Data protection
Status: February 2026
Scope: ULTIDO Web App and Website
Preamble
At SnapNext GmbH & Co. KG (hereinafter referred to as "SnapNext" or "we"), the protection of your data is particularly important to us. "ULTIDO" is a brand of SnapNext. This privacy policy describes what information we collect within the framework of the ULTIDO platform and web app, how we use this information, and what rights you have.
ULTIDO is a gamified experience platform for amusement parks, zoos, and museums. By scanning QR codes, you can start missions, solve challenges, and collect rewards—all directly in your browser, without downloading an app.
1. Responsible Entity
Responsible for data processing:
SnapNext GmbH & Co. KG
Rommerskirchener Str. 21
50259 Pulheim
Germany
Email: datenschutz@snapnext.de
Data Protection Officer:
Currently, no data protection officer has been appointed.
2. What types of information do we collect?
2.1 Data you provide directly
Registration data (optional):
- Name, email address (only if you want to redeem rewards or save your progress)
- Age information (to ensure eligibility)
- Voluntary information (e.g., interests, preferences for personalized challenges)
Game content and interactions:
- Answers to quiz questions, puzzle solutions
- Uploaded photos or videos (in photo challenges)
- Text content (in creative challenges)
- Ratings and feedback
2.2 Automatically collected data
Usage data:
- Which challenges you have started and completed
- Your game progress (points, levels, achievements)
- Timestamps of activities
- Time spent per challenge/station
Location data:
- Which QR codes you have scanned (indirect location data)
- We do not use GPS geolocation.
Device information:
- Browser type and version
- Operating system
- IP address (anonymized within 24 hours)
- Device identifiers (session IDs)
- Screen resolution (for optimal display)
Cookies and similar technologies:
- See Section 8 (Cookies & Tracking)
2.3 Special categories of personal data (Art. 9 GDPR)
Photos of individuals:
If you upload images of yourself or others during photo challenges, these may include special categories of personal data (e.g., indications of ethnic origin, health status).
Important:
- We do not use biometric facial recognition for identification
- We do not create facial profiles or databases
- Photos are used solely for challenge participation and possibly for sharing
- Automatic deletion after 100 days
3. Legal bases for data processing (Art. 6 GDPR)
We process your data only based on the following legal bases:
3.1 Consent (Art. 6(1)(a) GDPR)
- Gameplay Participation: By scanning a QR code and starting the web app, you give your consent to data processing for gameplay functionality
- Photo/Video Uploads: Separate consent before each upload
- Marketing Cookies: Opt-in for tracking and analysis (see Section 8)
Withdrawal:
You can withdraw your consent at any time by:
- Ending the session (closing the browser)
- Requesting deletion of your data by emailing datenschutz@snapnext.de
3.2 Contract Fulfillment (Art. 6(1)(b) GDPR)
- Providing gameplay features (challenges, point system, leaderboards)
- Redeeming rewards (vouchers, coupons)
3.3 Legitimate Interest (Art. 6(1)(f) GDPR)
- Fraud prevention and platform security
- Technical administration and maintenance
- Anonymized usage statistics for product improvement
4. How do we use this information?
4.1 Gameplay functionality
- Conducting challenges: Storing your progress, calculating points
- Leaderboards: Displaying your score (with pseudonym/nickname, if selected)
- Managing rewards: Issuing and redeeming vouchers/coupons
4.2 Personalization
- Adaptive challenges: Adjusting the difficulty level and content to your preferences
- Recommendations: Suggestions for further missions based on your gameplay behavior
4.3 Analytics for park operators
We provide park operators with anonymized and aggregated statistics:
- Completion rates (How many players complete challenges?)
- Hotspot performance (Which stations are popular?)
- Reward redemption (How many vouchers are redeemed?)
- Average gameplay time and duration
Important: Park operators do not receive any personal data about you unless you have explicitly consented to data sharing (e.g., in partner sweepstakes).
4.4 Product development and improvement
- Bug fixing and technical optimization
- Development of new challenge formats
- A/B testing for better user experience
4.5 Communication
- Sending reward codes via email/SMS (if provided)
- Notifications about new challenges or events (with your consent)
- Customer support and inquiry processing
5. Sharing data with third parties
5.1 Park operators (clients)
The park, zoo, or museum in which you use ULTIDO is our client (B2B). We can provide this operator with the following aggregated data:
- Total number of players
- Average completion rates
- Hotspot visit statistics
Personal data is only shared if:
- You have explicitly requested this (e.g., when participating in sweepstakes)
- The operator requires it for contract fulfillment (e.g., to redeem rewards on site)
- A Data Processing Agreement (DPA) according to Art. 28 GDPR is in place
5.2 Sponsors and partners
If you participate in sponsored challenges (e.g., "Find the secret clue at partner X"), we may share the following data with the sponsor:
- Number of participants (aggregated)
- Success rate of the challenge (aggregated)
- With explicit consent: Your contact details for win notifications or marketing
You decide: Before participating in partner challenges, you will be informed separately about data sharing and can agree or decline.
5.3 Technical service providers (processors)
We use the following third parties for the technical provision of ULTIDO:
Cloud hosting and infrastructure
Framer (Hosting) – Framer may utilize infrastructure and hosting services from Amazon Web Services (AWS).
- Purpose: Hosting the web app, databases, servers
- Location: EU (GDPR compliant)
- Legal basis: Data Processing Agreement (Art. 28 GDPR)
Image and video hosting
Cloudinary (Cloudinary Ltd., Santa Clara, CA, USA)
- Purpose: Temporary storage and delivery of photo challenge uploads
- Location: EU servers (no data transfer to the USA)
- Retention: Automatic deletion after 100 days
- Legal basis: DPA pursuant to Art. 28 GDPR
Email dispatch
Email service providers (processors)
- Purpose: Sending reward codes and notifications
- Location: EU/EEA or with suitable guarantees pursuant to Art. 44 et seq. GDPR
- Legal basis: DPA pursuant to Art. 28 GDPR
Analytics and monitoring
Framer Analytics (if used) and technical monitoring through log files
- Purpose: Usage statistics, error detection
- Anonymization: IP addresses are shortened
- Opt-out: You can decline tracking (see Section 8)
AI services (optional)
If AI-based features are used:
- Google Gemini API (Google Ireland Ltd., Dublin, Ireland)
- Purpose: Support for individual functions within the web app
- Guarantee: No storage or use for AI training
- Legal basis: DPA pursuant to Art. 28 GDPR
5.4 Legal obligations
We may disclose your data if:
- There is a legal obligation (court order, authority request)
- This is necessary to enforce our terms of use
- We have legitimate reasons to suspect fraud or illegal activities
6. Data transfer to third countries (outside the EEA)
Principle: We process your data solely on servers within the European Union (EU) or the European Economic Area (EEA).
Exceptions:
If a transfer to third countries (e.g., USA) is necessary, we ensure that:
- Standard contractual clauses (SCCs) of the EU Commission are in place, OR
- An adequacy decision from the EU Commission exists, OR
- Other suitable guarantees pursuant to Art. 44 et seq. GDPR are in place
7. How long do we store your data?
7.1 Game sessions (without registration)
- Session data: Will be deleted as soon as you close the web app
- Anonymized statistics: Stored without time limit (no longer linked to a person)
7.2 Registered accounts (optional)
- Account data: As long as your account is active
- Inactivity: After 24 months without login, we send a reminder, followed by deletion after another 3 months
7.3 Photos and videos
- Challenge uploads: Automatic deletion after 100 days
- Shared content: As long as you do not delete it yourself (delete function: request to datenschutz@snapnext.de)
7.4 Logs and technical data
- Server logs: 14 days
- IP addresses: Anonymization within 24 hours
7.5 Legal retention obligations
- Invoices/contracts: 10 years (HGB, AO)
- Tax-relevant documents: 6-10 years
8. Cookies and tracking technologies
8.1 What are cookies?
Cookies are small text files that are stored on your device. They allow us to recognize your session and save preferences.
8.2 Which cookies do we use?
Essential cookies (always active)
These are essential for the functionality of the web app:
- Session management (login status, game progress)
- Security (CSRF protection, fraud detection)
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) or contract fulfillment (Art. 6(1)(b) GDPR)
Functional cookies (optional)
Enhance user experience:
- Language settings
- Preferences (e.g., preferred challenge types)
Legal basis: Consent (Art. 6(1)(a) GDPR)
Analytics cookies (optional)
Help us understand usage:
- Frequency of visits
- Popular challenges
- Drop-off points (where do users drop out?)
Provider: Framer Analytics (if used)
Legal basis: Consent (Art. 6(1)(a) GDPR)
Marketing cookies (optional)
Enable personalized advertising (if activated):
- Retargeting (ads on other websites)
- Social media pixels (e.g., Facebook, Instagram)
Legal basis: Consent (Art. 6(1)(a) GDPR)
8.3 Cookie management
You can change your cookie settings at any time:
- In the web app: Via the cookie banner or cookie settings
- In the browser: Via the privacy settings of your browser
- Opt-out tools: [Browser add-ons for analytics blocking]
Important: Without essential cookies, ULTIDO may not function correctly.
9. Your rights under the GDPR
You have the following rights at any time:
9.1 Right of access (Art. 15 GDPR)
You can request a copy of all data stored about you.
9.2 Right to rectification (Art. 16 GDPR)
If your data is incorrect or incomplete, you can request correction.
9.3 Right to erasure (Art. 17 GDPR - "Right to be Forgotten")
You can request the deletion of your data if:
- The data is no longer necessary for the original purpose
- You withdraw your consent
- The data has been processed unlawfully
Exceptions: Retention requirements (e.g., invoices) take precedence.
9.4 Right to restriction of processing (Art. 18 GDPR)
You can request that we temporarily restrict the processing of your data (e.g., during clarification).
9.5 Right to data portability (Art. 20 GDPR)
You can receive your data in a structured, machine-readable format (e.g., JSON/CSV).
9.6 Right to object (Art. 21 GDPR)
You can object to the processing of your data, especially in cases of:
- Processing based on legitimate interest
- Direct marketing
9.7 Right to lodge a complaint (Art. 77 GDPR)
You have the right to complain to a data protection authority:
Competent supervisory authority in NRW:
State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia (LDI NRW)
P.O. Box 20 04 44, 40102 Düsseldorf
Phone: 0211/38424-0
Email: poststelle@ldi.nrw.de
Website: https://www.ldi.nrw.de
10. Exercising your rights
To assert your rights, please contact us:
Email: datenschutz@snapnext.de
Subject: ULTIDO Data Protection Inquiry
Please indicate:
- Your request (access, deletion, etc.)
- Your identification (email address or player ID)
Processing time: We will respond within 30 days (legal deadline according to Art. 12 GDPR).
Identity verification: To ensure that we do not disclose data to unauthorized individuals, we may request additional information to confirm your identity.
11. Data security
We implement technical and organizational measures to protect your data:
11.1 Technical measures
- Encryption: HTTPS/TLS for all data transfers
- Firewall: Protection against unauthorized access
- Backups: Regular backups (encrypted)
- Access control: Only authorized employees have access
11.2 Organizational measures
- Training: Employee training on data protection
- Confidentiality obligations: All employees are contractually obliged
- Incident response: Emergency plans for data breaches
12. Data protection for minors
Age limit: ULTIDO is aimed at users aged 16 and older.
Under 16 years:
- Use only with parental consent
- We intentionally do not collect data from children without permission
- Parents can request deletion of their child's data at any time
13. Changes to this Privacy Policy
We may update this privacy policy from time to time to:
- Reflect changes in our practices
- Comply with new legal requirements
- Add new features
Notification:
- We will inform you of significant changes via email (if registered) or through a notice in the app
- The current version is available on our website
- Date of last change: Indicated at the top of this page
Your options:
- If you disagree with the changes, you can stop using the service and request the deletion of your data
14. Contact and questions
If you have questions regarding this privacy policy or the processing of your data:
SnapNext GmbH & Co. KG
Data Protection Team
Rommerskirchener Str. 21
50259 Pulheim
Germany
Email: datenschutz@snapnext.de
Phone: +49 221 1653 5560