Privacy policy for the System Akvile mobile app

(Last updated 11 November 2022)

§ 1 General Information

(1) The responsible party pursuant to Art. 4 (7) of the EU-General Data Protection Regulation (GDPR) is System Akvile GmbH, WeWork, Axel-Springer-Platz 3, 20355 Hamburg, team@systemakvile.com, as also stated in the imprint.

(2) You can contact our data protection officer by emailing team@systemakvile.com or writing to us at our postal address in the form of a letter addressed to "the data protection officer".

(3) If you wish to contact us by e-mail or by post, we will store your e-mail address and, if you have provided it, your name and telephone number so that we can answer your questions. We will delete the data accrued in this context once the storage of it is no longer necessary or - in the case of legal retention obligations – i.e. if you object to the processing of this data.

§ 2 PROCESSING OF PERSONAL DATA

(1) Along with our online offerings, we also provide a mobile app that you can download onto your mobile device. In the following pages, we will inform you about the collection of personal data when using this mobile app. You can access this privacy policy under the "Privacy Policy" tab within the website or app at any time.

(2) We collect the following types of data:

    • General personal data: This data includes your name, age, address, and email address and is needed to create a user account.

    • Device data: This data informs us about the device you use to access our services, such as the model, name and identifiers, device settings, application identifier, and crash information. This information helps us to fix bugs, tailor our services to our users' devices and improve our services.

    • IP address: We collect IP addresses provided by your mobile device to deliver the service. We also use the IP address to determine your approximate location for statistical and analytics purposes, and for regulatory compliance in different countries. We do not collect your precise location.

    • Event and usage data: When you use the app we process data in order to understand your usage of our services (e.g., which tab in the app you open). We collect this information and use it as aggregate data to better understand which features are the most relevant or useful to our users as a whole and to communicate with you about relevant and timely information and promotional content.

    • Health data: We process health data such as your skin information (e.g., skin type, sensitivity, photos of your skin) and your general health (e.g., weight, lifestyle, stress) to provide our service to you. You can choose to share this health data with us via onboarding/daily questionnaires and the photos you take of your face, all of which are collected in order to provide you with the best possible advice tailored to you and your journey towards healthier skin.

(3) The legal basis for processing the above data is Art 6 (1) (b) of the European General Data Protection Regulation (GDPR). System Akvile may use this data for the purpose of improving the System Akvile app, the services we provide to you, and to prevent abusive use of our service. In accordance with Art 6 (1) (f) GDPR, we consider that we have a legitimate interest to offer an error-free and functional service.

(4) The legal basis for the processing of your health data is your consent pursuant to Art 9 (2) (a) GDPR. By creating an account with System Akvile you explicitly consent to the following. System Akvile may store and process the health data you provide for the purpose of providing services to you and improving service features. System Akvile may share health data with the EU-based contractor HautAI OU. HautAI is an AI-powered SaaS system that allows us to collect, store and analyze skin-related data using computer vision and machine learning algorithms to provide the services to you. HautAI is bound by the GDPR and a data processing agreement. HautAI is obliged to work with due care towards accomplishing that its employees comply with all applicable legal requirements for data protection and the information obtained is not released to unauthorized third parties or otherwise used/exploited. HautAI may engage subprocessors such as cloud infrastructures (IaaS) that are bound to the same data protection obligations as HautAI.

The photos will be deleted if you delete your account or actively delete the photos yourself in the app. In case of deletion of the app, all other data will be depersonalized in such a way that any identification of you as a person becomes impossible.

(5) To promote scientific acne and skin research, we share data with carefully selected and vetted scientists. For this purpose, we anonymize your personal data by removing or "hashing" (i.e., making your data unrecognizable with the means available to us) personal identification features so that neither the scientists nor third parties can associate them with you. The legal basis for the use of your personal data for scientific research purposes is § 27 BDSG (Federal Data Protection Act of Germany) and your consent according to Art. 9 (2) (a)

(6) We may disclose the information we collect, including your personal data, when we in good faith believe that disclosure is required to comply with the law, a court order, or a subpoena according to Art 6 (1) (c) of the GDPR. We may also disclose your personal data to prevent or investigate a possible crime, such as fraud or identity theft.

(7) When downloading the mobile app, the required information is transferred to the app store chosen by you, i.e., your username, email address, and customer number for your account, time of download, payment information, and the individual device identification number for your smartphone. We have no influence on the collection of this data and are therefore not responsible for it. We only process the data insofar as it is necessary for downloading the mobile app to your mobile device.

(8) When using the mobile app, we automatically collect the personal data described below in order to enable you to use all of the functions of the app. If you want to use our mobile app, we collect the following data that is technically necessary for us to offer you the functions of our mobile app and to ensure stability and security whereby the legal basis for the collection of this necessary data is Art. 6 (1) (f) GDPR:

    • IP address;
    • Date and time of the request;
    • Time zone difference from Greenwich Mean Time (GMT);
    • Content of the request (specific page);
    • Access status / http status code;
    • Amount of data transferred in each case;
    • Website from which the request came;
    • Browser;
    • Operating system and its interface; and
    • Language and version of the browser software.

(9) When you create a user account or sign up, we use your access data to grant you access to your user account ("mandatory data"). Mandatory data within the scope of the registration process are marked with an asterisk and are required for the conclusion of the user contract. If you do not provide this data, you will not be able to create a user account. We use this mandatory data to verify that it is you when you log in and in order to follow up on any requests for resetting your password. The information you provide during the registration or login process will be processed and used by us to verify your eligibility for managing your user account; to enforce the app's terms of use and any associated rights and obligations; and to contact you to send you technical or legal news, updates, security notifications or other messages relating to these things, like the management of the user account, for example.

    (10) We allow you to log in with your Google, Facebook, or Apple account (so-called social logins). When using social login, your Google, Facebook, or Apple account will be connected to the System Akvile app. You can change the settings for this at any time in your Google, Facebook, or Apple account. For more details, please refer to the user instructions for Google, Facebook, or Apple. We will share certain information with Google, Facebook, or Apple, such as device data, your IP address, and the information you provided when you created your account. This may result in your personal data being transferred to Google, Facebook, or Apple servers outside the European Union. It is your decision whether, and to what extent, you use the Social Login service and what information you provide to Google, Facebook, or Apple. No health data will be exchanged with Google, Facebook, or Apple when using the Social Login.

    (11) Furthermore, we will need your device identification, the unique number of the end device (IMEI = International Mobile Equipment Identity), mobile phone number (MSISDN), MAC address for WLAN use, and the name of your mobile end device and your e-mail address.

      (12) For advertising purposes, we use a so-called "Advertising Identifier" (IDFA). This is a unique, but non-personalized and non-permanent identification, number for a specific device provided by iOS or Android. The data collected via the IDFA is not linked to any other information related to your device. We use the IDFA to provide you with personalized advertising and to evaluate your usage of the app. If you activate the option "no ad tracking" in the Android or iOS settings under "Privacy" - "Advertising", we can only take the following measures: Measure your interaction with banners by counting the number of times a banner is displayed without being clicked ("frequency capping"), click-through rate, identify unique usage ("unique user" and security measures, prevent fraud and troubleshoot. You can delete the IDFA in the device settings at any time ("Reset Ad ID"), in which case a new IDFA will be created which will not be merged with any data collected previously. Please note that in this case you may not be able to use all of the functions of our app.

        (13) Processing of your personal data for purposes other than those described will only take place if a legal provision permits this or you have consented to the changed purpose of the data processing. In the event of further processing for purposes other than those for which the data was originally collected, we will inform you of these new purposes before processing your data further and we will provide you with all other relevant information.

        § 3 Your Rights

        (1) You have the following rights regarding your personal data:
          • The right to information, i.e. you can receive information about the personal data that has been collected about you at any time by submitting a request via e-mail, which we will answer for you in line with the guidelines laid out in Article 15 of the GDPR;

          • The right to rectification or deletion of your data in the event that your data is inaccurate, Art. 17 GDPR;

          • The right to limit the processing of your data, Art. 18 GDPR;

          • The right to object to the processing of your data, Art. 21 GDPR;

          • The right to data portability, Art. 20 GDPR.

        (2) You also have the right to complain to the relevant data protection supervisory authority about the processing of your personal data by our company.

        § 4 Cookies/DATA AnalysIS Tools

        (1) In addition to the aforementioned data, cookies are stored on your computer when you use our mobile app. Cookies are small text files that are stored in the device memory of your mobile device and assigned to the mobile app you are using. Cookies can provide certain information to the entity that sets the cookie (in this case: us). Cookies cannot execute programs or transfer viruses to your mobile device. They serve to make mobile apps more user-friendly and effective.

          • This mobile app uses the following types of cookies, the scope, and functionality of which are explained below:

            • Transient Cookies (see point b),

            • Persistent Cookies (see point c).

          • Transient cookies are automatically deleted when you close our mobile app. These include session cookies. These cookies store a so-called session ID, which can be used to assign various requests to your mobile app. This allows your mobile device to be recognized when you use our mobile app again. Session cookies are deleted when you log out or close the app.

          • Persistent cookies are automatically deleted after a specific period of time, which may vary depending on the cookie. You can configure the settings of your mobile operating system and the app according to your wishes and you can choose to refuse to accept third-party cookies or all cookies, for example. We would like to point out that if you refuse all cookies you may not be able to use all functions of our mobile app.

        (2) In some situations, we engage other companies to process your personal data on our behalf (so-called “Processors”). Processors are companies that help us to run the app, improve our communication or perform other app-related activities. They may process certain Personal Data on our behalf to accomplish the goals related to the App functions and associated activities. You can opt out of these analytical tools at any time by adjusting your privacy preferences within the System Akvile app.

          • Google Analytics, a web analytics service provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland; "Google"). Google Analytics uses cookies, which allow an analysis of your use of the app. The information generated by the cookie about your use of the app will be transmitted to and stored by Google on servers in the United States. 

                    Google will use this information on our behalf for the purpose of evaluating your use of the app, compiling reports on app activity, and providing other services relating to app activity and internet usage to the app operator. Pseudonymous user profiles can be created from the processed data.

                    We only use Google Analytics with IP anonymization enabled. This means that Google will truncate the IP address of users in member states of the European Union or in other states party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. The IP address transmitted by the user's browser is not merged with other Google data. Users can prevent cookies from being stored by adjusting the settings accordingly in their browser settings.

                    The legal basis for the use of Google Analytics is § 15 para. 3 TMG (German act on electronic information and communication services) or Art. 6 para. 1 lit. f GDPR. Users can also prevent the collection of data generated by the cookie and related to their use of the app (including your IP address) to Google and the processing of this data by Google by downloading and installing the browser add-on. Choosing to opt-out of cookies prevents your data from being collected when visiting this app in the future. Google is part of the EU-US Privacy Shield - Agreement and thus guarantees compliance with European data protection laws.

                    The personal data of the users will be deleted or anonymized after 14 months.

            –        For more information about Google's use of data, settings, and opt-out options, please see Google's privacy policy (https://policies.google.com/privacy) and the settings for the display of advertising by Google (https://adssettings.google.com/authenticated).

          • System Akvile is using TikTok Ads Manager to help us deliver more relevant advertising to you on the System Akvile Services and help measure the effectiveness of our ads. We are sharing information such as CPM, CPC, CPA, clicks conversions, impressions, CTR, and the average time per view with TikTok Ads Manager. TikTok Ads Manager does not have access to any of the personal health information you track in the app. By using our service, you explicitly consent to the use and processing of your data collected by TikTok Ads Manager as described above. But you can opt-out at any time.

          • System Akvile uses an attribution and marketing analytics service by Appsflyer, that helps us measure and analyze the effectiveness of our marketing campaigns by understanding which marketing campaigns contributed to the download/installation of the System Akvile App. Moreover, Appsflyer, helps us measure and analyze certain events and actions within the System Akvile App, such as in-app purchases. We share technical information (e.g. device type), technical identifiers (e.g. IDFA), and engagement information (e.g. clicks on System Akvile ads) with Appsflyer so that we can optimize our ad campaigns. Appsflyer does not have access to any of the personal health information you track in the app. By using our service, you explicitly consent to the use and processing of your data collected by Appsflyer as described above. The privacy policy of Appsflyer can be found here.

          • We engage Amplitude Inc. to process your app usage data on our behalf. Amplitude offers cloud-based analytical tools that help us to better understand how you use the App and engage with particular features. This knowledge enables us to enhance our services and communication to provide you a better user experience. The privacy policy of Amplitude can be found here.

        § 5 PERIOD OF DATA STORAGE

        We process your data for the above purposes until you delete your account or request deletion. In case of a deletion request, we will delete your account within one month and your data will be deleted or irrevocably anonymized (so that no conclusions can be drawn about a specific natural person). In addition, we may retain your data for purposes such as asserting, exercising, and defending legal claims and maintaining high quality and safety standards, especially with regard to post-marketing surveillance; however, the processing of your data is limited to these purposes.

        § 6 WHERE WE STORE YOUR PERSONAL DATA

        (1) The personal data you provide will be stored within the European Union on cloud servers operated by Amazon Web Services EMEA S.A.R.L. (hereinafter "AWS") with a local branch in Luxembourg. However, the collected data may be processed by processors outside the European Economic Area (previously and hereinafter "EEA") on the basis of any data processing agreements to the extent that the additional requirements for the processing of personal data in third countries pursuant to Article 44 et seq. GDPR are met (e.g., if the subcontractor is able to provide appropriate safeguards under Article 46 GDPR, in particular standard data protection clauses, binding internal data protection rules, approved codes of conduct, or else exemptions for specific cases under Article 49 GDPR) and the additional measures to be ensured on a mandatory case-by-case basis are taken.

        (2) Sensitive data, particularly health data, is transmitted between your device and our server in encrypted form. Transport Layer Security ("TLS") is used for this purpose. When transmitting sensitive data, you should always make sure that your device can verify our certificate.

        (3) Please address any concerns regarding the safeguards for the transfer of your personal data outside the EEA directly to us.

        § 7 COMMUNICATION AND NEWSLETTERS

        (1) We use your personal information, such as your email address, to send you messages, emails, and newsletters. This includes push notifications, in-app messages, and emails to send health-related content and occasional promotional materials that may be of interest to you.

        (2) When you enable System Akvile's push notifications in your device settings you consent to receive push notifications. You may revoke your consent at any time. You can unsubscribe from our newsletter by clicking on the unsubscribe link at the bottom of the message, and you can disable notifications from System Akvile in your device settings.

        (3) We may communicate with you via email if you have contacted System Akvile with questions or support requests regarding our services or the System Akvile App. In order to respond effectively to certain support requests, System Akvile will need to access and process your personal data, including your health data. In this case, you expressly consent to the processing of your Personal Data, including your health data, for the purpose of receiving the support you have requested.

        (4) To provide these services, we may share information such as your email address with third-party providers for the sole purpose of providing you with a newsletter service. This provider is The Rocket Science Group, LLC. ("Mailchimp") based in Atlanta (USA), which processes your email address, name, user ID and usage data, and certain health data to send you information and occasional promotional content via in-app message, push notification, and email.

        (5) The companies mentioned above are either based in the EU or guarantee a sufficient level of data protection by agreeing on standard contractual clauses with System Akvile for the transfer of data between the EU and non-EU countries. You can find the privacy statements of these services on their respective websites.

        § 8 SURVEYS/RAFFLES AND SIMILAR CAMPAIGNS

        (1) If you participate in surveys, raffles, or similar campaigns, we will process your personal data for the purposes specified in the consent and in the terms of this Privacy Policy.

        (2) The data collected concerns questions about the purposes of the respective survey, your person, your circumstances and habits, your interests, your general health, and your skin condition.

        (3) Data collected as part of raffles are used to determine the winner and distribute the prize.

        (4) We pass on the collected data for the purpose of processing to the respective internal departments as well as, if applicable, to external service providers, order processors (e.g. platform, hosting, analysis service providers) in accordance with the required purposes (to carry out the survey). Platform/hosting service providers receive access to personal data from a third country (countries outside the European Economic Area). With these service providers, so-called standard contractual clauses according to Art. 46 GDPR have been concluded as appropriate guarantees. Further information can be found here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu_de

        (5) We delete the data accrued in this context after the storage is no longer necessary unless there are legal retention obligations or statutes of limitations that must be observed. As a rule, the data is deleted after two years at the latest.

        § 9 Shopify

        We use an enterprise resource planning system for processing orders. For this purpose, your personal data is collected as part of the order process and is transmitted to Shopify International Limited; Victoria Buildings, 2nd Floor 1-2 Haddington Road; Dublin 4, D04 XN32, Ireland.

        § 10 PAYMENT SERVICE PROVIDERS

        (1) We use external payment service providers through whom you and we can make payment transactions:

        (2) In the context of fulfilling contracts, we use the payment service providers on the basis of Art. 6 (1) (b) GDPR. Furthermore, we use external payment service providers based on our legitimate interests pursuant to Art. 6 (1) (f) GDPR in order to offer our users effective and secure payment options.

        (3) The data processed by the payment service providers includes inventory data, such as name and address, bank data, such as account numbers or credit card numbers, passwords, TANs and check sums as well as the information related to the contract, total and recipient. This information is required for carrying out the transactions. However, the data entered is only processed by the payment service providers and stored with them. i.e., we do not receive any account or credit card related information, but only information to confirm or deny the receipt of the payment. Under certain circumstances, the payment service providers transmit the data to credit agencies. The purpose of the transmission of this data is to check your identity and creditworthiness. In this regard, we refer to the terms and conditions and data protection information of the payment service providers.

        (4) The terms and conditions and data protection notices of the respective payment service providers apply to the payment transactions, which can be accessed within the respective websites or transaction applications. We also refer to these for the purpose of gaining further information, carrying out cancellations, and adhering to access, and other data subject rights.

        § 11 OBJECTION OR REVOCATION AGAINST THE PROCESSING OF YOUR DATA

        (1) If you have given your consent to the processing of your data, you can revoke this consent at any time. Such a revocation affects the permissibility of the processing of your personal data after you have expressed it to us.

        (2) If we base the processing of your personal data on a balance of interests, you can object to the processing. This is the case if the processing is not necessary, in particular, for the performance of a contract with you, which is presented by us in each case in the description of the functions and offers. When exercising such an objection, we ask you to explain the reasons why we should not process your personal data as we have done. In the event of your justified objection, we will review the situation and either cease or adjust the data processing or show you our legitimate grounds on the basis of which we will continue the processing.

        (3) You can object to the processing of your personal data for purposes of advertising and data analysis at any time.

        § 12 CHANGES TO THIS PRIVACY STATEMENT

        In order to keep this privacy policy up to date at all times, we reserve the right to make changes to this privacy policy as necessary. The current version can be found under Privacy in our app.