Privacy Policy


My name is Milan Timčenko, Identification Number: 042 63 235 with address at Průmyslová 468/3, 747 18, Píšť, Czech Republic, and I am the game developer of Mall Craze (for this Privacy Policy, I will be referred as the “us” or “Developer“). In the text below, I will refer to myself as the “controller” or “we”, and to yourselves as “you” or the “data subject”.


As we handle your personal data, we are in the position of personal data controller under the GDPR and are required to inform you of how we process your personal data.


Personal data are information related to an identified or identifiable person. In brief, personal data include all information about you that you have provided to us or that we have obtained otherwise.


The conditions under which we may process your personal data are listed directly in the GDPR. We may (and sometimes must) process your personal data on the following grounds:

  • you have given your consent to us;
  • the processing is necessary for the performance of a contract concluded between you and us or a contract we intend to conclude;
  • the processing is necessary for compliance with a legal obligation which applies to us;
  • the processing is necessary in order to protect your vital interests (or those of another natural person);
  • the processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority vested in us;
  • the processing is necessary in view of our legitimate interests or those of a third party.

The legal grounds based on which we process your personal data can be found below, under Question 5.


We may collect or process your data directly from you, specifically:

  • data you give us via Mall Craze;
  • data you give us when you contact us or report a problem with Mall Craze;
  • data about your activity as a user of Mall Craze (collected automatically);


We approach personal data processing responsibly and seriously – we therefore want to inform you as clearly as possible for what purpose we process your personal data. It is possible that not all the purposes listed below will apply to you and you thus need not worry if some of the purposes mentioned here appear to make no sense in your case. We may use your data for several purposes, relying on specific legal bases:

6.1. to perform the agreement with you (art. 6.1.b GDPR):

  • to provide you with Mall Craze,
  • to maintain, improve and develop Mall Craze,
  • to maintain technical support services,

6.2. to meet our legal obligations (art. 6.1.c GDPR):

  • for tax, legal and accounting purposes
  • for the accountability purposes as defined by EU legislation (GDPR)

6.3. to fulfill our legitimate interests, i.e. lawful purposes that could be reasonably expected from us in the context of Mall Craze (art. 6.1.f GDPR):

  • to defend from or pursue legal claims,
  • to calculate conversion rates and other elements of Mall Craze performance,


We will store your personal data for as long as we need it to fulfil the purposes outlined in this Privacy Policy. In more detail:

  • we will keep the data associated with your Mall Craze account until you close it or delete game (i.e. for as long as we have a contract in place);
  • after that, we may keep some of your data for a longer period, not exceeding 3 to 10 years, for tax and/or accounting purposes;
  • we may also keep some of your data to defend ourselves from or to pursue legal claims, for no longer than 3 years;
  • when we no longer require your data we will delete or anonymize it.


We do all we can to protect your personal data. In the vast majority of cases, we (and possibly our employees and persons in a similar position) are the only ones to have access to the data. In some specific cases, we might, however, appoint another person to process personal data for us; in that case, we have concluded the relevant contracts with the processors. In other cases (especially in cases of mediation), we transfer your personal data with your consent to the companies whose products or services we offer to you.

We denote all these persons as recipients and list the categories of recipients below:

Recipient Reason for disclosure
Crash Reporting services provider We use a third party service that allows us to process crash reports


GDPR naturally provides you with various rights which you can exercise depending on the legal basis for our processing of your personal data. To make things easier for you, we therefore provide the following table, which will help you determine which rights you can exercise and which you cannot (given that not all the legal grounds are relevant, we mention only those which can apply):

Right to: Consent Performance of a contract Compliance with a legal obligation Legitimate interest
access Yes Yes Yes Yes
rectification Yes Yes Yes Yes
erasure Yes Yes Yes Yes
restriction Yes Yes Yes Yes
portability Yes Yes No No
objection to processing No No No Yes
revocation of consent Yes No No No
lodging a complaint with the Office Yes Yes Yes Yes

Further conditions regarding when and how you can exercise the given rights can be found in the following part.

9.1. Right of access

You have the right to obtain a confirmation from us as to whether or not we process your personal data. If we process your personal data, you have the right to access the personal data being processed and, at the same time, the right to obtain a copy of such personal data.

9.2. Right to rectification

We strive to process only up-to-date information about you and erase any incorrect information, following their rectification. However, this does not prevent you from asking us to rectify personal data that are no longer up-to-date or are incorrect.

9.3. Right to erasure (“right to be forgotten”)

If we no longer require your personal data, we will erase them immediately. However, this in no way affects your right to have your personal data erased (or rendered anonymous) without delay based on any of the following reasons:

  • the personal data are no longer required for the above purposes;
  • you withdraw your consent to personal data processing;
  • you raise an objection regarding a legitimate interest and we come to the conclusion that this legitimate interest does not override your rights (in the case of marketing purposes based on a legitimate interest, we will erase these data immediately);
  • the processing has been unlawful;
  • we are required to erase the data based on the laws of the Czech Republic or European Union law.

However, this right is not absolute. In some cases, we need not/must not erase your personal data – this is so in the following cases, where processing is necessary:

  • for exercising the right of freedom of expression and information;
  • for complying with a legal obligation;
  • for reasons of a public interest in the area of public health;
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
  • for the establishment, exercise or defence of legal claims.

However, it is quite possible that none of the above cases will become relevant, and so you need not worry that we would not erase your personal data.

9.4. Right to restriction of processing

At the same time, you have the right to claim that we restrict personal data processing in one of the following cases:

  • you contest the accuracy of your personal data – for a period necessary to verify their accuracy;
  • the processing is unlawful, and you oppose the erasure of the personal data and request the restriction of their use instead;
  • we no longer need the personal data for the purposes of the processing, but you require us to store them for the establishment, exercise or defence of legal claims;
  • you raise an objection regarding a legitimate interest – until the objection is evaluated as to its justification.

9.5. Right to portability

Although this might seem odd at first sight, if we process your personal data by automated means and the processing is based on consent or necessity for the performance of a contract, you have the right to “portability”. The right to portability guarantees that we will transmit the data you have provided to us in a commonly used and machine-readable format, either to you or to another data controller identified by you.

9.6. Right to object to processing based on a legitimate interest

If we process your personal data on the basis of a legitimate interest, you have the right to raise a justified objection against such processing. In cases where data are being processed for the purposes of direct marketing, you need not justify your request and we will immediately cease processing your personal data, in line with the GDPR.

In other cases, we have the right to review your objection and assess whether your rights override our legitimate interest.

9.7. Right to withdraw consent

If we process your personal data on the basis of your consent, you naturally have the right to refuse the consent and withdraw it at any time. In that case, we will not continue with the processing and, if the law does not prevent us from doing so, we will erase your personal data.

However, if we simultaneously process your personal data based on some other legal ground, we are not required (and sometimes not even allowed) to erase the personal data.

9.8. Right to lodge a complaint with the Office for Personal Data Protection

If you believe that we are processing your personal data unlawfully, you naturally have the right to lodge a complaint with the supervisory authority, specifically the Office for Personal Data Protection (


You can exercise your rights easily by sending an e-mail to Please note that we first have to verify your identity.