Privacy Policy for the xBand mobile application

Effective Date: 2023-11-06

xTactor IT AB ("us", "we", or "our") operates the xBand mobile application (hereinafter referred to as the "Service"), available in the Google Play Store and Apple App Store.

This Privacy Policy informs you of our policies regarding the collection, use, and disclosure of personal data when you use our Service and the choices you have associated with that data. We take your privacy seriously and are committed to protecting your personal information. We will not use or share your information with anyone except as described in this Privacy Policy. By using the Service, you agree to the collection and use of information in accordance with this policy.

Any use of Cookies – or of other tracking tools — by this Service or by the owners of third-party services used by this Service serves the purpose of providing the Service required by you, in addition to any other purposes described in the present document.

Owner and data controller

xTactor IT AB

Vasavägen 13, 169 58 Solna, Sweden

team@xtactor.com

Information we collect and use

We, by ourselves or through third parties, collect various types of information for the purpose of providing and improving our Service. We may ask you to provide us with certain personally identifiable information that can be used to contact or identify you. Personal data may be freely provided by you, or, in case of usage data, collected automatically when using this Service.

Unless specified otherwise, all data requested by the Service is mandatory and failure to provide this data may make it impossible for this Service to function correctly. In cases where the Service specifically states that some data is not mandatory, you are free not to communicate this data without consequences to the availability or the functioning of the Service. If you are uncertain about which personal data is mandatory you are welcome to contact us.

The information we collect about you may include, but is not limited to:

Personal data

• Email address
• First name
• Last name
• Username
• Other personal information that you have freely disclosed to us through for example support and feedback forms while using the Service

Usage data

We may also automatically collect information about how the Service is accessed and used. This usage data may include, but is not limited to:

• Your device's Internet Protocol address (e.g., IP address)
• Device model and version
• Your mobile device unique ID
• Device operating system type and version
• The installed version of the Service
• Unique application identifiers
• Usage statistics, including interactions with the Service
• Date and time of access to the Service
• Language
• Time zone

Authentication data

When you use our Service, you may choose to create an account and sign in. We may collect information about the authentication methods you use to log in, including, but not limited to:

• Email Address and Password (for email sign-in)
• Google Sign-In
• Sign in with Apple

If you decide to register through or otherwise grant us access to a third-party authentication Service, such as Google or Apple, we may collect personal data that is already associated with your account on the third-party Service. This may include the name, email address and profile picture associated with your account on that third-party Service.

Mode and place of processing the data

Methods of processing

We take appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of the data.

The data processing is carried out using computers and/or IT enabled tools, following organizational procedures and modes strictly related to the purposes indicated. In addition to us, in some cases, the data may be accessible to certain types of persons in charge, involved with the operation of this Service (administration, sales, marketing, legal, system administration) or external parties (such as third-party technical service providers, mail carriers, hosting providers, IT companies, communications agencies) appointed as data processors by us. The updated list of these parties may be requested from us at any time.

Place

Your information, including personal data, is processed at our operating offices and in any other places where the parties involved in the processing are located. It means that this information may be transferred to, and maintained on, computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ than those from your jurisdiction.

Your consent to this Privacy Policy followed by your submission of such information represents your agreement to that transfer.

We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy and no transfer of your personal data will take place to an organization or a country unless there are adequate controls in place including the security of your data and other personal information.

Transfer of data outside of the EU and EEA

For further information about the legal basis for transfer of data outside of the European Union (EU) and European Economic Area (EEA), you are requested to contact us through the contact details provided in the present document.

Countries that guarantee European standards

If this is the legal basis, the transfer of personal data from the EU and EEA to third countries is carried out according to an adequacy decision of the European Commission. The European Commission adopts adequacy decisions for specific countries whenever it considers that country to possess and provide personal data protection standards comparable to those set forth by EU data protection legislation. You can find an updated list of all adequacy decisions issued on the European Commission's website.

Based on standard contractual clauses

If this is the legal basis, the transfer of your personal data from the EU and EEA to third countries is carried out according to “standard contractual clauses” provided by the European Commission. This means that data recipients have committed to process personal data in compliance with the data protection standards set forth by EU data protection legislation. For further information, you are requested to contact us through the contact details provided in the present document.

Equal protection of user data

We share your data only with third parties carefully selected to ensure that they provide the same or equal protection of user data as stated in this privacy policy and requested by applicable data protection laws. Further information on data processing and privacy practices by third parties can be found in their respective privacy policies.

Retention time

Unless specified otherwise in this document, personal data shall be processed and stored for as long as required by the purpose they have been collected for, set out in this Privacy Policy, and may be retained for longer due to applicable legal obligation or based on your consent. We will retain and use your personal data to the extent necessary to provide you with the Service, comply with any applicable laws, resolve disputes, and enforce our legal agreements and policies.

We will also retain usage data for internal analysis purposes. Usage data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of our Service, or we are legally obligated to retain this data for longer time periods.

We delete the data stored by us as soon as the purpose on which the storage is based has ceased to exist and as soon as there are no legal obligations to retain data and no deviating regulations have been made in this data protection declaration. If the data cannot be deleted because it is required for other, legally permissible purposes (e.g. storage for reasons of commercial or tax law), its processing will be restricted. In this case, the data is processed exclusively for this purpose and is otherwise blocked.

Once the retention period expires, personal data shall be deleted. Therefore, the right of access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after expiration of the retention period.

The purposes of processing

We use the collected data for various purposes, including:

• To provide and maintain the Service
• To notify you about changes to our Service
• To provide customer support and respond to your inquiries
• To monitor the usage of the Service
• To detect, prevent, and address technical issues
• To improve and personalize the Service
• To identify user trends and evaluate the Service
• To manage your registration as a user and provide you with the functionalities of the Service that are available to you as a registered user
• To contact you regarding support requests or feedback
• To contact you by email or mobile application's push notifications regarding updates, news, or informative communications related to the functionalities, products or contracted services, including the security updates, when necessary or reasonable for their implementation
• To comply with legal obligations
• To respond to enforcement requests
• To protect our rights and interests (or those of our users or third parties)
• Detect any malicious or fraudulent activity

Legal basis of processing

We may process personal data relating to you if one of the following applies:

• You have given your consent for one or more specific purposes
• Provision of data is necessary for the performance of an agreement with you and/or for any pre-contractual obligations thereof
• Processing is necessary for compliance with a legal obligation to which we are subject
• Processing is related to a task that is carried out in the public interest or in the exercise of official authority vested in us
• Processing is necessary for the purposes of the legitimate interests pursued by us or by a third party

In any case, we will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.

Detailed information on the processing of personal data

Platform services and hosting

These services have the purpose of hosting and running key components of the Service, therefore allowing the provision of this Service from within a unified platform. Such platforms provide a wide range of tools to us – e.g. analytics, user registration, commenting, database management, e-commerce, payment processing – that imply the collection and handling of personal data. Some of these services work through geographically distributed servers, making it difficult to determine the actual location where the personal data are stored.

App Store Connect (Apple Inc.)

This Service is distributed on Apple's App Store, a platform for the distribution of mobile apps, provided by Apple Inc.

App Store Connect enables us to manage this Service on Apple's App Store. Depending on the configuration, App Store Connect provides us with analytics data on user engagement and app discovery, marketing campaigns, sales, in-app purchases, and payments to measure the performance of this Service. App Store Connect only collects such data from users who have agreed to share them with us. You may find more information on how to opt out via their device settings on Apple's page about sharing of analytics, diagnostics and usage information.

Personal data that is shared with, and processed by the service, may include

• Diagnostics
• Universally unique identifier (UUID)

Place of processing

United States

More information

Apple's Privacy Policy

Google Play Store (Google Ireland Limited)

The Service is distributed on the Google Play Store, a platform for the distribution of mobile apps, provided by Google Ireland Limited.

By virtue of being distributed via this app store, Google collects usage and diagnostics data and share aggregate information with us. Much of this information is processed on an opt-in basis.

You may opt-out of this analytics feature directly through their device settings. More information on how to manage analysis settings can be found on Google's page about sharing of usage and diagnostics information.

Personal data that is shared with, and processed by the service, may include

• Usage data

Place of processing

Ireland

More information

Google's Privacy Policy

Analytics

We use analytics to collect and analyze data about how the Service is used. This information helps us understand user interactions and improve the Service.

Google Analytics for Firebase (Google Ireland Limited)

Google Analytics for Firebase or Firebase Analytics is an analytics service provided by Google LLC or by Google Ireland Limited.

In order to understand Google's use of data, consult Google's partner policy.

Firebase Analytics may share data with other tools provided by Firebase, such as Crash Reporting, Authentication or Remote Config. You may check this Privacy Policy to find a detailed explanation about the other tools used by us.

This Service uses identifiers for mobile devices and technologies similar to cookies to run the Firebase Analytics service.

You may opt-out of certain Firebase features through applicable device settings, such as the device advertising settings for mobile phones.

Personal data that is shared with, and processed by the service, may include

• Application opens
• Application updates
• Device information
• Geography/region
• Launches
• Number of sessions
• Number of users
• Operating systems
• Session duration
• Universally unique identifier (UUID)
• Usage data

Place of processing

Ireland

More information

Google's Privacy Policy

Infrastructure monitoring

This type of service allows us to monitor the use and behavior of the Service so that its performance, operation, maintenance and troubleshooting can be improved.

Crashlytics (Google Ireland Limited)

Firebase Crashlytics helps us track and diagnose app crashes. When the app crashes, it sends crash reports that may contain information such as the device model, operating system version, the date and time of the crash and information about the event or page view that caused the crash. Crashlytics is a monitoring service provided by Google Ireland Limited.

Personal data that is shared with, and processed by the service, may include

• Crash data
• Device information
• Usage data
• Universally unique identifier (UUID)
• Geography/region

Place of processing

Ireland

More information

Google's Privacy Policy

Content performance and features testing (A/B testing)

The services contained in this section allow us to remotely configures parts of the Service, without you having to update to the Service to a new version.

Firebase Remote Config (Google Ireland Limited)

Firebase Remote Config is an A/B testing and configuration service provided by Google Ireland Limited.

Remote configurations can be personalized to target users with a specific device OS, version of the app, language or based on data from Google Analytics for Firebase, or other parameters. It can also allow us to track and analyze you response or behavior regarding changes to the structure, text or any other component of the Service.

Personal data that is shared with, and processed by the service, may include

• Various types of data as specified in the privacy policy of the service

Place of processing

Ireland

More information

Google's Privacy Policy

Hosting and backend infrastructure

This type of service has the purpose of hosting data and files that enable the Service to run and be distributed as well as to provide a ready-made infrastructure to run specific features or parts of the Service.

Some services among those listed below, if any, may work through geographically distributed servers, making it difficult to determine the actual location where the personal data are stored.

Firebase Cloud Functions (Google Ireland Limited)

Firebase Cloud Functions is a hosting and backend service provided by Google Ireland Limited.

Personal data that is shared with, and processed by the service, may include

• IP address for event-handling and HTTP functions
• Usage data
• Various types of data as specified in the privacy policy of the service

Place of processing

Ireland

More information

Google's Privacy Policy

Firebase Firestore Database (Google Ireland Limited)

Firebase Storage is used to store and manage files and data associated with the Service, such as your user settings, account information and messages (for example comments, feedback and support requests) you have sent to us through the Service.

Personal data that is shared with, and processed by the service, may include

• Various types of data as specified in the privacy policy of the service

Place of processing

Ireland

More information

Google's Privacy Policy

Registration and authentication

By registering or authenticating, you allow this Service to identify you and give you access to dedicated services. Third parties may provide registration and authentication services. In this case, this Service will be able to access some data, stored by these third-party services, for registration or identification purposes.

Some of the services listed below may also collect personal data for targeting and profiling purposes; to find out more, please refer to the description of each service.

Firebase Authentication (Google Ireland Limited)

Firebase Authentication is a registration and authentication service provided by Google Ireland Limited. To simplify the registration and authentication process, Firebase Authentication can make use of third-party identity providers and save the information on its platform.

Personal data that is shared with, and processed by the service, may include

• Email address
• First name
• Last name
• Password
• Profile picture
• Social media accounts
• Username
• User agent
• IP address

Place of processing

United States

More information

Google's Privacy Policy

Google OAuth (Google Ireland Limited)

Google OAuth is a registration and authentication service provided by Google Ireland Limited and is connected to the Google network.

Personal data that is shared with, and processed by the service, may include

• Various types of data as specified in the privacy policy of the service

Place of processing

Ireland

More information

Google's Privacy Policy

Sign in with Apple (Apple Inc.)

Sign in with Apple is a registration and authentication service provided by Apple Inc. When signing up with Apple you can, instead of sharing your email address with us, choose that Apple may generate a private relay address on behalf of you that automatically forwards messages to your verified personal email account - therefore shielding your actual email address from us. You can read mor about Sign in with Apple on Apple's page about Sign in with Apple.

Personal data that is shared with, and processed by the service, may include

• Email address
• First name
• Last name
• Username

Place of processing

United States

More information

Apple's Privacy Policy

Direct registration (this Service)

You can register by filling out the registration form and providing your personal data directly to this Service. To simplify authentication we then share this data with Firebase Authentication (see separate section in this Privacy Policy).

Personal data that processed may include

• Email address
• First name
• Last name
• Password

Contact through push notifications

We may, with your consent, send you push notifications and in-app messages, such as updates, news, reminders, and important information related to the Service. You can consent to receiving push-notifications the first time you install the Service, or at a later time. You can also revoke the permission at any time from the settings of your device.

Firebase Cloud Messaging (Google Ireland Limited)

Firebase Cloud Messaging is a message sending service provided by Google Ireland Limited. Firebase Cloud Messaging allows us to send in-app messages and push notifications to you. Messages can be sent to single devices using instance IDs, groups of devices, or specific topics or user segments.

These services may also collect data concerning the date and time when the message was viewed by you, as well as when you interacted with it, such as by clicking on links included in the message.

Personal data that is shared with, and processed by the service, may include

• Instance IDs
• Various types of data as specified in the privacy policy of the service

Place of processing

Ireland

More information

Google's Privacy Policy

User identification via a universally unique identifier (UUID)

The Service may track you by storing a so-called universally unique identifier (or short UUID) for analytics purposes or for storing your preferences or content submitted to us. This identifier is generated upon installation of the service, it persists between Service launches and updates, but it is lost when you delete the application. A reinstall generates a new UUID. If you create an account on the Service the UUID will instead be linked to your account and will be reused when you sign in with the same account again, even if you have reinstalled the Service or are using it from another device.

Contact and comment forms

When you freely submit a comment, support request or other content to us through the forms provided in the Service, this information is sent by email to us and also stored in our database through Firebase (see details about Firebase Firestore Database in this Privacy Policy). You are responsible for any personal information you choose to disclose through these forms. The information is used by us to improve the Service and contact you to reply to any support requests or feedback. To increase security and prevent abuse of the system your comments and messages are associated with your unique identifier that can be linked back to your email-address if you are signed in. You can however choose to not be contacted about your message or comment when submitting the form through the Service.

Personal data that processed may include

• Email address
• Any information you freely provide in the message field

Device permissions for personal data access

Depending on your specific device, the Service may request certain permissions that allow it to access your device data as described below.

By default, these permissions must be granted by you before the respective information can be accessed. Once the permission has been given, it can be revoked by you at any time. In order to revoke these permissions, you may refer to the device settings or contact us for support at the contact details provided in the present document. The exact procedure for controlling app permissions may be dependent on your device and software. Please note that the revoking of such permissions might impact the proper functioning of this Service. If you grant any of the permissions listed below, the respective personal data may be processed (i.e accessed to, modified or removed) by this Service.

Approximate location permission

Used for accessing your approximate device location. The Service may collect and use your location data in order to provide location-based services. This is needed on some devices for Bluetooth to function properly.

Precise location permission

Used for accessing your precise device location. The Service may collect and use your location data in order to provide location-based services. This is needed on some devices for Bluetooth to function properly.

Bluetooth sharing permission

Used for accessing Bluetooth related functions such as scanning for devices, connecting with devices, and allowing data transfer between devices. Needed for communication between the Service and your xBand.

Notification access permission

Used for accessing any push-notifications your device receives. The Service may collect and use your notification data in order to send them to your xBand. Data from your notifications is only used in the communication between the Service running on your mobile phone and your xBand, it is not stored or processed on any of our servers and is not shared with any third parties.

Push notification permission

Used to send you push notifications to your device, such as updates, news and polls. Also see section about Contact through push notifications.

Links to third-party services

The Service may contain links to third-party websites or services that are not owned or controlled by us. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites or services. You further acknowledge and agree that we shall not be responsible or liable, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with the use of or reliance on any such content, goods, or services available on or through any such websites or services.

Disclosure of your personal data

We normally do not disclose your data to anyone (that is not mentioned as one of our service providers in this Privacy Policy). However, in some cases, mentioned below, it might be necessary for us to disclose your data.

Business transactions

If the company is involved in a merger, acquisition or asset sale, your personal data may be transferred. We will provide notice before your personal data is transferred and becomes subject to a different Privacy Policy.

Law enforcement

Under certain circumstances, the company may be required to disclose your personal data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).

Other legal requirements

The company may disclose your personal data in the good faith belief that such action is necessary to:

• Comply with a legal obligation
• Protect and defend the rights or property of the company
• Prevent or investigate possible wrongdoing in connection with the Service
• Protect the personal safety of users of the Service or the public
• Protect against legal liability

Security

We value your trust in providing your personal information. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security.

Your choices and rights

You have the following rights regarding your personal data, to the extent permitted by law:

• Access: You have the right to learn if data is being processed by us, obtain disclosure regarding certain aspects of the processing and obtain a copy of the data undergoing processing.
• Rectification: You have the right to verify the accuracy of your data. You can request that we correct or update any information you believe is inaccurate.
• Deletion: You can request that we erase the personal data we have collected about you.
• Restriction: You can request that we restrict the processing of your personal data. In this case, we will not process your data for any purpose other than storing it.
• Data Portability: You have the right to receive your data in a structured, commonly used and machine readable format and, if technically feasible, to have it transmitted to another controller without any hindrance.
• Withdrawal of Consent: You can withdraw your previously given consent for the processing of your data at any time.
• Objection: You have the right to object to the processing of your data if the processing is carried out on a legal basis other than consent.
• Lodge a complaint: You have the right to file a complaint with a data protection supervisory authority.

We may need to retain certain information when we have a legal obligation or lawful basis to do so. Please also note that exercising these rights is subject to legal limitations and may impact your ability to use certain features of the Service.

You may update, amend, or delete some of your personal information at any time by signing in to your account, if you have one, and visiting the account settings section that allows you to manage your personal information. You may also contact us to request access to, correct, or delete any personal information that you have provided to us.

You are also entitled to learn about the legal basis for data transfers abroad including to any international organization governed by public international law or set up by two or more countries, such as the United Nations, and about the security measures taken by us to safeguard your data.

Details about the right to object to processing

Where personal data is processed for a public interest, in the exercise of an official authority vested in us or for the purposes of the legitimate interests pursued by us, you may object to such processing by providing a ground related to your particular situation to justify the objection.

You must know that, however, should your personal data be processed for direct marketing purposes, you can object to that processing at any time, free of charge and without providing any justification. Where you object to processing for direct marketing purposes, the personal data will no longer be processed for such purposes. To learn whether we are processing personal data for direct marketing purposes, you may refer to the relevant sections of this document.

How to exercise these rights

Any requests to exercise your rights can be directed to us through the contact details provided in this document. Such requests are free of charge and will be answered by us as early as possible and always within one month, providing you with the information required by law. Any rectification or erasure of personal data or restriction of processing will be communicated by us to each recipient, if any, to whom the personal data has been disclosed unless this proves impossible or involves disproportionate effort.

Children’s privacy

Our Service does not address anyone under the age of 18. We do not knowingly collect personally identifiable information from anyone under the age of 18. If You are a parent or guardian and you are aware that your child has provided us with personal data, please contact us. If we become aware that we have collected personal data from anyone under the age of 18 without verification of parental consent, we take steps to remove that information from our servers.

If we need to rely on consent as a legal basis for processing your information and your country requires consent from a parent, we may require your parent's consent before we collect and use that information.

Legal action

Your personal data may be used for legal purposes by us in court or in the stages leading to possible legal action arising from improper use of the Service or related services.

You declare to be aware that we may be required to reveal personal data upon request of public authorities.

System logs and maintenance

For operation and maintenance purposes, this Service and any third-party services may collect files that record interaction with this Service (System logs) or use other personal data (such as the IP Address or unique identifiers) for this purpose.

Information not contained in this policy

More details concerning the collection or processing of personal data may be requested from us at any time. Please see the contact information at the beginning of this document to request more information or if you have any questions.

Changes to this Privacy Policy

We may update our Privacy Policy from time to time. Thus, you are advised to review this page periodically for any changes. We will notify you of any changes by posting the new Privacy Policy on this page.