For the Point of Sales Application (tabtap SHOP) and Data Terminal (tabtap STATION)
Groots Consulting UG (haftungsbeschränkt) (“we,” “our,” or “us”) is a technology company that provides shop owners and their local retail businesses innovative user interfaces to provide data analytics and insights to enhance business performance and revenue streams. It does further provide localized insights and aggregated data from semi-urban and rural communities in emerging markets to public and private companies.
Our partners (“Partners”) are shop owners and local retail businesses that have access to certain customer information (“User Data”) and their own information (“Partners Data”) that they wish to use to improve their business performance. Our services include data analytics, insight and data aggregation (“Services”) by using our products: (i) Point of Sales Application and/or (ii) Data Terminal (“Products”). You can learn more about our Services on our website at https://groots.com/services/.
We work to ensure that our Services respect users’ privacy rights. To accomplish this goal, we adhere to privacy-by-design and privacy-by-default principles throughout the process of designing, building, and delivering our Services.
The terms of this Policy apply to all User Data (meaning the Partners themselves or customers of the Partners) and Partner Data (shop owners and local retail businesses) to the extent it contains your personal data as defined in the applicable laws and regulations.
This Policy also does not apply to information collected by other additional third parties who may provide information to us, as their information handling practices are covered by their own privacy policies.
The Policy’s wording can be technical; in case you have any questions, do not hesitate to write to firstname.lastname@example.org.
Our external Data Protection Officer is
TechGDPR DPC GmbH (techgdpr.com)
WHAT PERSONAL DATA DO WE PROCESS:
To use our services, Users and Partners must create an account via the application. If you are a Partner and you create an account, we collect the following details from you: name, country, phone number, shop lD, birthday, gender, language, payment details (Bank account details will be used to reward Partners for every customer that completes a survey.) If you are a User we collect your name and email address. The applied legal basis under the GDPR for this processing is our legitimate interest (GDPR Art. 6.1.f)
Additionally, during the registration process, with prior explicit consent Article 6(1)(a) in conjunction with Article 9(2)(a) GDPR), we will also collect biometric data (finger prints) .The purpose of the biometric information is to allow low literacy individuals from registering onto the Data Terminal platform without the need to provide traditional login and password information and award Partners and Users once they fill out the respective surveys.
We collect biometric data to prevent fraud use of our Services by preventing repeat Partners and Users from using the system to obtain a monetary or product incentive when we only need one response to the survey questions from each Customer. In other instances when there are more than one survey to complete (i.e. a single customer can use the platform multiple times to complete all the different surveys), then the biometric registration will be used to track individual Customers to sequentially present surveys for completion.
We do not share this data with anyone.
Point of Sales Application or Tabtap Shop- Sales Tracking Data
Our Partners have access to the User Data and/or Partner Data while conducting their businesses, recording and tracking their daily sales in our product “Point of Sales Application” improving in that way their business performance.
As soon as you create an account with us, Partners are asked to provide certain information by means of a survey component.
Those surveys may contain questions related to what the GDPR refers to as “sensitive data or special categories of data ”, meaning Groots may ask Partners to provide information revealing racial or ethnic origin, data concerning health. Additionally, it might contain questions related to the number of childs in their houses,, socio-economic data, schooling education, among others.
We share the above information with our clients. Our clients (“Clients”) are private and public companies and institutions, including NGOs, International Organisations (IO, such as e.g. UN institutions), Companies (such as e.g. insurance companies, Fast-moving-consumer-goods manufacturers, media, academics, consultancies), and Government Institutions (e.g. Health Ministries) that wish to have access to certain insights and aggregated data for successful project management, product design, implementation of interventions, and Monitoring and Evaluation (M&E) activities.
By using our Services, our Clients may have access to (i) anonymised data and/or (ii) raw data and/or (ii) de-identified aggregate data sets helpful for statistical analyses, predictions, and insights for their own projects. These analyses can be descriptive in nature (e.g. estimates of averages of certain socio-economic indicators) or include inference (e.g. statistical comparisons of indicators across certain sub-groups). Analytical methods used to produce such estimates will be standard statistical approaches (e.g. regression analysis) or also borrow from modern data science methods (e.g. Machine Learning approaches such as random forests). Analyses will generally target population level or aggregate level estimands, answering questions at those aggregate levels. A typical question would be: “On average, what socio-economic characteristics of households are associated with higher probabilities of having access to clean drinking water?”. We will also sometimes conduct longitudinal studies, i.e. studies in which certain users or partners are tracked over time. The objective of such analyses will be to identify trends of indicators over time and to see whether these are influenced by any outside factors – such as e.g. the implementation of a certain programme or policy.
The applied legal basis for storing, processing and sending Partner’s and User’s data to our Clients is valid consent (GDPR Art. 6.1.a). You may revoke your consent at any time. Doing so will bar us from further processing of your personal data based on your consent but will not impact the lawfulness of processing based on your consent before it was withdrawn.
We will store this data for 2 years.
Data Terminal or Tabtap STATION
Our Partners and Users collect different type of data through the usage of the terminal installed at their premises that run simple surveys (“Data Terminal”).In addition to the product sales and survey related information being harvested in the Point of Sales Application platform, Groots may ask Partners and Users to complete a survey. We receive ,depending on the type of project, the following categories of User Data and/or Partner Data(i) geographic information (such as e.g. geolocation, city, region, province) (“Geographic data”); (ii) demographic information (such as e.g. age, gender or sex, household member composition, language spoken) (“Demographic data”); (iii) socio-economic information that broadly describes the living conditions of individuals and households (such as e.g. income, consumption, education level, infrastructure conditions, housing conditions livestock and crop composition, farm productivity, and seasonal crop incomes (“Socio-economic data”); (iv) purchase and sales data (such as e.g. number of items sold, number of times certain items were bought) (“Sales and purchase data”) ; (v) names, email addresses, and phone numbers (“Identity data”); (vi) self-reported health data (such e.g. on the appearance of certain symptoms related to the flu) (“Health data”); (vii) knowledge, attitudes, and practice (KAP) data on certain topics (such as e.g. knowledge, attitude, and practices of water treatment in a household) (“KAP data”).In some instances, we might receive voice recordings (e.g. as answers to specific questions) or pictures of certain objects (e.g. water installations in the house).(See Section below for more information)
We use this information to provide to our Clients (i) anonymised data and/or (ii) raw data and/or (ii) de-identified aggregate data sets helpful for statistical analyses, predictions, and insights for their own projects.
Nevertheless, we also process this data for our own business purposes. The applied legal basis for storing, processing and sending to Clients categories of User Data and/ or Partner Data is valid consent (GDPR Art. 6.1.a). You may revoke your consent at any time. Doing so will bar us from further processing of your personal data based on your consent but will not impact the lawfulness of processing based on your consent before it was withdrawn.
We will store this data for 2 years.
We create different types of surveys depending on each Client’ project. The following list gathers the data collected by us depending on the project we are working on with our Clients:
(i) geographic data
We may obtain information about the geographical location of shops and users’ households. This might include specific geolocation data collected via GPS technology (i.e. location measured in latitude and longitude). More commonly, this will include information on administrative areas a shop is located in (e.g. country, province, city, etc.) and on the addresses of a shop. It might also include information on certain characteristics of a location – e.g. whether this is an urban, semi-urban, rural location.
Groots uses this data to aggregate information and estimates at the appropriate geographical and administrative level, such as for example estimating the proportion of shops and households that have received electricity in the past week in a certain province or city. Similarly, Groots uses this information to compare estimates across geographic and administrative areas. Finally, Groots uses geographical information in multivariate analyses to control for potential biases introduced by geographical factors.
(ii) demographic data
We may obtain demographic User Data and/or Partner Data from our Partners, such as e.g. age, gender or sex, household member composition, language spoken in a household. Such demographic data is data commonly collected in surveys implemented e.g. by national statistics offices or international organizations, such as the World Bank. This data is used to describe the general demographic characteristics of a population.
Groots uses this information to create demographic segments about users, for example users who are “males, 30 to 34, have access to clean water”. It will use this information to compare estimates of certain indicators across groups of individuals (e.g. proportion of households with access to clean water among female and male-headed households). It will also use this data to assess representativeness of estimates by comparing aggregate demographic information of its users to demographic characteristics of a reference population, derived from publicly available data (e.g. census or survey data). Finally, it will use this demographic data in multivariate analyses to control for any variation that might be due to demographic characteristics.
(iii) socioeconomic data
We may obtain information about the socioeconomic status of individuals and households. This will include information about e.g. income, consumption, education level, infrastructure conditions, housing conditions. Such socioeconomic data is commonly collected in surveys implemented by national statistics offices or international organizations, e.g. via the LSMS surveys of the World Bank. The data is used to describe livelihoods and wellbeing of individuals and households.
Groots uses this information to describe, at an aggregate level, the living conditions of individuals and households. It will also compare estimates of certain indicators across groups of households that share similar conditions. Finally – as before – it will include this information in multivariate analyses.
(iv) sales & purchase data
We may obtain purchase data from our Partners, such as items that have been bought in stores, the number of certain items sold over a period of time, and the prices of those items. Overall, this data will describe transactions in a shop – both in terms of sales but also in terms of purchases by shop-owners e.g. to restock items.
Groots uses this information to describe sales transactions across shops. It also uses price information to calculate price indices of certain items.
(v) names, email addresses and phone numbers (“identity data”)
We may collect such information to identify Partner’s customers, and to potentially contact them via messages and emails. This data will not be used in analyses. This “Identity data” will also not be shared with our Clients.
(vi) health data
We may collect self-reported health data. This means that we might ask our Users and Partners questions about health-related issues, e.g. whether they are experiencing any flu-related symptoms or symptoms of digestive problems. We will not collect any human bio samples or health measurement data directly.
Groots will use self-reported health data to produce aggregate estimates of the prevalence of certain self-reported health related conditions, such as for example the flu.
(vii) knowledge, attitude, and practices (“kap data”)
We may ask Users and Partners about their knowledge of, views on, and behaviour with respect to certain issues that might be of interest to our Clients. For example, we might ask them about whether they know about certain hygiene practices (e.g. washing hands), whether they think they are important, and whether they implement them.
Groots will use this data to report, at an aggregate level, about the prevalence of certain KAP indicators and to compare these across different sub-groups of users. The results of such analyses will then be shared with Clients.
WITH WHOM DO WE SHARE USER DATA
We share User and Partner Data with the following categories of third parties: (i) our hosting provider Amazon Web Services; (ii) NGOs, (iv) companies, (v) International Organisations, (vi) Government Institutions.
NGOs we work with might include international NGOs such as OXFAM, CIFF, and the Bill and Melinda Gates Foundation.
Companies we work with might include international insurance companies or consultancies, media outlets, FMCG manufacturers and distributors, academics and others.
International Organisations (IO) we work with might include those of the UN System (e.g. UNICEF), the World Bank, the European Union, and other IO working in International Development.
Government Institutions we work with might include ministries and other Government agencies, such as e.g. energy agencies, health ministries, etc.
User and/or Partner Data shared can include data that allows for identification of the individual. Where possible, only aggregated data will be shared with Clients. We will also disclose your User Data and/or Partner Data in response to valid legal processes, for example, in response to a court order, a subpoena or other legal request for information, and/or to comply with applicable legal and regulatory reporting requirements. We also may disclose your information where we believe it is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, or to verify or enforce compliance with the policies governing our products and/or services and with applicable laws, or as otherwise required or permitted by law or consistent with legal requirements. We are required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
In addition, we may transfer your information to an entity or individual that acquires, buys, or merges with us, or our affiliates. In these cases, we will require the acquiring company to carry on the material terms of this Policy, including the requests for deletion.
WHEN WE TRANSFER USER DATA INTERNATIONALLY
When we share User Data and/or Partner Data with the recipients described above, such sharing may constitute a transfer outside of your home location. By law, we are required to ensure that the level of protection guaranteed for your personal data by the European laws is not undermined by such transfer. To ensure compliance with data protection requirements on international transfers, the Standard Contractual Clauses (SCC) as adopted by the European Commission’s Implementing Decision of 4 June 2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council are signed with our Clients and/or Service Providers.
HOW WE PROTECT PERSONAL DATA
We take appropriate technical and organizational safeguards to protect any personal data we receive from theft, loss, and unauthorized access. We follow generally accepted standards to protect personal User Data and/or Partner Data throughout the entire use cycle starting from the initial transfer until deletion. However, no method of transmission over the Internet, or method of electronic storage, is 100% secure. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
YOUR RIGHTS WITH RESPECT TO YOUR PERSONAL DATA
Your personal data belongs to you. You have the following rights with respect to your personal data:
- The right to object against the processing of your information.
If we process your information for our legitimate interests (e.g., for direct marketing emails or for our marketing research purposes), you can object to it. Let us know what you object against and we will consider your request. If there are no compelling interests for us to refuse to perform your request, we will stop the processing for such purposes. If we believe our compelling interests outweigh your right to privacy, we will clarify this to you.
- The right to access your information.
You have the right to know what personal data we process. As such you can obtain the disclosure of the data involved in the processing and you can obtain a copy of the information undergoing processing.
- The right to verify your information and seek its rectification.
If you find that we process inaccurate or out-of-date information, you can verify the accuracy of your information and/or ask for it to be updated or corrected;
- Restrict the processing of your information.
When you contest the accuracy of your information, believe we process it unlawfully or want to object against the processing, you have the right to temporarily stop the processing of your information to check if the processing was consistent. In this case, we will stop processing your data (other than storing it) until we are able to provide you with evidence of its lawful processing;
- The right to have your personal data deleted.
If we are not under the obligation to keep the data for legal compliance and your data is not needed in the scope of an active contract or claim, we will remove your information upon your request.
- The right to have your personal data transferred to another organisation.
Where we process your personal data on the legal basis of consent you provided us or on the necessity to perform a contract, we can make, at your request, your data available to you or to an organisation of your choosing.
You can formulate such requests or channel further questions on data protection by contacting us at email@example.com. We will delete all User Data and/or Partner Data associated with such request. The deletion request will be forwarded to all Clients that might have received access to the relevant Users Data.
Some data will remain stored in anonymised form in order to allow future analyses to be carried out. This means that we will remove all information that allows to personally identify individuals or households. This relates to the “Identity data” but also to any geographic, demographic and socioeconomic data that could reasonably be used for identification purposes.
Apart from all the above rights, you can also lodge a complaint with a supervisory authority if you believe we or our Clients infringed upon your rights.
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for. We retain data until the occurrence of the following events: (i) request from a Partner to delete certain User Data; or (ii) the User submits a deletion request of associated data; or (iii) expiration of Groots defined retention period of:
- For each Partner: 24 months from the last usage of the Point of Sales Application.
- For each User: 24 months from the last data collection point. We might conduct longitudinal studies in which the same users will be asked to provide information about certain issues repeatedly over time. Generally, the pauses between such points in time will not be longer than 24 months. This means that we will get in touch with users within that time frame to ask them to provide information again. Hence, this data will generally not be stored beyond this time period after the last data collection point.
Some data might be stored for the purpose of future research without retaining any identifiable information. This means that we will remove any data that we consider to be data that can be used to identify individuals or households (e.g. names, birth dates, addresses, GPS locations, biometric information). The purpose of this is to ensure that future analyses can be conducted by referring back to longitudinal data as well – e.g. from a certain area. Where possible, we will store such information in aggregate form that will still allow to carry out key analyses.
We do not knowingly collect data directly from children, the features of the Data Terminal are intended to prevent any use by children (i.e. the height of the Terminal shall be unreachable by users under the age of sixteen (16)).
We might collect data of children from their parents and, in such cases, we take additional steps to protect children privacy, including: (i) re-notifying parents about the types of information we may collect on their children and related usage; (ii) obtaining their explicit parental consent.
We use “Google Firebase”, a platform for developing apps for mobile devices that provides us with the following features: (i) information on how the users interact with our App (such as, i.e. the first time an app is opened, the uninstalling of an app, updates, crashes or the frequency of use of the app are recorded); (ii) analytics reports based on such information.
These data help us understand clearly how the Users behave while using our App, so that we can make informed decisions regarding our App features and performance optimizations.
The applied legal basis under the GDPR for this processing is our legitimate interest (GDPR Art. 6.1.f)
If you have any questions or suggestions about this Policy and our privacy practices, please contact us at: firstname.lastname@example.org
Groots may from time to time change this Policy at any time with or without notice. However, if this Policy is changed in a material, adverse way, Groots will post a notice advising of such change at the beginning of this Policy and on this site’s home page for 30 days. We recommend that you revisit this Policy from time to time to learn of any such changes to this Policy.