Skinly App Privacy Policy

THE PROTECTION OF YOUR DATA IS IMPORTANT TO US!

For us not only the care and protection of your skin is important. We also attach great importance to the protection of your personal data. That's why we respect your privacy and want you to be able to trust us as much when it comes to data protection as when it comes to skin care. We always inform you transparently about what we need your data for and if and for how long we store it. This allows you to decide for yourself for which purposes we may use your data. To ensure the best possible security, the information is always transmitted to us in encrypted form. If you no longer wish us to use your data, please let us know informally, for example by email.

1. General Information

The purpose of this privacy policy is to provide you with information concerning the processing of personal data when using our app and related services.

1.1. Processing of Personal Data
Personal data within the meaning of Art. 4 of the EU General Data Protection Regulation (GDPR) are all information relating to an identified or identifiable natural person, e.g. name, address, email address, etc.

1.2. Controller
Responsible for the processing of personal data within the meaning of Art. 4 (7) GDPR is: Beiersdorf AG, Unnastraße 48, 20253 Hamburg, Germany.

Contact details of the data protection officer: Dataprotection[at]Beiersdorf.com or under the postal address of the controller for the attention of the “data protection officer”.

1.3. Rights of the Data Subject
As data subject affected by the data processing activity, you have the following rights with regard to your personal data in accordance with the legal provisions:

  • Right of access;
  • Right to rectification and to erasure;
  • Right to restriction of processing;
  • Right to data portability; and
  • Right to object.

Furthermore, you have the right to lodge a complaint with a supervisory authority concerning the processing of your personal data.

When we work on your above-mentioned right, we may ask you for proof of your identity. For more information on how we process your data, see 3.1.

1.4. Disclosure to Authority
In the event of a legal obligation, we reserve the right to disclose information about you if we are required to surrender it to competent authorities or law enforcement bodies.

Legal basis: Art. 6 (1) c) GDPR (legal obligation)

2. Collection of Personal Data when Downloading and Using our App

When downloading our app via App Store, all required information will be transferred to the App Store, in particular the user name, email address and customer number of your account, timestamp of download, payment information and the individual device code number. We have no influence on this data collection and are not responsible for it. We only process the data if it is necessary for downloading the app to your mobile device.

When using the app, we collect the personal data that enables convenient use of the functions. If you want to use our app, we collect the data that is technically necessary for us to offer you the functions of our app and to guarantee stability and security. For identification purpose we generate an individual ID and use the unique ID of the measuring device.

Further information which data we collect when you create an account can be found under the section “Login Profile”.

We might transfer the collected data to the responsible internal departments and other affiliated companies of the Beiersdorf Group or to external service providers, processors (e.g. hosting) for processing in accordance with the required purposes (to display the app and to create the content).

The data you store locally on your mobile device when using the app is only stored until you delete the app on your mobile device.

The data you provide us with will only be stored by us for as long as it is necessary for the fulfilment of the respective purpose, i.e. the performance of our studies for which you have provided us with your data, or for compliance with legal regulations.

Legal basis:

Art. 6 (1) b GDPR (situation similar to a contract)

Art. 6 (1) a GDPR (consent)

2.1. Access Permissions to Functions on your Mobile Device
The app accesses only those functions of your smartphone that are required for the described purposes.

Android:  Used for network communication
permission.INTERNET

Used for Wifi/Hotspot connectivity with measuring device 
permission.ACCESS_NETWORK_STATE 
permission.ACCESS_WIFI_STATE 
permission.CHANGE_WIFI_STATE 
permission.ACCESS_FINE_LOCATION (required when getting the current connected SSID)

Used to interact with the Account Manager (only access to the app's accounts) 
permission.AUTHENTICATE_ACCOUNTS 
permission.GET_ACCOUNTS 
permission.MANAGE_ACCOUNTS 
permission.USE_CREDENTIALS

Used to get the user’s location (necessary for weather and pollen updates) 
permission.ACCESS_COARSE_LOCATION 
permission.ACCESS_BACKGROUND_LOCATION 
permission.RECEIVE_BOOT_COMPLETED (needed to restart location tracking when the device has rebooted)

Further access rights: 
Camera to capture a user's selfie as part of a measurement.

iOS:
Permission asked for push notifications

Further access rights:
Coarse location to actually get the user's location (necessary for weather and pollen updates).
Camera to capture a user's selfie as part of a measurement.
Photo library permissions if a user can pick an existing image as a profile picture.

Before accessing the respective functions, the following access rights are requested from you: push notification, GPS, camera access.

Legal basis:

Art. 6 (1) b GDPR (situation similar to a contract)

Art. 6 (1) a GDPR (consent)

2.2. Changes to your Personal Settings
You can revoke or reassign the access authorizations granted to your mobile device at any time under your personal settings of the mobile device (to be found under “Settings”). If you remove permanently individual access rights from the app, the app can no longer be fully used.

2.3. Push Notifications
If you have agreed to push notifications, we may send you messages with e.g. reminders on your device. You see these messages on the lock screen as an active window while using your mobile device and highlighted on the app-icon of your mobile device.

You can object to the receipt of push notifications at any time under your personal settings of your device and switch them off accordingly.

Legal basis: Art. 6 (1) a GDPR (consent)

2.4. Login Profile
By registering we provide you the opportunity to secure your data with a password and to use this app with all of the skin evaluation features: measure skin condition and get individual product and care recommendations based on the analysis of the gathered data. The skin data collected by a measuring device are enriched by other health data (e.g. menstruation or allergies), lifestyle data (e.g. the level of activity or sleep quality) and/or data about the usage and compatibility of skin care products. Data are gathered by measuring device, by 3rd party application like Fitbit (fitness tracker) or provided via 1st party app by the consumer on a non-obligatory basis (e.g. camera for selfies). The provided data will be further used for our analytical software. We will pseudonymize or (after account deletion) anonymize your data and will use them for scientific researches. By anonymizing the personal data, this data is no longer identifiable to a natural person.

To perform the skin evaluation features we collect the following data:

  • Name, email, password, gender, birthday, height, weight, (close up) pictures of your skin or from your face (selfie), health data (e.g. ovulation data, allergy information), country, language, calendar data, smartphone pushID, measuring device ID
  • (Geo-) Location data (necessary for the weather, pollen updates which can improve our skin analytics)
  • Wifi data (to establish connection between measuring device and internet router)
  • Answers to analytical questions (optional – necessary to improve our analytical software)
  • Profile picture (optional)
  • Activity & training data, sleep, nutrition, weather data, ovulation data (optional via app or Fitbit)

We transfer the collected data to the relevant internal departments for processing and to other affiliated companies within the Beiersdorf Group or to external service providers, contract processors (e.g. hosting, consumer database, analytical partners, support providers) in accordance with the required purposes (to carry out the above mentioned skin evaluation features etc.). The personal data is mainly stored and processed within the EU. Platform/hosting or analytical providers can have access to personal data from a third country (countries outside the European Economic Area). As an appropriate safeguard we have agreed on standard contractual clauses pursuant to Art. 46 GDPR with these providers. More information on this topic is published here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu_en.

Your data will be deleted or anonymized as soon as you have deleted your account, unless this conflicts with legal storage obligations or statutes of limitations. In order to delete your data, please log in to your customer account and complete the deletion process within the account/profile area, or send us your withdrawal to the data processing by email. We delete or anonymize your personal data automatically after 24 months inactivity.

Legal basis: Art. 6 (1) a, Art. 9 (2) a) GDPR, § 27 (2) BDSG (Federal German Data Protection Act).

2.5. App Analytics – Google Analytics
This app uses Google Analytics for Firebase and Google Firebase Crash Reporting, a web analysis service of Google Ireland Ltd. (“Google”) especially for apps. For further information please see: https://firebase.google.com/support/privacy/#firebase_data_processing_and_security_terms.

Google uses tracking information on our behalf to analyze your use of this app in order to compile reports on app activities and provide additional services related to app and internet use. Google may also transfer this information to third parties as required by law or if said third parties process this data on behalf of Google. The IP address transmitted by your browser in the context of Google Analytics is not merged with other Google data.

Third party information: Google Dublin, Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001. Google Analytics Terms of Service: https://www.google.com/analytics/terms/gb.html, General overview on Google Analytics security and privacy principles: https://support.google.com/analytics/answer/6004245?hl=en, as well as Google’s privacy policy: https://policies.google.com/privacy?hl=en.

Transfer to third countries are possible.46 GDPR. More information on this topic is published here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu_en.

Maximum storage period of data: up to 26 months.

Legal basis: Art. 6 (1) a GDPR.

3. Further Services Offered (on- and offline)

In addition to the purely use of our app, we offer various other services, for which we process your personal data.

If we use contracted service providers for individual functions of our offer or would like to use your data for advertising purposes, we will inform you in detail about the respective processes below.

External service providers have been carefully selected and commissioned by us, are bound by our instructions and are regularly checked.

We may also disclose your personal data to third parties when we offer promotions, sweepstakes, contracts or similar services in conjunction with partners. Further information can be obtained at the time when you provide the data or in the description of the services below.

If our service providers are based in a country outside the European Economic Area (EEA), international data transfers can occur. We will inform you of the consequences of this circumstance in the description of the service below.

3.1. Contacting/Communication/Collaboration
When communicating and/or collaboration with us, e.g. by email or data exchange platform, be it e.g. as a consumer, test person, business partner or customer, the data you provide (your email address, if applicable your name and your telephone number, or personal data submitted during the conversation) will be stored and processed by us in order to e.g. answer your questions, requests or for the purpose of business related correspondence. We delete the data arising in this context once storage is no longer necessary, unless statutory retention obligations exist or periods of limitation must be observed.

When processing data arising in the course of communication, we have a legitimate interest in processing the data in accordance with legal requirements, for internal verification or in accordance with the respective communication request. In order to combat terrorism, we are obliged by law to carry out a comparison with sanctions lists. Therefore, we also process your data to meet legal requirements for comparison with these lists. Furthermore, we process your data in the Beiersdorf Group for the prevention and investigation of criminal offences and other misconduct, the assessment and control of risks, for internal communication and for corresponding administrative purposes. You can object to this processing according to the requirements under 4. In case of consumer inquiries through our internal consumer management tool the personal data will be usually deleted after one year. As an exception, the data will be kept longer if the data is necessary for the establishment, exercise or defence of legal claims.

We transfer the collected data to the relevant internal departments for processing and to other affiliated companies within the Beiersdorf Group or to external service providers, contract processors (e.g. hosting, call center service providers) in accordance with the purposes required (e.g. for establishing contacts, business related correspondence and customer care). The personal data is mainly stored and processed within the EU. Platform/hosting or analytical service providers can have access to personal data from a third country (countries outside the European Economic Area). As an appropriate safeguard we have agreed on standard contractual clauses pursuant to Art. 46 GDPR with these providers. More information on this topic is published here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu_en.

Legal basis: 

Art. 6 (1) b GDPR (when processing in the context of a contract or a situation similar to a contract)

Art. 6 (1) c GDPR (when processing is necessary for compliance with a legal obligation)

Art. 6 (1) f GDPR (when processing according to the legitimate interest described above)

4. Objection or Withdrawal of your Consent to the Processing of Personal Data

If you have given your consent (Art. 6 (1) a GDPR) to the processing of your data, you can withdraw your consent at any time. Such a withdrawal influences the permissibility of processing your personal data after you have given it to us.

If we base the processing of your personal data on the weighing of interests (Art. 6 (1) f GDPR), you may object to the processing. This is the case if processing is not necessary in particular to fulfil a contract with you, which is described by us in the description of the functions / services. When exercising such objection, we ask you to explain the reasons why we should not process your personal data as we have done. In the event of your justified objection, we will examine the situation and either stop or adjust data processing or point out to you our compelling reasons worthy of protection, on the basis of which we will continue processing.

Of course, you can object to the processing of your personal data for purposes of advertising and data analysis at any time. You can inform us about your objection under the above-mentioned contact details for the controller.