Privacy Notice

for use of the “Unite in Taste” app

Protecting your personal data is important to us and a special concern. Compliance with legal data protection regulations is standard business practice. Hereinafter, we wish to inform you what personal data we collect during a download and when the app is used, how we use the data and what your rights are in conjunction with your personal data.

 

I. Who is responsible for data processing?

The controller within the meaning of the General Data Protection Regulation and other national data protection laws of the Member States as well as other data protection regulations is:

experimenta gGmbH
Experimenta-Platz
74072 Heilbronn
Tel.: 07131 – 88 795 0
(hereinafter: “we”)

Data Protection Officer
Mirella Eiberger
E-Mail: datenschutz@experimenta.science

 

II. How is my data processed and used when I download and use the app?

When you download our free “Unite in Taste” app (hereinafter: app) from an app store, the required information is transmitted to the app store, specifically user name, email address and customer number of your account, time of the download as well as the device-level ID. This is not information we collect, but is linked to the use relations with the respective app store. We have no influence on the transmission of this data. More information can be found in the privacy policy of the respective app store.

In the following sections, we list in which cases we use your personal data and for what purposes.

a) Data processing when the app is used
As a rule, we use your email address for registration. If you would like to use our mobile app, we process the following data that are necessary technically for us to be able to offer you the functions of our mobile app and guarantee security:

• IP address (not stored permanently )
• Date and time of the request
• Access status/HTTP status code
• The amount of data transferred in each case
• Operating system
• Language and version of the browser software.

We also process data when the app is used:

• Login data with email address, user account
• The device’s software status
• The device’s unique ID from the authentication process
• Anonymous statistics on the user’s behavior in the app

User data (only login data) are stored in the user database (part of the Firebase authentication service). Gaming data is stored in the Firestore database. All information relevant to the game such as e.g., player progress, the in-game wallet status, the in-game objects in the user’s possession, etc.

When the app is used, you also receive current news about new functions or software releases. Personal data provided voluntarily are used to personalize the app.

If you decide not to register, a pseudonym will be used for the account, and no personal data shall be collected.

b) Permissions of the app
The app does not request any permissions.

c) Google Firebase
We use certain Google Firebase services to ensure the functionality of our app. This is a development platform consisting of various products and solutions that app operators can implement to manage and efficiently design their services. We process and store the user’s game scores (avatar appearance, room appearance, score, level progress, quests solved, and account email address, if applicable) in order to continue game progress over multiple game sessions. The provider of the products is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

d) Google Analytics for Firebase
We use the function “Google Analytics for Firebase” as an analysis tool. We use it to process online IDs, IP addresses and device IDs as well as IDs entered by the user. We use this information to analyze the user’s scores (what the avatar looks like, what the room look like). The products’ provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

e) Unity Analytics (Plugins)
We use certain services provided by Unity Analytics to the app user’s gaming behavior. Specifically, it is an analysis plugin consisting of various products and solutions that app operators can use to analyze your game in the app. The product provider is Unity Technologies, USA.

 

III. Legal basis for processing personal data

Your personal data is processed in compliance with the EU General Data Protection Regulation (GDPR). Your personal data is processed to provide the services already displayed within the app in addition to the authentication during the logon to use the app. Data processing takes place either to fulfill a contract point (b) Art. 6 (1) of the GDPR or to protect the legitimate interests point (f) of Article (1) GDPR in the form of our interest in the offering of the corresponding service. We are also partly required by law to store your data pursuant to point (c) of Art. 6 (1) of the GDPR.).

To the extent that we use services provided by Google Firebase, we do so exclusively by using the aforementioned functionalities and for the purposes explicitly stated. The legal basis for this is point (f) of Article 6(1) GDPR since it represents our legitimate interest to be able to provide you with a functioning app. The services are also required to provide you with the corresponding functions and thus allow us to meet our contractual obligations to the extent that you take advantage of our offerings (point (b) Art. 6 (1) GDPR.

We use the tracking tools (Unity Analytics) used in our app exclusively with your consent (point (a) Art. 6 (1) GDRP).

In addition to processing your personal data to provide services, we also process your data – to the extent that the your, the data subject’s, legitimate interests are not overridden – on the basis of our legitimate interest or the interest of a third party. This specifically includes the following processing purposes:

• to establish legal claims and defense of legal disputes,
• to ensure the operation of our IT systems as well as further development of these measures, measures required for business management,
• to prevent and investigate offences,
• to prevent fraud.

IV. Who receives my data?

As a rule, your personal data is not passed on to third parties. Data may be passed on in exceptional cases if necessary for the purpose of fulfillment of the contract if you have expressly consented to or we have a legitimate interest in transmitting the data.

Only those departments within our company are given access to your data which require said data to fulfill our contractual and legal obligations. The service providers we hire within the framework of order processing as well as vicarious agents may receive data for these purposes. These include companies in the categories IT service providers, logistics, print services, telecommunications, debt collection, consulting as well as sales and marketing, among others.

In regard to the passing on of data to recipients outside of our company, it should be noted first of all that we only pass on required personal data in compliance with the regulations on data protection. As a rule, we are only allowed to pass on information about you when legally required to do so, you have consented thereto or we are authorized to disclose said information. Under these circumstances, recipients of personal data e.g., may be:

• public offices or institutions (e.g., fiscal, judicial and law enforcement authorities) in the event of the existence of a legal or official obligation,
• service providers who we hire within the framework of order processing, e.g.,

– K5 Factory GmbH, Konradinstrasse 5, 81543 Munich (developers and maintenance)
– Google europe-west3 with registered offices in Frankfurt

To the extent that we hire external service providers (processors), said providers are carefully selected and pursuant to Art. 28 GDPR are required to comply with all requirements of the Regulation.

We have obligated Google (Firebase Google Analytics for Firebase) to meet the requirements of the Regulation and concluded a contract for the processing of personal data pursuant to Art. 28 GDPR. The information about your use of the functions provided and generated by Google Firebase / Google Analytics for Firebase are generally transmitted to a Google server in Ireland and then to the USA and stored there. Google uses the EU standard contractual clauses for the transmission of data to ensure the transfer to a third country is legitimate.

 

V. Is data transferred to a third country or an international organization?

Data may only be transferred to countries outside of the European Union or Member States (so-called third countries) if mandated by law, you have given your consent or we have commissioned said processing pursuant to Art. 28 GDPR. If service providers in third countries are employed, they shall also be obligated to comply with the level of data protection throughout Europe through the agreement of the EU standard contractual clauses.

The current EU standard contractual clauses can be accessed at: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_de. We have taken additional technical and organizational measures to ensure an adequate level of data protection.

 

VI. How long is my data stored?

We process and store your personal data as long as needed to fulfill the purpose. If the data is no longer required, your data will be deleted, unless deletion of said data is precluded by legal retention obligations or current limitation periods.

 

VII. Data Security

The app is protected by technical and organizational measures against loss, destruction, access, alteration, or unauthorized disclosure by unauthorized persons. For this purpose and to protect the transmission of confidential content, the app uses encryption. Encryption prevents unauthorized third parties from reading data you transmit.

 

VIII. What are my data protection rights?

You have the right to:

• obtain information as to whether or not personal data is being processed pursuant to Article 15 GDPR,
• rectification of inaccurate personal data pursuant to Article 16 GDPR,
• erasure (‘right to be forgotten’) of personal data pursuant to 17 GDPR,
• object pursuant to Article 21 GDPR, You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data which is based on point (e) or (f) of Article 6(1) GDPF. We no longer process the personal data in this case unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms or for the establishment, exercise or defence of legal claims. If you would like to make use of your right to object, send an email to: datenschutz@experimenta.science
• Right to restriction of processing pursuant to Article 18 GDPR,
• Right to data portability pursuant to Article 20 GDPR.

The relevant national restrictions apply to the right of access to personal information as well as to the right of erasure (for Germany Sections 34, 35 of the German Federal Data Protection Act BDSG).

 

IX. To what extent does automated individual decision-making occur?

As a rule, we do not make any decisions based solely on automated processes pursuant to Article 22 GDPR. Should we make a decision in individual cases, we shall inform you hereof where required by law and obtain your consent where appropriate.

 

X. Does profiling occur?

As a rule, we do not do any profiling. Profiling is any type of automated processing of personal data with the aim of analyzing or predicting the performance at work, economic situation, health, personal preferences or interests, reliability, behavior, location or movements of a natural person. Only data that has been rendered anonymous is analyzed. If you apply pseudonymization to personal data in individual cases, you will be informed separately where required by law and obtain your consent where appropriate.

 

XI. Can I revoke my consent once given?

To the extent that we process your data based on your consent, you have the right to revoke your consent at any time. Your data will then no longer be processed for the purposes to which you gave your consent. Please note that the lawfulness of the data processing granted before revoking your consent is not affected by said revocation. If you would like to make use of your right to revocation, send an email to: datenschutz@experimenta.science

 

XII. No obligation to provide personal data

There is no legal or contractual obligation to provide personal data. To logon, users must enter an email address, Apple ID, Facebook ID or Google ID. However, you are not obligated to provide personal data. It is admissible to use the app with an account under a pseudonym, in which case no personal data is processed.

 

XIII. Right of complaint to a supervisory authorityde

If you consider the processing of your personal data an infringement to current legislation, you may lodge a complaint with the supervisory authority at any time pursuant to Article 77 GDPR. This applies without prejudice to any administrative or judicial remedy. The competent supervisory authority responsible for us can be reached at:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Postfach 10 29 32, 70025 Stuttgart
Königstraße 10a, 70173 Stuttgart
Tel.: 0711/61 55 41 – 0
Fax: 0711/61 55 41 – 15
E-Mail: poststelle@lfdi.bwl.de
Internet: https://www.baden-wuerttemberg.datenschutz.de

Status: March 2022