Privacy Policy of ZATAP

V1.5 – 29.02.2024

We (“collectID”, “us”, “we”, or “our”) are committed to protecting your privacy when using the ZATAP application (hereinafter referred to as the “Application” or the “Service”).

This policy informs you of our policies regarding the collection, use and disclosure of Personal Data when you use our Application and the choices you have associated with that Data.

By using the Application, you agree to the collection and use of information in accordance with this Policy. Unless otherwise defined in this Privacy Policy, the terms used in this Privacy Policy have the same meanings as in our Terms and Conditions.

In Germany, we have appointed an EU representative in accordance with Article 27 of the GDPR. If you are visiting us from the EU/EEA, you can also contact LEXR Germany Rechtsanwalts GmbH:

1 Definitions

Personal Data: Personal Data means data about an individual who can be identified through the data (or from the data and other information either in our possession or likely to come into our possession). Section 2 explains which Personal Data we collect about you when you use our Application and how.

Data Subject (or User): Data Subject is any individual who is using our Application and is the subject of Personal Data.

Data Controller: Data Controller means the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal information are, or are to be, processed. For the purpose of this Privacy Policy, we are a Data Controller of your Personal Data.

Data Processor (or Service Provider): Data Processor (or Service Provider) means any natural or legal person who processes the Personal Data on behalf of the Data Controller. We may use the services of various Service Providers in order to process your Personal Data more effectively. A list of the Service Providers we are currently using can be found in Section 10 ‘Service Providers’.

Blockchain: Blockchain is a data structure that is designed to maintain a digital ledger of transactions. The software that manages a Blockchain works by distributing copies of this ledger to every computer running the software, creating a decentralized network of machines that all hold the same exact transaction history. When an entry is added to the ledger on one machine, every other machine participating in the network must update their ledger to match the changes. The Blockchain can be thought of, more familiarly, as an extra secure database with the added benefits of transparency, decentralization and immutability of data. This is how we record product authenticity so that, by virtue of some clever cryptography, it is independently verifiable. Blockchain technology ensures that the collectID product ecosystem is as secure as technically possible.

NFC: NFC stands for Near Field Communication. It is a technology that enables a wireless connection between battery-free, passive tags and a reading device such as a smartphone. NFC technology is already being used intensively in areas such as payment transactions, e.g. NFC tags enable contactless payments with credit and debit cards.

2 How we collect personal data

2.1 Our approach to data collection

We collect information about you when you use our Application, including browsing and taking certain actions within it.

2.2 Directly

We collect information directly through the following actions.

2.3 Indirectly

We also collect information indirectly as follows.

3 How we use product data

At the moment, the ZATAP NFC tags (the “Tags”) can be found on different product types, namely but not limited to wearables, apparel, beverages, paintings, CDs and sports goods such as skis and bicycles. You can add a product to your collection by scanning the Tag with your smartphone. This enables you to use our various features within the Application. The product tag ID (the “Tag ID”) is stored on the Blockchain (please see Section 6 ‘Storage and Data Transfers’ for a more thorough explanation of what this entails).

The Tag IDs contain an encrypted URL (web address) and a unique NFC-ID to identify the product. The Tag IDs do not contain any other data, and they have no access to the data stored on your device. No customer personal data is stored on the Tag IDs, and geolocation is impossible through the Tag IDs.

While Tag IDs do not contain your Personal Data, please note that disclosing ownership of rare products to third parties, e.g. on social media, may lead to the identification of other products in your collection by another user of the Application.

4 Legal basis and purposes

4.1 Our approach

Our legal basis for collecting and using the Personal Data described in this Privacy Policy depends on the Personal Data we collect and the specific purposes for which we collect it.

4.2 Contract

We process your Personal Data to perform our contractual obligations or take steps linked to a contract with you.

The purposes are the following:

4.3 Consent

We may rely on your freely given consent at the time you provided your Personal Data.

The purposes are the following:

4.4 Legitimate interests

We may rely on legitimate interests based on our evaluation that the processing is fair, reasonable and balanced.

The purposes are the following:

4.5 Public interest

We may process your Personal Data to meet regulatory and public interest obligations.

The purpose is the following:

5 Data retention

We retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy, and to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes and enforce our legal agreements and policies.

Data that is stored on the Blockchain is immutable. This means that it cannot be deleted. For that reason, we refrain from storing Personal Data on it, except for the Blockchain Data and the Product Data. Once, however, your Personal Data has been deleted on the basis of a legal requirement or the exercise of your data protection rights, the Blockchain Wallet is no longer connected to your user account. For more information on this, please refer to the ‘Right to erasure’ under Section 9.

6 Storage and data transfers

6.1 Our approach to data storage

We care for your privacy and data protection rights (as described in Section 9). We have therefore opted for a granular approach when it comes to storing data.

6.2 Data transfers

We and/or our Service Providers may transfer your personal data to and process it:

We may use service providers who are partly located in so-called third countries (outside the European Union or the European Economic Area or Switzerland) or process personal data there, i.e. countries whose level of data protection does not correspond to that of the EU.

We safeguard your personal data per our contractual obligations and applicable data protection legislation when transferring data abroad.

Such safeguards may include:

If a third country transfer takes place and there is no adequacy decision or appropriate safeguards, it is possible and there is a risk that authorities in the third country (e.g. intelligence services) can gain access to the transferred data and that the enforceability of your data subject’s rights cannot be guaranteed.

Please refer to Section 10 ‘Service Providers’ for a full list of the data processors that we use.

6.3 Storing the blockchain wallet and product data

The only information that we store on the Blockchain is the Blockchain Wallet (as defined under Section 2 ‘How We Collect Personal Data’) as well as Product Data (as defined under Section 3 ‘How We Collect Product Data’).

As explained above, the Blockchain is a transparent database. This means that the information stored on it is publicly accessible. While the Tag ID does not contain Personal Data, you should be aware that disclosing past or current possession of a rare product may result in the identification of other products in your collection through the information available on the Blockchain Wallet.

The Blockchain is also a decentralized database. This means that the information stored on the Blockchain is not stored in one central location (such as your Personal Data on Google Cloud Storage), but distributed throughout the network. Therefore, ZATAP has no control over whether the Product Data is stored inside or outside the EEA.

7 Data disclosure

We may disclose your Personal Data in the good faith belief that such action is necessary to:

8 Data security

8.1 Our approach to data security

We take reasonable technical and organizational security measures that we deem appropriate in order to protect data, be it Personal Data or Product Data, against manipulation, loss, or unauthorized third-party access. Our security measures are continually adapted to technological developments.

We also take internal data privacy very seriously. Our employees and the service providers that we retain are required to maintain secrecy and to comply with applicable data protection legislation. In addition, they are granted access to personal data only insofar as this is necessary for them to carry out their respective tasks or mandate.

We take all the steps reasonably necessary to ensure that no transfer of your Personal Data will take place to an organisation or a country unless there are adequate controls in place including the security of your Personal Data (as described in Section 6 ‘Storage and Data Transfers’).

The security of your Personal Data is important to us but remember that no method of transmission over the Internet or method of electronic storage, be it cloud-, storage-, or blockchain-based is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.

The following Sections describe the steps we have taken to protect your Personal Data.

8.2 Confidentiality

Physical access control: No unauthorised access to our facilities.

Electronic access control: No unauthorised use of the Personal Data processing and storage systems.

Internal access control: No unauthorised reading, copying, changes or deletions of Personal Data within the system.

Pseudonymization: The processing of Personal Data in such a method/way, that the data cannot be associated with a specific person without the assistance of additional information, provided that this additional information is stored separately, and is subject to appropriate technical and organisational measures.

8.3 Integrity

Data transfer control: No unauthorised reading, copying, changes or deletions of Personal Data with electronic transfer or transport.

Data entry control: Verification whether and by whom Personal Data is entered into a data processing system, is changed or deleted.

Blockchain: No unauthorised reading, copying, changes or deletions of the Blockchain Wallet and Product Data.

8.4 Availability and resilience

Availability control: Prevention of accidental or wilful destruction or loss.

Contract control: No third-party data processing as per Article 28 GDPR without corresponding instructions from the Client.

Data Protection policies: The processing of Personal Data in alignment with internal Policies by trained staff.

9 Data protection rights

9.1 Your data protection rights

You have certain data protection rights. We will respond to your request without undue delay, at the latest within one calendar month after receipt. Please note that we may ask you to verify your identity before responding to such requests.

9.2 Right to access

You have a right to request a copy of the Personal Data held by us as a data controller, which we will provide to you in an electronic form.

9.3 Right to amendment

You have the right to ask us to correct our records if you believe they contain incorrect or incomplete information about you.

9.4 Right to withdraw consent

If you have provided your consent to the collection, processing and transfer of your Personal Data, you have the right to fully or partly withdraw your consent. This includes cases where you wish to opt out from marketing messages.

Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose(s) to which you originally consented unless there is another Legal Basis for the processing.

You may use the Application settings to adjust your consent settings. To stop receiving emails from us, contact us at info@collectid.io.

9.5 Right to erasure

You have the right to request that we delete your Personal Data when it is no longer necessary for the Purposes for which it was collected, or when it was unlawfully processed.

When you exercise your right to erasure, your user account and all associated data will be deleted from our database. The Blockchain Wallet (i.e. the user public address, related transaction history and related Tag ID(s)) will persist, as data that is stored on the Blockchain is immutable, but all connections between the Blockchain Wallet and your user account will be deleted. Your ownership of the products in your collection will be deleted from our database.

9.6 Right to restriction of processing

You have the right to request the restriction of our processing of your Personal Data where you believe it to be inaccurate, our processing is unlawful, or where we no longer need to process it for the initial Purpose, but where we are not able to delete it due to a legal obligation or because you do not want us to delete it.

9.7 Right to portability

You have the right to request that we transmit your Personal Data to another data controller in a common format such as Excel, where this is data which you have provided to us and where we are processing it on the Legal Basis of your consent or in order to perform our contractual obligations (e.g. to provide our Services).

9.8 Right to object to processing

Where the Legal Basis for our processing of your Personal Data is our legitimate interest, you have the right to object to such processing on grounds relating to your particular situation. We will abide by your request unless we have a compelling legitimate Legal Basis for the processing which overrides your interests, or if we need to continue to process the Data for the establishment, exercise or defence of a legal claim.

9.9 Right to lodge a complaint with a supervisory authority

You have the right of appeal to a data protection supervisory authority if you believe that the processing of your personal data violates data protection law.

In Switzerland, you may contact the Federal Data Protection and Information Commissioner, Feldeggweg 1, CH-3003 Bern.

10 Service providers

10.1 Our approach to service providers

We may employ third party companies and individuals to facilitate the operation of our Application (“Service Providers”), provide the Application on our behalf, perform Application-related services, assist us in analysing how our Application is used or help us provide you with tailor-made offers and exclusive deals. These third parties have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

10.2 Functional services providers

10.2.1 Pusher Beams

Pusher Beams is provided by MessageBird B.V., Trompenburgstraat 2C, 1079 TX Amsterdam, The Netherlands (“Pusher Beams”). Pusher Beams is an API for sending push notifications to iOS, Android and Web applications based on your consent. It includes a hosted service and specialized SDKs to seamlessly manage our app’s device push tokens. Pusher Beams furthermore allows us to orchestrate a personalised notification experience for app users, namely by programmatically triggering push notifications based on in-app activities to keep users engaged with our Application. In order to do this, we provide Pusher Beams with the following personal data: internal user ID, unique device identifier.

For more information you may visit MessageBird privacy policy.

10.2.2 Google Cloud Storage

Google Cloud Storage is provided by Google Cloud EMEA Limited. This type of service has the purpose of hosting Data and files that enable this Application to run and be distributed as well as to provide a ready-made infrastructure to run specific features or parts of this Application. Some of these services work through geographically distributed servers, making it difficult to determine the actual location where the Personal Data are stored.

For more information you may visit Google privacy policy.

10.2.3 Auth0

Auth0 is a registration and authentication service provided by Auth0 Inc. To simplify the registration and authentication process, Auth0 can make use of third-party identity providers and save the information on its platform.

For more information you may visit Auth0 privacy policy.

10.2.4 Facebook Login

Facebook Login is provided by Meta Platforms Ireland Limited, or by Meta Platforms, Inc., depending on the location this Application is accessed from. Facebook Login is a registration and authentication service connected to the Facebook social network.

For more information you may visit Meta privacy policy.

10.2.5 Google OAuth

Google OAuth is provided by Google LLC or by Google Ireland Limited, depending on the location this Application is accessed from. Google OAuth is a registration and authentication service connected to the Google network.

For more information you may visit Google privacy policy.

10.2.6 Sign in with Apple

Sign in with Apple is provided by Apple Distribution International Limited, or Apple Inc. depending on the location this Application is accessed from. Sign in with Apple is a registration and authentication service connected to the Apple network.

For more information you may visit Apple privacy policy.

10.3 Social media services providers

We maintain online presences on social networks to, among other things, communicate with customers and prospective customers and to provide information about our products and services. If you have an account on the same network, it is possible that your information and media made available there may be seen by us, for example, when we access your profile. In addition, the social network may allow us to contact you. The content communication via the social network and the processing of the content data is thereby subject to the responsibility of the social network. As soon as we transfer personal data into our own system, we are responsible for this independently. This is then done in order to carry out pre-contractual measures and to fulfil a contract. For the legal basis of the data processing carried out by the social networks under their own responsibility, please refer to their data protection declarations. Below is a list of social networks on which we operate an online presence:

10.4 Commercial partners

Commercial Partners consist of product manufacturers, brands, authenticators and sellers.

We share the following anonymous and anonymized information with our Commercial Partners on the basis of our legitimate interest to improve our Service:

Beyond what is mentioned above, we will never share Personal Data with our Commercial Partners without your explicit, freely given, informed and specific consent. You can opt in and out of sharing information with our Commercial Partners by managing your preferences in the Application settings. We process this personal data based on your consent in order to link the products in your collection to your tickets to our commercial partners’ venues, as well as to inform our partners of the individuals who own their merchandise, for marketing purposes.

We share the following Personal Data with our Commercial Partners on the basis of that explicit consent. The following Personal Data is only shared with the Commercial Partners related to products included in your collection:

11 Tracking systems

We may employ tracking systems provided by third parties which allow us to measure and evaluate the use of our Application (on an anonymized basis).

The Service provider may receive Personal Data e.g. your device identifier and your use of the Application on the basis of your explicit consent.

11.1 Matomo

Our Application uses Matomo, a service provided by InnoCraft, 7 Waterloo Quay PO6140 Wellington, New Zealand (“Matomo”). Matomo is a privacy-friendly analytics solution. Matomo is an analytics software platform that provides detailed reports on our Application usage, allowing us to track app sessions, screen views, events, goals, etc. Matomo allows us to do so with cookieless tracking in a way where cookies and other tools are not used or installed on your device. This ensures a privacy-friendly analytics system, since no personal data is processed and users are not tracked. We deploy this cookieless tracking from the moment you launch our app. Matomo furthermore allows us to track users through tools that collect your personal data, in order to ensure more accurate usage reports. This may include the processing of personal data such as IP addresses, browser, browser version, device type, operating system, data, time, time zone, pages visited, screens visited, files clicked and downloaded. We will only deploy these tools after obtaining your consent. To know more about Matomo’s cookie usage, consult its privacy policy.

11.2 Google Analytics

We use the analytics service Google Analytics 4, which is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). If you have not consented to the use of the analytics tools, your data will not be collected as part of Google Analytics 4.

Google Analytics 4 uses JavaScript and pixels to read information on your terminal device and other tools to store information on your terminal device. This is used to analyse your usage behaviour and to improve our Application. The access data is compiled by Google on our behalf into pseudonymous usage profiles and transferred to a Google server in the USA. We will process the information obtained in order to evaluate your use of the Application and to compile reports on website activities.

The data collected as part of the usage analysis of Google Analytics 4 is enriched with data from the Google Search Console and linked to data from Google Ads, in particular to measure the success of our advertising campaigns (so-called conversions).

The following data may be processed by Google Analytics 4: IP address; user ID and device ID; pages viewed (date, time, URL, title, length of stay); downloaded files; clicked links to other websites or apps; achievement of certain goals (conversions); technical information (operating system; version and language; device type, brand, model and resolution); approximate location (country, region and city, if applicable, based on anonymised IP address).

To know more about Google’s privacy practices, consult its privacy policy.

11.3 Smartlook

Our Application uses the analytics service by Smartlook.com, s.r.o, Sumavska 524/31, Veveri, 602 00 Brno, Czech Republic (“Smartlook”). If you have not consented to the use of the analytics tools, your data will not be collected as part of Smartlook. Smartlook provides analytical tools to analyse the behaviour of our Application’s users. These tools provide a way to anonymously connect visits of each user. Smartlook will use this information to provide insights into your usage of our Application solely for the operator of our Application.

To know more about Smartlook’s privacy practices, consult its privacy policy.

12 Links to third-party sites

Our Application may contain links to sites and applications that are not operated by us. If you click a third-party link, you will be directed to that third party’s site or service.

We have no control over and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.

13 Changes to this privacy policy

We may update our Privacy Policy from time to time.

We will notify you via email and/or a prominent notice on our Application, prior to the change becoming effective and update the ‘effective date’ at the top of this Privacy Policy, but we encourage you to review this Privacy Policy periodically for any changes.

Changes to this Privacy Policy are effective when they are posted on this policy.

14 Contact us

If you have any questions about this Privacy Policy, please contact us at:

collectID AG
Neumarkt 11
8400 Winterthur
Switzerland
info@collectid.io