EYEWARE BEAM SOLUTION | Privacy Notice

  1. Introduction

We recognize the importance of your privacy and of transparency in our processing of your personal data.

At Eyeware Tech SA (we, our or Eyeware), we recognize the importance of your privacy and of transparency in our processing of your personal data.

This privacy notice (Privacy Notice) informs you on the personal data we collect and process in connection with the provision of our Beam Solution (the Beam Solution) and/or the services provided through the Beam Solution (together with the Beam Solution, our Services).

By accessing and using our Services, you expressly acknowledge that we may collect and process your personal data in accordance with this Privacy Notice.

This Privacy Notice is incorporated into and forms an integral part of our terms of use [https://beam.eyeware.tech/license.html] for the Beam Solution (ToU). All capitalized terms not defined in this document have the meaning given to them in the ToU.

  1. Short Version

The following is a brief summary of (but not a replacement for) this Privacy Notice:

  • Eyeware Tech SA is responsible for the processing, as controller, of your personal data. This Privacy Notice, however, only applies to our activities, and not to those of third party providers (even if we link to their services or if they integrate the Beam Solution with their own applications) (see sections 3 and 8);
  • As part of our operation of the Services, we may access and/or collect personal data which is provided to us by you, or which we collect automatically when you interact with the Services.
  • We process such personal data in compliance with Swiss laws and other laws applicable to us, mainly for the purpose of providing our Services (see section 4).
  • In particular, to provide you with the Services, we compute in real-time head, face, and eye tracking data (Tracking Data) using your device’s camera. While doing so, we do not record or store your video recordings. If you integrate our technology with your own content (such as a video), we will also not record or access such content (see sections 4 and 10);
  • We may also process your personal data to communicate with you, send our newsletter, analyze and improve the use of our Services, comply with our legal obligations, and for the other legitimate purposes indicated in this Privacy Notice (see section 7, as well as sections 5 and 6);
  • Your personal data is stored in Switzerland and/or in the E.U. We do not share it with third parties or transfer it abroad, unless this is both necessary for the operation of our Services and permitted by applicable laws. This may for instance be the case when we use service providers or must interact with third parties to conduct our professional activities (see sections 8 and 9);
  • We do not store your personal data in a form permitting your identification for longer than necessary for us to fulfill the purposes set out in this Privacy Notice. Furthermore, we do not store at all the videos recordings captured by your cameras (we only process the live feeds to generate the Tracking Data) (see section 10);
  • We apply security measures and strive to protect your personal data. However, no IT infrastructure is completely secure, and we cannot guarantee that our is (see section 11);
  • You may contact us ([email protected]) to exercise your rights pertaining to your personal data (see sections 13 and 14).
  1. Who is responsible for the processing of your personal data

Eyeware Tech SA, Rue Marconi 19, 1920 Martigny, Switzerland, is responsible for the processing, as controller, of your personal data. You will find our contact details below in Section 14.

This Privacy Notice only applies to processing undertaken by or on behalf of us. Whilst we may provide links to third party websites, contents, or services, we are not responsible for their policies in relation to personal data. In such circumstances, the collection and use of your personal data are governed by the privacy policy of those third-party providers, which you should carefully review to learn more about their personal data processing practices.

We believe that the Beam Solution should be wildly available. To this end, we provide tools to developers and third service providers (our Partners) enabling them to integrate our eye tracking technology in their own products. When doing so (and subject to their acceptance of our SDK licensing terms [https://beam.eyeware.tech/sdk-license.html]; more on this in Section 8), the Partners can access the Tracking Data (head pose, gaze coordinates) and create their own interactive applications.

If you are a user or customer of any of our Partners (a User-of-a-Partner), please read the following: this Privacy Notice does not address how our Partners collect and use your personal data. If you would like to make any requests or queries regarding your personal data, please contact such Partner(s) directly. For example, if you wish to request to access, correct, amend, or delete inaccurate personal data that was originally collected by one of our Partners, please direct your query to the relevant Partner.

  1. Personal data collection

We collect the personal data that you provide to us.

We collect the personal data that you provide to us when using our Services, for example when you communicate with us, through web forms you fill, or when you subscribe to our newsletter.

It is mandatory that you complete the data fields identified by an asterisk. If one or more mandatory data fields are not completed, we will not be able to provide access to our Services. You are not required to complete the optional data fields in order to access our Services.

We collect head and eye tracking data in real-time, without storing any video recordings, and without collecting any other personal information during this process.

When you use the Beam Solution, using the camera feed on your device, the Beam Solution automatically computes your head and face pose, as well as gaze coordinates (Tracking Data). The computation occurs in real time and is done directly on your device. The videos recorded with your camera are not transferred to our services and we neither record nor store them.

We only collect the output of this computation (the Tracking Data), which is necessary to provide our technology (and the services of our Partners). We do not store Tracking Data in a manner which permits us to identify you, and do not link it to other information about you.

We do not collect your content, such as video streams.

You can integrate our eye tracking technology with your own content, such as video streams.

As a rule, we do not store or process your content.

The only exceptions to this rule concern optional services you may request, which require access to your content. In such cases, we will inform you in advance about your processing activities.

Certain personal data are also collected in an automated manner.

We also automatically collect logs and analytics data about your activities, as further described in this Privacy Notice. You may define certain authorizations relating to the automatic collection of your personal data when you configure your device according to available functionalities.

  1. How we process your personal data

We process your personal data by automated means for the purposes indicated in this Privacy Notice and in accordance with applicable law.

We process your personal data in compliance with applicable law, in particular Swiss data protection laws and, to the extent they apply to us, other data protection legislations, such as the EU General Data Protection Regulation (GDPR) or its equivalent in the United Kingdom, using computers or computer tools, in line with the purposes set out in this Privacy Notice.

We do not process your personal data to create a profile about you (profiling). We also do not make decisions exclusively on the basis of an automated processing which has legal effects on the data subjects or affect them significantly (automated individual decision).

We may combine your personal data with other information (aggregate) or erase any information that allows us to identify you (anonymize), so that it is no longer considered personal data under applicable data protection law, in which case this Privacy Notice will no longer apply, and we may use such data for purposes not contemplated by this Privacy Notice (e.g. for benchmarking or analytics purposes, or to develop and market new services). You may object to the anonymization or aggregation of your personal data for this purpose at any time (see section 13 below for additional information on your rights).

We take the technical and organizational appropriate security measures to prevent unauthorized access, disclosure, modification, alteration, or destruction of your personal data, as specified in Section 11 below.

  1. On which legal ground do we process your personal data

We process your personal data only if we have a valid legal ground to do so.

We will only process your personal data if we have a valid legal ground for doing so. Depending on the processing activity carried out, we will therefore only process your personal data if:

  • The processing is necessary to fulfill our contractual obligations to you or to take pre-contractual steps at your request (Contractual Necessity);

This is the case in particular when processing your personal data is strictly required to provide you with the Services, as further specified in section 7 below. When the GDPR applies, Contractual Necessity is based on Article 6(1)(b) GDPR;

  • The processing is necessary for the fulfillment of our legitimate interests, and only to the extent that your interests or fundamental rights and freedoms do not require us to refrain from processing (Legitimate Interest);

Our Legitimate Interests include in particular (i) ensuring that our Services are provided in an efficient and secure way (e.g. through internal analysis of the Services’ stability and security, updates and troubleshooting, as well as support services); (ii) improving and developing the Services (including monitoring the use of our Services, and for statistical purposes); (iii) benefiting from cost-effective services (e.g. we may opt to use certain services offered by suppliers rather than undertaking the activity ourselves); and (iv) achieving our corporate goals. When the GDPR applies, Legitimate Interest is based on Article 6(1)(f) GDPR;

  • We have obtained your prior consent in a clear and unambiguous manner (Consent);

When the GDPR applies, Consent is based on Article 6(1)(a) GDPR;

  • The processing is necessary to comply with our legal or regulatory obligations (Legal Obligation);

Finally, we will process your personal data if we are required by law to do so, as further specified in section 7 below. When the GDPR applies, Legal Obligation is based on Article 6(1)(c) GDPR.

  1. Purposes for which we process your personal data?

We process your personal data for legitimate and clearly identified purposes:

Your personal data is collected and processed for the purpose of operating the Services and for the other legitimate purposes explicitly specified below, only to the extent relevant to achieve these purposes, and is not further processed in a manner that is incompatible with them.

We process your personal data for the following purposes:

To operate the Beam Solution and provide the related Services.

We mainly process your personal data to provide the Services, based on our Contractual Necessity to do so, including for interacting with you, providing you with the requested Services, as well as for customer and user management purposes.

In addition to the personal data which you provide when interacting with the Beam Solution, and the Tracking Data we collect using your device camera (see section 4 for additional information on this), we automatically collect technical information about your interactions with the Services, such as the local IP address, the content that was accessed, the date and time of access, information about your device type and operating system, your preferences, or other information related to your interaction with the Beam Solution, including your navigation details on the Beam Solution. We process this data to establish a connection with your device over the internet, to evaluate the use of the Beam Solution and to manage its stability and security, based on our Legitimate Interest to do so.

To contact you and respond to your queries, and enable you to interact with other users.

You have the option of contacting us via the Beam Solution by email. In this context, we process the data which you provide to us (including your contact information and the subject-matter of the request). This data is used for the purpose of providing you with the requested information and services, based on our Contractual Necessity.

You may also opt to use the services of third parties through our Beam Solution, such as Discord, in order to interact with other users. In such case, the privacy statements of those providers are applicable.

To send you our newsletter and other advertising information.

If you subscribe to our newsletter, we will collect your contact details (name and email address) and use it to provide you with our newsletter, based on your Consent. You may unsubscribe from the newsletter service at any time, in which case your contact details will be deleted.

We process the time of registration and your opt-in confirmation based on our Legal Obligation to demonstrate compliance. We also analyze your use of our newsletter, e.g. whether you have opened it or clicked on certain links, and process this data to optimize and improve our newsletter, based on our Legitimate Interest.

We use the third party services of Mailchimp to provide our newsletter service, which will have access to your login data in order to provide you with the service. Its privacy statements is applicable in connection with this, which you will find here: https://mailchimp.com/legal/privacy/.

Independently from your subscription to our newsletter, we may also contact you by email to inform you about our activities if you have previously subscribed for the use of our Services, if you have not objected to the corresponding use of your email address. You can object to the use of your email address for this purpose at any time by contacting us (see contact detail in section 14). The legal basis for the corresponding processing of your data is our Legitimate Interest to advertise certain sales offers and activities relating to our previous interactions with you.

For internal analysis and statistical purposes in order to improve our Services.

Unless you object to such processing, we may process your personal data, in particular data relating to your use of our Services and your preferences (e.g. the content you accessed, date and time of access and your preferences), for internal analysis and statistical purposes, in order to better understand the needs of our users, to optimize their experience, and in general to improve the ergonomics and functionality of our Services. You may object to such processing activities at any time (see section 13 below for additional information on your rights).

We do not link this information to you or your account. We use analytics tools provided by known market providers – such as the standard statistical tool of Apple, Google Analytics, Mixpanel, Survicate, and Firebase – which provide to us only aggregated or anonymized, non-identifiable data. The privacy policy of those service providers is applicable in this context. You will find information on their privacy practices and how to opt out of their analytics cookies by clicking on the following links: Apple Inc, Google Analytics, Firebase, Mixpanel, Survicate.

To comply with our other Legal Obligations or for other Legitimate Interests.

We may further process your personal data if we have a Legal Obligation to do so or for other Legitimate Interests. This will for instance be the case if we need to disclose certain information to public authorities or retain such information for tax or accounting purposes, or for the establishment, exercise or defense of legal claims.

The personal data that we process for this purpose are those that we collected for one of the purposes indicated elsewhere in this section 7. We retain the personal data for the duration of the legal obligation imposed on us.

If we have obtained your consent.

In addition to the above, we may process your personal data if we have obtained your prior unambiguous consent for specific purposes. Consent given can be withdrawn at any time, but this does not affect data processed prior to withdrawal.

  1. The circumstances in which we share your personal data with third parties

We may share your personal data with third parties if this is necessary for the operation of our Services, if there is a legal obligation or permission to do so, or if there is another valid reason to do so.

We may transfer your personal data to third party service providers in connection with the operation of the Services and with subcontractors such as IT service providers, cloud service providers, database providers, automated marketing solutions providers and consultants, including Apple Inc, Google Analytics, Firebase, Mixpanel, and Survicate. Detailed information on these providers can be found in the previous section.

Prior to transferring personal data to these providers, we make sure to have in place the contractual documentation in place to ensure that they will provide an equal protection of users’ personal data as stated in this Privacy Notice.

We may share your Tracking Data with Partners if you are using our technology with their Services.

As indicated in section 3, if you interact with the Beam Solution through the application of a Partner, that Partner will have access to your Tracking Data and process it in accordance with its own privacy practices.

For clarity, Partners only have access to the Tracking Data and not to your video recordings (for more information on this, see Section 4). To access the Tracking Data, Partners must agree to our SDK licensing terms, which require them in section 4.2 to:

  • provide sufficient information to users;
  • obtain the users’ prior explicit and freely given consent prior to using their data;
  • ensure the security of such data; and
  • comply with any applicable privacy law.

We may also disclose your personal data to third parties where we have a legal obligation to do so or a legitimate interest in doing so.

We may also disclose your personal data where we have a legitimate interest in doing so, for example (i) to respond to a request from a judicial authority or in accordance with a legal obligation; (ii) to bring or defend against a claim or lawsuit; or (iii) in the context of restructuring, in particular if we transfer our assets to another company.

  1. International Transfers

Your personal data may be disclosed outside of Switzerland and the European Union, including to countries that do not guarantee the same level of data protection and privacy as Switzerland and the European Union.

The personal data that we collect from you may be stored and processed in Switzerland and the European Union, or transferred to, stored at or otherwise processed elsewhere, including in the U.S., or any other country which may not necessarily offer an adequate level of data protection as recognized by Switzerland and/or the European Union. In such cases, we will ensure that suitable safeguards are in place, in accordance with applicable data protection laws, for instance by relying on standard contractual clauses adopted by the European Commission.

If you transmit information and data to us, you are expressly deemed to consent to such data transfers. You may request additional information in this regard and obtain a copy of the relevant safeguards upon request by sending a request to the contact address indicated in section 14 below.

  1. How long we store your personal data?

Your personal data will not be stored longer than necessary. 

We will erase or anonymize personal data as soon as it is no longer necessary for us to fulfill the purposes set out in section 7 of this Privacy Notice. This period varies, depending on the type of data concerned and the applicable legal requirements. As a rule:

  • As described in Section 4, we do not store videos recordings captured by your cameras (we only process the live feeds).
  • Tracking Data generated through the Beam Solutions is immediately anonymized (meaning that the data cannot be linked to you).
  • Your account information is retained for as long as your account is active. If you delete your user account, your account information will be deleted or anonymized immediately after such event, unless data must be retained for a valid reason (such as evidentiary or tax purposes);
  • Log files are as a rule automatically deleted or anonymized within 30 days of their collection, unless we must retain them for a valid reason.
  1. Security

We maintain physical, technical and procedural safeguards to keep secure your personal data.

We are committed to the security of your personal data, and have in place physical, administrative and technical measures designed to keep secure your personal data and to prevent unauthorized access to it. We restrict access to your personal data to those persons who need to know it for the purpose described in this Privacy Notice. In addition, we use standard security protocols and mechanisms to exchange the transmission of sensitive data. When you enter sensitive information on our Beam Solution, we encrypt it using Transport Layer Security (TLS) technology.

Although we take appropriate steps to protect your personal data, no IT infrastructure is completely secure. Therefore, we cannot guarantee that data you provide to us is safe and protected from all unauthorized third-party access and theft. We waive any liability in this respect.

The internet is a global environment. As a result, by sending information to us electronically, such data may be transferred internationally over the internet depending upon your location. Internet is not a secure environment and this Privacy Notice applies to our use of your personal data once it is under our control only. Given the inherent nature of the internet, all internet transmissions are done at your own risk.

If we have reasonable reasons to believe that your personal data have been acquired by an unauthorized person, and applicable law requires notification, we will promptly notify you of the breach by email (if we have it) and/or by any other channel of communication (including by posting a notice on the Beam Solution).

  1. How we use cookies or other analytical tools

We do not use cookies in relation to the Beam Solution.

Cookies are small files of letters and numbers downloaded on to your computer when you access certain websites. In general, cookies allow a website to recognize a user’s computer. They may be used to monitor and analyze how users interact interactions with a website or other service, to improve it and its functionalities, and/or customize it depending on users’ interactions. For more information on cookies, please visit the website http://www.allaboutcookies.org.

We do not use cookies in relation to the Beam Solution.

  1. Your rights with regard to the processing of your personal data

You have the right to access your personal data we process and may request in particular that they be removed, updated, or rectified.

Unless otherwise provided by law, you have the right to know whether we are processing your personal data. You may contact us to know the content of such personal data, to verify its accuracy, and to the extent permitted by law, to request that it be supplemented, updated, rectified or erased. You also have the right to ask us to cease any specific processing of personal data that may have been obtained or processed in breach of applicable law, and you have the right to object to any processing of personal data for legitimate reasons.

If you request us to delete your personal data from our systems, we will do so unless we need to retain your data for legal or other legitimate reasons. Please note that any information that we have copied may remain in back-up storage for some period of time after your deletion request.

Where we rely on your consent to process your personal data, we will seek your freely given and specific consent by providing you with informed and unambiguous indications relating to your personal data. You may revoke at any time such consent (without such withdrawal affecting the lawfulness of processing made prior to).

The above does not restrict any other rights you might have pursuant to applicable data protection legislation under certain circumstances. In particular, if the GDPR applies to the processing of your personal data the GDPR grants you certain rights as a data subject if the respective requirements are met:

  • Right of access (15 GDPR) – you have the right to access and ask us for copies of your personal data.
  • Right to rectification (16 GDPR) – you have the right to ask us to rectify personal data you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • Right to erasure (17 GDPR) – you have the right to ask us to erase your personal data in certain circumstances.
  • Right to restriction of processing (18 GDPR) – you have the right to ask us to restrict the processing of your personal data in certain circumstances.
  • Right to data portability (20 GDPR) – you have the right to ask that we transfer in a structured, commonly used and machine-readable format the personal data you gave us to another organization, or to you, in certain circumstances.
  • Right to object to processing (21 GDPR) – you have the right to object to the processing of your personal data which is based on our Legitimate Interests, in certain circumstances. In such case, we will no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms or where the processing is necessary for the establishment, exercise or defense of legal claims.

As a rule, you are not required to pay any charge for exercising your rights and we will respond to your request within one month.

You will find further details of your rights in sections 5 and 7 of this Privacy Notice in connection with each processing activity we perform. If you want to exercise any of your rights, or want additional information about them, please contact us using the contact detailed listed below (see section 14).

You have the right to lodge a complaint with the competent authority.

If you are not satisfied with the way in which we process your personal data, you may lodge a complaint with the competent data protection supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, in addition to the rights described above.

Although this is not required, we recommend that you contact us first, as we might be able to respond to your request directly.

Your rights under the California Consumer Privacy Act (CCPA)

If you are a California resident using the Services, the California Consumer Privacy Act (CCPA) may provide you the right to request access to and deletion of your personal data.

If you are a California resident, you may request that we:

  • disclose to you the following information covering the 12 months preceding your request:
  • the categories and specific pieces of personal information we collected about you and the categories of personal information we sold (see Sections 4 and 7 of this Privacy Notice);
  • the categories of sources from which we collected such personal information (see Section 4 of this Privacy Notice);
  • the business or commercial purpose for collecting or selling personal information about you (see Sections 6 and 7 of this Privacy Notice); and
  • the categories of third parties to whom we sold or otherwise disclosed personal information (see Section 8 of this Privacy Notice).
  • delete personal information we collected from you; or
  • opt-out of any future sale of personal information about you.

In addition, users of the Services who are California residents and under 18 years of age may request and obtain removal of content they posted.

We do not sell user personal data to third parties for the intents and purposes of the CCPA.

In order to exercise the right to request access to and deletion of your personal data, please see the contact details in section 14 below. We do not discriminate based on the exercise of any privacy rights that you might have under this section and will respond to your request consistent with applicable law.

All requests must be labeled “California Removal Request” on the email subject line. All requests must provide a description of the content you want removed and information reasonably sufficient to permit us to locate that content. We do not accept California Removal Requests via postal mail, telephone, or facsimile. We are not responsible for notices that are not labeled or sent properly, and we may not be able to respond if you do not provide adequate information. Please note that your request does not ensure complete or comprehensive removal of the material. For example, materials that you have posted may be republished or reposted by another user or third party.

  1. Contact Us

If you believe your personal data has been used in a way that is not consistent with this Privacy Notice, or if you have any questions or queries regarding the collection or processing of your personal data, please contact us at [email protected].

  1. Updates to this Privacy Notice

This Privacy Notice may be subject to amendments. Any changes or additions to the processing of personal data as described in this Privacy Notice affecting you will be communicated to you through an appropriate channel, depending on how we normally communicate with you (including by email and/or via the Beam Solution, e.g. banners, pop-ups or other notification mechanisms). If you do not agree to the changes made, you must stop accessing and/or using the impacted Services.

 

____________________________________________

 

Last updated: 07 October 2021.