Privacy notice

Effective date: February 12, 2026

 

Change history

February 12, 2026 – general review and clarifications

February 18, 2025 – inclusion of Pinball VR Classic

November 15, 2024 – inclusion of Pinball FX VR

November 08, 2024 – inclusion of Zen Pinball World

October 24, 2024 – amendments for Pinball M

May 16, 2024 – inclusion of CastleStorm VR, amendments for Pinball FX

October 26, 2023 – inclusion of Minigolf Galaxy

Sep 05, 2023 – inclusion of Pinball M

May 20, 2022 – general review and clarification

March 30, 2022 – inclusion of Pinball FX and related services

January 20, 2021 – general review and clarification

December 3, 2020 – general review and clarification

February 11, 2020 – added California Consumer Privacy Act disclosures

Sep 19, 2019 – added Dread Nautical application, specifying the scope of the present Privacy Notice

Sep 13, 2019 – added the title Star Wars™ Pinball (Nintendo Switch)

Jan 09, 2019 – added the title Williams™ Pinball, added 3rd party SDK Fabric, updated 3rd party SDK Crashlytics


Hi! At ZEN Studios, we love games — pinball, minigolf, adventure or RPG; all kinds of games. We want you to enjoy them as much as we do, and we want you to feel safe while doing so. That's why it's important for you to know what personal data we use in our operations and why.

To make our games work: We need some basic information to make our games (such as Pinball FX or CastleStorm) work. This includes your user ID so we can save your scores, your ranking, or so you can play with your friends.

To make our games better: We use some data (such as device ID or IP address) to improve our games, find and fix bugs, and prevent cheating. This helps us make the gaming experience better and fairer for everyone.

For ads and newsletters (only if you want): We show ads in some of our games to keep them free. We always ask for your explicit permission to do this and to send you newsletters. You decide whether you want to give your consent, and you can change your mind at any time.   

We take your data seriously and protect it. If you would like to know more, please read our detailed information below.


1. Introduction and Data Controller information

ZEN Studios Software Developer Limited Liability Company (hereinafter referred to as "ZEN Studios," "we," or "Data Controller") is committed to protecting your personal data. The purpose of this Privacy Policy (hereinafter referred to as the "Policy") is to provide clear and transparent information about how we collect, use, and protect your personal data when you use our services, in accordance with the European Union's General Data Protection Regulation (Regulation (EU) 2016/679, hereinafter referred to as the "GDPR") and applicable data protection laws.

Name and contact details of the Data Controller:

Name: ZEN Studios Software Developer Limited Liability Company

Registered office: H-1027 Budapest, Ganz utca 16. 2nd floor

Company registration number: 01-09-691205

Tax number: 12532630-2-41

Email address for data protection issues: support@zenstudios.com

Phone number: +36 1 780 4679

This Notice applies to the following websites and the games and applications available on or through them (collectively, the "Services"): pinballfx.com, blog.zenstudios.com, forum.zenstudios.com, www.bethesdapinball.com, www.castlestorm.com, www.infiniteminigolf.com, www.kickbeat.com, www.marvelpinball.com, www.starwarspinball.com, www.zenpinball.com, www.dreadnautical.com, and all games and applications developed and published by ZEN Studios.

2. Governing law

This Notice is primarily based on the principles of the European Union's General Data Protection Regulation (Regulation (EU) 2016/679). 

For users located in the United Kingdom: In addition to the GDPR, data processing is also subject to the UK GDPR and the Data Protection Act 2018.

For users located in the United States: Certain states, such as California, provide additional rights to their residents. Please read Appendix 2: Additional information for residents of certain states in the United States.

3. Principles of data processing

We apply the following principles in our data processing practices:

Lawfulness, fairness, and transparency: We process your personal data lawfully, fairly, and transparently.   

Purpose limitation: We collect your data only for specified, explicit, and legitimate purposes and do not process it in a manner that is incompatible with those purposes.

Data minimization: We only process personal data that is necessary and relevant to achieve the purposes of data processing.

Accuracy: We ensure that the data we process is accurate and up to date.

Storage limitation: We only store your data for as long as necessary to achieve the purposes.

Integrity and confidentiality: We ensure the security of your personal data through appropriate technical and organizational measures.

Accountability: We take responsibility for compliance with the above principles and are able to demonstrate this compliance.

4. Detailed data processing activities

Below, we detail the purposes for which we process your personal data, the legal basis for doing so, and how long we retain it.

4.1. Ensuring the basic functioning of the Services

These data processing activities are essential for you to be able to use our games and online services as intended (e.g., saving game progress, multiplayer mode functionality, managing leaderboards).

| Personal data processed | Legal basis for data processing | Data retention period |
|---|---|---|
| Platform* user ID (e.g., PSN ID, Xbox Live ID, Google Game Services ID, Game Center ID), generated user ID, username, in-game friends list | GDPR Article 6(1)(b) (performance of a contract) | Until the user account is deleted or until the end of the year following the termination of the service.** |

*We receive platform user IDs and usernames directly from the relevant platform provider (e.g. Sony, Microsoft, Nintendo) when you link your account to our service.

** If the processing of your data is necessary for the fulfillment of a legal obligation to which we are subject or for the enforcement of legal claims, we will inform you separately if this is permitted by the applicable legal regulations.

4.2. Development and analysis of our services and fraud prevention

Processing this data helps us understand our users’ habits, enhance the gaming experience, eliminate technical errors, and prevent behavior that violates our terms of service.

| Personal data processed | Legal basis for data processing | Data retention period |
|---|---|---|
| Device ID, IP address, platform type, game usage metrics (e.g., time spent in the game, achievements) | Article 6(1)(f) of the GDPR (legitimate interest). Our legitimate interest is to continuously improve the security and quality of our services. We have performed and documented the related balancing test. | Three years after the end of product support. |

4.3. Display of advertisements and marketing

We may display advertisements in our Services. We require your prior, explicit consent for personalized advertising and data collection for marketing purposes.

| Personal data processed | Legal basis for data processing | Data retention period |
|---|---|---|
| Device ID, IP address, advertising identifiers (e.g., IDFA, AAID) | Article 6(1)(a) of the GDPR (consent of the data subject). We request consent on a platform designed for this purpose (Consent Management Platform), which is granular, informed, and can be revoked at any time. | Until consent is withdrawn. |

4.4. Newsletter and direct marketing

If you subscribe to our newsletter, we will inform you about our news and promotions by email.

| Personal data processed | Legal basis for data processing | Data retention period |
|---|---|---|
| Name, email address | Article 6(1)(a) of the GDPR (consent of the data subject) | Until consent is withdrawn (unsubscribed). |

4.5. Customer service and contact

If you contact us, we will process the data you provide in order to respond to your request.

| Personal data processed | Legal basis for data processing | Data retention period |
|---|---|---|
| Name, email address, telephone number, subject and content of the inquiry, purchase information | Article 6(1)(b) (performance of a contract) or (f) (legitimate interest) of the GDPR, depending on the nature of the inquiry. | For 5 years after the case is closed. |

5. Data transfer and data processors

We use third-party service providers (data processors) to provide our services. We ensure that our partners also process your data in accordance with the provisions of the GDPR.

5.1. Main partner categories:

Platform providers: (e.g., Sony, Microsoft, Nintendo, Apple, Google) for running games and managing user accounts.

Network and server infrastructure providers: (e.g., Exit Games - Photon, Saber Interactive) to provide multiplayer features.

Analytics providers: (e.g., Google Analytics, Flurry) to improve our services.

Advertising partners and SDKs: (e.g., Google AdMob, UnityAds, Vungle, IronSource) to display advertisements.

Payment providers: (e.g., Xsolla) to process in-game purchases.

Newsletter providers: (e.g., MailChimp) for marketing communications.

5.2. International data transfers

Many of our partners are located outside the European Economic Area (EEA) and the United Kingdom, primarily in the United States. Such data transfers require appropriate safeguards in accordance with Chapter V of the GDPR.

For data transfers to the United States, we primarily use the EU-U.S. Data Privacy Framework (DPF) and its UK extension, the UK-US Data Privacy Framework Data Bridge. If our US partner is certified under these frameworks, the data transfer is based on the adequacy decisions of the European Commission and the UK government, which ensure an adequate level of data protection.

For partners who are not certified under the DPF or are located in a third country without an adequacy decision, we ensure the legal basis for data transfers by applying the Standard Contractual Clauses (SCCs) approved by the European Commission and their UK equivalent, the International Data Transfer Agreement (IDTA) or the UK Addendum.

6. Our relationship with social media platforms: joint data processing

When you visit our websites, you may encounter links and social plugins that connect to various social media platforms. By integrating these tools, we and the operators of the respective platforms act as joint controllers within the meaning of Article 26 of the GDPR with regard to the specific process of collecting and transferring your personal data to them on our website. This joint processing is strictly limited to this initial collection and transfer of data. We have no control over and are not responsible for any subsequent processing of the data by the social media platform. This section explains this relationship and your rights.

Our joint responsibility is limited to collecting and transferring data such as your IP address, browser information, and the URL of the page you visited on our website. We are responsible for providing you with this information and for establishing a legal basis for this data transfer. The social media platform is solely responsible for how it handles your data after receiving it, including profiling, advertising, or linking it to other data about you. To understand their practices and exercise your rights, you should review their privacy policies.

Summary of joint data processing agreements with social media platforms

| Social media partner and link to the privacy policy | Scope of joint data processing activities (Data collected and transferred) | Joint purpose | Legal basis | Division of responsibilities |
|---|---|---|---|---|
| Meta Platforms Ireland Ltd. (Facebook: https://www.facebook.com/privacy/policy; Instagram: https://privacycenter.instagram.com/policy) | Collection and transmission of your IP address, browser information, cookie identifiers, and the URL of the page you visited, triggered by the loading of social plugins (e.g., 'Like' and 'Share' buttons). | Enabling you to share our content on Meta platforms and increasing the visibility of our products, which is in our commercial interest. | Legitimate interest (GDPR Article 6(1)(f)). You have the right to object to this data processing. | ZEN Studios: Responsible for providing this information and ensuring the legal basis for data collection and transfer from our website. Meta: Solely responsible for all further processing of the data after transfer. |
| Google Ireland Ltd. (YouTube: https://policies.google.com/privacy) | Collection and transfer of your IP address, browser information, and viewing activity when you interact with YouTube videos embedded on our websites. | To provide rich media content and game previews directly on our websites. | Legitimate interest (GDPR Article 6(1)(f)). You have the right to object to this data processing. | ZEN Studios: Responsible for providing this information and ensuring the legal basis for data transfer initiated by the video player. Google: Solely responsible for all further data processing, including viewing history for its own analytics and advertising purposes. |
| X Corp. (X/Twitter: https://privacy.x.com/en) | Collection and transfer of your IP address and browser information when our pages containing embedded X content (e.g., news feed or 'Post' button) are loaded. | Displaying real-time social conversations and enabling easy sharing of our content on the X platform. | Legitimate interest (GDPR Article 6(1)(f)). You have the right to object to this data processing. | ZEN Studios: Responsible for providing this information and ensuring the legal basis for data transfer. X Corp.: Solely responsible for all further processing of data. |
| Discord Inc. (https://discord.com/privacy/) | Collection and transfer of your IP address and browser information when you click on the link to join our official Discord server. | To facilitate your access to our official player community for support, discussion, and announcements. | Legitimate interest (GDPR Article 6(1)(f)). You have the right to object to this data processing. | ZEN Studios: Responsible for providing this information and ensuring the legal basis for the data transfer initiated by your click. Discord Inc.: Solely responsible for all further processing of data once you have arrived at their service. |

7. Our presence on social media (official pages and communities)

In addition to the links and plugins on our websites, we also maintain official pages, channels, and community spaces (e.g., fan pages, servers) on various social media platforms to stay in touch with our community.

Joint data processing for page statistics: When you visit these pages, the platform operator (e.g., Meta for Facebook pages) may collect data about your activity for statistical purposes (e.g., "Page Insights"). We and the platform operator are joint controllers with regard to the processing of personal data related to the generation of these anonymized statistical data. 

Our purpose: Analyzing this aggregated data helps us understand how visitors interact with our content, enabling us to optimize our communication.

Legal basis: The legal basis for data processing is our legitimate interest pursuant to Article 6(1)(f) of the GDPR, which is related to maintaining contact with the community and measuring the effectiveness of our marketing activities. 

Sharing of responsibility: Although joint data processing exists, the platform operator is primarily responsible for collecting data, producing statistics, and ensuring your rights as a data subject. Please refer to the privacy policy of the platform in question. Regardless of this, you may also exercise your rights against us.

Management of your interactions: When you comment, send a message, or otherwise interact on our official pages, we process the data you provide (e.g., username, comment content) in order to respond to you and moderate the community. The legal basis for this is also our legitimate interest in community management.

Please note that we have no influence over the broader data processing activities carried out by social media platforms for their own purposes.

8. Use of cookies and similar technologies

Our websites use cookies and similar technologies. Cookies are small text files that your browser stores on your device.

Strictly necessary cookies: These are necessary for the basic functioning of the website (e.g., managing logins). Your consent is not required for their use.

Analytical and performance cookies: These help us understand how visitors use our websites so that we can improve their functionality.

Marketing and advertising cookies: These enable us to display advertisements that are relevant to your interests.

With the exception of strictly necessary cookies, we ask for your prior, explicit consent to use all other cookies. You can do this via a cookie banner (Consent Management Platform) that appears when you first visit the website. The banner provides a clear and equal opportunity to accept or reject all cookies. You also have the option to configure cookies by purpose, partially, or even individually. You can withdraw your consent at any time just as easily via the "Cookie settings" link, which is always available on our websites. 

9. Protection of children's data

We consider the protection of children's personal data to be of paramount importance.

Our services are not intended for children under the age of 14.

In accordance with applicable law, the consent of a person exercising parental authority is required for data processing based on consent by users under the age of 18.

In case of reasonable doubt, we may verify the consent of the parent or legal guardian (e.g., via email approval). If the verification is unsuccessful, the user account will be temporarily or permanently deactivated.

 

10. Your rights (data subject rights)

Under the GDPR, you have the following rights in relation to the processing of your personal data:

Right of access: You have the right to request information about whether we process your personal data and, if so, to access that data.

Right to rectification: You can request that inaccurate personal data be corrected and incomplete data be completed.

Right to erasure ("right to be forgotten"): Under certain conditions, you may request the erasure of your personal data.

Right to restriction of processing: In certain cases, you may request that we restrict the processing of your personal data.

Right to data portability: You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format and to transmit those data to another controller.

Right to object: You may object to the processing of your personal data based on legitimate interests. In the case of direct marketing, the objection is unconditional.

Right to withdraw consent: If the processing is based on consent, you may withdraw your consent at any time. The withdrawal does not affect the lawfulness of the processing prior to the withdrawal.

You can exercise your rights by sending an email to support@zenstudios.com. We will respond to your request without undue delay, but no later than one month after receiving it.

11. Legal remedies

If you believe that the processing of your personal data violates legal requirements, you may lodge a complaint with the supervisory authority.

The Hungarian supervisory authority is:

Name: National Authority for Data Protection and Freedom of Information (NAIH)

Headquarters: 1055 Budapest, Falk Miksa utca 9-11.

Postal address: 1363 Budapest, Pf.: 9.

Email: ugyfelszolgalat@naih.hu

Website: https://naih.hu

In the United Kingdom

Name: Information Commissioner's Office (ICO)

Website: https://ico.org.uk

You also have the right to take legal action in the event of a violation of your rights.

12. Data security

We use appropriate technical and organizational measures (e.g., encryption, access control) to protect your personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.

13. Amendments to the Notice

We reserve the right to unilaterally amend this Notice. We will inform you of any amendments to the Notice via our websites.

             

Appendix 1

Detailed data processing activities by service

The purpose of this appendix is to provide detailed, product-specific information about the data processing that takes place in our individual games and services. This appendix should be read in conjunction with the above Privacy Notice. In the event of any conflict, the general principles and legal bases set out in the above Notice shall prevail.

 

1. Data processed in our games

| Application | Personal data processed | Purpose of data processing | Legal basis for data processing |
|---|---|---|---|
| Planet Minigolf | Playstation Network ID (PSN ID) | User identification | Performance of a contract (in accordance with section 4.1) |
| Infinite MiniGolf, Minigolf Galaxy | Game server ID, User name, Platform user ID, Generated user ID | User identification | Contract fulfillment (according to section 4.1) |
| | Device ID, IPv4/6 address | Service development, bug fixing, fraud prevention | Legitimate interest (as per Section 4.2) |
| Independence Day Resurgence: Battle Heroes | Platform type, Platform user ID, Platform username, In-game friends list | User identification, basic game functionality | Contract fulfillment (as per Section 4.1) |
| CastleStorm (Free to Siege & Nintendo Switch) | Game server ID, Username, Platform user ID, Generated user ID | User identification | Contract fulfillment (as per section 4.1) |
| | Device ID, IPv4/6 address | Service development, bug fixing, fraud prevention | Legitimate interest (as per Section 4.2) |
| Aliens vs. Pinball, Bethesda Pinball, Zen Pinball, CastleStorm – Free to Siege, Williams Pinball, Zen Pinball World | Google Advertising ID (GAID), Apple Identifier for Advertisers (IDFA) | Advertising services, personalized ads | Consent (as described in Sections 4.3 and 6) |
| Pinball FX, Pinball FX VR, Pinball FX3, Pinball FX2 VR, Pinball VR Classic, Pinball M, Star Wars™ Pinball (Nintendo Switch) | Platform user ID, Platform username, Generated user ID | User identification, leaderboards | Contract fulfillment (as per Section 4.1) |
| | Device ID, IPv4/6 address | Service development, bug fixes, fraud prevention | Legitimate interest (as described in Section 4.2) |
| Zen Pinball, Zen Pinball World, Star Wars™ Pinball, Williams™ Pinball, Marvel Pinball, Bethesda Pinball, Aliens vs. Pinball, and other pinball games (iOS, Android) | Google Game Services / Game Center ID and name, Generated user ID | User identification, leaderboards | Contract fulfillment (as described in Section 4.1) |
| | Device ID, IPv4/6 address | Service development, bug fixes, fraud prevention | Legitimate interest (as described in Section 4.2) |
| | Facebook ID and name | Optional social features (e.g., inviting friends) | Consent (active consent prior to use of the feature) |
| | Email address (Williams™ Pinball only) | User identification, account recovery | Contract fulfillment (as per Section 4.1) |
| | Email address (Williams™ Pinball only) | Sending newsletters | Consent (as per Section 4.4) |
| Disco Dodgeball - REMIX | Platform-specific identifiers (Xbox, PSN, Nintendo), IP address | Operation of multiplayer mode | Contract fulfillment (as per Section 4.1 of ) |
| Dread Nautical (iOS, tvOS, MacOS) | No personal data is collected or stored in this application. | - | - |
| CastleStorm VR | Upon the start and during the term of use of this application, Service Provider doesn’t record and/or store any personal data. | | |

2. Third-party technologies (SDKs) in our games

The table below lists examples of third-party technologies used in our games. Data collection by these technologies for non-essential functions (e.g., analytics, advertising) is based solely on your prior, explicit, and granular consent, which you can provide and withdraw through the consent management platform (CMP) provided in our services.

| Partner / Technology | Purpose of data processing | Legal basis for data processing |
|---|---|---|
| Photon Networking | Operation of multiplayer mode, network communication | Performance of a contract (in accordance with Section 4.1) |
| Saber Interactive | Operation of multiplayer mode, network communication | Contract fulfillment (as per Section 4.1) |
| Google Analytics, Google Firebase | Analysis of user habits, service development | Consent (as per Sections 4.3 and 6) |
| Google AdMob, UnityAds, Vungle, IronSource, etc. | Advertising services, personalized ads | Consent (as described in Sections 4.3 and 6) |
| Xsolla | Payment processing, purchase management | Contract fulfillment (as per section 4.1) |
| MailChimp | Sending newsletters | Consent (as per section 4.4) |

Appendix 2

Additional information for residents of certain states in the United States

This appendix supplements the information contained in the Notice and sets out the rights provided under the laws of certain states in the United States, specifically the California Privacy Rights Act (CPRA).

  

1. Your California privacy rights

Right to know/access: You have the right to know what personal information we collect, use, sell, or share about you.

Right to rectification: You have the right to request that we correct any inaccurate personal information about you.

Right to deletion: You have the right to request that we delete your personal information, with certain exceptions.

Right to opt out of sale/sharing: You have the right to prohibit the "sale" or "sharing" of your personal information. Under the CPRA, "sharing" includes transferring data to third parties for cross-contextual behavioral advertising.

Right to restrict use of sensitive personal information: You have the right to restrict the use and disclosure of "Sensitive Personal Information" (SPI).

Right to non-discrimination: You will not be discriminated against for exercising these rights.

 

2. How to exercise your rights 

To exercise your California rights, please email support@zenstudios.com or use the methods described below.

 

To opt out of sharing your personal information:

 

Williams™ Pinball:

1. Open the Settings menu in the application
2. Select Legal Resources
3. Select Privacy Settings
4. Choose Deny All

Zen Pinball World:

1. Open the Settings menu in the application
2. Select Support
3. Select Privacy Settings
4. Choose Deny All

 

Please visit the following URLs to exercise your access and deletion rights with involved third parties:

 

| Applications | URLs |
|---|---|
| Zen Pinball, Zen Pinball World | https://myaccount.google.com/data-and-privacy |
| Aliens vs. Pinball, Zen Pinball World, Williams™ Pinball | https://developers.is.com/ironsource-mobile/air/ironsource-mobile-privacy-policy/ |