Bodygram Body2Fit Privacy Policy

Establishment date: May 2, 2024

Bodygram Inc. (“Bodygram”, “We”, “Us”, or “Our”) respects your privacy and is committed to protecting it through our compliance with this policy. This privacy policy will explain how Bodygram uses the personal data we collect from you when you use our Body2Fit services (“services”) through our clients’ websites or apps (hereafter “clients’ systems”).

Please note that Bodygram acts both as a data processor and a data controller for certain data processing activities. In this privacy policy we will explain to which data processing activity Bodygram acts as a data processor and to which as a controller.

Bodygram provides its Body2Fit service to business clients for them to implement the service on their online store (e.g., website or app) in order to provide size and clothing recommendations to their customers. In this matter Bodygram acts as a data processor while our clients, as the online store owners, act as the data controller. Additionally, Bodygram conducts data processing activities in its own interest and responsibility to which Bodygram is the data controller.

As a data processor to our clients, we are bound by means of data protection to their instructions. For this we have concluded a data processing agreement in accordance with Art. 28 GDPR with our clients to ensure data protection.

Topics:

• Information on data processing when using the Body2Fit service
• Information on data processing by Bodygram as controller
  • What data do we collect?
  • How do we collect your data?
  • How will we use your data?
  • How do we store your data?
  • Recipients of data
  • What are your data protection rights?
  • Who we are and how to contact us or our data protection officer
  • Rights under the California Consumer Privacy Act (CCPA)

Information on data processing when using the Body2Fit service

Bodygram’s Body2Fit service regularly will be implemented by online store owners on their website in form of a widget or their online store apps. The service provides size recommendations and fitting illustrations to the customers of the online store owners which act as the data controller according to Art. 4 No. 7 GDPR. This means that the online store owner determines the means and purposes of the data processing by our Body2Fit service. Regularly the online store owners choose to implement Body2Fit for the purpose of improving customer experience by providing size recommendations and fitting illustrations according to the individual specifications provided by the customer. For further information, please refer to the privacy policy of the respective online store. If you have concluded an individual contractual agreement with the respective store owner to fulfill the additional business purposes and/or you give your consent to the online store owner, we will provide the size recommendation, and fitting illustrations and the use of estimated body measurements, which are processed to create the above-mentioned size recommendations, to the online store owner as part of our data processing agreement.In this matter, Bodygram acts as a data processor according to Art. 4 No. 8 GDPR and is bound by the instructions of the online store owner.

To provide the size and clothing recommendations regularly the following personal data provided either directly or indirectly by you will be processed:

• IP address
• Height, Weight, Age, Gender
• Optional additional information to improve recommendations, such as fitting preference
• Whole Body Images *optional

Please have also a look at the privacy policy of the respective online store.

If you have any questions on data processing or data protection in general, please reach out directly to the respective online store owner as the data controller.

If you wish to assert your data subject rights in connection with the aforementioned data processing, please contact the person responsible for the online store that implemented our service.

Information on data processing by Bodygram as controller

As mentioned above there are data processing activities that conducts Bodygram as a data controller.

What data do we collect?

Bodygram collects the following data:

• Height, Weight, Age, Gender
• Optional additional information to improve recommendations, such as fitting preference
• Device Information
  • Operating system
  • Browser type and version
• Information on our Service Usage
  • IP address and referrer
  • Host name and connecting device
  • The transferred amount of data and access status
  • Date and time of usage

How do we collect your data?

Bodygram receives the data directly provided by you through the use of our services via our clients’ systems (e.g., their online store websites or online store apps).

Additionally, Bodygram may also receive order related information from our clients’ systems:

• Products or services which you ordered on our clients’ systems
• Products or services which you returned on our clients’ systems

The information does not include personal data, particularly no personal identifiers like IP addresses, advertising identifiers, or alike. For example, we will be provided with information on which size and clothing recommendation has been suggested depending on certain body measurements and whether any products or services have been returned that have been ordered based on said recommendation. Bodygram will not be able to draw any conclusion on an individual nor will it be provided with personal data that can be tied back to an individual person.

How will we use your data?

Bodygram processes your data for the following purposes:

• To protect our service against cyberattacks by investigating and deterring unauthorized or illegal activities, Bodygram processes technical data such as IP addresses when using our service, as it is in Bodygram’s legitimate interests (i.e., Art. 6 (1) lit. (f) GDPR).

How do we store your data?

Bodygram securely stores your data in licensed servers located globally. If the data is stored in a country that does not provide an adequate level of protection for personal information, Bodygram will take adequate measures designed to protect the personal information, such as ensuring that such transfers are subject to the terms of the EU Model Clauses or other adequate transfer mechanism as required under relevant data protection laws.

The personal data being processed by Bodygram will be erased or their processing will be restricted in compliance with legal regulations. Unless otherwise in this privacy policy expressly stated, Bodygram will erase personal data as soon as it is no longer required the purpose it has been obtained for. Other than that, data will only be retained longer than for its intended purposes needed, if this is necessary for other legally permissible purposes or if the data must be retained longer in order to be compliant with statutory retention obligations.

Regarding personal data being processed in the course of a user’s usage of the Body2Fit service implemented by the online store owner, the data concerned will be stored temporarily to enable the delivery of the service (i.e., widget). Additionally, the log files that include your IP address will be stored temporarily for the purpose to ensure the functionality of the website and the security of our information technology systems, and deleted regularly (after 30 days at the latest).

Bodygram will not store your image data longer than the minimum time required. Once the processing to generate estimated body measurements and diagnosis to troubleshoot any failure in the process are complete, your image data will be automatically deleted in accordance with our data processing agreement with the online store owner (data controller). The other information such as height, weight, age, gender, estimated body measurements will be anonymized and not stored with any unique identifiers. The anonymized data will be stored for the purpose of improving our technology and services mentioned above. They’re not tied to any unique personally identifiable information, nevertheless, we store them securely. Please note that anonymized data do not fall under GDPR.

Recipients of data

For the technical provision of the Body2Fit service, we use the hosting services of a hosting provider to process meta and communication (see above, “What data do we collect?”). With the hosting provider we have concluded a so-called data processing agreement (i.e., in accordance with Art. 28 GDPR), by which the provider is bound to our instructions and processes the data on our behalf. The hosting provider is based in the USA. Bodygram will take adequate measures designed to protect the personal information. In particular, effective legal remedies against official access to your personal data may not exist. We have concluded EU Model Clauses with our hosting provider by which he guarantees to ensure an adequate data protection level. In addition, our hosting provider is certified under Data Privacy Framework, so any transfer can be based on the adequacy decision issued by the EU Commission.

Furthermore, we use Bodygram Japan K.K., a Japan based subsidiary of Bodygram Inc., as a service provider for the purpose of troubleshooting. We have concluded a Data Processing Agreement with Bodygram Japan K.K. (i.e., in accordance with Art. 28 GDPR), by which Bodygram Japan K.K. is bound to our instructions and processed the data on our behalf. Additionally, Japan has an adequacy decision of the European Commission in accordance with the Art. 45 GDPR, which states that Japan provides an adequate level of data protection similar to the GDPR.

What are your data protection rights?

You have the following rights free of charge against any person responsible for the processing of your personal data:

• Right to withdraw your consent
• Right to access: you may request access to your personal information that we process
• Right to erasure: you may request the erasure of your personal data. They will be erased without undue delay, unless there are legal reasons for further storage (e.g., legal storage obligations).
• Right to object: You have the right to object to the processing of your personal data at any time for reasons relating to your special situation. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims. The collection of data for the provision of the Body2Fit service and the storage of the log files is absolutely necessary for the operation of the service.
• Right to correct your personal data, discontinue our usage of your personal data, and other rights stipulated in each applicable jurisdictional law.

You also have the right to lodge a complaint with a data protection authority in the jurisdiction where you reside, where you work, or where the alleged infringement of your rights took place. We will comply with any such request in full accordance with the applicable laws and regulations.

Please note that we prioritize user’s privacy and security and hence do not store an individual’s body measurements data with unique identifiers that are tied to that individual after the size recommendation has been provided. In case such data requests are made we may not be able to accommodate them because of this data anonymization and minimization process we take for our users. If you would like to exercise any of these rights, please contact us at our email: privacy@bodygram.com. If you are EU/EEA or UK based, you can also contact us at our email privacy@bodygram.com, or contact the following EU/UK representative addresses.

Rickert Rechtsanwaltsgesellschaft mbH
Bodygram Inc.
Colmantstraße 15 53115 Bonn Germany
art-27-rep-bodygram@rickert.law

Rickert Services Ltd UK
Bodygram Inc.
PO Box 1487
Peterborough
PE1 9XX
United Kingdom
art-27-rep-bodygram@rickert-services.uk

Who we are and how to contact us or our data protection officer

Responsible for the data processing activities in relation to technically required data for the provision of the widget is Bodygram Inc., 228 Ave. S, PMB 91811 New York, New York 10003-1502 USA (att: Bodygram Personal Information Protection Manager). If you have any questions about Bodygram’s privacy policy, the data we hold on you, or you would like to exercise one of your data protection rights, please do not hesitate to contact us.

Email us at: privacy@bodygram.com (Data Protection Officer)

Our EU/UK representatives can be contacted in addition or instead of the controller by, in particular, supervisory authorities and data subjects, on all issues related to processing and for the purposes of ensuring compliance with EU/UK data protection laws.

Rickert Rechtsanwaltsgesellschaft mbH
Bodygram Inc.
Colmantstraße 15 53115 Bonn Germany
art-27-rep-bodygram@rickert.law

Rickert Services Ltd UK
Bodygram Inc.
PO Box 1487
Peterborough
PE1 9XX
United Kingdom art-27-rep-bodygram@rickert-services.uk

Rights under the California Consumer Privacy Act (CCPA)

If you are a California resident, you may request that we:

1. disclose to you the following information covering the 12 months preceding your request:
   • the categories and specific pieces of personal information we collected about you. (See What data do we collect?);
   • the categories of sources from which we collected such personal information. (See How do we collect your data?);
   • the business or commercial purpose for collecting or selling personal information about you (See How will we use your data?); and
   • the categories of third parties to whom we sold or otherwise disclosed personal information (See Recipient of Data).
2. delete personal information we collected from you, subject to certain exceptions.

We do not sell your personal information about you. We will respond to your request consistent with applicable law. If you are an authorized agent making an access or deletion request on behalf of a California resident, please reach out to us at privacy@bodygram.com and indicate that you are an authorized agent. We will provide you with instructions on how to submit a request as an authorized agent on behalf of a California resident.

Please note that there may be cases when we may decline your requests, e.g., when we are legally obligated to do so. Additionally, you will not receive any discriminatory treatment in case you exercise your privacy rights.

If you are a California resident, you may obtain information about exercising or exercise your rights, as described above, by contacting us at privacy@bodygram.com.