In addition to covering how we collect, use, disclose, transfer, and store your information, this policy also discloses our purpose and lawful basis for processing your information, and your related rights. Our legal basis for collecting and using personal information will depend on the personal information concerned and the specific context in which we collect it. In most cases, the lawful basis will be that the processing: (i) is necessary for our legitimate interests in carrying out our business with you, including direct marketing, provided those interests are not outweighed by your rights and interests, or (ii) is necessary to perform a contract with you. Where processing is based on your consent, we will identify the processing purposes and provide you with relevant information to make the processing fair and transparent. If you have consented to our use of information about you for a specific purpose, you have the right to change your mind at any time, but this will not affect any processing that has already taken place.
In this policy the following words have the following meanings:
“Data Protection Laws” means any Applicable Law relating to the processing, privacy, and use of Personal Data, including (a) in the United Kingdom, (i) the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2003/2426, and any laws or regulations implementing Directive 95/46/EC (Data Protection Directive) or Directive 2002/58/EC (ePrivacy Directive); and/or (ii) the General Data Protection Regulation (EU) 2016/679 (GDPR), and/or any corresponding or equivalent national laws or regulations (Revised UK DP Law) (b) in member states of the European Union, the Data Protection Directive or the GDPR, once applicable, and the ePrivacy Directive, and all relevant member state laws or regulations giving effect to or corresponding with any of them; and (c) any judicial or administrative interpretation of any of the above, any guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority; and
“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person and where referred to in this policy includes special categories of Personal Data.
Information We Collect From You
Depending on the context in which you interact with us, SLE may collect or receive the following information:
Account and Profile Information: When registering on our Web site, users must provide their email address, their age, and a username. Once registered, each user has the option, but is not required, to complete an account profile with any of the following additional information: first name, last name, street address, city, state/province/region of residence, and country of residence. Our Web site includes in-site communications tools (e.g., forums, comments, or chat); provided, however, any disclosure of personally identifiable information (“PII”) in a chat room, message board or other public forum, will result in the immediate removal of the PII and all parties associated with providing the PII. Additionally, at our in-person or in-theater events, we, our third-party partners, the media, and/or other SLE members may wish to take photos, videos, or audio recordings of those in attendance. When you use our Web site to purchase items or pay for attendance at events, we also require your billing information, such as a credit card number and billing address.
In addition, users may provide us with your content (“Content”). Please see the Terms of Service to understand what rights SLE has to your Content.
The Service will also permit you to publish or post your Content (e.g., on social media such as Facebook or Twitter). If you elect to share such information, it will be disclosed to your intended audience. The functionality of the application will make it clear when you are about to share information in this manner – and the audience it will be disclosed to. For example, a video you share generally to the community will be publicly accessible.
Service Information: When you use our Services, we receive information generated through the use of the Services, either entered by you or others who use the Services, or from the Services infrastructure itself. This information may include, but is not limited to, name, username, company/organization, company/organization address, email address, phone number, IP address, MAC address, latitude, longitude, device name(s), device ID(s), and directory ID or other information you place within the Services.
Performance and Usage Data: We may collect statistical, usage, configuration, and performance data of the Services to monitor the performance, integrity, and stability of the Services. Further, we may use and disclose this information for any purpose, provided that such data is first de-identified.
Payment Information: We use third party payment processors to process payments made to us. In connection with the processing of such payments, we do not retain any personally identifiable information or any financial information such as credit card numbers. Rather, all such information is provided directly to our third-party processors whose use of your personal information is governed by their privacy policies. The privacy policies of our current third-party processors may be viewed at:
Information from Third Parties: We receive information from third party business partners such as the contact details of prospects and sales leads. In addition, we collect information from public databases or other data you may have made publicly available, such as information posted on professional networks and social media platforms.
Location Information: Some of our applications collect general location information based on IP address. This information is used to customize the services provided to you, such as location-based information of specific managed devices. Location information is only viewable by the end user. We do not use, disclose, or sell location information for the purposes of providing targeted marketing or advertisements.
Information We Collect From Children
The Children's Online Privacy Protection Act of 1998 and its rules (collectively, "COPPA") require us to inform parents and legal guardians (as used in this policy, "parents") about our practices for collecting, using, and disclosing personal information from children under the age of 13 ("children"). COPPA and the GDPR also require us to obtain verifiable consent from a child's parent for certain collection, use, and disclosure of the child's personal information.
Parents of users under 13 years old:
In-Site Communications Tools:
Our Web site includes various in-site communications tools (e.g., forums, comments, or chat). Parents of children under 13 should note our in-site communications tools permit a child user to participate in chat rooms; provided, however, any disclosure of personally identifiable information in a chat room, message board or other public forum, will result in the immediate removal of the PII and all parties associated with providing the PII. Please be aware that anyone may read postings on certain in-site communications tools. SLE cannot guarantee the security of information that any user discloses or communicates online in public areas. Those who do so, do so at their own risk. We actively monitor the content of our in-site communications tools. If age inappropriate material or PII is posted, it will be removed immediately by us for security, privacy and/or legal reasons. We will not republish postings from our in-site communications tools elsewhere on the Web.
Use Of Collected Information
We will only use your Personal Data to the extent the law allows us to do so. Under the General Data Protection Regulation (GDPR), we rely on the following legal bases for processing your Personal Data:
where you have given us your consent;
where it is necessary to perform a contract we have entered into or are about to enter into with you; and
where it is necessary for the purposes of our legitimate interests (or those of a third party) and your interests or fundamental rights and freedoms do not override those interests.
We use information held about you in the following ways:
processing of an enquiry received from you; and
processing a request for further information or in response to you expressing an interest in one or more of our products or services.
We will use information you give to us:
to carry out our obligations arising from any contracts entered into between you and us and to provide you with the information, products and services that you request from us;
to provide you with information about other goods and services we offer that are similar to those that you have already purchased or enquired about;
to provide you, or permit other SLE companies to provide you, with information about goods or services related to your enquiry;
to notify you about changes to the Services; and
to ensure that content from our site is presented in the most effective manner for you and for your computer.
We will use information we collect about you:
to administer our site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
to improve our site to ensure that content is presented in the most effective manner for you and for your computer; and
as part of our efforts to keep our site safe and secure.
We may combine information we receive from other sources with information you give to us and information we collect about you. We will use this information and the combined information for the purposes set out above (depending on the types of information we receive).
SLE uses your Personal Information as follows:
To provide you with the features, functions, and benefits of the Services
To help us internally operate and maintain the Service (such as, for the purposes of fixing malfunctions, testing our security systems, etc.)
To enhance, improve and further develop the Services (such as, creating new features or functions, refining the user experience, increasing the technical performance of our products, etc.)
We will use your contact information to provide you with notices related to your use of the Services (such as account notifications and legal notices)
We will use your contact information (such as, your email address) to provide you with promotional and marketing emails. You can opt-out of receiving certain types of promotional and marketing emails – but in such case you may not receive the full benefit of the Services. Opting-out can be done by following the instructions set forth in the email (usually in the footer)
To help personalize the Services experience (e.g., remembering your information so you will not have to enter it each time you open the application on your mobile device)
And for the other purposes referenced herein
With your Consent (e.g., Social Sharing):
SLE may share your Content with third parties with your consent (for example, if you consent to us sharing certain information with an SLE community or posting to a third party account on your behalf, such as to your Facebook wall or Twitter feed). The functionality of the website and application will make it clear when you are about to share information in this manner – and the audience to which it will be disclosed.
Under California Civil Code Sections 1798.83-1798.84, California residents are entitled to (i) ask us for a notice identifying the categories of personal information which we share with our affiliates and/or third parties for marketing purposes, and providing contact information for such affiliates and/or third parties, (ii) the right to delete personal information collected from them, (iii) the right to opt-out of the sale of their personal information, and (iv) the right to non-discrimination for exercising their rights under the California Consumer Privacy Act. If you are a California resident and would like a copy of this notice, please submit a written request to: email@example.com or 2912 Colorado Ave., Suite 203, Santa Monica, CA 90404.
Residents of the EU, UK, Liechtenstein, Norway and Iceland
If you are a resident of the European Union (“EU”), United Kingdom, Liechtenstein, Norway, or Iceland, you may have additional rights under the EU General Data Protection Regulation (the “GDPR”) with respect to your Personal Data, as outlined below.
For this section, we use the terms “Personal Data” and “processing” as they are defined in the GDPR, but “Personal Data” generally means information that can be used to individually identify a person, and “processing” generally covers actions that can be performed in connection with data such as collection, use, storage, and disclosure. SLE will be the controller of your Personal Data processed in connection with the Services.
Third Party Advertising
SLE will not provide these third party advertisers with any access to your Personal Information without your consent or except as part of a specific program or feature for which you will have the ability to opt-in. However, please note that if an advertiser asks us to show an advertisement to a certain audience or audience segment and you respond to that advertisement, the advertiser or ad-server may conclude that you fit the description of the audience they were trying to reach. In addition, we may allow advertisers to choose the demographic information of users who will see their advertisements and/or promotional offers and you agree that we may provide any of the information we have collected from you in non-personally identifiable form to an advertiser, in order for that advertiser to select the appropriate audience for those advertisements and/or offers. For example, we might use the fact you are located in San Francisco to show you ads or offers for San Francisco businesses, but we will not tell such businesses who you are.
Third Party Data Measurement
Where We Store Your Personal Data
All information you provide to us is stored with a reputable 3rd party cloud service provider. Unfortunately, the transmission of information via the Internet is not completely secure. Although we will do our best to protect your Personal Data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorized access.
Retention Of Personal Data
We will only retain your Personal Data for as long as necessary to fulfill the purposes for which we collected your Personal Data. To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of that Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Your rights under GDPR. Under certain circumstances, you have the right to:
Request access to your Personal Data (commonly known as a “subject access request”). This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it.
Request correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
Request erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data in certain circumstances.
Object to processing of your Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
Request the restriction of processing of your Personal Data. This enables you to ask us to suspend the processing of Personal Data about you, for example if you want us to establish its accuracy or the reason for processing it.
Request the transfer of your Personal Data to another party.
If you want to review, verify, correct, or request erasure of your Personal Data, object to the processing of your Personal Data, or request that we transfer a copy of your Personal Data to another party, please contact us as indicated in the Contact section of this Policy. Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers, and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any Personal Data to these websites. To exercise any of the above rights, you can contact SLE using the information in Section 14 below. You may also have the right to make a GDPR complaint to the relevant Supervisory Authority. A list of Supervisory Authorities is available here:
Commitment to Comply with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF
Non-EU/Non-United Kingdom/Non-Switzerland Individuals
Agreement To Arbitrate
Class Action Waiver
ARBITRATION MUST BE ON AN INDIVIDUAL BASIS. THIS MEANS NEITHER YOU NOR SLE MAY JOIN OR CONSOLIDATE CLAIMS IN ARBITRATION BY OR AGAINST OTHER INTERESTED PARTIES OR LITIGATE IN COURT OR ARBITRATE ANY CLAIMS AS A REPRESENTATIVE OR MEMBER OF A CLASS OR IN A PRIVATE ATTORNEY GENERAL CAPACITY.
Governing Law And Rules For Arbitration
The Arbitration Agreement is governed by the Federal Arbitration Act (FAA). Arbitration must proceed only with the American Arbitration Association (AAA) or Judicial Arbitration and Mediation Services (JAMS). The rules for the arbitration will be the procedures of the chosen arbitration organization. If the organization’s procedures change after the claim is filed, the procedures in effect when the claim was filed will apply. Arbitration hearings will take place in Los Angeles, California. A single arbitrator will be appointed. The arbitrator must:
Follow all applicable substantive law, except when contradicted by the FAA;
Follow applicable statutes of limitations;
Honor valid claims of privilege; and
Issue a written decision including the reasons for the award.
The arbitrator’s decision will be final and binding except for any review allowed by the FAA. However, if more than $100,000 was genuinely in dispute, then either you or SLE may choose to appeal to a new panel of three arbitrators. The appellate panel is completely free to accept or reject the entire original award or any part of it. The appeal must be filed with the arbitration organization not later than 30 days after the original award issues. The appealing party pays all appellate costs unless the appellate panel determines otherwise as part of its award. Any arbitration award may be enforced (such as through a judgment) in any court with jurisdiction.
Financial Transaction Prohibitions
SLE offerings and marketplaces expressly prohibit all illegal activities including, but not limited to, money laundering, terrorism financing, financial crimes, fraud, etc. SLE operations are conducted in compliance with all applicable financial recordkeeping and reporting requirements, including those of the Bank Secrecy Act, as amended by Title III of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act), and the applicable anti-money laundering statutes of the United States where the company conducts its business, including the rules and regulations thereunder and any related or similar rules, regulations or guidelines, issued, administered or enforced by any US governmental agency.
Information We Share
When you use our site, we share information that we collect from you, such as your email (in hashed form), IP address or information about your browser or operating system, with our identity partners/service providers, including LiveRamp Inc. LiveRamp returns an online identification code that we may store in our first-party cookie for our use in online, in-app, and cross-channel advertising and it may be shared with advertising companies to enable interest-based and targeted advertising. To opt out of this use, please click here.
Super League Enterprise, Inc.
Attn: Data Protection Officer
2912 Colorado Ave. Suite 203
Santa Monica, CA 90404
Last Updated: September 20, 2023
Exhibit A - Standard Contract Clauses
For the purposes of the clauses:
personal data, special categories of data/sensitive data, process/processing, controller, processor, data subject and supervisory authority/authority shall have the same meaning as in Directive 95/46/EC of 24 October 1995 (whereby the authority shall mean the competent data protection authority in the territory in which the data exporter is established);
the data exporter shall mean the controller who transfers the personal data;
the data importer shall mean the controller who agrees to receive from the data exporter personal data for further processing in accordance with the terms of these clauses and who is not subject to a third country's system ensuring adequate protection;
clauses shall mean these contractual clauses, which are a free-standing document that does not incorporate commercial business terms established by the parties under separate commercial arrangements.
The details of the transfer (as well as the personal data covered) are specified in Annex B, which forms an integral part of the clauses.
Obligations of the data exporter
The data exporter warrants and undertakes that:
The personal data have been collected, processed, and transferred in accordance with the laws applicable to the data exporter.
It has used reasonable efforts to determine that the data importer is able to satisfy its legal obligations under these clauses.
It will provide the data importer, when so requested, with copies of relevant data protection laws or references to them (where relevant, and not including legal advice) of the country in which the data exporter is established.
It will respond to enquiries from data subjects and the authority concerning processing of the personal data by the data importer, unless the parties have agreed that the data importer will so respond, in which case the data exporter will still respond to the extent reasonably possible and with the information reasonably available to it if the data importer is unwilling or unable to respond. Responses will be made within a reasonable time.
It will make available, upon request, a copy of the clauses to data subjects who are third party beneficiaries under clause 3, unless the clauses contain confidential information, in which case it may remove such information. Where information is removed, the data exporter shall inform data subjects in writing of the reason for removal and of their right to draw the removal to the attention of the authority. However, the data exporter shall abide by a decision of the authority regarding access to the full text of the clauses by data subjects, as long as data subjects have agreed to respect the confidentiality of the confidential information removed. The data exporter shall also provide a copy of the clauses to the authority where required.
Obligations of the data importer
The data importer warrants and undertakes that:
It will have in place appropriate technical and organisational measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected.
It will have in place procedures so that any third party it authorises to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the data importer, including a data processor, shall be obligated to process the personal data only on instructions from the data importer. This provision does not apply to persons authorised or required by law or regulation to have access to the personal data.
It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter (which will pass such notification on to the authority where required) if it becomes aware of any such laws.
It will process the personal data for purposes described in Annex B, and has the legal authority to give the warranties and fulfil the undertakings set out in these clauses.
It will identify to the data exporter a contact point within its organisation authorised to respond to enquiries concerning processing of the personal data, and will cooperate in good faith with the data exporter, the data subject and the authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporter, or if the parties have so agreed, the data importer will assume responsibility for compliance with the provisions of clause 1(e).
At the request of the data exporter, it will provide the data exporter with evidence of financial resources sufficient to fulfil its responsibilities under clause 3 (which may include insurance coverage).
Upon reasonable request of the data exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the data exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter and not reasonably objected to by the data importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importer, which consent or approval the data importer will attempt to obtain in a timely fashion.
It will process the personal data, at its option, in accordance with:
the data protection laws of the country in which the data exporter is established, or
the relevant provisions of any Commission decision pursuant to Article 25(6) of Directive 95/46/EC, where the data importer complies with the relevant provisions of such an authorisation or decision and is based in a country to which such an authorisation or decision pertains, but is not covered by such authorisation or decision for the purposes of the transfer(s) of the personal data, or
the data processing principles set forth in Annex A.
It will not disclose or transfer the personal data to a third-party data controller located outside the European Economic Area (EEA) unless it notifies the data exporter about the transfer and
the third-party data controller processes the personal data in accordance with a Commission decision finding that a third country provides adequate protection, or
the third-party data controller becomes a signatory to these clauses or another data transfer agreement approved by a competent authority in the EU, or
data subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards, or
with regard to onward transfers of sensitive data, data subjects have given their unambiguous consent to the onward transfer
Liability and third-party rights
Each party shall be liable to the other parties for damages it causes by any breach of these clauses. Liability as between the parties is limited to actual damage suffered. Punitive damages (i.e. damages intended to punish a party for its outrageous conduct) are specifically excluded. Each party shall be liable to data subjects for damages it causes by any breach of third-party rights under these clauses. This does not affect the liability of the data exporter under its data protection law.
The parties agree that a data subject shall have the right to enforce as a third party beneficiary this clause and clause 1(b), clause 1(d), clause 1(e), clause 2(a), clause 2(c), clause 2(d), clause 2(e), clause 2(h), clause 2(i), clause 3(a), clause 5, clause 6(d) and clause 7 against the data importer or the data exporter, for their respective breach of their contractual obligations, with regard to his personal data, and accept jurisdiction for this purpose in the data exporter's country of establishment. In cases involving allegations of breach by the data importer, the data subject must first request the data exporter to take appropriate action to enforce his rights against the data importer; if the data exporter does not take such action within a reasonable period (which under normal circumstances would be one month), the data subject may then enforce his rights against the data importer directly. A data subject is entitled to proceed directly against a data exporter that has failed to use reasonable efforts to determine that the data importer is able to satisfy its legal obligations under these clauses (the data exporter shall have the burden to prove that it took reasonable efforts).
Law applicable to the clauses
These clauses shall be governed by the law of the country in which the data exporter is established, with the exception of the laws and regulations relating to processing of the personal data by the data importer under clause 2(h) which shall apply only if so selected by the data importer under that clause.
Resolution of disputes with data subjects or the authority
In the event of a dispute or claim brought by a data subject or the authority concerning the processing of the personal data against either or both of the parties, the parties will inform each other about any such disputes or claims, and will cooperate with a view to settling them amicably in a timely fashion.
The parties agree to respond to any generally available non-binding mediation procedure initiated by a data subject or by the authority. If they do participate in the proceedings, the parties may elect to do so remotely (such as by telephone or other electronic means). The parties also agree to consider participating in any other arbitration, mediation or other dispute resolution proceedings developed for data protection disputes.
Each party shall abide by a decision of a competent court of the data exporter's country of establishment or of the authority which is final and against which no further appeal is possible.
In the event that the data importer is in breach of its obligations under these clauses, then the data exporter may temporarily suspend the transfer of personal data to the data importer until the breach is repaired or the contract is terminated.
In the event that:
the transfer of personal data to the data importer has been temporarily suspended by the data exporter for longer than one month pursuant to clause 6(a);
compliance by the data importer with these clauses would put it in breach of its legal or regulatory obligations in the country of import;
the data importer is in substantial or persistent breach of any warranties or undertakings given by it under these clauses;
a final decision against which no further appeal is possible of a competent court of the data exporter's country of establishment or of the authority rules that there has been a breach of the clauses by the data importer or the data exporter; or
a petition is presented for the administration or winding up of the data importer, whether in its personal or business capacity, which petition is not dismissed within the applicable period for such dismissal under applicable law; a winding up order is made; a receiver is appointed over any of its assets; a trustee in bankruptcy is appointed, if the data importer is an individual; a company voluntary arrangement is commenced by it; or any equivalent event in any jurisdiction occurs
then the data exporter, without prejudice to any other rights which it may have against the data importer, shall be entitled to terminate these clauses, in which case the authority shall be informed where required. In cases covered by clause 6(b)(i), clause 6(b)(ii), or clause 6(b)(iv) above the data importer may also terminate these clauses.
Either party may terminate these clauses if
any Commission positive adequacy decision under Article 25(6) of Directive 95/46/EC (or any superseding text) is issued in relation to the country (or a sector thereof) to which the data is transferred and processed by the data importer, or
Directive 95/46/EC (or any superseding text) becomes directly applicable in such country.
The parties agree that the termination of these clauses at any time, in any circumstances and for whatever reason (except for termination under clause 6(c)) does not exempt them from the obligations and/or conditions under the clauses as regards the processing of the personal data transferred.
Variation of these clauses
The parties may not modify these clauses except to update any information in Annex B, in which case they will inform the authority where required. This does not preclude the parties from adding additional commercial clauses where required.
Description of the transfer
The details of the transfer and of the personal data are specified in Annex B. The parties agree that Annex B may contain confidential business information which they will not disclose to third parties, except as required by law or in response to a competent regulatory or government agency, or as required under clause 1(e). The parties may execute additional annexes to cover additional transfers, which will be submitted to the authority where required. Annex B may, in the alternative, be drafted to cover multiple transfers.
Annex A - Data Processing Principles
Purpose limitation: Personal data may be processed and subsequently used or further communicated only for purposes described herein or subsequently authorized by the data subject.
Data quality and proportionality: Personal data must be accurate and, where necessary, kept up to date. The personal data must be adequate, relevant, and not excessive in relation to the purposes for which they are transferred and further processed.
Transparency: Data subjects must be provided with information necessary to ensure fair processing (such as information about the purposes of processing and about the transfer) unless such information has already been given by the data exporter.
Security and confidentiality: Technical and organizational security measures must be taken by the data controller that are appropriate to the risks, such as against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, presented by the processing. Any person acting under the authority of the data controller, including a processor, must not process the data except on instructions from the data controller.
Rights of access, rectification, deletion, and objection: As provided in Article 12 of Directive 95/46/EC, data subjects must, whether directly or via a third party, be provided with the personal information about them that an organization holds, except for requests which are manifestly abusive, based on unreasonable intervals or their number or repetitive or systematic nature, or for which access need not be granted under the law of the country of the data exporter. Provided that the authority has given its prior approval, access need also not be granted when doing so would be likely to seriously harm the interests of the data importer or other organizations dealing with the data importer and such interests are not overridden by the interests for fundamental rights and freedoms of the data subject. The sources of the personal data need not be identified when this is not possible by reasonable efforts, or where the rights of persons other than the individual would be violated. Data subjects must be able to have the personal information about them rectified, amended, or deleted where it is inaccurate or processed against these principles. If there are compelling grounds to doubt the legitimacy of the request, the organization may require further justifications before proceeding to rectification, amendment, or deletion. Notification of any rectification, amendment, or deletion to third parties to whom the data have been disclosed need not be made when this involves a disproportionate effort. A data subject must also be able to object to the processing of the personal data relating to him if there are compelling legitimate grounds relating to his particular situation. The burden of proof for any refusal rests on the data importer, and the data subject may always challenge a refusal before the authority.
Sensitive data: The data importer shall take such additional measures (e.g., relating to security) as are necessary to protect such sensitive data in accordance with its obligations under this Annex A.
Data used for marketing purposes: Where data are processed for the purposes of direct marketing, effective procedures should exist allowing the data subject at any time to "opt-out" from having his data used for such purposes.
Automated decisions: For purposes hereof "automated decision" shall mean a decision by the data exporter or the data importer which produces legal effects concerning a data subject or significantly affects a data subject and which is based solely on automated processing of personal data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc. The data importer shall not make any automated decisions concerning data subjects, except when:
such decisions are made by the data importer in entering into or performing a contract with the data subject, and
the data subject is given an opportunity to discuss the results of a relevant automated decision with a representative of the parties making such decision or otherwise to make representations to those parties; or
where otherwise provided by the law of the data exporter.
Last Updated: October 23, 2021
Annex B - Transfer Impact Assessment
SUPER LEAGUE ENTERPRISE, INC.
TRANSFER IMPACT ASSESSMENT
DATA FLOW/TRANSFER MAP
Super League Enterprise has identified the following data flow and transfer tools for its properties:
API Requests. All client API requests originating from the EU are routed to our AWS Servers located in Oregon, which capture client IP addresses of all incoming API traffic. IP addresses are logged locally on each server but are also persisted onto Amplitude (third-party analytics platform) and our ELK stack (Elasticsearch - Logstash - Kibana, used for event logging/metrics, hosted on our AWS account). If authentication is involved, a social platform OAuth consent application is invoked (hosted on our AWS account), which in turn captures social platform user-related data, including social platform usernames, profile links, profile photos, email addresses, and reach metrics (follower/subscriber count). The social platform user data is then persisted onto MySQL instances (hosted on our AWS account) and a MongoDB cluster (managed by MongoDB Atlas, a third-party).
Live Video Streaming. Live video streaming data from clients in the form of the RTMP protocol is captured on AWS Servers located closest to the user; anyone from the EU will be streaming to Frankfurt, Germany. IP addresses are logged locally on each streaming server but are also persisted onto our ELK stack (Elasticsearch - Logstash - Kibana, used for event logging/metrics, hosted on our AWS account in Oregon). RTMP video data is redirected to social platforms as specified by the user, as well as converted to another video format called HLS, which is then served globally to all direct viewing users via AWS CloudFront CDN.
Tools to Identify EU Traffic. Currently, we rely on Amplitude (third-party analytics platform) and our ELK stack to do Geo IP lookups to identify EU traffic.
Attached as Exhibit A is a diagram showing the data flow for the Mobcrush property.
Minehut/Super League Enterprise
Web Requests. Our properties sit behind content delivery networks (CDNs) such as the Amazon Web Services (AWS) CloudFront service, which has a global presence. CDNs use multiple ways of determining where a request comes from in order to fulfill the request while minimizing latency, but this is not foolproof. For instance, if the user’s network is not optimally routed, then the network traffic could land outside Europe at the nearest CDN edge location. In more deliberate cases, a European-based user may use a VPN or other such “exit node” to pretend to be coming from someplace else on the planet; the CDN would not be able to know the user’s true origin and would serve traffic from whatever CDN edge location is closest, network-wise, to the exit node. European requests likely hit a local EU-based CloudFront location, which then serves cached content directly from that location or requests un-cached content direct from our origins located within various cloud services hosted in the US. All these requests use standard Internet protocols.
LOCAL LAW ASSESSMENT
The United States has not adopted an all-encompassing data protection law, like the European Union’s General Data Protection Regulation (GDPR), which means that the GDPR does not have an American equivalent. Instead, the US’s data protection landscape is comprised of a patchwork of federal and state laws and regulations. Federal data protection includes the Federal Trade Commission (“FTC”) data security standards and sector-specific laws, like financial services and healthcare. All 50 states and several territories have enacted data breach notification laws that apply when personal information is lost or accessed by unauthorized parties.
Super League Enterprise has conducted a gap analysis, which is attached as Exhibit B to this Transfer Impact Assessment, of the U.S. data privacy laws that apply to its business to determine where these laws diverge from the GDPR.
VENDOR PROCUREMENT PROCESS
Super League Enterprise has adopted the following vendor management process that consists of:
a) Pre-engagement due diligence;
b) Development and implementation of standard contract terms that support Super League Enterprise’s privacy and information security programs; and
c) Select vendor oversight and contract enforcement.
Pre-Engagement Due Diligence
Pre-engagement due diligence is intended to determine whether vendors have reasonable privacy and information security programs and practices in place before any personal data is shared with the vendor. Effective due diligence requires collaboration between Super League Enterprise and the vendor to:
Identify any services to be performed by the vendor that require access to Super League Enterprise’s systems or data, including personal information collection, based on the proposed scope of work;
Explore options to lower risks by minimizing the vendor’s proposed access to and use of sensitive data or systems while still meeting business requirements; and
Examine the vendor’s policies, procedures, internal controls, and training materials to assess the vendor’s capabilities to:
recognize and manage changing data security risks;
conduct appropriate employee training and oversight, including any applicable subcontractors;
meet the organization’s privacy and information security policies; and
comply with any applicable laws, regulations, and industry standards.
Super League Enterprise also reviews the vendor’s privacy and data security history, including any regulatory enforcement actions, litigation, or prior security incidents, such as data breaches.
Standard Contract Terms
Super League Enterprise has developed and imposes standard privacy and data security contract terms to ensure that vendors protect Super League Enterprise’s data and systems in a manner that:
Meets or exceeds Super League Enterprise’s own practices;
Adheres to Super League Enterprise’s policies and procedures; and
Complies with applicable laws, regulations, and industry standards.
Oversight and Enforcement
Super League Enterprise engages in regular vendor oversight to:
Monitor vendor performance;
Ensure vendors meet or exceed contract terms;
Identify risks or potential issues early, before problems arise that may affect privacy or data security; and
Protect Super League Enterprise when business relationships end, for example, to ensure data is returned or reasonably destroyed.
Super League Enterprise’s oversight may consist of:
Onsite visits and testing conducted directly by the organization or its representatives;
Vendor self-assessments; and
Third-party audits, assessments, and certifications.
RE-EVALUATION PROCESS OF TRANSFER TOOLS
Super League reviews its privacy protocols on a regular basis to ensure they are in compliance with domestic and international rules and laws.
Super League reviews its internal processes on a regular basis to ensure we are protecting our customers’ privacy using best practices.
Super League last reviewed its data transfer flow and processes on October 23, 2021.
Exhibit A - Data Flow Diagram
All client API requests originating from the EU are routed to our AWS Servers located in Oregon, which capture client IP addresses of all incoming API traffic. IP addresses are logged locally on each server but are also persisted onto Amplitude (third-party analytics platform) and our ELK stack (Elasticsearch - Logstash - Kibana, used for event logging/metrics, hosted on our AWS account). If authentication is involved, a social platform OAuth consent application is invoked (hosted on our AWS account), which in turn captures social platform user-related data, including social platform usernames, profile links, profile photos, email addresses, and reach metrics (follower/subscriber count). The social platform user data is then persisted onto MySQL instances (hosted on our AWS account) and a MongoDB cluster (managed by MongoDB Atlas, a third-party).
Live Video Streaming
Live video streaming data from clients in the form of the RTMP protocol is captured on AWS Servers located closest to the user. EU users are streamed to Frankfurt, Germany. IP addresses are logged locally on each streaming server but are also persisted onto our ELK stack (Elasticsearch - Logstash - Kibana, used for event logging/metrics, hosted on our AWS account in Oregon). RTMP video data is redirected to social platforms as specified by the user, as well as converted to HLS video format, which is then served globally to all direct viewing users via AWS CloudFront CDN. The CloudFront service has a global presence. European requests hit a local EU-based CloudFront location, which then serves cached content directly from that location or requests un-cached content direct from our origins located within various cloud services hosted in the US. All these requests use standard Internet protocols.
Tools to Identify EU Traffic
We rely on Amplitude (third-party analytics platform) and our ELK stack for Geo IP lookups to identify EU traffic.
Super League last reviewed its data flow diagrams on 11/22/2021.