ZENIMAX MEDIA ONLINE PRIVACY POLICY

ZENIMAX MEDIA ONLINE PRIVACY POLICY

Last Updated: January 1, 2021

This ZeniMax Media Online Privacy Policy ("Policy") describes how ZeniMax Media Inc. and our affiliates and subsidiaries (collectively, "ZeniMax", "we" or "us") collect, use and otherwise process the personal information we collect about our customers, purchasers, subscribers, and/or users (each a "User") of our mobile applications, games, websites and other online services (collectively, our "Services").

Overview

We think transparency is important. In this overview, we summarize the personal information we collect and how we use it, which is further explained in our Privacy Policy below. Keep in mind that the actual personal information we collect and how we use it varies depending upon the nature of our relationship and interactions with you. Also, in some cases (such as where required by law), we ask for your consent or give you certain choices prior to collecting or using certain personal information.

Categories of Personal Information Collected. Generally, we collect the following types of personal information:

• Identifiers: Includes direct identifiers such as name, username and alias; email, billing address, other contact information; UID, BUID, device id, IP address, third-party platform identifiers and account details (e.g., PlayStation®, Xbox, Steam, Facebook), and other online or unique identifiers.
• Customer records: Includes your account and profile information and customer records that contain personal information, such as username, name, demographics and other characteristics or descriptions, email, address, telephone number, and other contact information, account credentials, communications preferences, billing and payment information, customer service and support tickets and records, and other information individuals provide us in order to register for, access or purchase our Services.
• Commercial information: Includes records of personal property, products or services purchased, obtained, or considered, or other purchasing or use histories or tendencies, such as information about your subscriptions and current and past payments and purchases, and games you play or are interested in.
• Usage data: Includes browsing history, clickstream data, search history, access logs, information regarding your interactions with our websites, mobile apps and other Services and our marketing emails and online ads, and other usage data related to your use of the Services, such as language and preferences, in-game purchases, game-play statistics, scores, persona, characters, achievements, rankings, time spent playing, click paths, game profile, preferences and friends, as well as your comments, posts and interactions in forums and communities.
• Geolocation data: Includes precise location information about a particular individual or device, such as device location information for mobile games users.
• Audio, video and other electronic data: Includes audio, electronic, visual, thermal, or similar information, such as photographs and images (e.g., that you provide us or post to your profile), call recordings (e.g., of customer support calls), and User photos submitted (such as profile images).
• Inferences: Includes inferences drawn from other personal information that we collect to create a profile based on your account and activities, that reflect your preferences, characteristics, behavior, attitude and abilities related to the Services.

Uses of Personal Information. In general, we may use and disclose personal information for the following purposes:

• Providing our Services and related support
• Protecting the integrity of the Services
• Analyzing and improving the Services and our business
• Personalizing the Services
• Advertising, marketing and promotional purposes
• Securing and protecting our business
• Defending our legal rights
• Auditing, reporting, corporate governance, and internal operations
• Complying with legal obligations

ESRB Privacy Certification. ZeniMax values the importance of your privacy and has received the ESRB Privacy Certification. ZeniMax is a valid licensee, and participating member of the Entertainment Software Rating Board's Privacy Certified Program ("ESRB Privacy Certified"). All Services where this Policy is posted and which display an ESRB certification seal have been reviewed and certified by ESRB Privacy Certified to meet established online information collection, use and disclosure practices. As a licensee of this privacy program, we are subject to audits of our Services and other enforcement and accountability mechanisms administered independently by the ESRB.

If you are a California resident, please be sure to review Section 15.a. California Residents below for important information about our privacy practices and your rights under California privacy laws, including your right to submit a "Do Not Sell My Info" request.

You can review more detailed information about our privacy practices and your rights and choices below in our Privacy Policy, which is organized into the following sections:

1. Scope of Our Policy
2. Personal Information We Collect
3. Purposes of Use and Legal Bases for Processing of Personal Information
4. Disclosure and Sharing of Personal Information
5. Cookies, Analytics and Personalization
6. Interest-based Advertising
7. Third-Party Links and Features
8. User Generated Content
9. Security of Your Information
10. Data Retention
11. International Transfers of Data
12. User Rights and Choices
13. Contact Details
14. Changes to this Policy
15. Additional Information for Users in Certain Jurisdictions

1. Scope of Our Policy

This Policy applies to the personal information that ZeniMax collects and processes about Users related to our Services, including games published by Bethesda Softworks and ZeniMax Online Studios, and games developed by other ZeniMax studios; more information about our studios is available at www.zenimax.com/studios. This Policy does not apply to any third-party websites, services, products or mobile applications maintained by other companies, which are linked to from our Services.

By registering for an account with us, providing your information to us through the Services, or otherwise using any of our Services, you understand and acknowledge that ZeniMax may process your personal information in accordance with this Policy. If you do not want this Policy to apply to you, please do not use the Services or communicate with us via the Services. If required by applicable law, we will obtain your consent to our collection, use, transfer and disclosure of your personal information.

Personal Information. In this Policy, our use of the term "personal information" includes other similar terms under applicable privacy laws—such as "personal data" and "personally identifiable information." In general, personal information includes any information that identifies, relates to, describes, or is reasonably capable of being associated, or reasonably linked or linkable with a particular individual.

Not Covered by this Policy. This Policy does not apply to job applicants and candidates who apply for employment with us, or to employees and non-employee workers in the context of our working relationship with them.

2. Personal Information We Collect

ZeniMax collects personal information directly from Users, automatically related to the use of the Services, and in some cases, from third parties (such as social networks, platform providers, payment processors, and operators of certain third-party services that we use). The information we collect about Users varies depending upon the circumstances, such as the games or Services used.

Information We Collect from You. Generally, we collect your personal information on a voluntary basis. However, if you decline to provide certain personal information that is marked mandatory, you may not be able to access certain Services or we may be unable to fully respond to your inquiry. In general, we may collect the following personal information:

• Registration and profile information: To access and use certain Services (e.g., to register a game, download or use a mobile application, access subscription-based Services, create an account) you may be required to register with us, by providing us with certain required information, which is identified on the registration page. Depending upon the Services you use, this may include your name, a username and password, as well as country of residence, email, and contact information; certain Services will not be available if you decline to provide required information. We may also ask you or allow you to submit certain optional information, which may include your phone number, birthdate, location, preferences, a photo or avatar, and other profile information.
• Purchases and payments information: If you make a purchase or sign up for certain subscription-based Services, you are required to provide your payment information, including name, billing and shipping address and details, payment type, as well as credit card number or other payment account details (e.g., PayPal). We work with third parties like payment processors and fulfillment partners to process these payments. We do not collect, receive, process or store credit card or debit card numbers, or other third-party payment account credentials (e.g., PayPal); this information is collected directly by these third parties. Depending upon the Service, we may receive your username, name, email, the payment type, product(s) or service(s), and other transaction details, and maintain records of your purchase and subscription history.
• Marketing, contests and promotions: Users can sign up online or in-person (e.g., at tradeshows, conferences and the like) to receive direct marketing communications from us, including emails about game launches, developments, and upcoming releases. If you agree to receive direct marketing communications from us, we collect your email address, and we may also collect your name, preferences, and if relevant, information about your account and the Services and other games you use. We may also collect your name, age, email address, and other information related to contests, sweepstakes or other events or activities on our websites and social media channels.
• Your communications: When you email us, call us, or otherwise send us communications regarding the Services, we collect and maintain a record of your contact details, communications and our responses. We may also maintain records of the in-game communications and information that you post in chat sessions, forums, and in other areas of the Services.

Information We Collect and Receive from Third Parties. We may collect and receive personal information about you from third parties, as explained below.

• Third-party and mobile platforms: You may be able to login through or connect certain third-party accounts (each a "Third-Party Account")—such as Steam, Twitch, Xbox Live, PSN and Facebook—to your account with us, or to interact with us and others on game forums and communities on third-party platforms. These Third-Party Accounts and platforms are operated and managed by third parties (each a "Third-Party Platform"), and subject to their respective terms and conditions. When you link a Third-Party Account to use our Services, you may be able to connect and interact with and share game information with your friends and network from that Third-Party Account, and, in some cases, you may be able to make purchases through or earn rewards (subject to applicable program terms) from that Third-Party Account. When you access, play or use our Services through a Third-Party Platform or website, we may collect or receive your console identifier(s) (e.g., XUID and PUID), as well as IP address, MAC address, and other device identifiers, registered email address, and other information you authorize them to provide us. In addition, we may allow you to login to certain Services through Third-Party Accounts, such as Google/Stadia (https://stadia.google.com/privacy), Steam (https://store.steampowered.com/privacy_agreement/) and Facebook (facebook.com/about/privacy/). If you choose to login this way, you are asked to share certain information with us (which may include name, email, friends and public profile information); the specific information and whether it is required or optional is stated on the permissions page when you first log in with or connect the Third-Party Account. If you play or purchase our Service on your mobile device, we receive information about you from the app stores and other mobile platform providers, including your username and/or device ID.
• Third-party tools: We also may use third-party tools to help us manage and analyze our social media presence, and report on comments, mentions and other content that is posted about us on Third-Party Platforms and other social media sites, other public channels and forums. The information collection and sharing practices of these third parties are subject to their respective terms and conditions and privacy policies.
• Vendors and providers: We may engage vendors and work with other partners to provide services to us or to Users on our behalf (such as payment processors, digital storefronts, cloud hosting and services providers). In addition, we may receive personal information from ad networks, analytics providers and others who we work with to deliver, improve and measure our online advertising and marketing campaigns.

Information We Collect About Your Usage and Activities. We collect personal information about how you use the Services and interact with us and others, such as information we collect automatically (e.g., using cookies and pixel tags), as well as information we derive about you and your use of the Services. Such information includes:

• User IDs: We assign account holders a unique user identifier, which we use to identify and link relevant information to your activities within the Services (e.g., in-game information such as statistics, scores, achievements and subscription levels). Some of our games also may allow Users to play without creating an account and/or registering with us. In such cases, we may assign you a guest user ID so that we can keep track of your game play, scores, stats, purchasing data and usage data for your current and future sessions. If you later decide to register or create an account with us, we may associate your guest ID and the data from your guest session(s) with your account.
• Activities, stats, friends and preferences: We collect usage and preference details related to your use of the Services, such as language, in-game purchases, game-play statistics, scores, persona, characters, achievements, rankings, time spent playing, click paths, game profile, preferences, friends (including friend relationships through, for example, the creation of clans) and other data that you provide to us as part of your account.
• Other information: We also may automatically or indirectly collect information about you, your computer or mobile device (such as when you use our Services, read our emails, through social media channels). We (and our third-party providers) may record log files and use cookies, pixel tags, local shared objects, java script, and other mechanisms to collect this information about you. For more information, see Section 5. Cookies, Analytics and Personalization below. In addition, we may collect location information from your device if you grant us permission to do so, or derive your location based upon your IP address.

Children. ZeniMax does not knowingly request or collect personal information from children younger than 13 years of age. If you believe that we have collected personal information from a child under 13, please contact us as set forth in Section 13. Contact Details, below, and we will take action as necessary to securely delete such information.

3. Purposes of Use and Legal Bases of Processing for Personal Information

While the purposes for which we may process personal information will vary depending upon the circumstances, in general, we use personal information for the business and commercial purposes set forth in this section. In this section, we also explain the legal bases for which we process personal information about Users, as required by the EU General Data Protection Regulation (the "GDPR") (and other relevant laws such as the UK Data Protection Act 2018 and the Brazilian General Data Protection Law (the "LGPD")).

Legal Bases for Processing. Pursuant to the GDPR (and other relevant laws), in general, we process your personal information for the following legal bases:

• Performance of our contract with you: The personal information we collect may be used to perform our agreements with you, including our Terms of Use, Code of Conduct and other terms and conditions applicable to the Services you use.
• To comply with a legal obligation to which ZeniMax is subject: The personal information we collect may be processed in order to comply with the law and our legal obligations.
• For our legitimate business interests: We may process personal information in furtherance of our legitimate business interests in protecting, maintaining and improving the Services; developing new games, features and services; marketing and promoting our Services (including by profiling and marketing to Users); protecting our legal rights and interests; in support of mergers, acquisitions, reorganizations and other business transactions; and to generally operate and improve our business.
• With your consent: We may process personal information about you based on your consent, for example (where required by law) to send you marketing communications, surveys, news, updates and other communications. In addition, where required by applicable law, ZeniMax will obtain your consent to this Policy and our collection, use and disclosure of your personal information. Users may be able to withdraw their consent at any time in accordance with applicable laws; please see Section 12. User Rights and Choices below for information on how to withdraw your consent.

Purposes of Use and Processing. While the purposes for which we may process personal information will vary depending upon the circumstances, in general, we use personal information for the business and commercial purposes set forth below. Where GDPR or other similar laws apply, we have set forth the legal bases for such processing (see above for further explanation of our legal bases) in parenthesis below.

• Providing our Services and related support: Including to operate the Services; to administer contests, programs and promotions; to communicate with Users about their access to and use of our Services; to respond to User inquiries; to fulfil User orders and requests; to process payments; to provide troubleshooting and other technical support; and for other customer service and support purposes. (Legal basis: performance of our contract with you; and for our legitimate business interests)
• Protecting the integrity of the Services: Including to verify your identity; to detect and prevent fraud, cheating and unauthorized activities; to facilitate software updates; to secure of our systems and the Services; to prevent hacking, cheats and spamming; to enforce our Terms of Use, Code of Conduct, and other applicable terms; and to protect the rights and safety of Users. (Legal basis: performance of our contract with you; compliance with laws; and for our legitimate business interests)
• Analyzing and improving the Services and our business: Including to better understand how Users access and use our Services; to evaluate and improve the Services and our business operations; to develop new games, features, offerings and services; to conduct surveys and other evaluations; and for other research and analytical purposes. (Legal basis: our legitimate business interests)
• Personalizing the Services: Including to tailor content we send or display on our websites and other Services (e.g., for your geographic area); to offer personalized help and instructions; to tailor your gameplay experiences; and otherwise personalize your experiences with the Services. (Legal basis: our legitimate business interests)
• Advertising, marketing and promotional purposes: Including to send or display targeted marketing; to reach you with more relevant ads and to evaluate, measure and improve the effectiveness of our ad campaigns; to send you newsletters, offers or other information we think may interest you; to contact you about our Services or information we think may interest you; and to administer promotions and contests. Where required by applicable law, we will obtain your consent to use your personal information for marketing and related purposes. (Legal basis: our legitimate business interests and/or with your consent)
• Securing and protecting our business: Including to protect and secure our business operations, assets, Services, network and information and technology resources; to investigate, prevent, detect and take action regarding fraud, cheating, unauthorized access, situations involving potential threats to the rights or safety of any person or third party, or other unauthorized activities or misconduct (Legal basis: our legitimate business interests and/or compliance with laws)
• Defending our legal rights: Including to manage and respond to actual and potential legal disputes and claims, and to otherwise establish, defend or protect our rights or interests, including in the context of anticipated or actual litigation with Users or third parties. (Legal basis: our legitimate business interests and/or compliance with laws; in Brazil, this also includes the exercise of rights in judicial, administrative or arbitration proceedings in accordance with applicable laws)
• Auditing, reporting, corporate governance, and internal operations: Including relating to financial, tax and accounting audits; audits and assessments of our operations, privacy, security and financial controls, risk, and compliance with legal obligations; our general business, accounting, record keeping and legal functions; to maintain appropriate business records; to enforce company policies and procedures; and related to any actual or contemplated merger, acquisition, asset sale or transfer, financing, bankruptcy or restructuring of all or part of our business. (Legal basis: our legitimate business interests and/or compliance with laws)
• Complying with legal obligations: To comply with applicable legal or regulatory obligations, including as part of a judicial proceeding; to respond to a subpoena, warrant, court order, or other legal process; or as part of an investigation or request, whether formal or informal, from law enforcement or a governmental authority. (Legal basis: our legitimate business interests and/or compliance with laws)

4. Disclosure and Sharing of Personal information

ZeniMax may disclose your personal information as follows, and we will obtain your consent to do so where required by applicable law:

Vendors and Providers. We may engage vendors, agents, service providers, and affiliated entities to provide services to us or to Users on our behalf, such as support for the internal operations of our websites, online stores (including payment processors), products (such as our games) and services (e.g., forum operations, and technical support processing), as well as related offline product support services, data storage and other services. In providing their services, they may access, receive, maintain or otherwise process personal information on our behalf. Our contracts with these service providers do not permit use of your personal information for their own marketing and other purposes.

ZeniMax Group Companies. Your personal information may be processed by members of ZeniMax Group companies (see www.zenimax.com/legal_information) for purposes of assisting us to market our Services and games, analytics, research and demographic studies, development, and to help us improve and tailor the Services we provide. If you have consented, we may also share your personal information so that they may contact you about other products and services offered by ZeniMax affiliates as set forth in Section 12. User Rights and Choices below. Our subsidiary or affiliate companies are subject to this Policy when they use your personal information.

Advertising and Analytics Partners. We engage third parties that provide advertising, campaign measurement, online and mobile analytics, and related services to us (with your consent, where required by applicable laws). They may use this information to help us better reach individuals with relevant ads and to measure and improve our ad campaigns, or to better understand how individuals interact with our Services. In addition, these third parties may combine the information collected from us and our Services with information collected about you from third-party sites, apps and services, in order to make inferences about you and your interests, to better tailor advertising and content to you across multiple sites, apps, and services, and to collect associated metrics.

Legally Required. We may also disclose your personal information if we believe we are required to do so by law, or that doing so is reasonably necessary to comply with legal processes; when we believe necessary or appropriate to disclose personal information to law enforcement or other governmental or regulatory authorities or the courts (in any relevant jurisdiction worldwide), such as to investigate actual or suspected fraud or violations of law, breaches of security, or breaches of this Policy; to regularly exercise our rights in judicial, administrative or arbitration proceedings (as applicable in Brazil); to respond to any claims against us; and, to protect the rights, property, or personal safety of ZeniMax, our customers, or the public.

Corporate Transactions. In addition, your personal information may be disclosed as part of any proposed or actual merger, sale, and transfer of ZeniMax assets, acquisition, bankruptcy, or similar event.

With Consent. We may also disclose your personal information to any other affiliated or third parties where you have consented or requested that we do so.

Notwithstanding anything else in this Policy, we may share aggregate or de-identified information with third parties for research, marketing, analytics and other purposes, provided such information does not identify a particular individual and the individual cannot be re-identified.

5. Cookies, Analytics and Personalization

We and our third-party providers use cookies, clear GIFs/pixel tags, JavaScript, local storage, log files, and other mechanisms to automatically collect and record information about your browsing activities, gaming performance and use of the Services. We may combine this "activity information" with other personal information we collect about you. Generally, we use this activity information to understand how our Services are used, track bugs and errors, provide and improve our Services, establish matchmaking, verify account credentials, allow logins, track sessions, prevent fraud, and protect our Services, as well as for targeted marketing and advertising, to personalize content and for analytics purposes (see Section 12. User Rights and Choices below for information about opting-in or out of certain uses of your personal information).

Below is a summary of these activities. For more detailed information about these mechanisms and how we collect activity information, see our Cookie Policy, which applies to our sites that display or link to this Cookie Policy, available at https://zenimax.com/legal/cookie-policy.

Log Files. We collect certain activity information from log files. Log file information is automatically reported by your browser or mobile application to our servers when you access our Services. We record certain information from these log files, including web requests, IP address, browser type and version, language information, referring and exiting URLs, links clicked, pages viewed and other similar information.

Cookies. Are small files with a unique identifier that are transferred to your browser through our websites. They allow us to remember Users who are logged in, to understand how Users navigate through and use our Services, and to display personalized content and targeted ads (including on third-party sites and applications).

Clear GIFs, pixel tags and web beacons. These are tiny graphics with a unique identifier, similar in function to cookies that we use to track the online movements of Users of our Services and to personalize content. We also use these in our emails to let us know when they have been opened or forwarded, so we can gauge the effectiveness of our communications.

Anti-Cheat and Fraud Prevention. Providing a fair gameplay environment is important to us. We prohibit cheating, hacking, account stealing, and any other unauthorized or fraudulent activity when using our Services. In order to detect and prevent fraud and cheating, we may use anti-cheat and fraud prevention tools, applications, and other technologies. When you use our Services, such technologies may create a machine "fingerprint" or "hash" of your machine components, and collect information about you, including information about your browser, device, activities, game identifiers, and operating system. We may also monitor publicly-available information, third-party sites and/or use anti-cheat technology within our Services.

Analytics Tools. We may use internal and third-party analytics tools (see our Cookie Policy at https://zenimax.com/legal/cookie-policy for a list of third parties) to collect and aggregate activity data and other data across multiple channels.

Do-Not-Track signals. Please note that our websites do not recognize or respond to any signal which your browser might transmit through the so-called 'Do Not Track' feature your browser might have. If you wish to disable cookies on our Services, you should not rely on any 'Do Not Track' feature your browser might have.

Preferences. You can review or change your preferences for most cookies and tags on our websites (other than those that are necessary to the proper functioning of our websites) by adjusting your cookie settings:

Cookie Settings

6. Interest-based Advertising

We work with third-party ad networks, channel partners, mobile ad networks, analytics and measurement services and others ("third-party ad companies") to personalize content and display advertising within our Services (including our websites and our mobile and other games and apps), as well as to manage our advertising on third-party sites, mobile apps and online services. We and these third-party ad companies may use cookies, pixels tags, and other tools (which we may refer to collectively as "targeting cookies") to collect activity information within our Services (as well as on third-party sites and services), as well as IP address, location information, device ID, cookie and advertising IDs, and other identifiers; we and these third-party ad companies use this information to provide you more relevant ads and content within our Services and on third-party sites and apps, and to evaluate the success of such ads and content. See our Cookie Policy (https://zenimax.com/legal/cookie-policy) for more details about the third-party ad companies we work with and first and third-party tags used on the Services and on third-party sites and apps.

Preferences. We make available multiple ways for you to manage your preferences regarding targeting cookies, advertising and personalization.

• Our websites and online games: You can review or change your preferences for targeting cookies and tags on our websites by adjusting your cookie settings:
  Cookie Settings

• Mobile: Some of our mobile games and apps may include third-party advertising and analytics. You can opt out of targeted advertising from third parties in our mobile games by adjusting your device privacy settings. This means that you will no longer get targeted ads; however, you may still receive contextual or general ads.

  • For iOS devices, you can turn on the "Limit Ad Tracking" setting (go to Settings>Privacy>Advertising and select/toggle on Limit Ad Tracking).

  • For Android devices, turn on "Opt out of Ads Personalization" setting (go to Settings > Privacy > Advanced > Ads and select/toggle on Opt out of Ads Personalization)

  In addition, certain of our mobile games include analytics and related personalization that you can opt out of through an in-app settings for that game (you can access this setting from the main menu of such mobile games).

• Industry ad choice programs: You can also control how participating third-party ad companies use the information that they collect about your visits to our websites and use of our mobile applications, and those of third parties, in order to display more relevant targeted advertising to you; for more information and to opt out of receiving targeted ads from participating third-party ad networks go to:

  • U.S. Users: aboutads.info/choices (Digital Advertising Alliance) (You can also download the DAA AppChoices tool in order to help control interest-based advertising on apps on your mobile device)
  • EU Users: youronlinechoices.eu (European Interactive Digital Advertising Alliance)
  • Canada Users: youradchoices.ca/choices/ (Digital Advertising Alliance of Canada)

Opting out of participating ad networks does not opt you out of being served advertising. You may continue to receive generic or "contextual" ads on our Services. You may also continue to receive targeted ads on other websites, from companies that do not participate in the above programs.

Custom Lists and Matching. Unless you have opted out, we may share certain hashed customer list information (such as your name, email address and other contact information) with third parties—such as Facebook and Google—so that we can better target ads and content to our Users, and others with similar interests, within their services. These third parties use the personal information we provide to help us target ads and to enforce their terms, but we do not permit them to use or share the data we submit with other third-party advertisers. You may opt out of this as set forth below, in Section 12. User Rights and Choices.

7. Third-Party Links and Features

Our Services may contain links to third-party sites that are not owned or controlled by ZeniMax. We are not responsible for the collection and use of your information by these third-party sites. We recommend that you read the privacy notice of the website to which you link before you submit any personal information.

In addition, our Services may include or incorporate social media and other third-party features (e.g., widgets, buttons, and plugins), which are operated by third-party platforms and networks, such Facebook, Steam, Twitch, Twitter, Instagram, YouTube, and others. These features are hosted by the respective third-party operator even though they appear on our Services. Subject to your cookie preferences, the third party may collect your IP address, URL, date and time stamp, browser details and the like, subject to their own privacy policies.

8. User Generated Content

You may choose to disclose information (including personal information) about yourself in the course of contributing user generated content to ZeniMax Services such as forums. Information that you disclose in any of these forums is unencrypted public information, and may be accessed by members of the public, who are not subject to this Policy. In addition, when you enter certain public areas of our Services, your username and other public profile information may be viewable by others. You should have no expectation of privacy as to any information you post or display in our forums or games, or in your profile, or that you otherwise make available on our or through our Services.

9. Security of Your Information

The security of your personal information is important to us. ZeniMax takes steps to protect against possible breaches of our Services and the personal information we maintain. However, no website or Internet transmission is completely secure. Thus, ZeniMax cannot and does not guarantee that unauthorized access, hacking, data loss, or other breaches will never occur. We urge you to take steps to keep your personal information safe, such as choosing a strong password and keeping it private, enabling multifactor authentication (where available), as well as logging out of your User account, and closing your web browser when finished using the Services.

10. Data Retention

We will retain your personal information as long as necessary for purposes for which the personal information was collected and is used by us, as stated in this Policy. If you wish to cancel your account or request that we no longer use your personal information to provide the Services to you, please contact us as set forth below, in Section 13. Contact Details. However, if you withdraw consent or otherwise object to our collection, use and disclosure of your personal information, you may not be able to use the Services. Further, to the extent permitted by applicable law, we will retain and use your personal information as necessary to comply with our legal obligations, resolve disputes, maintain appropriate business records, and enforce our agreements.

11. International Transfers of Data

ZeniMax is headquartered in the United States, and has operations, entities and service providers in the United States and throughout the world. As such, we and our service providers may transfer your personal information to, or access it in, jurisdictions (including the United States and other jurisdictions where we, our affiliates and service providers have operations) that do not provide equivalent levels of data protection as your home jurisdiction. We will take steps to ensure that your personal information receives an adequate level of protection in the jurisdictions in which we process it, including through appropriate written data processing terms and/or data transfer agreements.

Users in the European Economic Area (EEA) and United Kingdom. Your personal information may be transferred to and processed in the United States and other jurisdictions that do not provide equivalent levels of data protection according to the European Commission. In such cases, ZeniMax will take steps to ensure that appropriate safeguards are in place to protect your personal information, including by putting in place standard contractual clauses as approved by the European Commission (the form for the standard contractual clauses can be found at http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm).

Users in Brazil. If your personal information is subject to Brazilian laws, ZeniMax will ensure that appropriate safeguards are in place to protect your personal information, as required by the LGPD (once effective).

12. User Rights and Choices

ZeniMax gives Users several easy-to-use ways to access, amend and exercise their choices and rights regarding their personal information.

Marketing Preferences. You may change your email preferences and opt out of marketing communications through the Marketing Preferences tab in your account profile.

• Marketing emails: You can opt out or change your preferences for marketing emails in the Marketing Preferences tab of your account profile. You may also opt out by using the unsubscribe option in each marketing email we send to you. If you opt out of direct marketing communications, we may to the extent permitted by applicable law still send you non-promotional communications, such as those about your account or our ongoing business relations. For example, if our service is temporarily suspended for maintenance, or your payment could not be processed, we might send you an email.
• Custom lists and matching: You can opt out of being included in custom lists and matching campaigns by us, by updating your Marketing Preferences in your account profile.

Cookies and Advertising. As noted above in Section 5. Cookies, Analytics and Personalization and Section 6. Interest-based Advertising, you can manage your preferences for cookies (including advertising cookies) on our websites and in our online games by adjusting your cookie preferences:

Cookie Settings

For our mobile games and apps that include third-party advertising and analytics, you can opt out of targeted advertising in our mobile games by adjusting your iOS or Android device privacy settings, as explained above, in Section 6. Interest-based Advertising. In certain of our mobile games, you may also be able to opt out through the in-app settings (accessible from the main menu) for that game.

Push Notifications. In some of our mobile Services, we may send push notifications from time-to-time in order to update you about the game, events or promotions that we may be running. If you no longer wish to receive these types of communications, you may turn them off at the device level.

Remove Content. If you wish to request removal of any User content you have posted, please contact us as set forth below, in Section 13. Contact Details.

Access, Amendment and Deletion. Registered Users may review and update their profile information and communications preferences directly within their account. If you would like us to delete your personal information, you may contact us to delete your account. Please contact ZeniMax Privacy as set forth below, in Section 13. Contact Details, to exercise your rights or make a request regarding your personal information.

Submitting a Privacy Request. Privacy requests should be directed to the ZeniMax Media Inc.'s privacy team as set forth below in Section 13. Contact Details. Please keep in mind that certain Services will not be available if you withdraw your consent, or otherwise delete or object to our processing of certain personal information. We will respond to your request in accordance with applicable law, and we will inform you if we do not intend to comply with your request.

Additional Information for Users in Certain Jurisdictions. In Section 15. Additional Information for Users in Certain Jurisdictions, we provide additional information as required under California privacy laws, as well as the GDPR, UK Data Protection Act 2018 and the LGPD. Users in California, the EEA, the UK and Brazil should review this section for more information regarding their rights under these respective laws.

13. Contact Details

If you have any questions, complaints or comments regarding our Policy or practices, please submit a request at:

https://help.bethesda.net/app/incident10/?prod=711&cat=1220 (Bethesda Users), or
https://help.elderscrollsonline.com/app/incident/?category=1220 (The Elder Scrolls Online Users).

You may also contact us via email at [email protected], or by postal mail at:

ZeniMax Media Inc.
Attn: ZeniMax Customer Service/Privacy
1370 Piccard Drive
Rockville, Maryland 20850 USA

Controller and Representative. The controller for your personal information is ZeniMax Media Inc.,1370 Piccard Drive, Rockville, MD 20850 USA. In addition, for purchases made by Users in the EEA and the UK, ZeniMax Europe Ltd, Reg. No. 06333300, Haymarket House, 28-29 Haymarket, London SW1Y 4SP, is also a controller for your transaction data. This Policy applies to both ZeniMax Media Inc. and ZeniMax Europe Ltd., and data subjects may exercise their rights with respect to their EEA and UK transaction data with both entities by contacting ZeniMax Media Inc. online, by email or by postal mail, as set forth above.

EU Representative: ZeniMax Media Inc. and ZeniMax Europe Ltd have appointed ZeniMax Benelux BV, Grote Berg 18E, 5611 KK Eindhoven, the Netherlands, as representative office for purposes of the GDPR.

UK Representative: ZeniMax Media Inc. has appointed its subsidiary ZeniMax Europe Ltd, Haymarket House, 28-29 Haymarket, London SW1Y 4SP, United Kingdom, as its representative office for purposes of UK data protection laws.

ESRB Privacy Certified. As previously mentioned, we are a member of ESRB's Privacy Certified Program. If you believe that we have not responded to your inquiry or your inquiry has not been satisfactorily addressed, please contact ESRB Privacy Certified at [email protected]. or https://www.esrb.org/privacy/contact/.

14 .Changes to this Policy

This Policy is current as of the Last Updated set forth above. We may change this Policy from time to time, so please be sure to check back periodically. We will post any changes to this Policy on our Services. If we make any changes to this Policy that materially affect our practices with regard to the personal information we have previously collected from you, we will endeavor to provide you with notice in advance of such change, such as by highlighting the change on website or sending you an email, and giving you additional choices regarding such change prior to the material change becoming effective.

15. Additional Information for Users in Certain Jurisdictions

a. California Residents
Below, we provide information, as required under California privacy laws, including the California Consumer Privacy Act ("CCPA"), which requires that we provide California residents certain specific information about how we handle their personal information, whether collected online or offline. This section does not address or apply to our handling of publicly available information made lawfully available by state or federal governments or other personal information that is subject to an exemption under the CCPA.

Categories of Personal Information We Collect and Disclose. Our collection, use and disclosure of personal information about a California resident will vary depending upon the circumstances and nature of our interactions or relationship with such resident. The table below sets out generally the categories of personal information (as defined by the CCPA) about California residents that we collect, sell, and disclose to others for a business purpose. We collect these categories of personal information from the following sources, for the purposes described above, in Section 3. Purposes of Use Purposes of Use and Legal Bases for Processing of Personal Information, and share it as described above, in Section 4. Disclosure and Sharing of Personal Information:

• Our affiliates and subsidiaries
• Third-party platforms
• Third-party sites and services
• Ad networks
• Analytics providers
• Social networks
• Internet service providers
• Operating systems and platforms
• Our vendors and service providers

Personal Information Collected		May We Disclose this Information?	Categories of Third Parties to Whom We May Disclose this Information
Categories	Description
Identifiers	Includes direct identifiers such as name, username and alias; email, billing address, other contact information; UID, BUID, device id, IP address, third party platform identifiers and account details (e.g., PlayStation®, Xbox, Steam, Facebook), and other online or unique identifiers.	YES	vendors and service providers advisors and agents government entities and law enforcement affiliates and subsidiaries advertising networks data analytics providers social networks internet service providers operating systems and platforms
Customer Records	Includes your account and profile information and customer records that contain personal information, such as username, name, demographics and other characteristics or descriptions, email, address, telephone number, and other contact information, account credentials, communications preferences, billing and payment information, customer service and support tickets and records), and other information individuals provide us in order to register for, access or purchase our Services	YES	vendors and service providers advisors and agents government entities and law enforcement affiliates and subsidiaries internet service providers operating systems and platforms
Commercial Information	Includes records of personal property, products or services purchased, obtained, or considered, or other purchasing or use histories or tendencies, such as information about your subscriptions and current and past payments and purchases, games you play or are interested in, and your purchase tendencies.	YES	vendors and service providers advisors and agents government entities and law enforcement affiliates and subsidiaries advertising networks data analytics providers social networks internet service providers operating systems and platforms
Usage Data	Includes browsing history, clickstream data, search history, access logs, information regarding your interactions with our websites, mobile apps and other Services and our marketing emails and online ads, and other and other usage data related to your use of the Services, such as language and preferences, in-game purchases, game-play statistics, scores, persona, characters, achievements, rankings, time spent playing, click paths, game profile, preferences and friends, as well as your comments, posts and interactions in forums and communities.	YES	vendors and service providers advisors and agents government entities and law enforcement affiliates and subsidiaries advertising networks data analytics providers social networks internet service providers operating systems and platforms
Geolocation Data	Includes precise location information about a particular individual or device, such as device location information for mobile games users.	YES	vendors and service providers advisors and agents government entities and law enforcement affiliates and subsidiaries advertising networks data analytics providers
Audio,Video and Electronic Data	Includes audio, electronic, visual, thermal, or similar information, photographs and images (e.g., that you provide us or post to your profile), call recordings (e.g., of customer support calls), and User photos submitted (such as profile images)	YES	vendors and service providers advisors and agents government entities and law enforcement affiliates and subsidiaries advertising networks data analytics providers social networks internet service providers operating systems and platforms business customer/client
Inferences	Includes inferences drawn from other personal information that we collect to create a profile based on your account and activities, that reflect your preferences, characteristics, behavior, attitude and abilities related to the Services.	YES	vendors and service providers advisors and agents government entities and law enforcement affiliates and subsidiaries advertising networks

Do We "Sell" Personal Information? The CCPA defines a "sale" as disclosing or making available to a third party personal information in exchange for monetary or other valuable consideration. While we do not disclose personal information to third parties in exchange for monetary compensation from such third parties, we do disclose or make available certain categories of personal information to third parties in order to receive certain services or benefits from them, such as when we make browsing history available to third-party ad companies (through third-party tags on our Sites and Apps) in order to improve and measure our ad campaigns and reach Users with more relevant ads and content. As defined by the CCPA, we may "sell" Identifiers and Usage Data to third-party advertising networks, analytics providers, and social networks.

California Residents' Rights. California law grants California residents certain rights and imposes restrictions on particular business practices as set forth below.

Do-Not-Sell. California residents have the right to opt-out of our sale of their personal information. We do not sell personal information about residents who we know are younger than 16 years old. As noted above, you may opt out of "sales" (via third-party cookies) on our websites and online games here:

Cookie Settings

You can opt-out in our mobile games by adjusting your iOS or Android device privacy settings, as explained above, in Section 6. Interest-based Advertising. In certain of our mobile games you may also opt-out through the in-app settings (accessible from the main menu) for that game.

Requests to Delete. Subject to certain exceptions, California residents have the right to, at no charge, request deletion of their personal information that we have collected about them and to have such personal information deleted, except where an exemption applies.

Request to Know. California residents have the right to request and, subject to certain exemptions, receive a copy of the specific pieces of personal information that we have collected about them in the prior 12 months and to have this delivered, free of charge, either (a) by mail or (b) electronically in a portable and, to the extent technically feasible, readily useable format that allows the individual to transmit this information to another entity without hindrance. California residents also have the right to request that we provide them certain information about how we have handled their personal information in the prior 12 months, including the:

• categories of personal information collected;
• categories of sources of personal information;
• business and/or commercial purposes for collecting and selling their personal information;
• categories of third parties/with whom we have disclosed or shared their personal information;
• categories of personal information that we have disclosed or shared with a third party for a business purpose; and
• categories of third parties to whom the residents' personal information has been sold and the specific categories of personal information sold to each category of third party.

California residents may make a Request to Know up to twice every 12 months.

Submitting Requests to Know and Delete. Requests to Know and Requests to Delete may be submitted online or by email:

• Bethesda Users: https://help.bethesda.net/app/incident10/?prod=711&cat=1220
• Elder Scrolls Online: https://help.elderscrollsonline.com/app/incident/?category=1220
• Email: [email protected]

When you submit a request to know or a request to delete, we will take steps to verify your request by matching the information provided by you with the information we have in our records. You must complete all required fields on our webform (or otherwise provide us with this information via the above email address) and verify your access to the registered email address for your account, in order to verify your request. In some cases, we may request additional information in order to verify your request or where necessary to process your request. If we are unable to adequately verify a request, we will notify the requestor. Authorized agents may initiate a request on behalf of another individual by contacting us in writing at the contact information set forth above, in Section 13. Contact Details; authorized agents will be required to provide proof of their authorization and we may also require that the relevant consumer directly verify their identity and the authority of the authorized agent. We will respond to verifiable requests received from California residents as required by law.

Right to Non-Discrimination. The CCPA prohibits discrimination against California residents for exercising their rights under the CCPA. Discrimination may exist where a business denies or provides a different level or quality of goods or services, or charges (or suggests that it will charge) different prices, rates, or penalties on residents who exercise their CCPA rights, unless doing so is reasonably related to the value provided to the business by the residents' data.

Financial Incentives. California residents have the right to be notified of any financial incentives offers and their material terms, the right to opt-out of such incentives at any time and may not be included in such incentives without their prior informed opt-in consent. Where we offer any financial incentives under the CCPA, we will notify you in advance of the material terms of such incentives and your related rights, before we obtain your consent to such incentives.

Your Rights Under California's Shine-the-Light Law. We do not share personal information collected online with unaffiliated third parties for their own direct marketing purposes and will not do so unless you agree to such disclosure. If you are a California resident and you still believe your information has been shared or you have general questions about how your information may have been shared, you may contact us by requesting a list of the third parties to which we have disclosed personally identifiable information about you for their own direct marketing purposes. You may make one request per year. In your request, please attest to the fact that you are a California resident and provide a current California address for your response. You may request this information in writing by contacting us via the contact details set out in Section 13. Contact Details above.

For more information about our privacy practices, you may contact us as set forth above, in Section 13. Contact Details.

b. EEA (GDPR), UK and Brazil

Subject to the conditions set out in the applicable law, Users in in the European Union/European Economic Area, United Kingdom and Brazil ( as well as in other jurisdictions where similar rights apply) have the following rights regards our processing of their personal information:

• Right of access: If you ask us, we will confirm whether we are processing your personal information and, if necessary, provide you with a copy of that personal information (along with certain other details).
• Right to correction (rectification): If the personal information we hold about you is inaccurate or incomplete, you are entitled to request to have it corrected. If you are entitled to have information corrected and if we have shared your personal information with others, we will let them know about the rectification where possible.
• Right to erasure: You can ask us to delete your personal information in some circumstances, such as where we no longer need it or if you withdraw your consent (where applicable). If you request that we delete your personal information, we may do so by deleting your account(s) with us. Brazilian Users may also request the anonymization, blocking or erasure of: unnecessary or excessive personal information, or personal information processed in violation of the LGPD.
• Right to restrict (block) processing: You can ask us to restrict the processing of your personal information in certain circumstances, such as where you contest the accuracy of that personal information or you object to our use or stated legal basis.
• Right to data portability: You have the right, in certain circumstances, to receive a copy of personal information we have obtained from you in a structured, commonly used and machine readable format, and to reuse it elsewhere or to ask us to transfer this to a third party of your choice.
• Right to object: Where our processing is on the basis of our legitimate interests (other than marketing purposes), we must stop such processing unless we have compelling legitimate grounds that override your interest or where we need to process it for the establishment, exercise or defense of legal claims. Where we are relying on our legitimate interests (other than marketing), we believe that we have a compelling interest in such processing, but we will individually review each request and related circumstances.
• Right to object to marketing: You can ask us to stop processing your personal information to the extent we do so on the basis of our legitimate interests for marketing purposes. If you do so, we will stop such processing for our marketing purposes.
• Right not to be subject to automated decision-making: You have the right not to be subject to a decision when it is based on automatic processing if it produces a legal effect or similarly significantly affects you, unless it is necessary for entering into or performing a contract between us. ZeniMax does not engage in automated decision-making. Brazilian Users may also request the revision of any decision made solely on the basis of automatic processing, to the extent such decision affects your interests and applies to our Services.
• Right to withdraw your consent: In the event your personal information is processed on the basis of your consent, you have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. Brazilian Users also have the right to be informed about the consequences of denying or withdrawing consent.
• Right to lodge a complaint: You also have the right to lodge a complaint with a supervisory authority if you consider that our processing of your personal information infringes the law.

Please note that some of these rights may be limited, such as where we have an overriding interest or legal obligation to continue to process the data. Please contact us using the information set out above, in Section 13. Contact Details, if you wish to exercise any of your rights or if you have any enquiries or complaints regarding the processing of your personal information by us.