- Details of the Data Controller
Information on Processed Data Types and Their Origin
- Types of data that we automatically collect
Types of data you transmit to us
- User account / profile data:
- Optional profile details:
- Location data:
- Communication data: User
- Communication data: Customer service
- Notification of Device Access
- Social Sign-On:
- Processing Purposes & Legal Bases
To Whom We Transmit Your Data
- To other users:
- To group companies:
- To third parties:
- Processing Purposes & Legal Bases
- Transmission to Countries Outside the EU or the EEA
- How Long Will My Data Be Stored?
- Information on the Voluntary Nature of the Information
- Information About Your Rights
Information About Your Right of Objection
- Right of objection on a case-by-case basis
- Right of objection on the processing of data for advertising purposes
1. Details of the Data Controller
Responsible for data processing is Ideawise Limited, Room 604, Alliance Building, 133 Connaught Road, Central Hong Kong, Hong Kong. Our representative is SmH ServiceCenter.de GmbH, P.O. Box: 20 04 34, 13514 Berlin, support [at] hallokoko.com. Ideawise Limited is also meant when the terms ‘we’ or ‘us’ are used below. You can contact our data protection officer at: dataprotection [at] hallokoko.com. Please note that we are a company based outside the European Economic Area (‘EEA’). As far as you use our Services and data is being processed, these data are transferred to a so-called "third country". Details can be found in section 6 below.
2. Information on Processed Data Types and Their Origin
If we provide the Services for your use, we process personal data from various sources. This is data that we collect automatically - for example, when you visit a website or open an app - as well as other data that you have additionally provided to us.
a. Types of data that we automatically collect
As soon as you open our website or our apps, you submit technical information to our servers. This happens regardless of whether you subsequently register with an account with us to use the Services or not. In any case, this data is recorded every time
- when you visit our website:
Each time a page is accessed, access data is stored in a file, the so-called server log. The following data is stored: Your IP address, the time, the status of your website visit (status means in this case whether the visit of the website was successful or not) as well as the request that your browser has made to the server to open the page, the amount of data transferred and the website from which you came to the requested page (referrer), as well as the product and version information of the browser used (user agent).
- when you open our apps:
When using our mobile applications, the following data is stored:
- IP address
- App identification number, the name of the app, the version number of the app, and the information of which App Store the app has been downloaded from
- Name of the device, type of operating system (iOS / Android)
- Name and version number of the operating system of your device
- Language of the mobile device
b. Types of data you transmit to us
In addition to the data we receive automatically from all visitors of our Services, we also process other data from registered app users. The exact amount of this data depends on how you use the Services. Personal data that you upload publicly to your profile will be visible to other users (and searchable via the search function within the Services). Your privacy settings can be determined by yourself in your profile settings. The data you provide us with includes:
i. User account / profile data:
Types of data you transmit to us
- Sexual orientation
- Email address (either your personal email orin case of Social Sign-On, the e-mail address you use on Facebook)
- Password (personal or with Social Sign-On your Facebook user access token)
- Date of birth
ii. Optional profile details:
The use of the Services is easily possible with only the aforementioned information. However, you may also provide additional personal information in your Profile, such as physical characteristics, personal interests or detailed information about your sexual preferences, political opinions or ideological beliefs. If you like, you can upload personal photos of yourself to your Profile. The scope of this optional data can be determined by yourself via the respective input fields in your Profile settings.
iii. Location data:
When you use our Services, we process your approximate location information to allow you to contact users in your area. You select your location manually when registering or, alternatively,you can give your consent to access the location data transmitted by your device (depending on the device, e.g. via GPS). If you do not select your location manually or grant access to GPS, your location will be determined via IP comparison with MaxMind IP. For more information about these vendors, see Figure 4. Location information and settings can be changed in your Profile or device settings.
iv. Communication data: User
If you communicate with other users of our Services, we save your conversation history so that the conversation history with your chat partners can be permanently displayed.
v. Communication data: Customer service
When you contact Customer Service, written communications between you and our service team staff and notes on such transactions are stored so that we can provide uninterrupted customer service when the communication thread is followed up by other members of our service team.
vi. Notification of Device Access
If you grant Koko access to your camera or photo album, we will only receive the data you actively provide, e.g. photos you upload to the Services and nothing beyond. The same applies to you consenting to the delivery of notifications and the way in which they are displayed. You can change these settings at any time in the device settings and revoke your consent there. Your list of contacts will never be accessed at any time.
vii. Social Sign-On:
You can also use the ‘Login with Facebook’ feature to create your profile. If you choose this feature, you transmit your username on the social network at https://www.facebook.com ("Facebook"), your email address with which you have registered on Facebook, as well as your date of birth and profile photo to us.
3. Processing Purposes & Legal Bases
We process your data exclusively for the following defined purposes:
- To allow you and other users to use the Services and to ensure their functionality
- To provide you with additional Services that you have purchased
- To keep you up-to-date with relevant information about our Services and to send you system notifications to the email address you provide
- To adapt the provision of the Services to your needs
- To display advertising tailored to your interests (including participation in competitions and prize draws)
- To continuously improve the service offer and to correct errors
- To detect and prevent fraud attempts
- To ensure the protection of minors
- To enable the exchange with customer service in case of any such queries
- To assess information published on your profile or shared by you through the Services
- To disclose your personal data to third parties if we are legally obliged to do so
- To assert legal claims and to defend against legal disputes
- To ensure IT security and correct operations of our systems
In doing so, we rely on various legal bases in accordance with the so-called General Data Protection Regulation, the legal framework for the European-wide standardisation of data protection laws (‘GDPR’). We refer in detail to the following legal bases:
Fulfilment of contractual obligations
The processing of personal data takes place simultaneously but also for the provision of the Services in the context of the performance of our contract with you. In many cases, the processing of data is not only justified by your consent, but also because it is necessary to fulfil our contract with you: In order to fulfil your entitlement to the Services described in more detail in our General Terms and Conditions, for example, it may be necessary to process your personal data, e.g. if you wish to pay for your membership at Koko+, and the processing of data for payment processing is required for this purpose.
Safeguarding legitimate interests
Legal requirements or public interest
In addition, we are legally obliged and entitled to provide certain information to criminal prosecution or tax authorities bodies in individual cases upon request.
4. To Whom We Transmit Your Data
We treat your personal data with care and confidentially and will only share them with third parties to the extent described below and not beyond.
a. To other users:
As our Services are platforms for getting to know each other, it is in the nature of things that we transmit your profile data and other data (e.g. messages you write and other communication you conduct with other users of the community) to the corresponding users of the Services at your request and on your behalf.
b. To group companies:
We transfer data to our affiliated companies, which form a group with us, within the framework of strict data protection requirements. This is the case, for example, when you make a customer service request. We will then forward this request to SmH Servicecenter.de GmbH, a service company associated with us. In addition, our development company, TheNetCircle Network Co Ltd. and our Community Management and Marketing teams at Playamedia S.L. receive the information they need to ensure the security and functionality of the Services.
c. To third parties:
In addition, we transmit data to external service providers that enable us to provide the Services. These include hosting providers and providers of analytics platforms. We require these service providers to comply with strict rules to ensure the security of your data when processing personal data on our behalf. Such processing is generally based on contractual regulations. When we state - further below - that there is ‘no adequate level of data protection’, it means that there is no adequacy decision by the European Commission - in these cases, however, we regulate the processing on the basis of other guarantees, such as Data Processing Agreements or standard data protection clauses.
Google LLC is a Privacy-Shield certified provider from the USA. Google Analytics is used to analyse the behaviour of users of our Services. In order to display distances between members or approximate location data in the regional search, we use the services from Google Maps (i.e. Google Geocoding API and Google Places API). We use Google AdWords and its so-called conversion tracking. When you click on an ad placed by Google, a conversion tracking cookie is generated. This cookie loses its validity after 30 days, does not contain any personal data and is therefore not used for personal identification. Google Fabric (including Crashlytics and Answers) and Google Firebase help us monitor the performance of our mobile applications, identify crashes and analyse user behavior. For Android users we also use Google Firebase and its Firebase Cloud Messaging (FCM) service for sending push notifications which can contain personal data. YouTube videos are embedded in our Services in ‘enhanced privacy mode’. While no YouTube cookies are set by this particularly data protection-friendly type of embedding, loading suchpages leads to a connection with YouTube and the DoubleClick network nonetheless. Therefore, a click on an embedded video can trigger further data processing activities which we no longer control.
We use Apple (location USA, Privacy-Shield certified) and its Apple Push Notification Service (APNS) for sending push notifications to iOS users which can contain personal data.
With this survey tool (location Spain, adequate level of data protection) we improve and maintain our community, through means of permanent feedback surveys, as well as regular quizzes, other types of surveys and evaluations. The type of information that is passed on to Typeform depends on the respective survey, and you also decide yourself what content your contribute to such activities.
Sparkpost (location USA, Privacy-Shield certified) is a provider for sending emails. In order to supply you with information via e-mail, we transmit your email address. Sparkpost will delete your email address immediately after an email has been sent to it.
We use Facebook (location USA, Privacy-Shield certified) to facilitate the ‘Log in with Facebook’ feature. All data required during the registration process (e-mail address, date of birth, profile photo) will be transmitted to us by Facebook, on your behalf. We use Facebook's Invite feature to allow users to invite friends from their group of friends on the social network and for usage analysis of our mobile applications. Facebook also publishes advertising through the so-called ‘Facebook Audience Network’ (FAN).
Adjust (location Germany, adequate level of data protection) is used for the evaluation of usage statistics and for the analysis of marketing activities. When you open the app, Adjust collects installation and event data. We use this information to understand how our users interact with our app and to analyze mobile ad campaigns. For such an analysis Adjust uses your anonymized IDFA (iOS) or GAID (Android) and your anonymized IP address. It is not possible to identify you individually.
Kayako (location UK, adequate level of data protection) is our ticketing system to manage customer queries. For each query, your email address, your preview profile picture and your username will be transmitted to Kayako.
This storage service (location Israel, adequate level of data protection) is used to store and deliver users’ videos and images.
Virtual Business Support
In order to approve uploaded images, we work with Virtual Business Support (based in the Philippines, no adequate data protection level). There, uploaded pictures are reviewed and categorised by qualified personnel.
New Relic (location USA, Privacy-Shield certified) enables statistical evaluations of the speed of our apps. For this purpose, New Relic processes system data on hardware and software and times-of-use, so-called application data.
Jira and Confluence from Atlassian (location USA, Privacy-Shield certified) are online applications that we use for error management, troubleshooting and operational project management. Principally, no personal data is processed systematically, but in individual cases, when technical issues are reported , personal data like e.g. a username may be mentioned in so-called "tickets" in order to be able to correct these malfunctions in our technical applications as quickly as possible, especially in the case of malfunctions reported by users of the Services.
Slack (US site, Privacy-Shield certified) is an online application that we use for internal communication. Principally, no personal data is processed systematically, but in individual cases, when technical issues are reported, personal data like e.g. a username may be mentioned in so-called "tickets" and therefore also in internal chats of this platform, in order to be able to correct these malfunctions in our technical applications as quickly as possible, especially in the case of malfunctions reported by users of the Services.
We work with "Sentry" from Functional Software, Inc. (US site, Privacy-Shield certified) to find and remove errors that occur in our backend. In the event of a crash or other unexpected errors, information such as the version of the operating system and technical data about the cause of the error is transmitted to Sentry. However, this information does not contain any personal data. We use this tool data solely to increase the stability of our applications.
Koko uses the GeoIO2-Precision database provided by MaxMind Inc. (US site, Privacy-Shield certified). The database contains approximate location/geolocation data for the IP addresses used. This allows us to offer you special services (e.g. approximate distance from other users, search function by location etc.), even if you do not grant us access to GPS data.
Advertising Networks & Affiliates
- MoPub (location USA, Privacy-Shield certified)
- Liftoff (location USA, Privacy-Shield certified)
- AppLovin (location USA, Privacy-Shield certified)
- Chartboost (location USA, Privacy-Shield certified)
- YouAppi (location USA, no adequate level of data protection)
- Vungle (location USA, no adequate level of data protection)
- Minimob (location Singapore, no adequate level of data protection)
- Apple Search Ads (location USA, Privacy-Shield certified)
- Creative Matters (location Spain, adequate level of data protection)
- Mobiplay (location USA, no adequate level of data protection)
- SpykeMedia (location Germany, adequate level of data protection)
- Appnext (location British Virgin Islands, no adequate level of data protection)
- Ironsource (location USA, no adequate level of data protection)
- Fyber (location Germany, adequate level of data protection)
- Glispa (location Germany, adequate level of data protection)
These cookies and device identifiers can be used to display personalised advertisements. A profile is also created based on look-alike information obtained which Google, Facebook and other third-party ad networks (see list above) receive due to your visits to other websites or apps on their networks. You can disable personalized advertising by changing the settings your device:
On Android, this option is located in the app for Google settings. Depending on the device, this is called ‘Google Settings’ or just ‘Settings’. Under the menu item ‘Google’ -> ‘Ads’ you will find the option ‘Disable interest-based advertising’ or ‘Disable personalized advertising’, depending on the device. Selecting this feature will deactivate personalized advertising.
On iOS, this option is located in the ‘Preferences’ app. Under the menu item ‘Privacy’ -> ‘Advertising’ you will find the option ‘No Ad-Tracking’. The selection can be used to deactivate personalized advertising.
Review of Pictures / Fake Check
In exceptional cases (for example in cases of suspicion of fraud, reporting by other users, etc.) we use the following platforms for checking uploaded images and carry out a so-called fake check by uploading images to the respective search engines:
- Google Search of Google LLC (location USA, privacy-shield certified)
- Tineye (location Canada, adequate level of data protection)
- Bing von Microsoft Corporation (location USA, privacy-shield certified)
- Yandex (location Switzerland, adequate level of data protection)
- Baidu (location China, no adequate level of data protection)
5. Processing of Payment Data
If you wish to use your Profile as a Koko+ account or use other paid offers, depending on the payment method you choose, you will provide such information directly to the Apple App Store or Google Play Store, having accepted Terms and Conditions and Privacy Policies. You make your purchases directly through the respective store.
6. Transmission to Countries Outside the EU or the EEA
All servers of the Services are located in the EEA, hence initially your data does not leave the EEA technically, but the technical provision and processing of the data for the operation of the Services takes place in the European Union. However, when you submit data to us, it will be legally transferred to a country outside the EEA, as we have our registered office in the People's Republic of China. In addition, our development company is also based in China, from where it has technical access to the servers in the European Union.
According to the GDPR, China is a so-called "Third Country" in which an adequate level of data protection cannot be guaranteed in principle; there is no corresponding decision on adequacy and there are also no specific guarantees to compensate for this deficit. However, we have concluded strict Data Processing Agreements and standard contractual clauses that work towards a secure level of data protection. What do we mean with the information about China? It means that we may have to transmit data to government agencies there under less stringent conditions than is the case within the EEA. The legal hurdles to the protection of personal data in China are thus generally regarded as lower from a European point of view, as would also be the case for processing in Australia, Russia or India, for example. Until 17.05.2018 (= preparation of this document) there has not been a single case of disclosure of Data to Chinese authorities, also because as a former British colony, Hong Kong continues to enjoy a special status until at least 2047, despite belonging to the People’s Republic of China. In preparation towards GDPR, we have committed ourselves to full transparency in accordance with the GDPR and are therefore happy to comply with this legal requirement and our voluntary commitment, although this transparent approach may at first unsettle some users. Due to the use of external service providers, some data is also transferred to other so-called "Third Countries". You can see exactly what these are and whether there is an adequate level of data protection in each case under point 4c.
7. How Long Will My Data Be Stored?
We process and store your personal data as long as it is necessary for the fulfilment of our contractual or legal obligations. Therefore, we store the data only as long as our contractual relationship with you exists and also after termination only, as far as the laws of the Federal Republic of Germany and the People's Republic of China require this. If the data are no longer necessary for the fulfilment of such obligations, they will be regularly and promptly deleted, unless their further processing is necessary for the protection of legitimate interests or for the preservation of evidence within the framework of statute of limitations.
8. Information on the Voluntary Nature of the Information
You are not required by law to provide us with the above information. In principle, the contractual relationship that you have entered into with us by agreeing to our General Terms and Conditions does not give rise to any obligation to provide this personal data. However, the transmission of mandatory information is a basic prerequisite for concluding a contract with us. Furthermore, you cannot use the Services, or only to a limited extent, if you do not provide us with certain data or object to their use. This is because our Services are essentially only ‘brought to life’ by the content posted by our users. It is not possible to delete an uploaded and approved profile photo if it’s the only one in your profile. However, you could at any time replace your profile picture or delete the entire profile.
9. Information About Your Rights
You can assert the following rights:
- Your right to information and access under Article 15 GDPR,
- Your right to rectification under Article 16 GDPR,
- Your right to erasure under Article 17 GDPR,
- Your right to restriction of processing under Article 18 GDPR and
- Your right to data portability under Article 20 GDPR.
If you have any questions in this regard, please contact customer service at support [at] hallokoko.com. You can revoke your consent to the processing of personal data at any time. This also applies to the revocation of declarations of consent issued to us prior to the validity of the GDPR, i.e. before May 25, 2018. However, this revocation will then only be effective for the future. Processing that took place before the revocation is not affected by this. In addition, you have a right of appeal to the competent data protection supervisory authority. This can be the supervisory authority of the representative named under point 1, or the supervisory authority responsible for your place of residence.
10. Information About Your Right of Objection
a. Right of objection on a case-by-case basis
In addition to the rights already mentioned, you have the right to object at any time for reasons arising from your particular situation to the processing of personal data concerning you, which is based on Article 6 para. 1e GDPR (data processing in the public interest) and Article 6 para. 1f GDPR (data processing on the basis of a balance of interests). If you file an objection, we will no longer process your personal data, unless we can prove compelling reasons worthy of protection for the processing, which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
b. Right of objection on the processing of data for advertising purposes