Privacy Policy

In this Privacy Policy we explain which data including personal data of users of our Avatar Cloud Services (“our service”) we collect, how we use it and for which purposes.

 

1) Controller

The party responsible for the collection, processing and use of your personal data is NeXR Technologies SE, Charlottenstraße 4, 10969 Berlin, (hereinafter ”NeXR“ or ”we“). E-Mail: privacy@avatar.cloud

 

2) Data Protection Officer

activeMind AG

Kurfürstendamm
56
10707 Berlin

Tel.: +49 (0)30 / 770 19 10 70

dataprotect@nexr-technologies.com

 

3) Definitions

“BDSG“ means the German Data Protection Act.

”GDPR“ means the General Data Protection Regulation, Regulation (EU) 2016/679

“TTDSG” means the German Act about Data Protection and Protection of Privacy.

“UWG” means the German Unfair Competition Act.

“Personal Data” is any information relating to an identified or identifiable natural person; This includes, for example, your name, address as well as the data that you provide when creating a user account for our service. Personal data does not include statistical data that we may collect from your use of our service in a way that it is not connected to your Personal Data, for example, general information about which features of our service are most used of for which content there is general interest among our users.

“Data Subject“ means you, the user whose personal data is being processed.

 

4) Legal Basis

When we process personal data with your  consent, the legal basis is Art. 6 (1) lit. a GDPR.

When we process personal data to prepare, enter into or to perform a contract with the person to which the data belongs, the legal basis is Art. 6 (1) lit. b GDPR).

We may also process personal data to the extent  necessary for the purposes of our legitimate interests or those of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which may require the protection of your personal data. In this case, the legal basis is Art. 6 (1) lit. f GDPR.

 

5) Erasure & Duration of Storage

We process personal data only as long as it is necessary for the respective purpose stated in this privacy policy. The personal data will then be deleted, provided that no legal retention periods conflict with data deletion. Insofar as data processing is based on your consent, the purpose ceases to apply when you withdraw your consent. Insofar as data processing is carried out on the basis of legitimate interests, the purpose of storage ceases to apply when the legitimate interest no longer exists.  Insofar as data processing is carried out for the purpose of initiating or implementing a contractual relationship, the purpose ceases to apply as soon it has been achieved.
Storage may also take place if this has been provided for by the European or national legislator in Union regulations, laws or other provisions to which the controller is subject. Blocking, anonymization or deletion of data will also take place if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or performance of a contract. Blocking means that the data is archived and can no longer be used for operational purposes.

 

6) Right to Object

You have the right, for reasons arising from your particular situation, to object at any time to the processing of personal data concerning you on the basis of Art. 6(1)(f) GDPR (data processing on the basis of a weighing of interests); this also applies to profiling based on this provision within the meaning of Art. 4(4) GDPR. Objections can be filed via Email or letter to the Controller indicated above.

If you file an objection, we will no longer process your personal data unless we can prove compelling reasons for the processing worthy of protection which outweigh your interests, rights and freedoms, or the processing serves the assertion, exercise or defense of legal claims.

7) Data we collect and how we process it

We collect data, when you are installing, using or otherwise access our service. The data we collect and how we process it, depends on your use of our Service. The making available of personal data is voluntary. However, the processing of data is required for the performance of our Service or parts of our Service, therefore, without certain data we cannot provide our Service or certain features cannot be used.

1. User Account

To use our service, you have to create a user account. This requires that we collect your age, sex and your email address. We may offer the option to voluntarily provide additional information. We use the information provided by you to enable your use of our Service and to communicate with you about our Service and your use of our Service.

If you chose to use our Single Sign-On (SSO) functions, we will receive your personal information from third parties to create your user account or to log you into your user account. Single Sign-On means that you can create an Avatar Cloud user account, or your can log into your Avatar Cloud user account, through the services of third parties such as Facebook or Google.

Legal basis: Entering into and the performance of a contract, or to take steps prior to entering into a contract (Art. 6 (1) lit. b GDPR).

2. Service Provision & Logfiles
Each time you access our service, your user account data is matched for authentication.
Legal basis: Entering into and the performance of a contract, or to take steps prior to entering into a contract (Art. 6 (1) lit. b GDPR).

Logfiles. We also collect and store the following information from your terminal device in so-called log files: device model and hardware and software versions, if provided by your device. Operating system. Mobile carrier, signal strength. Frequency and duration of your use, and which functions you use. If you use our service on multiple devices, we aggregate the data collected on those devices. The log files are deleted or anonymized at the latest at the end of the contract.

We use this data to test, further develop and improve our service. We also use this data to ensure the security of our systems.

Legal basis: Legitimate interest (Art. 6 (1) lit. f GDPR).

3. Avatar
At the heart of our service is a three-dimensional image, a so-called Avatar, which is created when you have yourself scanned in one of our 3D body scanners. The Avatar contains your body measurements, such as your height and shape, eye color, body weight if applicable, and other characteristics unique to you. When you are scanned again, this data will be collected again.

We are aware that especially body measurements in the facial area are particularly sensitive data. We do not use this data to identify a person.

Legal basis: Entering into and the performance of a contract, or to take steps prior to entering into a contract (Art. 6 (1) lit. b GDPR).

We also use this data to test, further develop and improve our service.

Legal basis: Legitimate interest (Art. 6 (1) lit. f GDPR).

4. Customer Service
When you contact our customer service, we collect the information provided by you, for example information about your use of our service and any problems you encountered while using it. We also collect the contact information you provide in order to process and respond to your request.
Legal basis: Legitimate interest in processing your request (Art. 6 (1) lit. f GDPR) and Entering into and the performance of a contract, or to take steps prior to entering into a contract (Art. 6 (1) lit. b GDPR).

5. News Letter
If you have subscribed to our news letter, we use your contact data to send it to you. In order to subscribe to the news letter, you have to order it and confirm your order by clicking on a confirmation link that we will send to you following your order. All our news letters contain an easy un-subscribe link.
Legal Basis: Your consent (Art. 6 (1) lit. a, 7, 8 GDPR)

6. Direct Marketing
We use your contact data to send information about similar products and services offered by us e.g. via E-mail, SMS or Push Notification). You have the right to object to this use of your data at any time, and we will inform you about this tight to object in every message.
Legal basis: Art. 6 (1) lit. f GDPR in conj. with §7 Abs. 3 UWG

Subject to your consent, we will use your contact details to send you information about goods and services listings of our partners, for example via email, SMS or so-called push notification. Your consent is voluntary and can be revoked at any time. We point this out when obtaining your consent. The revocation can be made via our mobile app or by sending an informal message to privacy@avatar.cloud.
Legal Basis: Your consent (Art. 6 (1) lit. a, 7, 8 GDPR)

7. Advertising and other Sponsored Content
We may display  advertisements, offers and other sponsored content to you.
Legal basis: Entering into and the performance of a contract, or to take steps prior to entering into a contract (Art. 6 (1) lit. b GDPR).

We only use personalized data for the display of personalized advertisements subject to your consent. In the settings of our service you can specify the type of offers that may be interesting for you. You can also disable personalized advertising entirely at any time. The selection of the displayed advertising is then no longer based on your personal data.
Legal Basis: Your consent (Art. 6 (1) lit. a, 7, 8 GDPR)

8. Anonymisation
We anonymize Avatars and Avatar data in order to use this anonymized data for commercial purposes. By anonymizing this data, it can no longer be traced back to you.
Legal basis: Entering into and the performance of a contract, or to take steps prior to entering into a contract (Art. 6 (1) lit. b GDPR).

9. Location Data
We only use location-based information such as your current whereabouts if you use a localization function of our service, for example, to show you nearby scanner locations. We only do this if you have revocably consented to this via the settings on your end device, for example, by activating the GPS information of your end device (GPS) for our service. We do not permanently collect your location data.
Legal Basis: Your consent (Art. 6 (1) lit. a, 7, 8 GDPR)

10. Cooperation Partners
NeXR cooperates with other companies so that you can use our service together with the offers of our cooperation partners. In doing so, we either act as contractor, i.e. as processor within the meaning of the GDPR, or we act as Controller within the meaning of the GDPR.

If and to the extent that we act as a contractor of the cooperation partner, the legal basis for the processing of your personal data is your agreement with the respective partner.  In that case, the partner is Controller within the meaning of the GDPR, and the use of your personal data by the partner is subject to the  privacy policy of partner as well as other agreements you may have made with the partner.

The fact that we may act as a contractor does not exclude a separate user relationship between you and us. If you have opened a user account for our service, then within the scope of this relationship we always act as the responsible party (Controller) in the sense of data protection law, and this privacy policy applies. 

If and to the extent that we do not act as contractor of the cooperation partner but in our capacity as the responsible party (Controller), then the processing of your personal data and particularly the transfer of personalized data to any third party is subject to your consent. Your consent will be requested separately within our service and is freely revocable. You can manage the consents granted to us in the settings of our service.
Legal Basis: Your consent (Art. 6 (1) lit. a, 7, 8 GDPR)

11. Service Providers
For the provision of our services we partly use service providers, for example for the provision of technical (infrastructure) services, analysis and design services and payment providers. Insofar as the processing of personal data is part of the service, we oblige our partners to comply with applicable data protection law and conclude agreements, so-called data processing agreements pursuant to Art. 28 GDPR, to ensure our control over the data and the protection of your rights.

Where we use service providers outside the EU and EEA, we ensure that an adequacy decision and/or appropriate safeguards (for example, standard contractual clauses) are in place.

If we offer chargeable services as part of our service, the required transaction data of your purchases will be collected by us and the payment will be processed by external payment service providers. In doing so, they process the required transaction data in accordance with their applicable data protection policies.

12. Google Analytics for Firebase and Firebase Crashlytics
Subject to the consent of our users, we use Google Analytics for Firebase and Firebase Crashlytics. We ask for your consent to our use of Google Analytics for Firebase and Firebase Crashlytics when you first open our app. You are free to grant your consent or not. You can disable the use of Google Analytics for Firebase and Firebase Crashlytics at any time in the app.

The information generated by using Google Analytics for Firebase and Firebase Crashlytics about the use of our app is transmitted to a Google server in the USA with an anonymized IP address and stored there. The IP anonymization function in Analytics sets the last octet to zero for user IP addresses of type IPv4 and the last 80 bits in memory for IPv6 addresses. Therefore, exact IP addresses of our users will not be stored.

Google uses the transmitted information to evaluate your use of our app and  provides summaries of their findings to us. Google reserves the right to transfer this information to third parties. If you agree to the use of Google Analytics for Firebase and Firebase Crashlytics in our app, you consent to the use and processing of the data collected by Google about your use for the purposes described in this Section 12.

The usage data collected in this way forms the basis for statistical, anonymous evaluations from which trends can be identified. Based on these trends the services offered can be improved.

Please note that the level of data protection in the USA might not correspond to that of the European Union. There is currently no adequacy decision of the European Commission in place for the USA. To protect your data after the transfer, we have concluded standard contractual clauses with Google. Please let us know should you want to obtain a copy thereof.
The legal basis for the integration of Google Analytics for Firebase and Firebase Crashlytics is your express consent pursuant to Article 6 (1) p. 1 lit. a and § 25 Abs. 1 TTDSG).

13. No automated decision-making, no Profiling
We do not use fully automated decision-making within the meaning of Article 22 GDPR. Should we use these procedures in individual cases, we will inform you separately about this and about your rights in this regard, insofar as this is required by law.
Except as in connection with the display of personalized advertising as described above, we do not process your data with the aim of automatically evaluating certain personal aspects.

8) YOUR RIGHTS AS A DATA SUBJECT

Subject to statutory conditions, you have the following rights under Article 15 to 22 GDPR:
·       The right to receive information about your personal data;
·       The right to have your personal data corrected;
·       The right to restrict the processing of personal data or to object;
·       The right to have your personal data erased or blocked. Subject to statutory storage duties, data may only be blocked for the duration of these duties;
·       The right to data portability;
·       The right to object to the sale of your data.

You can exercise your rights by mail or email to the address of the data controller indicated in this privacy policy. We will generally respond in the form you choose for your request. To the extent that there are doubts about the identity of the person asserting rights, we reserve the right to request additional information or evidence necessary to confirm their identity.

You may also contact the competent supervisory authority:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219
10969 Berlin
Tel.: +49 (0)30 13889-0
Fax: +49 (0)30 2155050
mailbox@datenschutz-berlin.de

Current version date: 23.12.2022