Privacy Information by bgood GmbH
for the use of the goodbag smartphone-app
In the following we provide you with information about your rights regarding the collection and processing of your personal data. This information is provided in accordance with Articles 13 and 14 of the General Data Protection Regulation (GDPR).
The controller of the data processing is
Commercial Register: FN 442550i, Commercial Court Vienna
E-Mail: [email protected]
The lawfulness of the data processing is based on the necessity for the performance of the contract concluded with you via the goodbag smartphone-app (Art. 6 sec 1b GDPR) namely regarding the use of your data for the purposes of technical operation of the goodbag smartphone-app (e.g. display of shops nearby), the processing of orders via the web shop and general customer administration.
Some data processing activities, in particular about interactions within the goodbag smartphone-app, are based on our legitimate interests which are not overridden by your interests (Art 6 sec 1f GDPR). Our legitimate interest relates to the analysis of usage as well as improvement of the goodbag smartphone-app's performance and usability.
The storage of the data during the legal storage periods is carried out in accordance with corresponding legal obligations (Art. 6 sec 1c GDPR).
We process the following personal data when using the bag:
- Identification number (Universal Unique Identifier) of the bag
- Serial number of the chips built into the bag
In case of using the goodbag smartphone-app without registration we additionally process the following personal data:
- Identification number of the customer
- Position data (GPS coordinates), region and time zone
- Installation-ID of the app
- IP-address of the device used
- Shops, in which a voucher was redeemed (ID and name of the shop)
- Identification number (Universal Unique Identifier) of previous bags used with the same device
- Language- and regional settings of the used device
- Date and time of a bag-scan
- Interactions within the goodbag smartphone-app
- Interactions with the NFC-chip of the bag
- Places/shops, in which the bag was scanned
In case of using the goodbag smartphone-app with registration we additionally process the following personal data:
- Date of birth or age
- E-mail address
- Profile Photo
- Profile Biography
- Data regarding social media log-ins (e.g. Facebook-, Google-, Twitter-account data)
In case of an order via the goodbag smartphone-app's web shop we process the following personal data:
- Contact data (e-mail address, phone number)
- Delivery address
- Invoice address
- Payment details
In case of contacting us (e.g. feedback, suggestion of a partner shop) via the goodbag smartphone-app we process the following personal data:
- E-mail address
- Content of the message/recommendation
If you want to apply as partner shop we process the following personal data:
- Name of the company
- Contact data (e-mail address, phone number)
If you use the form for planting a tree we process the following personal data:
- E-mail address
- Code to prove authorization of planting a tree
If you refer a friend, we process the following personal data:
- E-mail address of the recipient
- Identity of the referring person (connection with goodbag account)
- Status of the recruit-a-friend-code
As far as necessary for the purposes mentioned in section 3, we use the following services and disclose your personal data to our technical service provider:
- "Google Maps" and "Firebase" of Google LLC with its seat in the USA; to guarantee the safety of your data, it is certified under the EU-US Privacy Shield Agreement;
- "Apple Maps" of Apple Inc. with its seat in the USA;
- "shopify" of Shopify International Ltd with its seat in Ireland;
- Newsletter mailing: The Rocket Science Group LLC d/b/a MailChimp with its seat in the USA; to guarantee the safety of your data, it is certified under the EU-US Privacy Shield Agreement;
- Diverse services of the "Visual Studio App Center" of Microsoft Corporation; some of the Microsoft corporations have their seat in the USA; to guarantee the safety of your data, those are certified under the EU-US Privacy Shield Agreement; and
- Content Delivery Network and Proxy-Server of Cloudflare, Inc., with its seat in the USA; to guarantee the safety of your data, those are certified under the EU-US Privacy Shield Agreement.
As host provider we use, inter alia, DigitalOcean with its seat in the USA (certified under the EU-US Privacy Shield Agreement), Google Cloud of Google LLC with its seat in the USA (certified under the EU-US Privacy Shield Agreement), Amazon AWS of Amazon.com, Inc. with its seat in the USA (certified under the EU-US Privacy Shield Agreement) and of Amazon Web Services EMEA SARL with its seat in Luxembourg as well as Azure of Microsoft Corporation with its seat in the USA (certified under the EU-US Privacy Shield Agreement).
In case you choose using a social media log-in (e.g. Facebook Connect, Google Sign-In, Sign in with Twitter) personal data will be transferred to the responsible social media provider as well as to the service "Firebase Authentication" of Google LLC with its seat in the USA (certified under the EU-US Privacy Shield Agreement).
Furthermore other service providers (processors) contracted by us will receive your personal data in order to render their respective services. All service providers are contractually obligated to keep your personal data confidential and may use your personal data only on our behalf and in line with our instructions.
We will transfer your personal data to public authorities and institutions (e.g. tax authority, courts, public prosecutor's office) if we are legally obligated to do so.
We just process your personal data as long as necessary. As soon as your data is no longer needed and there is no requirement for a longer storage period, it will be deleted automatically. We store your personal data necessary for the performance of the contract at least for the duration of the entire business relationship as well as, furthermore, in accordance with the legal storage and documentation obligations.
Right to information
Provided that we process your personal data, you have the right to information about the purposes of processing, the categories of personal data, the origin and the recipients of your personal data, the duration of storage, your rights and the existence of an automated decision-making.
Rectification and erasure of data
If we process inaccurate or incomplete personal data you have the right to rectification of such data. You may also request the erasure of your personal data if your data is processed unlawfully, subject to legal obligations preventing the erasure of your personal data.
Limitation of processing
You may request to limit the processing of your personal data in certain cases.
You have the right to receive the personal data, which you have provided to us, in a structured, commonly used and machine-readable format. You have the right to direct transmission of those data to another controller as far as this is technically feasible.
Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you. If you object to processing of your personal data, we shall cease to process this data unless our legitimate interests to processing your personal data override your interests, rights and freedoms or the processing serves the assertion, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, you shall have the right to object at any time to processing of personal data concerning you. In this case, we will cease the processing of your personal data for marketing purposes immediately.
You have the right to lodge a complaint with the Austrian Data Protection Authority (Österreichische Datenschutzbehörde), Barichgasse 40-42, 1030 Vienna, +43 1 52 152-0, e-mail address: [email protected] if you believe that your rights to protection of your personal data have been infringed.