Privacy Policy

Privacy Policy for "Can You Hold It?"

Effective Date: June 26, 2025

1. Introduction & Scope

Welcome to "Can You Hold It?" (the "Game"), developed by XRCOO ("XRCOO," "we," "us," or "our"). Our registered office is in Poland. We are dedicated to protecting the privacy and handling the personal data of all our players, including adults and children, with transparency, ethics, and robust security measures.

This Privacy Policy ("Policy") explains how we collect, use, disclose, and safeguard your information when you play our Game. It outlines your data protection rights under applicable laws, including the General Data Protection Regulation (GDPR) if you are in the European Economic Area (EEA) or the United Kingdom (UK), and specific protections for children under laws such as the Children's Online Privacy Protection Act (COPPA) in the United States and GDPR Article 8.

Please read this Policy carefully. By accessing or playing the Game, you acknowledge that you have read, understood, and agree to the terms of this Policy. If you are a parent or legal guardian of a Child (as defined below) playing the Game, by allowing your Child to access or play the Game, you are agreeing to the terms of this Policy on your Child’s behalf.

IF YOU DO NOT AGREE WITH THE TERMS OF THIS PRIVACY POLICY, PLEASE DO NOT ACCESS OR PLAY THE GAME. IF YOU ARE A PARENT OR GUARDIAN AND DO NOT AGREE, PLEASE DO NOT ALLOW YOUR CHILD TO ACCESS OR PLAY THE GAME.

We reserve the right to make changes to this Policy at any time and for any reason. We will alert you about any material changes by updating the "Effective Date" of this Policy and may provide additional notice as appropriate under the circumstances (e.g., an in-game notification or a notice on our official website). Your continued use of the Game following the posting of changes will mean you accept those changes.

2. Definitions

  • Controller: For the purposes of GDPR and other applicable data protection laws, XRCOO is the data controller responsible for your Personal Data collected in connection with the Game.
  • Personal Data / Personal Information: Any information relating to an identified or identifiable natural person ('data subject'), as defined by GDPR, and including "Personal Information" as defined by COPPA. This includes, but is not limited to, names, email addresses, online identifiers (such as IP address, device identifiers, platform usernames), location data (if specifically collected with consent), gameplay data linked to an individual, and for Children, also includes parent's contact information for Verifiable Parental Consent (VPC) purposes.
  • Child/Children:
    • For the purposes of COPPA (applicable to users in the United States): Individuals under 13 years of age.
    • For the purposes of GDPR (applicable to users in the EEA/UK): Individuals under 16 years of age, unless an EEA Member State or the UK has lawfully set a lower age for consent for information society services (which cannot be below 13 years). We will apply the relevant age threshold based on the user's jurisdiction if known; otherwise, we will default to the higher protective standard of under 16 for GDPR purposes.
  • Adult: Individuals who do not fall under the definition of a Child as outlined above.
  • Processing: Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • GDPR: The General Data Protection Regulation (EU) 2016/679.
  • COPPA: The Children's Online Privacy Protection Act of the United States.
  • VPC (Verifiable Parental Consent): Consent obtained from a parent or legal guardian in a manner that is reasonably calculated, in light of available technology, to ensure that the person providing consent is actually the Child's parent or guardian, as required by laws like COPPA.

3. Age Gating and User Identification

To ensure appropriate privacy protections are applied, the Game may implement an age screen upon first launch or use age information provided by the VR platform through which you access the Game (where such information is available and reliably provided by the platform).

  • If a user identifies as a Child through our age screen, or if we have actual knowledge that a user is a Child, or if the VR platform indicates the user is a Child, the specific data practices described in Section 4 ("Children's Privacy") of this Policy will apply to that user.
  • If a user identifies as an Adult through our age screen, or if the VR platform indicates the user is an Adult, the data practices applicable to Adults, as outlined throughout this Policy, will apply.

Users are prohibited from misrepresenting their age. If we become aware that a Child has misrepresented their age, we may terminate their access to certain features or the Game and will take steps to delete their Personal Data in accordance with this Policy and applicable law.

4. Children's Privacy

XRCOO is deeply committed to protecting the privacy of our younger players. This section specifically details our practices regarding the collection, use, and disclosure of Personal Data from Children. If there is any conflict between this Children's Privacy section and any other section of this Policy, this Section 4 shall take precedence for any Personal Data collected from Children.

4.1. Collection of Personal Data from Children

  • Direct Collection of Identifiable Personal Data Requiring VPC: We do not knowingly collect Personal Data that directly identifies a Child (such as full name, home address, email address, telephone number, or photographs, videos, or audio files containing the Child's image or voice) without first obtaining Verifiable Parental Consent (VPC), except in limited circumstances permitted by law (e.g., to collect a parent's email address solely to seek VPC, or for a one-time response to a specific request from a Child where the information is not used for any other purpose and is deleted immediately after).
  • Gameplay Data: We collect data related to a Child’s gameplay (such as game progress, levels achieved, scores, high scores, in-game achievements, and choices related to customizable avatars). For Children, this data is primarily used for internal Game operations, to provide the core Game experience, and for purposes described under "Persistent Identifiers for Internal Operations." This data is not used for behavioral advertising or to build extensive profiles of Children for unrelated commercial purposes.
  • Platform Usernames/Gamertags: If a Child participates in features like leaderboards or multiplayer gameplay, their platform-provided username or gamertag (which they or their parent chose on the VR platform) may be displayed to other players. We strongly encourage parents to guide their Children in selecting pseudonymous usernames that do not reveal personal information. We do not allow Children to create or input custom text-based usernames directly within our Game systems that could readily reveal Personal Data.
  • Persistent Identifiers for Internal Operations: Like many online services, the Game automatically collects certain persistent identifiers (e.g., IP address, device model, operating system, device identifiers, platform-specific identifiers like user ID on the VR platform) and general usage data (e.g., crash reports, game performance analytics, features used, session duration). When collected from Children, we use this information solely for the following purposes, often referred to as "support for internal operations" under COPPA and permitted under similar exceptions in GDPR:
    • Maintaining or analyzing the functioning of the Game (e.g., diagnosing crashes, improving performance).
    • Performing network communications necessary for the Game to operate.
    • Authenticating users or personalizing content within the Game (in a manner that does not involve building a detailed profile for other purposes).
    • Protecting the security or integrity of the Child, other users, or the Game.
    • Ensuring legal or regulatory compliance.
    • Contextual advertising (meaning advertising based on the content of the Game screen a Child is viewing, not on their behavior over time or across different sites/apps). We do not engage in behavioral advertising directed to Children.
      We do not use these persistent identifiers collected from Children to track them across third-party apps or websites for purposes other than internal operations, nor for behavioral advertising, nor for creating profiles for such purposes.
  • No Collection of Sensitive Data: We do not knowingly collect or solicit sensitive Personal Data (such as health information, biometric data, or precise geolocation data that identifies street name and city/town) from Children.

4.2. Use of Children's Personal Data

Any Personal Data collected from Children (either with VPC where required, or for permitted internal operations as described above) is used by XRCOO solely for the following purposes:

  • To provide, operate, maintain, and (in a limited, non-profiling manner) personalize the Game for the Child.
  • To improve the Game's features, stability, and user experience, primarily through aggregated or de-identified analytics.
  • To provide customer support if initiated by the Child or their parent (potentially requiring VPC for ongoing interactions involving Personal Data).
  • To ensure the safety and security of our Child users and the Game environment.
  • To comply with our legal and regulatory obligations.

4.3. Sharing of Children's Personal Data

We do not share Children's Personal Data with third parties except in the following strictly limited circumstances:

  • Service Providers for Internal Operations: We may share information with our trusted third-party service providers who perform services on our behalf to support the internal operations of the Game (e.g., analytics providers for game performance and crash reporting, server hosting providers, customer support platform providers if used for Children). These service providers are contractually obligated to:
    • Maintain the confidentiality and security of the Personal Data.
    • Use the Personal Data only for the specific services they are providing to us for the Game's internal operations.
    • Comply with applicable children's privacy laws (e.g., COPPA, GDPR Article 8).
    • Examples of such providers may include:
      • Unity Technologies (for Unity Analytics, configured for child-directed services to limit data collection and use as per Unity's guidelines).
      • VR Platform Providers (e.g., Meta, Sony, Valve): These platforms provide essential functionalities like user authentication, achievements, leaderboards, and multiplayer identity. Their data collection and use are governed by their own privacy policies. We only receive or share data with them that is necessary for the Game's operation and integration with their platform features.
  • Legal Requirements or Safety: We may disclose Children's Personal Data if required to do so by law or in the good faith belief that such action is necessary to (i) comply with a legal obligation, (ii) protect and defend the rights or property of XRCOO, (iii) act in urgent circumstances to protect the personal safety of users of the Game or the public, or (iv) protect against legal liability. We will apply heightened scrutiny and safeguards when such disclosures involve Children's data.
  • Business Transfers: In the event of a merger, acquisition, reorganization, bankruptcy, or other similar event, Children's Personal Data may be transferred to a successor or assignee, provided that the successor or assignee agrees to abide by the terms of this Policy with respect to Children's Personal Data or provides parents with notice and obtains new VPC.
  • With Explicit Verifiable Parental Consent: For any other purpose not described above, we will only share a Child's Personal Data with third parties after obtaining explicit VPC.

We do not make Children's Personal Data publicly available through XRCOO's own systems (beyond platform usernames/gamertags on leaderboards or in multiplayer sessions where participation is inherent to the feature and the username is chosen on the VR platform). We do not enable Children to make their Personal Data publicly available through our Game systems in a way that is not moderated or managed with appropriate safeguards.

4.4. Verifiable Parental Consent (VPC)

Where VPC is required under applicable law (e.g., for collecting Personal Data from Children beyond that necessary for internal operations, or for certain sharing practices), XRCOO will:

  • Provide direct notice to parents (e.g., via email provided for this purpose) about our specific data practices concerning their Child before collecting the relevant Personal Data. This notice will describe the types of Personal Data to be collected, how it will be used, and our disclosure practices.
  • Use a method of VPC that is reasonably calculated, in light of available technology and the sensitivity of the information, to ensure that the person providing consent is indeed the Child's parent or legal guardian. Methods may include, but are not limited to, a consent form to be signed and returned, a credit/debit card verification, a call to a toll-free number staffed by trained personnel, or other methods permitted by COPPA and GDPR.
  • Provide parents with the choice to consent to our collection and use of their Child's Personal Data without consenting to the disclosure of that Personal Data to third parties, unless such disclosure is inherent to the activity for which consent is sought (e.g., participation in a feature that inherently involves sharing with other users).

4.5. Parental Rights and Controls

Parents and legal guardians of Children have the following rights with respect to their Child's Personal Data collected by XRCOO:

  • Right to Review: You have the right to review the specific types of Personal Data we have collected from your Child.
  • Right to Delete: You have the right to request that we delete the Personal Data we have collected from your Child from our records.
  • Right to Refuse Further Collection or Use (Revoke Consent): You have the right to refuse to permit our further collection or use of your Child's Personal Data, or to revoke any prior consent you have given. Please note that exercising this right may mean your Child can no longer use certain features of the Game or the Game entirely.
  • Right to be Informed: You have the right to be informed about our data practices concerning your Child, as detailed in this Policy.

To exercise any of these rights, please contact us directly as detailed in Section 15 ("Contact Us") of this Policy. Please include "Children's Privacy Parental Request" in the subject line of your communication. We will respond to your request within a reasonable timeframe and in accordance with applicable law (e.g., within 30 days for GDPR-related requests). We will take reasonable steps to verify your identity as the Child's parent or legal guardian before granting access to or making changes to the Child's Personal Data.

5. Information We Collect (Applicable to All Users, with Child-Specific Limitations as Noted Above)

This section details the types of information we may collect from all users. For users identified as Children, the specific limitations, purposes, and consent requirements described in Section 4 ("Children's Privacy") will always apply and take precedence.

a. Personal Data You Voluntarily Provide:

  • Support Communications: If you contact us for support, feedback, or other inquiries, we collect your name (if provided), email address, platform username, and the content of your communication.
  • Account Creation (Primarily for Adults): If we offer direct account creation with XRCOO (separate from VR platform accounts) for certain features or services primarily aimed at Adults, we may collect information such as a username, password, and email address. (This feature would generally require VPC if offered to Children.)
  • Feedback, Surveys, Contests, or Promotions (Primarily for Adults): If you, as an Adult, choose to participate in surveys, contests, or promotional offers, we may collect information you provide in connection with those activities, such as your contact details and responses.

b. Gameplay Data:

  • Information related to your progress in the Game, levels achieved, scores, high scores, in-game achievements, items or customizations acquired or used, and choices related to customizable avatars.

c. Device and Technical Information (Often Collected Automatically):

  • Crash Reports & Performance Analytics: Information about game performance, crashes, device type and model, operating system version, hardware specifications, IP address (which may be anonymized or pseudonymized), unique device identifiers, and general gameplay patterns (e.g., session duration, features used, game settings).
  • Platform Information: Information received from the VR platform you use to access the Game (e.g., Steam, Meta Quest Store, PlayStation Store), such as your platform user ID, entitlement information (to verify your ownership of the Game), and potentially aggregated or anonymized sales data or player statistics. The platform's own privacy policy governs its collection of your data.
  • Cookies and Similar Technologies: As detailed in Section 12. For Children, the use is strictly limited.

d. Multiplayer Data (If Applicable):

  • If you participate in multiplayer modes, your platform username/gamertag and certain gameplay data (like your score, in-game actions, or avatar appearance) will be processed and visible to other players in that game session.
  • Network information, such as your IP address, may be processed by the VR platform or our servers (or third-party networking providers we may use) to establish and maintain the connection for multiplayer gameplay.

6. How We Use Your Information (Applicable to All Users, with Child-Specific Limitations)

This section outlines the purposes for which we use your information. For users identified as Children, the purposes are restricted as per Section 4.2 ("Use of Children's Personal Data").

| Purpose of Processing | Legal Basis (GDPR) - For Adult Users | Legal Basis (GDPR) - For Child Users |
| --- | --- | --- |
| To operate, maintain, and provide you with the core features and functionality of the Game. | Art. 6(1)(b) GDPR: Processing is necessary for the performance of a contract with you (to provide the Game services). | Art. 6(1)(b) GDPR (for core functionality supporting internal operations) and/or Art. 6(1)(a) GDPR via VPC (for features beyond basic operations needing Personal Data), or Art. 6(1)(f) GDPR (Legitimate Interest for strictly necessary internal operations). |
| To enable player-to-player interactions in multiplayer modes (if applicable). | Art. 6(1)(b) GDPR: Necessary for the performance of a contract. | Art. 6(1)(b) GDPR and/or Art. 6(1)(a) GDPR via VPC. |
| To display your scores on leaderboards (if you participate). | Art. 6(1)(b) GDPR: Necessary for the performance of a contract. | Art. 6(1)(b) GDPR and/or Art. 6(1)(a) GDPR via VPC. |
| To respond to your customer service requests, support needs, and other inquiries. | Art. 6(1)(b) GDPR: Necessary to take steps at your request or for the performance of a contract, or Art. 6(1)(f) GDPR: Our legitimate interest to provide effective customer support. | Art. 6(1)(f) GDPR (Legitimate Interest for one-time query resolution not requiring ongoing PI use) or Art. 6(1)(a) GDPR via VPC (for ongoing support needing PI). |
| To monitor and analyze usage, trends, and player behavior to improve the Game's design, features, and your overall experience (Primarily for Adults, or aggregated/de-identified for Children). | Art. 6(1)(f) GDPR: Our legitimate interest to improve our Game and services, or Art. 6(1)(a) GDPR: Your consent for non-essential analytics cookies/trackers. | Restricted to internal operations as per Section 4.1, on basis of Art. 6(1)(f) GDPR (Legitimate Interest for internal ops) or necessity for service. |
| To diagnose and fix technical problems, bugs, and crashes. | Art. 6(1)(f) GDPR: Our legitimate interest in maintaining the stability and functionality of our Game. | Art. 6(1)(f) GDPR (Legitimate Interest for internal ops). |
| To protect the security and integrity of the Game, prevent fraud, abuse, and ensure fair play. | Art. 6(1)(f) GDPR: Our legitimate interest to protect our services, users, and intellectual property. | Art. 6(1)(f) GDPR (Legitimate Interest for internal ops). |
| To comply with legal and regulatory obligations to which we are subject. | Art. 6(1)(c) GDPR: Processing is necessary for compliance with a legal obligation. | Art. 6(1)(c) GDPR. |
| To send you marketing communications, newsletters, or promotional offers about XRCOO games and services (For Adults who have explicitly opted-in). | Art. 6(1)(a) GDPR: Your explicit consent. | Not applicable to Children. We do not send marketing communications to Children. |
| To personalize advertising shown to you within the Game (For Adults who have consented to relevant advertising cookies/trackers). | Art. 6(1)(a) GDPR: Your explicit consent. | Not applicable to Children. We do not engage in behavioral advertising directed to Children. |

Where we rely on legitimate interests (Art. 6(1)(f) GDPR) as a legal basis, we have performed a balancing test to ensure that our legitimate interests are not overridden by your interests or fundamental rights and freedoms, particularly for Children.

7. Sharing Your Information (Applicable to All Users, with Child-Specific Limitations)

This section details how and with whom we may share your information. For users identified as Children, sharing is strictly restricted as per Section 4.3 ("Sharing of Children's Personal Data").

  • With Your Consent (For Adults, or with Verifiable Parental Consent for Children): We may share your Personal Data with third parties when we have your explicit consent (or VPC for Children) to do so for a specific purpose.
  • By Law or to Protect Rights: We may disclose your information if we are required to do so by law or legal process, or if we believe in good faith that disclosure is necessary to:
    • Comply with a legal obligation or respond to lawful requests from public authorities.
    • Protect and defend the rights, property, or safety of XRCOO, our users (including yourself or your Child), or the public.
    • Prevent or investigate possible wrongdoing in connection with the Game.
    • Enforce our terms and conditions or other agreements.
  • Third-Party Service Providers: We may share your Personal Data with third-party vendors, service providers, contractors, or agents who perform services for us or on our behalf and require access to such information to do that work. These providers are contractually obligated to keep Personal Data confidential, use it only for the purposes for which we disclose it to them, and implement appropriate security measures.
    • For Children, these are strictly limited to providers supporting internal operations as detailed in Section 4.3.
    • For Adults, these may also include providers for broader analytics, marketing automation (if you've consented to marketing), or advertising networks (if you've consented to advertising cookies/trackers).
  • Leaderboards & Other Players (Multiplayer Gameplay): If you participate in leaderboards or multiplayer modes, your platform username/gamertag and certain gameplay statistics (like scores or avatar appearance) will be visible to other players.
  • Business Transfers: In the event that XRCOO is involved in a merger, acquisition, financing, due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your Personal Data may be sold or transferred as part of such a transaction as permitted by law and/or contract. We will notify you via email and/or a prominent notice within the Game or on our website of any change in ownership or uses of your Personal Data, as well as any choices you may have regarding your Personal Data. For Children's Personal Data, the successor entity will be required to honor the commitments in this Policy or provide new notice and obtain VPC.
  • Aggregated or De-Identified Data: We may share aggregated or de-identified information, which cannot reasonably be used to identify you or a Child, with third parties for various purposes, including research, marketing, analytics, or to improve our services.

We do not "sell" your Personal Data or Children's Personal Data in the traditional sense or as "sale" is commonly defined in laws like the California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA). We do not engage in behavioral advertising using Personal Data collected from users we have identified as Children.

8. International Data Transfers

Your information, including Personal Data, may be transferred to, stored, and processed in countries other than your country of residence, including countries outside the EEA or UK (such as the United States, where some of our third-party service providers may be located or process data). These countries may have data protection laws that are different from, and potentially less protective than, the laws of your country.

When we transfer your Personal Data to countries outside the EEA or UK, we will ensure that appropriate safeguards are in place to protect your Personal Data in accordance with this Policy and applicable data protection laws. These safeguards include:

  • Transferring Personal Data to countries that have been deemed to provide an adequate level of protection for Personal Data by the European Commission (an "adequacy decision").
  • Implementing Standard Contractual Clauses (SCCs) approved by the European Commission (or the UK Information Commissioner's Office for UK data transfers) with the third party receiving the data. These contractual clauses require the recipient to protect your Personal Data to the same standards as it would be within the EEA/UK. We also assess the need for any supplementary measures to ensure an equivalent level of protection.
  • Relying on other valid transfer mechanisms permitted under GDPR, such as Binding Corporate Rules (BCRs) if applicable.

By using the Game and providing us with your information, you acknowledge that your Personal Data may be transferred to and processed in these countries with these safeguards in place. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Policy.

9. Data Retention

We will retain your Personal Data only for as long as is reasonably necessary to fulfill the purposes for which it was collected, as set out in this Policy, or as long as your account with the Game or relevant VR platform is active (if applicable), or as needed to provide you with the Game services.

We will also retain and use your Personal Data to the extent necessary to:

  • Comply with our legal and regulatory obligations (for example, if we are required to retain your data to comply with applicable tax or accounting laws).
  • Resolve disputes and enforce our legal agreements and policies.
  • Support the internal operations of the Game.

For Children's Personal Data, we are particularly mindful of retention periods. We retain Personal Data collected from a Child for only as long as is reasonably necessary to fulfill the purpose for which it was collected (e.g., to provide the Game, support internal operations, or for the duration of parental consent). We will delete or anonymize Children's Personal Data when it is no longer needed for these purposes, upon a verifiable parental request to do so (subject to legal exceptions), or if consent is revoked.

Gameplay data stored locally on your device is under your control for as long as you choose to keep it or the Game installed. Data held by VR platforms (e.g., for cloud saves or platform achievements) is subject to their respective retention policies.

Once the retention period expires, Personal Data will be securely deleted or anonymized so that it can no longer be associated with an individual. Anonymized or aggregated data, which can no longer be used to identify you or a Child, may be kept for longer periods for research, statistical, or service improvement purposes.

10. Security of Your Information

We have implemented and maintain a combination of administrative, technical, and physical security measures designed to protect your Personal Data from unauthorized access, use, alteration, disclosure, or destruction. These measures include, but are not limited to:

  • Data encryption where appropriate (both in transit and at rest).
  • Access controls to limit access to Personal Data to authorized personnel who need it to perform their job duties.
  • Secure software development practices.
  • Regular review of our information collection, storage, and processing practices, including physical security measures, to guard against unauthorized access to systems.
  • Training for our staff on data protection and security.

While we take reasonable and appropriate steps to secure the Personal Data you provide to us, please be aware that despite our best efforts, no security measures are perfect or impenetrable, and no method of data transmission over the Internet or method of electronic storage can be guaranteed to be 100% secure. Therefore, we cannot guarantee its absolute security. Any transmission of Personal Data is at your own risk. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of any account you might have with us has been compromised), please immediately notify us of the problem by contacting us in accordance with Section 15 ("Contact Us").

11. Your Data Protection Rights (Specifically for EEA/UK Residents)

If you are a resident of the European Economic Area (EEA) or the United Kingdom (UK), you have certain data protection rights under the GDPR. These rights apply to Adult users for their own data and to parents or legal guardians exercising these rights on behalf of their Children. XRCOO aims to take reasonable steps to allow you to correct, amend, delete, or limit the use of your Personal Data.

Your rights include:

  • The right to be informed: You have the right to be provided with clear, transparent, and easily understandable information about how we use your Personal Data and your rights. This is why we are providing you with this Privacy Policy.
  • The right of access: You have the right to request access to your Personal Data that we hold about you and to receive a copy of it.
  • The right to rectification: You have the right to request that we correct any Personal Data we hold about you that is inaccurate or request that we complete any Personal Data that is incomplete.
  • The right to erasure (right to be forgotten): You have the right to request the deletion or removal of your Personal Data where there is no compelling reason for us to keep using it, or where you have successfully exercised your right to object to processing, or where we may have processed your information unlawfully, or where we are required to erase your Personal Data to comply with local law. This right is not absolute and only applies in certain circumstances.
  • The right to restrict processing: You have the right to 'block' or suppress further use of your Personal Data in certain circumstances (e.g., if you contest the accuracy of the Personal Data or have objected to our use of it). When processing is restricted, we can still store your Personal Data, but may not use it further.
  • The right to data portability: You have the right to obtain and reuse your Personal Data for your own purposes across different services. This allows you to move, copy, or transfer Personal Data easily from our IT systems to another organization, or directly to you, in a structured, commonly used, and machine-readable format. This right only applies to Personal Data you have provided to us where processing is based on your consent or for the performance of a contract with you, and when processing is carried out by automated means.
  • The right to object to processing: You have the right to object to certain types of processing, including processing based on our legitimate interests, on grounds relating to your particular situation, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims. You also have the absolute right to object to the processing of your Personal Data for direct marketing purposes (which we would only do with your explicit consent for Adult users).
  • Rights related to automated decision-making and profiling: You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you, unless the decision is necessary for entering into, or performance of, a contract between you and us, or is authorized by Union or Member State law to which we are subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or is based on your explicit consent. XRCOO does not currently engage in such automated decision-making that produces legal effects or similarly significantly affects users of "Can You Hold It?".
  • The right to withdraw consent: If you have given your consent to anything we do with your Personal Data (i.e., where we rely on consent as a legal basis for processing specific Personal Data), you have the right to withdraw your consent at any time. Withdrawing consent will not, however, make unlawful our use of your Personal Data that occurred while consent had been apparent.

12. How to Exercise Your Rights (Including Parental Rights)

To exercise any of the rights described above, please contact us using the contact details provided in Section 15 ("Contact Us") of this Policy. For requests specifically related to a Child's Personal Data, parents or legal guardians should refer to Section 4.5 ("Parental Rights and Controls") and clearly indicate that the request pertains to a Child's data.

Please be specific in your request and provide sufficient information to allow us to identify you (or your Child, in the case of a parental request) and verify your (or your parental) authority. We will respond to your request within one month of receipt, as required by GDPR. This period may be extended by two further months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.

We may need to request additional information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights, or to verify parental status). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

There is generally no fee to access your Personal Data or to exercise any of the other rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

You also have the right to lodge a complaint with a competent data protection supervisory authority. For EEA/UK residents, this will typically be the authority in your EU Member State of habitual residence, place of work, or place of the alleged infringement. The lead supervisory authority for XRCOO in Poland is the President of the Office for Personal Data Protection (Urząd Ochrony Danych Osobowych - UODO).

13. Cookies and Similar Technologies

"Cookies" are small text files stored on your device. While the Game itself, being a VR application, may not use "cookies" in the traditional web browser sense as extensively as a website, we and our third-party service providers may use various similar technologies to collect information automatically when you play the Game. These technologies may include:

  • Device Identifiers: Such as your device's advertising ID (if applicable and consented to by Adults), vendor ID, or other unique hardware identifiers.
  • SDKs (Software Development Kits): These are blocks of code embedded in the Game, often provided by our partners (e.g., Unity Technologies for analytics, VR platform providers), that may collect information about your device and how you interact with the Game.
  • Local Storage: The Game may use local storage on your device to save game progress, settings, and preferences.
  • Pixels or Beacons (less common in VR games, but possible via integrated web views): Small electronic files that may be used for analytics or to track interactions.

These technologies are used for purposes such as:

  • Operating and ensuring the proper functioning of the Game.
  • Authenticating users and maintaining session information.
  • Saving your game preferences and progress.
  • Understanding game usage, player engagement, and performance (analytics).
  • Diagnosing technical issues, bugs, and crashes.
  • Enabling features provided by VR platforms (e.g., achievements, cloud saves, multiplayer services).
  • For Adult users who have provided consent: Potentially for delivering contextual or personalized advertising within the Game (if applicable), or for other analytics purposes beyond essential operations.

Specific Considerations for Children:

For users identified as Children, the use of cookies and similar technologies is strictly limited to those necessary for the Game's internal operations (as described in Section 4.1 under "Persistent Identifiers for Internal Operations") and to comply with legal requirements. We do not use these technologies to track Children across third-party sites or apps for behavioral advertising or to build detailed profiles for such purposes. Analytics tools used for Children (e.g., Unity Analytics) are configured to operate in a manner consistent with children's privacy laws like COPPA and GDPR.

Your Choices (Primarily for Adult Users):

Many VR platforms and device operating systems provide you with controls to manage the collection and use of certain device identifiers, particularly for advertising or broader analytics purposes. Please consult the settings and privacy documentation of your specific VR platform and device. Where we are required by applicable law to obtain your consent for the use of non-essential cookies or similar technologies that are directly controlled by us (e.g., for personalized advertising for Adult users), we will provide you with a clear mechanism to provide or withhold that consent.

14. Third-Party Websites, Services, and VR Platforms

The Game operates on and integrates with various third-party VR platforms (e.g., Steam, Meta Quest Store, PlayStation Store). Your use of these platforms is subject to their own terms of service and privacy policies, which we encourage you to review. Our Privacy Policy does not cover the data practices of these VR platforms, except to the extent we receive or share data with them as described herein.

The Game may also contain links to or integrate with other third-party websites, services, or applications (e.g., community forums, social media features if integrated, links to our website). We are not responsible for the privacy practices or the content of these external third-party services. This Privacy Policy does not apply to their collection or use of your information. We encourage you to carefully review the privacy policies of any third-party services you access before providing any Personal Data to them.

15. Contact Us

If you have any questions, comments, or concerns about this Privacy Policy, our data handling practices, or if you wish to exercise your data protection rights (including parental rights), please contact us:

XRCOO

Email: [email protected]

For data protection purposes, if you are in the EEA or UK, you also have the right to lodge a complaint with our lead supervisory authority, which is:

President of the Office for Personal Data Protection (Urząd Ochrony Danych Osobowych - UODO)

Address: Stawki 2, 00-193 Warsaw, Poland

Website: uodo.gov.pl