Privacy Policy

Privacy Policy

Last updated: March 2026

Kingsisle Entertainment, Inc. (hereinafter: “we,” “us”) respects the integrity of personal data, protects privacy and ensures the security of its customers’ personal data.

In this Privacy Policy, we want you to understand what information we collect and process about you when you play Grub Guardian (the "App" or the "Services") and for what purpose we collect such data. In addition, we would like to inform you about the rights you are entitled to if you have entrusted us with your personal data as part of our offers.

For our other games and services, a separate privacy policy applies, available under this link https://www.wizard101.com/game/privacypolicy.

Please note that our privacy practices are subject to the applicable laws of the regions in which we operate. Accordingly, some additional region-specific terms will only apply to individuals in those locations, or as required by applicable law.

FOR US CITIZENS ONLY: BY USING OR ACCESSING THE SERVICES, YOU AGREE TO THIS PRIVACY POLICY. IF YOU DO NOT AGREE WITH OUR POLICIES OR PRACTICES, YOU SHOULD NOT USE OR ACCESS THE SERVICES OR PROVIDE US WITH ANY PERSONAL INFORMATION.

Kingsisle Entertainment, Inc.

3800 Quick Hill Road

Austin

TX 78728

United States of America

Telephone: +1 512-623-5900 (Not for support queries)

We are the controller within the meaning of Article 4 No. 7 of the General Data Protection Regulation (GDPR) and other data protection regulations. As the controller, we decide, if necessary, jointly with third parties, on the purposes and means of processing personal data. This is contingent upon the processing being lawful.

If you're an EU/EEA/UK/Brazil resident you can contact our external Data Protection Officer by emailing to: privacy.kingsisle@gamigo.com.

You can contact our representative within the European Union by writing a letter to

gamigo AG

Behringstr. 16b

22765 Hamburg

Germany

and by emailing: EURepresentative@gamigo.com

Decisive for the definition of the terms used in this Privacy Policy, such as the term personal data, is Art. 4 GDPR (where applicable).

The provision of personal data on the internet always carries the risk of unauthorized processing by third parties who gain unauthorized access to this data, as no technological system can be fully protected against external attacks.

We take technical and organizational measures to protect your data from misuse. We process your data in accordance with the requirements of applicable data protection laws, including GDPR where applicable. The data processing is carried out according to the current state of the art and is continuously reviewed and improved.

We obtain personal data in the following way:

We receive personal data from you when you create or use an account in connection with the App, contact support, or make purchase/subscriptions. Providing this information is normally voluntary. However, certain information may be required for the App to function properly (e.g., to enable account login or purchases).

Examples: Registration/update of user accounts; support and community management requests; use of the social functions offered by us; purchases; e-mail address; self-chosen nicknames; name; age/date of birth (if required for age-rating); billing-related information (where applicable).

When you use the App, some data is automatically collected and generated, including technical and usage data.

Examples: Device information (device model, OS version, language, time zone); app version; IP address; approximate location derived from IP address (e.g., country/city); app usage data (sessions, crashes, error logs); advertising and attribution data (see below).

The scope and purposes of the processing of your personal data will depend on how you use the App and which features you use. Not every feature involves all processing practices described in this Privacy Policy. In the following, we would like to give you an overview of the personal data that we process in connection with the App.

Personal data is all information relating to an identified or identifiable natural person. Data that cannot be assigned to a specific natural person is not personal data (e.g., aggregated statistics).

We treat your personal data confidentially and in accordance with applicable data protection laws. We do not share personal data with third parties without your consent unless permitted by law or necessary to perform the contract (e.g., to provide the App, show ads (subject to consent), process purchases, or measure campaign performance (subject to consent)).

The main legal bases are set out in Art. 6(1) GDPR (where applicable), in particular:

• Art. 6(1)(a) GDPR: consent

• Art. 6(1)(b) GDPR: performance of a contract

• Art. 6(1)(c) GDPR: compliance with a legal obligation

• Art. 6(1)(f) GDPR: legitimate interests (unless overridden by your interests/rights)

To use certain features of the App, you need an account. The App is a companion game to our other game "Wizard101" and the same account system is to be used.

Cross-platform synchronization: If you use both Wizard101 and the App, we may synchronize certain data across platforms to provide a unified experience, including account access, art assets associated with your account (e.g., owned cosmetics), game progress, and virtual currency balances.

Examples of processed data: account ID; username/nickname; account region; preferred language; email address; age/date of birth (if required); linked accounts (if applicable); entitlement and membership/subscription status; virtual currency balances; inventory/owned items; progress markers.

Legal basis: Art. 6(1)(b) GDPR.

We process technical logs to operate the App, ensure security, identify errors, and prevent misuse, including fraud and manipulation.

Examples of processed data: IP address; device model; OS version; app version; timestamps; crash reports; connection type; usage frequency; error codes; security/fraud signals.

Legal basis: Art. 6(1)(b) GDPR (operation of the App) and Art. 6(1)(f) GDPR (security, fraud prevention, ensuring stability of services).

When you play the App, data is generated that stores game progress and enables core game functionality. Where the App is connected to Wizard101, certain gameplay data may be synchronized as described above.

Examples of processed data: progress history; game statistics; unlocks; inventory items; in-game interactions; session events; purchase-related entitlement signals.

Legal basis: Art. 6(1)(b) GDPR.

Processing for fraud prevention/manipulation prevention may also rely on Art. 6(1)(f) GDPR.

If you contact us for support, we process the information necessary to handle your request and improve our services.

Examples of processed data: contact details; account identifiers; ticket content; device/app information; screenshots; purchase receipts (if needed for verification).

Legal basis: Art. 6(1)(b) GDPR (where necessary to provide support as part of the contract) and/or Art. 6(1)(f) GDPR (legitimate interest in assisting users and improving services).

The App may offer memberships/subscriptions or purchases. Where purchases are made via the Apple App Store or Google Play Store, Apple/Google process payment data as independent controllers. We generally receive transaction confirmations and entitlement information necessary to grant access to purchased content.

Examples of processed data: transaction identifier; purchase timestamp; subscription status; product ID; currency and price (if provided to us); chargeback/refund signals; entitlement flags.

Legal basis: Art. 6(1)(b) GDPR.

Where we must retain transaction records to comply with legal obligations, Art. 6(1)(c) GDPR applies.

If the App uses push notifications, we process device tokens and notification events to deliver such messages.

Examples of processed data: device token; notification status; timestamps; content of the message.

Legal basis: Art. 6(1)(a) GDPR (consent), where applicable.

The App integrates third-party SDKs for advertising, ad mediation, attribution/measurement, and consent management.

The App displays ads. Subject to your consent (where required), advertising partners may process data such as:

• Advertising ID (IDFA on iOS / GAID on Android)

• IP address (can imply approximate location, but not precise geolocation)

• Approximate location (country/city level)

• Device information (model, OS, language, time zone)

• Ad events (impressions, clicks)

• App activity related to ads (sessions, crashes)

• Fraud detection signals

Legal basis: Art. 6(1)(a) GDPR (consent), where required.

We use an attribution partner to measure the effectiveness of marketing campaigns and understand which campaign/source led to an install or a conversion. The attribution partner may process:

• Advertising ID (IDFA/GAID)

• App instance/install identifiers

• Device and app information

• Attribution data (source, campaign name, timestamps)

In-app events we choose to send (e.g., login, tutorial completion, purchase, subscription started, level completed), which may include revenue amount/currency and product ID.

Important: The attribution partner can only receive the in-app events that we (or our developers) configure to be transmitted.

Legal basis: Art. 6(1)(a) GDPR (consent), where required.

We do not finally control how third parties who partner with us to promote products and services, provide marketing and advertisements, conduct data analytics, or use the data for other commercial purposes, use and share your personal data once they receive it but have implemented contractual and other safeguards. You will need to contact such third parties directly for information about their privacy practices or to exercise any rights you may have.

You can find an overview of the advertising networks and partners that we use below, additional information may be found in our CMP. In addition to the partners listed there, we use the following advertising networks in order to be able to integrate advertising within our App. These collect the personal data described above for the purpose of providing personalized advertising:

We use a CMP to collect and manage user consent choices for advertising and related technologies.

Legal basis: Art. 6(1)(c) GDPR and/or Art. 6(1)(f) GDPR (compliance and documentation of consent choices), as applicable.

To achieve the processing purposes described above, we share personal data with service providers and partners. The specific sharing of personal data depends on how you use the App.

We share personal data with the following categories of service providers as processors: to service providers in the context of fraud and manipulation prevention, to service providers to conduct surveys, to service providers for analysis services, to payment service providers, to service providers for sending newsletter, to service providers for advertising services, data centers, as well as to subsidiaries and affiliated companies within the meaning of Sec. 15 AktG (German Stock Corporation Act). The transfer of the personal data to the respective recipient as processor is lawful under Art. 28 GDPR.

We pass on personal data to the following categories of service providers as independent controllers: Lawyers, authorities, the police, and payment service providers.

Where you consent to us setting non-essential cookies (see the “Cookies” section), we share personal data with third parties. This includes advertising partners, IT service providers, social media providers and partners to analyze our website for performance (i.e., measuring visits, traffic sources, and usage patterns).

If personal data is transferred to a third country, i.e., a country outside the EU or the EEA (Norway, Iceland, Liechtenstein), we ensure compliance with applicable transfer requirements (e.g., adequacy decisions or appropriate safeguards such as standard contractual clauses), in accordance with Art. 44 et seq. GDPR (where applicable).

We store personal data only as long as there is a specific purpose for this. The duration of the storage depends on the purpose of the processing, the requirements of the processing, as well as on your and our interests and rights and, if applicable, the interests and rights of third parties. We always store personal data as briefly as possible (principle of data economy data/minimization), but at the same time we observe the statutory requirements which stipulate a minimum retention period (e.g., in commercial and tax law of up to 10 years, Sec. 257 para. 4 of the German Commercial Code, Sec. 147 para. 3 of the German Fiscal Code).

In any case, the following shall apply: If the purpose of processing has ceased to exist or if data is no longer required to achieve this purpose and there are no further statutory storage obligations to the contrary, we delete the relevant data (e.g., we delete support tickets at the latest 9 months after we have processed your request).

In this section, we inform you about the rights you have in relation to the processing of your data. To exercise your rights, please let us know if you are an EU/EEA/UK/Brazil resident and email us at privacy.kingsisle@gamigo.com.

You have a right to access your data pursuant to Art. 15 GDPR stored by us.

You have a right pursuant to Art. 16 GDPR to have incorrect personal data rectified or correct personal data completed.

Pursuant to Art. 17 GDPR, you have the right to have your personal data stored by us erased. Please note that we cannot undo an erase, i.e., all your game scores and progress are permanently lost.

You have the right to restrict the processing of your data pursuant to Art. 18 GDPR if you dispute the accuracy of the data, if the processing is unlawful but you refuse to erase it, if we no longer need the data but you need it for the assertion, exercise or defense of legal claims or if you have lodged an objection to the processing in accordance with Art. 21 GDPR.

You have the right to data transfer pursuant to Art. 20 GDPR, i.e., the right to receive selected data stored by us about you in a common, machine-readable format, or to request the transfer to another controller,

You have a right to object processing of data pursuant to Art. 21 GDPR.

If we process data on the basis of a consent given by you, you have the right to withdraw the consent given at any time with effect for the future. The withdrawal of consent does not render invalid the data processed on the basis of the consent until the time of withdrawal.

You have the right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR. To consult the contact details of the supervisory authorities in the German federal states, please access the following link:

https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html

This Privacy Policy is merely to inform you and does not require your agreement. We may adapt the Privacy Policy from time to time (e.g., if processing activities change or new SDKs are introduced). We will inform you of material changes by appropriate means.

Applicable only and in addition to the provisions outlined above for residents of the United States.

The California Consumer Privacy Act of 2018 (“CCPA”), as amended by the California Privacy Rights Act of 2020, provides you with specific rights regarding your personal information. This section describes the rights that California consumers have and explains how to exercise those rights. For the purposes of this section, personal information does not include: (i) information that is lawfully made available from federal, state or local government records; (ii) de-identified or aggregated data; or (iii) information excluded from the scope of the CCPA. To be clear, these rights are granted only to the extent that you are a California consumer and we are acting as a “business” under the CCPA with respect to your personal information. The rights in this section are not intended to grant you additional rights, but only your rights under the CCPA.

General information regarding our collection, use, and disclosure of personal information is set forth in the Privacy Policy above. To help consumers make informed privacy decisions, the CCPA defines personal information by discrete categories. Information about our data practices pertaining to these categories of personal information can be found below (some types of personal information may apply to multiple categories).

In the past 12 months, we have collected the categories of personal information described in the “Personal Information We Collect From You” section above for the business or commercial purpose(s) indicated above. Depending on your level of interaction with us, we may not have collected your personal information from all of the categories.

Company may disclose your personal information to a third party for a business purpose, or sell or share your personal information, subject to your right to opt out (see Personal Information Sales Opt-Out and Opt-In Rights, below). The information above under “How We Disclose Or Share Your Personal data” describes the entities with which we may disclose your personal information.

As a California consumer, you have the right to request that we disclose certain information to you about our collection, use, disclosure or sale of your personal information. Once we receive and confirm your verifiable consumer request (see Exercising Your Rights, below) and subject to certain limitations that we describe below, we will disclose such information. You have the right to request any or all of the following:

• The categories of personal information we collected about you.

• The categories of sources from which the personal information is collected.

• Our business or commercial purpose for collecting or selling that personal information.

• The categories of third parties with whom we share that personal information.

• The specific pieces of personal information we collected about you (see “Right to Data Portability” below).

You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see Exercising Your Rights, below), we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies. However, we maybe retain personal information that has been de-identified or aggregated. Furthermore, we may deny your deletion request if retaining the information is necessary for us or our service provider(s) in order to perform certain actions set forth under CCPA, such as detecting security incidents and protecting against fraudulent or illegal activity.

You have the right to request a copy of personal information we have collected and maintained about you. The CCPA allows you to request your information from us up to twice during a 12-month period. We will provide our response in a readily usable (and usually electronic) format.

You have the right to request the correction of any personal information we maintain about you.

You have the right to opt out of the sale or sharing of your personal information, along with the right to opt in to the sale of such information.  We do not sell or share the personal information of consumers we actually know are less than 16 years of age, unless we receive affirmative authorization (the "right to opt-in") from either the consumer who is less than 16 (but greater than 13) years of age, or the parent or guardian of a consumer less than 13 years of age. To our knowledge, we do not sell or share the personal information of minors under 16 years of age.

To exercise the right to opt out, you (or your authorized representative at that time) may submit an opt-out request by visiting the Privacy Center in our Apps. We will also treat Global Privacy Control browser signals as valid opt-out requests. In order to facilitate your request, we may require you to provide us with the MAID for your device.

More information on how to retrieve this information can be found under this link: https://revealmobile.com/how-to-find-your-mobile-ad-id/.

We will not discriminate against you for exercising any of your CCPA rights, including but not limited to, by:

• Denying you goods or services.

• Charging you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.

• Providing you a different level or quality of goods or services.

• Suggesting that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

To exercise the rights described above, please contact us by using the following methods:

• Emailing us at privacy.kingsisle@gamigo.com (not for Opt-out requests)

• Visiting our Opt-out page in the Privacy Center linked within the user settings menu in our Apps

After submitting a rights request, excluding opt-out requests, we will take steps to verify your identity in order for us to properly respond and confirm that it is not a fraudulent request. In order to verify your identity, we will ask, at a minimum, that you provide your name, email address, phone number, address, and relationship to us, so that we can seek to match this information with the information existing in our systems. When providing us this information, you represent and affirm that all information provided is true and accurate. If we are unable to verify that the consumer submitting the request is the same individual about whom we have collected personal information, we may contact you for more information, or we may not be able to meet your request.

Only you, or an agent legally authorized to act on your behalf, may make a verifiable request related to your personal information. If you are making a request as the authorized agent of a California consumer, we will ask you also submit reliable proof that you have been authorized in writing by the consumer to act on such consumer’s behalf.

We will make every effort to respond to your request within 45 days from when you contacted us. If you have a complex request, the CCPA allows us up to 90 days to respond. We will still contact you within 45 days from when you contacted us to let you know we need more time to respond.

In addition to the above rights, under California Civil Code Section 1798.83 (“Shine the Light”), California residents may have the right to request in writing from businesses with whom they have an established business relationship: (a) a list of the categories of personal information, as defined under Shine the Light, such as name, email address, and mailing address, and the type of services provided to the customer that a business has disclosed to third parties (including affiliates that are separate legal entities) during the immediately preceding calendar year for the third parties’ direct marketing purposes; and (b) the names and addresses of all such third parties. To request the above information, please contact us by email at privacy.kingsisle@gamigo.com.

Residents of Virginia, Connecticut, Utah and other states with applicable privacy laws (“States”) have certain rights with respect to their personal information.  These rights are established through the Virginia Consumer Data Protection Act (“VCDPA”), the Connecticut Data Privacy Act (“CTDPA”), the Utah Consumer Privacy Act (“UCPA”) and other applicable Laws (collectively, the “State Laws”). The rights available to residents of these States are explained below.

The categories of personal information we process, our purposes for processing your personal information, the categories of personal information that we share with third parties, and the categories of third parties with whom we share it are set forth in the details of our Privacy Policy above.

In addition to the rights set forth in our Privacy Policy, the State Laws provide you with the following rights, except where indicated otherwise below:

(a)         Right to know. You have the right to know whether we process your personal information and to access such personal information.

(b)         Right to data portability. You have the right to obtain a copy of your personal information that you previously provided to us or that we have obtained in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the data to another business without hindrance, where the processing is carried out by automated means. Subject to certain exceptions, you may request such personal information free of charge as permitted under State Laws.

(c)          Right to delete. Certain users have the right to delete personal information that you have provided to us or that we have obtained about you; requests from Utah residents cover only personal information that you have provided directly to us. Please note that we may deny requests to delete if the requested deletion falls under an exception as set forth the applicable State Laws. Additionally, if you request deletion of your personal information and we have obtained such information from a third-party source, we may retain such data by keeping a record of the deletion request and the minimum data necessary to ensure that your personal information remains deleted from our records and that such retained data is not used for any other purpose, or we may opt you out of the processing of such personal information for any purpose except for those allowed under the applicable State Laws.

(d)         Right to opt out. Certain users have the right to opt out of the processing of the personal information for purposes of: (i) targeted advertising; (ii) the sale of personal information; or (iii) profiling that produces legal or similarly significant effects concerning you. Utah residents may opt out of the processing for the purposes described in (i) and (ii) of this paragraph.

As of the latest date of the Privacy Policy:

• We do process personal information for the purposes of targeted advertising;

• We do sell your personal information in exchange for monetary consideration; and

• We do not engage in profiling decisions based on your personal information that produce legal or similarly significant effects concerning you.

If you wish to opt out of the processing of your personal information for any of the above purposes, and your state of residence provides for such opt-out right, please view our Privacy Center in the user profile settings menu of our Apps.

(e)         Right to correct. Certain users have the right to correct inaccuracies in your personal information, taking into account the nature of the personal information and the purposes for which we process it.

(f)           Right to nondiscrimination. You have the right not to receive discriminatory treatment by us for the exercise of your Virginia privacy rights. Unless permitted by applicable State Law, we will not:

• Deny you goods or services;

• Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;

• Provide you a different level or quality of goods or services; or

• Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

To exercise any of your State Law privacy rights, or if you have any questions about your privacy rights, you may contact us by:

• Visiting our Privacy Center in the user profile settings menu of our Apps.

After submitting a request, we will take steps to verify your identity in order for us to properly respond and/or confirm that your request is not fraudulent. We may contact you for additional information as reasonably necessary to authenticate your request, but if we are ultimately unable to authenticate your request using reasonably commercial efforts, then we may not be able to comply with it.

Only you may make a verifiable request related to your personal information. If you are making a request as the parent or legal guardian of a known child regarding the processing of that child’s personal information, we may ask you to submit reliable proof of your identity.

We will make every effort to respond to your request within 45 days from when you contacted us. If you have a complex request, the certain State Laws allow an extension of our time to respond. We will contact you within 45 days from when you contacted us to inform you of the need for additional time and the reason for such extension. We may charge you a reasonable fee to cover administrative costs if your requests are manifestly unfounded, excessive, or repetitive.

If we decline to take action on a request that you have submitted, we will inform you of our reasons for doing so. and, for Virginia and Connecticut residents, provide instructions for how to appeal the decision. Residents of those will have the right to appeal within a reasonable period of time after you have received our decision. Within the time provided by your State Law of our receipt of your appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If we deny your appeal, we will provide you with a method for contacting your state’s regulatory authority to submit a complaint.

Certain State Laws require companies to obtain a consumer’s affirmative consent before processing “Sensitive Data,” which may include, depending on the specific statute, information that reveals:

• Geolocation data

• Racial or ethnic origin

• Religious beliefs

• A mental or physical health condition or diagnosis

• Sex life or sexual orientation

• Citizenship or citizenship status

• Genetic data

• Biometric data

• Personal data regarding a known child

• Contents of email

• Social Security or other ID

We will not process any such Sensitive Data of certain state residents without first obtaining your consent if required by State Laws.

If you are a resident of Nevada, you have the right to opt out of the sale of certain personal information that we have collected (or may collect) from you to data brokers or other third parties. You can exercise this right via the Privacy Center linked in the user profile settings menu within our Apps.

We use the service Google reCAPTCHA provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"), to protect our website against spam and misuse and to ensure that interactions are made by natural persons (and not by bots).

As part of the use of reCAPTCHA, personal data may be processed, in particular IP address, browser and device information, user interactions (e.g. mouse movements, keystrokes), as well as technical information about the requesting device and the accessed website. Google processes this data on our behalf as a data processor within the meaning of Art. 28 GDPR. We have entered into a data processing agreement with Google.

The processing is carried out for the purpose of ensuring the security of our website and preventing automated abuse, which represents our legitimate interest (Art. 6(1)(f) GDPR). Where required, processing is additionally based on your consent pursuant to Art. 6(1)(a) GDPR in conjunction with applicable cookie laws.

In the context of using reCAPTCHA, personal data may be transferred to servers of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. An adequate level of data protection is ensured by appropriate safeguards, in particular the conclusion of Standard Contractual Clauses (Art. 46 GDPR).

You can control the execution of scripts such as reCAPTCHA via your browser settings or extensions. Please note that this may limit the functionality of our website.

You can find out more about reCAPTCHA on Google’s Developers page https://cloud.google.com/security/products/recaptcha. More general information on privacy at Google can be found under https://policies.google.com/.