Privacy Policy and GDPR Compliance Statement

1. Summary of purpose of data processing and key principles of data collection and storage
Authentic Vision offers a security solution to combat product counterfeiting and fraud. AV’s tamper-proof labels enable users (as data subjects) to verify the authenticity of a costumer’s product via app scan. Therefore, technical information needs to be processed by AV and must be made available to AV’s customers to provide verification functionality and the authenticity of scanned labels.

Our key principles:

• AV will process all data fairly and lawfully;
• AV will only process data for specified and lawful purposes;
• AV will not keep any data for longer than necessary;
• AV will keep all data secure, and all data is stored on ISO 27001 certified servers located within the European Economic Area (EEA) with back-up nodes to reduce latency of scans outside of the EEA in accordance with applicable privacy laws; and
• AV will ensure that data is not transferred to countries outside the country in which it is collected without adequate protection in accordance with applicable privacy laws.

2. Who is the controller of personal data?
Authentic Vision GmbH is the controller of personal data processed through its authentication application on supported handheld mobile devices. Relevant contact details are specified above. The customer is an independent controller for any further processing of personal data made available by AV via web portal or in the form of a written report.

3. What kind of data is collected?
The data collected includes date and time of use, installation ID, device manufacturer and model, the authentication result, the IP address, and related performance telemetry data. In addition, the app collects an approximate geographic location (derived from the IP address). The function of this personal information collection is to geolocate tamper and fraud attempts.

The user may give consent to provide the exact geolocation via GPS. This data will be processed if the consent is given voluntarily.

No additional data will be collected without the users consent.

If the user chooses to provide feedback or report counterfeit products or services, the user may choose to provide their contact details (e.g. e-mail address) to AV. If the user provides contact details, these may be used by AV and its customers (licensees) for the purposes of providing feedback or a response to the user.

4. What is the legal basis for the collection of data?
The collection of data is based on the contract between the user and AV. AV operates a secure web portal for its business customers and licensees which shows the geographic location where products with AV labels have been scanned and the result of such scans. AV may also aggregate the data specified above (pseudonymization).

Without the provision of personal data (IP address, geographic location is collected as part of a broader data set which may include: date and time of use; installation ID; device manufacturer and model; the authentication result and related performance telemetry data) a contract cannot be fulfilled between the user and AV and authenticity cannot be verified. Therefore, the legal basis for data collection is Art 6 (1) b GDPR.

The legal basis for exact geolocation processing via GPS is the users freely given consent under Art 6 (1) a GDPR. The user has the right to withdraw consent at any time directly in the app. The same process to withdraw as with to give consent applies under the provisions of Art 7 (3) GDPR.

If the user chooses to provide feedback or report counterfeit products or services, the user may provide their contact details to AV and AV will process data made available by the user in order to fulfill the user request under Art 6 (1) b GDPR for the purposes of providing feedback or a response to the user.

Furthermore, AV may use the data in legitimate interests under Art 6 (1) f GDPR pursued by AV, namely for advertising services, to optimize the user experience, fix errors and improve usability and effectiveness of the services provided. The data may be used for provision of authentication and anti-counterfeiting services and marketing (consumer and business) purposes.

AV may update the use of user data and will ask for user consent under Art 6 (1) a GDPR to any changes regarding how user data is processed.

In case of applicable law, AV may be required to share data with government agencies, regulatory bodies and law enforcement authorities under Art 6 (1) c GDPR. AV will share these data in accordance with applicable privacy laws.

5. How long will the data be stored for?
The data is stored as long as necessary to provide our service to customers in accordance with mandatory law. The IP address and geolocation will be stored for 30 days. Other data made available to AV by users will be stored for the necessary period to fulfill the purpose of data processing. The criteria used for the storage period are selected carefully to ensure alignment with the principle of data minimization.

6. Recipients of personal data
AV shares the geolocation with the customer of the verified label (licensee) to guarantee a functioning process under Art 6 (1) b and – if the customer is located in a third country – under Art 49 (1) b GDPR. The customer is an independent controller for any further processing of personal data that is made available by AV via web portal or in form of a written report.

AV may share data with its authorized processors for processing on its behalf, which is applicable especially for storage. For storage, AV uses for example the services of Hetzner and AWS (Amazon Web Services). AV only uses processors providing sufficient guarantees in regard to technical security measures and organizational measures governing the performed processing and will ensure compliance with those measures. AV will ensure that the processing is governed by a contract requiring the processor to only act in accordance with AV’s instructions and in compliance with data protection and privacy laws.

The data collected may be shared with third-party customers and licensees for the purpose of anti-counterfeiting and marketing (consumer and business) or to government agencies, regulatory bodies, and law enforcement authorities. All data processed by such third-parties shall be in accordance with applicable data protection and privacy laws.

AV may include links to third-party services in the app. The use of such third-party services and how data is processed by such third-parties is regulated by the privacy notice of such third parties. All licensees (customers) of AV utilize their own infrastructure and web servers for marketing campaigns, product registration, and cross-selling. AV licensees are independent controllers and such activities are subject to the terms and conditions of the relevant AV licensee. AV may use third-party services for incident reporting and push notification services.

Additionally, these third-party tools may collect and process certain data. We recommend reviewing the privacy policies of these third-party providers for more information on their data handling practices.

7. Are children allowed to use AV services?
AV does not intend to provide services to children. If you are under 18 or under the age of majority, you may use AV’s services only under supervision of a parent or guardian.

8. How does AV secure personal data?
AV secures personal information during transmission through Transport Layer Security (TLS/SSL), which encrypts user-supplied information. It is important for users to take measures to protect against unauthorized access to their own passwords and to their computers, devices, and applications.

9. What rights does the data subject have?
At all times, AV guarantees the following individuals rights:

• the right of access;
• the right to rectification;
• the right to erasure;
• the right to restrict processing;
• the right to data portability;
• the right to object and withdraw consent; and
• rights in relation to automated decision-making and profiling.

10. Which third-party SDKs and APIs are used?
AV uses the following SDKs and APIs:
SDK name: sentry.io
SDK function: Error tracking and application performance monitoring (https://sentry.io/)
Data collected: This SDK collects errors and device information.
License: The MIT License (https://open.sentry.io/licensing/)

11. How can the user raise a complaint?
If you have any concerns about privacy at AV, or you want to withdraw your consent, please contact us at privacy@authenticvision.com and we will resolve the issue for you.

You can file a complaint with our principal supervisory authority, the Austrian Data Protection Agency (DSB), Barichgasse 40-42, 1030 Wien, Austria or with the applicable local data protection authority.

What about Cookies?
AV may use cookies to enable our systems to recognize your browser or device and to provide the AV authentication service to you. For the website to function and information be presented properly, technically essential cookies are enabled. The legal provisions for the use are Art 6 (1) b GDPR and § 165 (3) TKG 2021.

Our website utilizes third-party plugins and scripts to enhance functionality and gather statistical information.

These plugins and scripts include:

• Google reCaptcha (https://policies.google.com/privacy?hl=en-US)
• Jotforms (https://www.jotform.com/privacy/)
• Google Tag Manager (https://policies.google.com/privacy?hl=en-US)
• Google Analytics (https://policies.google.com/privacy?hl=en-US)
• • Microsoft Clarity (https://clarity.microsoft.com/privacy)

Additionally, these third-party tools may collect and process certain data. We recommend reviewing the privacy policies of these third-party providers for more information on their data handling practices. Please note that your use of our website may be subject to the privacy policies of these third-party providers.

Your consent is required to lawfully process non-essential cookies under Art 6 (1) a GDPR and § 165 (3) TKG 2021. Also, your explicit consent is required for the possible data transfer in third countries such as the USA, which is located outside the EEA area without a corresponding adequacy decision and without suitable guarantees, and is therefore not classified as a safe third country.

What about our contact form?
If you enter data into our contact form or contact us via mail, e-mail or phone, AV will process the data made available by the user in order to fulfill the users request under Art 6 (1) b GDPR for the purposes of providing feedback or a response to the request.