Airflux, AB180 Inc.’s AI-powered mobile-game monetization platform, follows GDPR privacy-by-design principles and enforces robust security safeguards to protect personal data and uphold every user’s rights to transparency, access, and control.
Airflux places the highest regard for users’ rights to data privacy and control by collecting and processing only what is strictly required for attribution analysis. Our strict adherence to user data privacy is evident across all our engineering - empowering data subjects with their full gamut of rights ranging from data control, deletion, retention, transfer, and more.

‍

What is GDPR?

The GDPR (General Data Protection Regulation) is a regulation of the European Union (EU) on personal data protection, which came into full effect on May 25, 2018. It ensures the free movement of personal data within the EU member states and strengthens the data subject’s right to protect their personal data.

GDPR defines three key roles:

How these roles map to Airflux

• Data Subjects – Players of our clients’ games
  When players generate gameplay events or contextual information that the studio chooses to send to Airflux, those players are the data subjects and retain all rights granted under GDPR (access, erasure, portability, etc.).‍
• Controllers – Our clients (mobile-game studios)
  Game publishers integrate the Airflux SDK and inference APIs to optimise ad timing and rewards. They determine the purposes (“improve user experience and monetisation”) and the means (“collect gameplay events and context”) of processing and therefore act as data controllers.‍
• Processor – Airflux (AB180 Inc.)
  Airflux receives pseudonymised event data and contextual attributes solely to perform revenue-optimisation analytics and real-time ad-decisioning, strictly following the studio’s documented instructions. In this capacity Airflux operates as a data processor and implements appropriate technical and organisational safeguards to protect all personal data entrusted to it.

GDPR Compliance by Airflux

Data Security

In order to keep client data secure and meet the security requirements of the GDPR, Airflux has made the best effort to monitor and manage all kinds of tangible and intangible security threats at all times. We implement data security on various levels, including products, system infrastructure and network, data storage and transfer, access control, development, monitoring, business continuity and disaster recovery, internal and external audits, and physical and human resources security. For more information, check out Airflux’s Information Security.

‍

International Data Transfer

Airflux, headquartered in South Korea, with servers located in Japan (Tokyo Region), meets the requirements to securely and legally process data received from customers (controllers) based in the EU, holding a GDPR adequacy decision. This decision allows for the transfer of personal data to the specific country, as determined by the European Commission to have data protection standards equivalent to those of the EU, without the need for additional measures. For further details, please refer to the relevant GDPR provisions.

‍

Data Subject Request Management

Airflux guarantees most of the data subjects’ rights included in the GDPR. These rights are based on the basic principle that data subjects themselves should be able to control their data. Data subjects can either directly exercise rights to Airflux via electronic means such as Web UI (User Interface) listed at this link, or they can indirectly exercise rights through clients (Controller) affiliated with them. Clients can also send complaints to Airflux conveniently by using Web UI. Airflux, as a processor, guarantees the data subject the following rights.

1. The right to be informed: Individuals have the right to be informed of what kinds of data are collected and processed by which data controller and processor. This is as shown in the table below.
2. The right to erasure (also known as The right to be forgotten): Individuals have the right to have their personal data erased.
3. The right of access by the data subject: Individuals can access the personal data that they have provided.
4. The right to data portability: Individuals can transfer their personal data to other subjects.
5. The right to rectification: Individuals can rectify their personal data.
6. The right to restriction of processing: Individuals can make the data controller or data processor store provided personal data, but not process it.

‍

Data Protection by Design and Default

Airflux has designed and embodied data protection with the intention of keeping the data subject’s personal data secure and processing them and protecting the whole procedure ranging from collecting and processing data to providing data with respect to data security and personal data protection.

1. Personal data are collected with the consent of the data subject.
2. The transfer of any personal data either without the consent of the data subject or of children under 14 years old can be blocked beforehand by using an Opt-Out function of SDK.
3. Sensitive personal data are stored and processed after being encrypted and pseudonymized.
4. Collected personal data are never to be provided or sold to a third party.
5. In the process of collecting, processing, and providing data, any other subjects, including staffs at Airflux, who were not given the right, cannot access personal data.

Representative

The GDPR requires a written designation of a representative in the EU by the controller or processor not based in the EU. Contact information and address of AB180 Inc., a service provider of Airflux, in the EU are as follows:

GDPR-Rep.eu
Maetzler Rechtsanwalts GmbH & Co KG
Attorneys at Law
c/o AB180 Inc.
Schellinggasse 3/10, 1010 Vienna, Austria

Please add the following subject to all correspondence:
GDPR-REP ID: 12799064

‍

Information that Airflux guides to the data subject according to the right to be informed

Type of Information / Contents (Table)

• Identification and contact information of the controller and its representative (if applicable) and contact information of DPO
  • Data Controller: It may differ depending on clients.
  • Data Processor: AB180 Inc.
  • Contact Information: [email protected]
  • DPO: Jinkyung Hwang, [email protected]
• Purpose of processing the personal data
  • To analyse gameplay and monetisation events in order to optimize ad event, thereby improving both user experience and lifetime revenue.
• Legitimate benefits that the data controller or a third party may obtain
  • Controllers: obtain accurate, data-driven insights to optimise ad strategy and overall game revenue.
  • Processor: provide analytics and ad-decisioning services and receive fees for those services.
• Recipient of personal data and types of recipients
  • Recipient: AB180 Inc.
  • Types of Recipient: Data Processor
• Details transferred to third countries and the protection method
  • Transfer Item: Collected personal data
  • Transfer Countries: Republic of Korea, Japan
  • Protection Method: Online transfer via a security protocol (encryption)
• Period of retention or criteria applied to decide the period of retention
  • Criteria: The data processor, AB180 Inc., based in the Republic of Korea, can retain data for up to one year without a reason to retain the data, under the Personal Information Protection Act of Republic of Korea.
• Existence of each right owned by the data subject
  • The data subject owns <Right to be informed>, <Right to be forgotten>, <Right of access by the data subject>, <Right to rectification>, <Right to data portability>, and <Right to restriction of processing>. The data subject can either exercise each right directly by oneself and transfer it to the data processor (using email or Web UI) or make a request directly to the data processor using Web UI to exercise the right.
• The right to withdraw consent at any time
  • The right is exercised in a way that, after the data subject withdraws consent through the data controller, the data controller informs the data processor of the withdrawal by electronic means (after using an Opt-Out function of SDK, send request for data deletion using email or Web UI).
• The right to lodge a complaint with a supervisory authority
  • Every data subject has the right to lodge a complaint with a supervisory authority without prejudice to any other administrative or judicial remedy. In this case, the data subject can lodge a complaint with a supervisory authority in the member state of habitual residence, place of work or place of the alleged infringement.
• Whether the provision of personal data is a statutory or contractual requirement or obligation and the possible consequences of failure to provide such data
  • To analyze the effects of mobile Provision of personal data is not a statutory or contractual requirement or obligation. Without the data subject’s consent on provision of data, the data controller should stop providing data using an Opt-Out function which the data processor offers. Even if the data subject has already consented or the data have already been provided, the data subject can withdraw the consent. The data processor should not discriminate against the data subjects with respect to providing services even if the data subject does not provide personal data.application advertisements
• The existence of automated decisions, including profiling, as well as how such decisions are made, and their significance and the envisaged consequences
  • The data provided by the data subject undergo electronic data profiling to analyze the effects of advertisements. However, the data subject is not the target of automated decision-making herein. In particular, any legal or similarly significant effects are not produced.

The best practices for clients (the controllers) wishing to conform to the GDPR

The best practices listed below can help clients conform to the GDPR. Conforming to the GDPR can help you to build customer trust and minimize the risks of regulatory restrictions if you are operating services for citizens living in the EU.

1. Find out whether you (client) are subject to the GDPR.
2. If you are subject to mandatory designation of a DPO as set out by the GDPR, designate a DPO who will carry out duties according to the GDPR.
3. Find out what kind of data are collected from the data subject and in what way they are processed and stored. Identify and improve vulnerabilities that may lead to the leakage of political and technical data according to each step.
4. Figure out the rights that should be guaranteed for the data subject and implement a measures to accept the request of the data subject in a simple way.
5. Before collecting data from the data subject, obtain a consent on personal data collection using a ‘freely given, specific and clear, and yet unambiguous’ method. In addition, if personal data of children are to be collected, they should be processed after obtaining the consent of their legal guardian.
6. In case of exchanging personal data with a third controller or processor, conform to the method of personal data transfer to third countries or international organizations set out by the GDPR.
7. In case of an incident of personal data leakage, report immediately to the supervisory authority and inform the data subject of the incident. It is recommended to establish a measures for such incidents in advance.
8. According to the GDPR, any global corporations not based in the EU should designate a representative in the EU. Designate a representative who will communicate with the EU supervisory authority.
9. Use a 3rd party tool, such as Airflux, that conforms to the GDPR. You can conform to the GDPR more safely and conveniently.

Resources

To make a GDPR request to AB180 Inc.: https://gdpr-rep.eu/dsrtool/12799064

To know about GDPR: https://gdpr.eu

Airflux's Privacy Policy: https://ab180.notion.site/airflux-privacy-en

Airflux's Information Security Page: Information Security

Airflux's Terms of Service: https://ab180.notion.site/terms-of-service-en

‍