Website Privacy Policy

Effective Date: January 11, 2024

Bodygram Inc. (“Bodygram”, “We”, “Us”, or “Our”) respect your privacy and are committed to protecting it through our compliance with this policy. This Privacy Policy describes how Bodygram (controller) uses the personal data we collect from you when you view our websites (bodygram.com and its subdomains, “websites”).

Please also note that this privacy policy is not intended for the iOS application. For information about the processing of personal data through the iOS application, please refer to these links: US Japan

This Privacy Policy may be updated from time to time as we implement new technologies and/or changes in the law. Any such changes will be brought to your attention in an appropriate manner.

Topics:

• What data do we collect?
• How do we collect your data?
• How do we use your data?
• How do we store your data?
• Recipients of data
• What are your data protection rights?
• Cookies and third party requests
• How do we use cookies?
• What types of cookies do we use?
• Which service providers do we use?
• How to manage cookies
• Who we are and how to contact us or our data protection officer
• Rights under the California Consumer Privacy Act (CCPA)

What data do we collect?

Information automatically collected by Bodygram in the course of the user’s view of our websites including Bodygram Platform:

• Referrer

• IP address

• Date and time of websites visit

• Host name and connecting device

• Browser type and version

• Operating system

• The page visited on our websites

• Following websites that were visited via our websites

• The transferred amount of data and access status

• Cookies

Information additionally provided by you, through contact form:

• Your First and last name

• Job Title

• Company Name

• Email-address

• Phone Number

• Your Company’s size /Employees

• Country/Region

Information additionally provided by you, through newsletter subscription form:

• Email-address

Information additionally provided by you, during the account sign-up process on Bodygram Platform:

• Email-address

• Password

How do we collect your data?

The data collected by Bodygram is either directly or indirectly provided by you. We collect data and process data when you:

• Use or view our websites

• Send inquiries to us through our contact forms on the websites or via email or call us by telephone

• Subscribe to our newsletter

• Register your interest in our upcoming services

• Create an Account for Bodygram Platform

• Use or view Bodygram Platform

How do we use your data?

Bodygram collects your data for the following purposes:

• For the technical provision of the websites and Bodygram Platform and providing access for users which is also our legitimate interest, the temporary data processing taking place in the course of your website’s visit is strictly necessary (i.e., Art. 6 (1) lit. (f) GDPR).

• For the performance of contract or in order to take steps at your request prior to entering into a contract, e.g., when you contact us for an offer or request support regarding our services, the data processing taking place when you contact us via our contact forms, email or telephone is necessary (i.e., Art.6 (1) lit. (b) GDPR).

• For the provision of a good customer service, it is our legitimate interest to process the personal data provided when you contact us for, e.g., informative purposes via contact forms, email, or telephone (i.e., Art. 6 (1) lit. (f) GDPR).

• For the provision of the Newsletter about our products and services, Bodygram processes the personal data provided, when you submit to our Newsletter based on your consent to receive such communication (i.e., Art.6 (1) lit. (a) GDPR).

• For the protection against cyberattacks by investigating and deterring unauthorized or illegal accesses, Bodygram processes technical data and shortened when visiting our websites and Bodygram Platform as it is in Bodygram’s legitimate interests (i.e., Art.6 (1) lit. (f) GDPR).

• For the purpose of understanding and measuring traffic to our websites. Bodygram employs cookies and similar technologies, based on your consent. This allows us to improve our websites (i.e., Art.6 (1) lit. (a) GDPR).

• For the registration of an account on Bodygram Platform, Bodygram processes the personal data provided, when you register your account. The processing of data is carried out in order to fulfill the contract between Bodygram and you (Agreement to the Bodygram Platform Agreement) in accordance with Art.6 (1) lit. (b) GDPR.

How do we store your data?

Bodygram securely stores your data in licensed servers located globally. If the data is stored in a country that does not provide an adequate level of protection for personal information, Bodygram will take adequate measures designed to protect the personal information, such as ensuring that such transfers are subject to the terms of the EU Model Clauses or other adequate transfer mechanism as required under relevant data protection laws.

The personal data being processed by Bodygram will be erased or their processing will be restricted in compliance with legal regulations. Unless otherwise in this privacy policy expressly stated, Bodygram will erase personal data as soon as it is no longer required the purpose it has been obtained for. Other than that, data will only be retained longer than for its intended purposes needed, if this is necessary for other legally permissible purposes or if the data must be retained longer in order to be compliant with statutory retention obligations.

Regarding personal data being processed in the course of a user’s view of our websites, the data concerned will be stored temporarily to enable the delivery of our websites. Your IP address data will be erased and not stored for longer than necessary, unless otherwise specified, so that it is no longer possible to identify you.

Regarding contact requests Bodygram will delete such requests and personal data concerned after processing respectively handling unless statutory retention obligations require further storing. Requests that are solely of informative nature (e.g., that will not lead to a contract or contain other contractual content that needs to be retained) will be deleted at the end of the year in which the request has been made.

Regarding retention periods for cookies please have a look at the cookie settings, accessible via the cookiebot-icon at the bottom of the website.

Recipients of data

For the technical provision of our websites, we use the hosting services of a hosting provider to process meta and communication (see above, “What data do we collect?”). With the hosting provider we have concluded a so-called data processing agreement (i.e., in accordance with Art. 28 GDPR), by which the provider is bound to our instructions and processes the data on our behalf. The hosting provider is based in the United States.

Bodygram will take adequate measures designed to protect the personal information. In particular, effective legal remedies against official access to your personal data may not exist. We have concluded EU Model Clauses with our hosting provider by which he guarantees to ensure an adequate data protection level. In addition, our hosting provider is certified under Data Privacy Framework, so any transfer can be based on the adequacy decision issued by the EU Commission.

What are your data protection rights?

You have the following rights free of charge against any person responsible for the processing of your personal data:

• Right to withdraw your consent

• Right to access: you may request access to your personal information that we process

• Right to erasure: you may request the erasure of your personal data. They will be erased without undue delay, unless there are legal reasons for further storage (e.g., legal storage obligations).

• Right to object: You have the right to object to the processing of your personal data at any time for reasons relating to your special situation.  The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims. The collection of data for the provision of the websites and the storage of the log files is absolutely necessary for the operation of the websites.

• Right to correct your personal data, discontinue our usage of your personal data, and other rights stipulated in each applicable jurisdictional law.

You also have the right to lodge a complaint with a data protection authority in the jurisdiction where you reside, where you work, or where the alleged infringement of your rights took place. We will comply with any such request in full accordance with the applicable laws and regulations.

If you would like to exercise any of these rights, please contact us at our email: privacy@bodygram.com.

If you are EU/EEA or UK based, you can also contact us using the following representative email addresses, for EU/EEA: art-27-rep-bodygram@rickert.law and for UK: art-27-rep-bodygram@rickert-services.uk.

Cookies and third party requests

Cookies are text files placed on your computer to collect standard Internet log information and visitor behavior information. Third party requests are made from external parties when implementing external content into our websites. The third party content is downloaded from external websites when you visit our websites. When you visit our websites (bodygram.com and its subdomains), we may collect information from you automatically through cookies or similar technology.

For further information, visit allaboutcookies.org.

How do we use cookies?

We use cookies in a range of ways to improve your experience on our websites and enhance our marketing efforts, including:

• Understanding how you use our websites

• Serving targeted advertisements and promotions

• Tracking user interaction with our ads

These cookies allow us to better understand your interests and provide more relevant content and advertising.

What types of cookies do we use?

There are a number of different types of cookies, however, our websites use:

• Necessary – Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

• Statistics – Bodygram uses these cookies for internal analytics. A mix of first-party and third-party cookies are used.

• Preferences – Preference cookies enable a website to remember information that changes the way the website behaves or looks, like you preferred language or the region that you are in.

• Marketing - Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.

Which service providers do we use?

AWS

To manage our websites’ content, we use the service AWS for our Content Management System provided by Amazon Web Services, Inc., 410 Terry Ave. N., Seattle, WA 98109-5210, United States. The data including IP addresses is collected to enable delivery of the website. The legal basis of the processing is our legitimate interest in ensuring the functionality and maintenance of our website. With AWS, Inc., we have concluded a so-called data processing agreement (i.e., in accordance with Art. 28 GDPR) and EU Model Clauses. The transfer of data to the USA is based on the EU Commission’s adequacy decision (in accordance with Art. 45 of the GDPR) and the company’s certification in accordance with the new Data Privacy Framework.

Google

Google Analytics 4

For statistics we use the service Google Analytics 4 provided by Google LLC. Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA to analyze the usage of our websites. The data is collected in order to improve our websites. With Google LLC we have concluded a so-called data processing agreement (i.e., in accordance with Art. 28 GDPR) and EU Model Clauses.  The transfer of data to the USA is based on the EU Commission’s adequacy decision (in accordance with Art. 45 of the GDPR) and the company’s certification in accordance with the new Data Privacy Framework.

When visiting our websites, the following data are processed:

• IP address (in shortened form, unambiguous assignment is not possible);

• Approximate location (country and city)

• Technical information like browser, internet provider, device and screen resolution

• User behaviour (accessed pages and clicks)

• Origin of your visit (from which website or which advertisement our site was reached)

• Session length and if the site was left without any interaction

• Sharing of content (social media);

• Clicked links to other websites;

• Achievement of specific goals (conversions).

Legal basis for the data processing is your consent. You can withdraw your consent any times (please see below “How to manage cookies”). Google Analytics sets cookies in your browser for the duration of two years from your last visit. Further information can be found in the cookie management tool.

With IP anonymisation on our website, your IP address is shortened by Google by the last few digits within member states of the European Union or in other contracting states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. According to Google, the IP address transmitted by your browser within the scope of Google Analytics 4 will not be merged with other Google data.

As part of the evaluation, Google Analytics 4 also uses artificial intelligence such as machine learning for automated analysis and enrichment of the data. The evaluations are carried out automatically with the help of artificial intelligence or on the basis of concrete, individually defined criteria. Google Analytics sets cookies in your browser for the duration of two years from your last visit. These cookies contain a randomly generated User-ID, with which you can be recognised upon your next visit. The information collected by the cookies about the use of our website (including your anonymised IP address) may under certain circumstances be transferred to a Google server in the USA under Google’s responsibility and stored there. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there.

The logged data is stored by Google together with the randomly generated user ID, which is stored in a cookie on your device, enabling the evaluation of pseudonymised user profiles. This user-related data is automatically deleted after 14 months.

Google Tag Manager

Additionally, together with Google Analytics we use Google Tag Manager, a service of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, which allows us to place and administrate “tags” (small code elements). Google Tag Manager enables the activation of tags, which allows other services, such as Google Analytics, to collect data. Google Tag Manager itself does not process personal data.

Youtube

Also, we use the service Youtube provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA to embed the videos to introduce our services in order to improve Bodygram’s online presence. Youtube is integrated with a plugin by which information on the usage of the websites including your IP-address will be collected and send to a Google server, which is located in the United States. With Google LLC. we have concluded a so-called data processing agreement (i.e., in accordance with Art. 28 GDPR) and EU Model Clauses.The transfer of data to the USA is based on the EU Commission’s adequacy decision (in accordance with Art. 45 of the GDPR) and the company’s certification in accordance with the new Data Privacy Framework.

The legal basis for the data processing is your consent. Upon the first visit to our website, we ask for your consent. You can withdraw your consent any times (please see below “How to manage cookies”).

Google Fonts

On our websites we use the service Google Fonts provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google Fonts is a font register, which means by using it we can use externally hosted fonts on our websites. The Google fonts are optimized for the web usage and save data traffic, which results in reduced loading times. We use Google Fonts to ensure high quality of our websites. When using Google Fonts, the details of the HTTP request including the timestamp, requested URL, and all HTTP headers will be transferred to Google’s servers in the USA, which is necessary to ensure correct graphical display. Your IP addresses are not logged.

Google Fonts does not set any cookies on your device. Your IP address is requested by the Google domains fonts.googleapis.com and fonts.gstatic.com. Such requests are processed separately from other Google services, according to Google. Google Fonts is supporting all established browsers and works reliably on most mobile end devices. Legal basis for this is our legitimate interest in the efficient secure provision of the website, as Google Fonts is optimized for the web and provides quicker loading times and reduces data traffic.

reCAPTCHA

To protect our “Contact Us” form from spam and automatic programs’botsabuse, we use the service reCAPTCHA provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. reCAPTCHA analyzes the behavior of the website visitor based on various characteristics to determine whether the input is made by a human or by abusive bots.

The analysis starts automatically as soon as the website visitor enters the website. For the analysis, reCAPTCHA evaluates various information, such as the website visitor’s IP address, device and application data, the results of security checks, and the time they spend on the website. The data collected during the analysis will be forwarded to Google. The data will not be used for personalized advertising.

The use of reCAPTCHA is in the legitimate interest of protecting our website from spam and abuse, as well as ensuring the integrity and functionality of our “Contact Us” form. With Google we have concluded a so-called data processing agreement (i.e., in accordance with Art.28 GDPR) and EU Model Clauses. The transfer of data to the USA is based on the EU Commission’s adequacy decision (in accordance with Art. 45 of the GDPR) and Google’s certification under the new Data Privacy Framework.

HubSpot

To manage inquiries and contact data from our potential customers, we use the customer relationship management system (“CRM service”) of the service provider HubSpot, Inc.,25 First Street, 2nd Floor, Cambridge, MA 02141 USA. With HubSpot, Inc., we have concluded a so-called data processing agreement (i.e., in accordance with Art. 28 GDPR) and EU Model Clauses. The transfer of data to the USA is based on the EU Commission’s adequacy decision (in accordance with Art. 45 of the GDPR) and the company’s certification in accordance with the new Data Privacy Framework.

Legal basis for this is our legitimate interest in providing efficient and secure support and handling of inquiries.

We furthermore use HubSpot to track visitor behavior on our website. HubSpot employs browser cookies for this purpose. This involves the use of so-called “web beacons” and also the setting of “cookies”, which are stored on your computer and enable an analysis of your use of the website by us. Your actions will be logged anonymously until you fill out a form. Once you provide an email address through a form, your past and future activities are associated with this email, creating a personalized user profile. HubSpot evaluates the collected information (e.g. IP address, geographical location, browser type, duration of the visit and pages visited) on behalf of Bodygram to create reports about the visit and the pages visited on our website.

Legal basis for this is your consent. Upon the first visit to our website, we ask for your consent. You can withdraw your consent any time (please see below “How to manage cookies”).For more details about how HubSpot processes data, please visit https://legal.hubspot.com/privacy-policy.

Meta Pixel/Business Ads

Meta Pixel is a service of Meta Platforms Inc. 1601 Willow Road Menlo Park California 94025, USA. The service enables us to determine target groups for advertisements on Meta, so-called “Business Ads”, based on website visits and surfing behaviour. We also use this pixel to measure the effectiveness of online marketing measures. In this way, we can track the actions of users after they have seen a Business Ad and/or clicked and then placed an order. When you visit a website, the pixel is integrated directly by Meta and can store a cookie on your device. If you subsequently log in to your Facebook Account or are already logged in to your Facebook Account, your visit to this site will be logged in your profile. The collected user data is anonymous for us and therefore does not allow us to draw any conclusions about your identity. However, this data is stored and processed by Meta so that it is possible to draw conclusions about the respective user profile. For more information about Meta Pixel please visit https://www.facebook.com/business/tools/meta-pixel/. Data processing by Meta is carried out according to the Meta data usage guidelines. For this purpose, we have concluded a joint controller agreement with Meta. For more information about Meta’s data processing, please visit: https://www.facebook.com/about/privacy/. The transfer of data to the USA is based on the EU Commission’s adequacy decision (in accordance with Art. 45 of the GDPR) and the company’s certification in accordance with the new Data Privacy Framework.

Newsletter

Your personal data will be used to send you our newsletters and to inform you about news from our company, new services, new products and customized events according to your interests. This includes information about current or future service and product offerings as well as events involving our company or group companies (e.g., trade fairs). In order to be able to send you the newsletter, we need your e-mail address.

The legal basis for the processing is your consent. We use the personal data you provider during registration exclusively for sending our newsletter.

We are also entitled to store your IP addresses, registration time in order to check your registration and to adequately clarify any possible misuse of your personal data.

Moreover, we analyse our newsletter campaigns. If you open an email, the file contained in the email (so-called web.beacon) connects to our newsletter server. This makes it possible to determine whether a newsletter message has been opened and which links, if any, have been clicked on.

We base our processing on your consent, so this means that you have the right to withdraw your consent at any time or to object to the processing of your personal data for the purpose of sending the newsletter. If this happens, we will immediately remove your from our newsletter distribution list in order to comply with your request. You can withdraw your consent at any time by sending an email to our data protection officer or by following the instructions at the end of a newsletter email. If you send use an e-mail, please let us know what your withdrawal should refer to so that we can allocate your request.

The data is processed in an electronic newsletter system for the duration of the subscription. For this purpose and for sending the newsletter, we use HubSpot, Inc., 25 First Street, 2nd Floor, Cambridge, MA 02141 USA. We have concluded a so-called data processing agreement (i.e., in accordance with Art. 28 GDPR) and EU Model Clauses. The transfer of data to the USA is based on the EU Commision’s adequacy decision (in accordance with Art.45 of the GDPR) and the company’s certification in accordance with the new Data Privacy Framework.

How to manage cookies

You can set your browser not to accept cookies, and the above website (allaboutcookies.org) tells you how to remove cookies from your browser. Additionally, you can set specific cookie settings when first visiting our websites as we have implemented a cookie management tool. You can change your settings at any time. However, in a few cases, some of our websites’ features may not function as a result. For more information, please have a look at the cookie settings, accessible via the cookiebot-icon at the bottom of the website.

Who we are and how to contact us or our data protection officer

Responsible for the data processing activities on the websites and controller is Bodygram Inc., 228 Park Ave S, PMB 91811 New York, New York 10003-1502 USA (att: Bodygram Personal Information Protection Manager). If you have any questions about Bodygram’s privacy policy, the data we hold on you, or you would like to exercise one of your data protection rights, please do not hesitate to contact us.

Email us at: privacy@bodygram.com (Data Protection Officer)

Our EU/UK representatives can be contacted in addition or instead of the controller by, in particular, supervisory authorities and data subjects, on all issues related to processing and for the purposes of ensuring compliance EU/UK data protection laws.

Rickert Rechtsanwaltsgesellschaft mbH

Bodygram Inc.

Colmantstraße 15 53115 Bonn Germany

art-27-rep-bodygram@rickert.law

Rickert Services Ltd UK

Bodygram Inc.

PO Box 1487

Peterborough

PE1 9XX

United Kingdom

art-27-rep-bodygram@rickert-services.uk

Rights under the California Consumer Privacy Act (CCPA)

If you are a California resident, you may request that we:

1. disclose to you the following information covering the 12 months preceding your request:

• the categories and specific pieces of personal information we collected about you. (See What data do we collect?);

• the categories of sources from which we collected such personal information. (See How do we collect your data?);

• the business or commercial purpose for collecting or selling personal information about you (See How do we use your data?); and

• the categories of third parties to whom we sold or otherwise disclosed personal information (See Recipient of Data).

2. delete personal information we collected from you, subject to certain exceptions.

We do not sell your personal information about you. We will respond to your request consistent with applicable law. If you are an authorized agent making an access or deletion request on behalf of a California resident, please reach out to us at privacy@bodygram.com and indicate that you are an authorized agent. We will provide you with instructions on how to submit a request as an authorized agent on behalf of a California resident.

Please note that there may be cases when we may decline your requests, e.g., when we are legally obligated to do so. Additionally, you will not receive any discriminatory treatment in case you exercise your privacy rights.

If you are a California resident, you may obtain information about exercising your rights, as described above, by contacting us at privacy@bodygram.com.