Privacy Policy for the Shopper App

  1. Introduction

We, Autonomo GmbH (hereinafter referred to as Autonomo), offer a supermarket in Hamburg, called Hoody, where no checkout is required. Hence, you as the customer do not have to undergo the usual payment procedure at a checkout. Instead, you can register in our app and you will be filmed during your shopping activities and receive an invoice after exiting the store. When using our services and shopping in our Hoody store you will go through the following process:

Before entering the store you must download the app and register an account. Through the app you receive a generated QR code, which you need in order to enter the store. From the moment you enter the store until you exit it, you are filmed. As you move around the store you are tracked and occasionally (re-)identified based on visual cues, such as the colour and composition of your clothing. These visual cues also include facial recognition data. The cameras are also used to identify movements you make, such as reaching for a product on a shelf, and to track the type and number of products you place in your shopping cart. After you have completed your shopping, you can leave the store without checking out. The payment process is then initiated based on the information you previously entered into the app. Finally, upon exiting, you receive a notification of the amount you are invoiced.

With this Privacy Policy, we seek to make our processing activities transparent to you. We inform you about the legal basis, scope and purposes of the processing of personal data in our Hoody store and app, and about your rights as a data subject.

  2. Controller

The controller as defined by the GDPR is:

Autonomo GmbH
Victoriakai-Ufer 4d

20097 Hamburg

E-Mail: [email protected]

  3. Data Protection Officer

You can contact our Data Protection Officer as follows:

Niklas Hanitsch

c/o secjur GmbH

Steinhöft 9

20459 Hamburg

Telephone: +49 40 228 599 520

E-Mail: [email protected]

You can contact our Data Protection Officer directly at any time with any questions and suggestions you have regarding data protection, and to exercise your rights under data protection law (see below).


  4. Provision of the App
  4.1 Server logfiles
  4.1.1 Data Processing

When you use our app or website, we automatically collect the data your device relays to our server (in “server logfiles”). Our server collects a range of general data and information each time you access any page or data in the app. This general data and information are stored in the server’s log files. The information stored may include:

Server log files are stored separately from any other personal data you have provided. We do not use them to create user profiles or to draw any other conclusions about you.

  4.1.2 Purpose of Processing

The purposes of processing server log files are:

  4.1.3 Legal Basis

The legal basis for processing server log files is our legitimate interest pursuant to Art. 6 (1) (f) GDPR. We have a legitimate interest in delivering our online service in a technically flawless manner.

  4.1.4 Storage Period

We delete your personal data as soon as they are no longer required to achieve the purpose for which they were collected. We delete personal data that we store in log files after 60 days at the latest.

  4.1.5 Service Provider

We use the following hosting service provider:

Amazon Web Services Germany GmbH

Krausenstr. 38

10117 Berlin

Germany

The servers are located in Germany.

  4.2 App Permissions
  4.2.1 Data Processing

After downloading our app, you are asked to provide the following permissions on your device:

  4.2.2 Purpose of Processing

We ask you for these permissions for the following purposes:

  4.2.3 Legal Basis and Storage Period

When downloading the app, you are asked to grant these permissions. The legal basis for the processing is therefore your consent pursuant to Art. 6 (1) (a) GDPR. You can change the settings on your device and withdraw the permissions at any time. Please note that if you do not grant the permissions, or withdraw them later, you may not be able to use all functions of the app. Use of the camera is only initiated by you, when you choose to buy products that require age verification or choose to register your age.

  4.2.4 Service Provider

We use Firebase Cloud Messaging (FCM) to provide push notifications. The service provider is:

Google Cloud EMEA Limited

70 Sir John Rogerson’s Quay

Dublin 2

Ireland

To enable push notifications, an FCM token is issued by Google. We use that token to communicate with FCM in order to send the notification to you. We send no other personal data to Google/FCM as part of the notification service; in particular, no customer account data is transferred to Google in this context.

  5. Checkout-free Shopping
  5.1 Data Processing in the Hoody App and Hoody Store
  5.1.1 Data Processing

Prior to entering our Hoody Store for the first time, you must create a customer account. We process your personal data to create a customer account. We also process your personal data when you shop in our Hoody store.

The following data is processed when you register an account, regularly use your account and shop in our Hoody store:

  5.1.2 Purpose of Processing

The purposes of processing the above-mentioned personal data are:

  5.1.3 Legal Basis

The legal basis for processing your personal data is Art. 6 (1) (b) GDPR. You are not legally required to provide your data. However, the personal data mentioned above is required to create the customer account and to provide the Hoody service. Insofar as we process your facial geometry and other body features to improve the automation and accuracy of our services, the legal basis is your prior explicit consent pursuant to Art. 9 (2) (a) GDPR. You can withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. Please note that without your consent you may not be able to use all of the services provided to you in the app and store.

  5.1.4 Storage Period

We delete your personal data as soon as it is no longer required to achieve the purpose for which it was collected. We store the personal data associated with your account for as long as you have a Hoody account. If you delete your account, or if you have not been active for 367 days, we delete your personal data. Video recordings and imagery are generally stored for up to 15 days. After that period we delete them, unless we have legitimate business reasons to retain them, such as for law enforcement purposes. Retained videos are used as data for accuracy improvement, i.e. to improve our service to you. Reasons for retention include dealing with exceptions or edge cases, for example where two shoppers cross over in the shop and we are unable to re-identify them and therefore need to improve our algorithms to avoid errors. Where this would not degrade their usefulness, we anonymise the videos and imagery as described below.

Please note that certain personal data, such as that relating to payment matters, may be subject to retention obligations under commercial or tax law. We can therefore not delete this data prior to the expiration of these retention obligations.

  5.1.5 Service Providers

We use the following payment service providers:

Stripe Payments Europe Limited

North Wall Quay

Dublin 1

Ireland

PayPal Europe SA

Luxembourg

Secupay AG

Goethestraße 6

01896 Pulsnitz

Germany

Worqroom GmbH

Am Sandtorkai 72

20457 Hamburg

Germany

  5.1.6 Data Processing Outside the European Union

We process personal data in third countries where no adequacy decision by the European Commission exists as defined in Art. 44-49 GDPR. We use the following processor:

Autonomo Labs Pvt Ltd

#2343, 17th Cross Road,

Vanganahalli,1st Sector,

HSR Layout, Bengaluru,

Karnataka, India, 560102

The processor primarily supports Autonomo GmbH with the development of our technology. In most instances, the processor handles customer support cases and the relevant shopping videos and imagery, to ensure that a transaction is processed accurately. If, for example, you make a request or claim that we invoiced you incorrectly, the processor receives the relevant video recordings and handles your case. The processor only has access to the individual recordings that are specific to your request or transaction; otherwise, the processor has no access to video recordings or other personal data. No personal data is transmitted to or stored in India for the provision of the support services; all data is accessed remotely and securely, limited to the minimum personal data required for the processor's responsibilities.

To safeguard the third country transfer we have concluded standard data protection clauses. You have the right to request a copy of the standard data protection clauses.

  5.2 Usage of Facial Recognition Data in the Hoody Store
  5.2.1 Data Processing

In order to detect your interactions with products and your movements in the shop, we use face detection and face recognition technology (so-called facial recognition). We do not rely on facial recognition alone. Facial recognition data is generally used alongside other visual cues as mentioned above.

The face recognition system analyses the face geometry. It identifies facial features that are important in distinguishing a face from other objects and other faces. Face recognition technology basically looks for the following features:

The system then converts these features into a series of numbers called a face-hash (also referred to as a faceprint). Each person's faceprint is unique, much like a fingerprint.

  5.2.2 Purposes of Processing

The purpose of using facial recognition data is to ensure the accuracy of automatically created invoices. Cues such as clothing and movements are sometimes insufficient for our autonomous shopping system to determine whether a product has been taken from a shelf or put back by you; this can be the case, for example, when people wearing similar clothing stand close together. We use the face-hash data to distinguish persons in these scenarios.

  5.2.3 Legal Basis

The legal basis for processing is your explicit consent pursuant to Art. 9 (2) (a) GDPR. We require your consent before you can enter the Hoody store, because face recognition data constitutes biometric data. Biometric data is considered sensitive data and is subject to special protection under the GDPR.

Providing your face recognition data is not a statutory requirement. However, this data is necessary to fulfil our contract and provide our service of a checkout-free shopping experience. Without having the opportunity to rely on facial recognition as an additional data point for our automatic billing system we cannot generate accurate invoices.

You can withdraw your consent at any time without affecting the lawfulness of processing your face recognition data based on consent before its withdrawal.

  5.2.4 Storage Period

We retain facial recognition data (the face-hash) after you exit the store only for a short period, i.e. until all automatic invoice generation has been performed and validated. Once invoice generation is completed and checked, payment processing starts and an invoice is sent to you. Once all processing is completed, the face-hash data is deleted.

Access to face-hashes is limited to administrators of Hoody and Autonomo, for support purposes. No personal data is transmitted to or stored in India for the provision of the support services; it is only accessed from India (see above).
  6. Contact / Contact Form
  6.1 Data Processing

You can contact us through our app, our website or by email, or via the contact form. To process your contact request, we process the following personal data:

  6.2 Purpose of Processing

The purpose of processing your personal data is to answer your contact requests and respond to your claims.

  6.3 Legal Basis

The legal basis for processing your personal data is our legitimate interest pursuant to Art. 6 (1) (f) GDPR. If your request concerns a contract or entering a contract, the legal basis is Art. 6 (1) (b) GDPR.

  6.4 Storage Period

We delete your personal data as soon as they are no longer required to achieve the purpose for which they were collected. We store your data for the period that the subject matter of the communication request is being processed. If the conversation has ended and the subject matter has been resolved, your personal data is deleted.

  7. Cookies

We use cookies in our app and on our website. Cookies are small text files that your browser creates automatically and that are stored on your device when you use our app or website. A cookie stores information that arises in connection with the specific end device used. This does not mean, however, that we thereby gain direct knowledge of your identity.

  7.1 Strictly Necessary Cookies
  7.1.1 Data Processing

We use technical cookies in our app and on our website. Technical cookies are cookies that are necessary to provide certain functions of the app and website; they are therefore strictly necessary.

The information that is stored in strictly necessary cookies is:

  7.1.2 Purpose of Processing

The purpose of using strictly necessary cookies is to:

  7.1.3 Legal Basis

The legal basis for using strictly necessary cookies is our legitimate interests pursuant to Art. 6 (1) (f) GDPR. Our legitimate interest lies in the provision of a functioning app and website.

  7.1.4 Storage Period

Technical cookies are stored only for the duration of your session. As soon as you end your session, by logging off or by uninstalling the app (not merely minimising it), the cookies are deleted.

  8. Automated Decision-Making

Our autonomous shopping experience involves automated billing technology for generating our invoices, as described above. The consequence of this is that you are billed automatically, without human intervention or with as little human intervention as possible. You will have to pay the bill generated by our system.

We do not consider automated billing to fall within the scope of Art. 22 GDPR; as such, we do not perform automated decision-making or profiling within the meaning of that provision.

Where possible, we automate billing decisions about your shopping activities, but only where we have reasonable confidence that the decision can be made autonomously. If we are not confident enough to make a decision, we request a manual review by a fully trained operator.

The algorithms automatically analyse the images captured at these steps by recognising visual cues such as the colour composition of your clothes, the position of your feet, etc., and in some cases also the geometry of your face (see above). The use of facial recognition can be necessary where the system could otherwise not recognise the person in the images. Our system is able to associate picked-up items with the relevant persons as they move around the store. Once the person and the product pick-up are detected, we automatically place the item in your virtual shopping cart. On exit from the store, all processing is completed and the receipt and payment request are issued.

We are not using profiling for our automated decision-making algorithms. That means that we do not analyse or try to predict aspects of a natural person, such as personal preferences, interests, behaviour, or movements.

You will always have the ability to demand that a human intervenes. Whenever you think your invoice is inaccurate you can express your point of view and raise a complaint via the respective functionality in the Hoody app, website or via email. A human will then check the imagery and the decision made by the system.

  9. Improvements of the Software (AI) and Shopping Experience
  9.1 Data Processing

Most of the video and images captured are automatically discarded within 15 days of your transaction being completed. On occasion, when unusual scenarios are identified, the video and/or images of the shopper are retained for accuracy improvements of the software and for improving the shopping experience. This includes:

Prior to uploading the video and imagery data, all textual personal data of the shopper, such as email address, name and phone number, is removed. In addition, information about the store location is removed or anonymised, to reduce the identifiability of the video or image based on the specific location of the store (e.g. a small village vs. a big city). Where possible, the data is fully anonymised, i.e. faces are blurred. This process is irreversible.

As a further safeguard, to ensure that partially anonymised data is processed and retained only on rare but necessary occasions, an Autonomo staff member must complete a data retention request, which must be approved by a manager based on the legitimacy of the request, e.g. when:

In addition, for software improvement, a request to use either anonymised or partially anonymised video or imagery is possible for:

  9.2 Purpose of Processing

The purpose of processing your personal data is accuracy improvements and further development of the software, as well as improving the shopping experience for shoppers (see before).

  9.3 Legal Basis

The legal basis for processing is your explicit consent pursuant to Art. 9 (2) (a) GDPR. We require your consent before you can enter the Hoody store, because facial recognition data constitutes biometric data. Biometric data is considered sensitive data and is subject to special protection under the GDPR.

You can withdraw your consent at any time without affecting the lawfulness of processing your face recognition data based on consent before its withdrawal.

  9.4 Storage Period

Personal data, including videos and imagery, is stored for up to 15 days for processing and for up to 180 days for improvement purposes. Transactional data is stored for tax and commercial law purposes for 10 years, in accordance with the retention periods for commercial books and inventories under the German Commercial Code (Handelsgesetzbuch) and the German Tax Code (Abgabenordnung).

  9.5 Data Processing Outside the European Union

For the processing described in this section, we use the same processor in a third country without an adequacy decision, Autonomo Labs Pvt Ltd, HSR Layout, Bengaluru, Karnataka, India, under the same safeguards (standard data protection clauses) and the same access restrictions as described above under "Data Processing Outside the European Union" in the section on Checkout-free Shopping. You have the right to request a copy of the standard data protection clauses.

  10. Your Rights as a Data Subject

If you would like to exercise one of your rights and/or receive further information, you can contact our Data Protection Officer directly. As a data subject, you have the following rights:

  10.1 Right of Access

You have a right to request confirmation from us as to whether or not personal data concerning you is being processed. You also have the right to access personal data, including the right to receive a copy of this data.

  10.2 Right to Rectification

You have the right to request the correction of inaccurate personal data concerning you. Furthermore, you have the right to request the completion of incomplete personal data, considering the purposes of the processing.

  10.3 Right to Erasure

You have the right to demand that personal data concerning you be deleted immediately if one of the reasons provided for by law applies and insofar as the processing or storage is not necessary.

  10.4 Right to Restriction of Processing

You have the right to demand that we restrict processing if one of the legal requirements is met.

  10.5 Right to Data Portability

You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from us, as the controller to whom the personal data was provided, provided that the processing is based on consent pursuant to Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR or on a contract pursuant to Art. 6 (1) (b) GDPR, and that the processing is carried out by automated means, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

In addition, when exercising your right to data portability pursuant to Art. 20 (1) GDPR, you have the right to have the personal data transmitted directly from one controller to another, where this is technically feasible and does not adversely affect the rights and freedoms of other individuals.

  10.6 Right to Object

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of public interest pursuant to Art. 6 (1) (e) GDPR or on the basis of legitimate interests pursuant to Art. 6 (1) (f) GDPR.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the assertion, exercise or defence of legal claims.

  10.7 Right to Withdraw Consent

You have the right to withdraw your consent to the processing of personal data at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

  10.8 Right to Lodge a Complaint with a Supervisory Authority

You are entitled to lodge a complaint with a supervisory authority.

The continued development of our app, website and service, or new or changed legal or regulatory requirements, may make it necessary to change this privacy notice. You can access the current privacy notice at any time here.

Updated: May 2023