Privacy Policy of ZATAP
V1.5 – 29.02.2024
We (“collectID”, “us”, “we”, or “our”) are committed to protecting your privacy when using the ZATAP application (hereinafter referred to as the “Application” or the “Service”).
This policy informs you of our policies regarding the collection, use and disclosure of Personal Data when you use our Application and the choices you have associated with that Data.
By using the Application, you agree to the collection and use of information in accordance with this Policy. Unless otherwise defined in this Privacy Policy, the terms used in this Privacy Policy have the same meanings as in our Terms and Conditions.
In Germany, we have appointed an EU representative in accordance with Article 27 of the GDPR. If you are visiting us from the EU/EEA, you can also contact LEXR Germany Rechtsanwalts GmbH:
- by e-mail to: contact@lexr.com
- by mail to: LEXR Germany Rechtsanwalts GmbH, Gormannstrasse 14, 10119 Berlin, Germany
- or call us at: +49 171 2242 782
1 Definitions
Personal Data: Personal Data means data about an individual who can be identified through the data (or from the data and other information either in our possession or likely to come into our possession). Section 2 explains which Personal Data we collect about you when you use our Application and how.
Data Subject (or User): Data Subject is any individual who is using our Application and is the subject of Personal Data.
Data Controller: Data Controller means the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal information are, or are to be, processed. For the purpose of this Privacy Policy, we are a Data Controller of your Personal Data.
Data Processor (or Service Provider): Data Processor (or Service Provider) means any natural or legal person who processes the Personal Data on behalf of the Data Controller. We may use the services of various Service Providers in order to process your Personal Data more effectively. A list of the Service Providers we are currently using can be found in Section 10 ‘Service Providers’.
Blockchain: Blockchain is a data structure that is designed to maintain a digital ledger of transactions. The software that manages a Blockchain works by distributing copies of this ledger to every computer running the software, creating a decentralized network of machines that all hold the same exact transaction history. When an entry is added to the ledger on one machine, every other machine participating in the network must update their ledger to match the changes. The Blockchain can be thought of, more familiarly, as an extra secure database with the added benefits of transparency, decentralization and immutability of data. This is how we record product authenticity so that, by virtue of some clever cryptography, it is independently verifiable. Blockchain technology ensures that the collectID product ecosystem is as secure as technically possible.
NFC: NFC stands for Near Field Communication. It is a technology that enables a wireless connection between battery-free, passive tags with a reading device such as a smartphone. NFC technology is already being used intensively in areas such as payment transactions, e.g. NFC tags enable contactless payments with credit and debit cards.
2 How we collect personal data
2.1 Our approach to data collection
We collect information about you when you use our Application, including browsing and taking certain actions within it.
2.2 Directly
We collect information directly through the following actions.
- Registration on the Application: We collect information about you when you register on our Application, with your e-mail, Facebook, Google or Apple account. The “Login Data” consists of the following:
  - Email address.
  - User ID.
  - Username.
  - Profile picture.
  - Date of birth and age.
  - Additional elements that users may add to their profiles.
- Connection of a blockchain wallet: We collect information about your blockchain wallet when you connect your blockchain wallet to the ZATAP account. The “Blockchain Data” consists of the following:
  - User public address.
- Scanning products and adding products to a collection: We collect information about the products you scan and add to your collection. The “Product Data” consists of the following:
  - Product NFC Tag ID.
  - Product serial number.
  - Product name, brand, model, size, color, photo and other characteristics.
2.3 Indirectly
We also collect information indirectly as follows.
- Usage of the Application: We keep track of certain information about you when you visit and interact with our Application. The “Usage Data” consists of the following:
  - Session-related information, such as last login, login attempts, previous logins.
  - Application activity, such as product scanning, adding products to the user’s collection, links clicked.
- Device and connection information: We collect information about your computer, phone, tablet, or other devices you use to access the Application. The “Device Data” consists of the following:
  - Type of device.
  - Operating system.
  - Unique device identifier(s).
  - Diagnostic data.
  - IP Address.
  - Approximate geolocation data (country, city, and street).
- Tracking technologies: We and our third-party partners, such as our advertising and analytics partners, use tracking technologies (the “Tracking Data”) to provide functionality and to recognize you across different Services and devices. For more information, please refer to Section 11 ‘Tracking Technologies’.
- Other partners: We receive information about you and your activities on and off the Application from third-party partners, such as:
  - Advertising and market research partners who provide us with information about your interest in and engagement with, our Services and online advertisements.
  - Public sources and registers, such as news articles, commercial registers and internet searches as well as to comply with legal obligations related to anti-money laundering and Know Your Customer procedures.
  - From our commercial partners when connecting your tickets to their venues through the products included in your collection, allowing us to identify your ticket and the information therein as well as the events you attended.
3 How we use product data
At the moment, the ZATAP NFC tags (the “Tags”) can be found on different product types, including but not limited to wearables, apparel, beverages, paintings, CDs and sports goods such as skis and bicycles. You can add a product to your collection by scanning the Tag with your smartphone. This enables you to use our various features within the Application. The product tag ID (the “Tag ID”) is stored on the Blockchain (please see Section 6 ‘Storage and Data Transfers’ for a more thorough explanation of what this entails).
The Tag IDs contain an encrypted URL (web address) and a unique NFC-ID to identify the product. The Tag IDs do not contain any other data, and they have no access to the data stored on your device. No customer personal data is stored on the Tag IDs, and geolocation is impossible through the Tag IDs.
While Tag IDs do not contain your Personal Data, please note that disclosing ownership of rare products to third parties, e.g. on social media, may lead to the identification of other products in your collection by another user of the Application.
4 Legal basis and purposes
4.1 Our approach
Our legal basis for collecting and using the Personal Data described in this Privacy Policy depends on the Personal Data we collect and the specific purposes for which we collect it.
4.2 Contract
We process your Personal Data to perform our contractual obligations or take steps linked to a contract with you.
The purposes are the following:
- To verify your age.
- To provide and administer services as instructed by you.
- To disclose your username and profile picture to other users who scan products you own or have previously owned, as well as to users engaged in gamification features linked with your products.
- To provide you with customer support.
4.3 Consent
We may rely on your freely given consent at the time you provided your Personal Data.
The purposes are the following:
- To provide you with news, special offers and general information about goods, services and events which we or our Commercial Partners offer by means of push notifications or email correspondence.
- To share your information with our Commercial Partners for purposes not connected with our legitimate interests (as defined in Section 10.4 ‘Commercial Partners’).
- To analyse, improve, personalise and monitor the usage of our Application (including analytics) and communications.
- To allow other users to see your collection, including your username, image, bio and the products included therein.
4.4 Legitimate interests
We may rely on legitimate interests based on our evaluation that the processing is fair, reasonable and balanced.
The purposes are the following:
- To provide, maintain and improve our Application, as well as to detect, prevent and address security threats.
- To notify you about changes to our Application and our Privacy Policy, and to send you information about the products in your collection.
4.5 Public interest
We may process your Personal Data to meet regulatory and public interest obligations.
The purpose is the following:
- To maintain records and conduct compliance checks, e.g. anti-money laundering, fraud and crime prevention.
5 Data retention
We retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy, and to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes and enforce our legal agreements and policies.
Data that is stored on the Blockchain is immutable. This means that it cannot be deleted. For that reason, we refrain from storing Personal Data on it, except for the Blockchain Data and the Product Data. Once, however, your Personal Data has been deleted on the basis of a legal requirement or the exercise of your data protection rights, the Blockchain Wallet is no longer connected to your user account. For more information on this, please refer to the ‘Right to erasure’ under Section 9.
6 Storage and data transfers
6.1 Our approach to data storage
We care for your privacy and data protection rights (as described in Section 9). We have therefore opted for a granular approach when it comes to storing data.
6.2 Data transfers
We and/or our Service Providers may transfer your personal data to and process it:
- In the EU/EEA
- In the USA
We may use service providers who are partly located in so-called third countries (outside the European Union or the European Economic Area or Switzerland) or process personal data there, i.e. countries whose level of data protection does not correspond to that of the EU.
We safeguard your personal data per our contractual obligations and applicable data protection legislation when transferring data abroad.
Such safeguards may include:
- the transfer to countries that have been deemed to provide an adequate level of protection according to lists of countries published by the Federal Data Protection and Information Commissioner, as well as to countries where there is an adequacy decision by the European Commission in place;
- applying standard data protection model clauses, binding corporate rules or other standard contractual obligations that provide appropriate data protection.
If a third country transfer takes place and there is no adequacy decision or appropriate safeguards, there is a risk that authorities in the third country (e.g. intelligence services) can gain access to the transferred data and that the enforceability of your data subject rights cannot be guaranteed.
Please refer to Section 10 ‘Service Providers’ for a full list of the data processors that we use.
6.3 Storing the blockchain wallet and product data
The only information that we store on the Blockchain is the Blockchain Wallet (as defined under Section 2 ‘How We Collect Personal Data’) as well as Product Data (as defined under Section 3 ‘How We Collect Product Data’).
As explained above, the Blockchain is a transparent database. This means that the information stored on it is publicly accessible. While the Tag ID does not contain Personal Data, you should be aware that disclosing past or current possession of a rare product may result in the identification of other products in your collection through the information available on the Blockchain Wallet.
The Blockchain is also a decentralized database. This means that the information stored on the Blockchain is not stored on one, central location (such as e.g. your Personal Data on Google Cloud Storage), but distributed throughout the network. Therefore, ZATAP has no control over whether the Product Data is stored inside or outside the EEA.
7 Data disclosure
We may disclose your Personal Data in the good faith belief that such action is necessary:
- To comply with a legal obligation (i.e. if required by law or in response to valid requests by public authorities, such as a court or government agency).
- To protect and defend our rights or property.
- To prevent or investigate possible wrongdoing in connection with the Application.
- To protect the safety of Application visitors or the public.
- To protect ourselves against legal liability.
8 Data security
8.1 Our approach to data security
We take reasonable technical and organizational security measures that we deem appropriate in order to protect data, be it Personal Data or Product Data, against manipulation, loss, or unauthorized third-party access. Our security measures are continually adapted to technological developments.
We also take internal data privacy very seriously. Our employees and the service providers that we retain are required to maintain secrecy and to comply with applicable data protection legislation. In addition, they are granted access to personal data only insofar as this is necessary for them to carry out their respective tasks or mandate.
We take all the steps reasonably necessary to ensure that no transfer of your Personal Data will take place to an organisation or a country unless there are adequate controls in place including the security of your Personal Data (as described in Section 6 ‘Storage and Data Transfers’).
The security of your Personal Data is important to us, but remember that no method of transmission over the Internet or method of electronic storage, be it cloud-, storage-, or blockchain-based, is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.
The following Sections describe the steps we have taken to protect your Personal Data.
8.2 Confidentiality
Physical access control: No unauthorised access to our facilities.
Electronic access control: No unauthorised use of the Personal Data processing and storage systems.
Internal access control: No unauthorised reading, copying, changes or deletions of Personal Data within the system.
Pseudonymization: The processing of Personal Data in such a way that the data cannot be associated with a specific person without the assistance of additional information, provided that this additional information is stored separately and is subject to appropriate technical and organisational measures.
8.3 Integrity
Data transfer control: No unauthorised reading, copying, changes or deletions of Personal Data with electronic transfer or transport.
Data entry control: Verification whether and by whom Personal Data is entered into a data processing system, is changed or deleted.
Blockchain: No unauthorised reading, copying, changes or deletions of the Blockchain Wallet and Product Data.
8.4 Availability and resilience
Availability control: Prevention of accidental or wilful destruction or loss.
Contract control: No third-party data processing as per Article 28 GDPR without corresponding instructions from the Client.
Data Protection policies: The processing of Personal Data in alignment with internal Policies by trained staff.
9 Data protection rights
9.1 Your data protection rights
You have certain data protection rights. We will respond to your request without undue delay, at the latest within one calendar month after receipt. Please note that we may ask you to verify your identity before responding to such requests.
9.2 Right to access
You have a right to request a copy of the Personal Data held by us as a data controller, which we will provide to you in an electronic form.
9.3 Right to amendment
You have the right to ask us to correct our records if you believe they contain incorrect or incomplete information about you.
9.4 Right to withdraw consent
If you have provided your consent to the collection, processing and transfer of your Personal Data, you have the right to fully or partly withdraw your consent. This includes cases where you wish to opt out from marketing messages.
Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose(s) to which you originally consented unless there is another Legal Basis for the processing.
You may use the Application settings to adjust your consent settings. To stop receiving emails from us, contact us at info@collectid.io.
9.5 Right to erasure
You have the right to request that we delete your Personal Data when it is no longer necessary for the Purposes for which it was collected, or when it was unlawfully processed.
When you exercise your right to erasure, your user account and all associated data will be deleted from our database. The Blockchain Wallet (i.e. the user public address, related transaction history and related Tag ID(s)) will persist, as data that is stored on the Blockchain is immutable, but all connections between the Blockchain Wallet and your user account will be deleted. Your ownership of the products in your collection will be deleted from our database.
9.6 Right to restriction of processing
You have the right to request the restriction of our processing of your Personal Data where you believe it to be inaccurate, our processing is unlawful, or where we no longer need to process it for the initial Purpose, but where we are not able to delete it due to a legal obligation or because you do not want us to delete it.
9.7 Right to portability
You have the right to request that we transmit your Personal Data to another data controller in a common format such as Excel, where this is data which you have provided to us and where we are processing it on the Legal Basis of your consent or in order to perform our contractual obligations (e.g. to provide our Services).
9.8 Right to object to processing
Where the Legal Basis for our processing of your Personal Data is our legitimate interest, you have the right to object to such processing on grounds relating to your particular situation. We will abide by your request unless we have a compelling legitimate Legal Basis for the processing which overrides your interests, or if we need to continue to process the Data for the establishment, exercise or defence of a legal claim.
9.9 Right to lodge a complaint with a supervisory authority
You have the right of appeal to a data protection supervisory authority if you believe that the processing of your personal data violates data protection law.
In Switzerland, you may contact the Federal Data Protection and Information Commissioner, Feldeggweg 1, CH-3003 Bern.
10 Service providers
10.1 Our approach to service providers
We may employ third party companies and individuals to facilitate the operation of our Application (“Service Providers”), provide the Application on our behalf, perform Application-related services, assist us in analysing how our Application is used or help us provide you with tailor-made offers and exclusive deals. These third parties have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.
10.2 Functional services providers
10.2.1 Pusher Beams
Pusher Beams is provided by MessageBird B.V., Trompenburgstraat 2C, 1079 TX Amsterdam, The Netherlands (“Pusher Beams”). Pusher Beams is an API for sending push notifications to iOS, Android and Web applications based on your consent. It includes a hosted service and specialized SDKs to seamlessly manage our app’s device push tokens. Pusher Beams furthermore allows us to orchestrate a personalised notification experience for app users, namely by programmatically triggering push notifications based on in-app activities to keep users engaged with our Application. In order to do this, we provide Pusher Beams with the following personal data: internal user ID, unique device identifier.
For more information you may visit MessageBird privacy policy.
10.2.2 Google Cloud Storage
Google Cloud Storage is provided by Google Cloud EMEA Limited. This type of service has the purpose of hosting Data and files that enable this Application to run and be distributed as well as to provide a ready-made infrastructure to run specific features or parts of this Application. Some of these services work through geographically distributed servers, making it difficult to determine the actual location where the Personal Data are stored.
For more information you may visit Google privacy policy.
10.2.3 Auth0
Auth0 is a registration and authentication service provided by Auth0 Inc. To simplify the registration and authentication process, Auth0 can make use of third-party identity providers and save the information on its platform.
For more information you may visit Auth0 privacy policy.
10.2.4 Facebook Login
Facebook Login is provided by Meta Platforms Ireland Limited, or by Meta Platforms, Inc., depending on the location this Application is accessed from. Facebook Login is a registration and authentication service connected to the Facebook social network.
For more information you may visit Meta privacy policy.
10.2.5 Google OAuth
Google OAuth is provided by Google LLC or by Google Ireland Limited, depending on the location this Application is accessed from. Google OAuth is a registration and authentication service connected to the Google network.
For more information you may visit Google privacy policy.
10.2.6 Sign in with Apple
Sign in with Apple is provided by Apple Distribution International Limited, or Apple Inc. depending on the location this Application is accessed from. Sign in with Apple is a registration and authentication service connected to the Apple network.
For more information you may visit Apple privacy policy.
10.3 Social media services providers
We maintain online presences on social networks to, among other things, communicate with customers and prospective customers and to provide information about our products and services. If you have an account on the same network, it is possible that your information and media made available there may be seen by us, for example, when we access your profile. In addition, the social network may allow us to contact you. The content communication via the social network and the processing of the content data is thereby subject to the responsibility of the social network. As soon as we transfer personal data into our own system, we are responsible for this independently. This is then done in order to carry out pre-contractual measures and to fulfil a contract. For the legal basis of the data processing carried out by the social networks under their own responsibility, please refer to their data protection declarations. Below is a list of social networks on which we operate an online presence:
- Facebook: Privacy policy
- Instagram: Privacy policy
- LinkedIn: Privacy policy
- Twitter: Privacy policy
- Pinterest: Privacy policy
- TikTok: Privacy policy
- Youtube: Privacy policy
10.4 Commercial partners
Commercial Partners consist of product manufacturers, brands, authenticators and sellers.
We share the following anonymous and anonymized information with our Commercial Partners on the basis of our legitimate interest to improve our Service:
- Product details (brand, name, size, condition, authenticator, date of registration by current owner, number of previous product owners).
- User and collection details (anonymous user ID, approximate location, where interaction with the application occurred, products scanned or added to the collection).
Beyond what is mentioned above, we will never share Personal Data with our Commercial Partners without your explicit, freely given, informed and specific consent. You can opt in and out of sharing information with our Commercial Partners by managing your preferences in the Application settings. We process this personal data based on your consent in order to link the products in your collection to your tickets to our commercial partners’ venues, as well as to inform our partners of the individuals who own their merchandise, for marketing purposes.
We share the following Personal Data with our Commercial Partners on the basis of that explicit consent. The following Personal Data is only shared with the Commercial Partners related to products included in your collection:
- Username.
- Age and birthdate.
- Email address.
- Bio.
- The serial number and list of products in your collection.
11 Tracking systems
We may employ tracking systems provided by third parties which allow us to measure and evaluate the use of our Application (on an anonymized basis).
The Service provider may receive Personal Data e.g. your device identifier and your use of the Application on the basis of your explicit consent.
11.1 Matomo
Our Application uses Matomo, a service provided by InnoCraft, 7 Waterloo Quay PO6140 Wellington, New Zealand (“Matomo”). Matomo is a privacy-friendly analytics software platform that provides detailed reports on our Application usage, allowing us to track app sessions, screen views, events, goals, etc. Matomo allows us to do so with cookieless tracking, in which cookies and other tools are not used or installed on your device. This ensures a privacy-friendly analytics system, since no personal data is processed and users are not tracked. We deploy this cookieless tracking from the moment you launch our app. Matomo furthermore allows us to track users through tools that collect your personal data, in order to ensure more accurate usage reports. This may include the processing of personal data such as IP addresses, browser, browser version, device type, operating system, date, time, time zone, pages visited, screens visited, files clicked and downloaded. We will only deploy these tools after obtaining your consent. To know more about Matomo’s cookie usage, consult its privacy policy.
11.2 Google Analytics
We use the analytics service Google Analytics 4, which is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). If you have not consented to the use of the analytics tools, your data will not be collected as part of Google Analytics 4.
Google Analytics 4 uses JavaScript and pixels to read information on your terminal device and other tools to store information on your terminal device. This is used to analyse your usage behaviour and to improve our Application. The access data is compiled by Google on our behalf into pseudonymous usage profiles and transferred to a Google server in the USA. We will process the information obtained in order to evaluate your use of the Application and to compile reports on website activities.
The data collected as part of the usage analysis of Google Analytics 4 is enriched with data from the Google Search Console and linked to data from Google Ads, in particular to measure the success of our advertising campaigns (so-called conversions).
The following data may be processed by Google Analytics 4: IP address; user ID and device ID; pages viewed (date, time, URL, title, length of stay); downloaded files; clicked links to other websites or apps; achievement of certain goals (conversions); technical information (operating system; version and language; device type, brand, model and resolution); approximate location (country, region and city, if applicable, based on anonymised IP address).
To know more about Google’s privacy practices, consult its privacy policy.
11.3 Smartlook
Our Application uses the analytics service by Smartlook.com, s.r.o, Sumavska 524/31, Veveri, 602 00 Brno, Czech Republic (“Smartlook”). If you have not consented to the use of the analytics tools, your data will not be collected as part of Smartlook. Smartlook provides analytical tools to analyse the behaviour of our Application’s users. These tools provide a way to anonymously connect visits of each user. Smartlook will use this information to provide insights into your usage of our Application solely for the operator of our Application.
To know more about Smartlook’s privacy practices, consult its privacy policy.
12 Links to third-party sites
Our Application may contain links to sites and applications that are not operated by us. If you click a third-party link, you will be directed to that third party’s site or service.
We have no control over and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.
13 Changes to this privacy policy
We may update our Privacy Policy from time to time.
We will notify you via email and/or a prominent notice on our Application, prior to the change becoming effective and update the ‘effective date’ at the top of this Privacy Policy, but we encourage you to review this Privacy Policy periodically for any changes.
Changes to this Privacy Policy are effective when they are posted on this policy.
14 Contact us
If you have any questions about this Privacy Policy, please contact us at:
collectID AG
Neumarkt 11
8400 Winterthur
Switzerland
info@collectid.io