HomePrivacy Policy

Privacy Policy

Valid from: August 11, 2023

Last modified: August 11, 2023

Limassol, Cyprus

This Privacy Policy (hereinafter referred to as the “Policy”) defines the rules for the processing of personal data of data subjects using the website with the domain name https://levelupper.com/ (hereinafter referred to as the “Website”) or/and the services “LevelUpper” provided through the Website (hereinafter referred to as the “Services”).

The Policy is enacted by ETERNAL STAR LTD, a legal entity incorporated in Cyprus under the registration number HE 445014, with registered office at Evripidou, 12A, Agia Zoni, 3031, Limassol, Cyprus (hereinafter referred to as the “Company”). The Company is responsible for determining means and purposes of processing of personal data in accordance with this Policy.

This Policy is enacted in accordance with the General Data Protection Regulation (GDPR) No. 2016/679 adopted by the European Parliament and the Council on 27 April 2016, as well as the Children's Online Privacy Protection Act and Rule enacted by the Federal Trade Commission (COPPA) and California Consumer Privacy Act (CCPA).

The terms and definitions provided by the GDPR apply to this Policy unless the definition of the specific term contradicts the definition provided in the Policy.

This Policy shall be read and construed in lieu of the Terms and Conditions of the Company that establish the rules for the provision of the Services (hereinafter referred to as the “Terms”), as well as the Payment Policy and Cancellation and Refund Policy of the Company.

The terms and definitions of the Terms apply to this Policy unless they contradict the terms and definitions of GDPR or the Policy.

Please read carefully the Terms before reading and agreeing with this Policy because the Policy includes the terms the definitions of which can only be found in the Terms.

The following terms and definitions are established by the Policy:

“Data subject” means the User of the Services, as well as a natural person that visits and uses the Website without creating User's Account or/and using the Services of the Company or interacts with the Company in any other way without using the Services.

“Controller” means the Company.

“Processor” means a legal entity or a natural person that processes personal data of Data subjects on behalf of the Controller.

“Third parties” means natural persons or legal entities receiving Data subject's personal data for purposes not related to processing of personal data, including commercial and other business purposes.

“Minor” means a natural person who is less than 16 (sixteen) years of age.

1. Lawfulness of processing

1.1. Under the Policy, the personal data of Data subjects is processed under the following legal grounds:

1.1.1. The Data subject has given consent to the processing of his or her personal data in accordance with the Policy (point (a) paragraph 1 Article 6 GDPR).

1.1.2. Processing of Data subject's personal data is necessary for the provision of the Services in accordance with the Terms of the Company (point (b) paragraph 1 Article 6 GDPR).

1.2. By opening, visiting, and using the Website, the Data subject provides the Company with the consent to the processing of cookie files and other similar data in accordance with Section 7 of the Policy and other personal data prescribed in para.2.1.12 of the Policy.

1.3. By creating the User's Account, the User provides the Company with the consent to the processing of personal data provided in Section 2 of the Policy.

1.4. By interacting with the Company via social networks and messengers in accordance with Section 8 of the Policy, the Data subject provides the Company with the consent to the processing of personal data prescribed by para.8.2 of the Policy.

2. Personal data processed by the controller

2.1. Under the Policy, the Controller has the right to process the following personal data of Data subjects:

2.1.1. Username and password created by the User during the creation of the User's Account in accordance with the Terms.

2.1.2. Email address of the User.

2.1.3. First and last name of the User.

2.1.4. Telephone number of the User.

2.1.5. Information about the social networks accounts of the User, namely, the username or URL of the User's profile in the social network.

2.1.6. History of purchases made by the User through the User's Account and the history of User's activities on the Website and within the User's Account, namely, the webpages of the Services visited by the User, the Services that has been seen or/and requested by the User, the history of payments made by the User, the information about the shopping cart of the User in the User's Account and the contents of the shopping cart of the User's Account (the list of Services and additional options of the Services that have been added to the shopping cart or deleted from the shopping cart). The information about the shopping cart is processed even if the User eventually doesn't pay for the Services or/and removes all the Services and the additional options of the Services from the shopping cart.

2.1.7. Unique identifier (ID, username, user tag etc.) of the User in the Game that is used for identifying the profile of the User in the network of the Game.

2.1.8. Login and password of the User in the Game Account.

2.1.9. Login or unique identifier, password or/and one-time code, as well as the information about the device of the User used for connecting with the User's device through the remote access software, such as TeamViewer, Any Viewer, or Windows Remote Desktop.

2.1.10. The messages sent by the User to the Company, the Managers, or the Boosters through the communication channels provided by the Company (which includes information about cancellation and refund requests made by the User in accordance with the Cancellation and Refund Policy of the Company), as well as other information about interaction and communication of the User with the Company, the Managers, and the Boosters.

2.1.11. Information about the character and the activities of the User in the Game, as well as the information about the achievements, benefits, failures, and restrictions received by the User in the Game.

2.1.12. Cookie files processed in accordance with Section 7 of the Policy, as well as other analytical or metric data about the visitors of the Website collected with assistance of Processors that may include the following information:

A) Operating system used on the device of the Data subject

B) Version (type) of the Website visited by the Data subject (mobile or desktop version)

C) Screen resolution of the Data subject's device

D) Time during which the Data subject visited the Website and the activities of the Data subject within the Website (pages visited, clicks made by the Data subject, time spent on the specific webpage of the Website).

E) Number of Data subjects that visited the Website within the specific period of time.

F) Number of unique Data subjects that visited the Website.

2.2. In addition to personal data provided in para.2.1 of the Policy, the Controller also processes financial information of the Users, namely:

2.2.1. The information about the methods of payments chosen by the Users on the Website and the information about the payments made by the Users (including information about the applied currency of the payment, the exchange rate, and the total sum of the payment).

2.2.2. The information about bank (e-wallet) accounts and bank cards (debit or credit) of the Users used for paying for the Services (which includes information about bank card number and other credentials of the bank card).

2.2.3. The information about the refunds made in favor of the User.

2.3. The personal data provided in para.2.2 of the Policy is processed in accordance with the Payment Policy of the Company and the Cancellation and Refund Policy of the Company.

2.4. The personal data provided in para.2.1.12 of the Policy is anonymized and cannot be pertained to any specific Data subject.

2.5. The personal data provided in para.2.1.1 of the Policy can be automatically saved for auto-entry when the User logs into the User's Account.

3. Purposes of personal data processing

3.1. The personal data provided in paras.2.1.1-2.1.2, paras.2.1.6-2.1.11, and para.2.2 of the Policy are processed for the following purposes:

3.1.1. Provision of the Services in accordance with the Terms, the Payment Policy, and the Cancellation and Refund Policy of the Company.

3.1.2. Resolution of disputes with the Users.

3.1.3. Processing and receiving payments from the Users in accordance with the Terms, the Payment Policy, and the Cancellation and Refund Policy of the Company.

3.1.4. Performing cancellations and refunds in accordance with the Cancellation and Refund Policy of the Company.

3.1.5. Other communication with the Users not related to advertising or marketing.

3.1.6. Improving the work of the Website and the quality of the Services, providing technical support to the User's Accounts of the Users.

3.2. The personal data provided in paras.2.1.1-2.1.6 and para.2.1.12 of the Policy are processed for the following purposes:

3.2.1. Marketing and advertising purposes, which includes both direct marketing and advertising of Company's products related to the Website on other websites, in social media, and in search engines.

3.2.2. Analytical purposes.

3.2.3. Resolving disputes with Data subjects.

3.2.4. Other communication with Data subjects not related to advertising or marketing or resolving disputes.

4. Controller and processors of personal data

4.1. The Company is the Controller of the Data subject's personal data meaning that the Company defines the categories of personal data processed, the purposes of personal data processing, the list of Processors, the ways of processing and storing personal data, and the rules of cross-border transfer of personal data.

4.2. The personal data described in this Policy is processed either directly by the Controller or by the Processors engaged by the Controller that process personal data on behalf of the Controller. The Controller is responsible before the Data subjects for the Processors processing personal data of Data subjects in accordance with this Policy. The following categories of Processors are engaged by the Controller in the processing of personal data of Data subjects:

4.2.1. Managers, Boosters, and other persons directly involved in the provision of the Services in favor of the Users.

4.2.2. Processors processing the payments of the Users and participating in performing the refunds in favor of the Users.

4.2.3. Processors storing personal data of Data subjects.

4.2.4. Processors providing advertising and marketing services to the Controller.

4.2.5. Processors analyzing, assessing, storing, and systemizing personal data provided in para.2.1.6 and para.2.1.12 of the Policy.

4.2.6. Processors providing technical support for the Website and the User's Account.

4.2.7. Processors assisting the Company with resolving disputes with the Users.

4.2.8. Subsidiaries and other affiliate legal entities of the Company engaged in the provision of the Services.

4.3. All the Processors of the Controller engaged in the processing of the personal data under the Policy act in accordance with the contract concluded between the Controller and the respective Processor. The concluded contract provides for the security and confidentiality of personal data of Data subjects and compliance with GDPR and other applicable legislation.

5. Controller and third parties

5.1. The Controller does not transfer personal data of Data subjects to any Third parties for any purposes not related to processing of personal data in accordance with the Policy.

5.2. The Controller does not sell and has never sold personal data of Data subjects to any Third party. The Controller has no intention in selling personal data of Data subjects to any Third parties.

6. Controller and minors

6.1. The Website and the Services of the Company are not directed to Minors. This is confirmed by the fact that the provision of the Services prescribed by the Terms requires making the payments which can only be made by a person with legal capacity. Furthermore, many of the Games in respect of which the Services are provided have at least 16+ age restriction due to the scenes of violence or the presence of adult talking not aimed at the audience of Minors. Furthermore, some of the Services offered by the Company require deep interaction with the Booster that cannot be organized if the User is a Minor. Finally, the Terms provide that the Services can only be provided to the Users who are at least 16 (sixteen) years of age.

6.2. The Controller does not process and does not have actual knowledge that the Controller is processing personal data of Minors. If the Controller finds out that some data from or about a Minor was collected or/and processed in other way, the Controller will immediately take all the necessary measures aimed at deleting such data and restricting access of the Minor to the Website and the Services.

6.3. If the Controller has doubts regarding the age of the User, the Controller has the right to request the User to verify the User's age. If the User refuses to verify the User's age or if the Controller finds out that the User is less than 16 (sixteen) years of age, the rules of para.6.2 of the Policy apply.

7. Cookie policy

7.1. The Website of the Company may use “Cookies”.

Cookies or cookie files are small text files located in browser directories that may include an anonymous unique identifier. Generally, there are two types of cookies – a session cookie and a persistent cookie. A session cookie is used to make it easier for a person to navigate a website and expires when a person closes the browser. A persistent cookie remains on a hard drive of a person's device for an extended period of time. Cookies cannot be used to run programs or deliver viruses to a person's computer. Cookies are uniquely assigned to a person's device and can only be read by a web server in the domain that issued the cookie to a person's device. To learn more about cookies please follow the link.

7.2. The Company may use both session cookies and persistent cookies to help Data subjects navigate through the Website and efficiently perform the functions of the Website. Particularly, the following kinds of cookies may be used by the Company in accordance with this Policy:

7.2.1. Session Cookies. The Company may use Session Cookies to operate the Services provided via the Website.

7.2.2. Preference Cookies. The Company may use Preference Cookies to remember preferences and various settings of the Data subject using the Website.

7.2.3. Security Cookies. The Company may use Security Cookies for making safe the use of the Website.

7.3. By use of cookies, the Company may automatically collect information about the online activity of the Data subject on the Website. Such information may include:

7.3.1. The information about the webpages of the Website visited by the Data subject.

7.3.2. The URL links clicked by the Data subject on the Website.

7.3.3. The searches made by the Data subject via the Website.

7.4. The Data subject has the right to accept or decline cookies by using the browser settings. However, if the Data subject declines cookies, the Data subject may not be able to use the full range of functions provided by the Website.

7.5. The Company may also use other technologies for processing personal data provided in para.7.3 of the Policy, including the following:

7.5.1. Web beacons. Web beacons (also known as clear gifs, pixel tags, or web bugs) are tiny graphics with a unique identifier, similar in functions to cookies, and used to track online movements of website users. Unlike cookies, which are stored on a user's device, web beacons are embedded invisibly on the web pages of the website or in an email, and the size of such web beacons is about the size of the period at the end of the sentence.

7.5.2. Tracking URLs. A tracking URL is a standard link that has parameters attached to it for the purpose of tracking and analytics. A tracking URL has unique identifier that allows to identify the source of the website's traffic (e.g., the location from which the Internet users visit the website, or the search engine used by the visitors for clicking the URL of the website).

7.6. The Company may also use web beacons and tracking URLs prescribed by para.7.5 of the Policy in marketing emails of the Company (including marketing bulk emailing) and in online advertisements of the Company posted on third-party websites.

8. Company and social networks

8.1. In order to promote information about the Company, its Services, and the Website, the Company may create the accounts in social networks and messengers, including Facebook, Instagram, WhatsApp, and Telegram.

8.2. Data subjects may follow the accounts of the Company in social networks and the channels of the Company in messengers. Data subjects may like posts and comments of the Company and leave comments, reviews, or reactions under the posts and messages of the Company in social networks and messengers. Data subjects may also send messages to accounts of the Company in social networks and messengers.

8.3. The data prescribed by para.8.2 of the Policy is considered as personal data of Data subjects provided in para.2.1.10 of the Policy. Such personal data of Data subjects, depending on the nature of the processed data, may be used by the Company for the purposes provided by para.3.1.2, para.3.1.5, para.3.1.6, or para.3.2 of the Policy.

9. Rights of a data subject

9.1. Each Data subject has the following rights:

9.1.1. Right of access: the Data subject is entitled to receive from the Controller the information about personal data that is processed by the Controller, the purposes of personal data processing, the categories of personal data recipients, the period of personal data storage, and the information about the transfer of personal data to other jurisdictions.

9.1.2. Right to lodge a complaint with a supervisory authority: the Data subject is entitled to file a complaint against the Controller with a supervising authority of Data subject's habitual residence or place of work, or with a supervising authority located in a place of possible infringement, or with a supervising authority of Controller's residence which supervises the compliance of the Controller with personal data legislation.

9.1.3. Right to rectification: the Data subject is entitled to rectification of inaccurate data about the Data subject.

9.1.4. Right to erasure: the Data subject is entitled to erasure the personal data about the Data subject.

9.1.5. Right to restriction of processing: the Data subject is entitled to restrict processing of personal data under the grounds provided for in Article 18 GDPR.

9.1.6. Right to data portability: the Data subject is entitled to receive personal data about the Data subject in a structured, commonly used, and machine-readable format and transmit such data to another controller.

9.1.7. Right to object: the Data subject is entitled to object to personal data processing on the grounds relating to a particular situation (for example, if the Controller processes personal data for marketing purposes).

9.1.8. Right not to be subject to a decision based solely on automated processing, including profiling.

9.1.9. Right to file a request or complaint with the Controller. Such right also includes the right of the Data subject to use judicial remedies against the Controller in a country of Controller's or Data subject's residence under Article 79 GDPR and the right to use judicial remedies against the supervisory authority in a country where the supervisory authority is established (Article 78 GDPR).

9.1.10. Right to withdraw Data subject's consent to personal data processing.

9.1.11. Right to prohibit sale or resale of Data subject's personal data.

9.2. Unless otherwise is provided by other paragraphs of the Policy, the Data subject that wants to exercise his or her rights provided by para.9.1 of the Policy shall send a mail or an email to the Company by using contact details of the Company provided in Section 14 of the Policy.

9.3. The User that wants to exercise one of the rights provided in paras.9.1.3-9.1.8 or paras.9.1.10-9.1.11 of the Policy shall contact the Company through the customer support system provided to Users in accordance with Section 5 of the Terms.

9.4. The User can exercise the right provided in para.9.1.3 of the Policy by changing the personal data without the assistance of the Company if such personal data is personal data provided in paras.2.1.2-2.1.5 of the Policy or if the rectified data is the password of the User's Account.

9.5. If the User has the User's Account and uses the Services of the Company and the request of the User relates to personal data provided in paras.2.1.1-2.1.2 of the Policy, the rights of the User provided in para.9.1.4 and para.9.1.10 of the Policy may only be exercised by deleting the User's Account in accordance with the Terms. In this case, the User will no longer be able to use the Services in accordance with the Terms of the Company.

9.6. By agreeing with this Policy, the User agrees that erasure of User's personal data, restriction of processing of User's personal data, objection to processing of User's personal data, or withdrawal of User's consent to the processing of personal data may result in restriction of User's access to the Services and may impair the ability of the User to use the Services in a proper manner as prescribed by the Policy.

9.7. If the Data subject desires to lodge a complaint with a supervisory authority against the Company or use judicial remedies against the Company or the supervisory authority, the Data subject shall follow the procedures provided by Articles 77-79 GDPR and by the legislation of the country in which the Data subject is planning to lodge a complaint or use judicial remedies.

10. Security of personal data

10.1. The Controller takes all the reasonable measures to protect Data subject's personal data from unauthorized access by third parties, as well as against loss, misuse, alteration, or destruction of personal data, including the following:

10.1.1. The Data subject's session on the Website goes through the secure SSL connection during the Website browsing.

10.1.2. Only authorized personnel of the Controller have access to the personal data of Data subjects, and these employees and contractors are required to treat this information as confidential.

10.1.3. The Controller ensures the confidentiality of the User's credentials used for entering the Game Account, as well as other data used for playing the Games or/and receiving the Services.

10.1.4. The Booster providing the Services to the User on a “Piloted” Boosting Method uses VPN for entering the Game Account of the User and brings the Game Account of the User to the original settings after the provision of the Services in accordance with the Terms.

10.1.5. The Company uses encryption methods for providing the Services to the Users.

10.1.6. The Company conducts regular check-ups and tests of the internal network system for the security issues.

10.2. The existing security measures will be reviewed from time to time in accordance with new legislation and technical innovations.

11. Storage of personal data

11.1. The Controller stores personal data of Data subjects only for the period that is necessary for achieving the purposes of processing provided by Section 3 of this Policy.

11.2. The Controller stores personal data of the User provided in paras.2.1.1-2.1.11 and para.2.2 of the Policy as long as the User has the User's Account and uses the Services.

If the User deletes the User's Account in accordance with the Terms, the Controller will delete personal data provided in paras.2.1.1-2.1.5 of the Policy.

The User may at any point of time delete personal data provided in paras.2.1.3-2.1.5 of the Policy.

The User may at any point of time request the Controller to delete personal data provided in paras.2.1.6-2.1.11 and para.2.2 of the Policy. In this case, however, the opportunity of the User to use the Services can be restricted if the Controller does not have the opportunity to provide the Services without processing of the deleted personal data.

11.3. If the User deletes the User's Account in accordance with the Terms, the Controller has the right to store personal data of the User provided in paras.2.1.6-2.1.11 of the Policy for the period of 3 (three) years after deletion of the User's Account unless the User directly requests the Controller to delete such personal data at the time of the User's Account deletion.

11.4. The Controller takes all the reasonable steps to periodically delete personal data provided in para.2.1.12 of the Policy. However, because such personal data cannot be attributed to any specific Data subject, the Controller does not have technical opportunity to exercise the request of the Data subject to delete personal data provided in para.2.1.12 of the Policy that relates directly to such a Data subject.

11.5. The Controller does not store personal data provided in para.2.2.2 of the Policy. Particularly, the Controller does not store credentials of bank cards of the Users and does not allow Users to save credentials of their bank cards in the User's Account for future transactions.

11.6. The Controller does not store any personal data provided in Section 8 of the Policy.

11.7. The Controller will continue to store personal data of a Data subject if storing such personal data is required by applicable legislation aimed at preventing money laundering or terrorist financing.

12. International transfer of personal data

12.1. The Controller stores personal data of Data subjects only on the servers located in Cyprus or/and other countries of EEA (European Economic Area which includes the countries of the European Union plus Iceland, Liechtenstein, and Norway).

12.2. The Processors of the Controller store personal data of Data subjects in the countries of EEA, as well as the countries outside EEA in respect of which the European Commission made the decision that such countries provide an adequate level of data protection (Article 45 GDPR). Particularly, the personal data of Data subjects may be stored in the United Kingdom, Andorra, or Switzerland. The full list of the countries outside EEA providing an adequate level of data protection can be found through the link.

12.3. If it is not possible to store personal data of the Data subject in accordance with para.12.1 or para.12.2 of the Policy, the Controller will transfer personal data of Data subject to jurisdictions outside EEA subject to appropriate safeguards provided in Article 46 GDPR.

12.4. If for some reasons it is not possible for the Controller to transfer and store personal data of the Data subject in accordance with paras.12.1-12.3 of the Policy, the Controller will transfer Data subject's personal data outside EEA only subject to the provisions of Article 49 GDPR which provide derogations for specific situations.

If the only legal ground under which the Controller can transfer Data subject's personal data outside EEA is the consent of the Data subject (Article 49 paragraph 1 point (a) GDPR), the Controller will only perform the transfer after receiving the consent of the Data subject to the proposed transfer of personal data. Such consent may only be obtained from the Data subject after the Controller informs the Data subject about the possible risks of such a transfer caused by the absence of an adequacy decision provided by para.12.2 of the Policy and appropriate safeguards provided by para.12.3 of the Policy. If the Data subject does not provide the consent to the transfer of personal data, the Controller may refuse provision of the Services to such a Data subject or restrict access of the Data subject to the Website if the provision of the Services or provision of access to the Website are impossible without the Data subject's consent to the international transfer of personal data.

13. Changes to this policy

13.1. The Company shall periodically review this Policy for the compliance with applicable data protection laws and will provide the Policy with amendments as the Company deems necessary. The amendments will be posted on the Website in the form of the updated Policy and will be in effect since the date of publication, unless otherwise is specifically provided in the text of the updated version of the Policy. The publication of the updated version of the Policy amounts to notification of Data subjects about the changes. Data subjects shall periodically review the Website for the amendments in the Policy.

13.2. The Company will take reasonable measures to notify the Users about the changes in the Policy. In doing so, the Company may send emails to the Users or notify the Users through the customer support system provided by Section 5 of the Terms.

14. Contacting controller
ETERNAL STAR LTD

A legal entity incorporated in Cyprus.
Registration number: HE 445014
Address: Evripidou, 12A, Agia Zoni, 3031, Limassol, Cyprus.
Email: support@levelupper.com

We use essential cookies to make our website work. With your consent, we may also use non-essential cookies to improve user experience and analyze website traffic.
By clicking “Accept,” you agree to our website's cookie use as described in our Cookie Policy.