Version 1.3
Effective Date: October 10, 2023
Introduction
THIS PRIVACY POLICY DESCRIBES HOW INFORMATION ABOUT YOU MAY BE COLLECTED, USED, AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. THIS PRIVACY POLICY FURTHER DESCRIBES OUR POLICIES WITH REGARDS TO PERSONAL INFORMATION. PLEASE REVIEW IT CAREFULLY.
Acceptance of Privacy Policy. This Privacy Policy (the “Privacy Policy”) concerns the collection, use, and disclosure of your (“you” or “user”) information by PA, Inc. (“PA,” “we,” or “us”) in connection with the services, programs, websites, and software applications (collectively, the “Service”) provided by PA. This Privacy Policy is incorporated by reference into the PA Terms of Service (the “Terms”), which can be found here: Terms of Service. By subscribing to or otherwise using the Service, or accessing any content or material that is made available by PA through the Service, you agree to be bound by the Terms, including this Privacy Policy. PA reserves the right to change or modify this Privacy Policy at any time and in its sole discretion. Any changes or modifications will be effective immediately upon posting of the revisions on the Service. Your continued use of the Service following the posting of such changes or modifications will constitute your acceptance of those changes or modifications.
Types of Personal Information. For purposes of this Privacy Policy, “Personal Information” refers to any information that could be used to identify the participant, either alone or in combination with other information. PA collects and uses several types of Personal Information in connection with the Service:
“Registration Information” is collected when you subscribe to or register for the Service. This information includes, but is not limited to, your name, user account name, password, membership date, and contact information such as email address and telephone number. PA uses Registration Information to authenticate your access to PA Services, including PA websites, forums and mobile applications, and to send you marketing communications.
“Purchaser Information” is collected when you purchase a product from PA through the Service. This information includes, but is not limited to, your name, shipping address, credit card information, and contact information such as email address and telephone number. PA uses Purchaser Information to charge you for products you order, ship the products to you, and to send you marketing communications.
“Club Information” is collected when a user joins Club PA and includes, but is not limited to, the total amount a user has paid through Patreon and your user account name.
Other Types of Collected Information. When you use the Service, some information is automatically collected through the use of log files. Such information may include your device’s Internet Protocol (IP) address, your device’s operating system, the browser type, and your device ID (only for iOS users). To ensure your data is safe and used only to the extent necessary to provide the Service, PA deletes this information automatically over time. PA uses this information for purposes such as analyzing trends, administering the Service, improving customer service, diagnosing problems with our servers, tracking user movement, and gathering broad demographic information for aggregate use.
Use of Cookies. We may also automatically collect certain information through the use of web beacons or “cookies.” Cookies are small data files that are stored on a user’s hard drive at the request of a website to enable the site to recognize users who have previously visited them and retain certain information such as customer preferences and history. If we combine cookies with, or link them to, any of the Personal Information, PA will treat this information as Personal Information. If you wish to block, erase, or be warned of cookies, please refer to your browser instructions or help screen to learn about these functions. However, if your browser or device settings will not allow you to accept cookies or if you block cookies, you may not be able to sign in to your PA account or access certain Service features.
In addition, PA may use third parties to provide certain functionalities or to collect, track and analyze non-personally identifiable usage and statistical information from users, such as the user’s browser type, operating system, and device ID (only for iOS users). These third parties may collect personal information from you in connection with the services they provide and may place cookies, web beacons or other devices on your device to collect non-personal information which may be used, among other things, to deliver advertising targeted to your interests and to better understand the usage of the Service and the other services tracked by these third parties. PA is not responsible for, and does not control, any actions or policies of any third-party service providers.
Use of Google Analytics. PA uses Google Analytics to provide information about how many users visit our website, when they visit, and how they navigate the site. We also use other Google Analytics tools, such as Demographics and Interest Reporting, which enables us to learn more about the characteristics and interests of the users who visit our website, and Remarketing with Google Analytics, which enables us to provide relevant advertising on different websites and online services. To learn more about Google’s privacy practices, please review the Google Privacy Policy at https://www.google.com/policies/privacy/. You can also download the Google Analytics Opt-out Browser Add-on to prevent your data from being used by Google Analytics at https://tools.google.com/dlpage/gaoptout.
Disclosure of Personal Information to Third-Parties. In general, PA will not disclose individual-level Personal Information to third parties, except under the following circumstances:
PA may disclose individual-level Personal Information to partners or service providers (e.g. credit card processors) who process and/or store Personal Information in order to help PA provide, understand, or improve the Service. In those instances, the protection of your individual-level Personal Information will be subject to the privacy policy of the specific PA partner or service provider.
PA may disclose such information to third parties where you provide express written consent for PA to do so.
Information Required to be Disclosed by Law. Under certain circumstances, Personal Information may be subject to disclosure pursuant to judicial or other government subpoenas, warrants, or orders, or in coordination with regulatory authorities. You acknowledge and agree that PA is free to preserve and disclose any and all Personal Information to law enforcement agencies or others if required to do so by law or in the good faith belief that such preservation or disclosure is reasonably necessary to: (i) comply with legal or regulatory process (such as a judicial proceeding, court order, or government inquiry) or obligations that PA may owe pursuant to ethical and other professional rules, laws, and regulations; (ii) enforce the PA Terms of Service; (iii) respond to claims that any content violates the rights of third parties; or (iv) protect the rights, property, or personal safety of PA, its employees, its participants (including you), and the public. In the event PA is required by law to disclose Personal Information, PA will notify you through the contact information provided to PA in advance, unless doing so would violate the law or a court order.
Security. To prevent unauthorized access or disclosure, to maintain data and information integrity, and to ensure the appropriate use of information, PA uses various physical, technical, and administrative measures to keep your Personal Information secure, in accordance with current technological and industry standards. In particular, all connections to the PA websites and mobile applications are encrypted using Secure Socket Layer (SSL) technology. Please recognize that protecting Personal Information is also your responsibility. We ask all participants to be responsible for keeping their password secure as well as other authentication information used to access the Service. You should not share authentication information with any third parties, and should inform PA immediately of any prohibited use of your password. PA cannot secure and assumes no liability for Personal Information that you release to third parties.
Children’s Privacy. PA is committed to protecting the privacy of children and abiding by the provisions of the Children’s Online Privacy Protection Act (COPPA). The Service is not designed or intended to attract children under the age of 13. A parent or legal guardian, however, may consent to his/her child using the Service, if the child is old enough to do so. The parent/guardian may create an account for, and provide Registration Information on behalf of, his or her child (if applicable). In such case, the parent/guardian assumes full responsibility for ensuring that the information that he or she provides to PA about his or her child is kept secure and that the information submitted is accurate. In the event that PA is notified or becomes aware that the Service has been used by a child under the age of 13 to store information of that child without parental consent, PA shall be and is authorized to delete, in its entirety, any of the information stored by that child. The Company also reserves the right to revoke any license to use the Service which is being used or has been used by a child under the age of 13.
Account Closure and Correction of Personal Information. If you wish to terminate your registered account, you may do so by sending a request to PA via email at cs@penny-arcade.com. If you terminate your account, PA retains limited Registration Information related to your order history (e.g., name, contact, and transaction data) for accounting and compliance purposes. Personal Information and Registration Information can be changed, corrected, or updated using the PA websites and mobile applications.
Business Transitions. In the event that PA goes through a business transition such as a merger, acquisition by another company, or sale of all or a portion of its assets, your Personal Information will likely be among the assets transferred. In such a case, your Personal Information would remain subject to the terms of the pre-existing and current Privacy Policy until such time as you are notified that the different terms shall apply.
California Do-Not-Track Disclosures. PA does not track its customers over time and across third party websites to provide targeted advertising and therefore does not respond to Do Not Track (DNT) signals. Third parties that have content embedded on PA’s websites or mobile applications (e.g. social features) may set cookies on a user’s browser and/or obtain information about the fact that a web browser visited a specific PA website from a certain IP address. Third parties cannot collect any other personal identifiable information from PA’s websites unless you provide it to them directly.
Know Your Rights.
Data Privacy for California Residents. - CCPA
This section applies solely to all visitors, users, and others who reside in the State of California. We adopt this notice to comply with the California Consumer Privacy Act of 2018 (the “CCPA”) and any terms defined in the CCPA have the same meaning when used in this notice.
Information We Collect. PA collects information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device ("personal information"). In particular, PA's Service has collected the following categories of personal information from its consumers within the last twelve (12) months:
Identifiers. Real names, postal addresses, online identifier, telephone number, credit/debit card number, and email address.
Commercial Information. Products and/or services purchased, purchasing history.
Internet or Similar Network Activity. Information regarding your interaction with the Service.
Sources of Personal Information. PA obtains the personal information listed above from the following sources:
Directly from you. For example, from forms you complete or products and services you purchase.
Indirectly from you. For example, from observing your actions on the Service.
Third Parties. For example, we collect user name information from Patreon members of Club PA.
Use of Personal Information. We may use or disclose the personal information we collect for one or more of the following business purposes:
To fulfill the purpose for which you provided the information. For example, if you share your name and contact information to request a price quote or ask a question about our products or services, we will use that personal information to respond to your inquiry. If you provide your personal information to purchase a product or service, we will use that information to process your payment and facilitate delivery. We may also save your information to facilitate new product orders or process returns.
To provide, support, personalize, and develop our websites, products, and/or services.
To create, maintain, customize, and secure your account with us.
To process your requests, purchases, transactions, and payments and prevent transactional fraud.
To provide you with support and to respond to your inquiries, including to investigate and address your concerns and monitor and improve our responses.
To help maintain the safety, security, and integrity of our Website, products and services, databases and other technology assets, and business.
To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
As described to you when collecting your personal information or as otherwise set forth in the CCPA.
PA will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice. PA does not sell your personal information.
Data Privacy for EU Residents. - GDPR
General Data Protection Regulation (“GDPR”) Information for EU Residents. The following information describes our commitments to you under the EU General Data Protection Regulation (“GDPR”). Except where a term is specifically defined herein, terms in Section 12 will have the meaning provided under the GDPR.
When PA acts as Controller. PA acts as a Controller when it determines the purposes and means of processing personal data.
When PA acts as a Processor. PA acts as a Processor where it processes personal data for another Controller. Where we process your data in our capacity as a Processor on behalf of a third-party Controller, the processing of your personal data will not be governed by this Privacy Policy. In such event, we encourage you to contact the Controller directly to learn about their processing of your information and to exercise your rights, or we will forward your request directly to such Controller upon receipt.
Right to access, correct, and delete your personal data. Please contact privacy@penny-arcade.com to exercise your rights to access, correct, and delete your personal data pursuant to GDPR. We are not required to comply with your request to erase personal data if the processing of your personal data is necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims. Subject to the above terms and conditions, PA will, within 60 days from the request of a customer, delete the personal data concerning such customer. Notwithstanding the above provisions, PA shall be permitted to retain any and all anonymized, aggregate data.
Right to restrict the processing of your personal data. You have the right to restrict the use of your personal data; however, we can continue to use your personal data following a request for restriction, where:
we have your consent; or
to establish, exercise or defend legal claims; or
to protect the rights of another natural or legal person.
Right to data portability. To the extent that we process your personal data (i) based on your consent or under a contract; and (ii) through automated means, you have the right to receive such personal data in a structured, commonly used, machine-readable format, or you can ask to have it transferred directly to another data controller.
Personal data retention. We retain your personal data for as long as necessary to provide you with our services, or for other important purposes such as complying with legal obligations, resolving disputes, and enforcing our agreements.
Third parties with access to personal data. PA shares your personal data with third parties as follows:
Customer support service providers: to process orders and respond to customer service requests
Website and mobile application usage analytics services: to determine who is using PA’s services and how to improve those services
Payment processors: to process customer payments
Warehouse facilities: to ship customer orders to the locations designated by the customer
Software developers: to develop and test PA’s software
PA’s “privacy by design” approach requires that our default user data protection levels be at the highest setting by default. In the unlikely event of breach, PA will notify data subjects and supervisory authorities in the EU according to procedures provided in GDPR Articles 33 and 34.
Using and sharing your information. We collect, use, and share your personal data where we are satisfied that we have an appropriate legal basis to do this. This may be because:
Our use of your personal data is necessary to perform a contract or take steps to enter into a contract with you; or
Our use of your personal data is in our legitimate interest as a commercial organization (for example in order to make improvements to our products and services and to provide you with information you request);
Our use of your personal data is necessary to comply with a relevant legal or regulatory obligation that we have (for example, where we are required to disclose personal data to a court); or
Our use of your personal data is in accordance with your consent.
If you would like to find out more about the legal bases on which we process personal data, please contact us using the details below.
Exporting Personal Data from the EU. PA may transfer your personal data outside of the country from which it was originally provided. This transfer may be intra-group or to third parties that we work with who may be located in jurisdictions outside the EU which have no data protection laws or laws that are less strict compared with those governing the EU. Whenever we transfer personal data outside of the EU, we take legally required steps to make sure that appropriate safeguards are in place to protect your personal data as further set forth below. Please contact us as set forth below for more information about the safeguards we have put in place to protect your personal data and privacy rights in these circumstances.
How to exercise your rights.
Data Privacy for California Residents.
You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request, we will disclose to you:
The categories of personal information we collected about you.
The categories of sources for the personal information we collected about you.
Our business or commercial purpose for collecting or selling that personal information.
The categories of third parties with whom we share that personal information.
The specific pieces of personal information we collected about you (also called a data portability request).
If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
sales, identifying the personal information categories that each category of recipient purchased; and
disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.
You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.
We may deny your deletion request if retaining the information is necessary for us or our service providers to:
Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
Debug products to identify and repair errors that impair existing intended functionality.
Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.).
Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information's deletion may likely render impossible or seriously impair the research's achievement, if you previously provided informed consent.
Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
Comply with a legal obligation.
Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by sending us an email at privacy@penny-arcade.com.
Only you or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.
You may only make a verifiable consumer request for access or data portability twice within a twelve month period. The verifiable consumer request must:
Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor's identity or authority to make the request.
We aspire to respond to a verifiable consumer request within forty five (45) days of receipt of the request. If we require more time (up to ninety (90) days) we will inform you of the reason(s) why an extension is needed and how long we anticipate the period to be. Any disclosure we provide will only cover the twelve (12) month period preceding the receipt of your request. If applicable, the response may provide the reasons why we cannot comply with your request. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Non-Discrimination.
We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:
Deny you goods or services.
Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
Provide you a different level or quality of goods or services.
Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
EU Residents - EU-U.S. Data Privacy Framework
PA complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) as set forth by the U.S. Department of Commerce. PA has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/
In compliance with the EU-U.S. DPF, PA commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF should first contact PA at: privacy@penny-arcade.com
We may ask you for additional information to confirm your identity and for security purposes, before disclosing the personal data requested to you. We reserve the right to charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive.
We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way.
If you are not happy with how we have resolved your complaint, you may contact the relevant supervisory authority.
Lawful requests. PA may be required to disclose personal data pursuant to lawful requests made by public authorities, including to meet national security or law enforcement requirements.
Inquiries and Complaints. If you wish to verify, correct or delete any personal data pertaining to you that we have collected, or if you have any questions or concerns, or if you have any complaints, please contact us at privacy@penny-arcade.com.
Dispute Resolution. In compliance with the EU-U.S. DPF, PA commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF to VeraSafe Ireland Ltd, an alternative dispute resolution provider based in the European Union. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://verasafe.com/public-resources/contact-data-protection-representative for more information or to file a complaint. The services of VeraSafe Ireland Ltd. are provided at no cost to you.
You may also contact PA’s designated, EU-based representative at:
VeraSafe Ireland Ltd.
Unit 3D North Point House
North Point Business Park
New Mallow Road
Cork, T23AT2P, Ireland
Binding Arbitration. You may have the option to select binding arbitration for the resolution of your complaint under certain circumstances, provided you have taken the following steps: (1) raised your complaint directly with PA and provided us the opportunity to resolve the issue; (2) made use of the independent dispute resolution mechanism identified above; and (3) raised the issue through the relevant data protection authority and allowed the US Department of Commerce an opportunity to resolve the complaint at no cost to you. For more information on binding arbitration, see US Department of Commerce’s DPF Framework: Annex I (Binding Arbitration).
Notice. When PA collects personal data from individuals, it will inform the individual of the purpose for which it collects and uses the personal data and the types of non-agent third parties to which PA discloses or may disclose that information. PA shall provide the individual with the choice and means for limiting the use and disclosure of their personal data. Notice will be provided in clear and conspicuous language when individuals are first asked to provide personal data to PA, or as soon as practicable thereafter, and in any event before PA uses or discloses personal data for a purpose other than for which it was originally collected.
In instances in which PA is not the controller or collector of the personal data, but only a processor, it has no means of providing individuals with the choice and means for limiting the use and disclosure of their personal data or providing notices when individuals are first asked to provide personal data to PA. In such instances, PA will comply with the instructions of the controller of such information; provide appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and to the extent appropriate, assist the controller in responding to individuals exercising their rights under the Principles.
PA will inform individuals that it is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).
All participating organizations must inform individuals about each element listed in the Notice Principle, including the participating organizations’ liability in cases of onward transfers to third parties. The Accountability for Onward Transfer Principle explains that to transfer personal information to a third party acting as a controller, a participating organization must, among other things, comply with the Notice and Choice Principles. The Recourse, Enforcement and Liability Principle explains that, in the context of an onward transfer, a participating organization has responsibility for the processing of personal information it receives under the DPF Principles and subsequently transfers to a third party acting as an agent on its behalf. The participating organization shall remain liable under the DPF Principles if its agent processes such personal information in a manner inconsistent with the DPF Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.
Choice. In those instances where PA collects personal data from individuals, it will offer individuals the opportunity to choose (including to opt out, if applicable) whether their personal data is (1) to be disclosed to a third party or (2) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual.
Disclosures to Third Parties. In those instances where PA collects personal data from individuals, prior to disclosing personal data to a third party, PA shall notify the individual of such disclosure and allow the individual the choice to opt out of such disclosure. PA shall ensure that any agent third party to which personal data may be disclosed subscribes to these principles or is subject to law providing the same level of privacy protection as is required by these principles and agrees in writing to provide an adequate level of privacy protection.
Data Security. PA shall take reasonable steps to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction. PA has put in place appropriate physical, electronic and managerial procedures to safeguard and secure the information from loss, misuse, unauthorized access or disclosure, alteration or destruction. PA cannot guarantee the security of information on or transmitted via the Internet.
Self-assessment. PA uses a self-assessment approach or outside compliance review to assure compliance with this privacy policy and periodically verifies that this privacy policy is accurate, comprehensive for the information intended to be covered, and in accordance with the Principles.
Data Integrity. PA shall only process personal data in a way that is compatible with and relevant for the purpose for which it was collected or authorized by those who provided the information. To the extent necessary for those purposes, PA shall take reasonable steps to ensure that personal data is accurate, complete, current and reliable for its intended use.
Access. In those instances in which PA collects personal data directly from individuals, PA shall allow those individuals access to their personal data and allow the individual to correct, amend or delete inaccurate information, except where the burden or expense of providing access would be disproportionate to the risks to the privacy of the individual in the case in question or where the rights of persons other than the individual would be violated.
Rest of World.
Within our capability and scope, PA commits to extending to you abilities equal to the rights granted under CCPA and GDPR to residents of all other parts of the world not governed by an existing data privacy law. To this end if you would like to make a data privacy related request of equal scope and type to the rights extended by the CCPA or GDPR but do not live in an area governed by these laws please contact us at privacy@penny-arcade.com.
While PA commits to attempt to extend these abilities to all users of our services we make no guarantee that we will be able to comply with all requests due to reasons outlined above. There is also no ability for us to offer alternate dispute resolution in these cases.
Contact. If you have questions about this Privacy Policy, please contact us at privacy@penny-arcade.com or by writing to us at:
Penny Arcade, Inc.
Attn: Data Privacy Officer
9660 153rd Ave NE
Redmond, WA 98052