# affinity-privacy-policy

## 1. Introduction

The Affinity mobile application ("Application") is a mobile application that is meant to provide the individuals using our Service and Application ("Users") the possibility to mutually exchange movie ratings in geographic proximity (typically 0~30 meters of radius) using direct wireless communication between mobile devices. The device-to-device connection is established directly and without intermediaries using wireless transmission technologies such as Bluetooth or WiFi comprised in the Google Nearby Connection API. No central entity is able to observe, track, or monitor data exchanges between other Users.

The Application is part of the research endeavor of the Service-centric Networking chair at the Technical University of Berlin in the field of decentralized/distributed recommender systems. In line with this research, we are eager to explore Device-to-Device (D2D) technologies that foster collaboration between users without central movie recommendation providers such as Netflix. Users collect rating information from other nearby Users over time and can thus calculate recommendations locally on their smartphones. In a nutshell, the Application replicates the word-of-mouth phenomenon of recommendation in social interactions in a digital, D2D fashion. We follow in the footsteps of the PocketLens project.

This Privacy Notice only covers data processing carried out by Affinity. The Privacy Notice does not address, and we are not responsible for, the privacy practices of any third parties.

## 2. Data Collection

The personal data collected from Users is limited to device ID, geographic location, the time and date of the use of the Application. We do not collect names, e-mail addresses, home addresses or phone numbers. At the core of the Application lies mutual data exchange of rating information of the form Movie:Rating:Timestamp between Users.
A collection of a User's rating information ("User Profile") is at no time collected by the Application. Users' Profiles are only shared between Users in geographic proximity (typically 0~30 meters of radius). We stress that data exchanges in particular neither involve nor require an active internet connection. Individuals that have not installed the Application are not eligible for User Profile exchange. For convenience, Users are not asked to give permission to each and every sharing request; instead, the User may activate and deactivate sharing so that data sharing can also happen when the User is not actively handling the Application.

When using the Application we automatically record certain technical information such as the Internet Protocol address (IP address), the device address and/or device type.

We do not use Google Analytics, an analytics service provided by Google, Inc. ("Google"). For further information concerning the terms and conditions of use and data privacy at Google please visit: https://www.google.com/analytics/terms/us.html or https://www.google.com/policies/.

## 3. Purposes

We do not process any personal data.

## 4. Storage Period

We store your personal data in accordance with the Statute on the Safeguarding of Good Academic Practice at Technische Universität Berlin for no longer than 10 years for research purposes. We erase personal data after the above described storage period or upon User requests.

## 5. Legitimate Grounds for Processing

The collected data is not used for commercial purposes.

## 6. Rights of Users

Right to access: Any User may contact us to get confirmation as to whether or not we are processing User’s personal data. Where we do process User’s personal data, we will inform User of what categories of personal data we process regarding him/her, the processing purposes, the categories of recipients to whom personal data have been or will be disclosed and the envisaged storage period or criteria to determine that period.

Right to withdraw consent: In case our processing is based on a consent granted by the User, the User may withdraw the consent at any time by contacting us or by using the functionalities of our Services. Withdrawing a consent may lead to fewer possibilities to use our Services.

Right to rectification: Any User has the right to have inaccurate or incomplete personal data we store about the User rectified or completed.

Right to object: Any User has the right to object to our processing at any time, even if our processing is based on our legitimate interest in the operation, maintenance and further development of our Services. We shall then no longer process User’s personal data unless for the provision of our Services or if we demonstrate other compelling legitimate grounds for our processing that override User’s interests, rights and freedoms or for legal claims.

Right to restriction of processing: Any User has the right to obtain from us restriction of processing of User’s personal data, as foreseen by applicable data protection law, e.g. to allow our verification of accuracy of personal data after User’s contesting of accuracy or to prevent us from erasing personal data when personal data are no longer necessary for the purposes but still required for User’s legal claims or when our processing is unlawful. Restriction of processing may lead to fewer possibilities to use our Services.

Right to data portability: Any User has the right to receive User’s personal data from us in a structured, commonly used and machine-readable format and to independently transmit those data to a third party, in case our processing is based on User’s consent and carried out by automated means.

Right to erasure: Any User has the right to have personal data we process about the User erased from our systems if the personal data are no longer necessary for the related purposes, or if we have unlawfully processed the personal data.
Any User furthermore has the right to erasure if the User withdraws consent or objects to our processing as meant above, unless we have a legitimate ground to not erase the data. We may not immediately be able to erase all residual copies from our servers and backup systems after the active data have been erased. Such copies shall be erased as soon as reasonably possible.

How to use these rights: To exercise any of the above mentioned rights, the User should primarily use the functions offered by our Services. If such functions are however not sufficient for exercising such rights, Customer shall send us a letter or email to the address set out below under Contact, including the following information: device ID. We may request additional information necessary to confirm User’s identity. We may reject requests that are unreasonably repetitive, excessive or manifestly unfounded.

## 7. Security

We implement and maintain reasonable and appropriate technical and organizational security measures to protect the personal data we process from unauthorized access, alteration, disclosure, loss or destruction. Access to the user data is only available to Technische Universität Berlin employees within the group, and only to those who have been granted access explicitly.

Should, despite our security measures, a security breach occur that is likely to result in a risk to the data privacy of Users, we will inform the relevant Users and other affected parties, as well as relevant authorities when required by applicable data protection law, about the security breach as soon as reasonably possible.

## 8. Recipients

We only share your personal data within our research group if and as far as necessary for the purposes specified in this Privacy Notice. Our staff members processing personal data are bound to confidentiality. We do not share your personal data with any third party outside of our organization unless one of the following circumstances applies.

Necessary for the purposes.
We may share your personal data with third parties to the extent our Services foresee such disclosure and Users submit their personal data for that purpose, such as to facilitate our Services.

For legal reasons. We may share your personal data with third parties only if we have good-faith belief that their access to and use of the personal data is necessary (i) to meet any applicable law and/or court order, (ii) to detect, prevent or otherwise address fraud, security or technical issues, and/or (iii) to protect the interests, properties or safety of us, our Users or the public, in accordance with the law. We will notify Users about such disclosure, as far as reasonably possible.

Upon User’s consent. We may share your personal data with third parties for other reasons than the ones mentioned above, if we obtained User’s explicit consent to do so. The User has the right to withdraw this consent at any time.

## 9. Location and Transfer

We and our research groups operate only from locations based in Germany. Our User's data, however, may be transferred by Google to other locations for storage purposes. Google ensures that any personal data processed in different locations receives an adequate level of protection, by meeting the data protection standard stipulated by the EU data protection law. Further information regarding the international transfer of personal data may be obtained by contacting us.

## 10. Lodging a Complaint

In case any User considers our processing of his/her personal data to be inconsistent with applicable data protection law, a complaint may be lodged with the local supervisory authority for data protection.

## 11. Changes

This Privacy Notice is dated February 6, 2020. We may update this Privacy Notice at any time if required in order to reflect changes in our data processing practices, in personal data protection laws or otherwise. For substantial changes to this Privacy Notice, we will use reasonable endeavors to provide notice thereof.
The English version of this Privacy Notice shall govern in the event of any conflict with or substantial translation changes into a non-English language.

## 12. Contact

Any User having any question or request on this Privacy Notice or our privacy practices, can contact us

• by email at tobias.eichinger@snet.tu-berlin.de

Further privacy related questions may be addressed to the Data Protection Office of the Technische Universität Berlin:

• by email at k-3-ds@tu-berlin.de

• by mail at: Annette Hiller, K 3 DS, Data Protection Officer (DPO) - legal supervisory affairs of the AS and its commissions, support arrangements for committee members, meeting fees, policy matters in the area of academic self-government, Room H 1038, Straße des 17. Juni 135, Berlin, Germany

You also have the right to contact the local controlling authority: Berliner Beauftragte für Datenschutz und Informationsfreiheit, Friedrichstr. 219 / visitor entrance via Puttkamerstr. 16-18, 10969 Berlin, Germany, mailbox@datenschutz-berlin.de

Get in touch with us!

Address: Service-centric Networking, Department of Telecommunication Systems, Technische Universität Berlin, Ernst-Reuter-Platz 7, 10587 Berlin, Germany, Europe

Web: http://www.snet.tu-berlin.de