Privacy Policy
Last Updated: 19 January 2026
1. Controller and Contact
This Privacy Policy explains how Surmiso (“we”, “us”, or “our”) collects, uses, discloses, and protects personal data when you use the Service.
The controller responsible for the processing of personal data under this Privacy Policy is:
Controller
Mirko Tomášek
Zahradní 546, Bystřice nad Pernštejnem, Czech Republic
Email: help@surmiso.com
2. Scope
This Privacy Policy applies to the Surmiso web application and any related services provided by us (the “Service”).
This Policy should be read together with our Terms of Service.
3. Personal Data We Collect
3.1 Account and identity data
- If you sign in with Google or Facebook/Meta: name, email address, profile picture, and a unique account identifier provided by the authentication provider.
- If you sign in via OTP: email address and verification metadata relating to OTP delivery and validation.
3.2 Game and community data
- Game statistics, scores, game progress, and related in-game history.
- Any User Content you submit (e.g., text entries), where applicable.
3.3 Technical and usage data
- IP address, device identifiers (where available), browser type/version, operating system, language, time zone, referring URLs, and log data.
- Usage information such as pages viewed, features used, access times, and interactions.
3.4 Communications data
- Messages you send to us (e.g., support emails) and our responses.
- Preferences, including consent records (e.g., for newsletters and cookie/advertising choices).
3.5 Cookies and similar technologies
We (and our partners) may use cookies, local storage, SDKs, pixels, or similar technologies to operate the Service, remember settings, and deliver/measure advertising (see Section 7).
4. Purposes of Processing and Legal Bases
We process personal data only where we have a legal basis under applicable data protection law (including the GDPR). Depending on context, this may include consent, performance of a contract, legal obligation, and legitimate interests.
4.1 To provide and operate the Service
Purpose: account creation, authentication, gameplay, and saving progress. Legal basis: performance of a contract.
4.2 To secure the Service
Purpose: fraud prevention, abuse prevention, rate limiting, and incident response. Legal basis: legitimate interests in maintaining the security and integrity of the Service.
4.3 To communicate with you
Purpose: support, service notices, security alerts, and OTP delivery. Legal basis: performance of a contract and/or legitimate interests, depending on the communication.
4.4 Advertising (Google H5 Ads) and measurement
Where required by law for cookies/identifiers or personalized ads, we rely on your consent. Where consent is not required, we may rely on legitimate interests to deliver contextual ads and measure performance, as permitted by applicable law.
4.5 Newsletters and direct marketing
We will send newsletters and other direct marketing messages by email only if you have provided prior consent where required by law. You can withdraw consent at any time.
4.6 Legal compliance and enforcement
We may process data to comply with legal obligations and to establish, exercise, or defend legal claims.
5. Is Providing Personal Data Required?
If you want to use accounts, authentication data (email and/or third-party login data) is necessary to provide the Service.
You may refuse optional processing (such as newsletters/marketing and certain advertising cookies) without losing access to core gameplay, unless those features are technically inseparable from the chosen configuration.
6. Sharing and Disclosure
We may share personal data with the following categories of recipients:
- Authentication providers (Google and Facebook/Meta) to enable login.
- Advertising providers (including Google H5 Ads) to display and measure advertisements, depending on your settings.
- Email delivery providers to send OTP messages and, if you opt in, newsletters.
- Hosting and infrastructure providers that operate our servers and related systems.
- Professional advisers and competent authorities where required to comply with law, respond to lawful requests, or protect rights and safety.
We do not sell your personal data.
7. Cookies, Advertising, and Similar Technologies
We use essential technologies necessary to operate the Service (e.g., session management and security).
We (and advertising partners) may use non-essential cookies/identifiers to:
- deliver advertisements (contextual or personalized depending on your choices);
- measure ad performance and limit ad frequency; and
- detect fraud and abuse.
Where required by law, non-essential cookies/identifiers will be used only after you provide consent through a cookie/consent banner or settings.
You can withdraw consent at any time by changing your cookie/consent settings (if available) or via your browser settings. Withdrawal does not affect the lawfulness of processing before withdrawal.
8. International Data Transfers
Some of our service providers may process data outside the European Economic Area, including in the United States.
Where applicable, transfers may rely on:
- the EU–US Data Privacy Framework adequacy decision (where the recipient is certified); and/or
- the European Commission’s Standard Contractual Clauses (SCCs) and supplementary measures where required.
You may request further information about the safeguards used by contacting us.
9. Data Retention
We retain personal data only as long as necessary for the purposes described in this Policy.
Typical retention periods include:
- Account and game data: retained while your account remains active. If you request deletion, we will delete or anonymize data within a reasonable period, unless retention is required by law or for legitimate purposes (e.g., security and dispute resolution).
- Server and security logs: typically retained for a limited period for security and troubleshooting, unless a longer period is necessary to investigate abuse or comply with legal obligations.
- Newsletter data: retained until you withdraw consent/unsubscribe; we may keep a minimal record of consent and opt-out to demonstrate compliance and prevent re-sending to opted-out addresses.
Backups may persist for a limited time and are overwritten on a rolling basis.
10. Your Rights (GDPR)
Subject to conditions and limitations under applicable law, you have the right to:
- access your personal data;
- request rectification of inaccurate data;
- request erasure (“right to be forgotten”);
- request restriction of processing;
- request data portability (where applicable);
- object to processing based on legitimate interests, including the right to object to direct marketing at any time; and
- withdraw consent at any time (where processing is based on consent).
To exercise your rights, contact help@surmiso.com.
11. Complaints
You have the right to lodge a complaint with a supervisory authority.
In the Czech Republic, the competent authority is the Office for Personal Data Protection (Úřad pro ochranu osobních údajů, “UOOU”).
12. Security
We implement appropriate technical and organizational measures designed to protect personal data (e.g., access controls and security practices).
No method of transmission or storage is fully secure; therefore, we cannot guarantee absolute security.
13. Children
The Service is intended for users aged 15 and above.
Where we rely on consent (e.g., newsletters or certain advertising/cookies) and we become aware that a user is under the applicable age for valid consent, we will take reasonable steps to discontinue consent-based processing and/or delete data as required.
14. Changes to This Privacy Policy
We may update this Policy from time to time. The “Last Updated” date indicates when changes were made.
Material changes will be communicated in a reasonable manner (e.g., in-app notice).
15. Contact
For privacy questions or requests, contact help@surmiso.com.