§ 1 INFORMATION ABOUT THE COLLECTION OF PERSONAL DATA
(1) Along with our online offerings, we also provide a mobile app that you can download onto your mobile device. In the following pages, we will inform you about the collection of personal data when using this mobile app. Personal data encompasses all information that relates to you as an identified or identifiable natural person. This includes, for example, general information such as your name, address and email addresses. It also includes data about your user behaviour as well as data about your health which can be shared with us via onboarding/daily questionnaires and the photos you take of your face, all of which are collected in order to provide you with the best possible advice tailored to you and your journey towards healthier skin.
(2) The responsible party pursuant to Art. 4 (7) of the EU General Data Protection Regulation (GDPR) is System Akvile GmbH, WeWork, Axel-Springer-Platz 3, 20355 Hamburg, email@example.com, as also stated in the imprint.
(3) You can contact our data protection officer by emailing firstname.lastname@example.org or writing to us at our postal address in the form of a letter addressed to "the data protection officer".
(4) If you wish to contact us by e-mail or by post, we will store your e-mail address and, if you have provided it, your name and telephone number so that we can answer your questions. We will delete the data accrued in this context once the storage of it is no longer necessary or - in the case of legal retention obligations – i.e. if you object to the processing of this data.
(5) If we commission service providers in order to fulfil specific functions or would like to use your data for advertising purposes, we will inform you in detail about the respective processes. In doing so, we will also state the defined criteria for the storage period of your data.
§ 2 YOUR RIGHTS
(1) You have the following rights regarding your personal data:
- The right to information, i.e. you can receive information about the personal data that has been collected about you at any time by submitting a request via e-mail, which we will answer for you in line with the guidelines laid out in Article 15 of the GDPR,
- The right to rectification or deletion of your data in the event that your data is inaccurate, Art. 17 GDPR,
- The right to limit the processing of your data, Art. 18 GDPR,
- The right to object to the processing of your data, Art. 21 GDPR,
- The right to data portability, Art. 20 GDPR.
(2) You also have the right to complain to the relevant data protection supervisory authority about the processing of your personal data by our company.
§ 3 COLLECTION OF PERSONAL DATA WHEN USING OUR MOBILE APP
(1) When downloading the mobile app, the required information is transferred to the app store chosen by you, i.e., your username, email address and customer number for your account, time of download, payment information, and the individual device identification number for your smartphone. We have no influence on the collection of this data and are therefore not responsible for it. We only process the data insofar as it is necessary for downloading the mobile app to your mobile device.
(2) When using the mobile app, we automatically collect the personal data described below in order to enable you to use all of the functions of the app. If you want to use our mobile app, we collect the following data that is technically necessary for us to offer you the functions of our mobile app and to ensure stability and security, whereby the legal basis for the collection of this necessary data is Art. 6 para. 1 sentence 1 lit. f GDPR:
- IP address,
- Date and time of the request,
- Time zone difference from Greenwich Mean Time (GMT),
- Content of the request (specific page),
- Access status / HTTP status code,
- Amount of data transferred in each case,
- Website from which the request came,
- Operating system and its interface, as well as
- Language and version of the browser software.
- Health data such as images of the face and skin and personal data shared for the purpose of personalising the app. This data is provided voluntarily by you as the user. Depending on the data you have provided us with, this may also include information about your general health. This enables us to offer you personalized advice tailored to your specific lifestyle. The photos will be deleted if you delete your account or actively delete the photos yourself in the app. In case of deletion of the app, all other data will be depersonalized in such a way that any identification of you as a person becomes impossible.
(4) We allow you to log in with your Google, Facebook, or Apple account (so-called social logins). When using a social login, your Google, Facebook, or Apple account will be connected to the System Akvile app. You can change the settings for this at any time in your Google, Facebook or Apple account. For more details, please refer to the user instructions for Google, Facebook, or Apple. We will share certain information with Google, Facebook, or Apple, such as device data, your IP address and the information you provided when you created your account. This may result in your personal data being transferred to Google, Facebook, or Apple servers outside the European Union. It is your decision whether, and to what extent, you use the Social Login service and what information you provide to Google, Facebook, or Apple. When using the Social Login, no health data will be exchanged with Google, Facebook, or Apple.
(5) Furthermore, we will need your device identification, the unique number of the end device (IMEI = International Mobile Equipment Identity), mobile phone number (MSISDN), MAC address for WLAN use, the name of your mobile end device and your e-mail address.
(6) For advertising purposes, we use a so-called "Advertising Identifier" (IDFA). This is a unique, but non-personalised and non-permanent, identification number for a specific device provided by iOS or Android. The data collected via the IDFA is not linked to any other information related to your device. We use the IDFA to provide you with personalized advertising and to evaluate your usage of the app. If you activate the option "no ad tracking" in the Android or iOS settings under "Privacy" - "Advertising", we can only take the following measures: measure your interaction with banners by counting the number of times a banner is displayed without being clicked ("frequency capping"), click-through rate, identify unique usage ("unique user") and security measures, prevent fraud and troubleshoot. You can delete the IDFA in the device settings at any time ("Reset Ad ID"), in which case a new IDFA will be created which will not be merged with any data collected previously. Please note that in this case you may not be able to use all of the functions of our app.
(7) To promote scientific acne and skin research, we share data with carefully selected and vetted scientists. For this purpose, we anonymize your personal data by removing or "hashing" (i.e., making your data unrecognisable with the means available to us) personal identification features so that neither the scientists nor third parties can associate them with you. The legal basis for the use of your personal data for scientific research purposes is § 27 BDSG (Federal Data Protection Act of Germany) and your consent according to Art. 9 GDPR.
(8) Processing of your personal data for purposes other than those described will only take place if a legal provision permits this or you have consented to the changed purpose of the data processing. In the event of further processing for purposes other than those for which the data was originally collected, we will inform you of these new purposes before processing your data further and we will provide you with all other relevant information.
§ 4 COOKIES/DATA ANALYSIS TOOLS
(1) In addition to the aforementioned data, cookies are stored on your computer when you use our mobile app. Cookies are small text files that are stored in the device memory of your mobile device and assigned to the mobile app you are using. Cookies can provide certain information to the entity that sets the cookie (in this case: us). Cookies cannot execute programs or transfer viruses to your mobile device. They serve to make mobile apps more user-friendly and effective.
- a) This mobile app uses the following types of cookies, the scope and functionality of which are explained below:
– Transient Cookies (see point b),
– Persistent Cookies (see point c).
- b) Transient cookies are automatically deleted when you close our mobile app. These include session cookies. These cookies store a so-called session ID, which can be used to assign various requests to your mobile app. This allows your mobile device to be recognized when you use our mobile app again. Session cookies are deleted when you log out or close the app.
- c) Persistent cookies are automatically deleted after a specific period of time, which may vary depending on the cookie. You can configure the settings of your mobile operating system and the app according to your wishes and you can choose to refuse to accept third-party cookies or all cookies, for example. We would like to point out that if you refuse all cookies you may not be able to use all functions of our mobile app.
– Google will use this information on our behalf for the purpose of evaluating your use of the website, compiling reports on website activity, and providing other services relating to website activity and internet usage to the website operator. Pseudonymous user profiles can be created from the processed data.
– We only use Google Analytics with IP anonymization enabled. This means that Google will truncate the IP address of users in member states of the European Union or in other states party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. The IP address transmitted by the user's browser is not merged with other Google data. Users can prevent cookies from being stored by adjusting the settings accordingly in their browser settings.
– The legal basis for the use of Google Analytics is § 15 para. 3 TMG (German act on electronic information and communication services) or Art. 6 para. 1 lit. f GDPR. Users can also prevent Google from collecting and processing the data generated by the cookie and related to their use of the website (including their IP address) by downloading and installing the browser add-on. Choosing to opt out of cookies prevents your data from being collected when visiting this website in the future. Google is part of the EU-US Privacy Shield Agreement and thus guarantees compliance with European data protection laws.
– The personal data of the users will be deleted or anonymized after 14 months.
If you do not wish for your data to be collected by Google Analytics in the future, you can also send an email to email@example.com at any time.
§ 5 WHERE WE STORE YOUR PERSONAL DATA
(1) The personal data you provide will be stored within the European Union on cloud servers operated by Amazon Web Services EMEA S.A.R.L. (hereinafter "AWS") with a local branch in Luxembourg. However, the collected data may be processed by processors outside the European Economic Area (previously and hereinafter "EEA") on the basis of any data processing agreements to the extent that the additional requirements for the processing of personal data in third countries pursuant to Article 44 et seq. GDPR are met (e.g., if the subcontractor is able to provide appropriate safeguards under Article 46 GDPR, in particular standard data protection clauses, binding internal data protection rules, approved codes of conduct or else exemptions for specific cases under Article 49 GDPR) and the additional measures to be ensured on a mandatory case-by-case basis are taken.
(2) Sensitive data is transmitted between your browser and our website in encrypted form. Transport Layer Security ("TLS") is used for this purpose. When transmitting sensitive data, you should always make sure that your browser can verify our certificate.
(3) Please address any concerns regarding the safeguards for the transfer of your personal data outside the EEA directly to us.
§ 6 COMMUNICATION, SURVEYS AND NEWSLETTERS
(1) We use your personal information, such as your email address, to send you messages, emails, and newsletters. This includes push notifications, in-app messages, and emails to send health-related content and occasional promotional materials that may be of interest to you.
(2) When you enable System Akvile's push notifications in your device settings you consent to receive push notifications. You may revoke your consent at any time. You can unsubscribe from our newsletter by clicking on the unsubscribe link at the bottom of the message, and you can disable notifications from System Akvile in your device settings.
(3) We may communicate with you via email if you have contacted System Akvile with questions or support requests regarding our services or the System Akvile App. In order to respond effectively to certain support requests, System Akvile will need to access and process your personal data, including your health data. In this case, you expressly consent to the processing of your Personal Data, including your health data, for the purpose of receiving the support you have requested.
(5) To provide these services, we may share information such as your email address with third party providers for the sole purpose of providing you with a newsletter service. This provider is The Rocket Science Group, LLC. ("Mailchimp") based in Atlanta (USA), which processes your email address, name, user ID and usage data and certain health data to send you information and occasional promotional content via in-app message, push notification and email.
(6) The companies mentioned above are either based in the EU or guarantee a sufficient level of data protection by agreeing on standard contractual clauses with System Akvile for the transfer of data between the EU and non-EU countries. You can find the privacy statements of these services on their respective websites.
§ 7 SHOPIFY
We use an enterprise resource planning system for processing orders. For this purpose, your personal data is collected as part of the order process and is transmitted to Shopify International Limited; Victoria Buildings, 2nd Floor 1-2 Haddington Road; Dublin 4, D04 XN32, Ireland.
§ 8 PAYMENT SERVICE PROVIDERS
(1) We use external payment service providers through whom you and we can make payment transactions:
– Paypal (https://www.paypal.com/de/webapps/mpp/ua/privacy-full)
– Mastercard (https://www.mastercard.com/global/en/vision/corp-responsibility/commitment-to-privacy/privacy.html)
– Klarna (https://www.klarna.com/international/privacy-policy/)
– Visa (https://usa.visa.com/legal/privacy-policy.html)
– Apple Pay (https://www.apple.com/legal/privacy/)
(2) In the context of fulfilling contracts, we use the payment service providers on the basis of Art. 6 para. 1 lit. b. GDPR. Furthermore, we use external payment service providers based on our legitimate interests pursuant to Art. 6 para. 1 lit. f. GDPR in order to offer our users effective and secure payment options.
(3) The data processed by the payment service providers includes inventory data, such as name and address, bank data, such as account numbers or credit card numbers, passwords, TANs and checksums, as well as the information related to the contract, total and recipient. This information is required for carrying out the transactions. However, the data entered is only processed by the payment service providers and stored with them, i.e., we do not receive any account or credit card related information, but only information to confirm or deny the receipt of the payment. Under certain circumstances, the payment service providers transmit the data to credit agencies. The purpose of the transmission of this data is to check your identity and creditworthiness. In this regard, we refer to the terms and conditions and data protection information of the payment service providers.
(4) The terms and conditions and data protection notices of the respective payment service providers apply to the payment transactions, which can be accessed within the respective websites or transaction applications. We also refer to these for the purpose of gaining further information, carrying out cancellations, and adhering to access and other data subject rights.
§ 9 CHANGES TO THIS PRIVACY STATEMENT