Data protection policy of «k kiosk app» (Hereinafter "App")

The Data Controller for the processing of your personal data in connection with this App is Valora Schweiz AG, Hofackerstrasse 40, CH-4132 Muttenz. You can reach our company data protection officer at dataprivacy@valora.com or at our postal address with the addition "Data Protection Officer".

Valora uses the data provided by you primarily for the purpose of the proper operation of this App, as well as for the performance and processing of App services (incl. customer satisfaction survey). You will find details in this chapter.

• Data collected during the registration process: During the registration process, we will ask you for your first name, surname, date of birth, gender and mobile phone number. We will then generate an individual user ID for you. The processing of this data takes place in order to fulfil the terms of use of this App and is necessary to enable your access to the App, the maintenance of your user account and direct communication (incl. customer satisfaction survey) to you if needed. We need your date of birth for purposes of age verification, and in order to send you birthday wishes and a small birthday surprise. We also store your e-mail address when you contact our customer service by e-mail.
• Means of payment within the Payment Linked Loyalty programme (PLL): if you choose to register one or more means of payment in the app so that you can automatically collect points, stamps and other benefits in the future (without having to show the QR code in the app), we will process data relating to whichever registered means of payment you choose. We will store the type of payment method (e.g. VISA, MasterCard, etc.); if applicable, we will also store
• your partially masked card number (e.g. XXX XXX XXX1 234) as well as a so-called pseudonymous card token (an alphanumeric identification number created by the payment processor based on your card number). Furthermore, we will store in which of our sales outlets and at what time the registered means of payment was last used. This data is used solely for the purpose of enabling you to collect points and stamps more easily. You can delete the stored means of payment in your customer profile at any time. In this case, your payment method data will also be deleted from our systems. Furthermore, the data will be deleted if you delete your entire customer account.
• App-usage analyses: Your individual user profile is composed of the information you entered during registration (see above), your purchasing data (including location and time data, use of discounts or other offers, etc.) as well as data on App usage (whether and when you used the App, which functions you activated, etc.). Based on the user profiles of all App users, we can conduct analyses that reflect consumer behaviour and consumption patterns and profiles. Such processing is carried out based on our legitimate interests to better understand user acceptance and to continually optimise this App and our offers. Depending on the analysis, your data will either be aggregated (and thus anonymised) or pseudonymised. In addition, data is gathered on reward points collected in accordance with the terms of use of this App so that Valora can operate its reward program and correctly allocate the points to the relevant customers.
• Direct advertising: Based on the evaluation of your user profile, we can send you attractive offers and relevant information about products and promotions in the App. When you set up the App, you can choose to receive such push notifications. You can adjust your selection at any time. You can also subscribe to our newsletter. You can subscribe and unsubscribe via a separate link provided to you in the App.
• Sweepstakes within the App: In the case of sweepstakes promotions, we record which users have been provided with which promotions, which users have participated in which promotions, which users have won which prizes and which prizes they have redeemed. As part of your participation in one of our sweepstakes, it is further necessary that we process the following personal data from you: For the purpose of prize delivery, it may be necessary for us to collect your postal address. In the event of a win, we also use your cell phone number stored in the App to activate the prize in your customer account and/or to contact you directly. In addition, we can provide customer support if something does not work. The described data processing is carried out exclusively for the purpose of handling the respective promotion. We store data that we need exclusively for the proper processing of the promotion (e.g. address) for up to 2 months after dispatching the prize.
• Invitation to a friend to use the app (Tell-a-Friend): When an invitation to use the App is sent to a friend, Valora collects the mobile phone number of that friend and stores this number in the inviting user's user profile for a period of one month, unless the mobile phone number of the friend is already linked to an existing user account. If the invited friend registers during this time by using the invitation link sent via SMS, a voucher will be sent to the inviting user. If the friend does not register within one month, the mobile phone number will be deleted. The mobile phone number of the invited friend will not be used for any other purposes.
• Sending a gift voucher to a friend (Gift-a-Friend): When sending a gift voucher to a friend via the SMS function, Valora collects the mobile phone number of that friend to check whether a user account has already been set up with this mobile phone number. If the friend who received the gift is already a registered user, the voucher will be delivered via App, otherwise via SMS. Immediately afterwards, the friend's mobile phone number is pseudonymised. The mobile phone number of the friend receiving the gift is not used for any other purposes.

When you download this App, the relevant App-Store processes certain information related to the user and user's device, e.g.: IP address, device identification numbers (IMEI, UDID, IMSI, MAC address), mobile telephone number (MSISDN), name of device, user-specific App-Store log-in data such as user name/password.
The use of third party platforms is at your own risk. We have not reviewed the third-party platforms and accept no responsibility for how the providers process personal data. We recommend that you read the privacy statements of third-party platforms in advance.

• Passing on your data to other Valora companies: Insofar as it is necessary for the provision of this App or for other legitimate interests of Valora, Valora will share your data with other members of the Valora Group.
• Transfer of personal data to third parties: Valora may transfer certain tasks and data to third parties ("service providers") commissioned by it in order to ensure proper operation (e.g. carrying out the registration process), maintenance and the various functions of this App, as well as to store the data. The service providers are data processors of Valora and are contractually bound to the processing purposes described herein. In particular, they may only process your data within the framework of fulfilling their contractual obligations towards Valora and their obligations under applicable law. If we are involved in a merger, joint venture, acquisition/sale or sale of assets, we may disclose your data to a transaction partner for further processing.
• Disclosure in connection with criminal proceedings: To the extent permitted by law, we may disclose information that is necessary or conducive to the investigation or prevention of an actual or suspected criminal offense or other violation of our or a third party's rights.
• Analysis data: Valora may disclose aggregated or non-personal information to the public and other partners. It is possible, for example, that Valora may publish such information in order to demonstrate trends in customer behaviour. However, you as a person can then no longer be identified from this data.

As a matter of principle, your data will only be processed in Switzerland and in the member states of the European Union.
In order to store your data securely on our customer database, we use a cloud service provider that provides data centers in Ireland and Germany. Should it nevertheless be necessary to transfer your personal data to a country that does not have an adequate level of data protection, we will ensure appropriate guarantees: Either the recipient will enter into the accepted standard contractual clauses or the recipient can prove that it is self-certified under the Privacy Shield (EU-US/CH-US).

All of your stored personal information will be stored by Valora (and/or by related entities or third-party service providers commissioned by Valora) only so long as necessary for use of the App or so long as permitted or required by law.

• Registration data will be stored for the duration of the existence of the user account. User accounts will be deleted unasked after two years of inactivity.
• We use and store analytical data for a period of three year, with the proviso that aggregated or anonymised data that no longer relate to individual users may, however, be used beyond that period for internal purposes.
• Mobile phone numbers of friends to whom you have recommended the use of this App will be deleted after the period of one month.

Data whose specified maximum processing duration has been reached is automatically deleted within one month.

However, aggregated or anonymised data that no longer relate to individual users can be processed beyond the specified period.

• Revocation of consents: For those data processing operations to which you have given your consent, you have the right to revoke your consent at any time. The adjustment of your personal settings can be made directly in the App. Since you can give your consent for various functionalities, in the event of a revocation of your consent, only the functionality for which you have revoked your consent will be deactivated or restricted (e.g. push notifications). If you have subscribed to our newsletter, you can unsubscribe simply by clicking on the unsubscribe link in the newsletter.
• Objection: You can object to such data processing, which we carry out based on our legitimate interests, at any time.
• Right to information: You also have the right to learn from us what data we process about you, on what legal basis and for what purposes, and to request a free copy of your personal data.
• Right of rectification: If your data is incomplete or incorrect, you have the right to request rectification of your personal data. You can correct some information yourself in the customer centre of the app.
• Right to erasure: You have the right to have your personal data erased under certain circumstances. In individual cases, the right to deletion may be excluded. You have the right to delete your customer account and the associated data independently at any time. For technical and administrative reasons, the final deletion of the customer account may take up to 30 days after you have requested the deletion. Please note that uninstalling the app will not automatically erase your customer account and that your information will remain intact in case you decide to reinstall the App later on.
• Automated decisions and profiling: Where, in the context of this app, decisions are based exclusively on automated processing including the creation of a personality profile (in particular personalized offers), you can refuse those decisions which affect you in a legal or other significant way. 

If you wish to exercise your above-described rights or have other questions about the processing of your personal information, please contact our company Data Protection Officer by sending an e-mail to dataprivacy@valora.com or a letter to our mailing address, adding the words "Attn: Data Protection Officer". To enable our Data Protection Officer to classify your query as quickly as possible, it is best to add "kkiosk App" in the subject line of your message.

If you have a reason to assume that Valora is not using your personal information in compliance with the applicable laws and other regulations and/or if you are dissatisfied with the reply to your query about the exercise of your rights, you may lodge a complaint with the supervisory authority.

We use the Google developer platform Firebase and the related functions and services of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, ("Google"). Google Firebase is a platform for Apps developers for mobile devices and websites. Google Firebase offers a variety of functions described on the following summary page: https://firebase.google.com/products/.

Such functions include, among others, the storage of Apps, including the users’ personal information, such as content created by you or information about your interaction with the Apps. In addition, Google Firebase offers interfaces that enable interactions between App users and other services.
The users’ interactions are analysed using the Firebase Analytics service, which helps us record our users interactions, e.g., events such as the first-time opening of the App, uninstall, updates, crashes and the frequency of use of the App. Certain interests of the users are also recorded and analysed.
The information processed using Google Firebase may be used in combination with other Google services, such as Google Analytics and the Google Marketing services. In that case, only pseudonymous information, such as Android Advertising ID or Advertising Identifier for iOS will be processed in order to identify the user's mobile devices. For further information about the use of data for marketing purposes by Google, see the summary page: https://www.google.comp/policies/technologies/ads; Google's Privacy Policy is available at https://www.google.com/policies/privacy .
Google is certified under the Privacy-Shield Agreement, which guarantees that it ensures a level of privacy protection commensurate with European data protection laws https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

Please note that this Data Protection Policy is subject to change at any time without prior notice. Please check this App Data Protection Policy for changes on a regular basis. We label changes with an additional label such as "new" or "update". All changes will enter into effect immediately upon publication of the revised App-Data Protection Policy in this App.