• Home
  • Skinly App Privacy Policy

Skinly App Privacy Policy

THE PROTECTION OF YOUR DATA IS IMPORTANT TO US!

For us not only the care and protection of your skin is important. We also attach great importance to the protection of your personal data. That's why we respect your privacy and want you to be able to trust us as much when it comes to data protection as when it comes to skin care. We always inform you transparently about what we need your data for and if and for how long we store it. This allows you to decide for yourself for which purposes we may use your data. To ensure the best possible security, the information is always transmitted to us in encrypted form. If you no longer wish us to use your data, please let us know informally, for example by email.

1.    General Information
1.1.     Processing of Personal Data
1.2.     Controller
1.3.     Rights of the Data Subject
1.4.     Disclosure to Authority
2.    Collection of Personal Data when Downloading and Using our App
2.1.      Access Permissions to Functions on your Mobile Device
2.2.      Changes to your Personal Settings
2.3.      Push Notifications
2.4.      Login Profile
2.5.      App Analytics – Google Analytics
3.    Further Services Offered (on- and offline)
3.1.      Contacting/Communication/Collaboration
3.2.      Newsletter
3.3.      Campaigns (e.g. Sweepstakes, Surveys, Product Tests)
3.4.      Shop
4.    Objection or Withdrawal of your Consent to the Processing of Personal Data 

1. General Information

The purpose of this privacy policy is to provide you with information concerning the processing of personal data when using our app and related services.

1.1. Processing of Personal Data
Personal data within the meaning of Art. 4 of the EU General Data Protection Regulation (GDPR) are all information relating to an identified or identifiable natural person, e.g. name, address, email address, etc.

1.2. Controller
Responsible for the processing of personal data within the meaning of Art. 4 (7) GDPR is: Beiersdorf AG, Unnastraße 48, 20253 Hamburg, Germany.

Contact details of the data protection officer: Dataprotection[at]Beiersdorf.com or under the postal address of the controller for the attention of the “data protection officer”.

1.3. Rights of the Data Subject
As data subject affected by the data processing activity, you have the following rights with regard to your personal data in accordance with the legal provisions:

  • Right of access;
  • Right to rectification and to erasure;
  • Right to restriction of processing;
  • Right to data portability; and
  • Right to object.

Furthermore, you have the right to lodge a complaint with a supervisory authority concerning the processing of your personal data.

When we work on your above-mentioned right, we may ask you for proof of your identity. For more information on how we process your data, see 3.1.

1.4. Disclosure to Authority
In the event of a legal obligation, we reserve the right to disclose information about you if we are required to surrender it to competent authorities or law enforcement bodies.

Legal basis: Art. 6 (1) c) GDPR

2. Collection of Personal Data when Downloading and Using our App

When downloading our app via App Store, all required information will be transferred to the App Store, in particular the user name, email address and customer number of your account, timestamp of download, payment information and the individual device code number. We have no influence on this data collection and are not responsible for it. We only process the data if it is necessary for downloading the app to your mobile device.

When using the app, we collect the personal data that enables convenient use of the functions. If you want to use our app, we collect the data that is technically necessary for us to offer you the functions of our app and to guarantee stability and security. For identification purpose we generate an individual ID and use the unique ID of the measuring device.

Further information which data we collect when you create an account can be found under the section “Login Profile”.

We might transfer the collected data to the responsible internal departments and other affiliated companies of the Beiersdorf Group or to external service providers, processors (e.g. hosting) for processing in accordance with the required purposes (to display the app and to create the content).

The data you store locally on your mobile device when using the app is only stored until you delete the app on your mobile device.

The data you provide us with will only be stored by us for as long as it is necessary for the fulfilment of the respective purpose, i.e. the performance of our studies for which you have provided us with your data, or for compliance with legal regulations.

Legal basis: Art. 6 (1) b GDPR and Art. 6 (1) a GDPR

2.1. Access Permissions to Functions on your Mobile Device
The app accesses only those functions of your smartphone that are required for the described purposes.

Android:  Used for network communication
permission.INTERNET

Used for Wifi/Hotspot connectivity with measuring device 
permission.ACCESS_NETWORK_STATE 
permission.ACCESS_WIFI_STATE 
permission.CHANGE_WIFI_STATE 
permission.ACCESS_FINE_LOCATION (required when getting the current connected SSID)

Used to interact with the Account Manager (only access to the app's accounts) 
permission.AUTHENTICATE_ACCOUNTS 
permission.GET_ACCOUNTS 
permission.MANAGE_ACCOUNTS 
permission.USE_CREDENTIALS

Used to get the user’s location (necessary for weather and pollen updates) 
permission.ACCESS_COARSE_LOCATION 
permission.ACCESS_BACKGROUND_LOCATION 
permission.RECEIVE_BOOT_COMPLETED (needed to restart location tracking when the device has rebooted)

Further access rights: 
Camera to capture a user's selfie as part of a measurement.

iOS:
Permission asked for push notifications

Further access rights:
Coarse location to actually get the user's location (necessary for weather and pollen updates).
Camera to capture a user's selfie as part of a measurement.
Photo library permissions if a user can pick an existing image as a profile picture.

Before accessing the respective functions, the following access rights are requested from you: push notification, GPS, camera access.

Legal basis: Art. 6 (1) b GDPR and Art. 6 (1) a GDPR.

2.2. Changes to your Personal Settings
You can revoke or reassign the access authorizations granted to your mobile device at any time under your personal settings of the mobile device (to be found under “Settings”). If you remove permanently individual access rights from the app, the app can no longer be fully used.

2.3. Push Notifications
If you have agreed to push notifications, we may send you messages with e.g. reminders on your device. You see these messages on the lock screen as an active window while using your mobile device and highlighted on the app-icon of your mobile device.

You can object to the receipt of push notifications at any time under your personal settings of your device and switch them off accordingly.

Legal basis: Art. 6 (1) a GDPR.

2.4. Login Profile
By registering we provide you the opportunity to secure your data with a password and to use this app with all of the skin evaluation features: measure skin condition and get individual product and care recommendations based on the analysis of the gathered data. The skin data collected by a measuring device are enriched by other health data (e.g. menstruation or allergies), lifestyle data (e.g. the level of activity or sleep quality) and/or data about the usage and compatibility of skin care products. Data are gathered by measuring device, by 3rd party application like Fitbit (fitness tracker) or provided via 1st party app by the consumer on a non-obligatory basis (e.g. camera for selfies). The provided data will be further used for our analytical software. We will pseudonymize or (after account deletion) anonymize your data and will use them for scientific researches. By anonymizing the personal data, this data is no longer identifiable to a natural person.

To perform the skin evaluation features we collect the following data:

  • Name, email, password, gender, birthday, height, weight, (close up) pictures of your skin or from your face (selfie), health data (e.g. ovulation data, allergy information), country, language, calendar data, smartphone pushID, measuring device ID
  • (Geo-) Location data (necessary for the weather, pollen updates which can improve our skin analytics)
  • Wifi data (to establish connection between measuring device and internet router)
  • Answers to analytical questions (optional – necessary to improve our analytical software)
  • Profile picture (optional)
  • Activity & training data, sleep, nutrition, weather data, ovulation data (optional via app or Fitbit)

We transfer the collected data to the relevant internal departments for processing and to other affiliated companies within the Beiersdorf Group or to external service providers, contract processors (e.g. hosting, consumer database, analytical partners, support providers) in accordance with the required purposes (to carry out the above mentioned skin evaluation features etc.). The personal data is mainly stored and processed within the EU. Platform/hosting or analytical providers can have access to personal data from a third country (countries outside the European Economic Area). As an appropriate safeguard we have agreed on standard contractual clauses pursuant to Art. 46 GDPR with these providers or they are (additionally) EU-U.S. Privacy Shield certified. More information on this topic is published here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu_en.

Your data will be deleted or anonymized as soon as you have deleted your account, unless this conflicts with legal storage obligations or statutes of limitations. In order to delete your data, please log in to your customer account and complete the deletion process within the account/profile area, or send us your withdrawal to the data processing by email. We delete or anonymize your personal data automatically after 24 months inactivity.

Legal basis: Art. 6 (1) a, Art. 9 (2) a) GDPR, § 27 (2) BDSG (Federal German Data Protection Act).

2.5. App Analytics – Google Analytics
This app uses Google Analytics for Firebase and Google Firebase Crash Reporting, a web analysis service of Google Inc. (“Google”) especially for apps. For further information please see: https://firebase.google.com/support/privacy/#firebase_data_processing_and_security_terms.

Google uses tracking information on our behalf to analyze your use of this app in order to compile reports on app activities and provide additional services related to app and internet use. Google may also transfer this information to third parties as required by law or if said third parties process this data on behalf of Google. The IP address transmitted by your browser in the context of Google Analytics is not merged with other Google data.

Third party information: Google Dublin, Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001. Google Analytics Terms of Service: https://www.google.com/analytics/terms/gb.html, General overview on Google Analytics security and privacy principles: https://support.google.com/analytics/answer/6004245?hl=en, as well as Google’s privacy policy: https://policies.google.com/privacy?hl=en.

This app also uses Google Analytics for a device-independent analysis of visitor flows, which is carried out via a user ID. You can disable cross-device tracking of your usage in your Google Account under “My information”, “Personal information”.

Maximum storage period of data: up to 26 months.

Legal basis: Art. 6 (1) a GDPR.

3. Further Services Offered (on- and offline)

In addition to the purely use of our app, we offer various other services, for which we process your personal data.

If we use contracted service providers for individual functions of our offer or would like to use your data for advertising purposes, we will inform you in detail about the respective processes below.

External service providers have been carefully selected and commissioned by us, are bound by our instructions and are regularly checked.

We may also disclose your personal data to third parties when we offer promotions, sweepstakes, contracts or similar services in conjunction with partners. Further information can be obtained at the time when you provide the data or in the description of the services below.

If our service providers are based in a country outside the European Economic Area (EEA), international data transfers can occur. We will inform you of the consequences of this circumstance in the description of the service below.

3.1. Contacting/Communication/Collaboration
When communicating and/or collaboration with us, e.g. by email or data exchange platform, be it e.g. as a consumer, test person, business partner or customer, the data you provide (your email address, if applicable your name and your telephone number, or personal data submitted during the conversation) will be stored and processed by us in order to e.g. answer your questions, requests or for the purpose of business related correspondence. We delete the data arising in this context once storage is no longer necessary, unless statutory retention obligations exist or periods of limitation must be observed.

When processing data arising in the course of communication, we have a legitimate interest in processing the data in accordance with legal requirements, for internal verification or in accordance with the respective communication request. In order to combat terrorism, we are obliged by law to carry out a comparison with sanctions lists. Therefore, we also process your data to meet legal requirements for comparison with these lists. Furthermore, we process your data in the Beiersdorf Group for the prevention and investigation of criminal offences and other misconduct, the assessment and control of risks, for internal communication and for corresponding administrative purposes. You can object to this processing according to the requirements under 4. In case of consumer inquiries through our internal consumer management tool the personal data will be usually deleted after one year. As an exception, the data will be kept longer if the data is necessary for the establishment, exercise or defence of legal claims.

We transfer the collected data to the relevant internal departments for processing and to other affiliated companies within the Beiersdorf Group or to external service providers, contract processors (e.g. hosting, call center service providers) in accordance with the purposes required (e.g. for establishing contacts, business related correspondence and customer care). The personal data is mainly stored and processed within the EU. Platform/hosting or analytical service providers can have access to personal data from a third country (countries outside the European Economic Area). As an appropriate safeguard we have agreed on standard contractual clauses pursuant to Art. 46 GDPR with these providers or they are (additionally) EU-U.S. Privacy Shield certified. More information on this topic is published here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu_en.

Legal basis: Art. 6 (1) b GDPR.

3.2. Newsletter
The optional newsletter contains news, offers and further information on the selected topic. By subscribing to the newsletter you will receive in accordance with the consent you have given in each case  personalized information about the products, services or suggestions for participation in promotions, such as competitions or product tests by email or advertising on your own or third-party channels (e.g. via social media).

With your registration for the newsletter you will receive a newsletter tailored to your needs (if the newsletter is “personalized”, “individualized” or “customized”). We eventually evaluate your purchase and click behavior on our apps, websites or within the newsletter in order to compile the information relevant to you.

The newsletter is sent regularly (usually once a month). For special actions (e.g. advent calendar), daily emailing may also occur.

We also use remarketing measures to show you the relevant online advertising.

The data will be forwarded to our customer management platform, which service providers may also have access to support and implement the newsletter. Platform/hosting providers will have access to personal data from a third country (countries outside the European Economic Area). As an appropriate safeguard we have agreed on standard contractual clauses pursuant to Art. 46 GDPR with these providers or they are (additionally) EU-U.S. Privacy Shield certified. More information on this topic is published here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu_en.

These collected data are automatically deleted after 24 months if they no longer respond to the newsletter, e.g. open (inactivity). If you no longer wish to receive the newsletter, you can unsubscribe at any time. Click on the link contained in each newsletter, you will then be guided through the unsubscribe process, or send us your withdrawal by email.

Legal basis: Art. 6 (1) a GDPR.

3.3. Campaigns (e.g. Sweepstakes, Surveys, Product Tests)
When you participate in sweepstakes, surveys or similar campaigns, we use the personal information you provide to conduct the campaign. Further information on the purposes can be found in the respective terms and conditions of the campaign.

We transfer the collected data to the relevant internal departments for processing and to other affiliated companies within the Beiersdorf Group or to external service providers, contract processors (e.g. hosting, shipping, processing service providers) in accordance with the purposes required (to carry out the campaign). Platform/hosting providers will have access to personal data from a third country (countries outside the European Economic Area). As an appropriate safeguard we have agreed on standard contractual clauses pursuant to Art. 46 GDPR with these providers or they are (additionally) EU-U.S. Privacy Shield certified. More information on this topic is published here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu_en.

Your data will be deleted after the final processing of the campaign (see terms and conditions of participation), unless this conflicts with statutory retention obligations or statutes of limitations.

The provision of your personal data is necessary for the performance of a contract. You are not obliged to provide your personal data. If your data is not provided, you cannot participate in the campaign.

Further information can be found in the respective terms and conditions of the campaign.

Legal basis: Art. 6 (1) b GDPR.

3.4. Shop
If you would like to order products in our shop, it is required for the conclusion of the contract that you enter your personal data, which we need for the completion and execution of your order. Required information for the execution of the order is marked separately, any other information you provide is voluntary. We process the data provided by you only to process and execute your order.

For this purpose we might transmit on the collected data to the relevant internal departments for processing and to other affiliated companies within the Beiersdorf Group or to external service providers, contractors (e.g. payment providers, fulfilment providers, customer management service providers, content management provider) in accordance with the required purposes (processing and execution of the order). Platform/hosting providers may have access to personal data from a third country (countries outside the European Economic Area). As an appropriate safeguard we have agreed on standard contractual clauses pursuant to Art. 46 GDPR with these providers or they are (additionally) EU-U.S. Privacy Shield certified. More information on this topic is published here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu_en.

To prevent unauthorized access to your personal data, especially financial data, the order process is encrypted using TLS technology.

In addition, you can voluntarily create a customer account through which we can store your data for future purchases. When you create such an account, the data you have provided will be stored revocably. All other data, including your user account, can always be deleted.

We may also process the information you provide in course of your purchase in our shop to send you interesting product information based on the products you have been purchased in our shop or to give you the possibility to rate your purchased products. We therefore send you information by email in context with your purchase. This is a special form of direct marketing, in which we have a legitimate interest in strengthening consumer loyalty by suggesting appropriate and interesting product information. Besides that, we may also send you technical or other factual information in context with your purchase. You can object at any time to receiving such information by following the requirements as described in in Section 4.

We are obliged by commercial and applicable tax laws to store your address, payment and order data for a period of up to ten years. 

Legal basis: Art. 6 (1) b, f GDPR.

4. Objection or Withdrawal of your Consent to the Processing of Personal Data

If you have given your consent (Art. 6 (1) a GDPR) to the processing of your data, you can withdraw your consent at any time. Such a withdrawal influences the permissibility of processing your personal data after you have given it to us.

If we base the processing of your personal data on the weighing of interests (Art. 6 (1) f GDPR), you may object to the processing. This is the case if processing is not necessary in particular to fulfil a contract with you, which is described by us in the description of the functions / services. When exercising such objection, we ask you to explain the reasons why we should not process your personal data as we have done. In the event of your justified objection, we will examine the situation and either stop or adjust data processing or point out to you our compelling reasons worthy of protection, on the basis of which we will continue processing.

Of course, you can object to the processing of your personal data for purposes of advertising and data analysis at any time. You can inform us about your objection under the above-mentioned contact details for the controller.