Privacy Information

StreamUnlimited Engineering GmbH, a corporation duly organized and existing under the laws of Austria and having its principal office and place of business at High Tech Campus Vienna, Gutheil-Schoder-Gasse 10, A-1100 Vienna, processes your personal data for specific purposes, which are listed individually below. StreamUnlimited Engineering GmbH (hereinafter referred to as “SUE”) processes your data in compliance with data protection requirements.

We herewith inform you about the content of the processing in accordance with Art 13 and 14 GDPR below.

I. Contact details of SUE as the controller The controller responsible for the processing of your personal data in accordance with data protection regulations is

StreamUnlimited Engineering GmbH
Gutheil-Schoder-Gasse 10,
A-1100 Vienna
Phone: +43 1 667 2002 4014
E-Mail: info@streamunlimited.com

II. Scope of the processing of personal data 
1. Type of processed data and processing activities
We process the following aggregated and pseudonymized data from the user of a device without identifying the user personally: The installation identifier, the model identifier (common for all devices of the same kind) and the data about the device (which are Ethernet/Wi-Fi; Distribution of Wi-Fi connection strength (dB); Device settings; Firmware version; Locale / country / region;  Power states; Uptime; Factory resets; IOs/Android control app usage; Track codec / filetype usage) as well as data about specific processes running on the device (Listening time per service; Physical inputs and outputs usage; Distribution of values; Button usage; Interaction surfaces) (together “Raw data”).

The device may communicate with a Cloud Server during any operation – but usually limited to once every 24 hours. The collected data is aggregated and pseudonymized on the device before uploading it to the Cloud Server where we identify the device and generate statistics about its activity. All devices have a unique installation identifier, which is stored unencrypted on the device. The installation identifier is deleted when performing a factory reset of the device. Additionally, a model identifier is stored which is specific to the kind of hardware and cannot be changed. Either identifier cannot be read by the End User but it is accessible to any process running on the device.

The Raw data are stored for 24 hours on the device, and after these 24 hours a hash value is automatically derived from the model and installation identifier, and the Raw data are then sent to SUE and stored in a separate database for 30 days, and automatically deleted – which therefore includes the anonymization of the data by removing any direct or indirect reference to persons – after the time has elapsed. Hence, every 24 hours the gathered Raw data are newly encrypted and sent to a Cloud Server as an aggregated daily report (no individual actions are reported). If a device cannot access the Cloud Server, the gathered Raw data is stored on the device until a connection can be established.

The Raw data are then processed by SUE for statistical purposes together with the Raw data of other devices (the “Processed Data”). It is not possible to identify the person from the Processed Data without having the device itself – after a device was factory reset, it is not even possible with the device at hand.

2. Lawfulness of processing the Raw data 
Insofar as indirectly personal (pseudonymised) data are processed by combining characteristics of a device that enable a reference to the history of the device’s activity over the storage period of 30 days, SUE’s legitimate interest (Art 6 para 1 subpara f GDPR) in the evaluation of user behaviour at a pseudonymized level in order to gain insights for the improvement of products and services is cited as the legal basis. These interests of SUE in general analysis (which are recognized by the GDPR under recital 29) are not overridden by the interests or fundamental rights and freedoms of the data subjects. The data are pseudonymized directly on the device and hence, before they are processed.

It is, therefore, not possible for SUE or a third party to calculate back from the Processed Data to an individual device without further information, and in particular without disposing over the device physically. Further, the statistics made from the Processed Data do not couple with an identifiable singular device, and are therefore qualified as non-personalised results (“Insights”).

Even if it cannot be excluded that the combination of the data about the device in the Processed Data would allow to track the activity of the device for the storage period of 30 days, even if the installation identifier is anonymized, this, however, is not intended by SUE. Therefore the privacy interests of the data subject worthy of protection are not violated.

Under these circumstances and taking into account that it is not possible to identify the person from the Processed Data without having the device itself, the interests or the fundamental rights and freedoms of the data subject are not overriding.

3. Purpose of data processing
We collect the data in connection with the use of the streaming audio offer on the end device, without carrying out personal evaluations or otherwise achieving personal results, in order to document the use of the offers and to gain insights for quality improvement, product optimisation or adaptation of the offer. These measurements and analyses are, therefore, only used to analyse the intensity of use, the number of users and the streaming behaviour, e.g. to determine which parts of the offering are used and how often across all products.

In particular, we do not process your data to analyse your interests, to create a customer profile or to send you advertising based on your interests.

We do not share the Raw data with any third party. We, eventually, only share the Insights, which are no longer personal data under the GDPR, with any third party. The recipient of such Insights have no additional information that would enable them to identify the data subjects and further, have no legal means of accessing such information.

4. Data recipients
Only Processed data and hence, the data in any anonymized form, are shared with the manufactures of the devices.

The encrypted Raw data and Individual data are stored in a Cloud server that is hosted by Google, USA. The EU Standard Contractual Clauses (Module 2: Controller-to- Processor) have been entered into (see https://cloud.google.com/terms/sccs/eu-c2p).

5. Storage period
The Raw data is stored for 30 days, and thereafter deleted. This results in that they are anonymized.

6. Information on the existence of automated decision-making
We do not carry out automated decision-making, including profiling, in accordance with Art 22 (1) and (4) GDPR and therefore do not use it.

III. RIGHTS OF THE DATA SUBJECT
The data subject has the following rights under the GDPR:
1. Right to information (Art 15 GDPR)
2. Right to rectification and right to restriction of processing (Art 16 GDPR; Art 18 GDPR)
3. Right to data portability (Art 20 GDPR)
4. Right to erasure (Art 17 GDPR)
5. Right to object (Art 21 GDPR)

For the specific data processing, however, we only process data (raw data and processed data) in such a way that the data subject is not identified in the data and they therefore have no direct personal reference (Art 11 (1) GDPR). As we could therefore not easily identify you when exercising the rights of the data subject, the above rights do not apply in principle, unless you provide additional information to exercise your above-mentioned rights, which exceptionally enables us to identify you.

7. Supervisory authority
Irrespective of the possibility of a complaint to the regional court in accordance with Section 29 (2) of the Data Protection Act and any other legal remedies, there is a right to lodge a complaint with the competent national supervisory authority if unlawful processing of personal data is assumed. In Austria, the Austrian Data Protection Authority, Vienna, is responsible.