ScanNRoll PRIVACY POLICY [0001] Welcome to ScanNRoll Services, a B2B service package offered to and connecting companies and institutions across various industries and professions. The provider of the ScanNRoll Services is Eberlein Innovations Ltd, UIC204581940, Bulgaria, European Union. A company or institution provided with ScanNRoll Services including your company or institution is hereinafter referred to as „Organization“. [0002] Capitalized terms used in this PRIVACY POLICY that are not specifically defined shall have the meanings given to the applicable capitalized terms in the ScanNRoll TERMS OF SERVICE. [0003] This PRIVACY POLICY addresses you as a user acting on behalf of your Organization. Your privacy is important to us. This PRIVACY POLICY explains how we collect, store, use, disclose and otherwise process your personal data when you use the ScanNRoll Services, which include the ScanNRoll Software, data, media content, and processes accessible through its use, user interfaces, buttons, pop-ups, email messages and their attachments, generated and captured IDs to customize products, and all related players, widgets, tools, data, software, APIs and other services provided by ScanNRoll (the “Services”). This PRIVACY POLICY applies to any Service that refers to this PRIVACY POLICY, i.e. by linking to it. [0004] Please take some time to read this PRIVACY POLICY, along with our TERMS OF SERVICE, in order to ensure you understand and are comfortable with our use and disclosure of your personal data. If you do not agree to any of the provisions of this PRIVACY POLICY, you should not use the Services. If you have any questions or concerns about this PRIVACY POLICY, you can contact us at cs@scannroll.com. Please note that for security reasons we communicate only with email accounts associated with ScanNRoll user accounts of your Organization. 
[0005] We follow European law and the General Data Protection Regulation (GDPR), where applicable to ensure adequate protection of your personal data. As a matter of standardization and consistency, we globally apply GDPR to the maximum extent permitted by the legislation applicable to your Organization. GDPR is a European Union regulation that unifies the rules for processing personal data by both private and public actors across the EU. Roles of Controllers and Processors are defined by the GDPR: [0006] Your personal data are processed in joint controllership between your Organization and the Provider, subject to their JOINT CONTROLLERSHIP AGREEMENT. [0007] The JOINT CONTROLLERSHIP AGREEMENT, which is required under the GDPR, determines the rights and obligations of your Organization and the Provider for the joint processing of your personal data and personal data of other Users of your Organization. In the context of JOINT CONTROLLERSHIP AGREEMENT, the Provider processes personal data created by your company in order to technically enable and maintain User Accounts and to provide technical support, notifications, software updates, technical and organizational security measures, and other communication and interaction which are part of the Services. Your Organization processes personal data by creating and managing these User Accounts and by each User’s use of a User Account. [0008] All the data handled by the application, including personal data, is stored on Microsoft Azure Cloud infrastructure, located in the European Union. [0009] Regular maintenance, updated versions, monitoring of security and technical stability, as well as on-demand technical support relating to the Services are provided by Digital Lights Ltd, UIC 204990174, registered in Bulgaria on behalf of the Provider. Provision of these services can involve access to User Details and data linked to User Details. 
Digital Lights Ltd therefore is an occasional processor but not a controller of personal data as defined by GDPR. [0010] By default, access to User Details which connect a permanent User ID with personal data, is limited by the type of the User Account and different for System Administrators, Organization Administrators, and other Users. [0011] The Provider acts as System Administrator of the Services. As System Administrator, the Provider created the account of your Organization which involved processing personal data of the initial Organization Administrator(s). The System Administrator may access personal information for technical or security reasons, including violation of the Terms & Conditions. The System Administrator may access personal information either upon request of your Organization or in order to fulfil an obligation under the SERVICE CONTRACT with your Organization. In order to enable support to your Organization, a System Administrator can view all User Account Data comprising User Details of all Organizations as well as technical data, can create, suspend, and delete an account and can reset the password of the account. A System Administrator can edit Name, Surname, phone number, and position stated in the User Details but cannot edit User ID, role (account type), username, and contact email. This ensures continuity of the permanent User ID unaffected by supportive editing of User Details your Organization may request. [0012] An Organization Administrator (a role of your Organization) can view all User Details of all Users only of the own Organization, can create, modify, suspend, and delete an account and can reset the password of the account. [0013] All Users, which are not System Administrators and are not Organization Administrators, cannot edit User Account Data and can view User Account Data only of their own account. 
Only System Administrators and Organization Administrators have access to personal data of other Users when viewing or editing User Details. [0014] All changes made by editing User Details of a particular User are visible and transparent to that User regardless of who made the changes. [0015] ScanNRoll Services process personal information in the forms of (a) User Details of User Accounts, comprising User ID, Role (Account type), Name, Surname, User Name (which can be your Email address), Contact email, Phone number, and Position, (b) User ID only, (c) text written by or content uploaded by Users of the application if such text or content includes personal information. [0016] User Details must contain only information, which your Organization and you consider nonconfidential and available in the public domain. It is not permitted to create User Details which you or your company do not want to be public or which may negatively affect you or your Organization when becoming public. We recommend using corporate or institutional Email addresses and Phone numbers. Within the scope laid out in the SERVICE CONTRACT with your Organization we permit the combination of Name and Surname to be pseudonyms as long as your Organization maintains a record which links each pseudonym to only one person which is a User of your Organization. [0017] By default all features of the ScanNRoll application provided for your use and the use of other Users require only User IDs and do not involve other User Details. This separation of personal information except User ID from all data generated by use of the application ensures that we cannot monitor personal behaviour of any Users but can perform necessary anonymous monitoring of the use of the application. It also ensures that data generated by Users of your Organization and owned by your Organization can be used, shared, or sold by your Organization without unintended disclosure of personal information. 
This is in particular important whenever ownership of a ScanNRoll ID and data linked to that product ID are transferred to another Organization using the module „Ownership Management“. [0018] Product details linked to ScanNRoll IDs may contain certain personal information which relate to the product such as mentioning of authorship, copyright, or patent ownership. Please read our TERMS OF SERVICE when such information is permitted or required. If it comes to your attention that incorrect or not permitted or required personal information is present in product details please notify an Organization Administrator and notify us immediately at cs@scannroll.com. We monitor compliance with our TERMS OF SERVICE upon such request and take appropriate action. [0019] Media content linked to ScanNRoll IDs may contain certain personal information. Besides mentioning of authorship, copyright, patent ownership, or other rights ownership, persons and personal expressions may appear in media content, e.g. in a tutorial video or recording of a performed task. Please read our TERMS OF SERVICE when such information and content is permitted or required. If it comes to your attention that incorrect or not permitted or required personal information is present in media content please notify an Organization Administrator and notify us immediately at cs@scannroll.com. We monitor compliance with our TERMS OF SERVICE upon such request and take appropriate action. [0020] Other data generated by use of the ScanNRoll application and accessible to Users in general shall not contain personal information except User ID. If it comes to your attention that incorrect or not permitted or required personal information is present in such data please notify an Organization Administrator and notify us immediately at cs@scannroll.com. We monitor compliance with our TERMS OF SERVICE upon such request and take appropriate action. 
[0021] Personal information present in data linked to ScanNRoll IDs is accessible by Users of the Organization which owns the ID. Personal information present in restricted content is accessible by Users of the Organization which owns the ID. Personal information present in public content is accessible by Users of any Organization. Any combination of these three cases may occur. If it comes to your attention that personal information to be accessed only by Users of your Organization has become accessible by an unauthorized party, i.e. by erroneous transfer of ownership or unauthorized access to a User Account, please notify an Organization Administrator and notify us immediately at cs@scannroll.com. We monitor security and compliance with our TERMS OF SERVICE upon such request and take appropriate action. [0022] The ScanNRoll application only supports ownership management from the owner of ScanNRoll IDs which grant access to User IDs and may grant access to additional personal data in media content. We are unable to perform or interfere with such ownership management and according to the JOINT CONTROLLERSHIP AGREEMENT with your Organization generally do not perform any transfer of personal data between Organizations using ScanNRoll Services including your Organization. [0023] Access to personal data is provided only when being logged in. Personal data are not exported or duplicated or made accessible in any other way. When you are logged in, we cannot rule out a data breach involving personal data caused by your action, by third party monitoring of your action and/or device or by unauthorized access to your account. If it comes to your attention that such a data breach involving personal data may have occurred, please notify an Organization Administrator and notify us immediately at cs@scannroll.com. [0024] We receive and process personal information whenever you contact us by Email. 
We use this information only for serving your requests or acting on technical or security issues, including violations of the Terms & Conditions. [0025] Our documentation of financial transactions and accounting related to the use of ScanNRoll Services do not involve personal data of individual Users. Such documentation and accounting refers to your Organization only. [0026] There is certain personal data that we collect automatically as the result of your use of ScanNRoll Services. This personal data generally includes: (a) User details - Creation, presence, editing, and deletion of User Details; (b) Usage information - User ID in History data which is linked to User details. Refer to [001917]; (c) Log data - User ID in Log data which is linked to User details, Internet protocol (IP) address, access times and duration, access control changes, your browser type and operating system, device information (including available RAM and disk space, brand and model), device event information (e.g. crashes, logs), the interfaces of the ScanNRoll application or the pages of the ScanNRoll.com website which you have viewed or engaged with, analytics data about application usage (duration, frequency, timestamps). This limited personal data is essential for our service and is therefore either based on contractual purposes or on legitimate interest (e.g. improvement of user experience or further development of the Services). Please be aware that we need log data in order to fulfil our contractual and legal obligations. (d) Cookies - The ScanNRoll.com website uses essential cookies as well as cookies you have actively selected. (e) Location data - When you use certain features of the ScanNRoll application we may collect location data linked to your User ID. Each time you use such a feature, location information or device position data is explicitly requested. 
You may not provide location data by not inputting or selecting location information or by not accepting use of your device’s position data. In that case, we may not be able to provide features which depend on and process location data. Please control or disable the use of location services in the device’s settings. (f) Device Information - We collect data from and about the device you use, including how you interact with the ScanNRoll application, and information about the device itself, such as the hardware model, operating system, IP addresses, cookie information, device settings, mobile carrier information, mobile device identifiers, language, and local settings. This information allows us to monitor and ensure ScanNRoll’s compatibility and usability on your device, to discover and fix bugs, and to further improve your user experience. [0027] ScanNRoll Services as a B2B service package is provided to Organizations only. We do not sell to third parties or otherwise commercialize personal information. We do not collect or provide your Google Android’s Advertising ID („AAID“). [0028] We may share your personal data in the following cases: (a) Compliance with Laws - We may disclose your personal data to courts, law enforcement agencies, and governmental authorities (i) to comply with our legal obligations, (ii) to comply with legal process and to respond to claims asserted against the Provider of ScanNRoll services, (iii) to respond to verified requests relating to a criminal investigation or alleged or suspected illegal activity or any other activity that may expose us, you, or any other of our users to legal liability, (iv) to enforce and administer our Terms of Use and other agreements with Users, or (v) to protect the rights, property or personal safety of the Provider, its employees, and members of the public. 
(b) Protecting our rights - We may disclose your personal data if we feel it is necessary in order to protect our legitimate rights and interests, or those of our Users, employees, directors, officers, or shareholders, and/or to ensure the safety and security of the ScanNRoll Services and Users of the Services. (c) Change of control - We may also share your personal data as part of a sale, merger or change in control of the Provider, or in preparation for any of these events. Any other entity that buys us or part of our business will have the right to continue to use your personal data, but only in the manner set out in this PRIVACY POLICY. (d) Cookies - The ScanNRoll website which is part of the Services uses Cookies and similar technologies. You can control cookies through your browser and other tools. Please be aware any use of cookies is subject to your consent, except for technical storage or access for transmitting communication, or as strictly necessary to provide a service which was explicitly requested by a User. [0029] ScanNRoll Services are not intended for use by children. Anyone under the age of 18 is not permitted to use ScanNRoll Services unless otherwise agreed in the SERVICE CONTRACT between the Provider and your Organization. If it comes to your attention that we have collected any personal data from a person not permitted to use ScanNRoll Services, we will delete this personal data as quickly as possible. If you have reason to believe that we may have collected any such personal data, please notify us immediately at cs@scannroll.com. [0028] You may exercise any of the rights described in this PRIVACY POLICY by contacting us at cs@scannroll.com. Please note that we may ask you or an Administrator of your Organization to verify your identity before taking further action on your request. [0029] Data Access and Portability - You may be entitled to request copies of your personal data held by us. 
While you can access your User Details in the menu „My Account“, you may also be entitled to request copies of personal data you have provided to us in machine-readable format. [0030] Change or Correct Data - Where you or an Administrator of your Organization cannot update your personal data, you have the right to ask us to correct, change, update, or rectify your personal data. [0031] We generally retain personal data for as long as is necessary to provide services to you under your Account, i.e. as long as the Account you are using has not been permanently deleted. In case any of your personal data are present in data or media linked to a ScanNRoll ID, such personal data will become inaccessible for all Users at the expiry date of that ID. We delete data and media linked only to expired IDs as part of regular system maintenance. Such deletion may be automated and not reversible. We may need to retain some of your personal data even after closure of your account and expiry of all the IDs linked to your personal data if reasonably necessary to comply with our legal obligations. [0032] Objection to Processing - You have the right to object to processing your personal data on grounds relating to your particular situation at any time (in particular, where we don’t have to process the personal data to meet a contractual or other legal requirement, or where we are using the personal data on the basis of our legitimate interests). If you object to such processing, the Provider will no longer process your personal data for these purposes unless we can demonstrate compelling legitimate grounds for such processing or such processing is required for the establishment, exercise or defense of legal claims or obligations. 
Where your personal data is processed for direct marketing purposes relating to ScanNRoll Services, you have the right to object to such processing of your personal data at any time and ask the Provider to cease processing your data for these direct marketing purposes. However, please be aware that any objection to processing will not necessarily have an impact on the personal data processing before such objection was made, thus such processing will generally be deemed as permissible and will be subject to the usual retention and deletion periods. [0033] Restriction of Processing - You have the right to restrict the processing of your personal data where one of the following applies: your personal data is not accurate anymore; the processing is unlawful and instead of erasing the personal data you request the restriction of use; the personal data is no longer needed by us but required by you for the establishment, exercise or defense of legal claims; you have objected to the use and the decision on the legitimate grounds for objection is pending. [0034] Withdrawing consent - Where you provide consent to the processing of your personal data by the Provider, you may withdraw your consent at any time by changing your account settings or by sending a communication to the Provider specifying the specific consent you are withdrawing. Please note that the withdrawal of your consent does not affect the lawfulness of any processing activities based on such consent before its withdrawal. [0035] Lodging complaints - You have the right to lodge complaints about the data processing activities carried out by the Provider before a competent data protection authority. A list of EU data protection authorities is available here: https://ec.europa.eu/newsroom/article29/items/612080 [0036] We may revise this PRIVACY POLICY from time to time as appropriate. Any revisions will not be retroactive. 
The last version transmitted to your company will replace the previous version 30 days after the date of transmission, applicable to all users of your company. PRIVACY POLICY shall be deemed to have been transmitted to all Users of your Organization when there is a transmission confirmation confirming that an email or letter has been received by an Administrator of your Organization. This applies regardless of which version is displayed on the home screen of the ScanNRoll Mobile App. Except for changes involving new features or legal reasons, we will provide you with as much as 30 days' notice before any changes to these Terms become effective with respect to the rights and obligations of the parties. If you continue to access and use our Services after these changes become effective, you are agreeing on behalf of and representing your Organization to be legally bound by the revised PRIVACY POLICY. [0037] If you have any questions about this PRIVACY POLICY, please contact us at cs@scannroll.com, Attn. Data Protection Officer. Last amended: September 27th, 2024