Valid since: March 1st 2021
Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
(i) Reactive Reality’s websites www.reactivereality.com and www.pictofit.com (the „Website“) of
(ii) Reactive Reality’s mobile or browser application „Pictofit Shopping“ („App“),
(iii) Reactive Reality’s Software Development Kit („SDK“),
(iv) Reactive Reality’s “Pictofit Content Service” (“PCS”) or when you participate in
(v) Reactive Reality’s recruitment process.
2. Who is responsible for data processing and whom can I contact?
2.1. Reactive Reality is the controller within the meaning of Article 4 (7) GDPR.
2.3. Our contact person for data protection matters is Florian Gruber.
3. For which purposes do we process your personal data?
3.1. Use of the Website
3.1.1. In order to provide you with the Website, we process your below mentioned personal data based on a contract between you and us (Art. 6(1)(b) GDPR); in addition, we process your below mentioned personal data based on our legitimate interests in order to detect, prevent and investigate attacks on the Website (Art. 6(1)(f) GDPR):
(b) Date and time of the call of the Website;
(c) IP address of the used device;
(d) Name and version of the browser;
(e) Type of the browser and settings;
(f) Operating system; and
(g) Referral URL.
3.1.2. The legitimate interest of Reactive Reality is to be able to detect, prevent and investigate attacks on the Website and thus ward off damage to Reactive Reality and the users.
3.1.3. We store the above-mentioned personal data for the duration of your visit to our website.
3.1.4. The provision of the above-mentioned personal data is voluntary. If you do not provide these personal data, you will not be able to use the Website.
3.2. Handling of inquiries
3.2.1. We provide you with the possibility to contact us. In this case, the following personal data will be processed by Reactive Reality for the purpose of answering your inquiry based on our legitimate interests (Art. 6(1)(f) GDPR):
(b) Email address;
(c) Content of the inquiry;
(d) Time of the inquiry;
(e) Information about the browser (e.g. browser, version, resolution, color depth, language, operating system);
3.2.2. The legitimate interest of Reactive Reality is to be able to answer inquiries of customers and potential customers and thus to provide a good customer service and to acquire new customers.
3.2.3. We store the above-mentioned personal data as long as necessary to answer the inquiry.
3.2.4. The provision of the above-mentioned personal data is voluntary. If you do not provide these personal data, we will not be able to respond to the inquiry.
3.3. Compilation of anonymous statistics when using the Website
3.3.1. The Website uses Google Analytics, a web analytics service provided by Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help the Website to analyse how users use the Website. We process your data on the basis of our legitimate interest in creating access statistics in a cost-efficient manner and optimising the Website (Art. 6(1)(f) GDPR).
3.3.2. For the purpose of analysing your use of the Website and generating anonymous statistics, the following personal data is processed by Google on our behalf:
(a) Time spent on the Website;
(b) Time spent on each individual page and the order in which individual pages are visited;
(c) Which internal links are clicked by you when browsing the Website;
(d) Previously accessed websites;
(e) First page accessed;
(f) IP address;
(g) Geographical location;
(h) Browser (including plug-ins) and operating system;
(i) Screen resolution and whether Flash or Java is installed in the User’s browser.
3.3.3. Google places the following cookies:
3.3.4. On our behalf, the above-mentioned data on the use of the Website is transmitted to Google servers in the USA and stored there. This Website uses the possibility of IP anonymisation offered by Google Analytics. Your IP address is therefore shortened by Google as soon as Google receives your IP address. You can find further information on IP anonymisation at https://support.google.com/analytics/answer/2763052?hl=de.
3.3.5. Google will process this information on our behalf to evaluate your use of the Website and compile reports on the website activities of the users. The IP address transmitted by your browser within the scope of Google Analytics is not merged with other data from Google.
3.3.6. You can prevent the storage of cookies by adjusting your browser settings accordingly. However, we would like to point out that in this case you may not be able to use all functions of the Website to their full extent. You can also prevent Google from collecting your data in connection with Google Analytics by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de.
3.4. Registration and use of the App
3.4.1. In order to be able to provide you with the App, we process the following personal data based on a contract between you and us (Art. 6(1)(b) GDPR):
(a) Name and company (employer’s) name;
(b) Email address;
(c) Your role in the company (if voluntarily provided);
(d) Date and time of the registration;
(e) Further information you voluntarily provide to us.
3.4.2. We store the above-mentioned personal data for as long as this is necessary to provide the service or for as long as this is necessary to pursue or defend legal claims, or to fulfil legal retention obligations.
3.4.3. The provision of the above-mentioned personal data is voluntary. If you do not provide these personal data, you will not be able to use the App.
3.5. Use of the SDK
3.5.1. In order to be able to provide you with the SDK, we process the following personal data based on a contract between you and us (Art. 6(1)(b) GDPR):
(b) Company name (if relevant);
(c) Birth date;
(d) Email address;
(e) Your role in the company (if relevant);
(f) Address of the company (if relevant)
3.5.2. We store the above-mentioned personal data for as long as this is necessary to provide the service or for as long as this is necessary to pursue or defend legal claims, or to fulfil legal retention obligations.
3.5.3. The provision of the above-mentioned personal data is voluntary. If you do not provide these personal data, you will not be able to download and use the SDK.
3.6. Use of the Pictofit Content Service
3.6.1. You can use the PCS either through the mobile or browser-based App or through the SDK. In particular, capturing and creating an avatar in the App or uploading data on any of our Websites uses the PCS.
3.6.2. To provide you with the PCS, we process the following personal data based on a contract between you and us (Art. 6(1)(b) GDPR):
(a) Photos, videos, depth maps and facial landmarks (e.g. acquired through Apple’s TrueDepth APIs), point clouds and other visual data provided by you.
(b) Body dimensions, measurements, shapes and gender.
(c) Avatar names, email addresses, demographic data, geographic data.
3.6.3. The PCS creates augmented reality models from the above data, such as an avatar or a virtual product representation for virtual fashion try-on and other augmented reality applications.
3.6.4. We store the above-mentioned personal data permanently to
(a) create your augmented reality model,
(b) improve our products and services, and
(c) for machine learning purposes.
3.6.5. The provision of the above-mentioned personal data is voluntary. If you do not provide these personal data, you will not be able to use the PCS.
3.7. Recruiting process
3.7.1. We process the following personal data based on our legitimate interests (Art. 6(1)(f) GDPR) in order to be able to process applications and to organize the application process:
(a) Name;
(b) Prefix;
(f) Date/place of birth;
(g) Driver's license (yes/no);
(h) Email address;
(i) Telephone number;
(k) Position you apply for;
(l) Letter of application and application documents (diplomas, certificates, etc.);
(m) Type of application (e.g. email, LinkedIn etc.);
(p) Any other personal data provided by you during the application process.
3.7.2. In case you do not provide the above-mentioned personal data to us by yourself, we may collect these personal data by:
(a) Public sources;
(b) Personal consultants; and
(c) Online application portals.
3.7.3. We process the above-mentioned data on the basis of our legitimate interests according to Art. 6(1)(f) GDPR, which is to guarantee an efficient application process and to ensure that we fill our vacancies with suitable job applicants.
3.7.4. Provided that you expressly consent within the application process (Art. 6(1)(a) GDPR), we will hold on to your above-mentioned personal data in order to be able to consider and contact you for future job advertisements.
3.7.5. We store the above-mentioned personal data either (i) for the duration of the application process or (ii) in case you consent to us holding on to your application for future consideration (please see above section 2.9) until you withdraw your consent. We store the above-mentioned personal data longer only if this is necessary for the pursuit or defense of legal claims, or for the fulfillment of legal retention obligations.
3.7.6. The provision of the above-mentioned data is voluntary. If you do not provide us with these personal data, we may not be able to process your application.
3.8. Establishment, exercise or defence of legal claims
3.8.1. In the event of a legal dispute, we process your personal data for the purpose of establishing or exercising our claims or defending against your claims. The data required for the appropriate prosecution is transmitted to legal representatives and courts.
3.8.2. We process your personal data for the aforementioned purpose on the basis of legitimate legal interests (Article 6 (1) (f) in connection with Article 9 (2) (f) GDPR).
3.8.3. We store the aforementioned personal data for the purpose of pursuing or defending legal claims for as long as this is necessary for the potential conduct of proceedings or until the expiry of the statutory limitation periods, whereby the statutory limitation period for claims arising from the breach of contracts is three years.
4.1. We instruct data processors who perform services on our behalf. The processors may only process the data provided to them in accordance with our instructions and only to the extent necessary to perform services for us. We contractually oblige these processors to guarantee the confidentiality and security of the personal data processed within the scope of the contract.
4.2. The level of data protection in other countries outside the European Economic Area (“EEA”) may not be the same as within the EEA. However, we will only transfer your personal data to countries for which the European Commission has decided that they have an adequate level of data protection or we will take measures to ensure that all recipients in third countries guarantee an adequate level of data protection. To this end, we conclude, for example, the standard contractual clauses issued by the European Commission with these recipients. On request, we will provide you with the concluded standard contractual clauses. For this purpose, please contact us using the contact details provided above.
5. Your rights according to GDPR
5.1. The GDPR grants you as a data subject the following rights:
5.1.1. The right of access according to Art. 15 GDPR regarding the personal data processed by Reactive Reality.
5.1.2. The right of rectification according to Art. 16 GDPR, the right of erasure according to Art. 17 GDPR and the right to restriction of processing according to Art. 18 GDPR.
5.1.3. The right of data portability according to Art. 20 GDPR.
5.1.4. The right of objection according to Art. 21 GDPR.
5.1.5. The right to appeal to the competent data protection authority in accordance with Art. 77 GDPR.
5.1.6. You may revoke your consent to the processing of personal data at any time. Please note that the revocation is only effective for the future. Processing that took place before the revocation is not affected.
5.2. The competent supervisory authority is the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna (https://www.dsb.gv.at/).