Zappar Privacy Notice
Last updated: 1st December 2023
Why have we prepared this Privacy Notice?
At Zappar we understand that privacy is important and are committed to ensuring that personal information is processed in accordance with applicable data protection and privacy laws. We have put together this Privacy Notice which you are currently reading to help you understand what information we collect about users of our technology and services, the Zappar website (zappar.com) and any related applications (including the Zapvision and Zapbox applications) and how we use and share this information. It also contains important information about your rights. The Privacy Notice is an essential part of your engagement with Zappar and it is important that you read it carefully. By engaging with us in the ways set out in this notice, you confirm that you have read and understood the entirety of this notice, as it applies to you.
This Privacy Notice applies to your use of those Zappar Services that display or provide an authorised link to this notice.
This Privacy Notice does not apply to personal data and other information which we collect about users of our Zapworks service. Users of Zapworks should refer to the specific Privacy Notice provided with that service available at https://zap.works/privacy/ Equally, this Privacy Notice does not extend to any websites or services of third parties which can be accessed from the Zappar Services, including any links we may provide to social media sites.
What means what?
In this Privacy Notice some of the words we use have capital letters. This is because we have given these words a particular meaning. These words are listed below:
“Accessible QR Code” means the QR Code with (patent pending) D3 surround, developed and owned by Zappar, including any developments or improvements of the same;
“Anonymous Information” means information that does not identify and cannot reasonably be used to identify a specific individual. When Anonymous Information is linked with Personal Data, this Anonymous Information is normally treated by Zappar as Personal Data.
“Content” means content made available on or via the Zappar Services. This might include Zaps, animation, mini-games, documents, images, links, sound files, videos, text, QR codes, Accessible QR Codes and other content.
“Information” (depending on the context) means any or all information that you or your device send, submit or transmit to Zappar via the Zappar Services. Information also includes information automatically collected by us and information about you, which we obtain from other sources.
“IP Address” means an Internet Protocol address, a number that is automatically assigned to your device when you use the internet and which may vary from session to session.
“Personal Data” means any information we hold about you which could be used to identify who you are, e.g. your name, email, home address, IP Address and may include other information such as identification numbers and location data.
“Third Party Content” means Content which is owned or controlled by a person other than Zappar, including (a) Content which is created by Zappar for a brand, entertainment franchise or other client and (b) Content which is published on our platform by users of our ZapWorks service.
“you” means you, the natural person accessing, browsing, downloading or using any Zappar Services.
“Zap” means an augmented, virtual or mixed reality content experience.
“Zapbox App” means any application developed by Zappar for use with our mixed reality kit called ZAPBOX, including all versions of that application published by Zappar.
“Zappar” or “we” means Zappar Limited, a private limited company incorporated in the United Kingdom and registered in Scotland with company number SC394617.
“Zappar App” means our augmented reality mobile application called ZAPPAR, including all versions of that application published by Zappar.
“Zappar Services” means collectively the Zappar App, the Zapbox Apps, the Zapvision App, the Zappar Website, our Zappar Powered products, Zappar WebAR and any other applications, products or services of Zappar covered by this Privacy Notice. A reference to Zappar Services includes any and all related databases, features, functionality, plug-ins, software and web pages.
“Zappar Website” means the official ZAPPAR website available at https://www.zappar.com/
“Zapvision App” means our application called ZAPVISION relating to the scanning of Accessible QR Codes and delivery of Content, including all versions of that application published by Zappar.
Where we refer to a “person” this includes individuals, companies, corporations, partnerships, limited liability partnerships, co-operatives, associations and other natural and legal persons.
When we use the words “includes” or “including” in this Privacy Notice we are not limiting ourselves in any way and mean “includes or including without limitation”.
Identity of the Data Controller
The data controller is Zappar Limited, a private limited company incorporated in the United Kingdom and registered in Scotland (company number SC394617). Our contact details are shown below in the section headed “Contacting Us”. Third parties, such as zapcode publishers or Accessible QR Code publishers, are the controllers with regard to the processing of your personal information in connection with your use of Third Party Content and, in that capacity, are solely responsible for compliance with applicable data protection and other legislation and regulation with regard to such processing.
As a data subject, you have the following rights under UK and EU data protection legislation (including the European General Data Protection Regulation (GDPR)), which we will always work to uphold:
- The right to be informed about our collection and use of Personal Data;
- The right of access to the Personal Data we hold about you (see “How can you access your Personal Data?”);
- The right to rectification if any Personal Data we hold about you is inaccurate or incomplete (please contact us using the details in “Contacting Us”);
- The right to be forgotten – i.e. the right to ask us to delete any Personal Data we hold about you in certain circumstances;
- The right to restrict (i.e. prevent) the processing of your Personal Data in certain circumstances;
- The right to data portability. This means that, if you have provided Personal Data to us directly, we are using it with your consent or for the performance of a contract, and that data is processed using automated means, you can ask us for a copy of that Personal Data to re-use with another service or business in many cases;
- The right to object to us using your Personal Data for a particular purpose or purposes; and
- Rights with respect to automated decision making and profiling.
When making a request, please be aware that we may be unable to delete Information that resides in our archives, and the requested removal of certain Information may mean we are no longer able to provide you with all or certain parts of the Zappar Services.
If you have any cause for complaint about our use of your Personal Data, please contact us using the details provided in “Contacting Us” and we will do our best to solve the problem for you. If we are unable to help, you also have the right to lodge a complaint with the UK’s supervisory authority, the Information Commissioner’s Office (ICO)
The ICO’s contact details are:
Information Commissioner’s Office
Helpline number: 0303 123 1113
European Representative under Article 27 of GDPR
We have appointed EU Rep as our Representative under Article 27 of the EU General Data Protection Regulation (“GDPR”). All GDPR queries from EU Data Subjects or Data Protection authorities should be addressed to firstname.lastname@example.org. BizLegal Ltd trading as EU Rep have their registered office at 27 Cork Road, Middleton Co. Cork, Ireland. Company number 635921.
Information that we may collect
As and when you visit, browse or use Zappar Services we may collect certain Information from you. Some of this Information may be Personal Data and some of the Information may be Anonymous Information. We use your Information in accordance with the terms of this Privacy Notice.
Below is a list of some of the Information we may collect from you, depending on how you interact with Zappar:
- Information to enable the use of certain features
- Emails sent to Zappar and messages submitted via the Zappar Website
- Zapbox orders
- Competition entries
- Responses to surveys and feedback requests
- User Generated Content
- Information given to us by other companies
- Device information, including location where required for the correct provision of the service, the camera where required for scanning the Accessible QR Code (all used in local mode, no images are sent outside of the mobile device)
- Information relating to your use of the Zappar App, a Zapbox App, the Zapvision App and WebAR
- Log Data – Zappar websites
Use of certain features
You are not required to register with Zappar simply to use one or more Zappar Services.
There are, however, some features of the Zappar Services that may require you either to confirm your country and age (*) and/or opt-in before you can access those features (e.g. photo share, newsletter, zapcode ‘upload feature’). You may be asked to provide certain Information about yourself when doing this. This could be one or more of the following items of Personal Data: your name, your email address, your postcode or zip code, your country of residence, username and password.
* Age information is not stored by us
Emails and other Information submitted to Zappar
If you choose to email or write to Zappar about the Zappar Services, or you fill in an online contact or support request form, we may collect Information about you from the content of your letter, email or other message e.g. your name, your email address, and what you like or dislike about Zappar. If you participate in a competition or promotion, or respond to a survey or feedback request then in addition to your entry or response we may collect your name, email and/or other contact details.
If you order a Zapbox from us we will collect some Information from you to enable us to process your order, e.g. your name, address and other contact details, and details of your transaction history
User Generated Content
Some features of the Zappar Services may allow you to create, submit, post, display, transmit or share content (e.g. photos, videos, comments, messages, and other materials) on or through the Zappar Services (we call this “User Generated Content”). This includes any ‘upload feature’ which is attached to a zapcode published by a third party (i.e. a person other than Zappar). You may find zapcodes printed on third party products or see them within third party services and publications. These codes enable you to unlock digital content on your mobile device by scanning (‘zapping’) the code.
When you use the Zappar App we will only collect and store your User Generated Content, if you choose to share an animated GIF from within an experience, or you upload content to a zapcode. We do not collect or store any photos or videos that you take within an experience, even if you choose to share that content with others.
Some of your User Generated Content may contain personal information about you or other natural persons, e.g. audio, photos or videos featuring you or your friends. We therefore advise you to be selective about what personal information you include in User Generated Content, and not to include any of the following types of personal information in any submission to any publicly available area of the Zappar Services: telephone numbers, physical addresses, full name or any other information of a sensitive nature. If you upload personal information about or depicting other individuals (e.g. a photo of a friend), you must obtain their consent first.
Please be aware that even if you remove personal information that you post to the Zappar Services, copies may still remain in cached and archived pages of the Zappar Services or on another user’s device.
IT IS ALSO IMPORTANT TO NOTE THAT YOU AND NOT ZAPPAR ARE RESPONSIBLE FOR, AND CONTROL YOUR USER GENERATED CONTENT. IF YOUR USER GENERATED CONTENT CONTAINS ANY PERSONAL INFORMATION OF OTHERS THEN UNLESS YOU ARE DOING THIS AS PART OF A PURELY PERSONAL OR HOUSEHOLD ACTIVITY YOU MAY HAVE OBLIGATIONS AS A ‘DATA CONTROLLER’ UNDER APPLICABLE DATA PROTECTION LAW THAT YOU NEED TO COMPLY WITH.
Information collected from other sources
Zapalytics and information about your device
When you use the Zappar App, the ZapBox App or our WebAR, our servers will automatically access or collect information from your device (e.g. smartphone), including the following:
- an Installation ID (see below);
- the IP Address linked to the device: we will process this to infer coarse user location (Country and City), and then discard the IP Address;
- the time;
- the make and model of your device (including operating system version);
- the version of the application being used; and
- information about your use of the application (we call this information “Zapalytics”).
We may use this Anonymous Information in the following ways: (i) to analyse and optimise your use of the Zappar Services; (ii) to provide notifications within a Zap based on your in-Zap activities; (iii) to develop new features and functionality; and (iv) to develop new products or services which we believe may be of use to you or other users of the Zappar Services.
Zapalytics Installation ID
The Installation ID is a unique installation ID generated by the Zappar App or ZapBox App when it is first run. In the case of WebAR, we use a cookie to set the ID on your device. The ID is a random number seeded from the system time and cannot be used to identify who you are. The ID is stored in the app’s storage directory (or locally) on your device and is used to anonymously track your use of the mobile application or WebAR in various ways, e.g.
- when you open the mobile application or launch WebAR;
- when you tap “ZAP”;
- the names and time of scan of Zaps accessed;
- How long you spend interacting with a Zap;
- when you perform certain actions during a Zap e.g. completing a game, high score achieved.
The Installation ID is not accessible to other apps or sites on your device and does not track you beyond the mobile application or WebAR site. We do not share the Installation ID within any third party.
Log Data – Zappar websites
Our systems will automatically record and store information created by your access to and use of our websites, including specific actions performed by you within these Zappar Services (collectively, “Log Data”). This may include information about your device, your IP Address, browser type, the pages that you visit, time spent on pages and other statistics. We use this information to better tailor the Zappar Services to our users’ needs and to provide you with targeted communications that you are happy to receive from us. We may also link this automatically collected information to Personal Data (e.g. if you submit a CONTACT US request or register for a Zapworks trial). We may also add Log Data to our customer relationship management system. We do not use any Log Data to track you outside of the Zappar Services.
GPS Location Data
Zappar does not currently receive or process any GPS location data provided by you or which we receive from location service providers. We may however wish to do so in the future to tailor the Zappar Services offered to users in a particular geographical location. If this becomes the case, we will only process GPS location data for which you have given us your consent, including your GPS location, which were provided by you or which we receive from GPS location service providers, but only for so long as this is necessary for delivering the Zappar Services and/or to the extent required as permitted by applicable law.
Legal basis for processing Personal Data
Our legal basis for collecting and using your Personal Data will depend on the Personal Data concerned and the specific context in which we collect it. However, we will normally collect Personal Data from you only where (i) we need the Personal Data to perform a contract with you; (ii) the processing is in our legitimate interests and not superseded by your rights; (iii) we have a legal obligation to process your Personal Data; or (iv) we have your consent to do so (e.g. you have ticked a box, or signed up for a newsletter).
We process your Personal Data on the basis of our “legitimate interests”, for example, when we provide you with the Zappar Services, carry out marketing, keep the Zappar Services secure, for engineering purposes, analysing users behaviour across the Zappar Services, providing customer support, and running, growing and developing our business.
We have a “legal obligation” to process your Personal Data when complying with a legal obligation, such as preventing a crime or fraud or maintaining tax records. This ground may also include our obligation under the UK Data Protection Act 2018 and GDPR to protect your Personal Data.
If you have questions about the legal basis for collecting and using your Personal Data, please contact us using the contact information provided in the “Contacting Us” section below
How does Zappar use your information?
We may use your Information for the following purposes:
Lawful Basis for Personal Data processing
To fulfil your Zapbox order and to satisfy our contract with you to supply your Zapbox.
Performance of a contract - if you do not provide the Personal Data requested we cannot fulfil your order.
To enable us to provide you with all of the features and functionality of the Zappar Services and to enable you to consume Content.
Performance of a contract, or (where no contract exists between us) legitimate interests. If you do not provide the Personal Data we may not be able to provide you with the requested service.
To enable you to create and share User Generated Content.
Legitimate interests - providing the Zappar Services and carrying out the action you have requested.
To provide you with personalised content and promotional communications that you are happy to receive from the Zappar Services.
Legitimate interests - marketing; providing the Zappar Services and carrying out an action you have requested.
To provide customer service in relation to your use of the Zappar Services, e.g. service updates, responding to support requests.
Performance of a contract, or legitimate interests. Where no contract is in force, the legitimate interests are providing you with customer care and product support.
Generally, to administer, support, analyse, improve and develop the Zappar Services, including updating the Zappar App, Zapbox App or Zapvision App on your device.
Legitimate interests - providing the Zappar Services and running, growing and improving the Zappar Services.
To understand how users navigate our online ecosystem in order to inform strategy for ongoing improvements.
Detecting, preventing, or otherwise addressing fraud, security or technical issues.
Legal obligation, i.e. compliance with data protection law.
Our legitimate interest in keeping our platform secure.
To exercise, establish or defend our legal rights, or to protect your vital interests or those of any other person.
As otherwise described in this Privacy Notice.
Please refer to the relevant section.
Profiling and automated decision making
We do create and maintain user profiles relating to some visitors to our websites. These profiles are created when a visitor fills in a form on zappar.com or zap.works, or registers for a Zapworks trial or for Zapvision CMS. No profiles are created for visitors who just browse the site(s). Our aim is to limit the Personal Data contained in these profiles to that required to achieve our legitimate interest of helping users get the best from our tools and better tailoring communications we send people.
We also apply some automatic decision making: we use a marketing automation tool called HubSpot which decides the type of communication you will receive (e.g. email, newsletter, blog content, tutorial content) based on who you are (e.g. a designer) and what actions you have performed within the Zappar Services. This means you may receive a different communication from someone else. In our view, this is the only consequence of the automation tool we use.
We may use your Information to send you notifications and information about the Zappar Services and other Zappar products and services we think may be of interest to you. If you have consented to receive marketing, you may opt out at a later date. If at any time you no longer wish to be contacted for this purpose, please let us know and we will remove you from our mailing list. Please note that you may not opt out of service related emails as these are necessary for the security and performance of the Zappar Services.
Where will your information be stored?
Your Personal Data may be transferred to, and processed in, countries other than the country of which you are a resident. These countries may have data protection laws that are different from the laws of your country.
We use Amazon Web Services (“AWS”) to store and process data on our behalf in connection with the Zappar Services. We primarily use AWS servers located in Ireland to store and process your Information; however AWS also use various servers located around the world to cache data locally and speed up access to Content.
We may engage other businesses to carry out data processing on our behalf. For example, we may engage someone to provide payment services, to host the Zappar Services, to administer electronic mailings on our behalf, or to provide analytics services. We will continue to be the data controller in respect of any Personal Data transferred to or shared with such third parties and shall remain responsible for the processing undertaken by them.
The following is a list of the main businesses who currently process data on our behalf in relation to the Zappar Services:
Data Storage Location
Amazon Web Services
Content hosting & serving
Primary storage location is Ireland but content may be cached locally to improve content delivery performance
User support requests
Business email and analytics services
Customer relationship management tools
Payments for Zapbox and order fulfilment
Spiral Galaxy Games
Order fulfilment for Zapbox
We may also share Information between our group countries, which are located in countries worldwide, including the United States.
Transfers outside of United Kingdom and Europe
If you use the Zappar Services while you are outside the United Kingdom or European Economic Area (EEA), your Personal Data may be transferred to countries outside the United Kingdom or EEA to enable us to provide you with those services. The circumstances in which this may happen are:
If any of our servers are located outside the United Kingdom or EEA or our service provider is located outside the United Kingdom or EEA (see the table above).
When you use one of our Zappar’s applications or the Zappar WebAR. These Zappar Services are made available by us for use internationally. This means it is possible that any Personal Data contained in your User Generated Content (e.g. your picture) that you publish on our platform (e.g. by connecting content to a zapcode, or sharing an animated GIF) may be automatically transferred by our servers to a device, server or other computer equipment being used in a country outside the United Kingdom or EEA.
Countries outside of the United Kingdom and EEA may not have similar data protection laws to the GDPR and UK Data Protection Act. If we do transfer any of your Personal Data outside the United Kingdom or EEA (e.g. to a data processor located outside the United Kingdom or EEA) we shall take all steps reasonably necessary to ensure that your Personal Data is adequately protected by: (i) only using processors who comply with UK and EU data protection laws (as applicable); (ii) the use of the European Commission's Standard Contractual Clauses or similar clauses adopted by the UK regulator in the case of transfers governed by UK law; and (iii) (in the case of transfers to the United States) the transfer of Personal Data to service providers and partners that are certified under any approved certification program in place at that time between the EU and the United States.
BY USING THE ZAPPAR SERVICES YOU SPECIFICALLY GIVE YOUR CONSENT TO THE INTERNATIONAL TRANSFERS REFERRED TO IN THIS SECTION
When might Zappar share your information with others?
We may disclose your Information to or share it with the following types of recipients:
- other users where you allow Information to be made public;
- social media services you choose to share Information with;
- any third party to whom disclosure is required to enable us to provide you with the Zappar Services, including our server provider(s);
- other companies that we have engaged to provide services on our behalf e.g. providers of analytics services and customer relationship management tools;
- any third party to whom we believe disclosure is necessary to protect the rights, property or safety of the Zappar Services, its users and the public. This includes exchanging Information with other companies and organisations for fraud protection and spam prevention;
- users of ZapWorks, i.e. creators and publishers of zapcodes and Zaps who will get to see information about your device and your use of the Zappar App or WebAR, but only in de-identified and aggregated form;
- users of Zapvision, i.e. manufacturers and producers who wish to publish Accessible QR Codes on their products, who will get to see information about your device and your use of the Zapvision app in de-identified and aggregated form;
- the publisher of a zapcode where you have chosen to upload content to their zapcode;
- our business partners, which may include advertising, brand and retail partners for the purposes of providing certain services available within the Zappar Services that are offered in conjunction with those partners. This Information would, for example, allow third-party advertising networks to, among other things, deliver targeted advertisements that they believe will be of interest to you;
- to inform business partners about use of the Zappar Services and products and services made available through the Zappar Services, in the form of aggregated statistics or otherwise in a format that does not identify you personally;
- any prospective purchaser of Zappar Limited, its parent company, or the Zappar Services or any part thereof (see below);
- any subsidiary or holding company of Zappar Limited or any subsidiary of any such holding company for use by them in accordance with this Privacy Notice; and
- other outside parties (e.g. judicial, government or regulatory authorities) to comply with the law and legal obligations.
We will not sell, trade or rent your Personal Data to anyone.
Controlling the use of your information
You may withdraw your consent for Zappar to process your Personal Data for direct marketing purposes at any time by notifying us in writing (an email will suffice).
You can opt-out from the future collection of Information by Zappar in accordance with this Privacy Notice by uninstalling all Zappar applications from your devices and discontinuing your use of the Zappar Services.
Changes of business ownership and control
Zappar may choose to expand or reduce our business and this may involve the sale and/or transfer of control of all or part of Zappar or the Zappar Services. Information provided by users will, where it is relevant to any part of our business so transferred, be transferred along with that part as one of the transferred assets. The new owner or newly controlling party will, under the terms of this Privacy Notice, be permitted to use the Information for the purposes for which it was originally supplied to Zappar.
We also reserve the right to disclose de-identified user data to the prospective buyer of such business or assets.
Links to Non-Zappar Services
The Zappar Services may contain links to websites, microsites and other on-line services that are operated by third parties i.e. businesses other than Zappar (collectively, “Third Party Services”). Zappar does not control these Third Party Services and is in no way responsible for their content, or information collection practices. This Privacy Notice DOES NOT apply to your use of any Third Party Services.
How do we keep your Personal Data secure?
Data security is of great importance to Zappar. We have put in place commercially reasonable physical, electronic and managerial security measures to protect your Personal Data from access by unauthorised persons and against unlawful processing, accidental loss, destruction and damage. Specifically, we use the following measures:
- The Information you send Zappar is protected by SSL/TLS end-to-end encryption when transmitted from your device to our servers.
- Information stored on our servers is protected by encryption, key authentication and by firewalls. Your Information will only be accessed by authorised employees. These employees are obliged to preserve the confidentiality of all information that comes to their attention unless disclosure is compulsory by law or necessary for the fulfilment of their duties.
Even though we have taken the above security measures given the nature of online communications we cannot 100% ensure the security of your Information or guarantee that your Personal Data will not be accessed, disclosed, altered or destroyed by an unauthorised person who is determined to circumvent our security measures.
How long do we keep your Personal Data for?
We will retain your Personal Data for the duration of your use of the Zappar Services and for a reasonable period thereafter for backup, archival and/or audit purposes or for as long as the law otherwise requires.
Where you have chosen to upload User Generated Content to a zapcode of a third party we will need to continue to store your content on our servers for so long as the third party wishes to have access to your content in accordance with any agreement you or Zappar may have entered into with that party.
User profiles created by our marketing automation tool (Hubspot) are subject to a retention period, which we keep under review. If you wish your profile deleted earlier, please contact us (see below).
How can you access your Personal Data?
You have the right to ask for a copy of any of your Personal Data held by us (where such data is actually held by us and we can identify who you are). We will normally provide copies in response to your request free of charge. We do, however, reserve the right to charge a reasonable fee for requests which are manifestly unfounded or excessive, particularly if it is repetitive and for further copies of the same Information.
We will ask you to provide reasonable proof of your identity before we disclose any Information to you.
Children’s Privacy and the Children’s Online Privacy Protection Act (COPPA)
This section of the Privacy Notice applies if any Zappar Services are accessed from within the USA or any other country which requires parental consent to be obtained before any collection of personal information from a child under the age of 13.
Zappar does not knowingly collect or solicit personal information from children under the age of 13. The Zappar Services and their Content are not intentionally directed at children under the age of 13 and we do not target children under 13 as our primary audience. In the event we learn that we have inadvertently collected personal information from a child under the age of 13, and that child lives in a country which does not permit such collection without prior parental consent, we will delete that information as quickly as possible.
If a parent or legal guardian becomes aware that their child under the age of 13 has provided us with personal information without prior parental consent, please contact us at the address below and we will delete such information from our files.
So we can comply with international privacy laws, we may use age screens for some Zaps. We do not store any individual’s date of birth.
Cookies, analytics and similar technologies
For more information on the privacy practices of Hubspot, please visit https://hubspot.com/privacy-policy.
If you would like to opt out of having this information collected by or submitted to Hubspot, please contact us.
Changes to our Privacy Notice
The Zappar Services, our collection and use of Personal Data and other information, and the laws and regulations which apply will change over time. We reserve the right to make changes to this Privacy Notice. When we update the Privacy Notice, we will post the new version to https://www.zappar.com/privacy/ and change the “Last Updated” date. We encourage you to visit this page from time to time for the latest on our information collection practices.
If you have any questions about the Zappar Services or this Privacy Notice, please contact us by email or by post using the details below. Please ensure that your query is clear, particularly if it is a request for information about the Personal Data we hold about you.
Postal Address: Data Protection, Zappar Limited, The Barley Mow Centre, 10 Barley Mow Passage, London, W4 4PH, United Kingdom
Irrespective of which country you live in or submit Information from the law which applies to this Privacy Notice shall be the law of England.