Privacy policy


This privacy policy explains how we process personal data at SuperScale. SuperScale consists of two companies: (i) SuperScale sp. z.o.o., with its registered seat at Zacna 2 1, 50-283 Gdańsk, Poland, registered in the register of entrepreneurs of the National Court Register kept by the District Court for Gdańsk-Północ in Gdańsk, VII Commercial Division under KRS No. 0000510468 and (ii) its 100% subsidiary SuperScale s. r. o., with its registered seat at Zálužická 1, Bratislava 821 01, Slovakia, company ID No. (IČO): 47 523 697, registered in the Commercial Registry kept by Bratislava I District Court, Section Sro, insert No. 94037/B (jointly and each hereinafter referred to as “SuperScale”, “we” or “us”). Being based in the EU, we must comply with the EU general data protection regulation (the GDPR) and local legislation when processing the personal data. You may find GDPR’s text here.


When we provide analytic, marketing, big data or advisory services to our clients (e.g. game developers) (“Services”), we process personal data in the position of data processor for our clients. As regards Services, our clients conclude a contract and a data processing agreement with SuperScale sp. z.o.o., which then uses SuperScale s. r. o. as its sub-processor based on our internal data processing agreement.

We also act as data controllers in relation to data we process for our own purposes, for example in the marketing, HR, legal, statistics, administrative and compliance areas (see below). In respect of our own purposes, the SuperScale entities have concluded a so-called joint controllers’ agreement under Article 26 of the GDPR. We regard both entities as part of one group or one family, and often our joint activities (e.g. marketing campaigns) relate to the SuperScale brand and not the individual entity. Also, the staff of both SuperScale entities collaborate and cooperate with each other. The essence of the joint controllers’ agreement is as follows:

  • Both SuperScale entities collaborate in joint processing activities related to all below mentioned SuperScale’s purposes;
  • We have established a single contact point for data subjects, as per this privacy policy;
  • Internally, data subject requests are primarily handled by SuperScale s. r. o. (Slovakia);
  • Our main establishment is located in Slovakia;
  • SuperScale entities share data for the internal administrative purposes (as per recital 48 of the GDPR);
  • Each SuperScale entity may conclude agreements with processors also on behalf / for the benefit of the other SuperScale entity.

Because we process personal data as both processors and controllers, this privacy policy is addressed both to our clients and to visitors of our websites or social media profiles. We may also use additional and more specific information to fully deal with our information obligations under the GDPR.

SuperScale sp. z.o.o. and BOOMBIT SPÓŁKA AKCYJNA concluded a joint controller agreement pursuant to Art. 26 GDPR in relation to the following purposes of processing: (i) Establishment, exercise or defence of legal claims (legal agenda); (ii) Tax, billing and accounting; (iii) Contract Performance. In this agreement, the joint controllers agreed on the following essential parts:

  • Data subjects have the right to exercise their rights vis-à-vis both controllers at a single contact point, which is the correspondence address Zacna 2 1, 50-283 Gdańsk, Poland or by email to;
  • Notwithstanding the foregoing part of the joint controller agreement, the data subject may exercise his/her rights pursuant to the GDPR in relation to each controller and vis-à-vis each controller separately;
  • Information about the processing of personal data according to Art. 13 and Art. 14 GDPR is provided jointly by both controllers to data subjects through Privacy Policies published on their official websites.


If you have any questions concerning how we process your personal data, you can contact us at or by post using our registered seat addresses above. We have not appointed a data protection officer, but we have internally appointed a number of persons responsible for the data protection agenda in general. We also use external legal advisors in this respect.

Please note that when the processing concerns provision of the Services, we are not entitled to handle or respond to your request on behalf of our clients. If you have questions about how our clients (e.g. game developers) use your data (including via us), please get in touch with them. We can only forward your requests to them.  


We process the personal data for the following purposes of processing and on the following legal basis: 

In order to provide the Services, we process personal data as a data processor on behalf of our clients (e.g. game developers). The purpose and legal basis of such processing is determined individually by each client and not by us. However, our clients generally describe the purpose of processing as:

  • product improvement purposes, e.g. improvement, development, maintenance and testing of the app/software and its new features or updates;
  • direct marketing communication, conducting marketing campaigns and related marketing analytics; or
  • raising awareness about the organization, its products and services online.

In general, our clients process personal data about their users and gamers on the basis of their consent, a contract concluded with them or their legitimate interests. However, this is not our concern. Please check the privacy policy of a particular game developer to see the details. The above information is only illustrative, for prospective clients or interested gamers.

As a controller, we process personal data for the following (compatible) purposes: 

  • Maintaining adequate level of security (security). We consider security of our assets, property, staff and generally our informational security to be both our legal obligation pursuant to the Art. 6(1)(c) of the GDPR as well as our legitimate interests pursuant to the Art. 6(1)(f) of the GDPR (underlined above). Therefore, we monitor usage of our systems internally to detect breach of the internal policies, unauthorized operations in our systems or harmful bots, codes or conduct. This purpose involves adoption of adequate security measures, their periodic assessment and review.
  • Direct marketing communication & raising brand awareness online (marketing). We consider processing of personal data for direct marketing our legitimate interests pursuant to the Art. 6(1)(f) of the GDPR (underlined above) as confirmed by recital 47 of the GDPR. However, where required by ePrivacy or other legal regulations (such as the Polish Act on Provision of Electronic Services or Slovak Act on Electronic Communications), we rely on data subject consent pursuant to the Art. 6(1)(a) of the GDPR instead. This purpose is related to direct marketing communication of SuperScale products for example via our own marketing campaigns, newsletters, events, blogs as well as raising brand awareness through our social media profiles, online interaction with users, maintaining our websites and publication of team or event photos where allowed.
  • Establishment, exercise or defence of legal claims (legal agenda). As any business, we have a legal agenda. Therefore, from time to time we must pursue our legal claims, ask for compensation or settlement and keep legal evidence, request legal advice from external advisors, ensure compliance with regulations, get represented by legal advisors in court, criminal, administrative or other proceedings or report to law enforcement authorities or otherwise. We do this on the basis of our legitimate interests pursuant to the Art. 6(1)(f) of the GDPR (underlined above) or on the basis of contract performance pursuant to the Art. 6(1)(b) of the GDPR.
  • Tax, billing & accounting. In order to comply with tax, billing & accounting regulations we must process certain limited scope of personal data. We do this because we are obliged to do so pursuant to the Art. 6(1)(c) of the GDPR.
  • Contract performance. We conclude a number of legal contracts with both individuals and other businesses which serve to support our essential business activities. We need to enforce, perform and manage contracts and we do that based on our legitimate interests pursuant to the Art. 6(1)(f) of the GDPR (underlined above) or based on contract performance pursuant to the Art. 6(1)(b) of the GDPR.
  • Personnel & payroll purposes. In relation to our internal staff, we are obliged to process certain limited data by the employment, commercial, social deductions and insurance regulations pursuant to the Art. 6(1)(c) of the GDPR.
  • Benefits for business partners. On the basis of data subject consent pursuant to the Art. 6(1)(a) of the GDPR we provide personal data of our business partners to 3rd party benefits providers.
  • Statistics. We keep anonymous or aggregated statistics like number of clients, campaigns or users, costs saved, average conversion rate and similar. We make sure such statistics are not personal data; however, these statistics might be made by conversion from the personal data about our clients. In line with Art. 89 of the GDPR, statistical processing is performed on the basis of any of the above-mentioned legal bases.


We only process personal data which is necessary, both in scope and type, for the purposes of processing explained above. We believe this entails typical categories of personal data in relation to typical purposes of processing. Systematic processing of special categories of personal data under Article 9 of the GDPR is not present at SuperScale. However, we cannot exclude the possibility of such processing in relation to the personnel and payroll purposes if the law and the specific situation require us to do so, for example in relation to data relating to health. We also do not process personal data relating to criminal convictions and offences under Article 10 of the GDPR. Therefore, for most purposes we only process the basic identification and contact personal data including typical communication data and content. As regards marketing, we process data typically collected by using business features of social media and website analytics software solutions, such as data pushed through cookies, website browsers and advertisement identifiers. We believe such processing – regardless of whether we have actual access to such information or not – includes elements of profiling but not individual decision making.

As regards the personal data we process as processors within provision of the Services, we cannot globally define the exact scope of data processed because this is determined by our clients (controllers) in the respective data processing agreements. However, in a typical scenario we process the data described in relation to marketing above in conjunction with aggregated performance analysis of game usage and in-game data provided to us by the controller. Generally, we look into how users interact with a game’s features and subsequently advise the game developer how to improve the game both in terms of revenue generated as well as in terms of user experience, retention, loyalty and other performance indicators. These activities are (in principle) aggregated and not focused on a particular individual. We nevertheless understand that this still entails processing of personal data.


In relation to the Services we provide, we collect personal data on behalf of our clients as a processor/sub-processor; therefore, your personal data are typically provided to us by the original controllers. This is typically within the context of the relationship between game player and game developer being contractual parties. The provision of data here is therefore voluntary.

We can also collect your personal data from you directly when we act as controller, for example through communication with you, conclusion of a contract with you, activity on social media or a message sent to us via forms on our website. Such provision of data is voluntary and, if it relates to a contract, it might be a contractual requirement or a requirement necessary to enter into a contract. Since we believe the activities which lead to the provision of your data to us are voluntary, you should not be in a position where you have to provide the data to us.

As regards contact forms on our website and business cooperation offers published on third party websites, we expect conclusion of a contract with you or your company and therefore we regard this communication as a pre-contractual communication. As part of contractual or personnel & payroll purposes, we do not request your consent because we rely on contract performance or our legitimate interest. 


We take the confidentiality of your personal data very seriously and have policies in place to ensure that your data is only shared with authorized staff (internal recipients) or a verified/authorized third party. Our staff might have access to your personal data on a strictly need-to-know basis typically governed and limited by function, role and department of the particular employee. We have also put in place policies and procedures that ensure we separate data per client where possible. We also use sub-contractors to support us in providing Services which might process personal data for us. We ensure that selection of our sub-contractors and any processing of personal data by them is compliant with the GDPR. Categories of recipients of user personal data (processed on behalf of our clients) are hosting providers, cloud services providers and communication tool providers (such as Slack, Google, Amazon Web Services, Digitalocean, Tableau) as is explained in detail in our data processing agreement. As regards the other purposes, the recipients of personal data might be:

  • both SuperScale entities;
  • hosting or cloud services providers (Amazon and Google);
  • providers of standard software solutions (such as Microsoft, Amazon, Google, Time Doctor, Asana, Slack);
  • marketing and analytics software service providers and social media platform operators (such as Google and Facebook);
  • billing, accounting and legal advisors;
  • public authorities if required based on local law;
  • authorized personnel of the above.

When we act as processors of our clients (controllers), we process personal data provided to us in a number of applications under the clients’ name and account on their behalf. We do not consider this an appointment of another sub-processor by us, but rather an exchange of data between same-level processors based on the controller’s instruction.


By default, we seek not to transfer your personal data outside the EU and/or European Economic Area where not necessary. However, some of our sub-contractors or the above-mentioned recipients of personal data might be based, or their servers might be co-located, in the United States of America (USA). As such, the USA is regarded as a third party not ensuring an adequate level of protection. However, companies certified under the EU-US Privacy Shield mechanism according to the Commission (EU) are regarded as ensuring an adequate level of protection. Any transfer of personal data outside the European Economic Area is done by us only under strict compliance with the GDPR. We ensure the third-party recipients are either certified under the EU-US Privacy Shield, have concluded EU model clauses with us or follow equivalent safeguards.


We must not and we do not want to store your personal data for longer than necessary for the given purpose of processing. Due to this legal requirement but also due to technical and financial aspects of data storage we actively delete data where no longer necessary. Retention periods are either provisioned in respective laws, data processing agreements, instructions of our controllers or are set out by us in our internal policies. When processing of your personal data is based on consent and you decide to withdraw your consent, we do not further process your personal data for the specific purpose. However, it does not exclude the possibility that we process your personal data on different legal grounds especially due to our legal obligations. General retention periods for the above purposes of processing are as follows:

  • Maintaining adequate level of security. Throughout duration of the business relationship and/or usage of our internal systems. We aim to delete security logs where kept once every 3 years, in case these are needed for the legal agenda.
  • Direct marketing communication & raising brand awareness online (marketing). Until you or we actively delete your message, comment, profile or until you object against direct marketing or revoke consent. We delete private messages on our profile and non-active marketing data once every 3 years.
  • Establishment, exercise or defence of legal claims (legal agenda). During the legal dispute, negotiation, or settlement, during court, administrative or criminal proceedings (can generally be from 2 to 7 years) or until the relevant limitation period has passed, which depending on type of legal claim may generally be from 2 to 10 years (Slovak law) or from 3 to 6 years (Polish law).
  • Tax, billing & accounting. Generally, 5 years (for Polish accounting documents) or 10 years (for Slovak accounting documents) as of the accounting year in which the tax, billing or account documentation originated.
  • Contract performance. Generally, 3 years after termination of the contract, unless required longer for legal agenda.
  • Personnel & payroll purposes. In relation to our internal staff, we are obliged to process certain limited data by the employment, commercial, social deductions and insurance regulations pursuant to the Art. 6(1)(c) of the GDPR. General retention period is 10 years from end of the employment relationship, unless the applicable law provides longer periods for certain documents (in some cases up to 50 years under Polish law or 70 years from employee’s date of birth under Slovak law).
  • Benefits for business partners. Until withdrawal of the data subject consent or end of business cooperation.
  • Statistics. Only as long and only if other purposes of processing are relevant. As soon as the data is not personal, GDPR does not apply and retention periods are unlimited.

All retention periods related to the personal data we process for our clients (controllers) are determined by our clients. We can only keep such personal data during the term of our data processing agreement, after which we must return or erase all personal data about clients’ data subjects. However, we might erase personal data even sooner if the client instructs us to do so, for example if the client no longer regards storing such data as necessary for the given purpose. Please also see the storage period for cookies we use on our websites (below).


When we process your personal data, you have data subject rights under Articles 15 to 22 of the GDPR. Among others, you have:

  • right to request information and access to your personal data according to Article 15 GDPR;
  • right to rectification of inaccurate data (and completion of incomplete data) according to Article 16 GDPR;
  • right to erasure of personal data according to Article 17 GDPR (right to be forgotten);
  • right to restriction of processing according to Article 18 GDPR;
  • right to data portability according to Article 20 GDPR;
  • right to object against processing according to Article 21 GDPR; and
  • right not to be subject to individual decision making according to Article 22 GDPR (which we do not undertake).

However, these are not absolute rights; they only exist if the relevant conditions are met. For example, the right to erasure does not apply in case such personal data is required for compliance with a legal obligation (legal compliance) or for the establishment, exercise or defence of legal claims (legal enforcement). The only absolute right is the right to object against direct marketing under Article 21 (2) of the GDPR, which is not linked to any further condition, and we must always comply with such an objection. Please contact us if you have a general query about your data subject rights.

We must explicitly bring to your attention the following information:

As regards consent: “You have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.”

As regards right to object: “You have right to object to any processing that is based on legitimate interest or public interest (we do not rely on public interest) including to profiling pursuant to the Article 21 GDPR. You also have a right to object to any direct marketing processing of your personal data including profiling.”

You also have a right to lodge a complaint with the relevant data protection supervisory authority. Please note that our lead supervisory data protection authority is the Slovak Data Protection Authority. You are free to contact the Polish Data Protection Authority if you feel your request is more relevant to Polish territory.

When enforcing your data subject rights, please be as explicit and detailed as possible. Otherwise, we might respond with a request to clarify a generic, vague or too general request, which in turn delays getting the information you request. As mentioned above, if you are our clients’ user, we are not entitled to handle your request. Such requests should be addressed to the controller (our client, i.e. game developer).


Our website might contain links to other websites and/or services of different providers than us. We are not responsible for content and provision of websites or services of different providers than us. This privacy policy does not apply to the processing of personal data during browsing or using websites or services of different providers than us.


When operating our websites or generally supporting our Service we may use cookies and similar technologies. Specifically, we use these technologies for general analysis of our website traffic, for marketing analytics and for direct marketing purposes. You have control over the use of cookies via settings of your internet browser, where you can disable cookies at any time and via our cookies bar, where you can grant consent with the use of cookies where such consent is required by ePrivacy laws. You can control and/or delete cookies as you wish – for details, see You can delete all cookies that are already on your computer and you can set most browsers to prevent them from being placed. If you do this, however, you may have to manually adjust some preferences every time you visit a site and some services and functionalities may not work. We use cookies in following way at

| Cookie name | Description of cookie purpose | Provider | Type | Expiry |
|---|---|---|---|---|
| NID | Registers a unique ID that identifies a returning user's device. The ID is used for targeted ads. | | HTTP | 6 months |
| rc::a | This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website. | | HTML | Persistent |
| rc::b | This cookie is used to distinguish between humans and bots. | | HTML | Session |
| rc::c | This cookie is used to distinguish between humans and bots. | | HTML | Session |
| cookielawinfo-checkbox-necessary | Session cookies for optimal functions of website. | | HTTP | 1 day |
| cookielawinfo-checkbox-non-necessary | Session cookies for optimal functions of website. | | HTTP | 1 year |

We use cookies in following way at

| Cookie name | Description of cookie purpose | Provider | Type | Expiry |
|---|---|---|---|---|
| NID | Registers a unique ID that identifies a returning user's device. The ID is used for targeted ads. | | HTTP | 6 months |
| rc::a | This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website. | | HTML | Persistent |
| rc::b | This cookie is used to distinguish between humans and bots. | | HTML | Session |
| rc::c | This cookie is used to distinguish between humans and bots. | | HTML | Session |
| cookielawinfo-checkbox-necessary | Session cookies for optimal functions of website. | | HTTP | 1 day |
| cookielawinfo-checkbox-non-necessary | Session cookies for optimal functions of website. | | HTTP | 1 year |
| _ga | Registers a unique ID that is used to generate statistical data on how the visitor uses the website. | Google Analytics | HTTP | 2 years |
| _gat | Used by Google Analytics to throttle request rate | Google Analytics | HTTP | 1 day |
| _gid | Registers a unique ID that is used to generate statistical data on how the visitor uses the website. | Google Analytics | HTTP | 1 day |
| collect | Used to send data to Google Analytics about the visitor’s device and behavior. Tracks the visitor across devices and marketing channels. | Google Analytics | Pixel | Session |

Google Analytics

This service from Google Inc. is an analytics tool that stores information in cookies to generate statistics about traffic to our sites. This functionality is not indispensable for browsing and serves to monitor the website’s performance and improve it. When using Google Analytics, we do not process any personal information or other identifiers usable for indirect identification (e.g., IP address) of the data subjects. However, this does not mean that your personal data is not processed by Google Inc., the Google Analytics controller. The main cookie used by Google Analytics is the _ga file. More about the types of cookies used by Google Inc. you can learn here: or see information above.

In addition to reporting on our website usage statistics, Google Analytics, along with some advertising cookies, can be used to show you more relevant ads from Google Inc. (based on your search and activity history within our website), as well as to measure the interactions with display ads from Google Inc. Google Analytics also uses cookies on our website to analyze your behavior, which are stored on the website’s end-user device (computer, tablet, smartphone). Google anonymizes part of the end user’s IP address of our website as soon as it is collected, thereby enhancing your privacy. Google Inc. uses the information collected during the use of the website to evaluate your use of our website, to provide us with activity reports on the website and to provide us with other services related to the use of our website and the use of the Internet. 

This data processing by Google Analytics can be prevented by appropriately setting up an Internet browser where you can install the browser plug-in (available on the following link): Clicking on this link will save your opt-out cookie to your web browser, which will prevent future data from being accessed when you visit our website. For more information on the processing of your personal information by Google Inc. when using Google Analytics, you can read their Privacy Policy available at:


Please read the relevant privacy policies to better understand processing of your personal data by providers of social media platforms. We only have typical admin control over the personal data processed by us via our own company profile. We assume that by using these social media platforms, you understand that your personal data might be processed for other purposes and that your personal data might be transferred to other third countries and third parties by providers of social media platforms.

In connection with the processing of statistical data on the use of our Facebook profile, we have the status of a joint controller with Facebook, while basic information on the agreement of joint controllers pursuant to Art. 26 (1) and (2) can be found here:

Our social media add-ons are integrated on our website. You will recognize them by the Facebook logo on the website. When you visit our website, Facebook receives information that you have visited our website with your IP address. If you click on the Facebook icon available on our website while you are signed in and / or registered to your Facebook account, the content of the website is redirected to your Facebook profile. Consequently, Facebook may associate your visit to our website with your user account. Data is transferred regardless of whether you have a Facebook account or not. Please note that when you use our website, we have no influence on the data collected and the data processing processes, and we also do not know the overall scope of the data being collected, the purpose of the processing or the data processing of such data. Facebook stores information about you as user profiles and uses it for its own advertising, market research, and / or customizing its services and tools for registered users. Such evaluation is performed in order to inform other Facebook users of your activities on our website. You are entitled to object against the creation of such user profiles, and you must contact Facebook to lodge an objection against that processing. We always recommend you sign out of your Facebook account, especially to avoid associating your online activity with your profile. For more information about the purpose and scope of your data discovery and processing by Facebook, please visit the Facebook Privacy Statement at:

We would also like to inform you that we can use the services provided by Facebook Ireland Limited, which are labelled as “data file custom audiences” – the management of the audience for advertising campaigns, where we may combine the data we process with personal data processed in Facebook – and “measurement and analytics”, in which Facebook processes personal data on our behalf to measure the performance and reach of our advertising campaigns and provide us with reports on users who have seen and responded to our advertising content. Therefore, this processing of your personal data may occur if you interact with our advertising content or our websites as you use your Facebook-based user profile. In such cases, we use Facebook as the processor, using the following legal safeguards to process your personal data:

If the above-described processing of personal data interferes with you, you can object to it or you can also use the available self-regulatory tools developed for the online marketing sector, available here: or These online tools allow you to automatically identify and delete third-party digital identifiers (including those from Facebook) in your browser, thereby preventing your personal data from being processed.


We may change this privacy policy from time to time by posting the most current privacy policy and its effective date on our website. In case we change this privacy policy substantially, we may bring such changes to your attention by explicit notice on our websites or by email.

SuperScale sp. z.o.o.

SuperScale s. r. o.

September 2019