Privacy Policy of collectID

V1.2 – 18.05.2020

We ("collectID", "us", "we", or "our") are committed to protecting your privacy when using the collectID application (hereinafter referred to as the "Application" or the "Service"). The Application is a product authentication ecosystem allowing users to easily authenticate and trade products by simply tapping their smartphone on the product. Through the combination of blockchain technology and NFC hardware, collectID fights the problem of counterfeiting. Thus, collectID reinforces consumer confidence in brands and retailers while simultaneously creating a new, secure resale market.

This page informs you of our policies regarding the collection, use and disclosure of Personal Data when you use our Application and the choices you have associated with that Data.

By using the Application, you agree to the collection and use of information in accordance with this Policy. Unless otherwise defined in this Privacy Policy, the terms used in this Privacy Policy have the same meanings as in our Terms and Conditions.

1 Definitions

Personal Data: Personal Data means data about an individual who can be identified through the data (or from the data and other information either in our possession or likely to come into our possession). Section 2 explains which Personal Data we collect about you when you use our Application and how.

Data Subject (or User): Data Subject is any individual who is using our Application and is the subject of Personal Data.

Data Controller: Data Controller means the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal information is, or is to be, processed. For the purpose of this Privacy Policy, we are a Data Controller of your Personal Data.

Data Processor (or Service Provider): Data Processor (or Service Provider) means any natural or legal person who processes the Personal Data on behalf of the Data Controller. We may use the services of various Service Providers in order to process your Personal Data more effectively. A list of the Service Providers we are currently using can be found in Section 10 'Service Providers'.

Blockchain: Blockchain is a data structure that is designed to maintain a digital ledger of transactions. The software that manages a Blockchain works by distributing copies of this ledger to every computer running the software, creating a decentralized network of machines that all hold the same exact transaction history. When an entry is added to the ledger on one machine, every other machine participating in the network must update its ledger to match the changes.

The Blockchain can be thought of, more familiarly, as an extra secure database with the added benefits of transparency, decentralization and immutability of data. This is how we store the details of your collection so that, by virtue of some clever cryptography, only you have the credentials to transfer the ownership of your products. Blockchain technology ensures that the collectID product ecosystem is as secure as technically possible.

NFC: NFC stands for Near Field Communication. It is a technology that enables a wireless connection between battery-free, passive tags and a reading device such as a smartphone. NFC technology is already being used intensively in areas such as payment transactions, e.g. NFC tags enable contactless payments with credit and debit cards.

2 How we collect personal data

2.1 Our approach to data collection

We collect information about you when you use our Application, including browsing and taking certain actions within it.

2.2 Directly

We collect information directly through the following actions.

2.3 Indirectly

We also collect information indirectly as follows.

3 How we collect product data

The product data ("Product Data") consists of the following information: tag ID, product ID, product name, product details and product photo.

At the moment, the collectID NFC tags (the "Tags") can be found on selected sneaker brands, high-end watches, and sports merchandise. You can add a product to your collection by scanning the Tag with your smartphone and pressing “add to my collection”. The product tag ID (the "Tag ID") is stored on the Blockchain (please see Section 6 'Storage and Data Transfers' for a more thorough explanation of what this entails).

The Tags contain an encrypted URL (web address) and a unique NFC-ID to identify the product. The Tags do not contain any other data, and they have no access to the data stored on your device (smartphone). No customer personal data is stored on the Tags, and geolocation is impossible through the Tags.

While Tags do not contain your Personal Data, please note that disclosing ownership of rare products to third parties e.g. on social media may lead to the identification of other products in your collection by another user of the Application.

4 Legal basis and purposes

4.1 Our approach

Our legal basis for collecting and using the Personal Data described in this Privacy Policy depends on the Personal Data we collect and the specific purposes for which we collect it.

4.2 Contract

We process your Personal Data to perform our contractual obligations or take steps linked to a contract with you.

The purposes are the following:

4.3 Consent

We may rely on your freely given consent at the time you provided your Personal Data.

The purposes are the following:

4.4 Legitimate interests

We may rely on legitimate interests based on our evaluation that the processing is fair, reasonable and balanced.

The purposes are the following:

4.5 Public interest

We may process your Personal Data to meet regulatory and public interest obligations.

The purpose is the following:

5 Data retention

We retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy, and to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes and enforce our legal agreements and policies.

Data that is stored on the Blockchain is immutable. This means that it cannot be deleted. For that reason, we refrain from storing Personal Data on it, save for the Blockchain Wallet. Once, however, your Personal Data has been deleted on the basis of a legal requirement or the exercise of your data protection rights, the Blockchain Wallet is no longer connected to you. For more information on this, please refer to the 'Right to erasure' under Section 9.

6 Storage and data transfers

6.1 Our approach to data storage

We care for your privacy and data protection rights (as described in Section 9). We have therefore opted for a granular approach when it comes to storing data.

6.2 Storing personal data

We do not store your Personal Data on the Blockchain, with the exception of the Blockchain Wallet (please refer to Section 6.3 below).

We store your Personal Data on Google Cloud Storage. Google Cloud Storage is a hosting service provided by Google LLC or by Google Ireland Limited, depending on the location this Application is accessed from. Google LLC is certified under the EU-U.S. Privacy Shield, which establishes appropriate and suitable safeguards to ensure compliance with the GDPR according to the EU Commission decision of 12 July 2016 (C(2016) 4176).

If you are located outside Switzerland and choose to provide information to us, please be aware that the data protection laws may differ from those of your jurisdiction.

We take all the steps reasonably necessary to ensure that no transfer of your Personal Data will take place to an organisation or a country unless there are adequate controls in place including the security of your Personal Data.

In particular, for transfers of Personal Data outside the EEA, contracts containing the EU Standard Contractual Clauses according to the EU Commission decisions of 27 December 2004 (2004/915/EC) and 05 February 2010 (C(2010)593) constitute appropriate and suitable safeguards to ensure compliance with GDPR. In addition to Standard Contractual Clauses, we may use data processors that are certified under the EU-U.S. Privacy Shield, which establishes appropriate and suitable safeguards to ensure compliance with the GDPR according to the EU Commission decision of 12 July 2016 (C(2016) 4176). Please refer to Section 10 'Service Providers' for a full list of the data processors that we use.

6.3 Storing the blockchain wallet and product data

The only information that we store on the Blockchain is the Blockchain Wallet (as defined under Section 2 'How We Collect Personal Data') as well as Product Data (as defined under Section 3 'How We Collect Product Data').

As explained above, the Blockchain is a transparent database. This means that the information stored on it is publicly accessible. While the Tag ID does not contain Personal Data, you should be aware that disclosing past or current possession of a rare product may result in the identification of other products in your collection through the information available on the Blockchain Wallet.

The Blockchain is also a decentralized database. This means that the information stored on the Blockchain is not stored on one, central location (such as e.g. your Personal Data on Google Cloud Storage), but distributed throughout the network. Therefore, collectID has no control over whether the Product Data is stored inside or outside the EEA.

7 Data disclosure

We may disclose your Personal Data in the good faith belief that such action is necessary to:

8 Data security

8.1 Our approach to data security

We take reasonable technical and organizational security measures that we deem appropriate in order to protect data, be it Personal Data or Product Data, against manipulation, loss, or unauthorized third-party access. Our security measures are continually adapted to technological developments.

We also take internal data privacy very seriously. Our employees and the service providers that we retain are required to maintain secrecy and to comply with applicable data protection legislation. In addition, they are granted access to personal data only insofar as this is necessary for them to carry out their respective tasks or mandate.

We take all the steps reasonably necessary to ensure that no transfer of your Personal Data will take place to an organisation or a country unless there are adequate controls in place including the security of your Personal Data (as described in Section 6 'Storage and Data Transfers').

The security of your Personal Data is important to us, but remember that no method of transmission over the Internet or method of electronic storage, be it cloud-, storage-, or blockchain-based, is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.

The following Sections describe the steps we have taken to protect your Personal Data.

8.2 Confidentiality

Physical access control: No unauthorised access to our facilities.

Electronic access control: No unauthorised use of the Personal Data processing and storage systems.

Internal access control: No unauthorised reading, copying, changes or deletions of Personal Data within the system.

Pseudonymization: The processing of Personal Data in such a way that the data cannot be associated with a specific person without the assistance of additional information, provided that this additional information is stored separately and is subject to appropriate technical and organisational measures.

8.3 Integrity

Data transfer control: No unauthorised reading, copying, changes or deletions of Personal Data with electronic transfer or transport.

Data entry control: Verification whether and by whom Personal Data is entered into a data processing system, is changed or deleted.

Blockchain: No unauthorised reading, copying, changes or deletions of the Blockchain Wallet and Product Data.

8.4 Availability and resilience

Availability control: Prevention of accidental or wilful destruction or loss.

Contract control: No third-party data processing as per Article 28 GDPR without corresponding instructions from the Client.

Data Protection policies: The processing of Personal Data in alignment with internal Policies by trained staff.

9 Data protection rights

9.1 Your data protection rights

You have certain data protection rights. We will respond to your request without undue delay, at the latest within one calendar month after receipt. Please note that we may ask you to verify your identity before responding to such requests.

9.2 Right to access

You have a right to request a copy of the Personal Data held by us as a data controller, which we will provide to you in an electronic form.

9.3 Right to amendment

You have the right to ask us to correct our records if you believe they contain incorrect or incomplete information about you.

9.4 Right to withdraw consent

If you have provided your consent to the collection, processing and transfer of your Personal Data, you have the right to fully or partly withdraw your consent. This includes cases where you wish to opt out from marketing messages.

Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose(s) to which you originally consented unless there is another Legal Basis for the processing.

You may use the Application privacy dashboard to adjust your consent settings. To stop receiving emails from us, please click on the 'unsubscribe' link in the email you received from us or contact us at info@collectid.io.

9.5 Right to erasure

You have the right to request that we delete your Personal Data when it is no longer necessary for the Purposes for which it was collected, or when it was unlawfully processed.

When you exercise your right to erasure, your user account and all associated data will be deleted from our database. The Blockchain Wallet (i.e. the user public address, related transaction history and related Tag ID(s)) will persist, as data that is stored on the Blockchain is immutable, but all connections between the Blockchain Wallet and your user account will be deleted. The products in your collection will be deleted from our database.

9.6 Right to restriction of processing

You have the right to request the restriction of our processing of your Personal Data where you believe it to be inaccurate, our processing is unlawful, or where we no longer need to process it for the initial Purpose, but where we are not able to delete it due to a legal obligation or because you do not want us to delete it.

9.7 Right to portability

You have the right to request that we transmit your Personal Data to another data controller in a common format such as Excel, where this is data which you have provided to us and where we are processing it on the Legal Basis of your consent or in order to perform our contractual obligations (e.g. to provide our Services).

9.8 Right to object to processing

Where the Legal Basis for our processing of your Personal Data is our legitimate interest, you have the right to object to such processing on grounds relating to your particular situation. We will abide by your request unless we have a compelling legitimate Legal Basis for the processing which overrides your interests, or if we need to continue to process the Data for the establishment, exercise or defence of a legal claim.

9.9 Right to lodge a complaint with a supervisory authority

You have the right of appeal to a data protection supervisory authority if you believe that the processing of your personal data violates data protection law.

In Switzerland, you may contact the Federal Data Protection and Information Commissioner, Feldeggweg 1, CH-3003 Bern.

10 Service providers

10.1 Our approach to service providers

We may employ third party companies and individuals to facilitate the operation of our Application ("Service Providers"), provide the Application on our behalf, perform Application-related services, assist us in analysing how our Application is used or help us provide you with tailor-made offers and exclusive deals. These third parties have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

10.2 Functional services providers

10.2.1 Google Cloud Storage

Google Cloud Storage is provided by Google LLC/Google Ireland. This type of service has the purpose of hosting Data and files that enable this Application to run and be distributed as well as to provide a ready-made infrastructure to run specific features or parts of this Application. Some of these services work through geographically distributed servers, making it difficult to determine the actual location where the Personal Data are stored.

Google Cloud Storage is a hosting service provided by Google LLC or by Google Ireland Limited, depending on the location this Application is accessed from.

To find out more about Google Cloud Storage, please access their Privacy Policy: https://policies.google.com/privacy.

10.2.2 Auth0

Auth0 is provided by Auth0 Inc. Auth0 is a registration and authentication service provided by Auth0 Inc. To simplify the registration and authentication process, Auth0 can make use of third-party identity providers and save the information on its platform.

The Personal Data collected consists of: email address; first name; last name; password; picture.

The place of processing is the United States. For more information you may visit https://auth0.com/privacy. Auth0 Inc. is a Privacy Shield participant.

10.2.3 Facebook Authentication

Facebook Authentication is provided by Facebook Inc. Facebook Authentication is a registration and authentication service provided by Facebook Inc. and is connected to the Facebook social network.

The place of processing is the United States. For more information you may visit https://www.facebook.com/help/405977429438260. Facebook Inc. is a Privacy Shield participant.

10.2.4 Google OAuth

Google OAuth is operated by Google LLC/Google Ireland Limited. Google OAuth is a registration and authentication service provided by Google LLC or by Google Ireland Limited, depending on the location this Application is accessed from, and is connected to the Google network.

The place of processing is the United States. For more information you may visit https://policies.google.com/privacy. Google LLC is a Privacy Shield participant.

10.3 Social media services providers

We use Facebook account access. Facebook account access is provided by Facebook Inc. This service allows this Application to connect with your Facebook account, provided by Facebook Inc.

The permissions asked are: contact email, email address, share function.

The place of processing is the United States. For more information you may visit https://www.facebook.com/policy.php. Facebook Inc. is a Privacy Shield participant.

10.4 Commercial partners

Commercial Partners consist of product producers, product authenticators and sellers.

We share the following anonymous and anonymised information with our Commercial Partners on the basis of our legitimate interest to improve our Service:

We share the following Personal Data with our Commercial Partners on the basis of your explicit consent:

We will never share Personal Data with our Commercial Partners without your explicit, freely given, informed and specific consent. You can opt in and out of sharing information with our Commercial Partners by managing your preferences in the Application privacy dashboard.

11 Tracking systems

We may employ tracking systems such as Google Analytics or similar services on our Application. These are services provided by third parties, which may be located in any country worldwide (in the case of Google Analytics, Google LLC is in the U.S., www.google.com) and which allow us to measure and evaluate the use of our Application (on an anonymized basis). For this purpose, permanent cookies are used, which are set by the Service Provider.

The Service Provider may receive Personal Data e.g. your device identifier and your use of the Application on the basis of your explicit consent.

We reserve the right, if required, to employ other tracking systems than those named herein for the specified purpose.

12 Links to third-party sites

Our Application may contain links to sites that are not operated by us. If you click a third-party link, you will be directed to that third party’s site or service.

We have no control over and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.

13 Changes to this privacy policy

We may update our Privacy Policy from time to time.

We will notify you via email and/or a prominent notice on our Application, prior to the change becoming effective and update the 'effective date' at the top of this Privacy Policy, but we encourage you to review this Privacy Policy periodically for any changes.

Changes to this Privacy Policy are effective when they are posted on this page.

14 Contact us

If you have any questions about this Privacy Policy, please contact us at:

collectID AG
Rietbergstrasse 33
9403 Goldach
Switzerland
info@collectid.io