V1.2 – 18.05.2020
We ("collectID", "us", "we", or "our") are committed to protecting your privacy when using the collectID application (hereinafter referred to as the "Application" or the "Service"). The Application is a product authentication ecosystem allowing users to easily authenticate and trade products by simply tapping their smartphone on the product. Through the combination of blockchain technology and NFC hardware, collectID fights the problem of counterfeiting. Thus, collectID reinforces consumer confidence in brands and retailers while simultaneously creating a new, secure resale market.
This page informs you of our policies regarding the collection, use and disclosure of Personal Data when you use our Application and the choices you have associated with that Data.
Personal Data: Personal Data means data about an individual who can be identified through the data (or from the data and other information either in our possession or likely to come into our possession). Section 2 explains which Personal Data we collect about you when you use our Application and how.
Data Subject (or User): Data Subject is any individual who is using our Application and is the subject of Personal Data.
Data Processor (or Service Provider): Data Processor (or Service Provider) means any natural or legal person who processes the Personal Data on behalf of the Data Controller. We may use the services of various Service Providers in order to process your Personal Data more effectively. A list of the Service Providers we are currently using can be found in Section 10 'Service Providers'.
Blockchain: Blockchain is a data structure that is designed to maintain a digital ledger of transactions. The software that manages a Blockchain works by distributing copies of this ledger to every computer running the software, creating a decentralized network of machines that all hold the same exact transaction history. When an entry is added to the ledger on one machine, every other machine participating in the network must update their ledger to match the changes.
The Blockchain can be thought of, more familiarly, as an extra secure database with the added benefits of transparency, decentralization and immutability of data. This is how we store the details of your collection so that, by virtue of some clever cryptography, only you have the credentials to transfer the ownership of your products. Blockchain technology ensures that the collectID product ecosystem is as secure as technically possible.
NFC: NFC stands for Near Field Communication. It is a technology that enables a wireless connection between battery-free, passive tags and a reading device such as a smartphone. NFC technology is already being used intensively in areas such as payment transactions, e.g. NFC tags enable contactless payments with credit and debit cards.
We collect information about you when you use our Application, including browsing and taking certain actions within it.
We collect information directly through the following actions.
We also collect information indirectly as follows.
The product data ("Product Data") consists of the following information: tag ID, product ID, product name, product details and product photo.
At the moment, the collectID NFC tags (the "Tags") can be found on selected sneaker brands, high-end watches, and sports merchandise. You can add a product to your collection by scanning the Tag with your smartphone and pressing “add to my collection”. The product tag ID (the "Tag ID") is stored on the Blockchain (please see Section 6 'Storage and Data Transfers' for a more thorough explanation of what this entails).
The Tags contain an encrypted URL (web address) and a unique NFC-ID to identify the product. The Tags do not contain any other data, and they have no access to the data stored on your device (smartphone). No customer personal data is stored on the Tags, and geolocation is impossible through the Tags.
While Tags do not contain your Personal Data, please note that disclosing ownership of rare products to third parties, e.g. on social media, may lead to the identification of other products in your collection by another user of the Application.
We process your Personal Data to perform our contractual obligations or take steps linked to a contract with you.
The purposes are the following:
We may rely on your freely given consent at the time you provided your Personal Data.
The purposes are the following:
We may rely on legitimate interests based on our evaluation that the processing is fair, reasonable and balanced.
The purposes are the following:
We may process your Personal Data to meet regulatory and public interest obligations.
The purpose is the following:
Data that is stored on the Blockchain is immutable. This means that it cannot be deleted. For that reason, we refrain from storing Personal Data on it, save for the Blockchain Wallet. Once, however, your Personal Data has been deleted on the basis of a legal requirement or the exercise of your data protection rights, the Blockchain Wallet is no longer connected to you. For more information on this, please refer to the 'Right to erasure' under Section 9.
We care for your privacy and data protection rights (as described in Section 9). We have therefore opted for a granular approach when it comes to storing data.
We do not store your Personal Data on the Blockchain, with the exception of the Blockchain Wallet (please refer to Section 6.3 below).
We store your Personal Data on Google Cloud Storage. Google Cloud Storage is a hosting service provided by Google LLC or by Google Ireland Limited, depending on the location this Application is accessed from. Google LLC is certified under the EU-U.S. Privacy Shield, which establishes appropriate and suitable safeguards to ensure compliance with the GDPR according to the EU Commission decision of 12 July 2016 (C(2016) 4176).
If you are located outside Switzerland and choose to provide information to us, please be aware that the data protection laws may differ from those of your jurisdiction.
We take all the steps reasonably necessary to ensure that no transfer of your Personal Data will take place to an organisation or a country unless there are adequate controls in place including the security of your Personal Data.
In particular, for transfers of Personal Data outside the EEA, contracts containing the EU Standard Contractual Clauses according to the EU Commission decisions of 27 December 2004 (2004/915/EC) and 05 February 2010 (C(2010)593) constitute appropriate and suitable safeguards to ensure compliance with GDPR. In addition to Standard Contractual Clauses, we may use data processors that are certified under the EU-U.S. Privacy Shield, which establishes appropriate and suitable safeguards to ensure compliance with the GDPR according to the EU Commission decision of 12 July 2016 (C(2016) 4176). Please refer to Section 10 'Service Providers' for a full list of the data processors that we use.
The only information that we store on the Blockchain is the Blockchain Wallet (as defined under Section 2 'How We Collect Personal Data') as well as Product Data (as defined under Section 3 'How We Collect Product Data').
As explained above, the Blockchain is a transparent database. This means that the information stored on it is publicly accessible. While the Tag ID does not contain Personal Data, you should be aware that disclosing past or current possession of a rare product may result in the identification of other products in your collection through the information available on the Blockchain Wallet.
The Blockchain is also a decentralized database. This means that the information stored on the Blockchain is not stored in one central location (such as your Personal Data on Google Cloud Storage), but distributed throughout the network. Therefore, collectID has no control over whether the Product Data is stored inside or outside the EEA.
We may disclose your Personal Data in the good faith belief that such action is necessary to:
We take reasonable technical and organizational security measures that we deem appropriate in order to protect data, be it Personal Data or Product Data, against manipulation, loss, or unauthorized third-party access. Our security measures are continually adapted to technological developments.
We also take internal data privacy very seriously. Our employees and the service providers that we retain are required to maintain secrecy and to comply with applicable data protection legislation. In addition, they are granted access to personal data only insofar as this is necessary for them to carry out their respective tasks or mandate.
We take all the steps reasonably necessary to ensure that no transfer of your Personal Data will take place to an organisation or a country unless there are adequate controls in place including the security of your Personal Data (as described in Section 6 'Storage and Data Transfers').
The security of your Personal Data is important to us, but remember that no method of transmission over the Internet or method of electronic storage, be it cloud-, storage-, or blockchain-based, is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.
The following Sections describe the steps we have taken to protect your Personal Data.
Physical access control: No unauthorised access to our facilities.
Electronic access control: No unauthorised use of the Personal Data processing and storage systems.
Internal access control: No unauthorised reading, copying, changes or deletions of Personal Data within the system.
Pseudonymization: The processing of Personal Data in such a way that the data cannot be associated with a specific person without the assistance of additional information, provided that this additional information is stored separately and is subject to appropriate technical and organisational measures.
Data transfer control: No unauthorised reading, copying, changes or deletions of Personal Data with electronic transfer or transport.
Data entry control: Verification whether and by whom Personal Data is entered into a data processing system, is changed or deleted.
Blockchain: No unauthorised reading, copying, changes or deletions of the Blockchain Wallet and Product Data.
Availability control: Prevention of accidental or wilful destruction or loss.
Contract control: No third-party data processing as per Article 28 GDPR without corresponding instructions from the Client.
Data Protection policies: The processing of Personal Data in alignment with internal Policies by trained staff.
You have certain data protection rights. We will respond to your request without undue delay, at the latest within one calendar month after receipt. Please note that we may ask you to verify your identity before responding to such requests.
You have a right to request a copy of the Personal Data held by us as a data controller, which we will provide to you in an electronic form.
You have the right to ask us to correct our records if you believe they contain incorrect or incomplete information about you.
If you have provided your consent to the collection, processing and transfer of your Personal Data, you have the right to fully or partly withdraw your consent. This includes cases where you wish to opt out from marketing messages.
Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose(s) to which you originally consented unless there is another Legal Basis for the processing.
You may use the Application privacy dashboard to adjust your consent settings. To stop receiving emails from us, please click on the 'unsubscribe' link in the email you received from us or contact us at email@example.com.
You have the right to request that we delete your Personal Data when it is no longer necessary for the Purposes for which it was collected, or when it was unlawfully processed.
When you exercise your right to erasure, your user account and all associated data will be deleted from our database. The Blockchain Wallet (i.e. the user public address, related transaction history and related Tag ID(s)) will persist, as data that is stored on the Blockchain is immutable, but all connections between the Blockchain Wallet and your user account will be deleted. The products in your collection will be deleted from our database.
You have the right to request the restriction of our processing of your Personal Data where you believe it to be inaccurate, our processing is unlawful, or where we no longer need to process it for the initial Purpose, but where we are not able to delete it due to a legal obligation or because you do not want us to delete it.
You have the right to request that we transmit your Personal Data to another data controller in a common format such as Excel, where this is data which you have provided to us and where we are processing it on the Legal Basis of your consent or in order to perform our contractual obligations (e.g. to provide our Services).
Where the Legal Basis for our processing of your Personal Data is our legitimate interest, you have the right to object to such processing on grounds relating to your particular situation. We will abide by your request unless we have a compelling legitimate Legal Basis for the processing which overrides your interests, or if we need to continue to process the Data for the establishment, exercise or defence of a legal claim.
You have the right of appeal to a data protection supervisory authority if you believe that the processing of your personal data violates data protection law.
In Switzerland, you may contact the Federal Data Protection and Information Commissioner, Feldeggweg 1, CH-3003 Bern.
We may employ third party companies and individuals to facilitate the operation of our Application ("Service Providers"), provide the Application on our behalf, perform Application-related services, assist us in analysing how our Application is used or help us provide you with tailor-made offers and exclusive deals. These third parties have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.
Google Cloud Storage is provided by Google LLC/ Google Ireland. This type of service has the purpose of hosting Data and files that enable this Application to run and be distributed as well as to provide a ready-made infrastructure to run specific features or parts of this Application. Some of these services work through geographically distributed servers, making it difficult to determine the actual location where the Personal Data are stored.
Google Cloud Storage is a hosting service provided by Google LLC or by Google Ireland Limited, depending on the location this Application is accessed from.
Auth0 is provided by Auth0 Inc. Auth0 is a registration and authentication service provided by Auth0 Inc. To simplify the registration and authentication process, Auth0 can make use of third-party identity providers and save the information on its platform.
The Personal Data collected consists of: email address; first name; last name; password; picture.
The place of processing is the United States. For more information you may visit https://auth0.com/privacy. Auth0 Inc. is a Privacy Shield participant.
Facebook Authentication is provided by Facebook Inc. Facebook Authentication is a registration and authentication service provided by Facebook Inc. and is connected to the Facebook social network.
The place of processing is the United States. For more information you may visit https://www.facebook.com/help/405977429438260. Facebook Inc. is a Privacy Shield participant.
Google OAuth is operated by Google LLC/ Google Ireland Limited. Google OAuth is a registration and authentication service provided by Google LLC or by Google Ireland Limited, depending on the location this Application is accessed from and is connected to the Google network.
The place of processing is the United States. For more information you may visit https://policies.google.com/privacy. Google LLC is a Privacy Shield participant.
We use Facebook account access. Facebook account access is provided by Facebook Inc. This service allows this Application to connect with your Facebook account, provided by Facebook Inc.
The permissions asked are: contact email, email address, share function.
The place of processing is the United States. For more information you may visit https://www.facebook.com/policy.php. Facebook Inc. is a Privacy Shield participant.
Commercial Partners consist of product producers, product authenticators and sellers.
We share the following anonymous and anonymised information with our Commercial Partners on the basis of our legitimate interest to improve our Service:
We share the following Personal Data with our Commercial Partners on the basis of your explicit consent:
We will never share Personal Data with our Commercial Partners without your explicit, freely given, informed and specific consent. You can opt in and out of sharing information with our Commercial Partners by managing your preferences in the Application privacy dashboard.
We may employ tracking systems such as Google Analytics or similar services on our Application. These are services provided by third parties, which may be located in any country worldwide (in the case of Google Analytics, Google LLC is in the U.S., www.google.com) and which allow us to measure and evaluate the use of our Application (on an anonymized basis). For this purpose, permanent cookies are used, which are set by the Service Provider.
The Service Provider may receive Personal Data, e.g. your device identifier and your use of the Application, on the basis of your explicit consent.
We reserve the right, if required, to employ other tracking systems than those named herein for the specified purpose.
Our Application may contain links to sites that are not operated by us. If you click a third-party link, you will be directed to that third party’s site or service.
We have no control over and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.