Privacy Policy immerGallery and immerGallery Demo

Data protection information 
Protecting your data is very important to us. To ensure transparent cooperation, we draw your attention to important processing activities and special features. To be able to use our services, please purchase and download our app immerGallery and immerGallery Demo from the Meta Horizon Store from Meta. Data processing and payment procedures are carried out exclusively via Meta. We do not collect or receive any personal data from you here. Further information on data protection from Oculus can be found at https://www.meta.com/legal/privacy-policy/.       

Purpose and legal basis of data processing 
Data processing at immerVR GmbH is carried out to provide apps and services for immersive media in accordance with Article 6 (1) (b) of the GDPR for pre-contractual or contractual measures. These include: 
• answering enquiries 
• administration
• offer preparation, contract processing and order processing 
• providing the platform 
• maintaining business relationships      

  As a company, we are subject to different legal obligations. In order to fulfil these obligations, it may be necessary to process personal data in the public interest pursuant to Article 6 (1c) of the GDPR or Article 6 (1e) of the GDPR. 
• control and reporting obligations 
• creditworthiness, age and identity checks 
• prevention of criminal acts   

  Controller pursuant to Article 4(7) EU General Data Protection Regulation (GDPR)
immerVR GmbH 
Im Zollstock 12
91093 Hessdorf
Germany
Daniel Pohl
support@immervr.com

If you have any questions about our data protection, please email us.   


Collection of personal data in our apps: immerGallery  and immerGallery Demo
Our app is located in the Meta Horizon Store. We collect, process and store the following data from you and use it for the purpose of improving our apps, e.g. fixing a bug or creating a better user experience. In our apps, you can submit an internal developer log file, e.g. in the case a failure happens inside the app and you want to notify us about it. The legal basis is Article 6 (1) (b) of the GDPR. The data submitted for developer log files is: 
• IP address (last segment anonymized), for the purpose of knowing if the report comes from the same user within keeping the same IP address    
• submission date, time and time zone for the purpose of knowing when incidents/bugs happened
• data in the app log file might reveal used path and file names on the system where the app is running for the purpose of understanding as developer from which location which files were loaded. It contains the used version number of the app for the purpose of knowing in which app version the incident/bug happened. It might contain which buttons and interactions happened during the app usage, which virtual reality system is used with what kind of input controllers for the purpose of reconstructing what lead to the incident/bug. Furthermore, the used screen frequency is shown and the status of relevant Android permissions to run the app for reconstructing the environment settings for the incident/bug. HMD-specific events like HMDAcquired, HMDMounted, VrFocusAquired, TrackingAquired, and according lost events are stored in the log file for reconstructing the scenario of the incident/bug. Recentering events and the result of the Meta user entitlement check are stored for reconstructing the events. Information about the local settings used for the app with their values of that config file are transmitted, e.g. keeping the rotation in 360° content enabled during program restarts for the purpose of replicating the same settings when the incident/bug happened. System memory statistics like the total amount of reserved memory, texture memory, texture count, frame rate, frame time, draw call, number of triangles, amount of mesh memory, CPU and GPU levels over time and the status of the internal garbage collection can be included in the log files for giving the developers an overview of the system status and resources. Results of the recognition of the voice control might be included in the log files, but no audio data for the purpose of improving voice control with wrongly detected inputs. Statistics about the app usage, e.g. the number of app starts or the usage time of the app over multiple sessions might be included when sending the log file for the purpose of giving further information for debugging issues. A list of purchased addons and/or unlocked rewards can be included.

During run-time, the app itself is not using user-specific data by itself (excluding of course user inputs or content provided by the user). However, the required call to the Meta Entitlement check might internally use user data to verify the entitlement status. We do not have access to that user-specific data, please refer to the Meta Horizon Store, Meta's Terms and Conditions and Meta's Privacy Policy for further information. Meta IDs and/or hashed version of these may be used to authenticate you as valid user of our apps. Your reward gallery status is synced externally to guarantee that after a reinstall of the app, you still have access to this content.

Voice control in the app is executed locally. No audio is submitted to a cloud or another server. As mentioned above, we might store the recognized voice controls as text in the log file, which is only sent upon the user's explicit and voluntary command to us.

In the case where we have user-specific data from you, you can request that data by contacting us at the address (see email above or postal address) above while providing evidence of your user identity. Furthermore, you can request that your user-specific data is deleted through contacting us through the email address mentioned above.

As determined by the Meta Horizon Store, Meta's Terms and Conditions and Meta Privacy Policy, Meta might collect data from you automatically while using our app. We do not have influence on this and cannot enable or disable this. Data might include: user ratings of the app, time spent in the app, if user has been using the app within the last 28 days, averaged data over multiple users regarding age, gender, country, region and similar properties. Furthermore, crash statistics might be automatically created by Meta and include information about the used devices (e.g. Quest, Quest 2), regions of the user and so on. We do not have influence on this and cannot enable or disable this. 

For Meta Quest devices, we may use platform features such as User ID (grants an app access to the user id to enable various features), User Profile (grants an app access to the Meta username and profile photo) and Avatars (grants an app access to Meta Avatars, a persistent identity across the Meta ecosystem. With Meta avatars, users can bring their own visual identities into our app). These will be used in accordance with the Oculus Developer Data Use Policy (https://developer.oculus.com/policy/data-use/).

Our virtual reality app immerGallery is based on the Unity game engine. We do not have influence on this or access to the data, but Unity might do the following: Unity has collected some or all of the following information about your device: unique device identifiers (e.g., IDFV for iOS devices and Android ID for Android devices); IP address; country of install (mapped from IP address); device manufacturer and model platform type (iOS, Android, Mac, Windows, etc.) and the operating system and version running on your system or device; language; CPU information such as model, the number of CPUs present, frequency, and instruction set support flags; the graphics card type and vendor name; graphics card driver name and version (e.g., “nv4disp.dll 6.10.93.71”); which graphics API is in use (e.g., “OpenGL 2.1” or “Direct3D 9.0c”); amount of system and video RAM present; current screen resolution; version of the Unity Editor used to create the game; sensor flags (e.g., device support for gyroscope, touch pressure or accelerometer); application or bundle identification (“app ID”) of the game installed; unique advertising identifiers provided for iOS and Android devices (e.g., IDFA or Android Ad ID); and a checksum of all the data that gets sent to verify that it transmitted correctly.

Our application integrates Photon Fusion and Photon Voice for multiplayer interaction and voice communication functionalities. These services are provided by Exit Games GmbH, located at Hongkongstr. 7, 20457 Hamburg, Germany (hereinafter referred to as "Photon"). This section outlines the nature, scope, and purpose of data processing within our app in relation to Photon's services, in compliance with the General Data Protection Regulation (GDPR).
Photon Fusion and Photon Voice, as components of our app, involve the processing of data on servers managed and operated by Photon. The data processing is carried out on the basis of a Data Processing Agreement (DPA) between us and Photon, in accordance with Article 28 GDPR. Location and Transfer of Data: Photon's server infrastructure is globally distributed to ensure minimal latency and optimal performance. Personal data processed through Photon services may be transferred to, and stored at, a destination outside the European Economic Area (EEA). Photon takes all steps reasonably necessary to ensure that your data is treated securely and in accordance with GDPR standards.

To participate with other users in multiplayer, your chosen player name will be shared. As you require the same galleries to view them together, the gallery names, the number of content files and potential file paths on the local device may be shared internally in the app for synchronization. Common album titles will be displayed on each client. It will be shared which app version you use and how many galleries you have on your system. An admin status can be exchanged between users to control the multiplayer experience.
  
Meta
Name and address of controllers pursuant to Article 26 of the GDPR 
In case of any questions or enquiries regarding data collection and usage on the Meta platform, please contact:​Meta Platforms Ireland Ltd. (referred to as "Meta"), 4 Grand Canal Square, Grand Canal Harbour in Dublin 2 Ireland.

OpenStreetMap usage in immerGallery and immerGallery Demo
In order to provide you with a dynamic map image from your image's meta data or settings you used in the corresponding .immerVR files, we may use the services from the map image provider OpenStreetMap. In order to generate the dynamic map, information like GPS data from the image content or GPS data mapped to certain tiles in a zoomable map might be transmitted. To be able to receive image data, the IP address of the client needs to be used. The privacy policy (e.g., regarding GDPR) of OpenStreetMap can be found here: https://wiki.osmfoundation.org/wiki/GDPR_Privacy_Statement and https://wiki.osmfoundation.org/wiki/Privacy_Policy. The OpenStreetMap Foundation is located at St John’s Innovation Centre, Cowley Road, Cambridge, CB4 0WS, United Kingdom.

Pastebin usage in immerGallery and immerGallery Demo
Services from Pastebin may be used to allow you to access information posted from yourself or others directly inside our app. For example, if you want to send yourself an URL that is long to type, you can instead type it on a PC with a keyboard, paste it to Pastebin and then recover the URL in immerGallery. Pastebin collects data as they explain in their Privacy Statement (https://pastebin.com/doc_privacy_statement): Much of Pastebin is public-facing. If Your Content is public-facing, third parties may access and use it in compliance with Pastebin's Terms of Service. Pastebin does not sell that content; it is yours. However, Pastebin does allow third parties, such as research organizations or archives, to compile public-facing Pastebin information, excluding User Personal Information, per Pastebin's Terms and Agreements (https://pastebin.com/doc_terms_of_service). Furthermore Pastebin states that your Personal Information, associated with your content, may be gathered by third parties in these compilations of Pastebin data. If you do not want your Personal Information to appear in third parties’ compilations of Pastebin data, please do not make your Personal Information publicly available. Pastebin is located at 3000 C St Ste 301, Anchorage, Alaska, 99503, United States.

No obligation to provide and consequences of non-provision
The provision of personal data is not legally or contractually prescribed and you are not obliged to provide data. We will inform you in the course of the input process if the provision of personal data is required for the relevant service (e.g. by calling it a “mandatory field”). In the case of necessary data, non-provision means that the service in question cannot be provided.    

Storage time of your data
We process your personal data, where necessary, for the duration of the business relationship and as long as it is necessary for the aforementioned purposes, as well as in accordance with the statutory retention and documentation obligations arising in particular from the fiscal code and the commercial code, which usually amount to 10 years. In addition, personal data may be stored and stored for as long as the data are relevant to pending judicial or administrative proceedings in which the controller has a party status.    

Your rights 
(1) You have the following rights with regard to personal data concerning you: 
• the right to information, 
• the right to rectification or erasure, 
• the right to restrict processing, 
• the right to object to the processing,
• the right to data portability. 
(2) You also have the right to complain to a data protection supervisory authority about the processing of your personal data by us. Please address this complaint to the competent supervisory authority under www.lda.bayern.de If you need help in implementing your rights, please contact us.   

Objection 
You have the right to object to the processing of your personal data at any time. Please send this in writing by email or by post to the address of the ImmerVR GmbH. We kindly point out that the exercise of their rights may, in individual cases, be subject to certain conditions.    

Ensuring data security and data protection 
To ensure the protection and security of your personal data, we are implementing a large number of technical and organisational security measures, the effectiveness of which we regularly review.       

8th July, 2024