PRIVACY POLICY
developed for “COGNITY” VR app published in MetaQuest Store in compliance
with Meta´s Developer Data Use Policy and VRC Requirements and Articles 13 and 14 GDPR
1. Introduction
This Privacy Policy explains how Deutsche Telekom IT & Telecommunications Slovakia s.r.o.., with registered seat Moldavská cesta 8B Košice - mestská časť Juh 040 11, Slovakia, ID. No. 52 934 039 registered in Commercial Registry of City Court Košice, section: Sro, insert No.: 48210/V (hereinafter referred as the “DT ITTEL SK” or “Controller” or “We”) as publisher of Cognity application process user data in compliance with Developer Data Use Policy and VRC Requirements as well as in compliance with Article 13 GDPR as the relevant applicable law.
DT ITTEL SK has appointed qualified Data Protection Officer (DPO) who may by contacted directly by Cognity users anytime via email: FMB_dataprivacy@t-systems.com.
Cognity is a unique VR app creating relaxing environment that trains cognitive functions like memory, visuospatial perception or motor skills developed for Meta Quest, Meta Quest 2 and Meta Quest Pro devices and published by the DT ITTEL SK in Meta Quest Store for downloading by the end customer (hereinafter referred as the “Cognity” or “VR App”).
2. What User Data we are processing ?
DT ITTEL SK as developer of VR apps may in general process MPT User Data and Device User Data according of their meaning defined in the Meta´s Developer Data Use Policy (e.g. any data associated with a person, device, or unique identifier (including anonymized or hashed user IDs), including data collected from SDKs from sensors such as a microphone or camera and the position of a user’s headset, hand tracking data, face (i.e., abstracted facial expressions data), and eyes (i.e., abstracted gaze data).
In general, we may also process data related to app user´s avatars created by the users in Meta environment, therefore in some of our app’s users may use personalized skins and clothes of their arms or tools during using apps supporting avatar´s features.
Real extent of User Data processed within development and improvement of Cognity is not so privacy intrusive as above-mentioned general description of User Data.
DT ITTEL SK are in fact processing or theoretically may process only following categories of User Data within the Cognity:
- Device ID, User ID, language of system used by Cognity (Slovak or English), VR pupillary distance, VR field of view, VR play, VR movement, usage time, system version, app name, build version, SDK version, hardware info, session info, flags, data from casting of your gameplay or usage of VR App;
- User of Cognity also selects his difficulty, profile picture, and is given a random name directly in user interface of the VR App. All data about in App activities are stored in Statistics board – e.g. number of the collected objects, time, coordinates, distance and are part of User Data.
Based on your preferences and choices made in compliance with Supplemental Meta Platforms Technologies Privacy Policy we may collect also next categories of User Data which you choose and affirmatively share with us (e.g. if you enable eye tracking or Natural Facial Expressions in Meta Quest Pro, VR App can access user´s abstracted gaze data or abstracted facial expressions data).
Please be aware that Meta can provide us also with game or platform services therefore we can gain from them data related to high scores or other users of VR app achievements. In some cases, Meta will share information with developers to enable these experiences and in others the developer will share this information with Meta. For example, if you choose to make a purchase (such as a one-time purchase or a subscription) from VR app, Meta will share information with us to provide the product or service you purchased.
Through Meta dashboards, DT ITTEL SK or other developers can track aggregated metrics like app performance, installs, and revenue. In March 2018, Meta launched new PC and Mobile Hardware Reports, which provide developers with ecosystem-level metrics (also aggregated and anonymized) to help to optimize and build better VR experiences. For example, when you activate Guardian, the boundary information not only helps Meta keep you safe in VR, but it also helps us understand the average play area people have at their disposal, which can in turn inform better level design.
In addition to information and data which Meta may provide developers, developers also collect information about your use of the VR app while you’re using them. For example, in general developers may collect information about Spatial Anchors that represent points of interest and enable you to place virtual content in physical space that can be persisted between sessions; this information includes Spatial Anchor IDs and the current position of your headset relative to those Spatial Anchors.
3. How the Cognity is using User Data ?
Cognity may process User Data only on purposes defined and clarified in this Privacy Policy (see question 6 below). Any other use of User Data is forbidden except situation when individual consent of the Cognity user is granted for particular processing operation (e.g. sharing data with the third party).
DT ITTEL SK strictly complies with Prohibited practices pursuant Section 5. Prohibited Uses of User Data according to Meta´s Developer Data Use Policy and Terms of Use of the Cognity App as well as with License Agreement concluded directly with all business customers of Cognity App..
4. How may the user request for deletion of User Data processed within the VR App ?
User of Cognity efficiently command deletion of all User Data processed by DT ITTEL SK by deletion of VR App from its end device (VR headset MetaQuest, MetaQuest 2 and MetaQuest Pro).
In case when the Cognity User want delete User Data without necessity of erasure of the VR App from its end device you need to contact DT ITTEL SK´s Data Protection Officer: FMB_dataprivacy@t-systems.com
Remind that, if you delete all User Data related to VR App there still be processing of your Meta Quest Move Data and your Meta Horizon Profile Data. If you want delete also such data you need to use functionalities for deletion developed directly by Meta available in MetaQuest Privacy Center.
5. Can User Data be considered as personal data pursuant to GDPR ?
Altough, DT ITTEL SK not used User Data of Cognity users to direct identification of natural persons using VR App we have concluded that User Data should be pursuant criterions clarified in recital 26 GDPR considered as personal data preventively, because for Meta and its affiliates User Data should be definitely considered as personal data pursuant to GDPR.
Pursuant to requirements on Privacy Policy stemming from Meta´s Developer Data Use Policy we therefore add to this Privacy Policy also all necessary information according to Article 13 GDPR which DT ITTEL SK providing to users of Cognity as the controller to data subjects.
6. For what purposes and on what legal bases DT ITTEL SK process User Data collected from VR App?
|
Purpose of the processing User Data |
Legal basis for the processing User Data |
Closer characteristic of processing operations performing with User Data during achievement of related purpose. |
|
Software development, enhancement, and testing of VR App |
Legitimate Interest pursuant Article 6 (1) letter f) GDPR |
All necessary processing operations for conducting analytics pertaining to Cognity content (User Data), and using such insights to improve the VR App, provided that such insights are aggregated, de-identified, or anonymized that cannot be identified any individual users or devices from the analytics. |
|
Personnel and payroll purposes |
Contract pursuant Article 6(1) letter b) GDPR |
All necessary processing operations performing during presentations of VR apps within propagation of DT ITTEL SK for job attendants or potential customers or visitors of various events etc. by signed and logged employees of DT ITTEL SK into MetaQuest Platform.
|
|
Marketing and PR purposes |
Legitimate Interest pursuant Article 6 (1) letter f) GDPR |
All necessary processing operations for providing a user of VR App with information about or the opportunity to obtain new or existing features or functionality in VR App or in other applications being offered by DT ITTEL SK in MetaQuest / Occulus Store. |
|
Statistics and analytics |
Legal bases of compatible purposes of the processing based on recital 50 GDPR and Article 89 GDPR |
All necessary processing operations for creating and using aggregated and anonymized statistics and analytics dashboards about VR App Usage based on processing User Data.
If there will be created any statistics from in App Event Data based on usage of Meta Business Tools (e.g. SDK or other tools listed here) we may process personal data as joint controller with Meta pursuant to this Controller Addendum. |
7. How long we will process User Data ?
|
Purpose of the processing |
Maximum retention period of User Data |
|
Software development, enhancement, and testing of VR App |
Until deletion of VR App from end device or until DPO of DT ITTEL SK resolve the user´s objection against processing User Data for this purpose. |
|
Marketing and PR purposes |
Until deletion of VR App from end device or until DPO of DT ITTEL SK resolve the user´s objection against processing User Data for this purpose. |
|
Personnel and payroll purposes |
Until the end of employment with employee who as logged in user of VR App participate on presentation of the App for potential customers, job attendants and visitors of various events. |
|
Statistics |
Until creation of aggregated and anonymized statistics and analytics. |
8.What legitimate interests we pursue?
During providing VR App DT ITTEL SK as controller pursue following legitimate interests:
- Software development, enhancement, and testing of Cognity
- Direct marketing of new features, add-ons, functionalities of Cognity or similar VR apps published in Meta Quest / Oculus Store.
You as the Cognity User have right to object against processing of User Data based on above mentioned legitimate interests according to Article 21 GDPR.
9. Who are recipients of your User Data?
User Data are available to our recipients on need-to-know basis maintaining the confidentiality of the data recipients. Depending on the purpose of processing and particular circumstances typical recipients of Customer Data are or may be:
- Our developers from ranks of professionals and employees working for DT ITTEL SK bounded by confidentiality obligations and instructions of the Controller for keeping the high level of privacy and personal data protection;
- Providers of platforms for developing and improving the VR App based on analytics and various cloud SaaS tools (e.g. Meta, Inc., Unity Software, Inc.) and their authorized sub-processors;
- Customers owning the end device (MetaQuest, MetaQuest2, MetaQuest pro), whose have bought license key for VR app.
- Potentially to other third-parties or your friends to whom you allow to share broadcasting of usage your App to their own devices.
If we are requested by the public authorities to provide your User Data, we examine the conditions laid down in the legislation to accept the request and to ensure that if conditions are not met, we do not adhere to the request. In general, we don´t provide any User Data to any public authorities from third countries outside EU/EEA and we have not any practical experience related to such requests to us or to our vendors.
10. What countries do we transfer your User Data to?
By default, we seek not to transfer your personal data outside the EU and/or EEA[1] where not necessary. As a rule, we seek to have all cloud and servers located in the EEA. However, some of our processors or sub-contractors might be based or their servers might be located in the United States of America (U.S.) or in other country regarded as third party not ensuring adequate level of protection.
On 10 July, 2023 the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework. The adequacy decision concludes that the United States ensures an adequate level of protection – compared to that of the EU - for personal data transferred from the EU to US companies participating in the EU-U.S. Data Privacy Framework. The adequacy decision follows the US' signature of an Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities', which introduced new binding safeguards to address the points raised by Court of Justice of the European Union in its Schrems II decision of July 2020. Notably, the new obligations were geared to ensure that data can be accessed by US intelligence agencies only to the extent of what is necessary and proportionate, and to establish an independent and impartial redress mechanism to handle and resolve complaints from Europeans concerning the collection of their data for national security purposes.[2]
However we ensure the third-party recipients concluded EU standard contractual clauses for the transfer of personal data to third countries [3] (the “EU SCC”) with us or our sub-processors. In addition to EU SCC, we may seek to adopt additional safeguards to be compliant with the highest safety standards anytime (e.g. in case of invalidation of Data Privacy Framework or non.renewal of data importer´s Data Privacy Framework certification) .
For transparency and more detailed information about cross-border transfers which may arise in relation to processing User Data please see the following:
|
Identification of vendor as potential data importer from third country |
Identification of provided services by the data importer and link to its Privacy Policy |
Adopted safeguards for Cross-border Transfer to third countries pursuant Article 46 GDRP |
Adopted safeguards for Cross-border transfer to third country pursuant Article 45 GDPR |
||
|
Meta, Inc. (USA) as the affiliate / sub-processor of Meta Platforms Ireland Ltd. Meta Platforms, Inc. 1601 Willow Road Menlo Park, CA 94025, USA as the affiliate / sub-processor of Meta Platforms Ireland Ltd. |
Platform Services provided by Meta within Oculus for Business and MetaQuest for Business |
Oculus for Business Data Processing Addendum European Data Transfer Addendum and Standard Contractual Clauses between EU and non-EU countries OR Meta Data Processing Amendment Additional Supplementary measures adopted by Meta Article 10 of Meta Platform Terms Section 11 of Developer Data Use Policy |
Commission’s adequacy decision applies to Meta Platforms, Inc. EU-US Data Privacy Framework Meta´s certification can be verified here. |
||
|
Unity Software Inc. (USA) as processor of DT ITEL SK |
|
Data Protection Addendum with incorporated Standard Contractual Clauses between EU and non-EU countries. |
N/A |
[1] EEA stands for European Economic Area which includes all EU Member States plus Norway, Iceland and Lichtenstein.
[2] https://ec.europa.eu/commission/presscorner/detail/en/qanda_23_3752
[3] https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj
11. How we collect your User Data?
All User Data are collected directly from end devices (MetaQuest, MetaQues2, MetaQuest pro) during usage of the VR app and are strictly necessary to providing the information society services which are requested by the User of Cognity by accepting the Terms of Use of Cognity.
We do not collect and enrich User Data with other data collected from external resources. Only one exemption may be the situation when we will use crash and exception reports as well as user reports and cloud diagnostics or various gaming solutions (e.g. user´s analytics, multiplayer or monetization features) provided by Unity (https://unity.com/legal),
From Unity as external source of User Data we may collect crash and exception data including device, version, operating system, and number of users impacted in real-time, all automatically aggregated in the Unity Dashboard bug reports including screenshots, metadata, and events shared by VR app users.
12. Do we process User Data via automated means which produces legal effects concerning you?
No, we do not currently conduct processing operations that would lead to the decision which produces legal effects or similarly significantly affects concerning you as user of VR App based solely on automated processing of your personal data / User Data.
13. Do you have contractual or legal obligation provide us with your personal data ?
All User Data collected by the VR App are strictly necessary for providing end customer with information society services pursuant to Terms of Use . Not providing of User Data may cause inability to provide services in agreed manner and extent (e.g. in relation to maintenance, updates, improvements etc.) by the Controller and may lead to worse VR experience.
Only User Data determined by granting user´s permission or consent within interface of the VR app relating to the processing User Data are not considered as contractual obligation related to proper providing of information society services pursuant to Terms of Use.
In relation to all processing operations, where are legal basis the consent is provision of your personal data fully voluntary and can´t be considered as any legal or contractual demand on you. In case of not provision of your personal data in such cases is only consequence our inability to achieve processing operation with no contractual consequences on you as the customer.
In relation to all purposes where the legal basis for the processing personal data is contract may be provision of your personal data as employee of DT ITTEL SK contractually requested or necessary for conclusion or proper fulfillment of the contract. In case of not provision of your personal data in such cases may be the consequence our inability to conclude the contract or properly fulfill our contractual obligations or ruining a business opportunity to deal new contract with potential customer or job attendant. Therefore, please be careful and try to avoid the arising of business damage.
In relation to all purposes where the legal basis is legitimate interests is provision of your personal data not considered as legal obligation or contractual obligation. Not provisioning of your personal data may lead to worse user´s VR experiences and distortion of statistics and analyzes important for the development and improvement of the VR applications developed by DT ITTEL SK.
14. Do we use any parental settings and controls within protection of minors privacy ?
Our VR app is available for minor’s underage of 16 only under conditions pursuant to Terms of Use after verification of parental consent by payment.
If our end customer as separate controller decides to allow use the VR app to minors, then is fully responsible for such processing of the User Data of children users and should collect proper legal ground for such processing as separate controller.
In this way please see more information related to VR Parental Supervision tools available for MetaQuest devices.
15. What rights do you have as data subject according to GDPR ?
You have the right to withdraw your consent at any time, if the consent is legal base for the processing of your personal data / User Data.
You also have a right to object to any direct marketing processing of your personal data including profiling.
You have right to object to any processing that is based on legitimate interest including to profiling based on such legitimate interest pursuant to the Article 21 GDPR. You have right to objection to processing on statistics purpose.
In case of exercising the right we will gladly demonstrate to you how we have evaluated these legitimate interests as compelling over the rights and freedoms of data subjects.
The GDPR lays down general conditions for the exercise of your individual rights. However, their existence does not automatically mean that they will be accepted by us because in a particular case exception may apply. Some rights are linked to specific conditions that do not have to be met in every case. Your request for an enforcing specific right will always be dealt with and examined in terms of legal regulations and applicable exemptions.
Among others, you have:
- Right to request access to your personal data according to Article 15 of the GDPR. This right includes the right to confirm whether we process personal data about you, the right to access to personal data and the right to obtain a copy of the personal data we process about you if it is technically feasible.
- Right to rectification according to Article 16 of the GDPR, if we process incomplete or inaccurate personal data about you.
- Right to erasure of personal data according to Article of the 17 GDPR, if one of the conditions for erasure is fulfilled and no exception applies.
- Right to restriction of processing according to Article 18 GDPR, if one of the conditions for restriction is fulfilled.
- The right to data portability according to Article 20 of the GDPR, the processing is based on consent pursuant to point (a) of Article 6 (1) or point (a) of Article 9 (2) or on a contract pursuant to point (b) of Article 6 (1) GDPR.
You have a right to lodge a complaint related to personal data to the relevant data protection supervisory authority or apply for judicial remedy. Please note that our competent data protection authority is the Office for Protection of Personal Data of the Slovak Republic (www.dataprotection.gov.sk). In any case we advise to primarily consult us with your questions or requests.
16. Where can I find the next important privacy information ?
This Privacy Policy provides an overview of the items which apply to DT ITTEL SK processing your data in VR app.
Further information, including information on data protection in general and in specific products, is available at https://www.deutschetelekomitsolutions.sk/en/privacy/privacy-policy.
If you have any questions, comments and requests regarding this Privacy Policy please contact our Data Privacy Officer electronically to FMB_dataprivacy@t-systems.com.
Changes of this Privacy Policy
We may update our Privacy Policy from time to time. Thus, you are advised to review this page periodically for any changes. We will notify you of any substantial changes by posting the new Privacy Policy on this page. These changes are effective immediately after they are posted on this page.