Skinly App Privacy Policy

THE PROTECTION OF YOUR DATA IS IMPORTANT TO US!

Not only the care and protection of your skin is important to us. We also attach great importance to the protection of your personal data. That's why we respect your privacy and want you to be able to trust us as much when it comes to data protection as when it comes to skin care. We always inform you transparently about what we need your data for and if and for how long we store it. This allows you to decide for yourself for which purposes we may use your data. To ensure the best possible security, the information is always transmitted to us in encrypted form. If you no longer wish us to use your data, please let us know informally, for example by email.

1. General Information

The purpose of this privacy policy is to provide you with information concerning the processing of personal data when using our app and related services.

1.1. Processing of Personal Data
Personal data within the meaning of Art. 4 of the EU General Data Protection Regulation (GDPR) is any information relating to an identified or identifiable natural person, e.g. name, address, email address, etc.

1.2. Controller
Responsible for the processing of personal data within the meaning of Art. 4 (7) GDPR is: Beiersdorf AG, Beiersdorfstraße 1-9, 22529 Hamburg, Germany.

Contact details of the data protection officer: Dataprotection[at]Beiersdorf.com or under the postal address of the controller for the attention of the “data protection officer”.

1.3. Rights of the Data Subject
As a data subject affected by the data processing activity, you have the following rights with regard to your personal data in accordance with the legal provisions:

  • Right of access;
  • Right to rectification and to erasure;
  • Right to restriction of processing;
  • Right to data portability; and
  • Right to object.

Furthermore, you have the right to lodge a complaint with a supervisory authority concerning the processing of your personal data.

When we process a request concerning your above-mentioned rights, we may ask you for proof of your identity. For more information on how we process your data, see 3.1.

1.4. Disclosure to Authority
In the event of a legal obligation, we reserve the right to disclose information about you if we are required to surrender it to competent authorities or law enforcement bodies.

Legal basis: Art. 6 (1) c) GDPR (legal obligation)

2. Collection of Personal Data when Downloading and Using our App

When downloading our app via App Store, all required information will be transferred to the App Store, in particular the user name, email address and customer number of your account, timestamp of download, payment information and the individual device code number. We have no influence on this data collection and are not responsible for it. We only process the data if it is necessary for downloading the app to your mobile device.

When using the app, we collect the personal data that enables convenient use of the functions. If you want to use our app, we collect the data that is technically necessary for us to offer you the functions of our app and to guarantee stability and security. For identification purposes we generate an individual ID and use the unique ID of the measuring device.

Further information on which data we collect when you create an account can be found under the section “Login Profile”.

We might transfer the collected data to the responsible internal departments and other affiliated companies of the Beiersdorf Group or to external service providers, processors (e.g. hosting) for processing in accordance with the required purposes (to display the app and to create the content).

The data you store locally on your mobile device when using the app is only stored until you delete the app on your mobile device.

The data you provide us with will only be stored by us for as long as it is necessary for the fulfilment of the respective purpose, i.e. the performance of our studies for which you have provided us with your data, or for compliance with legal regulations.

Legal basis:

Art. 6 (1) b GDPR (situation similar to a contract)

Art. 6 (1) a GDPR (consent)

2.1. Access Permissions to Functions on your Mobile Device
The app accesses only those functions of your smartphone that are required for the described purposes.

Android:
Used for network communication
permission.INTERNET

Used for Wifi/Hotspot connectivity with measuring device 
permission.ACCESS_NETWORK_STATE 
permission.ACCESS_WIFI_STATE 
permission.CHANGE_WIFI_STATE 
permission.ACCESS_FINE_LOCATION (required when getting the current connected SSID)

Used to interact with the Account Manager (only access to the app's accounts) 
permission.AUTHENTICATE_ACCOUNTS 
permission.GET_ACCOUNTS 
permission.MANAGE_ACCOUNTS 
permission.USE_CREDENTIALS

Used to get the user’s location (necessary for weather and pollen updates) 
permission.ACCESS_COARSE_LOCATION 
permission.ACCESS_BACKGROUND_LOCATION 
permission.RECEIVE_BOOT_COMPLETED (needed to restart location tracking when the device has rebooted)

Further access rights: 
Camera to capture a user's selfie as part of a measurement.

iOS:
Permission asked for push notifications

Further access rights:
Coarse location to actually get the user's location (necessary for weather and pollen updates).
Camera to capture a user's selfie as part of a measurement.
Photo library permissions if a user can pick an existing image as a profile picture.

Before accessing the respective functions, the following access rights are requested from you: push notification, GPS, camera access.

Legal basis:

Art. 6 (1) b GDPR (situation similar to a contract)

Art. 6 (1) a GDPR (consent)

2.2. Changes to your Personal Settings
You can revoke or reassign the access authorizations granted to your mobile device at any time under your personal settings of the mobile device (to be found under “Settings”). If you permanently remove individual access rights from the app, the app can no longer be fully used.

2.3. Push Notifications
If you have agreed to push notifications, we may send you messages with e.g. reminders on your device. You see these messages on the lock screen as an active window while using your mobile device and highlighted on the app-icon of your mobile device.

You can object to the receipt of push notifications at any time under your personal settings of your device and switch them off accordingly.

Legal basis: Art. 6 (1) a GDPR (consent)

2.4. Login Profile
Registration gives you the opportunity to secure your data with a password and to use this app with all of the skin evaluation features: measure skin condition and get individual product and care recommendations based on the analysis of the gathered data. The skin data collected by a measuring device are enriched by other health data (e.g. menstruation or allergies), lifestyle data (e.g. the level of activity or sleep quality) and/or data about the usage and compatibility of skin care products. Data are gathered by the measuring device, by third-party applications such as Fitbit (fitness tracker), or provided by the consumer via the first-party app on a non-obligatory basis (e.g. camera for selfies). The provided data will be further used for our analytical software. We will pseudonymize or (after account deletion) anonymize your data and will use it for scientific research. By anonymizing the personal data, this data is no longer identifiable to a natural person.

To perform the skin evaluation features we collect the following data:

  • Name, email, password, gender, birthday, height, weight, (close up) pictures of your skin or from your face (selfie), health data (e.g. ovulation data, allergy information), country, language, calendar data, smartphone pushID, measuring device ID
  • (Geo-) Location data (necessary for the weather, pollen updates which can improve our skin analytics)
  • Wifi data (to establish connection between measuring device and internet router)
  • Answers to analytical questions (optional – necessary to improve our analytical software)
  • Profile picture (optional)
  • Activity & training data, sleep, nutrition, weather data, ovulation data (optional via app or Fitbit)

We transfer the collected data to the relevant internal departments for processing and to other affiliated companies within the Beiersdorf Group or to external service providers, contract processors (e.g. hosting, consumer database, analytical partners, support providers) in accordance with the required purposes (to carry out the above mentioned skin evaluation features etc.). The personal data is mainly stored and processed within the EU. Platform/hosting or analytical providers can have access to personal data from a third country (countries outside the European Economic Area). As an appropriate safeguard we have agreed on standard contractual clauses pursuant to Art. 46 GDPR with these providers. For more information (such as a copy of the guarantees), you can contact us at the contact details above.

Your data will be deleted or anonymized as soon as you have deleted your account, unless this conflicts with legal storage obligations or statutes of limitations. In order to delete your data, please log in to your customer account and complete the deletion process within the account/profile area, or send us your withdrawal to the data processing by email. We delete or anonymize your personal data automatically after 24 months of inactivity.

Legal basis: Art. 6 (1) a, Art. 9 (2) a) GDPR, § 27 (2) BDSG (Federal German Data Protection Act).

2.5. App Analytics – Google Analytics
This app uses Google Analytics for Firebase and Google Firebase Crash Reporting, a web analysis service of Google Ireland Ltd. (“Google”) especially for apps. For further information please see: https://firebase.google.com/support/privacy/#firebase_data_processing_and_security_terms.

Google uses tracking information on our behalf to analyze your use of this app in order to compile reports on app activities and provide additional services related to app and internet use. Google may also transfer this information to third parties as required by law or if said third parties process this data on behalf of Google. The IP address transmitted by your browser in the context of Google Analytics is not merged with other Google data.

We use Google Analytics to analyse and regularly improve the use of our app. The statistics obtained enable us to improve our offer and make it more interesting for you as a user. For the exceptional cases in which personal data is transferred to the US, Google has concluded standard contractual clauses in accordance with Art. 46 GDPR. For more information (such as a copy of the guarantees), you can contact us at the contact details above.

Third party information: Google Dublin, Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001. Google Analytics Terms of Service: https://www.google.com/analytics/terms/gb.html, General overview on Google Analytics security and privacy principles: https://support.google.com/analytics/answer/6004245?hl=en, as well as Google’s privacy policy: https://policies.google.com/privacy?hl=en.

Lifetime of cookies: up to 12 months (this only applies to cookies set via this app).

Maximum storage period of data: up to 26 months.

Legal basis: Art. 6 (1) a GDPR.

3. Further Services Offered (on- and offline)

In addition to the pure use of our app, we offer various other services, for which we also process your personal data in an offline context.

3.1. Contacting/Communication/Collaboration
When communicating and/or collaborating with us, e.g. by email or data exchange platform, be it e.g. as a consumer, test person, business partner or customer, the data you provide (your email address, if applicable your name and your telephone number, or personal data submitted during the conversation) will be stored and processed by us in order to e.g. answer your questions, requests or for the purpose of business related correspondence. We delete the data arising in this context once storage is no longer necessary, unless statutory retention obligations exist or periods of limitation must be observed.

When processing data arising in the course of communication, we have a legitimate interest in processing the data in accordance with legal requirements, for internal verification or in accordance with the respective communication request. In order to combat terrorism, we are obliged by law to carry out a comparison with sanctions lists. Therefore, we also process your data to meet legal requirements for comparison with these lists. Furthermore, we process your data in the Beiersdorf Group for the prevention and investigation of criminal offences and other misconduct, the assessment and control of risks, for internal communication and for corresponding administrative purposes. You can object to this processing according to the requirements under 4. In the case of consumer inquiries through our internal consumer management tool, the personal data will usually be deleted after one year. As an exception, the data will be kept longer if the data is necessary for the establishment, exercise or defence of legal claims.

We transfer the collected data to the relevant internal departments for processing and to other affiliated companies within the Beiersdorf Group or to external service providers, contract processors (e.g. hosting, call center service providers) in accordance with the purposes required (e.g. for establishing contacts, business related correspondence and customer care). The personal data is mainly stored and processed within the EU. Platform/hosting or analytical service providers can have access to personal data from a third country (countries outside the European Economic Area). As an appropriate safeguard we have agreed on standard contractual clauses pursuant to Art. 46 GDPR with these providers. For more information (such as a copy of the guarantees), you can contact us at the contact details above.

Legal basis: 

Art. 6 (1) b GDPR (when processing in the context of a contract or a situation similar to a contract)

Art. 6 (1) c GDPR (when processing is necessary for compliance with a legal obligation)

Art. 6 (1) f GDPR (when processing according to the legitimate interest described above)

4. Objection or Withdrawal of your Consent to the Processing of Personal Data

If you have given your consent (Art. 6 (1) a GDPR) to the processing of your data, you can withdraw your consent at any time. Such a withdrawal influences the permissibility of processing your personal data after you have given it to us.

If we base the processing of your personal data on the weighing of interests (Art. 6 (1) f GDPR), you may object to the processing. This is the case if processing is not necessary in particular to fulfil a contract with you, which is described by us in the description of the functions / services. When exercising such objection, we ask you to explain the reasons why we should not process your personal data as we have done. In the event of your justified objection, we will examine the situation and either stop or adjust data processing or point out to you our compelling reasons worthy of protection, on the basis of which we will continue processing.

Of course, you can object to the processing of your personal data for purposes of advertising and data analysis at any time. You can inform us about your objection under the above-mentioned contact details for the controller.

5. UNITED STATES Specific Provisions

By using/continuing to use the Services, you acknowledge you have read and understand the collection, storage, use, and disclosure of your Personal Information as described in this Privacy Policy, and the App Terms of Use (the “Agreement”) which is incorporated by reference.

Terms of the Agreement

If you choose to access or use the Services, your access and use, and any dispute over privacy is subject to this Privacy Policy and the App Terms of Use, including, but not limited to, limitations on damages and resolution of disputes.

1. Personal Information We Collect

Generally, we collect four (4) types of information about you: (A) information and content you give us directly; (B) information we obtain automatically when you use our Services; (C) demographic information; and (D) information we get about you from other sources. When we talk about “Personal Information” in this Privacy Policy, we are talking about any information collected in accordance with this section. Please see below for more information on each category.

A. Information and Content You Give Us Directly

(i) Personal Information. Personal information, such as your name, address, e-mail address, username, password, and any other information you directly provide us on or through the Services. This includes information you provide when you register or create an account or submit a request for customer service.

(ii) Email Correspondences. Records and copies of your email messages together with your email address and our responses, if you choose to correspond with us through email.

(iii) Health Related Information. Health related information such as your mood, ovulation data, allergy information, physical (biometric) data, such as selfies which shall be anonymized, and any other health or medical information you directly provide us through the Services.

B. Information We Obtain Automatically When You Use Our Services

(i) Activity Information. Details of your use of the device and App, including the features you use; the actions you take; the time, frequency, and duration of your activities; and other information about your use of and actions on the device and App.

(ii) Equipment Information. Information about your computer and internet connection, including your device or computer operating system, IP address, browser type, and browser language.

(iii) Location Information. Information about the location of your device, including GPS location, for purposes of enhancing or facilitating the Services.

(iv) Cookies, Pixel Tags/Web Beacons, and Other Technologies. Cookies, pixel tags, web beacons, clear GIFs, JavaScript, entity tags, HTML5 local storage, resettable device identifiers, or other similar technologies (collectively, the “Technologies”) may be used by us, as well as third parties that provide the content, advertising, or other functionality on the App to automatically collect information through your use of the App. Please see Section 9 for more information on the technologies we may use for this automatic data collection.

C. Demographic Information

We may collect demographic, statistical, or other aggregate information that is about you, but individually does not identify you. Some of this information may be derived from Personal Information, but it is not Personal Information and cannot be tied back to you. Examples of such aggregate information include gender, age, and race.

D. Information We Get About You from Other Sources

We may receive information about you from other sources and add it to our information, including from third-party services and organizations who have the right to provide us with such information. We protect this information according to the practices described in this Privacy Policy, plus any additional restrictions imposed by the source of the data.

2. How We Use Your Information

We may use the information we collect about you in a variety of ways, to provide support for the App and device, or for administrative purposes.

A. We Use Your Personal Information to Provide Our Services

We may use your Personal Information to:

(i) provide the App, device, and its content to you.

(ii) respond to comments, questions, and provide customer service.

(iii) fulfill any other purpose for which you provide Personal Information.

(iv) communicate with you.

(v) inform you about important changes to, or other news about, the App, device, or any of its features or content.

B. We Use Your Information for Administrative Purposes

We may use your Personal Information to:

(i) operate, maintain, improve, personalize, and analyze the App.

(ii) monitor and analyze trends, usage, and activities for research purposes.

(iii) detect, prevent, or investigate security breaches, fraud, and other unauthorized or illegal activity.

(iv) carry out our obligations and enforce our rights arising from any contracts entered between you and us.

(v) maintain appropriate records for internal administrative purposes.

(vi) allow you to participate in interactive features on the App as applicable.

(vii) develop, improve, and analyze our predictive models, both experimental and underlying the Services.

3. How We May Share or Disclose Your Information

We may share or disclose the personal information provided to third parties for a variety of business purposes without any restrictions, including to provide our Services or to protect us or others. We may also share or disclose information in the event of a major business transaction such as a merger, sale, or asset transfer. The following circumstances describe in additional detail the ways we may share or disclose your Personal Information that we collect or that you provide under this Privacy Policy:

A. We Disclose Your Information to Provide Our Services

(i) Subsidiaries and Affiliates. We may share your Personal Information with our parent companies, subsidiaries, joint ventures, and other affiliated companies of the Beiersdorf Group for purposes of management and analysis, decision-making, and other business purposes, consistent with this Privacy Policy and the required purpose (to display the App and to create content).

(ii) Service Providers. We may share your Personal Information with our third-party service providers, contractors, and any other similar third parties that help us provide our Services. This may include service providers that help us with analytics services or support services, such as website hosting, email and postal delivery, location mapping, product, and service delivery. Service providers are bound by contractual obligations to keep Personal Information confidential and use it only for the purposes for which we disclose it to them.

(iii) Consent or to Fulfill the Purpose that Information was Provided. We may share your Personal Information to fulfill the purpose for which you provide that information, with your consent, or for any other purpose disclosed by us when you provide the information.

(iv) Public Authorities for the Purpose of Study Application Approval. We may share your Personal Information with public authorities who are responsible for the review and approval of scientific study applications.

(v) Improvement of Analytics and Research Studies. We may share your Personal Information with research associates, health institutions, and other third-party research organizations to assess, develop, improve, and exchange predictive modeling and data analytics for purposes of improving outcomes. For example, we may use your Personal Information as a part of a data set that will be used to improve the accuracy of our product outcomes predictive modeling algorithms or in connection with various Company product studies. We may also use your Personal Information for the purpose of presentations, talks and publications concerning scientific study results. We will anonymize your Personal Information when used for scientific research. By anonymizing the Personal Information, it is no longer identifiable to a natural person.

B. We May Disclose Your Information in the Event of a Merger, Sale, or Other Asset Transfers

If we become involved in a merger, acquisition, financing due diligence, divestiture, restructuring, reorganization, bankruptcy, dissolution, sale, or transfer of some or all of our assets (whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding), or transition of Services to another provider, your Personal Information may be sold or transferred to business entities or people involved in such process.

C. We Disclose Your Information to Protect Us or Others

(i) When Required by Law. We may share your Personal Information to comply with any court order, law, or legal process, including to respond to any government or regulatory request.

(ii) To Enforce Our Rights. We may share your Personal Information to enforce or apply this Privacy Policy, our Agreement, and other agreements, including for billing and collection purposes.

(iii) To Protect Lawful Interests. We may share your Personal Information if we believe disclosure will help us protect the rights, property, or safety of Company, our users, partners, agents, and others. This may include exchanging information with other companies and organizations for fraud protection, and spam and malware prevention.

Users of the Services are encouraged to exercise caution when providing personal information about themselves in public or interactive areas.

4. Your Privacy Choices and Rights

You have certain choices and rights with respect to your privacy. For example, you may be able to opt out of receiving marketing messages from us, make choices regarding cookies, and exercise other privacy rights under applicable law.

A. Mechanisms to Control Your Information

(i) Cookies and Other Tracking Technologies. You may be able to set your browser to reject cookies and certain other technologies by adjusting the appropriate settings in your browser. Each browser is different, but many common browsers have preferences that may be adjusted to allow you to either accept or reject cookies and certain other technologies before they are set or installed or allow you to remove or reject the use or installation of certain technologies altogether. We recommend that you refer to the “Help” menu in your browser to learn how to modify your browser settings. Please note that you cannot remove Flash cookies simply by changing your browser settings. To learn how you can manage your Flash cookie settings, visit the Flash player settings page on Adobe's website. If you disable or refuse cookies, please note that some parts of the Services may become inaccessible or may not function properly.

B. Accessing and Correcting Your Information

In accordance with applicable law, you may have the right to:

(i) Access Personal Information. You may access Personal Information about you, including: (1) confirming whether we are processing your Personal Information; (2) obtaining access to or a copy of your Personal Information; and (3) receiving an electronic copy of Personal Information that you have provided to us, or asking us to send that information to another company (the "right of data portability").

(ii) Request Correction of Personal Information. You may request correction of your Personal Information where it is inaccurate, incomplete, or improperly possessed.

(iii) Request Deletion of Personal Information. You may request deletion of your Personal Information held by us about you.

(iv) Opt-out. You may request to opt-out of the processing of your Personal Information for the purpose(s) of: (1) targeted advertising; (2) sale of Personal Information; or (3) profiling to make decisions that have legal or other significant effects on you.

If you would like to exercise any of these rights, you may send us an email to request access to, correction of or removal of any Personal Information that you have provided to us. We will process such requests in accordance with applicable law. You may also access, correct, or remove your Personal Information by logging into the App and visiting your account profile.

The following are additional Consumer Privacy Rights:

(i) Non-Discrimination. Residents have the right not to receive discriminatory treatment by covered businesses for the exercise of their rights conferred by the applicable privacy law.

(ii) Authorized Agent. Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your Personal Information. You may also make a verifiable consumer request on behalf of your minor child. To designate an authorized agent, please contact us as set forth in “Contact Information” below and provide written authorization signed by you and your designated agent.

(iii) Verification. To protect your privacy, we will take the following steps to verify your identity before fulfilling your request. When you make a request, we will ask you to provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative, which may include asking you to answer questions regarding your account and use of our Services.

C. Your Right to Appeal

If you are dissatisfied with the refusal of Company to take action in accordance with the exercise of your rights in the “Accessing and Correcting Your Information” section above, you may request reconsideration by Company, by sending a written request for reconsideration to the mailing address found in the “Contact Information” section below. Within forty-five (45) days of Company’s receipt of such written request for reconsideration, Company shall inform you in writing (at the address indicated in your initial written request) of any action taken or not taken in response to your request for reconsideration, including a written explanation of the reasons for the decision. In addition, if your request for reconsideration is denied, you have the right to appeal to the Attorney General in your state of residence.

5. How We Protect Your Information

We have implemented safeguards reasonably designed to secure your Personal Information. Such safeguards may include the implementation of various technical, physical, administrative, and organizational security measures intended to reduce the risk of loss, misuse, unauthorized access, disclosure, or modification of your information.

The safety and security of your information is also dependent on you. If we have given you (or where you have chosen) a password for access to certain parts of the Services, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.

While we have employed security technologies and procedures to assist safeguarding your Personal Information, no system or network can be guaranteed to be 100% secure, and we cannot ensure or warrant the security of any information you provide to us. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time. Any transmission of Personal Information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on the App or device.

6. International Transfer of Personal Information

If you provide Personal Information through the App and/or device, you acknowledge and agree that such Personal Information may be transferred from your current location to the offices and servers of Company and the other third parties referenced in this Privacy Policy located in the European Union or other countries outside the European Economic Area, which may have data protection laws that are different from the laws where you live. We endeavor to safeguard your information consistent with the requirements of such laws, where applicable.

7. Personal Information Retention Period

We keep your information for the length of time needed to carry out the purpose outlined in this Privacy Policy and to adhere to our policies on keeping records (unless a longer period is needed by law). Our records policies reflect applicable laws. We will retain and use your information to the extent necessary to manage your relationship with us, personalize and improve your overall customer experience, and to comply with our legal obligations.

8. State Privacy Rights

The following state specific rights and requirements are in addition to all other rights and requirements set forth in this Privacy Policy.

A. California Privacy Rights

The California Consumer Privacy Act of 2018 and California Privacy Rights Act of 2020 (CPRA) (together, "CCPA") require covered businesses to provide California residents with some additional information regarding how they collect, use, and share your "personal information" (as defined in the CCPA). As such, we have provided additional details below about the information we collect, how we disclose it, and how you can exercise your privacy rights under the CCPA, in the event it applies to our activities in the future.

(i) Categories of Personal Information that is Collected, Disclosed and Shared. The CCPA provides California residents with the right to know what categories of personal information (including sensitive personal information) covered businesses have collected about them and whether such businesses have disclosed that personal information for a business purpose (e.g., to a service provider) in the preceding twelve (12) months. California residents can find this information in the section below.

We may use any of the categories of information listed above for other business or operational purposes compatible with the context in which the personal information was collected. The categories of sources from which we collect personal information and our business and commercial purposes for using personal information are set forth in "Personal Information We Collect" and "How We Use Your Information" above, respectively.

We may share any of the information listed above with service providers, which are companies that we engage for business purposes to conduct activities on our behalf. Service providers are restricted from using personal information for any purpose that is not related to our engagement.

(ii) "Sales or Sharing" of Personal Information under the CCPA. California residents have the right to opt out of the "sale or sharing" of their personal information. Under the CCPA, "sale" is defined broadly and includes the transfer of personal information by a business to a third party for valuable consideration (even if there is no exchange of money) and “sharing” is defined to include the sharing or making available personal information to a third party for cross-context behavioral advertising.

Company may "sell or share" personal information. The categories of personal information we have "sold or shared" and the categories of third parties we have "sold or shared" personal information to in the preceding twelve months are listed below.

| Category | Examples | Collected |
| --- | --- | --- |
| A. Identifiers. | A real name, postal address, email address, account name, or other similar identifiers. | Yes |
| B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). | A name, address, medical information. Some personal information included in this category may overlap with other categories. | Yes |
| C. Protected classification characteristics under California or federal law. | Age, medical condition, sex (including gender) | Yes |
| D. Commercial information. | - | No |
| E. Biometric information. | Pictures of faces and selected areas of skin, height, weight, female cycle tracking, nutrition tracking, sleep tracking, mood tracking | Yes |
| F. Internet or other similar network activity. | - | No |
| G. Geolocation data. | Physical location | Yes |
| H. Sensory data. | Pictures of faces and selected areas of skin | Yes |
| I. Professional or employment-related information. | - | No |
| J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). | - | No |
| K. Inferences drawn from other personal information. | Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | Yes |

Company’s business and commercial purposes for "selling or sharing" personal information can be found in "How We Use Your Information?" above. Company does not have actual knowledge of any "sale or sharing" of personal information of minors under 16 years of age.

(iii) Additional Privacy Rights for California Residents.

1. Opt-out of "Sales or Sharing". California residents may opt-out of the "sale or sharing" of their personal information by contacting us as set forth in "Contact Information" below. California residents (or their authorized agent) may also exercise:
Email: hautstudie@beiersdorf.com
Mail: Beiersdorf AG, Beiersdorfstraße 1-9, 22529 Hamburg, Germany

2. California Shine the Light.  The California "Shine the Light" law permits users who are California residents to request and obtain from us once a year, free of charge, a list of the third parties to whom we have disclosed their personal information (if any) for their direct marketing purposes in the prior calendar year, as well as the type of personal information disclosed to those parties. If you are a California resident and would like to exercise any of your rights under the law, please contact us as set forth in "Contact Information" below. We will process such requests in accordance with applicable laws.

B. Nevada Privacy Rights.

If you are a resident of Nevada, you have the right to opt-out of the sale of certain Personal Information to third parties who intend to sell or license that Personal Information, even if your Personal Information is not currently being sold. If you would like to exercise this right, please contact us via the information found in the “Contact Information” section above.

C. Virginia, Colorado, Connecticut, and Utah Privacy Rights.

Residents of Virginia, Colorado, Connecticut, and Utah may have additional rights under relevant privacy laws, including under the Virginia Consumer Data Protection Act (“VCDPA”), Colorado Privacy Act (“CPA”), Connecticut Data Privacy Act (“CTDPA”) (effective July 1, 2023) and Utah Consumer Privacy Act (“UCPA”) (effective Jan. 1, 2024), as applicable. The following additional information is required to be provided by covered businesses under applicable state laws.

(i) Sharing of Personal Data under VCDPA, CPA, CTDPA and UCPA. The VCDPA, CPA, CTDPA and UCPA require covered businesses to provide residents of their respective states with the right to know the categories of “personal data” (as defined under applicable law) covered businesses shared with third parties and the categories of third parties with whom such personal data has been shared. Residents of Virginia, Colorado, Connecticut and Utah can find this information below:

| Category | Examples | Collected |
| --- | --- | --- |
| A. Identifiers. | A real name, postal address, email address, account name, or other similar identifiers. | Yes |
| B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). | A name, address, medical information. Some personal information included in this category may overlap with other categories. | Yes |
| C. Protected classification characteristics under California or federal law. | Age, medical condition, sex (including gender) | Yes |
| D. Commercial information. | - | No |
| E. Biometric information. | Pictures of faces and selected areas of skin, height, weight, female cycle tracking, nutrition tracking, sleep tracking, mood tracking | Yes |
| F. Internet or other similar network activity. | - | No |
| G. Geolocation data. | Physical location | Yes |
| H. Sensory data. | Pictures of faces and selected areas of skin | Yes |
| I. Professional or employment-related information. | - | No |
| J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). | - | No |
| K. Inferences drawn from other personal information. | Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | Yes |

(ii) “Sales” or Sharing for Targeted Advertising under VCDPA, CPA, CTDPA and UCPA. Residents of Virginia, Colorado, Connecticut, and Utah have the right to opt-out of the “sale” of their personal data to third parties or the processing of their personal data for targeted advertising (see Section 4(B)(iv) above). For purposes of this paragraph the definition of “sale”, “sell” or “sold” has the meaning set forth in applicable privacy law. If a consumer wishes to exercise their right to opt-out of the sale of personal data or processing of personal data for targeted advertising, they may do so by following this link. The categories of personal data “sold” or processed for targeted advertising can be found below:

| Category of Personal Data Sold to Third Parties or Processed for Targeted Advertising | Category of Third Parties Personal Data is Sold to or Processed by for Targeted Advertising |
| --- | --- |
| None | None |

9. Biometrics

A. As used in this policy, “biometric data” includes “biometric identifiers” and “biometric information” as defined in the Illinois Biometric Information Privacy Act, 740 ILCS § 14/1, et seq. “Biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric identifiers do not include photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996.

B. Purpose for Collection of Biometric Data

(i) Beiersdorf and/or its vendors may collect, store, use and/or transmit biometric data during the course of conducting Beiersdorf’s survey studies or providing services to those participating in this survey study. With respect to biometric data collected, stored, used and/or transmitted by Beiersdorf and/or its vendors, to the extent required by law, Beiersdorf will obtain written authorization from you to collect, store, use, and/or transmit biometric data prior to the collection of such data.

(ii) Beiersdorf and/or its vendors will collect, store, use and/or transmit any biometric data solely for research and development and business purposes. Neither Beiersdorf nor its vendors will sell, lease, or trade any biometric data that it receives from you as a result of your use of Beiersdorf’s Skinly application.

C. Disclosure

(i) Beiersdorf will not disclose or disseminate any biometric data to anyone other than its authorized vendors and clients unless:

1. the subject of the biometric data or the subject’s legally authorized representative consents to the disclosure or dissemination;

2. the disclosure or dissemination completes a financial transaction requested or authorized by the subject of the biometric data or the subject's legally authorized representative;

3. the disclosure or dissemination is required by State or federal law or municipal ordinance; or

4. the disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.

D. Retention Schedule

(i) Beiersdorf shall retain any biometric data in Beiersdorf’s possession only until the first of the following occurs:

1. Beiersdorf receives written notice from you that the initial purpose for collecting or obtaining such biometric data has been satisfied, such as the termination of the study, or you have discontinued using Beiersdorf’s product or service for which the biometric data was used; or

2. Within 3 years of Beiersdorf receiving written notice of your last interaction with the Skinly application.

E. Data Storage

(i) Beiersdorf and its vendors shall use a reasonable standard of care to store, transmit, and protect from disclosure any paper or electronic biometric data collected. Such storage, transmission, and protection from disclosure shall be performed in a manner that is the same as or more protective than the manner in which Beiersdorf stores, transmits, and protects from disclosure other confidential and sensitive information, including personal information that can be used to uniquely identify an individual or an individual’s account or property, such as genetic markers, genetic testing information, account numbers, PINs, driver’s license numbers and social security numbers.

10. Cookies and Other Technologies

A. Description of the Tracking Technologies.

We as well as third parties that provide the content, advertising, or other functionality on the App may use Technologies to automatically collect information through your use of the Services. The following describes some of these Technologies we may use for this automatic data collection:

(i) Cookies. A cookie is a small data file stored on the hard drive of your computer either for (a) the duration of your visit on a website ("session cookies") or (b) for a fixed period ("persistent cookies"). Cookies contain information that can later be read by a web server. We may use cookies to provide you with a more personal and interactive experience on the Services.

(ii) Web Beacons. Web beacons are small files that are embedded in webpages, applications, and emails (also known as "clear gifs", "pixel tags", "web bugs", and "single-pixel gifs") that collect information about engagement on our Services. For example, web beacons allow us to track who has visited those webpages or opened an email, to test the effectiveness of our marketing, and for other related website statistics.

(iii) JavaScript. JavaScript consists of code snippets embedded in various parts of websites and applications that facilitate a variety of operations including accelerating the refresh speed of certain functionality or monitoring usage of various online components.

(iv) Entity Tags. Entity Tags are HTTP code mechanisms that allow portions of websites to be stored or "cached" within your browser and validate these caches when the website is opened, accelerating website performance since the web server does not need to send a full response if the content has not changed.

(v) HTML5 Local Storage. HTML5 local storage allows data from websites to be stored or "cached" within your browser to store and retrieve data in HTML5 pages when the website is revisited.

(vi) Resettable Device Identifiers. Resettable device identifiers (also known as "advertising identifiers") are similar to cookies and are found on many mobile devices and tablets (for example, the "Identifier for Advertisers" or "IDFA" on Apple iOS devices and the "Google Advertising ID" on Android devices), and certain streaming media devices. Like cookies, resettable device identifiers are used to make online advertising more relevant.

B. Our Uses of the Technologies.

We may also use these Technologies for security purposes, to facilitate navigation, to display information more effectively, and to better serve you with more tailored information, as well as for site administration purposes, e.g., to gather statistical information about the usage of our websites in order to continually improve the design and functionality, to understand how users use our websites, and to assist us with resolving questions regarding use of the websites.

C. Mechanisms to Control Cookies and Other Technologies.

You may be able to set your browser to reject cookies and certain other technologies by adjusting the appropriate settings in your browser. Each browser is different, but many common browsers have preferences that may be adjusted to allow you to either accept or reject cookies and certain other technologies before they are set or installed, or allow you to remove or reject the use or installation of certain technologies altogether. We recommend that you refer to the “Help” menu in your browser to learn how to modify your browser settings. Please note that you cannot remove Flash cookies simply by changing your browser settings. To learn how you can manage your Flash cookie settings, visit the Flash player settings page on Adobe's website. If you disable or refuse cookies, please note that some parts of the Services may become inaccessible or may not function properly. You can revoke or reassign the access authorizations granted to your mobile device at any time under your personal settings of the mobile device (to be found under “Settings”). If you permanently remove individual access rights from the App, the App can no longer be fully used.

D. Third Party Technologies.

This Privacy Policy covers the use of cookies by Company and does not cover the use of tracking technologies by any third parties. The Services may contain links, content, advertising, or references to other websites or applications run by third parties, including advertisers, ad networks and servers, content providers, and application providers. These third parties may use cookies or other tracking technologies to collect information about you when you interact with their content on the Services, such as member recruitment vendors using web beacons and cookies on our registration pages for payment verification. The information they collect may be associated with your Personal Information or they may collect information about your online activities over time and across different websites. Please be aware that we do not control these third parties' tracking technologies or when and how they may be used. Therefore, Company does not claim nor accept responsibility for any privacy policies, practices, or procedures of any such third party. We encourage you to read the privacy statements and terms and conditions of linked or referenced websites you enter. We do not endorse, screen, or approve, and are not responsible for the practices of such third parties or the content of their application or website. Providing Personal Information to third-party websites or applications is at your own risk. If you have any questions about an ad or other targeted content, you should contact the responsible provider directly.

11. Children Using or Accessing The Services

We are especially committed to protecting the privacy of children. Company’s Services are directed at a general audience over the age of sixteen (16) and are not targeted to children. If we learn that we have inadvertently collected or received Personal Information from an individual under the age of sixteen (16), we will use reasonable efforts to immediately remove such information. If you are a parent or legal guardian and think your child under the age of sixteen (16) has given us information without your consent, please contact us via the information found in the “Contact Information” section above.

12. Changes to Our Privacy Policy

We reserve the right to update this Privacy Policy from time to time in order to reflect changes to our practices or for other operational, legal, or regulatory reasons. When we do update this Privacy Policy, we will post the updates and changes on our App. We may elect to notify you of material changes by mail, email, posting of modified Privacy Policy, or some other similar manner. However, it is your responsibility to check our App regularly for changes to this Privacy Policy. Your continued use of or access to the Services following the posting of any changes to this Privacy Policy constitutes acceptance of those changes.