EveLab Insight Data Protection Policy

Last Revision Date: 20 October 2023

This Data Protection Policy applies to individuals who access and use the Service (as defined in the EveLab Insight Terms of Use) and/or sign up for an Account (as defined in the EveLab Insight Terms of Use).

We attach great importance to the privacy of your Personal Data (defined below), and we are also committed to maintaining your trust in us. We are committed to taking reasonable security protection measures designed to protect your Personal Data in accordance with industry security standards. Please take a moment to read this Data Protection Policy so that you know and understand how we collect, use and disclose your “personal information”, “personal data” and other similar information as defined under applicable data protection laws (collectively, “Personal Data”).

By accessing the Service and/or signing up for an Account, you agree EveLab Insight (Singapore) Pte. Ltd. and its affiliates (collectively “EveLab Insight”) and their respective branches, subsidiaries and related corporations (collectively, the "Companies"), as well as their respective representatives and/or agents (“Representatives”) (the Companies and Representatives collectively referred to herein as "us", "we" or "our") may collect, use, disclose and share amongst themselves your Personal Data, and disclose such Personal Data to the Companies' authorised service providers and relevant third parties in the manner set forth in this Data Protection Policy, on the following basis: 

(a) in jurisdictions which allow for legitimate-interest based processing, on the basis of such legitimate interests including as set out in this Data Protection Policy; and

(b) in all other jurisdictions, on the basis of your consent which you hereby give.

This Data Protection Policy supplements but does not supersede nor replace any other consents you may have previously provided to us in respect of your Personal Data, and your consents herein are additional to any rights which any of us may have at law to collect, use and/or disclose your Personal Data.

1. Collection of Personal Data

1.1. In order to make full use of the features of the Service, you need to provide your name, gender, date of birth, mobile phone number, email address and cosmetic surgery history (to create a personal skin file). After providing the above information and agreeing to the EveLab Insight Terms of Use and this Data Protection Policy, you can make full use of the features of the Service. If you do not provide the above information, you may not be able to do so. If you do not agree to enable the Service’s facial recognition features, you can still continue to use the Service and your mobile phone number and/or your email address will be used to confirm your Account.

1.2. Generally, in relation to the Service, we collect Personal Data in the following ways:  

(a) when you access or use the Service (including but not limited to conducting a skin analysis test, comparing historical skin test results and generating skin test results) in which we may collect your 3D facial images (only applicable to EveLab Insight Eve V) and faceprints, both without iris/retina images;

(b) when you submit any queries in connection with the Service;

(c) when you sign up for an Account;

(d) when you interact with the Service’s customer service officers or any of our staff, for example, via face-to-face meetings, telephone calls, letters, online forms (such as any “Contact Us” forms on our websites), social media platforms and emails;

(e) when you request that we contact you;

(f) when you respond to our requests for additional Personal Data;

(g) when you ask to be included in an email or other mailing list;

(h) when you respond to our market surveys, promotions and other initiatives; and

(i) when you submit your Personal Data to us for any other reason.

1.3. If you provide us with any Personal Data relating to a third party (e.g. information on your customers, spouse, children, parents, and/or employees), by submitting such information to us, you represent to us that you have obtained the consent of such third party to you providing us with their Personal Data for the respective purposes.

1.4. You should ensure that all Personal Data submitted to us is complete, accurate, true and correct. Failure on your part to do so may result in our inability to provide you with products and services you have requested.

How We Process Children's Personal Data

1.5. We will not collect or request Personal Data from those under 16 years of age (or any other specified age in accordance with applicable laws in your area). If you are less than 16 years of age, please do not send your Personal Data to us, including your name, address, telephone number or e-mail address. If you think we might have any information belonging to children under the age of 18, please contact us using the channels listed below.

2. Purposes for the Collection, Use and Disclosure of Your Personal Data

2.1. Where permitted under applicable data protection laws, we collect, use and disclose your Personal Data for the following purposes: 

(a) providing you the Service, including without limitation analysing your skin condition, sending you reports on the same (this may require collecting, using and/or disclosing your Personal Data, including: gender, age, birth information, data relating to your skin condition, imaging of your skin etc.) and providing you with a beauty solution (such as recommendation of cosmetic products and/or skin care products) based on your skin condition and analysis report;

(b) responding to, processing and handling complaints, queries, requests, feedback, customer service requests and/or suggestions relating to the Service - if you believe your relevant rights have been violated, you can file a complaint and report in accordance with our infringement complaint process. In the process, we will ask you to provide valid Personal Data to verify the authenticity of the complaint and report. As this can be sensitive information, we will take strict confidentiality measures and will not share it with any third parties except those necessary to resolve your inquiry;

(c) verifying your identity;

(d) safeguarding national interests such as national security, national defence, public safety, public health and public information;

(e) protecting your or other individual’s life, reputation and other important legal rights and interests;

(f) complying with any applicable rules, laws and regulations, codes of practice or guidelines or to assist in law enforcement and investigations by relevant authorities;

(g) processing your application for an Account;

(h) maintaining and administering your Account;

(i) signing and fulfilling contracts required by you;

(j) maintaining the safe and stable operation of the Service, such as identifying or dealing with any failure of the Service;

(k) protecting the security of your Account, network, operation, and system, and to prevent phishing, website fraud and Trojan horse viruses - this may require collecting, using and/or disclosing information about your device, including non-changeable device unique identifiers (such as IMEI numbers, MAC address, AndroidID, IDFA) and GUID;

(l) assisting our business partners in profiling and management of their respective customers;

(m) facilitating R&D and market research in the skin care industry;

(n) managing your preferences - we will analyse the characteristics of your preference and habits, and create user profiles (such user profiles are anonymized or de-identified as data analysis results will not be related to specific user identities) based on the collected information, in order to present content that is more in line with your needs;

(o) sending you news and offers from the Companies, and/or the Representatives that may be of interest to you;  

(p) tailoring information and product or service offerings to you in accordance with your preferences and purchase history and/or other transactions with us;

(q) conducting market research, understanding and analysing customer behaviour, preferences and demographics to enable us to improve the Service;

(r) using online advertising and other technologies in connection with the above; and/or

(s) any other purpose directly relating to any of the above.

2.2. Please understand that the functions and services we provide to you are constantly evolving. If we intend to collect, use and/or disclose your Personal Data for an additional purpose not listed above, we will, and may at any time, amend this Data Protection Policy and/or use page prompts, interactive processes, website announcements, etc. separately to explain the content, scope and purpose of these additional purposes, so as to obtain your consent where required by applicable laws.

2.3. The legal bases we rely on for processing your Personal Data will vary depending on the applicable law. Our legal bases for processing your Personal Data for the purposes described above include: (a) processing that is necessary for the performance of our contract with you (such as where necessary to provide you with our products or services); (b) processing that is necessary for our legitimate interests (such as to carry out analytics in order to improve our service); (c) processing that is necessary to comply with our legal obligations (such as to respond to a subpoena or other legal process); and (d) where required by applicable law, your consent.

2.4. In relation to particular products or services or in your interactions with us, we may also have specifically notified you of other purposes for which we collect, use or disclose your Personal Data. If so, we will collect, use and disclose your Personal Data for these additional purposes as well, unless we have specifically notified you otherwise.

3. Disclosure of Personal Data

3.1. We will take reasonable steps in an effort to protect your Personal Data against unauthorised disclosure. Subject to the provisions of any applicable law, your Personal Data may be provided, for the purposes listed above (where applicable), to the following entities or parties, regardless of the jurisdiction they are located in:

(a) amongst ourselves;

(b) our retail partners that you interact with via your use of our Service (“Retail Partners”). By using our Service, you are directing EveLab Insight to share your Personal Data with the Retail Partner. Your Personal Data will also be subject to the Retail Partner’s privacy policy. Please note that we do not control, and we are not responsible for the Retail Partner’s processing of your Personal Data;

(c) our authorized partners - for the purposes stated in this Data Protection Policy, some of our services will be provided by authorized partners (including the Third Parties (as defined in the EveLab Insight Terms of Use)), including product analysis services, technical support services, etc. We may share some of your Personal Data with our partners to provide better customer service and user experience. We will only share your Personal Data for legal, legitimate, necessary, specific, and clear purposes, and we will only share the Personal Data necessary to provide the services; at the same time, we will sign a strict confidentiality agreement with the companies, organizations and individuals with whom we share Personal Data, requiring them to process Personal Data in accordance with our Data Protection Policy and any other relevant confidentiality and security measures;

(d) the various departments within the Companies;

(e) agents, contractors or third-party service providers who provide operational services to us, such as telecommunications, information technology, payment, processing, training, market research, storage, archival, customer support investigation services or other services to us;

(f) vendors or other third-party service providers in connection with promotions and goods/services offered on the Service;

(g) our professional advisers such as our auditors and lawyers;

(h) relevant government regulators, government ministries, statutory boards or authorities, and/or law enforcement agencies, whether local or overseas, to comply with any directions, laws, rules, guidelines, regulations or schemes issued or administered by any of them, as well as to comply with listing and other requirements or directions of any relevant securities exchange;

(i) other external parties where we, in good faith, believe doing so is required or appropriate to respond to legal process, to protect your, our, or others’ rights, property, or safety, or to assist with an investigation and prosecution of suspected or actual illegal activity; and

(j) any other party to whom you authorise us to disclose your Personal Data.

3.2. Except as set out in this Data Protection Policy, we will not actively share or transfer your Personal Data to third parties. If there are other situations which require the sharing or transfer of your Personal Data or if you need us to share or transfer your Personal Data to a third party, we will directly confirm that the third party has obtained your consent for such acts if required by applicable law or we otherwise believe it is appropriate. In addition, we may conduct a risk assessment for the provision of your Personal Data to such third party.

3.3. At present, we will not actively obtain your Personal Data from third parties. As for future business development where we may need to obtain your Personal Data indirectly from a third party, we will inform you of the source of your Personal Data, the type of Personal Data and our scope of use of your Personal Data. For instance, if we are aware that the Personal Data processing activities required by us to conduct business are beyond the scope of the authorization and consent originally provided to the third party, we will obtain your explicit consent before processing such Personal Data; in addition, we will strictly abide by relevant laws and regulations and we will require third parties to obtain the consents required under applicable laws before they provide such information.

Transfer

3.4. Except as set out in this Data Protection Policy, we will not transfer your Personal Data to any company, organization or individual, unless:

(a) we have obtained your consent by your agreement to this Data Protection Policy; and/or

(b) in the case of merger, acquisition or bankruptcy liquidation, if it involves the transfer of Personal Data, we will require new companies and organizations holding your Personal Data to continue to be bound by this Data Protection Policy, otherwise we will require the company or organization to seek your consent again.

3.5. Because we provide the Service through resources and servers around the world, your agreement to this Data Protection Policy means that you consent that your Personal Data may be transferred to or accessed from jurisdictions other than the jurisdiction in which you use the Service and may be processed and stored anywhere in the world, in the cloud on our servers, on the servers of our affiliates, and/or the servers of our service providers.

3.6. Such other jurisdictions may have different data protection laws or even no data protection laws. In such cases, we will ensure that your Personal Data is adequately protected. For example, we may implement security measures such as data de-identification prior to cross-border data transfer.

Public Disclosure

3.7. We only disclose your Personal Data publicly if:

(a) we have obtained your explicit consent; and/or

(b) we are required to do so by laws, legal procedures, lawsuits or mandatory requirements of government authorities.

4. Data Security

4.1. We use industry-standard security measures designed to protect Personal Data in our possession or our control by making reasonable security arrangements designed to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. For example:

(a) when you exchange data (such as credit card information) between your browser and the Service, it is protected by SSL encryption;

(b) we provide HTTPS secure access to the supporting web services provided by the Service;

(c) we use encryption technology designed to ensure the confidentiality of data;

(d) we use trusted protection mechanisms designed to prevent data from being maliciously accessed;

(e) we deploy access control mechanisms designed to ensure that only authorized personnel can access Personal Data; and

(f) we organize security and privacy protection training courses to strengthen our employees’ awareness of data privacy concerns.

4.2. We will take reasonably practicable steps to ensure that irrelevant Personal Data is not collected. We are committed to keeping your Personal Data within the period required by law or reasonably necessary to implement features and services in connection with the Service (i.e. we store your face data so that you are able to track your skin analysis results for comparison purposes; without such face data stored, we are unable to generate reports with comparison analysis and you would not be able to meaningfully assess whether your skin condition has improved or deteriorated from previous results). We will delete, de-identify, or anonymize Personal Data after the data retention period expires. In determining the data retention period, we take into account a number of factors, including but not limited to, whether the applicable laws require us to retain such Personal Data for a certain period of time and whether you are a recurring customer, in which case we will continue to retain your Personal Data until you instruct us to delete your account with us.

4.3. However, we cannot completely guarantee the security of any Personal Data we may have collected from or about you, or that no harmful code will infiltrate our website or application (for example viruses, bugs, trojan horses, spyware or adware).

4.4. Whilst we strive to protect your Personal Data, we cannot ensure the security of the information you transmit to us via the Internet, and we urge you to take every precaution to protect your Personal Data when you use such platforms.

4.5. If applicable, you undertake to keep any information relating to your Account (including any link to your skin analysis report) secure and confidential and shall not disclose or permit it to be disclosed to any unauthorised person, and to inform us as soon as reasonably practicable if you know or suspect that the confidentiality of any information relating to your Account has been lost, stolen or compromised in any way or that actual or possible unauthorised access has taken place. We are not liable for any damages resulting from any security breaches, or unauthorised and/or fraudulent access of any information relating to your Account.

4.6. In the event of an unfortunate Personal Data security incident, we will act in accordance with the requirements of applicable laws and regulations, to keep you informed of the basic details and the possible impact of the security incident, the measures we have taken or will take, suggestions to you to reduce any risks, remedial measures and more. We will promptly inform you about the event by email, letter, phone, push notification, etc. in accordance with the requirements of applicable law. When it is difficult to notify you individually, we will take a reasonable and effective way to make an announcement. At the same time, we will proactively report the handling of Personal Data security incidents in accordance with the requirements of regulatory authorities.

5. Third-Party Sites

5.1. The Application (as defined in the EveLab Insight Terms of Use) may contain links to other websites operated by third parties. We are not responsible for the privacy practices of websites operated by third parties that are linked to the Application. We encourage you to learn about the privacy policies of such third-party websites. Some of these third-party websites may be co-branded with our logo or trademark, even though they are not operated or maintained by us. Once you have left the Application, you should check the applicable privacy policy of the third-party website to determine how they will handle any information they collect from you.  

6. Contacting Us - Feedback, Withdrawal of Consent, Access and Correction of your Personal Data 

6.1. If you:

(a) have any questions or feedback relating to your Personal Data or this Data Protection Policy;

(b) believe we have infringed your rights to your Personal Data;

(c) would like to withdraw your consent to any use of your Personal Data as set out in this Data Protection Policy; or

(d) would like to obtain access and make corrections to your Personal Data records, you can approach us via the following channels:

 

Email: compliance@evelabinsight.com

 

6.2. You may also write to our Data Protection Officer as follows:

Unit 8106B, Level 81, International Commerce Centre, 1 Austin Road West, Hong Kong

Attn: Legal Department, EveLab Insight

 

6.3. Please note that if your Personal Data has been provided to us by a third party, you should contact such third party directly to make any queries, feedback, and access and correction requests to us on your behalf.

6.4. If you withdraw your consent to any or all use of your Personal Data, depending on the nature of your request, we may not be in a position to continue to provide the Service to you or administer any contractual relationship already in place. This may also result in the termination of any agreements you have with us (e.g. termination of your Account), and your being in breach of your contractual obligations or undertakings. Our legal rights and remedies in such event are expressly reserved.

7. How This Policy Will Be Updated

7.1. This Data Protection Policy is subject to change at any time. We will post any changes to this Data Protection Policy on this page. For major changes, we may inform you via additional means, such as via email. Subject to your rights at law, you agree to be bound by the prevailing terms of this Data Protection Policy as updated from time to time by us.  

7.2. Major changes referred to in this policy include, but are not limited to:

(a) changes to the purposes for which we process Personal Data, the types of Personal Data we process, and how we use your Personal Data;

(b) changes to your rights to participate in the processing of Personal Data and how you exercise them; and

(c) when a Personal Data security impact assessment report indicates that there is a risk.

8. Country-Specific Terms

Countries which allow processing of Personal Data on the basis of legitimate interest

Japan

 

8.1. If you are located in Japan, please contact us at the contact details in section 6 above if you want to request us to disclose to you the purposes of the use of; or to disclose; or to correct, add to, delete, or cease to use; or to cease to provide to third parties, Personal Data that we hold about you. For us to process your request, please also submit an identification certificate and other documents which we may request. We will charge JPY500 per request. We will use the Personal Data provided by you in relation to any of the aforementioned requests for the purpose of processing and responding to your request.

 

8.2. If you are located in Japan and provide us with your email address and/or a telephone number, you consent for us and our affiliates to send marketing materials via email, text message or telephone.

 

South Korea

8.3. When processing (i.e., collect, use, (overseas) transfer, etc.) your Personal Data to enable your access and use of our Services, we will secure proper legal grounds under the South Korean privacy laws for the processing of your Personal Data (including, but not limited to, acquisition of your prior express consent).  We do not assume your consent for the processing of your Personal Data only by your access/use of our Services or submission of your information to us.

8.4. We do not collect and/or store cookies.

8.5. For the performance of Services, you agree that we may delegate the processing of your personal data to the following external professional service providers:

 

Domestic Delegation

| Delegatee’s Name | Descriptions of Delegated Works |
| --- | --- |
| Microsoft Corporation | The use of Microsoft Cloud Platform in South Korea for data storage |

 

 

8.6. In principle, we will immediately destroy your Personal Data if: (a) you terminate your use of our Services or (b) the purposes of collection and use of Personal Data have been achieved.  However, if we are required to retain your Personal Data for a longer period of time under applicable laws and regulations, we will retain your Personal Data for the period as required under such applicable laws and regulations.  

 

8.7. When destroying Personal Data, measures will be taken to make the Personal Data irrecoverable or irreproducible. Electronic files which contain Personal Data will be deleted permanently using a technical method which makes the files irreproducible.  Any other records, print-outs, documents or any other recording media will be shredded or incinerated. 

United States of America

8.8. You agree that EveLab Insight may use facial recognition technology to collect biometric information from the photos or images you provide. EveLab Insight may use such information to verify your identity, to provide and improve the Service, and for our internal research purposes. Where required by law, we will delete your biometric information within three years of your last interaction with the Service.  

8.9. If you are a California resident, section(s) 8.9 – 8.12 apply to our processing of your Personal Data. The California Consumer Privacy Act (“CCPA”) provides California residents with the right to know what categories of Personal Data we have collected about them:

8.10.  

| Category of Personal Data | Collected by EveLab Insight? |
| --- | --- |
| Identifiers | Yes |
| Personal information categories listed in Cal. Civ. Code § 1798.80(e) | Yes |
| Characteristics of protected classifications under California or federal law | Yes |
| Commercial information | No |
| Biometric information | Yes |
| Internet activity or electronic network activity information | No |
| Geolocation data | No |
| Audio, electronic, visual, thermal, olfactory, or similar information | Yes |
| Professional or employment-related information | No |
| Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)) | No |
| Inferences drawn from other personal information to create a profile | Yes |

 

8.11.  We use this Personal Data to provide and improve the Service and for the purposes set forth above.

 

8.12. California residents have the right to: (i) receive a copy of Personal Data that you have provided to us, or ask us to send that Personal Data to another company; and (ii) request erasure of Personal Data held about you by us, subject to certain exceptions prescribed by law. To exercise these rights, please contact us as set forth in section 6. For purposes of the CCPA, we do not “sell” your Personal Data.

 

8.13. California residents also have the right not to receive discriminatory treatment by us for the exercise of their rights conferred by the California Consumer Privacy Act.

 

8.14. If you are a Nevada resident, we do not “sell” your Personal Data.

Singapore

8.15. If you have provided your Singapore telephone number(s) and have indicated that you consent to receiving marketing or promotional information via your telephone number(s), then from time to time, we may contact you using such telephone number(s) (including via voice calls, text, fax or other means) with information about our products and services (including discounts and special offers).

India

8.16. You agree that this Data Protection Policy and the security practices adopted by us to safeguard your Personal Data as stated herein constitute reasonable security practices and procedures under Section 43A of the Information Technology Act, 2000 and that the security practices and procedures prescribed by the Central Government of India do not apply to this Data Protection Policy.

European Union/European Economic Area (EU/EEA)

8.17. For cases in which we process personal data within the scope of the Regulation (EU) 2016/679 (European General Data Protection Regulation, “GDPR”), you will find the relevant details on the processing of your personal data in the GDPR Notice below.

 

9. Language

9.1. This Data Protection Policy is prepared and drafted in English, but may be translated into other languages (e.g. Japanese and Korean). Should any conflict arise between the English language version of this Data Protection Policy and any translation hereof, the English language version shall be controlling.

 

10. General

10.1. Section 18 of the EveLab Insight Terms of Use shall apply to this Data Protection Policy, mutatis mutandis, as if they had been fully set forth herein, except that the term “these Terms of Use” therein shall be changed to “this Data Protection Policy”.


EveLab Insight GDPR Notice

In the context of the provision of the Service (as defined in the EveLab Insight Terms of Use), we process personal data.

If the GDPR applies to our processing of your personal data, we process personal data only in accordance with the GDPR. In our above (general) Privacy Policy, you will find information on when the GDPR applies to our processing of personal data. This GDPR Notice replaces the above (general) Privacy Policy and includes detailed information on our processing of your personal data under the GDPR. Where there is a conflict between the information given in the above (general) Privacy Policy and this GDPR Notice, this GDPR Notice shall prevail if the respective processing falls within the scope of the GDPR.

 

I. Information on the controller

1. Identity and contact details of the controller

EveLab Insight (Singapore) Pte. Ltd.

Unit 8106B, Level 81, International Commerce Centre

1 Austin Road West, Hong Kong

E-mail: compliance@evelabinsight.com

2. Identity and contact details of the controller’s representative

Rivacy GmbH
Mexikoring 33, 22297 Hamburg, Germany
E-mail: info@rivacy.eu

3. Contact details of the controller’s data protection officer 

EveLab Insight (Singapore) Pte. Ltd.

Legal Department

Unit 8106B, Level 81, International Commerce Centre

1 Austin Road West, Hong Kong

E-mail: compliance@evelabinsight.com

Phone number: +852 2321 2973



II. Information on the processing of personal data

1. Details on the personal data which are processed

Categories of personal data processed: Account Data
Personal data included in the categories: Data that is collected during registration for and use of the Service. This includes the following information: name, gender, date of birth, mobile phone number, email address.
Sources of the data: User of the Service
Obligation of the data subject to provide the data: The provision of the information marked as mandatory during the registration process is a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data. If the mandatory information is not provided, you cannot make full use of the Service.
Storage duration: The data you provide will remain stored in your Account for as long as your Account exists until you delete it yourself. You may contact us to delete your Account for you at any time.

Categories of personal data processed: Body Data
Personal data included in the categories: Data that is collected during registration for and use of the Service. This includes the following information: skin colour, facial images, faceprints and cosmetic surgery history.
Sources of the data: User of the Service; Generated by us (through sensors in the Eve device)
Obligation of the data subject to provide the data: The provision of the data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data. If the data is not provided, you cannot make full use of the Service.
Storage duration: We are committed to keeping your body data within the period required by law or reasonably necessary to implement features and services in connection with the Service (i.e., we store your face data so that you are able to track your skin analysis results for comparison purposes; without such face data stored, we are unable to generate reports with comparison analysis and you would not be able to meaningfully assess whether your skin condition has improved or deteriorated from previous results). We will delete, de-identify, or anonymize Personal Data after the data retention period expires. In determining the data retention period, we take into account a number of factors, including but not limited to, whether the applicable laws require us to retain such Personal Data for a certain period of time and whether you are a recurring customer, in which case we will continue to retain your Personal Data until you instruct us to delete your account with us.

Categories of personal data processed: Contact Form Data
Personal data included in the categories: Data you provide us with in contact forms on our website: These include the information you provide to us in the relevant contact form. In particular this could include your name, date of birth, telephone number, email address and the content of your request.
Sources of the data: User of the Service
Obligation of the data subject to provide the data: The provision of the data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data. If the data is not provided, we cannot process your request.
Storage duration: The data are stored until your request has been dealt with. We store these data for evidence purposes for the assertion, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded. We also store this data to the extent that statutory obligations to do so, in particular commercial and tax law document retention obligations exist.

2. Details on the processing of the personal data

Purpose of processing the personal data: Provision of the Service
Categories of personal data processed: Account Data; Body Data
Automated decision-making: No automated decision-making takes place.
Legal basis and, where applicable, legitimate interests: Regarding Protocol Data: Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests): Our legitimate interest is the provision of the content of our applications requested by the user. Regarding Account Data and Body Data: Art. 6 (1) (a) GDPR (consent). Regarding Body Data; additionally: Art. 9 (2) (a) GDPR (explicit consent for the processing of special categories of personal data)
Recipient: Hosting Provider

Purpose of processing the personal data: Processing of requests (customer service)
Categories of personal data processed: Account Data; Contact Form Data
Automated decision-making: No automated decision-making takes place.
Legal basis and, where applicable, legitimate interests: If your request concerns a contract to which you are party or the performance of pre-contractual measures: Art. 6 (1) (b) GDPR (performance of a contract to which the data subject is party or taking steps at the request of the data subject prior to entering into a contract). Otherwise: Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests): In this case, our legitimate interest is the processing of your request.
Recipient: -

Purpose of processing the personal data: Verifying the user’s identity
Categories of personal data processed: Account Data
Automated decision-making: No automated decision-making takes place.
Legal basis and, where applicable, legitimate interests: Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests): In this case, our legitimate interest is verifying your identity to be able to provide the Service to you.
Recipient: Hosting Provider

Purpose of processing the personal data: Complying with any applicable rules, laws and regulations, codes of practice or guidelines or to assist in law enforcement and investigations by relevant authorities
Categories of personal data processed: Account Data
Automated decision-making: No automated decision-making takes place.
Legal basis and, where applicable, legitimate interests: Art. 6 (1) (c) GDPR (necessary for compliance with a legal obligation to which the controller is subject)
Recipient: Public authorities

Purpose of processing the personal data: Processing your application for an Account
Categories of personal data processed: Account Data
Automated decision-making: No automated decision-making takes place.
Legal basis and, where applicable, legitimate interests: Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests): Our legitimate interest is the provision of the content of our applications requested by the user.
Recipient: Hosting Provider

Purpose of processing the personal data: Maintaining and administering your Account
Categories of personal data processed: Account Data
Automated decision-making: No automated decision-making takes place.
Legal basis and, where applicable, legitimate interests: Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests): Our legitimate interest is the provision of the content of our applications requested by the user.
Recipient: Hosting Provider

Purpose of processing the personal data: Signing and fulfilling contracts requested by you
Categories of personal data processed: Account Data
Automated decision-making: No automated decision-making takes place.
Legal basis and, where applicable, legitimate interests: Art. 6 (1) (b) GDPR (performance of a contract to which the data subject is party or taking steps at the request of the data subject prior to entering into a contract).
Recipient: Hosting Provider

Purpose of processing the personal data: Maintaining the safe and stable operation of the Service, such as identifying or dealing with any failure of the Service
Categories of personal data processed: Account Data
Automated decision-making: No automated decision-making takes place.
Legal basis and, where applicable, legitimate interests: Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests): Our legitimate interest is ensuring the safe and stable operation of the IT infrastructure used for the provision of the Service.
Recipient: Hosting Provider

Purpose of processing the personal data: Protecting the security of your Account, network, operation, and system, and to prevent phishing, website fraud and Trojan horse viruses
Categories of personal data processed: Account Data
Automated decision-making: No automated decision-making takes place.
Legal basis and, where applicable, legitimate interests: Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests): Our legitimate interest is ensuring the security of the IT infrastructure used for the provision of our websites, in particular for the detection, elimination and conclusive documentation of incidents (e.g. DDoS attacks).
Recipient: Hosting Provider

Purpose of processing the personal data: Assisting our business partners in profiling and management of their respective customers
Categories of personal data processed: Account Data; Body Data
Automated decision-making: No automated decision-making takes place.
Legal basis and, where applicable, legitimate interests: Art. 6 (1) (a) GDPR (consent). If Body Data are being processed for this purpose: Art. 9 (2) (a) GDPR (explicit consent for the processing of special categories of personal data)
Recipient: Business partners that conduct skin tests for you using the Eve device

Purpose of processing the personal data: Managing your preferences - we will analyse the characteristics of your preference and habits and create user profiles (such user profiles are anonymized or de-identified as data analysis results will not be related to specific user identities) based on the collected information, in order to present content that is more in line with your needs
Categories of personal data processed: Account Data
Automated decision-making: No automated decision-making takes place.
Legal basis and, where applicable, legitimate interests: Art. 6 (1) (a) GDPR (consent)
Recipient: Hosting Provider

Purpose of processing the personal data: Sending you news and offers from the Companies, and/or the Representatives that may be of interest to you
Categories of personal data processed: Account Data
Automated decision-making: No automated decision-making takes place.
Legal basis and, where applicable, legitimate interests: Art. 6 (1) (a) GDPR (consent)
Recipient: N/A

Purpose of processing the personal data: Tailoring information and product or service offerings to you in accordance with your preferences and purchase history and/or other transactions with us
Categories of personal data processed: Account Data
Automated decision-making: No automated decision-making takes place.
Legal basis and, where applicable, legitimate interests: Art. 6 (1) (a) GDPR (consent)
Recipient: N/A

Purpose of processing the personal data: Using online advertising and other technologies in connection with the above
Categories of personal data processed: Account Data
Automated decision-making: No automated decision-making takes place.
Legal basis and, where applicable, legitimate interests: Art. 6 (1) (a) GDPR (consent)
Recipient: N/A

3. Details on the recipients of personal data and the transfer of personal data to third countries and/or international organisations 

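Recipient: Hosting Provider: Google Asia Pacific Pte. Ltd.; Microsoft Corporation; Firebase, Inc.
Recipient’s role: Processor
Transfers to third countries and/or international organisations: There is no transfer to third countries and/or international organisations.
Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations: Not applicable.

Recipient: Other EveLab Insight entities (EveLab Insight Global Limited, Xiamen EveLab Insight Technology Co., Ltd, Xiamen EveLab Insight Network Services Co., Ltd.)
Recipient’s role: Processor
Transfers to third countries and/or international organisations: There is no transfer to third countries and/or international organisations.
Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations: Not applicable.

Recipient: Our retail partners that you interact with via your use of our Service (“Retail Partners”). Your Personal Data will also be subject to the Retail Partner’s privacy policy. Please note that we do not control, and we are not responsible for the Retail Partner’s processing of your Personal Data. For any additional information please contact your Retail Partner.
Recipient’s role: Controller
Transfers to third countries and/or international organisations: There is no transfer to third countries and/or international organisations.
Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations: Not applicable.

Recipient: Our professional advisers such as our auditors and lawyers
Recipient’s role: Controller
Transfers to third countries and/or international organisations: There is no transfer to third countries and/or international organisations.
Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations: Not applicable.

Recipient: Relevant government regulators, government ministries, statutory boards or authorities, and/or law enforcement agencies, whether local or overseas, to comply with any directions, laws, rules, guidelines, regulations or schemes issued or administered by any of them, as well as to comply with listing and other requirements or directions of any relevant securities exchange
Recipient’s role: Controller
Transfers to third countries and/or international organisations: There is no transfer to third countries and/or international organisations.
Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations: Not applicable.

Recipient: Any other party to whom you authorise us to disclose your Personal Data
Recipient’s role: Processor
Transfers to third countries and/or international organisations: There is no transfer to third countries and/or international organisations.
Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations: Not applicable.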

III. Information on the rights of data subjects

As a data subject, you have the following rights with regard to the processing of your personal data:

· Right of access (Art. 15 GDPR)

· Right to rectification (Art. 16 GDPR)

· Right to erasure (“right to be forgotten”) (Art. 17 GDPR)

· Right to restriction of processing (Art. 18 GDPR)

· Right to data portability (Art. 20 GDPR)

· Right to object (Art. 21 GDPR)

· Right to withdraw consent (Art. 7 (3) GDPR)

You may contact us for the purpose of exercising these rights using the contact information in Section I.

Where applicable, you find information on any specific modalities and mechanisms which facilitate the exercise of your rights, in particular the exercise of your rights to data portability and to object, in the information on the processing of personal data in Section II of this GDPR Notice.

You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).

Below you find more detailed information on your rights with regard to the processing of your personal data:

1. Right of access 

As a data subject, you have a right to obtain access and information under the conditions provided in Art. 15 GDPR.

This means in particular that you have the right to obtain confirmation from us as to whether we are processing your personal data. If so, you also have the right to obtain access to the personal data and the information listed in Art. 15 (1) GDPR. This includes information regarding the purposes of the processing, the categories of personal data that are being processed and the recipients or categories of recipients to whom the personal data have been or will be disclosed (Art. 15 (1) (a), (b) and (c) GDPR).

You can find the full extent of your right to access and information in Art. 15 GDPR, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

2. Right to rectification 

As a data subject, you have the right to rectification under the conditions provided in Art. 16 GDPR.

This means in particular that you have the right to receive from us without undue delay the rectification of inaccuracies in your personal data and completion of incomplete personal data.

You can find the full extent of your right to rectification in Art. 16 GDPR, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

3. Right to erasure (“right to be forgotten”)

As a data subject, you have a right to erasure (“right to be forgotten”) under the conditions provided in Art. 17 GDPR.

This means that you have the right to obtain from us the erasure of your personal data and we are obliged to erase your personal data without undue delay when one of the reasons listed in Art. 17 (1) GDPR applies. This can be the case, for example, if personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed (Art. 17 (1) (a) GDPR).

If we have made the personal data public and are obliged to erase it, we are also obliged, taking account of available technology and the cost of implementation, to take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of those personal data (Art. 17 (2) GDPR).

The right to erasure (“right to be forgotten”) does not apply if the processing is necessary for one of the reasons listed in Art. 17 (3) GDPR. This can be the case, for example, if the processing is necessary for compliance with a legal obligation or for the establishment, exercise or defence of legal claims (Art. 17 (3) (b) and (e) GDPR).

You can find the full extent of your right to erasure (“right to be forgotten”) in Art. 17 GDPR, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

4. Right to restriction of processing 

As a data subject, you have a right to restriction of processing under the conditions provided in Art. 18 GDPR.

This means that you have the right to obtain from us the restriction of processing if one of the conditions provided in Art. 18 (1) GDPR applies. This can be the case, for example, if you contest the accuracy of the personal data. In such a case, the restriction of processing lasts for a period that enables us to verify the accuracy of the personal data (Art. 18 (1) (a) GDPR).

Restriction means that stored personal data are marked with the goal of restricting their future processing (Art. 4 (3) GDPR).

You can find the full extent of your right to restriction of processing in Art. 18 GDPR, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

5. Right to data portability

As a data subject, you have a right to data portability under the conditions provided in Art. 20 GDPR.

This means that you generally have the right to receive your personal data with which you have provided us in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance from us if the processing is based on consent pursuant to Art. 6 (1) (a) or Art. 9 (2) (a) GDPR or on a contract pursuant to Art. 6 (1) (b) GDPR and the processing is carried out by automated means (Art. 20 (1) GDPR).

You can find information as to whether an instance of processing is based on consent pursuant to Art. 6 (1) (a) or Art. 9 (2) (a) GDPR or on a contract pursuant to Art. 6 (1) (b) GDPR in the information regarding the legal basis of processing in Section II of this GDPR Notice.

In exercising your right to data portability, you also generally have the right to have your personal data transmitted directly from us to another controller if technically feasible (Art. 20 (2) GDPR).

You can find the full extent of your right to data portability in Art. 20 GDPR, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

6. Right to object 

As a data subject, you have a right to object under the conditions provided in Art. 21 GDPR.

At the latest in our first communication with you, we expressly inform you of your right, as a data subject, to object.

More detailed information on this is given below:

Right to object on grounds relating to the particular situation of the data subject

As a data subject, you have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on Art. 6 (1) (e) or (f), including profiling based on those provisions.

You can find information as to whether an instance of processing is based on Art. 6 (1) (e) or (f) GDPR in the information regarding the legal basis of processing in Section II of this GDPR Notice.

In the event of an objection relating to your particular situation, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

You can find the full extent of your right to objection in Art. 21 GDPR, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

Right to object to direct marketing

Where your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.

You can find information as to whether and to what extent personal data are processed for direct marketing purposes in the information regarding the legal basis of processing in Section II of this GDPR Notice.

If you object to processing for direct marketing purposes, we no longer process your personal data for these purposes.

You can find the full extent of your right to objection in Art. 21 GDPR, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

7. Right to withdraw consent

Where an instance of processing is based on consent pursuant to Art. 6 (1) (a) or Art. 9 (2) (a) GDPR, as a data subject you have the right to withdraw your consent at any time pursuant to Art. 7 (3) GDPR. The withdrawal of your consent does not affect the legitimacy of the processing that occurred based on your consent until the withdrawal. We inform you of this before you grant your consent.

You can find information as to whether an instance of processing is based on Art. 6 (1) (a) or Art. 9 (2) (a) GDPR in the information regarding the legal basis of processing in Section II of this GDPR Notice.

8. Right to lodge a complaint with a supervisory authority

As a data subject, you have a right to lodge a complaint with a supervisory authority under the conditions provided in Art. 77 GDPR.

IV. Information on the technical terms of the GDPR used in this GDPR Notice

The technical terms relating to data protection used in this GDPR Notice have the meaning used in the General Data Protection Regulation.

The full scope of the definitions of the General Data Protection Regulation can be found in Art. 4 GDPR, which can be downloaded from the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

You will find more detailed information on the most important technical terms of the General Data Protection Regulation used in this GDPR Notice below:

“personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“data subject” means the respective identified or identifiable natural person to whom the personal data refer;

“processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

“profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

“controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

“processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

“recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

“third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

“international organisation” means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries;

“third country” means a country which is not a member state of the European Union (“EU”) or the European Economic Area (“EEA”);

“Special categories of personal data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.