1. Scope of application
This Privacy Policy applies to all data processing activities that take place while using the SmartStamp App and are related to personal data.
2. Responsible Party
The responsible party within the meaning of the data protection regulations is:
SmartStamp AG, Rothausstrasse 1, 8280 Kreuzlingen, Switzerland CHE-152.040.728, Commercial Register Thurgau CH-440 – 3041442 7
Phone +41763472200
Mail: privacy@smartstamp.com
3. Overview
The protection of your personal data when using our app is important to us. The following is an overview of the legal basis of which we process personal data. As a Swiss entity, SmartStamp is subject to the Swiss Federal Data Protection Act (hereinafter “FADP”). Additionally, if EU/EEC citizens are affected, the European Regulation (EU) 2016⁄679, the General Data Protection Regulation (hereinafter “GDPR”) would be applicable.
With the following data protection declaration, we inform you in particular about the type, scope, purpose, duration and legal basis of the processing of personal data, insofar as we decide either alone or jointly with others on the purposes and means of processing. In addition, we inform you below about the third-party components we use for optimization purposes and to increase the quality of use, insofar as third parties process data under their own responsibility.
4. Amendments of this Privacy Policy
SmartStamp reserves the right to amend this Privacy Policy from time to time in order to comply with changed legal requirements or to implement new features in the Privacy Policy. The current Privacy Policy is always linked in the SmartStamp App.
5. Contacting us
Users have the option of contacting us via an online contact form or via email. The personal data provided to us for this purpose (e.g. name, address, telephone number or email address) are used exclusively for processing the contact requests of the users. The data will not be passed on to third parties or published.
The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. This is the case when the processing of the respective request has been completed, i.e. when it is clear from the circumstances that the matter in question has been conclusively clarified.
You may at any time revoke your consent to the processing of your personal data and object to the storage of the personal data that you have transmitted to us. In this case, the conversation cannot be continued. For this purpose, users can contact the contact addresses provided by us. All personal data stored in the course of contacting us will then be deleted.
We would like to point out that the confidentiality of emails or other electronic forms of communication on the Internet cannot be guaranteed. For confidential information we recommend the postal service.
6. Collection of personal data when using the app
Personal data of users is collected and used only to the extent necessary to provide a functional app and our content and services.
Every use of our app and every retrieval of a file stored in the app are logged.
Logged are: Name of the retrieved file, date and time of retrieval, amount of data transferred, notification of successful retrieval, app identifier and requesting domain. The registration of accesses is done for reasons of data security and to ensure the stability and operational security of our system and to protect against possible attacks from the outside. In addition, the data is statistically evaluated for the optimization of the offer. Based on the logged data, it is not possible to trace which content you have accessed or which files you have retrieved.
The temporary collection of the data is necessary to enable delivery of the content to the end devices and to ensure their playback. A combination of this data with other data sources does not take place.
The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected.
The collection of data for the provision of the app and its storage is absolutely necessary for the operation of the offer, so that there is no possibility of objection on the part of the users.
User-provided information:
- Account details required for authentication and use of the app
- User info (email, phone number, user profile picture)
- Any artworks or creative content the user chooses to save in the app
- Such data is stored in Cloud Firestore and/or Cloud Storage until the user requests deletion
- Where applicable, blockchain-related hashes cannot be deleted from the blockchain once recorded but associated off-chain data can be removed upon request
- Artwork pictures
- Device information (OS version, model, app version)
- User preferences (saved on the phone storage, inaccessible to us, favorite language, favorite currency etc.)
7. Disclosure of data to third parties
7.1 Google
We use various services provided by Google. Depending on the state in which users are located, the data controller is:
Google Ireland Limited Gordon House, Barrow Street Dublin 4th Ireland for users of Google services who are habitually resident in the European Economic Area or Switzerland, or
Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA for users of Google services who have their habitual residence in other countries.
Google provides further information at https://policies.google.com/privacy
as well as https://firebase.google.com/support/privacy
We use the following services:
• Cloud Functions for Firebase
• Firebase Authentication
• Firebase App Check
• Firebase Crashlytics
• Firebase Remote Config
• Google Analytics for Firebase
• Cloud Storage for Firebase
• Cloud Firestore (Google Cloud Platform Product)
Firebase is a database that can be used to embed realtime information into your own online offering. In this process, user data is transmitted anonymously to Firebase. This service records your user behavior within our apps.
Firebase Crashlytics is a simple realtime crash reporter that allows you to track, prioritize and fix stability issues that affect the quality of your app. Crashlytics saves you time in troubleshooting by intelligently grouping crashes and highlighting the circumstances that led to them.
Firebase Authentication is used to simplify the login and authentication process. To do this, Firebase Authentication can use thirdparty identity services and store the information on its platform. Personal data collected: Email, username, password.
Google Analytics may share data with other tools provided by Firebase, such as Crash Reporting, Authentication, Remote Config or Notifications. This application uses mobile device identifiers and cookielike technologies to run the Google Analytics for Firebase service.
Cloud Storage for Firebase is a storage service we use to store files you upload using the app, such as photos.
Cloud Firestore is a service we use to store information you upload through the App, such as object descriptions.
A more detailed description of the services is available at
https://firebase.google.com/
Users can opt out of certain Firebase features through the appropriate mobile device settings, such as mobile advertising settings:
For Android: Settings > Google > Ads > Reset Ad ID.
For iOS: Settings > Privacy > Advertising > No ad tracking.
Personal data collected:
- Unique device identifier for advertising (Google advertising ID or IDFA);
- Usage data.
We use servers located within the EU whenever possible. However, it cannot be ruled out that data may also be transferred to the USA.
We have concluded an data processing agreement with Google (Art. 28 GDPR). https://firebase.google.com/terms/data-processing-terms
The security of the data transfer is ensured as the contract contains standard contractual clauses in accordance with Art. 46 (2) lit. c GDPR, which have been adopted by the EU Commission.
The legal basis is Art. 6 Sec. 1 lit. f) GDPR. Our legitimate interest lies in the optimization and economic operation of our services.
7.2 Postmark
For communication with the customer (such as mailing) we use the product Postmark of the service provider Wildbit LLC, 225 Chestnut St., Philadelphia, PA, 19106 USA.
Data is stored for 45 days by Postmark and then deleted.
More information:
https://postmarkapp.com/eu-privacy#security-and-privacy
This is based on an order processing contract (Art. 28 GDPR). Within this framework, we pass on name, email address, gender, login data and contract data to Wildbit LLC.
The security of the data transfer is ensured as the contract contains standard contractual clauses according to Art. 46 (2) lit. c GDPR, which have been adopted by the EU Commission.
The legal basis is Art. 31 Abs. 2 lit. a FADP / Art. 6 (1) lit. b GDPR, as the use is necessary for the performance of the contract with our customers.
7.3 PXL Vision Service
We use PXL Vision Service for verification of identity, age, and electronic signatures.
PXL Vision AG, Rautistrasse 33, 8047 Zürich
In case you are an artist and want to use SmartStamp as an agency for your works of art, we require passport data to ensure that you are indeed the person you claim to be. The data stored will be first name, last name, date of birth. The duration is limited to as long as you assign SmartStamp as you agent.
In case you are customer and want to use SmartStamp as an agency to buy works of art, we require passport data to ensure that you are indeed the person you claim to be. The data stored will be first name, last name, date of birth. The duration is limited to as long as the respective transactions are fulfilled.The legal basis is the fulfillment of the contractual relationship in accordance with Art. 31 Sec. 2 lit. a FADP / Art. 6 Sec. 1) lit. b) GDPR.
7.4 HubSpot
We will link our Firebase analytics to our CRM HubSpot. HubSpot is an AI-powered customer platform designed to manage and optimize customer relationships of businesses. It combines CRM with hubs for sales, marketing, service, content, commerce, and data.
HubSpot, Inc., 25 First Street, Cambridge, MA 02141, United States
We have concluded a data processing agreement with HubSpot (Art. 28 GDPR).
https://legal.hubspot.com/dpa
The legal basis is Art. 31 Sec. 2 lit. a DSG / Art. 6 Sec. 1 lit. f) GDPR. Our legitimate interest lies in the optimization and economic operation of our services.
8. Duration
Your personal data will be stored by us until the contractual relationship is finally terminated, no further mutual claims can arise from it and the statutory retention periods have also expired.
Personal data that we process in the performance of our duties in the public interest or on the basis of justified corporate interests will be stored until the purpose has been fulfilled or the task has been completed and documentation is no longer required, in particular for any evidentiary purposes for the protection of rights or legal prosecution.
9. Collection of data from third parties
Principally, SmartStamp does not collect from third parties any personal data that is transmitted by the user when using the SmartStamp App and that is then processed and stored on the SmartStamp servers.
10. Data Security
In addition to using state-of-the-art encryption methods, SmartStamp takes all necessary technical and organizational measures to prevent unauthorized access and misuse of data of users of the SmartStamp App. The security measures are continuously improved in line with technological developments.
11. Control options of the user
In addition to the legal claims of data protection law (see Section 11), SmartStamp provides users the following control options over their personal data:
From the homepage, tap the profile icon in the top-right corner. On the page that opens, select the “Profile Information” tile. Edit the relevant text fields, then press Save to confirm your changes.
The user may correct or complete their telephone number and/or email address in the SmartStamp App under “My Profile.”
12. Rights of users
As data subjects, users of the SmartStamp App can assert various claims under data protection law against SmartStamp.
Depending on the applicable law, data subjects may exercise the following rights in relation to personal data against SmartStamp:
12.1 Right to information
Art. 25 and 26 FADP [for EU/EEA: Art. 15 GDPR]
Confirmation of whether data concerning them is being processed, information about the processed data, further information about the data processing and copies of the data;
12.2 Right to correction or completion
Art. 32 Sec. 2 FADP [for EU/EEA: Art. 16 GDPR]
Correction or completion of incorrect or incomplete data without undue delay;
12.3 Right to deletion
Art. 32 Sec. 2 FADP [for EU/EEA: Art. 17, 18 GDPR]
Immediate erasure of the data concerning you, or, alternatively, insofar as further processing is necessary, restriction of processing;
12.4 Right to data transfer
Art. 28 and 29 FADP [for EU/EEA: Art. 20 GDPR] [only for data processing based on consent or a contract and with the aid of automated procedures]
To receive the data concerning them and provided by them and to transfer this data to other providers/controllers;
12.5 Right to file a complaint
[for EU/EEA: Art. 77 GDPR]
To file a complaint with the supervisory authority if they are of the opinion that the data concerning them is being processed by the provider in breach of data protection regulations;
12.6 Right to objection
Users have the right to object to the future processing of data concerning where such personal data is processed based on SmartStamp’s overriding private interests; Art. 31 FADP [for EU/EEA: Art. 6 Sec. 1 lit. f GDPR]; only for data processing based on legitimate interests; Art. 30 Sec. 2 FADP [for EU/EEA: Art. 21 GDPR]
12.7 Right to withdrawal of consent
A data subject has the right to withdraw their consent to the processing of their personal data by SmartStamp. This has the consequence that SmartStamp may no longer
continue the data processing based on this consent. The processing of the user’s personal data by SmartStamp up to this point in time on the basis of the user’s consent remains lawful; only for data processing based on consent; Art. 30 Sec. 2 FADP [for EU/EEA: Art. 7 Sec. 3 GDPR]
12.8 Right to blocking
Art. 32 FADP [for EU/EEA: Art. 18 GDPR]
For the protection of their personality, a data subject has the right to request that SmartStamp blocks the processing of their personal data;