incorporated under the laws of the Netherlands.

Please note that we determine the language of this Privacy Statement Parents based on the language settings of your browser.

2.   Which data is used and for what purposes?

All features on the Poki Kids Website are available without the need for registration by Website Visitors. We don’t work with accounts or chat box functions. No personal data (such as email addresses and phone numbers) is requested from Website Visitors. Furthermore, we don’t allow any third parties to place advertisements on our Poki Kids Website.

Nonetheless, Poki does process certain electronic data when someone visits the Poki Kids Website for specific purposes, as detailed below.

Processing data on the Poki Kids Website

We process data for providing, maintaining and improving our Poki Kids Website. For more specific information on the cookies and similar technologies used in thisrespect, please refer to our Cookie Statement Parents.

The persons involved. Website Visitors: people who visit the Poki Kids Website.

The purpose of the processing. When a Website Visitor visits the Poki Kids Website or contacts us via e-mail, we will process your information for the following purposes:

  • For the functioning of the Poki Kids Website: incl. remembering the Website Visitor’s settings and to save the Website Visitor’s game progress.
  • For handling any requests, complaints and disputes, for example when you contact us;
  • For determining, exercising and defending our rights; and
  • For complying with legal obligations (incl. fraud prevention) and requests of authorized governmental institutions.

The data that is processed. When a Website Visitor visits the Poki Kids Website, we may process the following information which is collected automatically:

  • IP address;
  • Device ID;
  • Browser type;
  • Browser language setting;
  • Other technical information, such as regarding the interaction between the Website Visitor’s device and our website, the web pages that were visited and the log data;
  • Information provided to us by e-mailing kids@poki.com or contacting us by phone or postal mail.

Sensitive information:

In the context of the Poki Kids Website we do not, in principle, process sensitive information.

Legal grounds for the processing. We base the use of the Website Visitor’s data in the context of the Poki Kids Website on our legitimate interest in offering and securing our website, and pursuing the other processing purposes listed above. If you want more information about this, you can contact us directly via our contact details stated below.

We may also process a Website Visitor’s data based on a legal obligation. This means that we will process the data for as far as we are legally obliged to do so, for instance if we receive an injunction that we need to adhere to.

3.   How do we obtain data?

We obtain a Website Visitor’s data in various ways:

  • Provided by the Website Visitor. Some data we receive straight from you or the minor you represent, when we are contacted via the contact details listed below.
  • Automatically obtained. Some data we obtain automatically, for example by using cookies and similar techniques. When the Website Visitor’s device contacts our web servers when a Website Visitor visits the Poki Kids Website, our web servers automatically collect usage information. Further information on this is included in our Cookie Statement Parents.

The Website Visitor is under no obligation to provide any information about themselves to us. However, refusal to supply certain information via cookie blockers, might impact the Website Visitor’s experiences on or functionality of the Poki Kids Website (e.g. the Website Visitor will not be able to use the “save game” functionality). If the provision of certain personal data is a legal or contractual obligation or an essential requirement for concluding an agreement with us, we will separately provide additional information about this for as far as this is not clear in advance. In this case we will also inform about the possible consequences if this information is not provided.

4.   Who do we share data with?

We only share a Website Visitor’s data with third parties if:

  • This is necessary for the provision of a service or the involvement of the third party. Sub-contractors, for example, will in principle only get access to the personal data that they require for their part of the service provision and will not be allowed to process the data for their own purposes.
  • The persons within the third party that have access to the personal data are under an obligation to treat this data confidentially. Where necessary this is also contractually agreed on.
  • The third party is obliged to comply with the applicable regulations for the protection of personal data, for instance because we have concluded an agreement with this party or because our Terms of Use apply. This includes that the party is obliged to ensure appropriate technical and organizational security measures, and that any transfer of personal data to countries outside the EEA is adequately legitimized.

We could share a Website Visitor’s data on a need-to-know basis with the parties mentioned below. In this context, "need-to-know" means that a party only gets access to the Website Visitor’s data if and insofar as this is required for the professional services provided by this party.

  • Authorized persons, employed by Poki, who are involved with the processing activity concerned. Such as, the members of the support team a Website Visitor is in contact with.
  • Authorized persons, employed by service providers / sub-contractors engaged by Poki, who are involved with the processing activity concerned.
  • Authorized government institutions. Such as, courts, police, and law enforcement agencies. We may release information about our Website Visitors, including IP address, when legally required to do so, at the request of governmental institutions conducting an investigation or to verify or enforce compliance with the policies governing the Poki Kids Website and applicable laws. We may also disclose such user information whenever we believe disclosure is necessary to protect the rights, property or safety of Poki or others.

5.   How do we secure data?

Protecting the Website Visitors’ privacy and data is very important to us. Therefore, Poki has implemented appropriate technical and organizational measures to protect and secure a Website Visitor’s data, in order to prevent violations of the confidentiality, integrity and availability of data. All Poki employees and other persons engaged by Poki for the processing of a Website Visitor’s data are obliged to respect the confidentiality of this data.

Poki has internal documentation in which it is described how we safeguard an appropriate level of technical and organizational security. In addition, a data breach procedure is applicable within Poki, in which it is explained how (potential) data breaches need to be handled. We will, for example, inform the competent supervisory authority and involved data subjects when this is required by the applicable law.

6.   To which countries will we transfer data?

Parties involved with the processing of a Website Visitor’s data originating from the EEA, may be located in a different country. In case the data is processed outside the EEA, the transfer is legitimized in the manner described below. You can find an overview of the EEA countries here: https://ind.nl/en/Pages/eu-eea-countries.aspx.

Transfers outside the EEA. The transfer of personal data to a third party outside the EEA can in the first place be legitimized based on an adequacy decision of the European Commission, in which it is decided that the (part within the) third country in question ensures an adequate level of data protection. On the website of the European Commission, you can find an overview of the adequacy decisions that have been taken.

If personal data is transferred to a country outside the EEA for which there is no adequacy decision, we agree on the applicability of the relevant version of the Standard Contractual Clauses with the relevant party. This is a standard contract to safeguard the protection of personal data, which is approved by the European Commission, in which the parties fill out the appendices. Where appropriate, additional safeguards are taken.

In specific situations we can also rely on the derogations from article 49 GDPR to legitimize the data transfer. This means that we may transfer personal data: (i) with explicit consent, (ii) if this is necessary for the performance of a contract that has been concluded with the Website Visitor or has been concluded in its interest, or (iii) if this is necessary for the establishment, exercise or defense of legal claims. Lastly, in exceptional cases we may also transfer a Website Visitor’s data if the data transfer is necessary for our compelling legitimate interests and is not overridden by the Website Visitor’s interests or rights and freedoms.

You can contact us if you want additional information about the way in which we legitimize the transfer of personal data to countries outside the EEA. Our contact details are stated at the bottom of this document: Privacy Statement Parents.

7.   How do we determine how long we retain data?

In general, we do not keep a Website Visitor’s data for longer than what is necessary in relation to the purposes for which we process this data. There could however be exceptions applicable to the general retention terms.

Exception: shorter retention period. If a Website Visitor or someone on their behalf exercises certain privacy rights, it is possible that Poki will remove the related personal data earlier than the general applicable retention period or – oppositely – retain it for a longer period of time. For more information about this, please refer to the header "Which privacy rights apply (incl. the right to object)?"

Exception: longer retention period. In certain situations, we process a Website Visitor’s data for a longer period of time than what is necessary for the purpose of the processing. This is for instance the case when we have to process the personal data for a longer period of time:

  • Retention obligation. To comply with a minimum retention period or other legal obligation to which we are subject based on the applicable law. This will in principle not apply to cookie related data.
  • Procedure. The data is necessary in relation to a legal procedure.
  • Freedom of expression. When further processing of the data is necessary in order to exercise the right to freedom of expression and information. This will in principle not apply to cookie related data.

8.   Which privacy rights apply (incl. right to object)?

Based on the General Data Protection Regulation ("GDPR"; (EU) 2016/679) Website Visitors have various privacy rights. To what extent these rights can be exercised, may depend on the circumstances of the processing, such as the manner in which Poki processes the personal data and the legal basis for the processing. Below we included a summary of the relevant privacy rights under the GDPR. For more information about this, you can visit the website of the European Commission.

We will respond to all requests without undue delay. If our full response will ever take more than a month due to the complexity or number of requests, we will inform on this. Furthermore, please note that we may request more information to confirm the identity of the person filing the request – thus the Website Visitor or its legal representation – before acting on any request.

8.1    Applicable privacy rights.

In relation to our processing of the Website Visitors’ personal data, the below privacy rights apply.

  1. Right of access. This concerns the right to request access to a Website Visitor’s personal data. This enables the Website Visitor or its legal representation to receive a copy of the data we hold about the Website Visitor (but not necessarily the files themselves). We will then also provide further specifics of our processing of the personal data. For example, the purposes for which we process the data, where we got it from, and with whom we share it.
  2. Right to rectification.This concerns the right to request rectification of the data that we hold about the Website Visitor. This enables the Website Visitor or its legal representation to have any incomplete or inaccurate data corrected.
  3. Right to erasure.This concerns the right to request erasure of the data. This enables the Website Visitor or its legal representation to ask us to delete or remove personal data where: (i) the data is no longer necessary, (ii) the processing activities have been objected to, (ii) the data has been unlawfully processed, (iv) the data has to be erased on the basis of a legal requirement, or (v) where the data has been collected in relation to the offering of information society services. However, we do not have to honor such request in all cases.
  4. Right to object.This concerns the right to object to the processing of personal data where we are relying on legitimate interest as processing ground (see above). Insofar as the processing of the data takes place for direct marketing purposes, we will always honor an objection; however, we do not process the data of Website Visitors for these purposes. For processing for other purposes, we will also cease and desist processing, unless we have compelling legitimate grounds for the processing which override the Website Visitor’s interests, rights and freedoms or that are related to the institution, exercise or substantiation of a legal claim. If such is the case, we will inform on our compelling interests and the balance of interests made.
  5. Right to restriction.The right to restriction of processing means that Poki will continue to store personal data at the request of the Website Visitor or its legal representation but may in principle not do anything further with it. In short, this right can be exercised when Poki does not have (or no longer has) any legal grounds for the processing of the data or if this is under discussion.
  6. Automated decision-making. This concerns the right not to be subject to a decision based solely on automated processing, which significantly impacts the Website Visitor. In this respect, please be informed that when processing the Website Visitor’s data, we do not make use of automated decision-making.
  7. Right to complaint.This concerns the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of the Website Visitor’s habitual residence, place of work or where an alleged infringement took place. Please be referred to the website of the European Data Protection Board (EDPB) for an overview of the EU supervisory authorities and their contact details. However, we would appreciate the chance to deal with any concerns before the supervisory authority is approached, so please contact us beforehand.
8.2    How to exercise the privacy rights.

The Website Visitor or its legal representation can exercise the privacy rights free of charge, by phone or by e-mail via the contact details displayed below. If requests are manifestly unfounded or excessive, in particular because of the repetitive character, we have the right to either charge a reasonable fee or refuse to comply with the request.

8.3    Verification of identity.

We may request specific information to help us confirm the identity of the Website Visitor or its legal representation before we further respond to a privacy request.

8.4    Follow-up of a requests.

We will provide information about the follow-up of the request without undue delay and in principle within one month of receipt of the request. Depending on the complexity of the request and on the number of requests, this period can be extended by another two months.

9.    Who is responsible for the processing of the data?

Poki is in principle responsible for the processing of the Website Visitor’s data in the context of the Poki Kids Website. The developers of the games on the Poki Kids Website are required to remove all outgoing links and branding/advertisements (e.g. splash-screens, social links and app-store links) from their game(s).

10.    How can you contact us?

If you or the minor you represent have any questions concerning this Privacy Statement Parents, or data collection in particular, please contact us at kids@poki.com or via:

Poki B.V.
Spui 10
1012 WZ Amsterdam
The Netherlands
+31 20 2800 870 (for communication in Dutch or English)

Please let us know by e-mail in advance if you prefer to have further contact over the phone via another preferred language. We will then provide you with the relevant phone number.

11.   Changes

We may change this Privacy Statement Parents from time to time to accommodate new technologies, industry practices, regulatory requirements or for other purposes. The latest version can always be consulted via the Poki Kids Website. Important changes will also be communicated proactively.

*****