Last updated March 10, 2021
1. INFORMATION WE COLLECT AND ITS USE
We may collect, receive and use the following information:
User ID, notification tokens and passwords
When you first install the App, we generate a random user ID and password to represent your device’s identity for the purpose of the App and all Services. We also generate a notification token that is unique to your copy of the App, which we use to provide notifications. We do not link the user ID, password, or notification token to other information that could specifically identify you or your device, such as your name or device ID (i.e., the Identity for Advertisers on Apple devices or Google Play Services ID on Android devices, or any hardware identifiers on your device).
Microphone and Ultrasonic Signals
The App uses a combination of ultrasound and Bluetooth technology to measure distances between App users. This technology requires the App to have access to and open your device’s microphone to measure distances. We focus on ultrasonic frequencies when we process the microphone signals. We do not collect audio recordings of voice conversations through the microphone.
Wi-Fi Access Points, Partial IP Addresses and Related Information
The App collects your device’s WiFi access point BSSID (Basic Service Set Identifier) and SSID (Service Set Identifier) to which the device is connected. In the event that your BSSID is locally administered (not globally unique), the App collects the first half of your device’s IPv4 IP (Internet Protocol) address (i.e., the App does not collect the last two parts, or last two octets, of the IP address). In addition, depending on your device’s operating system, the App may periodically scan for nearby SSIDs, BSSIDs, relative signal strength indicator levels and transmission frequency information. This is classified as location information because it could theoretically be abused to deduce your location. However, we never store any persistent association between your User ID and any of this WiFi or IP address information; rather, our system assigns random, anonymized tokens (which are periodically overwritten) to WiFi access point BSSIDs, and we do not persistently store the association between these tokens and actual BSSIDs. We store the association between these tokens and your User ID. All of the above information is used for analysis, including identifying App users that have been in proximity to one another.
We collect information from your device, such as your device make and model, OS version, language preference, and information about Bluetooth and ultrasonic signals, in order for the Services to function and to troubleshoot, analyze and improve the Services.
The App creates an alias ID and maintains it on your device at all times. This alias ID does not personally identify you and is different than your user ID. Alias IDs are periodically refreshed. The App on your device performs vicinity scans to sense nearby devices running the App (a “Contact”). When a Contact is located, the App exchanges the alias IDs of your device and the Contact’s device. The App does not use the GPS functions of your device to collect your latitude and longitude. We link alias IDs and actual user IDs and store such information on our servers. This information enables us to provide and improve the App and Services functionality, such as providing you notifications about a Contact.
You may submit information indicating you have or have not tested or been diagnosed as positive for COVID-19. We may use that information to notify a Contact that you were in proximity to them and approximate duration of the contact, without personally identifying you. The App may provide a function for you to input a code or other identifier provided by a medical person or facility or testing facility up to confirm you received a positive test or diagnosis.
You may be able to submit a code or token to your App to self-identify as a member of a community, such as a college campus or city. This code or token does not personally identify you. It is used to aggregate data from the App related to the particular community.
App usage Information
We may collect information about how and when you use the App and features within the App, in order to analyze and improve our Services.
If you choose to contact us on the Website or through the App, send us feedback on the App, or contact us by other means, you may provide your name, email address, organization and other information from which you may be personally identified (“personal information”). Personal information does not include deidentified, aggregated, anonymized, pseudonymized information or other information excluded by applicable law. We collect personal information in order to respond to your requests or other correspondence, develop partnerships and other business purposes. You are not obligated to provide us with personal information. However, without your personal information, we may not be able to perform certain functions, such as responding to your inquiries or developing partnerships with you.
Cookies and Similar Technologies
2. DISCLOSURES OF INFORMATION
We will not sell personal information to third parties without your prior express consent. We may share personal information and other information with third parties as follows:
When a contact between you and a Contact occurs, your alias ID is sent to the Contact’s device and the Contact’s alias ID is sent to your device. The App does not provide any other identifying information directly from your device to Contacts’ devices.
When you report a positive test result, the App informs certain Contacts that they had a direct or indirect contact with someone with a positive COVID-19 test result or diagnosis. The notification does not include your personal information, such as your name. However, a Contact may be able to determine that you are the source of the notification based on the recollection of their own movements. For example, upon receipt of a notification of a new positive test report, a Contact may know that you were the only person with whom they were in close contact in the past week and may therefore deduce that you reported a positive test result.
We may share information with companies that we engage to provide services to us, such as hosting services, for the purpose of fulfilling the engagement. We use Google Analytics to analyze usage of the Sites. You can review how Google uses this information and how you can control information collected by Google Analytics here.
Aggregated and de-identified information
We may share, publish, sell or allow third parties to sell aggregated information and/or de- identified, anonymized and/or pseudonymized information if such information does not personally identify you. For example, we may compile and sell statistics and related data tools about the rate of positive COVID-19 reports in a community and the proximity of the App users in such community based on information we have collected from you and other users, as long as the statistics do not personally identify you. As another example, we may share aggregated and/or de-identified information with researchers, health professionals and others in the medical community in order to analyze the symptoms and infection rates of COVID-19.
We may disclose information where we are legally required to do so in order to comply with applicable law, governmental requests, a judicial proceeding, court order, or legal process, such as in response to a court order or a subpoena (including in response to public authorities to meet national security or law enforcement requirements).
We may disclose information where we believe it is necessary to protect our interests and the interests of you and other parties, including to investigate, prevent, or take action regarding potential violations of our policies, to prevent fraud and address suspected fraud, to fulfill contractual obligations, in situations involving potential threats to the safety of any persons or property, to address illegal activities, and in legal proceedings in which we are involved. We may also disclose information to third parties to whom we may choose to sell, transfer or merge parts of our business or our assets.
3. CROSS-BORDER TRANSFERS
The App is designed for use in the United States. Any information we collect, including personal information you provide to us, may be transferred to and processed in the U.S. If you are located outside the U.S., please be advised that the U.S. does not offer safeguards to protect personal information that are as stringent as some other jurisdictions in the world. For example, the European Union does not consider U.S. privacy safeguards to be adequate to protect personal information.
4. DATA RETENTION
We retain personal information for as long as necessary for the purposes set out in this Policy, including fulfilling your inquiries, developing and maintaining partnerships and administering the App and Services, unless a longer retention period is required or permitted by law.
Although we employ technical and organizational controls that we believe are reasonably appropriate to protect your information, we do not guarantee that our security precautions will protect against the loss or misuse of your information. Similarly, we cannot guarantee the privacy of information you transmit over the Internet or that may be collected in transit by others, including contractors that provide services to us.
6. YOUR DATA CHOICES
Temporary Contact ID: My ID
To request a copy of your information, please send an email to email@example.com with subject line "Requesting Info: My ID".
To delete your information from the App, please send an email to firstname.lastname@example.org. with subject line "Delete: My ID". If you have provided personal information on the Website, App or through other means and want to obtain a copy or request that it be deleted, please send an email to email@example.com with sufficient information (such as your name and email) for us to identify your personal information.
7. OTHER WEBSITES AND LINKS
The Websites or App may contain links to other websites. We are not responsible for the information collection or privacy practices of other websites. You should consult the privacy policies of other sites before you visit those sites or provide any information to those sites. We do not control the privacy practices of such third-party sites.
8.REVISIONS TO THIS POLICY
We reserve the right to revise this Policy at any time. Please review this Policy periodically for changes and at any time you provide information to us. We will post any revised versions of the Policy on the Website and in the App. The updated version will be effective upon posting. If required by law, we may notify you of changes either by posting a notice of such changes or by directly sending you a notification. By continuing to access or use the Website and App after changes become effective, you agree to be bound by the terms of the revised policy. We may also require your consent to the revised Policy in order to continue using the Website and/or App.
9. CONTACTING US
If you have questions or comments about this Policy, you may email us at firstname.lastname@example.org or write to us at Expii, Inc., 260 Atwood Street, Pittsburgh, PA 15213.