PRIVACY NOTICE EEVIE APP
[As of March 2023]
Who is responsible for collecting and processing data?
We, eevie GmbH, Rather Straße 49 d, 40476 Düsseldorf, Germany, are responsible for collecting and processing your data. You can contact us for any questions or comments at the following e-mail address privacypolicy@eevie.io.What data do we collect, and why do we process your data?
We collect and process your data only for specific purposes. These may relate to technological requirements, contractual requirements or requests explicitly stated by users. Analytics and search engine optimisation that assist us in the improvement of our site.
When you use our app, we have to collect and store certain data (e.g. IP address, regional settings of the device) for technical reasons. The legal basis for the processing of this data is Article 6(1)(b) GDPR. If you want to use the functions mentioned below, we need your personal data. This data is used for the advanced features of the app: Personalization, syncing your profile across devices and regular updates via email. Your email and password are only collected when you log in. We process your personal data specifically for the following services:
2.1 User account
You must provide the following information when creating an account
● email address
● password
● nickname, which does not need to be your real name
Without this information, our system cannot create a personal account for you. We also assign an individual ID to your user account. The legal basis for the processing of this data is the fulfilment of our contract according to Article 6(1)(b) GDPR.
All other personal profile information is entered into the app is voluntary. This voluntary information includes:
● Information about yourself which can be displayed on your profile
● A picture of yourself
● All other information you enter into the app.
Legal basis for processing voluntary data is your consent pursuant to Article 6(1)(a) GDPR.
We store your above-mentioned data to offer you our services and gain insights from your data. Foremost, we use your data to provide you and the group or company you joined with insights of your CO2 footprint and change of habits. For more information on the leaderboard and business
customer dashboard feature please see 2.3 bellow.
2.2 Tracking habits
With our app, you can track your habits to measure your progress and calculate your carbon footprint. We also send you tips & tricks or reminders in the form of notifications to help you to better achieve the goals you set. You can enter your habits manually as well as let the app track your GPS location for automatic calculation. We use your GPS location data for the purpose of automatically calculating your carbon footprint and sending you location-relevant tips and tricks. Such tips may include, for example, nearby farmers markets. For more information on the processing of location data, see below under 3.2 and on notifications under 4.1. The legal basis for tracking your habits is your consent pursuant to Article 6(1)(a) GDPR.
2.3 Leaderboard & Business Customer Dashboard
When you join a group or company, your information (profile name, profile picture, kg CO2 reduced and seedlings earned in eevie) can be visible on a leaderboard of that group or company. This leaderboard feature is part of the business customer dashboard that is made available to the company when it joins our Impact Partner Program and has invited its employees to participate via the email address. In addition, we share the employee invitation status (accepted and activated) in correlation to their email address, and aggregated impact data in the form of graphical charts of carbon footprint reduction over time and progress in various habits of the participating employees. The legal basis for tracking and sharing this data with the group or company you have joined is your consent in accordance with Article 6(1)(a) GDPR.
2.4 Tree planting
Via the app, you can plant trees with our partner Eden Reforestation Projects. Our partner does not receive any personal data of our users.
You can purchase the trees through our payment service provider Stripe Payments Europe Ltd, Block 4, Harcourt Centre, Harcourt Road, Dublin 2, Ireland ("Stripe"), You can make the purchases via Apple Pay, Google Pay or by credit card. Stripe receives from us the data you enter into the app when you purchase trees. These are, for example, your credit card number including CCV and expiration date as well as your email address. The purpose of transmitting the data is processing payments and preventing fraud. The personal data shared between Stripe and the controller may be transferred by Stripe to credit reporting agencies. The purpose of this transfer is to check identity and creditworthiness. Stripe may disclose the personal data to affiliated companies and service providers or subcontractors to the extent necessary to fulfil its contractual obligations or to process the data on its behalf. You can object to this processing of your data at any time by sending a request to Stripe or the appointed credit agencies. However, Stripe may still be entitled to process your personal data if this is necessary to process payments in accordance with the contract.
You can access Stripe's applicable privacy policy at https://stripe.com/en-de/privacy.
The legal basis for the processing of your payment data is Article 6(1)(b) GDPR.
3. Which access authorization do we use?
Certain access permissions are technically necessary for the app to function properly, while other permissions are optional.
3.1 Access authorization for technical reasons: Android
Due to the technical requirements of Android, we automatically receive the permission to send push notifications.
3.2 Processing of location data
The app offers the service to automatically track your carbon footprint and your progress in reducing CO2 emissions. If you want to use this feature, your current location must be sent to the system so that the app can calculate your emissions. The app will only identify your location if you have authorized this in your device settings. You grant authorization either via a dialog box when using the app for the first time or via the settings of your device.
The legal basis for the processing of your location is your consent pursuant to Article 6(1)(a) GDPR.
We only use this data to manage the information you have requested. By deactivating the corresponding settings, you can prevent the app from accessing your location and thus withdraw your consent at any time.
3.3 Motion data
The app also offers the service of automatically tracking your carbon footprint and your progress in reducing CO2 emissions by means of a motion sensor. If you want to use this feature, you must grant the Motion sensor permission on Android or the Health/Fitness permission on iOS. This authorization does not give us access to health data pursuant to Article 9 GDPR.
The legal basis for the processing of your movement data is your consent pursuant to Article 6(1)(a) GDPR.
We only use this data to manage the information you have requested. By deactivating the corresponding settings, you can prevent the app from accessing your movement data and thus withdraw your consent at any time.
4. What external services and content do we use?
4.1 Push notifications (“habit nudges”)
We think it's beneficial to give you tips, reminders, and pushes to achieve your habit goals. This information is sent via push notifications if you enable this setting in the app. To send push notifications, we use the service provided by OneSignal Inc, 2194 Esperanca Avenue, Santa Clara, CA 95054 ("OneSignal"). OneSignal may receive personally identifiable information, such as user ID, temporary unique device identifier (e.g., IDFA and Android ID), and your IP address, if you have enabled push notifications. For more information, please see OneSignal's privacy policy at https://onesignal.com/privacy_policy.
OneSignal is a provider based in the USA, which is why your data is transmitted there. With the Schrems II decision of the European Court of Justice (C-311/18), the previously existing adequacy decision for data transfers to the USA, the so-called Privacy Shield agreement, was declared invalid. The European Court of Justice found that the U.S. does not ensure an adequate level of data protection. Above all, there is a risk that personal data will be subject to access by U.S. authorities for control and monitoring purposes and that no effective legal remedies will be available. The transfer to as well as the processing and/or storage of personal data by OneSignal is therefore based on the standard contractual clauses of the European Commission pursuant to Article 46(2)(c) GDPR. Where necessary, additional technical and organizational measures are taken if an adequate level of data protection cannot otherwise be guaranteed.
The legal basis for these data processing activities is Article 6(1)(a) GDPR.
You can deactivate push notifications in the settings of the app or in the settings of your device and thus withdraw your consent at any time.
4.2 Google Maps
We use Google Maps to display an interactive map of our tree planting projects. Google Maps is a map service provided by Google Inc, 1600 Amphitheatre Parkway, Mountain View, California 94043, USA. By using Google Maps, your information about the use of this app, including your IP address, may be transmitted to Google in the USA. When you call up a page of the app that contains Google Maps, your browser establishes a direct connection with Google's servers. The map content is transmitted by Google directly to the app and integrated by it. Therefore, we have no influence on the scope of the data collected by Google in this way. According to our knowledge, this is at least the following data:
Date and time of the visit to the app page in question,
IP address.
We have no influence on the further processing and use of the data by Google and therefore cannot assume any responsibility for this.
If you do not want Google to collect data about you via our website, please do not visit the project overview page.
The purpose and scope of the data collection and the further processing and use of the data by Google, as well as your rights in this regard and setting options for protecting your privacy, can be found in Google's data protection information (https://policies.google.com/privacy?hl=en).
To our knowledge, Google also transfers your above-mentioned data to the USA. With the Schrems II decision of the European Court of Justice (C-311/18), the previously existing adequacy decision for data transfers to the USA, the so-called Privacy Shield agreement, was declared invalid. The European Court of Justice found that the USA does not ensure an adequate level of data protection. Above all, there is a risk that personal data will be subject to access by U.S. authorities for control and monitoring purposes and that no effective legal remedies will be available. The transfer to, as well as the processing and/or storage of, personal data by Google is therefore based on the European Commission's standard contractual clauses under Article 46(2)(c) GDPR. We have also concluded a corresponding joint responsibility agreement with Google. You can access this at https://privacy.google.com/intl/de/businesses/mapscontrollerterms/. Where necessary, additional technical and organizational measures are taken if an adequate level of data protection cannot otherwise be guaranteed.
The legal basis for the processing of your data is the performance of the contract with you according to Article 6(1)(b) GDPR.
4.3 Firebase
We use Firebase, a technology from Google Ireland Limited, Gordon House, Barrow Street, Dublin D04 E5W5, Ireland, ("Firebase") in our app. We do not use Firebase services that use personally identifiable information, such as IP addresses, email addresses, phone numbers, or passwords.
The Firebase services we use process pseudonymous personally identifiable information. In most cases, the personally identifiable information is limited to so-called "instance IDs" that are time-stamped. These "Instance IDs" assigned by Firebase are unique and thus allow linking different events or processes. We do not consider this data to be personally identifiable information, nor do we make any effort to personalize it after the fact. We process this aggregated data to analyze and optimize user behavior and app functionality. Google Firebase processes the pseudonymous data in bulk together with data of other users, so that your individual data and measurements can no longer be assigned to you.
For Firebase Analytics, Google uses the advertising ID of the mobile device in addition to the "instance ID" described above. You can restrict the use of the advertising ID in the device settings of your mobile device.
In the event of an app crash, information about your device and the circumstances of the app crash is collected via Firebase Crashlytics and transmitted to us to find the cause of the respective crash and fix it faster. This serves the stability and improvement of the app.
You can find more information about Firebase's privacy and security here: https://firebase.google.com/support/privacy/ and at https://firebase.google.com/. More information about Google and privacy can be found at https://www.google.com/policies/privacy/.
To our knowledge, Google also transfers your above-mentioned data to the USA. With the Schrems II decision of the European Court of Justice (C-311/18), the previously existing adequacy decision for data transfers to the USA, the so-called Privacy Shield agreement, was declared invalid. The European Court of Justice found that the USA does not ensure an adequate level of data protection. Above all, there is a risk that personal data will be subject to access by U.S. authorities for control and monitoring purposes and that no effective legal remedies will be available. The transfer to, as well as the processing and/or storage of personal data by Google is therefore based on the standard contractual clauses of the European Commission pursuant to Article 46(2)(c) GDPR. We have also concluded a corresponding contract on commissioned processing with Google. You can view this at https://firebase.google.com/terms/data-processing-terms. Where necessary, additional technical and organizational measures are taken if an adequate level of data protection cannot otherwise be guaranteed.
The legal basis for the processing of your data in Firebase Analytics is your consent in accordance with Article 6(1)(a) GDPR. Firebase Crashlytics is used to optimize the app and improve the offer. The legal basis for processing your data in Firebase Crashlytics is therefore our legitimate interest according to Article 6(1)(f) GDPR.
5. What is the legal basis for processing your personal data?
Insofar as we obtain consent from you for processing operations of personal data, this serves as the legal basis according to Article 6(1)(a) GDPR.
When processing personal data that is necessary for the performance of a contract with you, the contract is the legal basis under Article 6(1)(b) GDPR. Article 6(1)(b) GDPR also applies to processing operations that are necessary for the performance of pre-contractual measures, for example in cases of inquiries about our products or services.
If our company is subject to a legal obligation by which the processing of personal data becomes necessary, such as for the compliance with tax obligations, the processing is based on Article 6(1)(c) GDPR.
In addition, we may also process your personal data on the basis of our legitimate interest pursuant to Article 6 (1) (f) GDPR, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
6. Does EEVIE share data with other parties?
Developing and operating an app generally requires the involvement of processing parties issued with instructions. Such parties include computer centre operators, development agencies, and other service providers tasked with roles relating to developing and operating the app. We also involve external service providers for features like tree planting and other features that are currently in development.
External service providers that process data on our behalf are carefully selected by us and subject to strict contractual obligations. These service providers follow our instructions, something which is guaranteed by means of strictly regulated contracts, technical and organisational measures, and supplementary checks.
We forward your data only if you have provided your explicit consent (e.g. when joining a group or a company) or if this is absolutely required due to legal obligations.
Your personal data will not be forwarded to third party states outside the EU/EEA or to international organisations in the absence of suitable guarantees. These include EU standard contract clauses and an adequacy decision from the EU Commission.
7. How long is your data stored?
We retain your data only as long as it is necessary to meet the purpose for which it was collected (e.g. as part of a contractual relationship) or as long as retention is required by law. For example, as part of a contractual relationship, we retain your data at least until the complete fulfilment of the contract. Afterwards, we store your data for the duration of the legal retention period.
8. Automated individual decision-making, including profiling
We do not use or intend to use your personal data for automated individual decision-making (including profiling).
9. Are cookies used?
We do not use cookies in our app.
10. What rights do I have as EEVIE user?
You can submit a request to see what personal details of yours are stored in our system.
You can ask us to correct and delete your personal data or restrict its processing (block) provided this is legally permissible and is possible within the context of the current contractual relationship.
You have the right to submit a complaint to a supervisory body. The supervisor responsible for eevie GmbH is: Data Protection Officer for the State of North Rhine-Westphalia (Die Landesbeauftragte für den Datenschutz Nordrhein-Westfalen), Kavalleriestraße 2-4, 40213 Duesseldorf, Germany. E-mail: poststelle@ldi.nrw.de
You have to right to the transferability of the data you have supplied us within the context of consent or a contract (data portability).
If you have provided us with consent to data processing, you can revoke it in the same manner as you supplied it. Revoking consent does not affect the legal standing of any processing which took place prior to the withdrawal of consent.
You can revoke your consent to data processing due to reasons relating to your specific situation if such processing is performed on grounds relating to our justified interests.
You can revoke your consent to receiving advertising whenever you wish and with future effect (right to object to advertising).
To make use of this right, you can send notification of your objection in writing to the following address:
eevie GmbH, Rather Straße 49 d, 40476 Düsseldorf , Germany
Or you can contact us via e-mail:privacypolicy@eevie.io
11. How up to date is this privacy policy?
We regularly update our privacy policy to suit changes to technical functions or legal conditions. As a result, we recommend that you read the privacy policy at regular intervals. If your consent is necessary or elements of the privacy policy contain regulations concerning the contractual relationship with you, the changes are made only with your consent that we will obtain from you explicitly.