Program Terms and Conditions
Last updated: June 14, 2023
1. Campaign
General Terms. Campaign General Terms. For each Campaign, Publisher may access metrics (i.e., click URLS or view URLs for iOS, Android, Web and Desktop platforms) in Attribution Measurement Partner (including Mobile Measurement Partner and Web/Desktop Attribution Partner). Campaigns may be monitored by Scopely and Publisher pursuant to the standard settings in MMP, as confirmed by Scopely tools, including, but not limited to twenty-four (24) hour device fingerprinting and twenty-four (24) hour device attribution on install. Unless Publisher provides Scopely with its applicable URL prior to the Start Date, Scopely will use the Publisher’s MMP integrated click URL format. Should Publisher’s Campaign click URL or view URL involve sub-publishers and/or sub-site ID, Publisher shall pass sub-publisher or sub-site ID through each click URL or view URL to Scopely, when applicable. For the avoidance of doubt, all Campaigns shall be click URLS unless designated by Scopely as view through attribution in the IO. Provided that Publisher has the capability to identify users who have previously installed an application prior to the Start Date (“negative target” installs), Scopely may postback (i.e. the transmission of data back to the same sub-page by means of HTTP-Post) and notify the Publisher of the negative target installs related to that application, in addition to install(s), if any, solely attributed to Publisher. This Section 1 shall survive any termination and/or expiration of the IO.
2. Publisher
Attribution; Payment Terms.
(a) Publisher
Attribution. For CPI Campaigns, as designated by Scopely and Publisher in the Campaign Type section of the IO, Scopely will attribute an acquisition to Publisher only if a user: (a) clicks on the click URL or view URL, (b) downloads the application, and c) subsequently opens the application within the agreed attribution window according to the MMP standard last-click attribution window (“Cost per Install or “CPI”), and Scopely shall only be obligated to pay for such installs if Publisher shares a specific placement (actual app name, bundle id, or website) where Scopely’s ad is served – either directly via the tracking provider under the site-id parameter, or if not possible, via a shared document (e.g., Google Doc) with transparent site identification detail. For CPE Campaigns, as designated by Scopely and Publisher in the Campaign Type section of the IO, Scopely will attribute an acquisition to Publisher only if a user: (a) clicks on the click URL or view URL, and (b) completes a specific in-game action or event as designated by Scopely (“Cost per Event” or “CPE”). For the avoidance of doubt, the calculation of CPIs and CPEs may not apply to installs that are attributable to incentivized offer walls or rebrokered beyond the agreed-upon placement/inventory as specified in the Campaign details.
(b) Payment
Terms. Subject to the terms and conditions of the IO, Scopely shall pay Publisher according to the monthly settlement cycle times provided by and made available to Publisher, in MMP. For the avoidance of doubt, Scopely will not pay invoices based on Publisher counts outside of MMP unless approved in advance in writing by Scopely. Payment terms for Campaigns are net 45 days from receipt of an acceptable invoice unless indicated otherwise on the IO.
3.
Ad Creative.
Scopely develops a wide range of ad copy and creatives in multiple formats, sizes & languages for use in connection with the Campaigns (“Ad Creative”), which Scopely may provide to Publisher from time-to-time. Subject to prior written approval from Scopely and to the extent raw assets are made available to Publisher, Publisher may use the raw assets to develop their own creative assets, and Scopely encourages Publisher to assist in creative development. However, in all instances, Publisher will abide by industry standards. Upon prior written approval from Scopely, Publisher may assist Scopely in the creative development process of Ad Creative (e.g., animated gifs and rich media content). Scopely authorizes Publisher to use Ad Creative solely for its intended purpose as designated by Scopely in writing. As between the parties, all Ad Creative, including all intellectual property rights contained therein, is owned by Scopely. For the avoidance of doubt, other than Ad Creative, no other creative assets may be used to promote Scopely apps without Scopely’s prior written approval.
4.
Data. To the extent Publisher accesses data relating to end users of Scopely apps and/or websites, Publisher will only access, collect, and/or use such user data (through its designated URL, MMP URL, or otherwise) for the sole purpose of the applicable Campaign, and at all times pursuant to the IO. Any activity not expressly permitted pursuant to the immediately preceding sentence is not authorized by Scopely and shall be strictly prohibited. With respect to user data that is “personal data” or “personal information” (as such terms are defined under applicable laws), Publisher further agrees to adhere to the terms of the Scopely Data Processing Addendum located below and incorporated herein by reference.
5. Publisher
Restrictions. Publisher shall not: (a) re-broker a Campaign, (b) offer a Campaign to Scopely’s existing “Direct Partners” identified on the Site, (c) leverage any “Prohibited Networks” identified on the Site, and/or (d) promote a Campaign using any advertising or related asset that creates a permanent or semi-permanent link on a user’s device, as determined by Scopely in its sole discretion (“Restricted Activities”). If Publisher conducts or engages in Restricted Activities related to a Campaign, then: (i) Scopely may pause that Campaign, at any time, in its sole discretion, and (ii) without limiting Scopely’s other rights, Scopely is under no obligation to pay Publisher for such Campaign attributions and Publisher may not recognize the attributable acquisition. “Restricted Activities” also include the following, in addition to the above restrictions in this Section 5:
·
Surfacing traffic from Facebook and/or other social media;
·
Search engine
marketing;
·
Incentivized traffic (unless approved in writing by Scopely);
·
Push
notifications;
·
App discovery
platforms;
·
Auto-redirects
(i.e. a link or image that is displayed to users as an ad, but redirects users
to the app store page);
·
Pop traffic (i.e.
pop under the window in mobile web);
·
Use of bots, spyware, phishing, or other malicious tactics
·
Promotion of apps
or websites whose content is of an adult or explicit nature;
·
Promotion of
content/sites specifically directed at individuals under the age of 18;
·
Promotion of apps
or websites whose content is drug or alcohol related; &
·
Individual icons,
icon placement and/or bookmarking.
This Scopely Data Processing Addendum (“DPA”) is entered into by the Publisher (“Provider”) identified on the applicable Insertion Order for services (“Insertion Order”) and Scopely, Inc., together with its affiliates and subsidiaries (“Scopely”), and is made effective as of the date such Insertion Order is fully executed. This DPA is incorporated into the relevant Insertion Order and collectively, the Insertion Order (including any exhibits or amendments thereto), and the DPA (including the Module Two SCCs, as defined below), are referred to in this DPA as the “Agreement.” If there is a conflict between any of the terms of the Agreement, the relevant provisions of the following documents shall prevail, in order of precedence: (i) the Module Two SCCs; (ii) this DPA; and (iii) the Insertion Order.
Provider acknowledges the sensitive nature of information that relates, directly or indirectly, to an identified or identifiable person, including without limitation, names, email addresses, postal addresses, identification numbers, location data, unique identifiers, device identifiers, online identifiers or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity as well as any other information that may otherwise be considered “personal data” or “personal information” under Data Protection Laws (“Personal Data”). “Data Protection Laws” means all applicable data protection laws, rules, regulations, and guidelines, including, without limitation, the General Data Protection Regulation (EU) 2016/679 (“EU GDPR”), the UK General Data Protection Regulation (“UK GDPR”), and the California Consumer Privacy Act, including its implementing regulations (“CCPA”), any amendments thereto, and successor laws, rules, regulations, or guidelines. The EU GDPR and UK GDPR shall be referred to in this DPA, collectively, as the “GDPR.”
Provider agrees to the following with regard to Personal Data it processes on behalf of Scopely:
1. Processing of Personal Data.
1.1 Roles of the Parties. Where the GDPR is applicable, Scopely is a “controller” and Provider is a “processor,” as such terms are set forth in the GDPR. Where the CCPA is applicable, Scopely is a “business” and Provider is a “service provider,” as such terms are set forth in the CCPA.
1.2 Purpose of the Processing. Scopely is disclosing the Personal Data to Provider solely for the following limited purpose (the “Business Purpose”) in the course of providing its services under the Agreement (“Services”): to facilitate advertising of Scopely’s products on third-party apps and websites and to provide attribution and measurement in connection with such advertising.
1.3 Other Details of the Processing. The other details of the processing, including the types of Personal Data, the categories of data subjects, and the duration of the processing are further specified in the Agreement.
1.4 Provider’s Obligations.
1.4.1 Provider will process only such Personal Data as is necessary for the Business Purpose and will do so in accordance with Scopely’s documented instructions. Provider will immediately inform Scopely in writing if, in its opinion, an instruction infringes Data Protection Laws.
1.4.2 Provider will maintain the accuracy and integrity of Personal Data in its possession, custody, or control.
1.4.3 Provider will limit disclosure of and access to Personal Data to only those personnel with a business need to access the data for purposes of performing the Services and who are subject to a duty of confidentiality (whether statutory or contractual).
1.4.4 Provider grants Scopely the right to take reasonable and appropriate steps to: (i) ensure that Provider uses the Personal Data in a manner consistent with Scopely’s obligations under Data Protection Laws, including by conducting reasonable audits and inspections; and (ii) stop and remediate Provider’s unauthorized use of Personal Data. Such steps may include, at Scopely’s discretion, regular internal or third-party assessments, audits, or other technical and operational testing at least once every twelve (12) months, or written documentation that Provider has complied with any of its obligations under this DPA.
1.4.5 Provider will not “sell” or “share” any Personal Data it collects pursuant to the Agreement. The terms “sell” and “share” have the meanings set forth in the CCPA.
1.4.6 Provider will not retain, use, or disclose the Personal Data it collects pursuant to the Agreement for any purpose, commercial or otherwise, other than the Business Purpose, unless expressly permitted by the CCPA. Furthermore, Provider will not retain, use, or disclose such Personal Data outside the direct business relationship between Scopely and Provider, unless expressly permitted by the CCPA.
1.4.7 Without limiting the foregoing, Provider will not: license, distribute, make available, or otherwise disclose any Personal Data collected hereunder to any third party; merge or combine Personal Data with any other data set; use any Personal Data to develop profiles of Scopely’s users or to retarget or contact Scopely’s users on the websites or applications of Provider or any third party; or otherwise use the Personal Data for the benefit of Provider or any third party (in each instance, other than as expressly permitted by the CCPA and authorized by Scopely).
1.4.8 Provider certifies that it understands the restrictions set forth in this Section 1.4 and will comply with them.
2. Compliance with Law. Provider represents and warrants that it complies and will comply during the Term with all applicable Data Protection Laws, including, without limitation, providing the same level of privacy protection for the Personal Data as required of Scopely under such laws. Provider also represents and warrants that it will comply with all rules and requirements of any third party platform through which Provider may gain access to Personal Data (e.g., Apple, Google, Meta). Provider will maintain policies and procedures designed to ensure that it processes Personal Data in a manner consistent with any notice provided to the individual data subject or, where consent is required, consistent with the data subject’s consent. Provider will assist Scopely in complying with all applicable Data Protection Laws, including, without limitation: (a) complying with any obligations in responding to individuals who exercise their privacy rights under Data Protection Laws with respect to the processing of their Personal Data, including rights to notice, choice, access, deletion, rectification, objection, restriction, data portability and privacy-related complaint resolution; (b) complying with such data protection impact assessments or consultations with data protection authorities as may be required by Data Protection Laws; and (c) making available to Scopely all information necessary to demonstrate Provider’s compliance with its obligations under Data Protection Laws and this DPA. Provider will notify Scopely promptly in writing if it determines that it can no longer meet its obligations under any Data Protection Laws.
3. Security. Provider has implemented and will maintain as appropriate: (i) a comprehensive, written information security program in compliance with applicable law; and (ii) appropriate legal, technical, and organizational measures (including those described in this DPA and as may be required under Data Protection Laws) to protect Personal Data from any accidental or unlawful destruction, any loss, alteration, or unauthorized disclosure, use, or access, and from any breach or attempted breach of Provider’s security measures (“Information Security Incident”), keeping in mind the nature of the information. Periodically during the Term and upon reasonable notice, Provider shall make available to Scopely any information reasonably required to allow Scopely to verify Provider’s compliance with this clause. Provider will inform Scopely without undue delay (and no later than 24 hours of becoming aware) in the event it learns or reasonably believes an Information Security Incident has occurred or is reasonably likely to occur. Upon any such discovery, Provider will cooperate with Scopely to investigate, remediate, mitigate, and prosecute any such occurrence and assist Scopely with timely notifications to affected individuals, data protection authorities and others as may be required under Data Protection Laws. Provider shall provide Scopely with assurances that such Information Security Incident will not recur, and reimburse Scopely for remediation costs incurred in connection with such Information Security Incident (including, without limitation, costs associated with: (a) provision of notice to affected individuals and relevant public authorities, and (b) daily credit monitoring and identity theft insurance for any breach that poses a risk of identity theft).
4. Subcontractors Provider will not use the services of any subcontractor to process Personal Data in connection with this Agreement, other than as authorized by Scopely in each instance. If such processing is authorized, Provider will enter into a written agreement with such subcontractor that complies with Data Protection Laws and ensures that such authorized subcontractor is aware of and bound by the requirements of this DPA. Provider remains fully responsible and liable for all acts and omissions of such subcontractor. Provider will provide reasonable notice to Scopely of any intended replacement or addition of subcontractors, giving Scopely the opportunity to approve or object to such changes. If Provider becomes aware of any breach of the Agreement by a subcontractor processing Personal Data on its behalf, Provider will promptly notify Scopely and assist with any investigation thereof. In such event, Scopely may, at its option, require Provider to: (a) suspend the transfer of Personal Data to the subcontractor, and (b) cause the subcontractor to promptly return or destroy any Personal Data in its possession, custody, or control. If Provider fails to do so, in addition to any rights and remedies as may be available to Scopely under law or equity, Scopely shall have the right to immediately terminate the Agreement and receive a pro-rata refund of any prepaid fees.
5. International Transfers
5.1 To the extent that there are any transfers, pursuant to the Agreement, of Personal Data from the European Economic Area (“EEA”) or Switzerland to a country outside of the EEA, Switzerland or any country approved by the European Commission, Swiss Federal Data Protection and Information Commissioner and/or other competent authority as providing adequate protection for Personal Data, each party agrees that it will abide by Module Two of the Standard Contractual Clauses implemented by the European Commission on June 4, 2021 for Controller to Processor transfers (“Module Two SCCs”), which are incorporated herein by reference. The parties agree that the following terms apply to the Module Two SCCs: (i) the optional docking provision of Clause 7 shall apply; (ii) for the purpose of Clause 9(a), option 2 shall apply and the period shall be thirty days; (iii) the optional provision in Clause 11 shall not apply; (iv) for the purpose of Clause 13, the competent supervisory authority shall be the regulator in Spain, the Agencia Española de Protección de Datos; (v) for the purpose of Clause 17, the parties agree that the Module Two SCCs shall be governed by the laws of Spain; and (vi) Annexes 1 and 2 of the Module Two SCCs are set forth in Appendix A to this DPA.
5.2. To the extent that there are any transfers, pursuant to the Agreement, of Personal Data from the United Kingdom (“UK”) (such data, “UK Personal Data”) outside of the UK or any country approved by the UK Information Commissioner’s Office (“ICO”) as providing adequate protection for UK Personal Data, then: (i) the Module Two SCCs shall also apply to transfers of UK Personal Data; and (ii) the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (“UK Addendum”) shall be deemed executed by the parties and the Module Two SCCs between the parties shall be deemed amended as specified in the UK Addendum, including that the competent supervisory authority shall be the ICO.
5.3. Provider shall cooperate fully with Scopely in conducting any related data privacy assessments, questionnaires, or similar diligence as may be necessary, in Scopely’s sole determination, in connection with cross-border transfers.
5.4. Upon Scopely’s request, Scopely and Provider shall enter into any additional standard contractual clauses, or any similar or successor agreement, as may be required from time to time, in Scopely’s sole determination, to allow for the transfer of Personal Data to Service Provider (including its affiliates) in accordance with Data Protection Laws.
5.5. Provider shall not process or transfer Personal Data in or to a territory other than the U.S., EEA, Switzerland, or UK unless it has obtained Scopely's prior authorization and complied with any additional requirements specified by Scopely in connection with such processing and/or transfer.
5.6. Provider shall notify Scopely promptly in writing if it determines that it is unable to comply with this Section 5 and work with Scopely in such cases to stop and remediate any unauthorized processing. Provider shall cease to process the Personal Data if, in Scopely's reasonable discretion, Provider is not compliant with this Section 5.
6. Retention, Disposal, and Destruction Provider will retain Personal Data collected in connection with this Agreement only so long as necessary to carry out its obligations under the Agreement. In the event Provider determines it can no longer comply with the terms of this DPA, or at Scopely’s direction at any time, and in any event upon termination or expiration of this Agreement, Provider will immediately cease processing of the Personal Data and upon Scopely's election, promptly return to Scopely or destroy any such Personal Data and any copies thereof, whether in hard copy or electronic format. Provider will ensure that Personal Data is destroyed in a manner consistent with Data Protection Laws. If requested by Scopely, Provider will provide Scopely with written certification of its compliance with these procedures.
7. Survival. This DPA and all provisions herein shall survive so long as, and to the extent that, Provider retains any Personal Data.
ANNEX 1 TO THE STANDARD CONTRACTUAL CLAUSES
1. List of Parties.
Data exporter The data exporter is the Scopely company listed on the Insertion Order. The data exporter’s contact information is as listed on the Insertion Order. The data exporter’s role is Controller. The activities relevant to the data transferred under these Clauses is: processing as part of the services ordered by data exporter pursuant to the Insertion Order. Data importer The data importer is the Publisher listed on the Insertion Order. The data exporter’s contact information is as listed on the Insertion Order. The data importer’s role is Processor. The activities relevant to the data transferred under these Clauses is: processing as part of the services ordered by data exporter pursuant to the Insertion Order.
2. Description of Transfer Categories of data subjects whose personal data is transferred End users of Scopely’s mobile applications and/or websites Categories of personal data transferred Personal data provided by Scopely to facilitate Provider’s provision of the services to Scopely, including but not limited to: online identifiers, such as IDFA, GAID, and IP addresses Sensitive data transferred (if applicable) Not applicable The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis) Continuous basis Nature of the processing Processing as part of the services ordered by Scopely in the Insertion Order Purpose(s) of the data transfer and further processing Providing the services pursuant to the Insertion Order The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period Personal data will be retained until termination or expiration of the services For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing Same as above
3. Competent Supervisory Authority The competent supervisory authority will be the regulator in Spain: Agencia Española de Protección de Datos (“AEPD”) Address: C/ Jorge Juan, 6, 28001 Madrid, Spain Telephone: +34 901 100 099/ +34 91 266 35 17 Website: www.aepd.es
ANNEX 2 TO THE STANDARD CONTRACTUAL CLAUSES
To ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons, data importer agrees in the DPA to implement and maintain: a comprehensive, written information security program in compliance with applicable law; and appropriate legal, technical, and organizational measures to protect personal data from any accidental or unlawful destruction, loss, alteration, or unauthorized disclosure, use, or access, and from any breach or attempted breach of data importer’s security measures. Examples of such measures may include: Measures of pseudonymisation and encryption of personal data Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing Measures for user identification and authorization Measures for the protection of data during transmission Measures for the protection of data during storage Measures for ensuring physical security of locations at which personal data are processed Measures for ensuring events logging Measures for ensuring system configuration, including default configuration Measures for internal IT and IT security governance and management Measures for certification/assurance of processes and products Measures for ensuring data minimization Measures for ensuring data quality Measures for ensuring limited data retention Measures for ensuring accountability Measures for allowing data portability and ensuring erasure