(Last updated 6 June 2023)
§ 1 GENERAL INFORMATION
(1) The responsible party pursuant to Art. 4 (7) of the European General Data Protection Regulation (GDPR) is System Akvile GmbH, WeWork, Axel-Springer-Platz 3, 20355 Hamburg, firstname.lastname@example.org, as also stated in the imprint.
(2) You can contact our data protection officer by emailing email@example.com or writing to us at our postal address in the form of a letter addressed to "the data protection officer".
(3) If you wish to contact us by e-mail or by post, we will store your e-mail address and, if you have provided it, your name and telephone number so that we can answer your questions. We will delete the data accrued in this context once the storage of it is no longer necessary or - in the case of legal retention obligations – i.e. if you object to the processing of this data.
(5) We collect the following types of personal data from you:
Device data: This data informs us about the device you use to access our services, such as the model, name and identifiers, device settings, application identifier, and crash information. This information helps us to fix bugs, tailor our services to our users' devices and improve our services.
IP address: We collect IP addresses provided by your mobile device to deliver the service. We also use the IP address to determine your approximate location for statistical and analytics purposes, and for regulatory compliance in different countries. We do not collect your precise location.
Event and usage data: When you use the app we process data in order to understand your usage of our services (e.g., which tab in the app you open). We collect this information and use it as aggregate data to better understand which features are the most relevant or useful to our users as a whole and to communicate with you about relevant and timely information and promotional content.
Data from external sources: We may receive personal data about you from third parties. For example, we may obtain information from third parties, to enhance or supplement existing user information, including to customize and personalize your experience and for statistical purposes and analytics, as described below.
(6) Anonymous information does not fall under personal data. Anonymous information is information which does not relate to an identified or identifiable natural person or personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable (Recital 26 GDPR).
(7) Depending on which features of the Services you use, we will process your personal data based on one or more of the following legal bases:
The photos will be deleted if you delete your account or actively delete the photos yourself in the app. In case of deletion of the app, all other data will be depersonalized in such a way that any identification of you as a person becomes impossible.
(a) Your consent Art 6 (1) (a) GDPR;
(b) The processing of the above data is necessary for the performance of the app’s services pursuant to Art 6 (1) (b) GDPR;
(c) We may disclose the information we collect, including your personal data, when we in good faith believe that disclosure is required to comply with the law, a court order, or a subpoena according to Art 6 (1) (c) of the GDPR. We may also disclose your personal data to prevent or investigate a possible crime, such as fraud or identity theft.
(d) We may process your Personal Data in relation to our legitimate interests in providing the Services to you, our commercial interests, including our interest in protecting the security and integrity of the Services, and wider societal benefits Art 6 (1) (f) GDPR;
(9) We allow you to log in with your Google, Facebook, or Apple account (so-called social logins). When using social login, your Google, Facebook, or Apple account will be connected to the System Akvile app. You can change the settings for this at any time in your Google, Facebook, or Apple account. For more details, please refer to the user instructions for Google, Facebook, or Apple. We will share certain information with Google, Facebook, or Apple, such as device data, your IP address, and the information you provided when you created your account. This may result in your personal data being transferred to Google, Facebook, or Apple servers outside the European Union. It is your decision whether, and to what extent, you use the Social Login service and what information you provide to Google, Facebook, or Apple. No health data will be exchanged with Google, Facebook, or Apple when using the Social Login.
(10) For advertising purposes, we use a so-called "Advertising Identifier" (IDFA). This is a unique, but non-personalized and non-permanent identification number for a specific device provided by iOS or Android. The data collected via the IDFA is not linked to any other information related to your device. We use the IDFA to provide you with personalized advertising and to evaluate your usage of the app. If you activate the option "no ad tracking" in the Android or iOS settings under "Privacy" - "Advertising", we can only take the following measures: measure your interaction with banners by counting the number of times a banner is displayed without being clicked ("frequency capping"), click-through rate, identify unique usage ("unique user") and security measures, prevent fraud and troubleshoot. You can delete the IDFA in the device settings at any time ("Reset Ad ID"), in which case a new IDFA will be created which will not be merged with any data collected previously. Please note that in this case you may not be able to use all of the functions of our app. The legal basis for this data processing is your consent Art 6 (1) (a) GDPR.
(11) Processing of your personal data for purposes other than those described will only take place if a legal provision permits this or you have consented to the changed purpose of the data processing. In the event of further processing for purposes other than those for which the data was originally collected, we will inform you of these new purposes before processing your data further and we will provide you with all other relevant information.
§ 3 HEALTH DATA
(13) The legal basis for the processing of your health data is your consent pursuant to Art 9 (2) (a) GDPR. By creating an account with System Akvile you explicitly consent to the processing of your health data for the purpose of providing services to you and improving service features.
(14) System Akvile may share health data with the EU-based contractor HautAI OU. HautAI is an AI-powered SaaS system that allows us to collect, store and analyze skin-related data using computer vision and machine learning algorithms to provide the services to you. HautAI is bound by the GDPR and a data processing agreement. HautAI is obliged to work with due care towards accomplishing that its employees comply with all applicable legal requirements for data protection and the information obtained is not released to unauthorized third parties or otherwise used/exploited. HautAI may engage subprocessors such as cloud infrastructures (IaaS) that are bound to the same data protection obligations as HautAI. The health data will be deleted if you delete your account or actively delete the data yourself in the app.
(15) To promote scientific acne and skin research, we share data with carefully selected and vetted scientists. For this purpose, we anonymize your personal data by removing or "hashing" (i.e., making your data unrecognizable with the means available to us) personal identification features so that neither the scientists nor third parties can associate them with you. The legal basis for the use of your personal data for scientific research purposes is § 27 BDSG (Federal Data Protection Act of Germany) and your consent according to Art. 9 (2) (a) GDPR.
§ 4 FACE SCANS
(1) Why are we collecting and storing your face data:
We are collecting and storing your face data to provide our services to you. You can scan your face on the System Akvile app to receive a detailed analysis of your current face skin condition (including scores on hydration, pigmentation, and uniformness), recommendations on how to improve your skin health, and a report of your overall progress. Moreover, we are collecting and storing your face data to improve our algorithms and to develop new app features so we can provide the best possible services to you.
(2) Legal basis for the collection and storage of your face data:
The legal basis for the collection and storage of your face data is your consent pursuant to Art 9 (2) (a) GDPR. By creating an account with System Akvile you explicitly consent to the processing of your face scans for the purpose of providing the aforementioned services to you.
(3) Location of storage:
Your face scans will be stored within the European Union on cloud servers operated by Amazon Web Services EMEA S.A.R.L. with a local branch in Luxembourg, which is subject to the same data protection obligations as we are.
(4) Length of storage and deletion of face data:
We store your face scans until you delete your account, request deletion, or actively delete the data yourself in the app. We store the face data for this period because we are constantly working on improving our algorithms and developing new app features to offer the best services to you. This is necessary since skin problems are chronic in nature and come and go over time. Therefore, proper historical documentation is necessary to effectively support you on your journey to a healthier skin.
(5) Third parties:
For the purpose of providing the aforementioned services to you, System Akvile shares your face scans with the EU-based contractor HautAI OU. HautAI is an AI-powered SaaS system that allows us to collect, store and analyze skin-related data using computer vision and machine learning algorithms. HautAI is bound by the GDPR and a data processing agreement. HautAI is obliged to work with due care towards accomplishing that its employees comply with all applicable legal requirements for data protection and the information obtained is not released to unauthorized third parties or otherwise used/exploited.
HautAI stores your face scans on their cloud infrastructure at:
• Microsoft Azure, located in North Europe, East USA and
• Google Cloud EMEA Limited, located in Europe West, Belgium,
for the purpose of providing the aforementioned services to you. The providers of the cloud infrastructure are bound to the same data protection obligations as HautAI.
The length of storage and deletion of face data mentioned under section 4 also applies to HautAI.
§ 5 YOUR RIGHTS
(1) You have the following rights regarding your personal data:
- The right to information, i.e. you can receive information about the personal data that has been collected about you at any time by submitting a request via e-mail, which we will answer for you in line with the guidelines laid out in Article 15 of the GDPR;
- The right to rectification or deletion of your data in the event that your data is inaccurate, Art. 16 GDPR;
- The right to erasure of your personal data, you may ask us to erase your Personal Data if you withdraw your consent to processing, if you believe such processing is unlawful. Please be aware that erasing some Personal Data may affect your experience using certain features of the Services that rely on historic data, Art. 17 GDPR;
- The right to limit the processing of your data, Art. 18 GDPR;
- The right to data portability, Art. 20 GDPR;
- The right to object to the processing of your data, Art. 21 GDPR.
(2) You also have the right to complain to the relevant data protection supervisory authority about the processing of your personal data by our company.
§ 6 COOKIES/DATA ANALYSIS TOOLS
(3) In addition to the aforementioned data, cookies are stored on your mobile device when you use our mobile app. Cookies are small text files that are stored in the device memory of your mobile device and assigned to the mobile app you are using. Cookies can provide certain information to us. Cookies cannot execute programs or transfer viruses to your mobile device. They serve to make mobile apps more user-friendly and effective.
(4) This mobile app uses Transient and Persistent Cookies.
(a) Transient cookies are automatically deleted when you close our mobile app. These include session cookies. These cookies store a so-called session ID, which can be used to assign various requests to your mobile app. This allows your mobile device to be recognized when you use our mobile app again. Session cookies are deleted when you log out or close the app.
(b) Persistent cookies are automatically deleted after a specific period of time, which may vary depending on the cookie. You can configure the settings of your mobile operating system and the app according to your wishes and you can choose to refuse to accept third-party cookies or all cookies, for example. We would like to point out that if you refuse all cookies you may not be able to use all functions of our mobile app.
- Google will use this information on our behalf for the purpose of evaluating your use of the app, compiling reports on app activity, and providing other services relating to app activity and internet usage to the app operator. Pseudonymous user profiles can be created from the processed data.
- We only use Google Analytics with IP anonymization enabled. This means that Google will truncate the IP address of users in member states of the European Union or in other states party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. The IP address transmitted by the user's browser is not merged with other Google data. Users can prevent cookies from being stored by adjusting the settings accordingly in their browser settings.
- Google is part of the EU-US Privacy Shield Agreement and thus guarantees compliance with European data protection laws.
§ 7 COMMUNICATION AND NEWSLETTERS
(1) We use your personal information, such as your email address, to send you messages, emails, and newsletters. This includes push notifications, in-app messages, and emails to send health-related content and occasional promotional materials that may be of interest to you.
(2) For the purpose of providing you with a newsletter service we may share information such as your email address, name, user ID and usage data with the Rocket Science Group, LLC. ("Mailchimp") based in Atlanta (USA). Mailchimp processes your data to send you information and occasional promotional content via in-app message, push notification, and email regarding System Akvile.
(3) We may communicate with you via email if you have contacted System Akvile with questions or support requests regarding our services or the System Akvile App. In order to respond effectively to certain support requests, System Akvile will need to access and process your personal data, including your health data. In this case, you expressly consent to the processing of your Personal Data, including your health data, for the purpose of receiving the support you have requested.
(4) The companies mentioned above are either based in the EU or guarantee a sufficient level of data protection by agreeing on standard contractual clauses with System Akvile for the transfer of data between the EU and non-EU countries. You can find the privacy statements of these services on their respective websites.
(5) When you enable System Akvile's push notifications in your device settings you consent to receive push notifications. You may revoke your consent at any time. You can unsubscribe from our newsletter by clicking on the unsubscribe link at the bottom of the message, and you can disable notifications from System Akvile in your device settings.
§ 8 SURVEYS/RAFFLES AND SIMILAR CAMPAIGNS
(7) The data collected concerns questions about the purposes of the respective survey, your person, your circumstances and habits, your interests, your general health, and your skin condition.
(8) Data collected as part of raffles are used to determine the winner and distribute the prize.
(9) We pass on the collected data for the purpose of processing to the respective internal departments as well as, if applicable, to external service providers, order processors (e.g. platform, hosting, analysis service providers) in accordance with the required purposes (to carry out the survey). Platform/hosting service providers receive access to personal data from a third country (countries outside the European Economic Area). With these service providers, so-called standard contractual clauses according to Art. 46 GDPR have been concluded as appropriate guarantees.
(10) We delete the data accrued in this context after the storage is no longer necessary unless there are legal retention obligations or statutes of limitations that must be observed. As a rule, the data is deleted after two years at the latest.
§ 9 PERIOD OF DATA STORAGE
We process your data for the above purposes until you delete your account or request deletion. In case of a deletion request, we will delete your account within one month and your data will be deleted or irrevocably anonymized (so that no conclusions can be drawn about a specific natural person). In addition, we may retain your data for purposes such as asserting, exercising, and defending legal claims and maintaining high quality and safety standards, especially with regard to post-marketing surveillance; however, the processing of your data is limited to these purposes.
§ 10 WHERE WE STORE YOUR PERSONAL DATA
(11) The personal data you provide will be stored within the European Union on cloud servers operated by Amazon Web Services EMEA S.A.R.L. (hereinafter "AWS") with a local branch in Luxembourg. However, the collected data may be processed by processors outside the European Economic Area (previously and hereinafter "EEA") on the basis of any data processing agreements to the extent that the additional requirements for the processing of personal data in third countries pursuant to Article 44 et seq. GDPR are met (e.g., if the subcontractor is able to provide appropriate safeguards under Article 46 GDPR, in particular standard data protection clauses, binding internal data protection rules, approved codes of conduct, or else exemptions for specific cases under Article 49 GDPR) and the additional measures to be ensured on a mandatory case-by-case basis are taken.
(12) Sensitive data, particularly health data, is transmitted between your device and our server in encrypted form. Transport Layer Security ("TLS") is used for this purpose. When transmitting sensitive data, you should always make sure that your device can verify our certificate.
(13) Please address any concerns regarding the safeguards for the transfer of your personal data outside the EEA directly to us.
§ 11 SHOPIFY
§ 12 PAYMENT SERVICE PROVIDERS
(14) We use external payment service providers through whom you and we can make payment transactions:
(2) In the context of fulfilling contracts, we use the payment service providers on the basis of Art. 6 (1) (b) GDPR. Furthermore, we use external payment service providers based on our legitimate interests pursuant to Art. 6 (1) (f) GDPR in order to offer our users effective and secure payment options.
(3) The data processed by the payment service providers includes inventory data, such as name and address, bank data, such as account numbers or credit card numbers, passwords, TANs and check sums as well as the information related to the contract, total and recipient. This information is required for carrying out the transactions. However, the data entered is only processed by the payment service providers and stored with them, i.e., we do not receive any account or credit card related information, but only information to confirm or deny the receipt of the payment. Under certain circumstances, the payment service providers transmit the data to credit agencies. The purpose of the transmission of this data is to check your identity and creditworthiness. In this regard, we refer to the terms and conditions and data protection information of the payment service providers.
(4) The terms and conditions and data protection notices of the respective payment service providers apply to the payment transactions, which can be accessed within the respective websites or transaction applications. We also refer to these for the purpose of gaining further information, carrying out cancellations, and adhering to access, and other data subject rights.
§ 13 OBJECTION OR REVOCATION AGAINST THE PROCESSING OF YOUR DATA
(5) If you have given your consent to the processing of your data, you can revoke this consent at any time. Such a revocation affects the permissibility of the processing of your personal data after you have expressed it to us.
(6) If we base the processing of your personal data on a balance of interests, you can object to the processing. This is the case if the processing is not necessary, in particular, for the performance of a contract with you, which is presented by us in each case in the description of the functions and offers. When exercising such an objection, we ask you to explain the reasons why we should not process your personal data as we have done. In the event of your justified objection, we will review the situation and either cease or adjust the data processing or show you our legitimate grounds on the basis of which we will continue the processing.
(7) You can object to the processing of your personal data for purposes of advertising and data analysis at any time.
§ 14 CHILDREN’S PRIVACY
(8) We do not knowingly collect or use personal data from children under the age of 13. By registering you are required to confirm that you are at least 13 years old, or that your parents have agreed that you can use the System Akvile app.
(9) If you are located in the EU, you can only use our services if you are over the relevant age at which you can provide explicit consent to the processing of your data under the laws of your country (this is between 13 and 16 years old, depending on the country you live in) or if you have the consent of your parent or legal guardian. If you are a parent and learn that your child is using System Akvile without your permission or if you have any specific question about our data privacy, please contact us at firstname.lastname@example.org.
§ 15 CHANGES TO THIS PRIVACY STATEMENT