1. About this Policy
Chroma Studios AB (company registration number 559303-2930), “Chroma, protects your privacy and always strives for a high level of data protection. This privacy policy explains how we collect and use your personal data. The privacy policy also describes your rights and how you can enforce them. It is important that you read and understand the privacy policy. You are always welcome to contact us with any questions.
It applies to your use of:
The Lux Aeterna app as a user. For example, this includes:
- Your use of Lux Aeterna app on any device
- The personalization of your user experience
- The infrastructure required to provide our services
2. Who is responsible for the personal data that we process?
Chroma Studios AB (company registration number 559303-2930), with the address Skeppargatan 38, 114 52 Stockholm, is the controller for the processing of personal data.
3. How long do we store your personal data?
We store your personal data for as long as it is necessary for the purpose for which it was collected. Depending on the legal basis on which we base the processing, this may a) follow from an agreement, b) be dependent on a valid consent, c) be governed by legislation or d) follow from an internal assessment based on a balance of interest.
4. Personal data we collect about you
These tables set out the categories of personal data we collect and use.
User Data
Personal data that we need to create your account to Lux Aeterna app and that enables you to use the Lux Aeterna app. This may include your:
- profile name
- email address
Usage Data
Personal data collected and processed about you when you’re accessing or using the Lux Aeterna app. There are a few types of information this includes, listed in the following sections.
Information about how you use the Lux Aeterna appExamples include:
- your actions with the Lux Aeterna app (including date and time), such as:
-
- positioning in the app
- control actions, i.e jump, acceleration
- coins collected
- onboarding completed
Examples include:
- online identifiers such as IP addresses
- information about the devices you use such as:
-
- device IDs
- network connection type
- provider
- network and device performance
- language
- operating system
- app version
- information which enables us to discover and connect with third-party devices and applications. Examples of this information are the device name, device identifiers, brand and version. Examples of third-party devices and applications are:
-
- devices on your wifi network (such as speakers) which can connect to the Lux Aetherna app
- devices made available by your operating system when connecting via Bluetooth, plugin, and installation
Your general location includes country, region or state. We may learn this from technical data (e.g. your IP address, language setting of your device).
We need this to:
- meet geographic requirements in our agreements with the owners of content on the Lux Aeterna app
- deliver content and advertising that’s relevant to you
5. Our purpose for using your personal data
The table below sets out:
- our purpose for processing your personal data
- our legal justifications (each called a 'legal basis') under data protection law, for each purpose
- categories of personal data which we use for each purpose.
Here is a general explanation of each 'legal basis' to help you understand the table:
- Performance of a Contract: When it's necessary for Chroma (or a third party) to process your personal data to:
-
- comply with obligations under a contract with you. This includes Chroma's obligations under the Terms of Use to provide the Lux Aeterna app to you, or
- verify information before a new contract with you begins.
- Legitimate Interest: When Chroma or a third party has an interest in using your personal data in a certain way, which is necessary and justified considering any possible risks to you and other Chroma users. For example, using your Usage Data to improve the Lux Aeterna app for all users.
- Consent: When Chroma asks you to actively indicate your agreement to Chroma's use of your personal data for a certain purpose.
- Compliance with Legal Obligations: When Chroma must process your personal data to comply with a law.
To provide the Chroma Lux Aeterna.
- Performance of a Contract
- Legitimate Interest
- Consent
- User Data
- Usage Data
To understand, diagnose, troubleshoot, and fix issues with the Lux Aeterna app.
- Performance of a Contract
- User Data
- Usage Data
To evaluate and develop new features, technologies, and improvements to the Lux Aeterna app.
- Legitimate Interest
- User Data
- Usage Data
For marketing or advertising where the law requires us to collect your consent. For example, when we use cookies to understand your interests or the law requires consent for email marketing.
- Consent
- User Data
- Usage Data
- Survey and Research Data
To comply with a legal obligation that we are subject to. This might be:
- an obligation under the law of the country / region you are in
- Swedish law (because of our headquarters in Sweden), or
- EU law that applies to us
- Compliance with legal obligations
- User Data
- Usage Data
- Survey and Research Data
To comply with a request from law enforcement. This will only apply when a competent law enforcement authority contacts us. These include the police, the courts, and prisons.
- Compliance with legal obligations
- Legitimate interest
- User Data
- Usage Data
- Survey and Research Data
To fulfill contractual obligations with third parties.
- Legitimate interest
- User Data
- Usage Data
To take appropriate action with reports of intellectual property infringement and inappropriate content.
- Legitimate interest
- User Data
- Usage Data
To establish, exercise, or defend legal claims.
- Legitimate interest
- User Data
- Usage Data
- Survey and Research Data
To conduct business planning, reporting, and forecasting.
- Legitimate interest
- User Data
- Usage Data
To conduct research and surveys.
- Legitimate interest
- User Data
- Usage Data
- Survey and Research Data
Note: According to recital 14 in the preamble to the General data protection regulation, GDPR, it does not cover the processing of personal data concerning legal persons, for example, information about the name and type of legal person and contact details. The processing of personal data concerning member registers, including contact information for the member (company), may therefore fall outside the scope of the Data Protection Regulation.
6. Who can we share your personal data with?
Processor: In cases where it is necessary for us to be able to offer our services, we share your personal data with companies that are so-called processors for us. A processor is a company that processes the information on our behalf and according to our instructions, e.g. cloud service providers or similar.
7. Where do we process your personal data?
We always strive for your personal data to where commercially practical be processed within the EU/EEA, and most of our own IT systems are located within the EU/EEA, when not processing your data within the EU/EEA we have taken necessary measures in accordance with Standard Contractual Clauses. We have entered into a data processing agreement with all our processors. The data processing agreement regulates how the processor may process the personal data and what security measures are required to process personal data.
8. What are your rights as a data subject?
Privacy laws, including the General Data Protection Regulation (GDPR), give individuals rights over their personal data. You are the one who decides over your personal data. We always strive to ensure that you can exercise your rights as efficiently and smoothly as possible. You can send an e-mail to legal@chroma.co, and we will help you take advantage of your rights.
The table below explains:
- your rights
- circumstances when they apply (such as the legal basis required)
Your rights
Access
You always have the right to receive information about the personal data processing that concerns you. We are always open and transparent about how we process your personal data. If you want a deeper insight into which personal data we process about you, you can request access to the data (the information is provided in the form of a register extract stating the purpose, categories of personal data, categories of recipients, storage periods, information about where the information came from collected and the existence of automated decision-making).
We only disclose information if we have been able to ensure that it is you who is requesting the information. Therefore, keep in mind that if we receive a request for access, we may ask for additional information to ensure efficient handling of your request and that the information is provided to the right person.
Be informed
Be informed of the personal data we process about you and how we process it.
Rectification
You can request that your personal data be corrected if the information is incorrect. You also have the right to request a supplement to any incomplete personal data.
Erasure
You can request deletion of personal data that we process about you if:
- The personal data is no longer necessary for the purposes for which it was collected or processed.
- You object to a balance of interests we have made based on legitimate interest and your reason for objection outweighs our legitimate interest.
- You object to processing for direct marketing purposes.
- Personal data is processed illegally.
- Personal data must be deleted in order to fulfill a legal obligation to which we are subject.
Please note that we may have the right to deny your request if there are legal obligations that prevent us from immediately deleting certain personal data. These obligations come from, for example, accounting legislation and tax legislation or banking and money laundering legislation. Processing may also be necessary for us to be able to establish, assert or defend legal claims. Should we be prevented from complying with a request for deletion, we will instead block the personal data from being used for purposes other than the purpose that prevents the requested deletion.
Restriction
You have the right to request that our processing of your personal data be restricted. If you believe that the personal data we process is incorrect, you can request a limited processing for the time we need to check whether the personal data is correct. If we no longer need the personal data for the stated purposes, but you do need them to be able to establish, assert or defend legal claims, you can request limited processing of the data from us. This means that you can request that we do not delete your information.
If you have objected to a legitimate interest assessment that we have made as a legal basis for a purpose, you can request limited processing for the time we need to verify whether our legitimate interests outweigh your interests in having the data deleted.
If the processing has been restricted according to any of the above situations, we may only, in addition to the storage itself, process the data to establish, assert or defend legal claims, to protect someone else's rights or if you have given your consent.
Object
You always have the right to avoid direct marketing and to object to any processing of personal data based on a balance of interests.
Data portability
In certain cases, you have the right to request that personal data about you and personal data you have provided to us, be transferred to another controller (so-called data portability). A prerequisite for data portability is that the transfer is technically possible and can be automated. What is written about the rights above only applies to the processing of personal data covered by the GDPR.
Direct marketing
You have the right to object to your personal data being processed for direct marketing. The objection also includes the analyzes of personal data (so-called profiling) that are performed for direct marketing purposes. Direct marketing refers to all types of outreach marketing measures (e.g. via mail, e-mail and SMS). Marketing measures where you as a customer have actively chosen to use one of our services or otherwise contacted us to find out more about our services do not count as direct marketing.
If you object to direct marketing, we will stop processing your personal data for that purpose as well as stop all types of direct marketing measures.
Remember that you always have the right to decide which channels we will use for direct mail and personal offers. For example, you can choose to only receive offers from us via e-mail, but not SMS. In that case, you should not object to the processing of personal data as such, but instead limit our communication channels.
You can also object specifically to the analyzes we do (profiling).
Withdrawal of consent
Withdraw your consent to us collecting or using your personal data.
You can do this if Chroma is processing your personal data on the legal basis of consent.
Legitimate interest
Withdraw your consent to us collecting or using your personal data.
Where we use a balance of interests as a legal basis for a purpose, you have the right to object to the processing. In order to continue to process your personal data after such an objection, we need to be able to show a compelling justified reason for the processing in question that outweighs your interests, rights or freedoms. Otherwise, we may only process the data to establish, exercise or defend legal claims.
Right to lodge a complaint
Contact the Swedish Authority for Privacy Protection or your local data protection authority about any questions or concerns. The Swedish Authority for Privacy Protection is the supervisory authority, i.e. responsible for monitoring the application of the legislation. If you believe that a company is processing personal data incorrectly, you can submit a complaint to the Swedish Authority for Privacy Protection.
9. Security
Chroma has taken technical and organizational measures to ensure that your personal data is processed securely and that it is protected from loss, misuse and unauthorized or unauthorized access. Only people who need to process your personal data in order for us to fulfill our stated purposes have access to them.
Organizational security measures are measures that are implemented in working methods and routines within the organization. Our organizational security measures from time to time are, but are not limited to Internal governing documents (policies / instructions), Information security policy and Physical security (premises, etc.).
Technical safety measures are measures that are implemented through technical solutions. Our technical safety measures from time to time are, but are not limited to Encryption, Access list, Access log, Secure network, Regular check of the security level, Two-step verification and Password management software for all passwords.
10. Cookies
When you visit our app, we may send “cookies” to your device. A cookie is a small text file or piece of data that an app that you visit can place or save onto your device. Cookies do not themselves contain any personally identifiable information. However, if you provide such personally identifiable information to us (such as by registering for an Internet related service or password provided by us), such information may be linked to the data stored in the cookie. There are two types of cookies. The first type saves a file for a longer period onto your device, and it can remain on your device after you shut it off. Such cookie could, for example, be used to tell a visitor what information on the app has been updated since his or her last visit to that app. The second type of cookie is called "session cookie." While you are visiting an app, session cookies are temporarily stored in your device’s memory. This could be done, for example, to keep track of what language you have chosen on the app. Session cookies are not stored for a long period of time on your device since they disappear when you close your app. We may use third parties to assist us in collecting or processing information obtained through cookies.
We may use cookies for several reasons, such as:
- to compile anonymous statistics related to patterns and trends of browsing;
- to analyze sales data;
- to conduct marketing research;
- to user adapt website content or functions;
- to aid or track app visits of users, of certain Internet-based services;
- to enable users with passwords to re-enter certain apps without having to re-type previously typed information.
11. How do you contact us most easily with questions about data protection?
You can always contact us at legal@chroma.co. You can reach our Data Protection Officer at the same address - then write “FAO Data Protection Officer” in the subject line.
12. Changes to this Policy
We may make changes to our privacy policy. The latest version of the privacy policy is always available here on the app.