Effective from August 2, 2021
1. SCOPE OF POLICY
2. DATA CONTROLLER AND CONTACT INFORMATION
2.1. For the purpose of clarity, the data controller is LAB XR LIMITED, registered at Room 1201, Tower A, 39 Ma Tau Wai Road, Hunghom, Hong Kong.
2.2. If you have any questions, requests or suggestions about processing your personal data, feel free to write an email at firstname.lastname@example.org.
3. WHY AND WHAT CATEGORIES OF PERSONAL DATA IS PROCESSED
3.1. We collect and process your personal data for the following purposes:
a) providing the Services to you via the Platform, which mainly means the creation of your Avatar;
b) communicating and providing customer support to you in relation to providing you the Services (which also includes communicating with you as a potential user before providing any Services, if you have so requested);
c) improving the Platform and the Avatar generation quality;
d) providing you information about updates to the Platform and to uses of the Avatar; 2
e) enforcing and defending Our legal rights;
f) complying with legal or regulatory obligations or requests.
3.2. We may collect and process the following personal data:
a) information you give Us (“Submitted Information”): this is information you give Us about you by filling in forms on the Platform, by corresponding with Us (for example, by e-mail), and when you report a problem with the Platform or the Services. If you contact us, We will keep a record of that correspondence. The information you give Us may include your name and e-mail;
b) information We gather via the Platform (“Gathered Information”): this is visual information that is gathered via the forward-facing camera of your device, if you use selfie for creating the Avatar;
c) information from the cookies (“Cookie Information”): this is information We automatically gather via cookies which help to make the use of the Platform as smooth as possible for you and help Us to understand the preferences and needs of the visitors of the Platform. Such information may include your device’s IP address and country, other data about your device (screen resolution, type, operating system, browser type), unique/online/device/client identifiers, actions on the Platform, referring URL and domain, pages visited, date and time when the Platform was accessed.
3.3. We process the following data for the following purposes:
a) for purpose stated above in clause 3.1.a) – Submitted Information, Gathered Information and Cookie Information;
b) for purpose state above in clause 3.1.b) – Submitted Information;
c) for purpose stated above in clause 3.1.c) – Gathered Information and Cookie Information;
d) for purpose stated above in clauses 3.1.d) – only your e-mail;
e) for purpose stated above in clause 3.1.e) – any of the categories of personal data listed above (determined case-by-case according to the legal right We are entitled to execute);
f) for purpose stated above in clause 3.1.f) – any of the categories of personal data listed above (determined case-by-case according to the legal or regulatory obligation or request We are subject to).
3.4. The provision of personal data by you is not a statutory requirement. It is also not a contractual requirement nor a requirement necessary to use the Services where you do not create an account at the Platform (“Account”). This means that you do not have any obligation to give Us your personal data and you can use the Services without giving Us any of your personal data. However, if you want to create the Account, you must provide your e-mail address, this is a contractual requirement and necessary for creating the Account (but creating the Account is voluntary). Also, some functions of the Platform may be limited if personal data is not provided.
4. LEGAL BASIS FOR PROCESSING PERSONAL DATA
4.1. We process your personal data because it is necessary for the fulfilment of a contract concluded between you and Us for providing you the Services (see clauses 3.1.a) and 3.1.b)); or for taking steps at your request prior to entering into a contract (see clause 3.1.b)). In such a case the legal basis for processing data is the contract concluded between you and Us; or you request prior to entering into a contract.
4.2. We also process your personal data to improve the Platform and the Avatar generation quality (see clause 3.1.c)). In this case the legal ground for processing your personal data is your prior consent. If you do not give Us your consent We will not process your personal data for that purpose. You may at any time withdraw your consent by sending a respective notice to Our e-mail at email@example.com. Withdrawal of consent does not affect your right to use the Services and the Platform.
4.3. Furthermore, We process your personal data (i.e. use your e-mail address) for sending you information about updates to the Platform and to uses of the Avatar (see clause 3.1.d)). But We do it only in the case where you have given Us your e-mail address. The legal basis for that is Our legitimate interest to keep you the in loop of any advancements which the Platform may get (e.g. new customization options, etc.), any news about the Platform and any new use cases for the Avatar. You always have the possibility to unsubscribe from such e-mails by clicking on a link which is provided under each e-mail. If you unsubscribe, We will no longer send you such e-mails.
4.4. We also process your personal data for enforcing and defending Our legal rights under legitimate interest pursued by Us (see clause 3.1.e)). It is Our legitimate interest to enforce and defend Our legal rights as We see it necessary.
4.5. Also, We process personal data for complying with legal or regulatory obligations or requests (see clause 3.1.f)) as processing is necessary for compliance with the legal obligations to which We are subject to.
5. DISLOSURE OF PERSONAL DATA
5.1. We will not disclose your personal data to third parties except for the following cases:
a) Cloud-server service provider(s). We transfer data to cloud servers where We store all Our data, for example to Amazon servers in USA (Amazon Web Services, Inc.). The standard contractual clauses established by the European Commission are applied to the transfer and processing of the personal data.
b) Service providers. We transfer data to different service providers who provide Us IT-services, including Platform’s analytics services which help Us to understand users’ needs and to optimise the Services. For example, Hotjar Ltd (registered in Malta, European Union; as a rule, data processed only in the EU); Amplitude, Inc. (registered in US, California; Standard Contractual Clauses adopted by the European Commission are applied to safeguard the data processing); Google Analytics – Google LCC and its affiliates (Standard Contractual Clauses adopted by the European Commission are applied to safeguard the data processing).
c) Other group members. We have the right to disclose your personal information to any member of Our group, which means Our subsidiaries and Our ultimate holding company and its subsidiaries. Such transfer will only be done if it is necessary for the provision of the Services to You.
d) Asset transfer parties. In the event that We sell or buy any business or assets, in which case We will disclose your personal data to the prospective seller or buyer of such business or assets. If LAB XR or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.
e) Legal authorities, institutions and other parties under law. If We are under a duty to disclose or share your personal data in order to comply with any legal or regulatory obligation or request. In order to:
i. investigate potential breaches; or
ii. protect the rights, property or safety of Our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
6. ADDITIONAL INFORMATION YOU SHOULD KNOW ABOUT THIRD PARTIES
6.1. Our Platform may, from time to time, contain links to and from the websites of Our partner networks, advertisers and affiliates (including, but not limited to, websites on which the Platform is advertised).
6.2. If you follow a link to any of these websites, please note that these websites and any services that may be accessible through them have their own privacy policies and that We do not accept any responsibility or liability for these policies or for any personal data that may be collected through these websites or services, such as contact and location data. Please check these policies before you submit any personal data to these websites or use these services.
7. HOW LONG PERSONAL DATA IS STORED
7.1. We only store your personal data as long as it is necessary to fulfil the purpose for which it is processed – once the purpose has ceased, the personal data will be erased or anonymised.
7.2. Your personal data will be stored:
a) if you have registered the Account, then up to 30 days after deletion of the Account or where you do not have the Account, then up to 3 years after the last time We provided the Services to you (e.g. 3 years since you created the Avatar or modified the Avatar, whichever happens later) where We process your personal data regarding the provision of the Services (see clause 3.1.a);
b) if you have registered the Account, then up to 30 days after deletion of the Account or where you do not have the Account, then up to 3 years after the last contact with you, where We processes your personal data regarding communicating and providing customer support (see clause 3.1.b));
d) up to 30 days after deletion of the Account or when you unsubscribe from Our e-mails (whichever happens earlier), where We process your personal data for providing you information about updates to the Platform and to uses of the Avatar (see clause 3.1.d));
e) if you have registered the Account, then up to 3 days after deletion of the Account or where you do not have the Account, then up to 3 years after the last time We provided the Services to you, where We process your personal data regarding enforcing and defending Our legal rights (see clause 3.1.e));
f) if you have registered the Account, then up to 3 days after deletion of the Account or where you do not have the Account, then up to 3 years after the last time We provided the Services to you, where We process your personal data regarding complying with legal or regulatory obligations or requests (see clause 3.1.f)).
7.3. Personal data contained in any accounting documents shall be stored for 7 years from the end of the last financial year they relate to.
8. YOUR RIGHTS
8.1. You have the right to contact Us by writing an e-mail at firstname.lastname@example.org to exercise your rights concerning processing of personal data. Such rights include the:
a) right to request access of personal data;
b) right to request rectification of personal data – if the data We hold about you is inaccurate or incomplete;
c) right to request erasure of personal data – if We do not have a legal reason to continue to process and store it;
d) right to request restriction of processing of personal data;
e) right to object to processing of personal data;
f) right to request portability of personal data, i.e. to obtain and reuse your personal data for your own purposes;
g) right that decisions are not taken concerning you which are based on automated decision-making;
h) right to withdraw a consent at any time;
i) right to lodge a complaint with a supervisory authority (Estonian Data Protection Inspectorate – https://www.aki.ee/en).
9. CHILDREN’S PRIVACY
9.1. You must be at least 16 years old to use this Platform.
9.2. Where any personal data provided by you contain the personal data of children under the age of 16 years, you acknowledge that you must have obtained the consent of the child’s parent or guardian prior to posting or creating such information using the Platform.
9.3. In the event that We learn that your any personal data contains the personal data of a child under the age of 16 years, We reserve the right to remove and delete the information without your consent or prior notice to you. If you believe that any information appearing on the Platform contains the personal data of a child under 16 years, please contact Us at email@example.com.