Privacy Policy of OFM Studios GmbH

I. Name and address of the controller

The controller within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection provisions is:

OFM Studios GmbH
Stolberger Str. 321a
50933 Cologne, Germany
E-mail: privacy@ofm.gmbh

II. General information on data processing

1. Scope of the processing of personal data

As a rule, we only collect the personal data that you provide to us during your sign-up or registration and, where applicable, when using paid services. Personal data is data containing information about personal or factual circumstances. When signing up and registering as a user on our website you only need to provide an e-mail address and/or a username and/or a password. The password is stored in encrypted form, which at no time allows any conclusion to be drawn about the actual password.

You may also, on a voluntary basis, enter the team-ID of the manager who recruited you during sign-up. The team-ID is the number that uniquely identifies each club. This allows the manager who recruited you to receive a bonus if you make a purchase.

In the context of the performance of the user agreement, in particular as part of the paid services you have chosen, the provision of further data such as full name, address, bank account details, credit card numbers etc. may be required. For the processing of your enquiries or for your support it is sometimes necessary to ask you for personal data such as name, address, e-mail address and telephone number.

We also collect data in the course of voluntary participation in surveys. We only pass on personal data to cooperating companies or external service providers to the extent that this is legally required or permitted, in particular for performance of the contract, payment processing, the protection of other users, the defence against threats to state or public security, or the prosecution of criminal offences.

For analytical purposes we collect automatically generated data such as your recent visits to our services and how you move through the various areas, in order to make our services more intuitive and to evaluate user needs and preferences.

2. Legal basis for the processing of personal data

Insofar as we obtain the consent of the data subject for processing operations involving personal data, Article 6 (1) (a) GDPR serves as the legal basis. When processing personal data necessary for the performance of a contract to which the data subject is party, Article 6 (1) (b) GDPR serves as the legal basis. This also applies to processing operations necessary for the performance of pre-contractual measures. Where processing of personal data is required to fulfil a legal obligation to which our company is subject, Article 6 (1) (c) GDPR serves as the legal basis. In the event that vital interests of the data subject or another natural person make the processing of personal data necessary, Article 6 (1) (d) GDPR serves as the legal basis. If the processing is necessary to safeguard a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not override the first-mentioned interest, Article 6 (1) (f) GDPR serves as the legal basis.

3. Purpose of the processing of personal data

We collect and process data in order to enable you to use the Services. This includes processing for data security purposes as well as for the stability and operational security of our system and for billing purposes. We process data in order to support you with support enquiries. Data is further processed in order to detect and prevent abusive use of multiple accounts, e.g. for fraud purposes. Data processing also takes place in order to acquire new customers and to display advertising which we believe corresponds to your interests.

4. Data erasure and storage duration

The personal data of the data subject will be deleted or blocked as soon as the purpose of storage ceases to apply. Storage may also take place if this has been provided for by European or national legislators in EU regulations, laws or other provisions to which the controller is subject. Data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need for the further storage of the data for a contractual conclusion or contractual fulfilment.

5. Data security

We endeavour to take reasonable precautions to prevent unauthorised access to your personal data and unauthorised use or alteration of this data, and to minimise the corresponding risks. Nevertheless, the provision of personal data, whether in person, by telephone or via the internet, always involves risks and no technological system is entirely free from the possibility of being manipulated or sabotaged. We process the information collected from you in accordance with German and European data protection law. All employees are obliged to maintain data secrecy and the data protection regulations and have been instructed accordingly. During payment transactions, your data is transmitted in encrypted form using the SSL procedure.

III. Provision of the Services and creation of log files

1. Description and scope of the data processing

Each time our Services are accessed, our system automatically collects data and information from the computer system of the calling computer. The following data is collected: Internet protocol; IP address; URL of the referring website; date and time of access; browser type and operating system as well as hardware information; transferred data volume; access status (file transferred, file not found, etc.); duration and frequency of use; available IDs of third parties (e.g. Google Play ID, Facebook ID etc.) to enable cross-device use. The data is also stored in the log files of our system.

2. Legal basis for the data processing

The legal basis for the temporary storage of the data and the log files is Article 6 (1) (f) GDPR.

3. Purpose of the data processing

The temporary storage of the IP address by the system is necessary to enable the Services to be delivered to the user's computer. For this purpose, the user's IP address must remain stored for the duration of the session. Storage in log files takes place to ensure the functionality of the Services. In addition, the data serves to optimise the Services and to ensure the security of our information technology systems. Storage beyond the session duration takes place for fraud prevention purposes (e.g. payment fraud, breach of game rules through use of multiple accounts by the same person) and for IT security purposes (e.g. protection against DDoS attacks). Our legitimate and overriding interest in the processing within the meaning of Article 6 (1) (f) GDPR also lies in these purposes.

4. Duration of storage

The data is deleted as soon as it is no longer required to achieve the purpose of its collection.

5. Right to object and removal

The collection of data for the provision of the Services and the storage of the data in log files is essential for ensuring the most uninterrupted operation of the Services possible. The user therefore has no option to object.

IV. Support ticket system

1. Description and scope of the data processing

A support ticket system is available within our Services for electronic contact. If a user makes use of this option, the entered data is transmitted to and stored by us. This data is: type of enquiry, username, subject, question/problem description. Alternatively you can contact us via the provided e-mail address support@ofm.gmbh. In this case the personal data submitted with the e-mail will be stored. There is no transfer of data to third parties in this context. The data is used exclusively for processing the enquiry.

2. Legal basis

If the user has given consent, the legal basis is Article 6 (1) (a) GDPR. The legal basis for processing data transmitted in the course of sending an e-mail is Article 6 (1) (f) GDPR. If the e-mail contact aims at the conclusion of a contract, the additional legal basis is Article 6 (1) (b) GDPR.

3. Purpose, storage duration, and right to object

The processing of personal data serves us solely for processing the contact. For fraud prevention and support improvement, the data is stored for six months. You may revoke your consent at any time. If you contact us, you can object to the storage of your personal data at any time; in such a case the conversation cannot be continued and all personal data stored during the contact will be deleted.

V. Cookies, web beacons and consent management

1. Description and scope of the data processing

We use so-called "cookies", i.e. text files or pixels that are stored on the user's display device. These are technologies with the help of which certain user-specific settings and technical information can be collected, by means of which the user can be identified. We use cookies to make our Services more user-friendly. Some elements of our Services require that the user be identifiable. We also use cookies that enable an analysis of the user's behaviour. In addition, we use cookies to deliver advertising.

There are permanent cookies which remain on your display device for a longer period, and session cookies which are stored temporarily on your display device and are deleted after closing the Services. We use necessary cookies, functional cookies, performance cookies, targeting and advertising cookies, and conversion-tracking cookies.

Necessary cookies. These cookies are necessary for the use of the Services. Without these necessary cookies, we may not be able to provide certain services or features, or the display of the Services may not be error-free.

Functional cookies. Functional cookies allow us to recognise your preferences and to provide you with enhanced and better-adapted features, e.g. personalisation of the Services, recognition of whether we have already asked you about certain things, or other services you may have requested.

Performance cookies. Performance cookies, sometimes also called analytics cookies, collect information about your use of the Services and enable us to improve how the Services function. They show us, for example, which pages are most frequently used and help us to identify problems with the use of the Services and determine whether our advertising is being displayed effectively.

Targeting and advertising cookies. We and our service providers may use targeting or advertising cookies to show you advertising that is better adapted to your interests and preferences. They can also be used to limit the number of identical advertisements you see within the Services or to determine the effectiveness of our marketing campaigns.

Conversion-tracking cookies. To enable our users to have the best possible game experience, we constantly try to add new players to our games. To bill and steer marketing measures we use conversion tracking. Upon the first login of a registered user, only the conversion pixel of the publisher whose campaign brought the user to us is loaded — no longer all pixels at once. This minimises the data flow to advertising networks to the technical minimum.

2. Consent Management Platform (Sourcepoint)

To obtain and manage consent for non-essential cookies and tracking services, we use the Consent Management Platform (CMP) of Sourcepoint (account ID 375, rolled out via Stroeer Digital Group). Before processing your personal data for marketing or analytics purposes, you are informed via a consent banner and you can grant, refuse, or revoke your consent per vendor at any time. You can adjust your consent settings at any time via the Privacy Manager on our websites.

3. List of cookies we set (selection)

• _ga, _gid, _gads (Google)
• amplitude_id (Amplitude)
• fbm_number (Facebook)
• PHPSESSID, POPUPCHECK (session / application)
• mt_tmpUID, mt_lineID, mt_creativeID, mt_conversion_done (OFM marketing tracking)
• vid, srv1, srv2, im, sde, axd, al, al_vid, globalvar_user (application)

4. Third parties that may set cookies

• Google (Google Ads, DV360)
• Sourcepoint / Stroeer Digital (consent management, ad sales)
• Amplitude (product analytics)
• INFOnline (IVW/AGOF reach measurement)
• Facebook (login, advertising)
• Cloudflare (CDN / bot protection)

5. Legal basis, purpose and storage duration

The legal basis for the processing of personal data using technically necessary cookies is Article 6 (1) (f) GDPR; for non-necessary cookies and tracking services it is Article 6 (1) (a) GDPR (consent obtained via the CMP). The purpose of using technically necessary cookies is to simplify use. The user data collected by technically necessary cookies is not used to create user profiles. Cookies are stored on the user's device and transmitted by it to us. You as a user therefore have full control over the use of cookies — by changing the settings in your internet browser or mobile device, you can disable or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. If cookies are disabled, it may no longer be possible to use all the functions of the Services to their full extent.

VI. Google Services

1. Google Ads & Google Marketing Platform

On the basis of your consent (Article 6 (1) (a) GDPR, given via the CMP) and/or our legitimate interests (Article 6 (1) (f) GDPR), we use marketing services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"), in particular Google Ads and Display & Video 360 (DV360). The transfer of data to the USA is based on the EU-US Data Privacy Framework (Adequacy Decision of the European Commission of 10 July 2023), under which Google is certified.

The Google marketing services enable us to display advertising on and for our website in a more targeted manner, in order to show users only ads that potentially correspond to their interests. To this end, when our website and other websites on which Google marketing services are active are accessed, code from Google is directly executed by Google and so-called (re)marketing tags (invisible graphics or code, also referred to as "web beacons") are integrated into the website. With their help an individual cookie is stored on the user's device. The cookies may be set by various domains, including google.com, doubleclick.net and googleadservices.com.

User data is processed pseudonymously in the context of Google marketing services. In the case of Google Ads, each advertiser receives a different "conversion cookie". The information obtained with the help of the cookie or pixel is used to compile conversion statistics — the advertising customers do not receive any information by which users could be personally identified.

Further information about the use of data for marketing purposes by Google can be found at policies.google.com/technologies/ads. Google's privacy policy is available at policies.google.com/privacy. If you wish to object to interest-based advertising by Google, you can use the settings and opt-out options provided by Google at adssettings.google.com.

VII. Amplitude

We use the product analytics service Amplitude of Amplitude, Inc., 501 2nd Street, Suite 100, San Francisco, CA 94107, USA, to evaluate usage behaviour on a pseudonymous basis. The data collected via these technologies is not used to personally identify the user without their separately granted consent and is not merged with personal data about the bearer of the pseudonym. The data is stored on Amplitude servers in the United States (US region). The transfer to the USA is based on the EU-US Data Privacy Framework — Amplitude is certified under this framework. You can find Amplitude's privacy policy at amplitude.com/privacy.

VIII. INFOnline (SZMnG)

1. Description and scope of the data processing

Our website uses the measurement procedure ("SZMnG") of INFOnline GmbH (www.INFOnline.de) to determine statistical metrics about the use of our offerings. The aim of the usage measurement is to statistically determine the number of visits to our website, the number of visitors and their surfing behaviour on the basis of a uniform standard procedure, in order to obtain market-wide comparable values.

For all digital offerings that are members of the IVW (Informationsgemeinschaft zur Feststellung der Verbreitung von Werbeträgern e. V. – www.ivw.eu) or participate in studies of the AGOF (Arbeitsgemeinschaft Online-Forschung e. V. – www.agof.de), the usage statistics are regularly further processed by AGOF and agma into reach figures.

INFOnline GmbH collects the following data, which under the EU GDPR has a personal reference:

• IP address: IP addresses are shortened by 1 byte before any processing and are only further processed in anonymised form. There is no storage or further processing of unshortened IP addresses.
• Randomly generated client identifier: Reach processing uses either a cookie with the identifier "ioam.de", a "Local Storage Object", or a signature created from various automatically transmitted browser information to recognise computer systems. The validity of the cookie is limited to a maximum of one year.

2. Legal basis, purpose and storage duration

Measurement is carried out on the basis of legitimate interest under Article 6 (1) (f) GDPR. The purpose of the processing is the creation of statistics and the formation of user categories. The full IP address is not stored by INFOnline GmbH. The shortened IP address is stored for a maximum of 60 days. The usage data linked to the unique identifier is stored for a maximum of six months.

3. Right to object

If you do not wish to participate in the measurement, you can opt out via the following link: optout.ioam.de. To guarantee an exclusion from the measurement, it is technically necessary to set a cookie. Further information on data protection in the measurement procedure can be found on the INFOnline GmbH, AGOF and IVW websites.

IX. Facebook Connect

We offer you the option to sign in to our Services with Facebook Connect. This is a service provided by Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook"). An additional registration is therefore not necessary. To log in you will be redirected to the Facebook page, where you can log in with your user data. This links your Facebook profile and our service. Through this link we automatically receive the following information from Facebook: e-mail address. This information is mandatory for the conclusion of the contract in order to identify you. Further information on Facebook Connect and the privacy settings can be found in the privacy notice at facebook.com/about/privacy.

X. Social-media plugins

We use plugins from the social networks Facebook (Meta Platforms Ireland Ltd.) and X (formerly Twitter; X Corp., 1355 Market Street, Suite 900, San Francisco CA 94103, USA) ("Social Networks") on our platform. You can recognise the plugins by the respective network logo. Simply accessing our Services does not establish a direct connection from your browser to the servers of the social networks and no data is transmitted (unless you are signed in via Facebook Connect). If you actively use the plugins, they transmit various data to the respective social network, including date and time of the visit, the URL visited, the URL previously visited, browser, operating system and IP address. If you are simultaneously logged in to one of the named networks while using our Services, it cannot be ruled out that the provider may associate the visit with your network account. The purpose and scope of the data collection and the further processing and use of the data by the networks can be found in their respective privacy notices.

XI. Newsletter

We offer you a free newsletter service. With the newsletter we inform you about new game features and new versions of OnlineFussballManager as well as about other online games. We also inform you about time-limited campaigns, e.g. around the football European Championship. We further remind you by e-mail if you forget to look after your team for a few days. To receive the newsletter via e-mail, you can sign up during registration or in the settings within the Services. You will then receive a confirmation e-mail with a link or confirmation code. After confirmation you are subscribed to the newsletter. You can unsubscribe from the newsletter at any time. Each newsletter also contains an unsubscribe link.

XII. Rights of the data subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights against the controller:

1. Right of access

You may request the controller to confirm whether personal data concerning you is being processed by us. If such processing exists, you may request information about the purposes of the processing, the categories of personal data processed, the recipients or categories of recipients, the planned storage period or criteria for determining the period, the existence of a right to rectification or erasure, restriction of processing or objection, the existence of a right to lodge a complaint with a supervisory authority, all available information about the origin of the data if it was not collected from the data subject, and the existence of automated decision-making including profiling under Article 22 (1) and (4) GDPR. You have the right to request information on whether personal data concerning you is transferred to a third country or to an international organisation.

2. Right to rectification

You have a right to rectification and/or completion against the controller if the personal data processed about you is incorrect or incomplete. The controller must carry out the rectification without undue delay.

3. Right to restriction of processing

Under the conditions of Article 18 GDPR you may request the restriction of the processing of your personal data — in particular if you contest the accuracy of the personal data, if the processing is unlawful and you object to deletion, if the controller no longer needs the personal data but you require it for the establishment, exercise or defence of legal claims, or if you have lodged an objection under Article 21 (1) GDPR and it is not yet clear whether the legitimate grounds of the controller override yours.

4. Right to erasure

You may request the controller to delete personal data concerning you without undue delay if any of the grounds under Article 17 (1) GDPR apply — e.g. if the data is no longer necessary, if you withdraw your consent, if you object and there are no overriding legitimate grounds, or if the data has been unlawfully processed. The right to erasure does not exist where processing is necessary to exercise the right of freedom of expression and information, to comply with a legal obligation, for reasons of public interest, for archiving purposes, or for the establishment, exercise or defence of legal claims.

5. Right to notification

If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to notify all recipients to whom the personal data concerning you has been disclosed of this rectification or erasure or restriction of processing, unless this proves impossible or involves disproportionate effort. You have the right to be informed of these recipients.

6. Right to data portability

You have the right to receive the personal data concerning you that you have provided to the controller in a structured, common and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to which the personal data was provided, provided that the processing is based on consent under Article 6 (1) (a) GDPR or Article 9 (2) (a) GDPR or on a contract under Article 6 (1) (b) GDPR and the processing is carried out by automated means.

7. Right to object

You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you that is based on Article 6 (1) (e) or (f) GDPR; this also applies to profiling based on these provisions. If personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purposes of such marketing; this also applies to profiling, insofar as it is connected with such direct marketing. If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.

8. Right to revoke data-protection consent

You have the right to revoke your data-protection consent at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent up until the revocation.

9. Automated decisions in individual cases, including profiling

You have the right not to be subject to a decision based solely on automated processing — including profiling — which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision (a) is necessary for entering into, or performance of, a contract between you and the controller, (b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or (c) is based on your explicit consent.

10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR. The competent supervisory authority for OFM Studios GmbH is the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (LDI NRW).

Last updated: 01 Jun 2026