1. Purpose
This Privacy Policy relates to the mobile application “XPR Virtual Card” (the “Application”), developed and operated by XPR Group Sàrl, whose registered office is located at Rue de Neudorf 681, L-2220 Luxembourg and whose company registration number is B234480, info@xprgroup.com
(“XPR”).
The Application allows authorized users to store and use virtual access cards compatible with access control systems developed by XPR. These cards may either be “Basic”, generated automatically upon installation of the Application without any guarantee of uniqueness, or “Professional”, issued and managed by the administrator of the access control system of the relevant site, in accordance with the applicable procedures.
In other words, the Application is a mobile app that turns a smartphone into an access badge. Instead of using a physical RFID card, the user presents their phone to a compatible access reader to open a door or gain access to a secured site. The smartphone thus acts as a digital key (mobile credential).
By downloading, installing, or using the Application, the user acknowledges that they have read this Privacy Policy.
2. Personal data
The mere downloading of the Application does not involve any collection, storage or transmission of personal data by XPR to external servers or third-party storage systems.
The Application may access certain device permissions, including Bluetooth and, where required by the operating system, location services. Location access is required by the operating system to enable Bluetooth-based functionalities. Location data is used solely to enable Bluetooth-based functionality, in particular to detect nearby access control devices and estimate proximity. This data is processed in real time only on the user’s device and is neither stored, recorded, nor transmitted to XPR or any third party. It is not used to track users or determine their geographical position. XPR does not have access to this data.
Where the Application generates or uses virtual card identifiers and these are associated with a natural person within an access control system, any resulting processing of personal data, in particular in the context of access management or the logging of access events, falls solely under the responsibility of the administrator of the relevant access control system, and XPR does not intervene in such processing.
The user is therefore invited to consult the data protection statements of the relevant access control system operators to obtain detailed information on the personal data processing activities carried out, including their purposes, legal bases, and the procedures for exercising their rights.