In this Customer Privacy Policy (Privacy Policy or Policy):
At TSGG, we are committed to protecting the personal data of our customers, as well as complying with applicable data privacy laws. This Privacy Policy outlines and explains how we collect and use your personal data through your use of the Website, our services and/or when you visit an OCHE® and/or SHUFL® Venue. This Privacy Policy describes:
This is to make sure you have a full picture of how we process your personal data. Our Websites are designed and intended for use by adults and are not intended for children. We do not knowingly collect personal data relating to children.
This privacy policy applies to all TSGG customers in all territories, including the European Economic Area (EEA) and the United Kingdom (UK) that are accessing or using our website or our services and/or otherwise visiting an OCHE® and/or SHUFL® Venue.
For the purpose of data protection law, TSGG is the data controller in respect of any personal data collected and used by TSGG through your use of the Website, your use of our services and/or your visit at an OCHE® and/or SHUFL® Venue. This is because we dictate the purpose for which your personal data is used and how we use your personal data.
For any questions or further details relating to the processing and protection of your personal data, please see the “How to contact us” section of this Privacy Policy.
We may collect your personal data either directly from you or indirectly from third parties.
We collect and process your personal data directly from you, for example, when you:
In so doing, we may ask for personal data, such as your name, date of birth, address, email address, telephone number or credit card details.
We may also collect “special categories of personal data” about you with your explicit consent. For more information on the special categories of data we collect and how we use it, please refer to the relevant section below.
We also receive and store certain types of personal data whenever you interact with us online. For example, when you:
Examples of the types of personal data we collect include; IP address, device ID, location data, computer and connection information such as browser type and version, time zone setting, browser plug-in types and versions, and operating system. During some of your internet browsing on TSGG websites we may also use software tools to measure and collect session information, including page response times, download errors, length of visits to certain pages, page interaction information, and methods used to browse away from the page. We may also collect technical information to help us identify your device for fraud prevention and diagnostic purposes.
We may collect personal data from other sources. For example, this may include receiving personal data from:
We may also combine personal data. For example, we may:
Different types of personal data will be held about you in the course of using the Website, using any services offered by us and when you visit an OCHE® and/or SHUFL® Venue, and you provide us with your personal data. Please refer to Appendix 1 of this Privacy Policy for examples of the types of personal data we collect from you, use, transfer, disclose, and otherwise process.
We may also collect certain sensitive personal data about you from you (including any special categories of personal data). Due to the nature of the special categories of personal data, we consider the processing of special categories of data as high-risk personal data processing activities and will apply the highest levels of technological and organizational measures to keep this data secure. We limit the circumstances where we collect and process these special categories of data.
For example, the special categories of personal data we hold about you may include information concerning your health, such as food allergies or intolerances which you provide to us. Where we do so, we will rely on your explicit consent, or we will notify you if we can rely on a different legal basis for processing this type of data.
When you are using the Website, using any services offered by us and when you visit an OCHE® and/or SHUFL® Venue, you may provide us with personal data relating to third parties. For example, where you make a reservation at an OCHE® and/or SHUFL® Venue and wish to provide personal data of any third parties in connection to your reservation.
We will use this personal data in accordance with this specific Privacy Policy. If you are providing personal data to us relating to a third party, you confirm that you have the consent of the third party to share such personal data with us and that you have made the information in this Privacy Policy available to the third party.
We process any personal data or special category of personal data of such third parties in accordance with applicable local law.
We use your personal data for a variety of different purposes in connection with the provision of the Website; use of any services offered by us and when you visit an OCHE® and/or SHUFL® Venue and/or when you have placed an online order with us through the Websites, and in order to execute such online order. In particular, your personal data may be used by us, our employees, service providers, and disclosed to third parties for the purposes set out in the Appendix 2 of this Privacy Policy.
We emphasize that any processing activities carried out by TSGG shall be done in accordance with the principles relating to the processing of personal data identified in Appendix 3 of this Privacy Policy.
We must tell you which legal basis we rely on when we use your personal data and the specific legal basis for each purpose for which we process your personal data. For each purpose identified in Appendix 2 of this Privacy Policy, we have set out the legal basis on which we use your personal data. This is because, under applicable data protection law, we can only use your personal data if we have a lawful legal basis to do so. Examples of where we have a lawful legal basis to process your personal data, includes when:
When we process your special category personal data, we will rely on either of the following legal bases:
In principle, we will retain your personal data for no longer than is necessary for the purposes for which the personal data are processed. The length of time we hold on to your personal data will vary according to what that information is and the reason for which it is being processed.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means. We also consider any applicable legal, regulatory, tax, accounting or other requirements which may specify how long we should retain your personal data for.
When personal data is no longer required to be stored, we take appropriate steps to securely delete, anonymize or transfer the data to an archive (where this is allowed under applicable laws).
For further information on our policy and how long we will keep your information for, please reach out to the Legal Department at legal@thesocialgaminggroup.com.
We may share your personal data for the above-aforementioned purposes (Appendix 2) with our group companies as well as authorized third-party agents, service providers and/or subcontractors of TSGG. Please refer to Appendix 4 of this Privacy Policy for a specific list of the categories of recipients of your personal data with examples.
We may also disclose your personal data to other third parties, for example:
Whenever TSGG uses an authorized third-party agent, service provider and/or subcontractor to process personal data, such third party must always provide a sufficient guarantee about its security measures. This means that written contracts with third parties always require that the third-party processor undertakes the same security measures as TSGG. In addition, the contract stipulates that the third-party processor – at any time – makes available all information necessary to demonstrate compliance with data protection law. Consequently, the guidelines as set out in this Privacy Policy are guaranteed at all times.
We will process your personal data both within and outside the EEA and the UK. As TSGG begins to expand globally, we may need to transfer data internationally within the TSGG group companies.
When we transfer personal data outside the EEA and the UK, we will implement appropriate and suitable safeguards to ensure that such personal data will be protected with a similar level of protection as required by applicable data protection law in its country of origin, for example we will seek to anonymise it. If we can’t anonymise your personal data, we will take reasonable steps to ensure that your personal data is always protected. For this purpose, we shall implement the following safeguards:
For further information as to the safeguards we implement and to obtain a copy, please contact the Legal Department at legal@thesocialgaminggroup.com
We have put in place appropriate security measures to seek to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instruction and they are subject to a duty of confidentiality. Details of these measures may be obtained from the Legal Department at legal@thesocialgaminggroup.com.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
When we process your personal data, you, as a data subject, have certain rights with respect to the data we process. The rights below are those that apply under the EU General Data Protection Regulation and so will predominantly apply to individuals located in the EEA or the United Kingdom.
As a data subject, you have the following rights:
Please see Appendix 5 of this Privacy Policy for a more detailed summary and explanation of your above-mentioned rights. Some exceptions may apply to these rights. If such an occasion occurs, the individual is thoroughly informed of the reason why the request is not complied with.
You can exercise these rights using the contact details listed in the ‘How to contact us’ section in this Privacy Policy. Data subjects are not required to pay any charges for exercising the abovementioned rights. If a data subject right request is made, we will respond to your request without undue delay and, at the latest, within one month of receiving the request. If the request is complex or a number of requests are made, TSGG has the right to extend the time to respond by a further two months.
In relation to the right to lodge a complaint to the relevant data protection authority, if you think there is a problem with how your personal data is being handled, please contact us by using the details set out in the ‘How to contact us’ section below. You also have a right to complain to the data protection authority as mentioned above. You can refer to this list of the data protection authorities in the EEA. However, there may be other data protection authorities that may be relevant to you. Please get in touch using the ‘How to contact us’ section below if you require further information.
This Privacy Policy was last updated in May, 2023.
We will review this Privacy Policy every two years, and we reserve the right to make any changes at any time to take account of changes in our business activities and legal requirements and the manner in which we process personal data
Any changes we make to this Privacy Policy in the future will be posted on our website and apps.
If you have any questions regarding this Privacy Policy or the way we use your personal data (outside of the EEA and the United Kingdom), please contact us. Our contact details are provided below:
Name: The Social Gaming Group AS
Postal address: Rådhusgata 30B, 0151 Oslo, Norway
Email address: legal@thesocialgaminggroup.com (Legal Department, TSGG)
Contact information: Name, title, address, email address and telephone number.
Telephone recordings: Recordings of telephone calls with our representatives and call centres.
Register to use our online services: Username and account number for access to our website.
Details of complaints and compliments you make: Name, address, e-mail address or telephone number, details about the service you received/your experience.
Financial information and account details: Details regarding products purchased, price, payment method and other financial account details.
CCTV footage: Videos and images captured on CCTV if you visit an OCHE® and/or SHUFL® Venue.
Order data: Information regarding the online order(s) that you place with us through our website (e.g., products that you order, date of order, delivery address, payment information).
Photographs: Images that you share with us via social media or images of you taken during your use of our gaming services at an OCHE® and/or SHUFL® Venue or via app services.
Video: Images or video footage of you taken during your use of our gaming services at an OCHE® and/or SHUFL® Venue or via app services.
Customer satisfaction/feedback surveys: Your views and opinions about your visit to an OCHE® and/or SHUFL® Venue and your dining experience, as well as your views about the Website.
Technical Information: Technical Information from any device you use in our venues.
TSGG abides by the principles identified in the table below when processing personal data:
Lawfulness, fairness and transparency
Your personal data will only be processed lawfully, fairly and in a transparent manner in relation to the data subject, as detailed in this Privacy Policy.
Purpose limitation
Your personal data will be only collected for specified, explicit and legitimate purposes, as detailed in this Privacy Policy and will not be further processed in a manner incompatible with those purposes.
Data minimization
We will only process personal data that is adequate, relevant and is limited to what is necessary. This also includes restricting access to personal data to only those functions/groups of functions that need this personal data to carry out their work.
Accuracy
We take appropriate measures to ensure that the personal data that we process about you is accurate and up to date. For this purpose, we provide you with the ability to correct, amend, or delete inaccurate personal data where this is applicable, in accordance with relevant laws.
In some instances, you can make these changes yourself otherwise, please contact HR for more information on how you can correct, amend or delete your inaccurate data.
Storage limitation
In principle we do not hold your personal data for longer than is required for the original purpose it was collected, unless those purposes are compatible with the original purpose, or we are under a legal obligation to retain it for longer. The purpose of retention could be a legal obligation, such as tax law or another legitimate reason, for example to prove our rights and obligations.
When personal data is no longer required to be stored, we take appropriate steps to securely delete, anonymize or transfer the data to an archive (where this is allowed under applicable laws)
Integrity and confidentiality
The right security controls are in place to protect against unauthorized and unlawful processing and against accidental loss or destruction of, or damage to, personal data.
This includes both technical controls (e.g., pseudonymization/encryption, role-based access control) and organizational controls (e.g., training and awareness).
We may share your personal data with the following:
Our group companies
Other companies and entities that are part of the TSGG Group.
Our authorized third-party agents, service providers and/or subcontractors of TSGG
Our business partners, suppliers and sub-contractors for the performance of any contract we enter into with you, for example:
A current list of these third-party service providers with whom we share your personal data can be provided to you on application to the Legal Department at legal@thesocialgaminggroup.com.
Our professional external advisors
Including accountants, lawyers and other professional advisers that assist us in carrying out our business activities, a current list of these third parties can be provided to you on application to the Legal Department at legal@thesocialgaminggroup.com.
Our franchisees
These are individuals or organisations who enter into an agreement with us to operate an OCHE® and/or SHUFL® Venue under the TSGG brand in various jurisdictions all over the world. Your personal data will not be shared with all of our franchisees but only those that are relevant to you.
Social media-related parties
We have different social media-related parties for each area of the world in which we operate – your personal data may be shared with the social media-related parties in our area, but not all. A list of our current social media-related parties and the countries in which they operate is set out below:
Right to information
You have the right to be informed about the collection and use of your personal data by us. This information is shared with you through this Privacy Policy. You have the right to receive a copy of your personal data that we hold about you, subject to certain exemptions.
We may require further information in order to respond to your request (for instance, evidence of your identity and information to enable us to locate the specific personal data you require).
Right to access
You have, at any time, the right to request access to the personal data we process about you. When you exercise this right, we must provide a copy of the personal data to which you have requested access.
We may require further information to respond to your request (for instance, evidence of your identity and information to enable us to locate the specific personal data you require).
Right to rectification
You have the right to ask us to rectify any errors and correct your personal data, that we hold where it is inaccurate or incomplete. We take reasonable steps to ensure that personal data which is inaccurate is rectified without delay.
Right to erasure
You have the right to request us to erase your personal data in certain circumstances. This right only applies under certain circumstances and is not absolute. For example:
Right to restriction
In certain circumstances, you may not be entitled to require the deletion of your personal data. Still, you may have the right to suspend our use of your personal data . In this instance, all processing, except storing, of that personal data must stop whilst the restriction is in place. This right only applies under certain circumstances and is not absolute. For example:
Right to data portability
You have the right to obtain your personal data in a structured, commonly used and machine-readable format and for it to be transferred to another party, where it is technically feasible. The right is not absolute as it only applies to:
Right to object to the use of your personal data (including to object to direct marketing)
You have the right to object to the use of your personal data in certain circumstances and subject to certain exemptions. Examples of this right include:
Right to object to a decision based solely on automated processing (including profiling)
You have the right not to be evaluated solely on the basis of automated processing, including profiling (e.g., automated profiling in connection with offers of employment, credit access, and insurance). This means we will not use (without any human involvement) your personal data (e.g., automated processing of personal data to evaluate certain aspects about you) in a way that produces legal effects concerning you or similarly significantly affects you unless it is:
Right to withdraw consent.
You always have the right to withdraw your consent at any time when we rely on consent to use your personal data.
Right to lodge a complaint to the relevant data protection authority.
You have the right to complain directly to the relevant Data Protection Authority if you think we have not processed your personal data in accordance with data protection law, but please do check if our Data Protection Officer can help you first.
In the case of which data protection authority you may complain to, this will depend on factors such as which OCHE and/or SHUFL Venue you visited and the country in which it is located or where the infringement occurred.