Privacy Policy

Last updated: January 1st, 2023

1. Introduction

1.1 This data protection and privacy policy (the “Policy”) describes how we collect and process your personal data when you purchase or visit from (the ‘’Site’’) or any Subdomains hosted by Aioray (‘’unlock pages’’).

1.2 The Policy is prepared and made available to provide you with information about the processing in a concise, transparent, intelligible and easily accessible form, using as clear and plain language as possible, as it is required from the general data protection regulation (2016/679 of 27 April 2016) (the “GDPR”).

2. Collecting personal data

2.1 When you use the site, we collect device information using these technologies:

  • ‘’Log files’’ are trackers of your actions when interacting on the Site, these include collecting your IP address, internet service provider, browser type, exit and referring pages, and time/date stamps.

  • ‘’Web beacons’’, ‘’pixels’’, and ‘’tags’’ are files used to record information on your usage when browsing the Site.

  • ‘’Cookies’’, small text files that are placed on your device. Some of these are necessary for the site to function while others are used to improve our services. Cookies that are not necessary for the site will only be placed on your device if you have given consent to such placement in accordance with section 3 of the Danish Cookie Order (No. 1148 of 9 December 2011).

2.2 If you wish to limit or decline the cookies placed on your device when visiting our site, you can do so at any time by changing the settings on your device or deleting your cookies. However, you should be aware that if you decline or reject cookies it may impact the functionality of the site, which means that you may not be able to use some or all parts of the site.

2.3 If you have consented to the placement of cookies that are not strictly necessary for the functionality of the site, we will disclose and/or share data collected from such cookies with the following companies:

(a) “Google LLC” and sub-processors to provide the Google Analytics tool, which is used for anonymization and aggregation of data to create insight for the improvement of the site.

Such cookies can be used to gather information about your device for a maximum of (a) two years in the case of Google Analytics, since the last time you used the site. If you use the site again within the period, the expiry date is then prolonged for another two years or three months, respectively.

3. Types of personal data processed

3.1 We process personal data about you when this is necessary and in accordance with the applicable legislation. Depending on the specific circumstances, the processed personal data include the following types of personal data:

(i) Basic personal data (for example postal code, city of residence, country of residence, mobile phone number, initials, email address, date of birth).

(ii) Contact information (for example addresses, email, phone numbers, social media identifiers, emergency contact details).

(iii) Pseudonymous identifiers.

(iv) Location data (for example, Cell ID, IP address, geo-location network data, location by start call/end of the call. Location data derived from use of Wi-Fi access points).

4. Purposes for processing the personal data

4.1 We only process personal data for legitimate purposes in accordance with the GDPR. Depending on the circumstances, the personal data is processed only (a) to provide the site, and (b) for our own and our data processor’s legitimate business operations, each as detailed and limited below.

Processing to provide the site:

For the purposes of the Policy, “to provide” the site consists of:

• Delivering the site, including providing personalized user experience.

• Troubleshooting (preventing, detecting, and repairing problems).

• Ensuring compliance with the obligations pursuant to articles 32 to 36 of the GDPR taking into account the nature of the processing and the information available.

• Ongoing improvements (installing the latest updates and making improvements to user productivity, reliability, efficacy, and security), including anonymizing personal data and using the anonymized data to create statistics and other types of insights into the use of the site in order for us and our data processors to improve our/their services and products.

Processing for legitimate business operations:

For the purposes of the Policy, our and the data processor’s “legitimate business purposes” consist of the following, each as incident to delivery of the site: (1) billing and account management; (2) compensation (e.g. calculating commissions and partner incentives); (3) internal reporting and modeling (e.g. forecasting, revenue, capacity planning, product strategy); (4) combating fraud, cybercrime, or cyber-attacks that may affect the data processor or the data processor’s services and products; (5) improving the core functionality of accessibility, privacy or efficiency; and (6) financial reporting and compliance with legal obligations; and (7) to provide the necessary data for the Seller’s on Aioray to fulfill their orders to you, and (8) to verify your identity through the Unlock phygital stores.

5. Legal basis for processing personal data

5.1 We only process your personal data when we have a legal basis to do so in accordance with the GDPR. Depending on the specific circumstances, the processing of personal data is done on the following legal basis:

(i) When asking for your consent for the processing of personal data, the legal basis for such processing is a consent in accordance with article 6(1)(a) of the GDPR. Consent can always be withdrawn by contacting us via the contact details provided at the end of the Policy without affecting the lawfulness of processing based on consent before the withdrawal, and, if the consent is withdrawn, the personal data processed on the basis of consent is deleted, unless it can or must be processed, for example to comply with legal obligations.

(ii) The processing may be necessary for the performance of the contract concluded with you or to take steps at your request prior into entering a contract, cf. article 6(1)(b) of the GDPR.

(iii) The processing may be necessary for compliance with legal obligations, cf. article 6(1)(c) of the GDPR.

(iv) The processing may be necessary for the purposes of the legitimate interests as specified in section 4.1, which is pursued by us, our data processor or other third parties, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data, cf. article 6(1)(f) of the GDPR.

5.2 We may process your personal data for one or more of the following purposes, if and only to the extent that you have consented hereto: (1) GPS tracking; (2) disclosure of personal data to third-parties in order for the third-parties to use the personal data for marketing activities on their own behalf; (3) integration of personal data collected from different sources; (4) analysis of individual user or users’ personal preferences and/or behavior with the purpose of using such analysis for marketing, sales or similar commercial activities; and (5) direct marketing, including by emails.

6. Disclosure and transfer of personal data

6.1 We only pass on personal data to others when the law allows it or requires it, including transfer of personal data to the following types of recipients from the EU/EEA: (1) Tax authorities (for example in connection with accounting); (2) banks (for example in connection with payments; (3) data processors; (4) suppliers; (5) sellers, and (6) other data controllers, including group companies.

6.2 From time to time we use external companies as suppliers to assist in delivering our services. The external suppliers will not receive or process personal data unless the applicable law allows for such transfer and processing. Where the external parties are data processors, the processing is always performed on the basis of a data processing agreement in accordance with the requirements herein under the GDPR. Where the external parties are data controllers, the processing of personal data will be performed on the legal basis specified in their data privacy policy, which the external parties are obligated to inform about unless the applicable legislation allows otherwise.

6.3 We transfer personal data to countries or international organizations outside the EU/EEA as specified in the following:

(i) Personal data is transferred to the USA. Such transfers are based on the recipients’ self-certifications under the “EU-U.S. Privacy Shield” for the recipients that are self-certified under the framework. For the recipients that are not self-certified the transfer is based on the standard contractual clauses of the European Commission.

(ii) Personal data may be transferred to Argentina, Canada, Israel, Japan and/or Switzerland. The basis for such transfers is adequacy decisions by the European Commission deeming the general provision of adequate data protection through legislation or through other measures in such countries.

(iii) Personal data may also be transferred to countries where Google or any of their sub-processors maintain facilities as specified in the applicable terms (currently for Google Data center locations and Subprocessors). Currently this includes the following countries in addition to those specified in section (i) and (ii) above: Australia, Brazil, Chile, Columbia, Philippines, United Arab Emirates, India, Kenya, Malaysia, Mexico, Peru, Singapore, United Kingdom, South Africa, Tai-wan, United States, and Turkey. Such transfers are based on the standard contractual clauses about data protection made or approved by the EU Commission and possibly approved by a national supervisory authority, ensuring a sufficient level of protection.

6.4 If you have any questions about our use of data processors, cooperation with other data controllers, including subsidiary companies, or transfers of personal data to third countries, please contact us for more information or documentation of our legal basis for said transfers.

7. Erasure and retention of personal data

7.1 We ensure that the personal data is deleted when it is no longer relevant for the processing purposes as described above. We also retain personal data to the extent that it is an obligation from applicable law, as is the case with for example accounting and bookkeeping materials and records. If you have any questions about our retention of personal data, please contact us via the contact details provided at the end of the Policy.

8. Data subject rights

8.1 You have several rights that we can assist with. These may vary depending on your country of residence. Such rights include:

(i) The right of access: You have the right to ask for copies of the information that we process about you, including relevant additional information.

(ii) The right to rectification: You have the right to ask for rectification of your personal data if it is inaccurate.

(iii) The right to erasure: In certain situations, you have the right to obtain the erasure of your personal data before the time when erasure would normally occur.

(iv) The right to restrict processing: In certain situations, you have the right to have the processing of your personal data restricted. When you have such a right, your personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest in the European Union or of a European member state.

(v) The right to object: In certain situations, you have the right to object to the legal processing of your personal data. Objection can also be to the processing of personal data for the purpose of direct marketing.

(vi) The right to data portability: In certain situations, you have the right to receive your personal data in a structured, commonly used and machine readable format and the right to transmit those data to another data con-troller without hindrance from the data controller to which the personal data has been provided.

8.2 More information about data subject rights can be found in the guidelines of the national data protection authorities. In Denmark, such guidelines are available at If you want to make use of any of the rights listed above, we ask that you contact us via the contact details provided at the end of the Policy.

8.3 We strive to do everything that we can to accommodate your wishes regarding our processing of your personal data, including your rights as a data subject. If you or others, despite our endeavours, want to file a complaint, this can be done by contacting the national data protection authorities. In Denmark, this can be done via the website listed in section 8.2.

9. Changes to this Policy

9.1 We reserve the right to update and amend this Policy. If we do, we correct the date and the version at the bottom of this Policy. In case of significant changes, we will provide notification in the form of a visible notice, for example on our website or by direct message.

10. Minors

10.1 Please note that The Site is not intended for individuals under the age of 18.

11. Do not track

11.1 We do not alter our Site’s data collection and usage practices when we register a ‘’Do Not Track’’ signal from your browser.

12. Contact

12.1 If you have any questions or comments or if you would like to invoke one or more data subject rights, please contact us at

Image of a bold, white letter 'a' outlined by a white box with soft corners

Our mission is to transform traditional e-commerce by bridging the physical and digital items & experiences through tokengating. We believe it is the next step for commerce and we want to lead the transition.