top of page

Privacy policy

(Last updated: 2025-10-19)

This Privacy Policy explains how personal data is processed in connection with the use of our app (hereinafter referred to as the “App”) by SmartAIs GmbH.

“Personal data” refers to any information relating to an identified or identifiable natural person (data subject), such as name, address, telephone number, date of birth, email address, or IP address. Information that cannot be linked to a specific individual, such as anonymized data, is not considered personal data.

1. Controller

The controller responsible for processing personal data in the context of the App, in accordance with the General Data Protection Regulation (GDPR), is:

SmartAIs GmbH
Munich Urban Colab
Freddie-Mercury-Straße 5
80797 Munich
Germany

For any data protection inquiries or to exercise your data subject rights, please contact:

2.  Data protection officer

Appointed Data Protection Officer:

Kertos GmbH
Brienner Straße 41
80333 Munich
Germany
Email: dsb@kertos.io

3. Data processing within our app

3.1 App provision

Purpose of processing:
We process your data to:

  • Ensure reliable operation of the App

  • Enable user-friendly access to our App

  • Maintain IT security
     

Recipient: Amazon Web Services, Inc. (AWS) One Burlington Plaza, Burlington Road, Dublin 4, DO4 RH96, Ireland

Data processed:

  • IP address of the requesting device

  • Method (e.g., GET, POST), date, and time of the request

  • Information about the operating system used

  • Request metadata (e.g., language, content type, encoding, character sets)
     

Legal basis:
Art. 6 (1)(f) GDPR. This processing is necessary to provide the App and ensure its secure and user-friendly operation.

Storage duration:
Data is deleted as soon as it is no longer required for the operation of the App, but no later than 30 days, unless legal retention obligations apply.

More information: https://aws.amazon.com/privacy/

3.2 Image processing

Purpose: Execution of AI-based analysis, description, and response to user inquiries, in particular scene descriptions based on transmitted RGB images and depth data; enabling and optimizing automated image and object recognition, including processing and returning analysis results.

Recipients: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

Data processed:

  • RGB images (e.g., user photos, screenshots)

  • Depth data (e.g., depth maps from camera systems, LIDAR data)

  • Odometry (3D positions)

  • Metadata (e.g., timestamps, device information)

  • User inquiries (e.g., free-text questions about scene descriptions)

  • Technical log data (e.g., IP address [shortened], error logs)

Legal basis: Art. 6 (1)(b) GDPR (performance of pre-contractual measures).

Storage duration: Image data used for processing is stored for one month and then anonymized or deleted.

International data transfers: Transfers to Google LLC in the USA are based on the EU-U.S. Data Privacy Framework (DPF) in accordance with Art. 45 GDPR and supplemented by Standard Contractual Clauses under Art. 46 (2)(c) GDPR. Google is certified under the DPF; additional technical and organizational safeguards are in place. In specific cases, data transfers may occur only with your express consent under Art. 49 (1)(a) GDPR.

More information: https://policies.google.com/privacy

3.3 Analytics and Tracking

Purpose: Providing push notifications and in-app messaging.

Recipients: Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland and Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

Data processed:

  • Contact data (e.g., email address, username)

  • Log data (e.g., IP address, access time)

  • Usage and interaction data (e.g., click behavior, app usage)

  • Device information (e.g., operating system)

  • Content data (e.g., form inputs, messages)
     

Legal basis: Consent under Art. 6 (1)(a) GDPR in conjunction with § 25 (1) TDDDG.

Storage duration: Depending on configuration and purpose, data is stored between a few days and up to 14 months; instance IDs are retained until the app is uninstalled; crash reports for up to 180 days.

Third-country transfer: Transfers to Google LLC in the USA are based on the EU-U.S. DPF under Art. 45 GDPR and supplemented by Standard Contractual Clauses under Art. 46 (2)(c) GDPR. Google is DPF-certified; additional safeguards are in place. In exceptional cases, data may be transferred only with explicit consent under Art. 49 (1)(a) GDPR.

More information: https://policies.google.com/privacy

4. International data transfers

Personal data is primarily processed within the EU/EEA. Transfers to so-called “third countries” are carried out only in accordance with the GDPR and where adequate safeguards exist. Before transferring data to a third-country service provider, we assess the level of data protection. Transfers are made only if sufficient safeguards are in place. All service providers must sign a data processing agreement. Additional measures apply for providers outside the EEA.

According to Art. 44 ff. GDPR, transfers are permitted if:

  • The European Commission has determined an adequate level of protection.

  • Standard Contractual Clauses are in place with the recipient.

  • Other appropriate safeguards under Art. 46 GDPR exist.

  • One of the exceptions under Art. 49 GDPR applies.

5. Recipients

We only disclose personal data we collect to third parties if:

  • You have given your explicit consent (Art. 6 (1)(a) GDPR),

  • The disclosure is necessary for our legitimate interests or for the establishment, exercise, or defense of legal claims, provided there is no overriding interest in protecting your data (Art. 6 (1)(f) GDPR),

  • We are legally obligated to do so (Art. 6 (1)(c) GDPR), or

  • It is legally permissible and necessary for the performance of a contract with you or for pre-contractual measures upon your request (Art. 6 (1)(b) GDPR).

Potential recipients include:

  • Processors: Group companies or external service providers (e.g., for infrastructure, processing, maintenance, payment handling) who are carefully selected and monitored. Processors may process data only as instructed by us.

  • Public authorities: Government bodies and institutions (e.g., tax authorities, prosecutors, courts) when we are legally required to disclose data for compliance or legitimate interest purposes.

6. Data security and safeguards

We apply appropriate technical and organizational measures to ensure the security and confidentiality of your personal data. These measures protect against unauthorized access, manipulation, loss, or misuse. Our security practices are regularly reviewed and updated to align with current technology and industry standards.

Please note that despite our protective measures, data transmission over the internet may have security vulnerabilities. Especially with unencrypted communication (e.g., standard emails), there is a risk of unauthorized access. We have no control over external parties. We recommend using encryption or other security measures when transmitting sensitive information electronically.

7. Data retention and deletion

Personal data is deleted or blocked as soon as the purpose for processing no longer applies. Data may be retained beyond that period if required by EU or national laws to which the controller is subject. Data is also deleted or blocked once any legal retention period has expired, unless it is required for the fulfillment of a contractual relationship.

8. Your data protection rights

You have the following rights regarding your personal data:

  • a. Right of access (Art. 15 GDPR, § 34 BDSG): You may request information about whether and what personal data we process, for what purpose, who receives it, and how long it is stored.

  • b. Right to rectification (Art. 16 GDPR): You may request the correction of inaccurate or incomplete data.

  • c. Right to erasure (Art. 17 GDPR): You may request the deletion of your personal data, especially if it's no longer needed, your consent is withdrawn, or the data was unlawfully processed.

  • d. Right to restriction of processing (Art. 18 GDPR): You may request restricted processing, for example, if the accuracy of the data is disputed.

  • e. Right to data portability (Art. 20 GDPR): You may request your data in a structured, commonly used, machine-readable format or have it transmitted to another controller.

  • f. Right to withdraw consent (Art. 7(3) GDPR): You may withdraw any consent given at any time with future effect. The lawfulness of processing before the withdrawal remains unaffected.

  • g. Right to object (Art. 21 GDPR): You may object to data processing based on your specific situation – particularly in cases of direct marketing or related profiling.

  • h. Right to lodge a complaint (Art. 77 GDPR): You may file a complaint with a data protection authority if you believe the processing of your personal data violates data protection laws.

Change log

Date: 10.19.2025

Version: 1.0

Reason: First version of revised privacy policy format.

bottom of page