Bodygram Platform Privacy Policy

Effective Date: January 11, 2024

Bodygram Inc. (“Bodygram”, “We”, “Us”, or “Our”) respects your privacy and is committed to protecting it through our compliance with this policy. This privacy policy will explain how Bodygram uses the personal data we collect from you when you use our Bodygram Platform (“Platform”) by creating your account, or accessing our APIs and/or Features available within Platform. We keep its privacy policy under regular review and place any updates on this page.

Please note that Bodygram acts both as a data processor and a data controller for certain data processing activities. In this privacy policy we will explain to which data processing activity Bodygram acts as a data processor and to which as a data controller.

Bodygram provides its Platform to business clients (”clients”) for them to integrate our APIs into their systems or/and utilize the Features such as ‘Body Scan’ in accordance with their business requirements. Purposes for using our APIs or Features vary from client to client. In this matter our clients act as the data controller while Bodygram acts as a data processor. Additionally, Bodygram conducts data processing activities in its own interest and responsibility to which Bodygram is the data controller.

As a data processor to our clients, we are bound by means of data protection to their instructions, or/and Platform agreement, or our respective terms with each client. If the data controller processes personal data in the EEA, we conclude a data processing agreement pursuant to Art. 28 GDPR with our clients to ensure data protection.

Topics

1. Information on data processing when using Bodygram Platform
2. Information on data processing by Bodygram as Controller
   • What data do we collect?
   • How do we collect your data?
   • How do we use your data?
   • How do we store your data?
   • Recipients of data?
   • Which Service Providers Do We Use?
   • What are your data protection rights?
   • Who we are and how to contact us or our data protection officer
   • Rights under the California Consumer Privacy Act (CCPA)

A. Information on data processing when using Bodygram Platform

Bodygram Platform provides APIs and Features to our clients, who can start using Platform by signing up for an account. Once registered, clients can scan their end-user’s bodies by either providing basic information such as height, weight, gender, and age, or by supplying this information along with 2 body photos through our APIs or/and Features within the Platform. Platform then provides estimated body measurements and a 3D avatar, among other outputs, to assist in fulfilling their business purposes.

Commonly, clients integrate our body scan technology into their services to offer a customized experience to their own users. As such, clients using the Platform determine the means and purposes of the data processing. In these instances, Bodygram acts as a data processor according to Art. 4 No. 8 GDPR and adheres to client instructions. To deliver body measurements and 3D avatars, we regularly process the following personal data, provided either directly by clients or indirectly through client services:

• IP address
• Height, Weight, Age, Gender
• Whole Body Images

Our clients are responsible for processing this data for their own purposes. If you are using a service from one of our clients and have questions about data processing or protection, please contact the respective client directly, as they are the data controller. Please also have a look at the privacy policy of the respective client.

Should you wish to exercise your data subject rights in relation to data processing involving our APIs or Features on the Bodygram Platform, please reach out to the entity responsible for the service that has implemented our technology.

B. Information on data processing by Bodygram as Controller

As mentioned above, there are data processing activities carried out by Bodygram as a data controller.

What data do we collect?

• Email
• Password
• Device Information
  • Operating system,
  • Browser type and version.
• Information on our Platform usage such as:
  • IP address and referrer,
  • host name and connecting device,
  • the transferred amount of data and access status,
  • date and time of usage,
  • a number of scans conducted within an account.

How do we collect your data?

Bodygram receives the data directly provided by you when you:

• Create an account for Bodygram Platform
• Use or view Platform
• Send inquiries to us through the link to our contact forms (you will be redirected to our websites)

How do we use your data?

Bodygram processes your data for the following purposes;

• For the registration of an account on Bodygram Platform, Bodygram processes the personal data provided, when you register your account. The processing of data is carried out in order to fulfill the contract between Bodygram and you (Agreement to the Bodygram Platform Agreement or/and customized contract) in accordance with Art.6 (1) lit. (b) GDPR.

• For the technical provision of the Bodygram Platform and providing access for users which is our legitimate interest, the temporary data processing taking place in the course of your website’s visit is strictly necessary (Art.6 (1) lit. (f) GDPR).

• For the provision of a good customer service, it is our legitimate interest to monitor the usage of Platform and communicate with clients such as informing clients when they are approaching their scan limits or haven’t utilized free scan opportunities to maximize its benefits (Art.6 (1) lit. (f) GDPR).

• For the purpose of preventing fraud, it is our legitimate interest to implement measures such as flagging multiple sign-ups from a single location (Art.6 (1) lit. (f) GDPR).

How do we store your data?

Bodygram securely stores your data in licensed servers located globally. If the data is stored in a country that does not provide an adequate level of protection for personal information, Bodygram will take adequate measures designed to protect the personal information, such as ensuring that such transfers are subject to the terms of the EU Model Clauses or other adequate transfer mechanism as required under relevant data protection laws.

The personal data being processed by Bodygram will be erased or their processing will be restricted in compliance with legal regulations. Unless otherwise in this privacy policy expressly stated, Bodygram will erase personal data as soon as it is no longer required the purpose it has been obtained for. Other than that, data will only be retained longer than for its intended purposes needed, if this is necessary for other legally permissible purposes or if the data must be retained longer in order to be compliant with statutory retention obligations.

In the context of body scanning, information such as height, weight, age, gender, body images, estimated measurements, and 3D avatars are retained for the duration of the contract. Clients have the flexibility to delete this data at any point during the contract using the provided API, in accordance with their business requirements. For body images, an automated process extracts characteristics in a manner that ensures they are inherently non-identifiable. Other data elements, including height, weight, age, gender, and estimated measurements, are anonymized; they are not stored with any personal identifiers. This anonymization process ensures that the data, while used for enhancing our technology and business development, remains unlinked to any personally identifiable information and is stored securely. Please note that under GDPR regulations, such anonymized data is not considered personal data and is not covered by the GDPR.

Recipients of data?

We engage with third-party service providers to facilitate specific operational functions, explained in more detail in each section. These service provider process user data under our strict guidance and in compliance with data protection agreements.

General Information on Data Processing

Our commitment to safeguarding data privacy and security is evident in our relationships with all third-party service providers and data processors. Where processors are used, they are bound to our privacy policy by a data processing agreement under Art. 28 GDPR. These service providers are our contractors and assist in the processing of your personal data, for example in the provision of this Platform. To ensure the protection of your personal data, we have implemented a range of measures including Standard Contractual Clauses (SCCs), the Data Privacy Framework (https://www.dataprivacyframework.gov/) where applicable, and additional data protection measures. These include rigorous data processing agreements to maintain the highest standards of data privacy. We will inform you which service providers we use are certified under the Privacy Framework in the relevant sections of the privacy policy.

Hosting Provider: Bodygram uses a hosting provider based in the United States for technical processing of meta and communication data. (see above, “What data do we collect?”). With the hosting provider we have concluded a so-called data processing agreement (i.e., in accordance with Art. 28 GDPR), by which the provider is bound to our instructions and processes the data on our behalf. The hosting provider is based in the United States.

Bodygram will take adequate measures designed to protect personal information. In particular, effective legal remedies against official access to your personal data may not exist. We have concluded EU Model Clauses with our hosting provider by which he guarantees to ensure an adequate data protection level. In addition, our hosting provider is certified under Data Privacy Framework, so any transfer can be based on the adequacy decision issued by the EU Commission.

Which Service Providers Do We Use?

Please refer to ‘Recipients of data’ above. In addition, we use the following services.

AWS: For the purpose of registering and managing your account within Bodygram Platform, we use the service AWS provided by Amazon Web Services, Inc., 410 Terry Ave. N., Seattle, WA 98109-5210, United States. When you create your account on Bodygram Platform, your submission data (Email address, Password), including your IP address and timestamp, will be transferred to AWS’s servers for processing and storage. The legal basis to process personal data for the fulfillment of a contract between Bodygram and you (Agreement to the Bodygram Platform Agreement). The transfer of data to the USA is based on the EU Commission’s adequacy decision (in accordance with Art. 45 of the GDPR) and AWS’s certification under the new Data Privacy Framework.

Bodygram Japan K.K.: Bodygram Japan K.K., a subsidiary of Bodygram Inc. located in Japan, is engaged for troubleshooting purposes. We have concluded a Data Processing Agreement with Bodygram Japan K.K. (i,e,, in accordance with Art. 28 GDPR), by which Bodygram Japan K.K. is bound to our instructions and processed the data on our behalf. Additionally, Japan has an adequacy decision of the European Commission in accordance with the Art.45 GDPR, which states that Japan provides an adequate level of data protection similar to the GDPR.

What are your data protection rights?

You have the following rights free of charge against any person responsible for the processing of your personal data:

• Right to withdraw your consent

• Right to access: you may request access to your personal information that we process

• Right to erasure: you may request the erasure of your personal data. They will be erased without undue delay, unless there are legal reasons for further storage (e.g., legal storage obligations).

• Right to object: You have the right to object to the processing of your personal data at any time for reasons relating to your special situation. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims. The collection of data for the provision of the websites and the storage of the log files is absolutely necessary for the operation of the websites.

• Right to correct your personal data, discontinue our usage of your personal data, and other rights stipulated in each applicable jurisdictional law.

You also have the right to lodge a complaint with a data protection authority in the jurisdiction where you reside, where you work, or where the alleged infringement of your rights took place. We will comply with any such request in full accordance with the applicable laws and regulations.

If you would like to exercise any of these rights, please contact us at our email: privacy@bodygram.com.

If you are EU/EEA or UK based, you can also contact us using the following representative email addresses, for EU/EEA: art-27-rep-bodygram@rickert.law and for UK: art-27-rep-bodygram@rickert-services.uk.

Who we are and how to contact us or our data protection officer

Responsible for the data processing activities in relation to Bodygram Platform is Bodygram Inc., 228 Park Ave S, PMB 91811 New York, New York 10003-1502 USA (att: Bodygram Personal Information Protection Manager). If you have any questions about Bodygram’s privacy policy, the data we hold on you, or you would like to exercise one of your data protection rights, please do not hesitate to contact us.

Email us at: privacy@bodygram.com (Data Protection Officer)

Our EU/UK representatives can be contacted in addition or instead of the controller by, in particular, supervisory authorities and data subjects, on all issues related to processing and for the purposes of ensuring compliance with EU/UK data protection laws.

Rickert Rechtsanwaltsgesellschaft mbH
Bodygram Inc.
Colmantstraße 15, 53115 Bonn Germany
art-27-rep-bodygram@rickert.law

Rickert Services Ltd UK
Bodygram Inc.
PO Box 1487
Peterborough
PE1 9XX
United Kingdom
art-27-rep-bodygram@rickert-services.uk

Rights under the California Consumer Privacy Act (CCPA)

If you are a California resident, you may request that we:

1. disclose to you the following information covering the 12 months preceding your request:

• the categories and specific pieces of personal information we collected about you. (See What data do we collect?);
• the categories of sources from which we collected such personal information. (See How do we collect your data?);
• the business or commercial purpose for collecting or selling personal information about you (See How do we use your data?); and
• the categories of third parties to whom we sold or otherwise disclosed personal information (See Recipient of Data).

2. delete personal information we collected from you, subject to certain exceptions.

We do not sell your personal information about you. We will respond to your request consistent with applicable law. If you are an authorized agent making an access or deletion request on behalf of a California resident, please reach out to us at privacy@bodygram.com and indicate that you are an authorized agent. We will provide you with instructions on how to submit a request as an authorized agent on behalf of a California resident.

Please note that there may be cases when we may decline your requests, e.g., when we are legally obligated to do so. Additionally, you will not receive any discriminatory treatment in case you exercise your privacy rights.

If you are a California resident, you may obtain information about exercising your rights, as described above, by contacting us at privacy@bodygram.com.