DATA USAGE POLICY
GDPR COMPLIANCE FRAMEWORK
INTRODUCTION
We are SCIMM, a private limited liability company incorporated under Belgian law, having its registered office at Léon Stynenstraat 53 box 402, 2000 Antwerp, Belgium ("SCIMM") and registered with the Crossroads Bank for Enterprises (Kruispuntbank van Ondernemingen or KBO) under enterprise number 0801.235.242.
In the course of our business, we may collect personal data from customers, prospects, users of our services, visitors to our website, persons who provide their business card or otherwise their contact details to us, and persons who contact us by e-mail or otherwise.
This policy outlines how SCIMM manages personal data in compliance with the applicable data protection law, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"). It establishes the framework for data collection, processing, storage, transfer, and deletion to ensure lawful and transparent data practices.
Important information when you access this solution via a brand
If you are using this fitting solution through a brand, retailer or other partner (the “Brand”), please note the following:
In this context, SCIMM acts solely as a data processor on behalf of the Brand. This means that the Brand is the data controller and determines which personal data are collected, for which purposes and how they are further used. In particular, the Brand may decide to use the personal data you provide for its own purposes, such as customer relationship management, marketing or commercial communications, in accordance with its own privacy policy.
SCIMM only processes your personal data on the documented instructions of the Brand and does not independently decide to use your data for the Brand’s purposes.
For full information on how your personal data are used by the Brand, including your rights and how to exercise them, please consult the Brand’s privacy policy.
This privacy policy describes how SCIMM processes personal data when acting as a data processor, and, where applicable, when acting as a data controller in other contexts.
1. What Personal Data Do We Request and Why?
SCIMM processes the following categories of personal data:
| WHY? | WHICH DATA? | ON WHAT BASIS? |
| --- | --- | --- |
| To create an account | Name, email address, age, gender | Prior, express, free, specific and informed consent (art. 6.1 a) GDPR) |
| To capture and process 3D body scans for size recommendations and fit analysis | 3D body scan images, body measurements, biometric identifiers, physical characteristics | Explicit consent (art. 9.2 a) GDPR) - special category biometric data |
| To improve ML sizing accuracy (optional) | Pseudonymized body scan data for model training | Separate explicit consent (art. 9.2 a) GDPR) - users may opt out |
| To help with technical problems or other questions | Data required to resolve these issues | Necessary for the exercise of our legitimate interests (art. 6.1 f) GDPR), in particular to enhance the quality of our services |
| To provide information about new functionalities of the services | Name, email address | Necessary for the exercise of our legitimate interests (art. 6.1 f) GDPR), in particular to communicate relevant information |
| To analyse statistics about visitors to the website in order to improve the website | Data on visitors' behaviour, cookies, IP addresses | Prior, express, free, specific and informed consent (art. 6.1 a) GDPR) |
| To comply with legal obligations | Data required by applicable law | Necessary to comply with a legal obligation (art. 6.1 c) GDPR) |
| To prevent, detect and combat fraud and other illegal or unauthorised activities | Data required for detection of fraud and illegal activities | Necessary for the exercise of legitimate interests (art. 6.1 f) GDPR), in particular the prevention of fraud and other illegal activities |
| To fulfil payment obligations | Email address, financial information | Necessary for the exercise of legitimate interests (art. 6.1 f) GDPR) |
| For newsletters | Name, email address | Prior, express, free, specific and informed consent (art. 6.1 a) GDPR) |
2. With Whom Do We Share Personal Data?
SCIMM may disclose personal data to the following parties:
With service providers and partners: SCIMM uses third parties to help operate and improve its services. These include:
- Hosting and infrastructure: Supabase (database), Vercel (hosting)
- Body scanning technology: Meshcapade (3D body model processing)
- Analytics: Website analytics providers (as disclosed in Cookie Policy)
- Payment processing: Payment service providers
- Brand partners: Fashion and sports equipment brands (who receive only sizing recommendations, not body scan data)
With law enforcement/when required by law: SCIMM may disclose personal data if reasonably necessary: (i) to comply with a legal process, such as a court order, subpoena or search warrant, government/law enforcement investigation or other legal requirements; (ii) to assist in the prevention or detection of crime (subject in each case to applicable law); or (iii) to protect the safety of any person.
When transferring personal data to third parties, SCIMM always ensures that appropriate technical and organisational protection measures are implemented. Where necessary, SCIMM will conclude a data processing agreement which sets out restrictions on the use of personal data and obligations in respect of the security of personal data.
Personal data will not be lent or sold to third parties for marketing purposes without prior express consent.
3. Data Transfer and Export
SCIMM acknowledges the following regulations regarding data transfer:
Personal data may be transferred freely within the European Economic Area (EEA)
Transfers outside the EEA require appropriate safeguards: Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or Adequacy decisions by the European Commission
Special category data transfers (including biometric data) are subject to stricter requirements
All international transfers will be documented and risk-assessed
4. Cross-Border Data Use Within Benelux
SCIMM confirms that:
Personal data collected in Belgium may be processed in the Netherlands and Luxembourg without additional transfer mechanisms
GDPR compliance remains mandatory across all Benelux operations
Internal data sharing agreements will document all cross-border processing activities
5. Data Rights and Ownership
SCIMM recognises that:
Individuals (data subjects) maintain fundamental rights over their personal data
SCIMM acts as a data controller with responsibilities for lawful processing
Customers retain the following rights:
Access their personal data: Individuals have the right to obtain confirmation from SCIMM as to whether or not it is processing personal data, to obtain access to that personal data and how and why it is being processed, as well as to receive a copy of that data.
Request rectification of inaccurate data: Individuals have the right to obtain a correction of their personal data or to request that SCIMM complete personal data in case of incorrect or incomplete processing.
Request erasure ("right to be forgotten"): Individuals have the right to obtain data erasure in certain specific cases.
Object to certain types of processing: Individuals have the right to object to the processing of their personal data if the processing is carried out on the legal basis of a legitimate interest, including profiling. Individuals also have the right to object to the processing of their personal data for direct marketing purposes. This right is absolute - SCIMM will always comply with it.
Data portability: Individuals have the right to obtain the personal data they have provided SCIMM with in a structured, commonly used and machine-readable form, and to transfer that personal data (or have it transferred) to another controller.
Withdraw consent: Individuals have the right to withdraw consent at any time where they have previously given consent to the processing of their personal data. This includes the right to withdraw consent for body scan data collection or ML model training separately.
Restriction: Individuals have the right to have the processing of their personal data restricted in certain specific cases.
Individuals may exercise the above rights by sending an e-mail to privacy-enquiries@scimm.eu or, in the case of the right to object to direct marketing, also via the opt-out link included in our marketing e-mails. The exercise of these rights is in principle free of charge. Only in case of unreasonable or repeated requests may SCIMM charge a reasonable administrative fee. SCIMM will always try to answer requests or questions as quickly as possible (within one month of receipt). It is possible that SCIMM will first ask for proof of identity. For further information and advice on the above rights, please visit the website of the Data Protection Authority: www.gegevensbeschermingsautoriteit.be.
In addition to the above rights, individuals also have the right at any time to lodge a complaint with the Data Protection Authority in connection with the processing of their personal data via contact@apd-gba.be or by mail at Gegevensbeschermingsautoriteit, Drukpersstraat 35, 1000 Brussel.
6. Biometric and 3D Avatar Data
For 3D body scan data and resulting avatars, SCIMM acknowledges:
This constitutes special category personal data under GDPR Article 9 (biometric data)
Processing requires explicit consent or another valid legal basis under Article 9.2 GDPR
SCIMM will:
- Complete Data Protection Impact Assessments (DPIAs) for body scanning operations
- Implement enhanced security measures including encryption at rest and in transit
- Clearly communicate how this data will be used before collection
- Honor individual rights requests regarding this data with priority
- Limit access to authorized personnel only on a need-to-know basis
- Provide separate consent mechanisms for body scanning and ML model training
7. Automated Decision-Making and Profiling
SCIMM uses automated processes to generate size recommendations based on body scan data. Individuals have the right to:
Obtain human intervention in the recommendation process
Express their point of view regarding automated recommendations
Contest automated decisions that significantly affect them
8. Data Usage Principles
SCIMM commits to processing personal data according to these principles:
Lawfulness: All processing will have a valid legal basis
Purpose limitation: Data will only be used for specified purposes
Data minimisation: Only necessary data will be collected
Accuracy: Data will be kept accurate and up-to-date
Storage limitation: Data will be retained only as long as necessary
Integrity and confidentiality: Appropriate security measures will be implemented
Accountability: SCIMM will document compliance and demonstrate responsibility
9. Data Retention and Deletion
SCIMM establishes the following data retention periods:
Account data: Retained until account deletion, then archived for 30 days before permanent deletion
Body scan data: Retained for 24 months after last use, or until consent is withdrawn
ML training data: Pseudonymized data retained for model improvement purposes until consent is withdrawn
Marketing data: Retained until consent is withdrawn, then deleted within 30 days
Analytics data: Retained for 26 months as per analytics provider retention policies
Financial records: Retained for 7 years as required by Belgian accounting law
Support communications: Retained for 12 months after case closure
SCIMM will:
Conduct regular reviews of retained data to ensure compliance with retention policies
Implement secure deletion processes when retention periods expire
Document all deletion activities in compliance logs
Retain data beyond standard periods only when required by law or other valid legal grounds
10. Data Security Measures
SCIMM implements comprehensive technical and organizational security measures to protect personal data:
Encryption: All body scan data is encrypted at rest (AES-256) and in transit (TLS 1.3)
Access controls: Role-based access control with multi-factor authentication for personnel
Pseudonymization: Body scan data used for ML training is pseudonymized
Regular audits: Quarterly security audits and penetration testing
Breach notification: SCIMM will notify affected individuals and the Data Protection Authority within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to individuals' rights and freedoms
11. Cookies and Tracking Technologies
SCIMM uses cookies and similar tracking technologies to enhance user experience and analyze website usage. We use the following types of cookies:
Strictly necessary cookies: Essential for website functionality (no consent required)
Analytics cookies: Used to understand how visitors interact with the website (requires consent)
Marketing cookies: Used to deliver personalized advertisements (requires consent)
Users can manage cookie preferences through our cookie consent banner or by adjusting their browser settings. Withdrawal of cookie consent does not affect the lawfulness of processing based on consent before withdrawal.
For detailed information about specific cookies used, please refer to our Cookie Policy available on our website.
12. Children's Privacy
SCIMM's services are not directed to children under the age of 16. We do not knowingly collect personal data from children under 16.
For users between 16 and 18 years old, we may require parental consent for the processing of body scan data (special category data) depending on national law requirements.
If we become aware that we have collected personal data from a child under the appropriate age without proper consent, we will take steps to delete such information as quickly as possible.
13. References to Other Websites
The website may contain links to other sites that are not operated by SCIMM. By clicking on a third-party link, individuals will be redirected to that third-party site. SCIMM strongly recommends reviewing the privacy policy of each site visited.
SCIMM has no control over, and assumes no responsibility for, the content, privacy policies, or practices of any third-party website or platform.
14. Changes to the Privacy Policy
From time to time it may be necessary to amend this privacy policy. When SCIMM posts changes to the privacy policy, it will change the "last updated" date at the end of the document. Material changes will be communicated to users via email or prominent notice on the website.
The most recent version of this privacy policy will be available on the website at all times. Continued use of SCIMM services after changes indicates acceptance of the updated policy.
15. Contact and Data Protection Officer
In case of questions or concerns regarding this privacy policy or our processing of personal data, please contact SCIMM at:
Email: info@scimm.eu
Address: Léon Stynenstraat 53 box 402, 2000 Antwerp, Belgium
KBO: 0801.235.242
_______________________________________________
Last updated: October, 2025
SCIMM BV
2000 Antwerp, Léon Stynenstraat 53, bus 402
Registration: 0801.235.242