Privacy Policy snoop-IT! App

Status April 2022

Table of Contents

  1. Name and address of the data controller
  2. Contact information of the Data Protection Officer
  3. Data processing in the snoop-it! app
  4. Rights of the data subject
  5. Deployment of the app and creation of the log files
  6. Email contact
  7. Contact form
  8. Hosting
  9. Plugins used
  10. Use of SDKs
  11. Telemetry data
  12. Authorization management in the app

  1. Name and address of the data controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) and other data protection regulations is:
snoopstar GmbH
In der Steele 11
40599 Duesseldorf
Germany
+49 211 74849 120
contact@snoop-it.de
https://snoop-it.de

  2. Contact information of the Data Protection Officer

The Data Protection Officer of the data controller is:
DataCo GmbH
Dachauer Straße 65
80335 Munich
Germany
+49 89 7400 45840
www.dataguard.de

  3. Data processing in the snoop-it! app

This page provides information on the privacy policy applicable to the snoop-it! app for Android and iOS (“App”). The app is an offer of snoopstar GmbH, In der Steele 11, 40599 Düsseldorf, Germany (“snoop-it!”, “we” or “us”).

1. Scope of processing

The app is based on AR technology and uses the device’s camera to detect objects and experience virtual multimedia content. The following personal data is requested when using the app and is stored and processed anonymously:

  • IP address of the requesting device

In addition, the data listed below is requested, stored and processed during use:

  • unique user, where each user is assigned an anonymized UniqueID (for iOS the identifierForVendor, see also https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor, for Android Settings.Secure.ANDROID_ID, see also https://developer.android.com/reference/android/provider/Settings.Secure#ANDROID_ID), so that it can be determined how many unique users have used our app in any given time period.
  • Number of snoops (i.e. recognitions), this stores how many recognitions or views of AR experiences there are per scene (i.e. target), so that over any period of time it can be determined how many detections there have been for specific motifs/targets.
  • events for so-called button actions; here, the events or so-called button actions are stored for each AR experience, so that it can be determined which actions of an AR experience the users have performed over any period of time.

The data is always transferred through an SSL-secured channel.

2. Purpose of processing

The processing is used to perform the service, to ensure the function, to improve the app and for marketing and advertising purposes.

3. Legal basis for the processing of personal data

The processing is necessary to protect a legitimate interest of our company or a third party and is based on Art. 6 (1) S. 1 let. f GDPR as the legal basis for the processing.

4. Data deletion and storage period

The personal data collected by us for the service will be deleted pursuant to Art. 6 para. 1 S. 1 let. c GDPR after expiry of the tax and commercial law retention and documentation obligations (from HGB, StGB or AO), unless you have consented to further storage in accordance with Art. 6 para. 1 S. 1 let. a GDPR.

5. Possibility of objection and removal

The user may exercise his right of withdrawal at any time by contacting the user’s administrator or snoop-it!. If the user objects to the processing of his personal data for the purpose of performing the service, he will not be able to use snoop-it!. For marketing and advertising purposes, the user may object by electronic means.

  4. Rights of the data subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights against the data controller:

1. Right to information

You may request confirmation from the data controller as to whether the personal data concerning you are being processed by the data controller.
If such processing takes place, you may request information from the data controller about the following:

    • the purposes for which the personal data are processed;
    • the categories of personal data that are processed;
    • the recipients or categories of recipients to whom the personal data concerning you has been or will be disclosed;
    • the intended duration of the storage of the personal data concerning you or, if a concrete specification is not possible in this respect, criteria for the determination of the storage duration;
    • the existence of a right to rectification or deletion of personal data concerning you, a right to restriction of processing by the data controller or a right to object to such processing;
    • the existence of a right of appeal to a regulator;
    • any available information on the origin of the data, if the personal data have not been collected from the data subject;
    • the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR and, at least in these cases, meaningful information about the software involved and the scope and intended effects of such processing for the data subject.

You have the right to request information about whether personal data concerning you is transferred to a third country or to an international organization. In this context, you may request to be informed about the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.

2. Right to rectification

You have a right to rectification and/or completion with regard to the data controller if the personal data concerning you are inaccurate or incomplete. The responsible party will make the correction without undue delay.

3. Right to restriction of processing

Under the following conditions, you may request the restriction of the processing of personal data concerning you:

    • if you contest the accuracy of the personal data concerning you for a period enabling the data controller to verify the accuracy of the personal data;
    • the processing is unlawful and you object to the deletion of the personal data and request the restriction of the use of the personal data instead;
    • the data controller no longer needs the personal data for the purposes of processing, but you need them for the assertion, exercise or defense of legal claims, or
    • if you have objected to the processing pursuant to Art. 21 (1) GDPR and it is not yet clear whether the legitimate grounds of the data controller outweigh your grounds.

Where the processing of personal data concerning you has been restricted, such data may be processed, with the exception of their storage, only with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of substantial public interest of the European Union or a Member State.
If the restriction of processing has been imposed in accordance with the above conditions, you will be informed by the data controller before the restriction is lifted.

4. Right to deletion

a) Obligation to delete

You may request the data controller to delete the personal data concerning you without undue delay, and the data controller will be required to delete such data without undue delay if one of the following grounds applies:

    • The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
    • You revoke your consent on which the processing is based pursuant to Art. 6 (1) p. 1 let. a or Art. 9 (2) let. a GDPR and there is no other legal basis for the processing.
    • You object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 (2) GDPR.
    • The personal data concerning you have been processed unlawfully.
    • The deletion of the personal data concerning you is necessary for compliance with a legal obligation under European Union or Member State law to which the data controller is subject.
    • The personal data concerning you has been collected in relation to information society services offered pursuant to Art. 8 (1) GDPR.

b) Information to third parties

If the data controller has made the personal data concerning you public and is required to delete it pursuant to Article 17(1) of the GDPR, it will take reasonable measures, including technical measures, having regard to the available technology and the cost of implementation, to inform the data processor for the personal data that you, as the data subject, have requested the deletion of all links to, or copies or replications of, such personal data.

c) Exceptions

The right to deletion does not exist insofar as the processing is necessary to

    • exercise the right to freedom of expression and information;
    • for compliance with a legal obligation which requires processing under European Union or Member State law to which the data controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;
    • for reasons of public interest in the area of public health pursuant to Art. 9(2)(h) and (i) and Art. 9(3) GDPR;
    • for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes pursuant to Article 89(1) of the GDPR, where the right referred to in Section a) is likely to render impossible or seriously prejudice the achievement of the purposes of such processing, or
    • for the assertion, exercise or defense of legal claims.

5. Right to information

If you have exercised the right to rectification, deletion or restriction of processing with regard to the data controller, the data controller is required to communicate this rectification or deletion of the data or restriction of processing to all recipients to whom the personal data relating to you have been disclosed, unless this proves impossible or involves a disproportionate effort.

You have the right to be informed about these recipients by the data controller.

6. Right to data portability

You have the right to receive the personal data concerning you that you have provided to the data controller in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another data controller without the data controller to whom the personal data was transmitted being able to prevent you from doing so, provided that

    • the processing is based on consent pursuant to Art. 6 para. 1 sentence 1 let. a GDPR or Art. 9 para. 2 let. a GDPR or on a contract pursuant to Art. 6 para. 1 S. 1 let. b GDPR and
    • the processing is carried out with the help of automated procedures.

In exercising this right, you also have the right to obtain that the personal data concerning you be transferred directly from one data controller to another data controller, where technically feasible. The freedoms and rights of other persons must not be affected by this.

The right to data portability will not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.

7. Right of objection

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data relating to you which is carried out on the basis of Article 6 (1) sentence 1 let. e or f GDPR; this also applies to profiling based on these provisions.

The data controller will no longer process the personal data concerning you unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims.

If the personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling, insofar as it is related to such direct marketing.

If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.

You have the possibility, in connection with the use of information society services – notwithstanding Directive 2002/58/EC – to exercise your right to object by means of automated procedures using technical specifications.

8. Right to revoke the declaration of consent under data protection law

You have the right to revoke your declaration of consent under data protection law at any time. The revocation of consent will not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

9. Automated decision in individual cases including profiling

You have the right not to be subject to any decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision

    • is necessary for the conclusion or fulfillment of a contract between you and the responsible party,
    • is permitted under European Union or Member State law to which the data controller is subject and that law contains appropriate measures to protect your rights and freedoms and legitimate interests, or
    • takes place with your express consent.

However, these decisions will not be based on special categories of personal data as defined in Article 9(1) of the GDPR, unless Article 9(2)(a) or (b) of the GDPR applies and appropriate measures have been taken to protect the rights and freedoms and your legitimate interests.

In the cases mentioned under 1. and 3., the data controller will take reasonable steps to safeguard the rights and freedoms as well as the legitimate interests of the data subject, which will include, at least, the right to obtain the intervention of a data subject on the part of the data controller, to express his perspective and contest the decision.

10. Right to complain to a regulator

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a regulator, in particular in the Member State of your residence, workplace or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.
The regulator to which the complaint has been lodged will inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.

  5. Deployment of the app and creation of the log files

1. Description and scope of data processing

Each time our app is called up, our system automatically collects data and information from the operating system of the calling mobile device.
The following data is collected:

    • Browser type and version
    • Operating system used
    • Referrer URL
    • Name and URL of the retrieved file
    • Name of the access provider
    • Date and time of the server request
    • IP address

This data is stored in the log files of our system. This data is not stored together with other personal data of the user.

2. Purpose of data processing

The temporary storage of the IP address by the system is necessary to enable the delivery of the app to the user’s mobile device. For this purpose, the user’s IP address must remain stored for the duration of the session.

The storage in log files is done to ensure the functionality of the app. In addition, we use the data to optimize the app and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.

These purposes are also our legitimate interest in data processing according to Art. 6 para. 1 S. 1 let. f GDPR.

3. Legal basis for data processing

The legal basis for the temporary storage of the data and the log files is Art. 6 para. 1 S. 1 let. f GDPR.

4. Storage duration

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of data collection for the provision of the app, this is the case when the respective session has ended.

In the case of storage of data in log files, this is the case after seven days at the latest. Storage beyond this is possible. In this case, the IP addresses of the users are deleted or obscured, so that an assignment of the calling client is no longer possible.

5. Possibility of objection and removal

The collection of data for the provision of the app and the storage of the data in log files is mandatory for the operation of the app.

  6. Email contact

1. Description and scope of data processing

Within our app, it is possible to contact us through the email address provided. In this case, the user’s personal data transmitted with the email will be stored.

The data will be used exclusively for the processing of the conversation.

2. Purpose of data processing

In the case of contact by email, this also constitutes the necessary legitimate interest in processing the data.

3. Legal basis for data processing

The legal basis for the processing of the data is Art. 6 para. 1 let. a GDPR, if the user has given his consent.

The legal basis for the processing of the data transmitted in the context of sending an email is Art. 6 (1) let. f GDPR. If the email contact aims at the conclusion of a contract, the additional legal basis for the processing is Art. 6 (1) let. b GDPR.

4. Storage duration

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of personal data transmitted by email, this is the case when the respective conversation with the user has ended. The conversation is over when the circumstances indicate that the issue in question has been conclusively resolved.

The additional personal data collected during the sending process will be deleted after seven days at the latest.

5. Possibility of objection and removal

The user has the possibility to revoke his consent to the processing of personal data at any time. If the user contacts us by email or turns to his company admin, he can object to the storage of his personal data at any time. In such a case, the conversation cannot be continued.

All personal data stored in the course of contacting us will be deleted in this case.

  7. Contact form

1. Description and scope of data processing

A contact form is available in our app for you to contact us by electronic means. If a user makes use of this option, the data entered in the input mask is transmitted to us and stored.
The contact form is provided through the cloud-based tool JIRA Service Desk from Atlassian.

At the time of sending the message, the following data is stored:

  • Email address
  • Name (not mandatory)
  • First name (not mandatory)
  • Telephone/mobile phone number (not mandatory)

Alternatively, you can contact us through the email address provided. In this case, the user’s personal data transmitted with the email will be stored.

The data will be used exclusively for the processing of the conversation.

2. Purpose of data processing

The processing of personal data from the input mask serves us exclusively to process the contact. In the case of contact by email, this also constitutes the necessary legitimate interest in processing the data.

The other personal data that is processed during the sending process is used to prevent misuse of the contact form and to ensure the security of our information technology systems.

3. Legal basis for data processing

The legal basis for the processing of the data transmitted in the context of sending an email is Art. 6 para. 1 S. 1 let. f GDPR. Our legitimate interest is derived from the purpose of the data processing. If the email contact aims at the conclusion or implementation of a contractual relationship, the additional legal basis for the processing is Art. 6 (1) p. 1 let. b GDPR.

4. Storage duration

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. For the personal data from the input mask of the contact form and the data transmitted by email, this is the case when the respective conversation with the user has ended. The conversation is over when the circumstances indicate that the issue in question has been conclusively resolved.

The additional personal data collected during the registration process will be deleted at the latest after termination of the contractual relationship or after termination of the general use of the app.

5. Possibility of objection and removal

The user has the possibility to revoke his consent to the processing of personal data at any time. If the user contacts contact@snoop-it.de by email, he can object to the storage of his personal data at any time. In such a case, the conversation cannot be continued.

  8. Hosting

The app is hosted on servers of a service provider contracted by us.
Our hosting service providers are:

    • BitPioneers GmbH
    • Parametric Technology GmbH
    • jointMedia nv in Belgium

We have concluded an order processing agreement with all service providers, in which we oblige the respective service provider to protect user data and not to pass it on to third parties.
The servers automatically collect and store information in so-called server log files, which the app automatically transmits during a visit. The information stored is:

    • Browser type and version
    • Operating system used
    • Referrer URL
    • Name and URL of the retrieved file
    • Name of the access provider
    • Date and time of the server request
    • IP address

This data is not merged with other data sources. The collection of this data is based on Art. 6 para. 1 let. f GDPR. The app operator has a legitimate interest in the technically error-free presentation and optimization of its app – for this purpose, the server log files must be recorded.
The location of the app backend servers is geographically in Germany.

  9. Plugins used

We use plugins for various purposes. The plugins used are listed below:

Name | Provider | Transfer to a third country | Purpose | Legal basis
Google Analytics | Google Ireland GmbH | USA | Analysis of user behavior | Art. 6 para. 1 p. 1 let. a GDPR
Google Tag Manager | Google Ireland GmbH | USA | Analysis of user behavior | Art. 6 para. 1 p. 1 let. a GDPR
Google Firebase | Google Ireland GmbH | USA | Analysis of user behavior | Art. 6 para. 1 p. 1 let. a GDPR
JIRA Service Desk | Atlassian Pty Ltd | USA | Processing of user requests | Art. 6 para. 1 p. 1 let. a GDPR

1. Storage duration

Your personal information will be retained for as long as necessary to fulfill the purposes described in this Privacy Policy or as required by law, such as for tax and accounting purposes.

2. Transfer to third countries

When using plugins marked with third country transfer or USA, personal data may be transferred to servers in the USA. The legal basis for this transfer is consent pursuant to Art. 6 (1) p. 1 let. a GDPR. The United States of America does not provide an adequate level of data protection based on a decision of the European Union. The main risk of transmission lies in the obligation of plug-in providers to make user data accessible to American authorities under certain circumstances. An order processing contract with standard contractual clauses is currently being concluded with all providers in order to make transfers to third countries as data protection-friendly and secure as possible. Adjustments to the ECJ ruling of July 16, 2020 (Schrems II, Ref. C-311/18) including additional safeguards are currently being sought by us.

3. Possibility of revocation and removal

You have the right to revoke your declaration of consent under data protection law at any time. The revocation of consent will not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

You can prevent the collection as well as the processing of your personal data by the respective providers by preventing third-party cookies from being stored on your computer, using the “Do Not Track” function of a supporting browser, disabling the execution of script code in your browser or installing a script blocker such as NoScript (https://noscript.net/) or Ghostery (https://www.ghostery.com) in your browser.

  10. Use of SDKs

1. Description of the use of SDKs

We use SDKs (Software Development Kits) to provide functional modules. For this purpose, the code used is embedded in the SDKs.
Third-party libraries used:

    • Vuforia

No personal data is processed or stored during this process.

  11. Telemetry data

1. Description and scope of data processing

We collect telemetry data in our app. We implement this with the service providers better operating hours. The following personal data are processed as part of telemetry data processing:

  • IP address

2. Purpose of data processing

The data will be processed for the following purposes:

  • Infrastructure monitoring
  • App monitoring
  • Optimisation of resources
  • Troubleshooting
  • Protocol analysis

3. Legal basis for data processing

The collection of this data is based on Art. 6 para. 1 let. f GDPR. The app operator has a legitimate interest in the technically error-free presentation and optimization of its app – for this purpose, the server log files must be recorded.

4. Storage duration

Your personal information will be retained for as long as necessary to fulfill the purposes described in this Privacy Policy or as required by law.

5. Possibilities of objection and removal

To make the objection valid, users can write an informal email to contact@snoop-it.de.

  12. Authorization management in the app

1. Description of the permissions

The app requires the following sharing permissions to use some features:

  • iOS
    • Camera
    • Location Services
  • Android
    • Camera
    • Location

2. Purpose of the permissions

The various permissions are required for the following functions:

  • Camera
    • For subject detection and AR content playout.
  • Location
    • For the geo-based playout of AR content

This privacy policy was created with the assistance of DataGuard.