Realeyes Privacy Policy for Mindfully mobile application
Last updated 18th May 2022, version 2.0
1. Privacy Overview
Realeyes OÜ (Vahe 15, Tallinn 11615, Estonia, registry code: 11730664; “Realeyes”) offers a mobile measurement service to enterprise customers based on patented facial feature tracking. This service is called RealView, which builds on information derived from users of our digital wellbeing mobile application, Mindfully (also referred to as ‘mobile application’) to provide media measurement insights.

This Privacy Policy (“Policy”) describes how we collect and manage the Personal Information (aka ‘personal data’) that we collect from our participants while they use and interact with our Mindfully mobile application (“Service”) and at the same time carrying out the measurement service.

Please read our Policy carefully to make sure that you understand our processing activities. When you download our mobile application or otherwise engage in the Service, you are agreeing to this Policy. We cannot provide you the Service without collecting some personal information from you, therefore, for you to be able to participate and use the Service, it is important that you understand the terms of this Policy.

Please note that Realeyes does not knowingly obtain Personal Information from any of our products, study data, or survey responses from participants under the age of 16. You must confirm that you are 16 years of age or older before consenting to our processing of your personal data in relation to the Realeyes mobile measurement. Should we discover that any data has been collected from a participant under the age of 16, we will immediately delete it.

Realeyes is the data controller for the data we collect. Our contact details are provided under Section 9 below.
2. Mindfully mobile app
This part of the Policy explains the personal information processing activities associated with our mobile application.

Please note that your use of our mobile application is voluntary. You should indicate your consent when starting to use our application by reading and accepting this Policy and by providing the necessary device permissions to utilize the features of the application.

If you do not grant permission for us to access your front facing camera on your mobile device, you cannot start using the mobile application and we will not collect your information. You may at any time withdraw your permission from us to process your personal information by following the instructions in Sections 2.3 and 8 below.
2.1. Information Categories
A) Information related to media measurement
(i) If you consent to participate in a measurement carried out by our mobile application, then we will collect the following information about your device:
  • Telemetry events related to your device:
    • device model;
    • device brand;
    • device operating system;
    • device language;
    • device time changes;
    • device shutdown or reboot info;
    • screen power state changes;
    • information whether local storage is full;
    • audio play state changes;
    • device volume changes;
    • screen orientation changes;
    • your device’s battery consumption.
  • Network connection related events:
    • network connectivity changes;
    • country code derived from IP address if network connectivity changes.
  • For each app user, we use and store a tracking ID (PublicParticipantId) which enables us to assign a unique identifier to your mobile app. If you use multiple apps on different devices, the information associated with each app will be processed differently. The IDs we set are described in your mobile app settings and are used to link all measured data to a single device-app combination. Once you request the removal of your data, the link between the tracking ID and your device will be irrevocably deleted so the data collected from you cannot be again linked to you and your device.
(ii) For the mobile application to work as intended, we request your permission to use the front-facing camera on your mobile device. Our software then collects the following separate data-points:
  • Telemetry events related to the camera of your device:
    • camera available / unavailable;
    • other camera information.
  • Whether a face is detected and, if so, the position and orientation of the face relative to the screen.
  • The extent to which the person in front of the device camera appears to be paying attention to the content.
  • A numerical encoded reaction to the content (levels of overall emotion displayed, such as happiness, surprise, sadness, fear, confusion, contempt or disgust).
Please note - Realeyes does not store video or images from your camera on your device or our systems, servers or cloud storage, and the software is not used for facial recognition purposes. Any images accessed from the camera will be discarded immediately after processing it on your device, such processing should not take longer than 1 second at most. However, data derived from images may be stored on your device until you delete the mobile application, opt-out or request deletion of your data.
(iii) For the mobile application features to work, access to usage statistics of applications running on the device is required. Our software collects the following related data-points if you grant permission to such processing in your device operation system:
  • Your interactions with various mobile applications via the device:
    • Names of mobile apps used;
    • Time spent on each mobile app.
  • Mobile app related events:
    • Measurement host app information
    • Measurement host app start
    • Measurement SDK initialization
    • Available app permissions
    • Measurement host app screen changes
    • Foreground app changes
    • Event count quality markers
For ultimate app experience, your age and gender data can be voluntarily provided by users to unlock additional features.

Additionally, if you want to send direct feedback to our application development department, you can optionally provide your email address which enables us to reply to your request.
B) Information related to YouTube feature

For the mobile application’s YouTube feature to work and provide insights on how your YouTube usage affects your emotions and mood and for media measurement purposes, our software collects and processes information on how you usually use YouTube and how you react to and interact with specific paid (such as advertisements on YouTube) and non-paid contents. We also collect and process information on other activities that you do on YouTube (e.g. browsing, subscriptions to YouTube channels) and how you use community and social functions of YouTube. We obtain these information by using MediaController and the Accessibility API of your mobile’s operation system based on your specific consent for such data processing activities. With the use of Accessibility API, we can make screenshots of YouTube video player (for more detail on this please refer to the below paragraph).

For users with background on the field of IT and technology, we detail the processed data categories below:

(i)         Data collected through Accessibility API:
  • YouTube in-stream advertisement sessions;
  • Various advertisement-related information such as call-to-action button label, display URL, timer progress, skip / play button interactions, and YouTube brand survey questionnaires;
  • Your YouTube account subscription type (standard/premium) and YouTube channel subscription statuses.
In addition to the above-mentioned data, we also collect the following information through MediaController – if you consent to such processing – to enable the mobile application’s YouTube feature to provide even more accurate insights on how your YouTube usage affects your emotions:
  • YouTube channel name;
  • Video title;
  • Video thumbnail;
  • Video duration.
The data that we collect through MediaController is collected for the purpose of providing insights on the impact of your YouTube use has on your emotions and mood. However, such data only serves its intended purpose if we are also able to process your YouTube advertisement related information (as specified in the first part of this Section 2.1 (b)).

Please note - we do not directly associate any specific viewed content with your mobile application use.  All the content you view on your mobile device remain unknown for Realeyes except for the content of the measurement host application.
2.2. Information Use
Realeyes specializes in market research and measures how people feel when they view on-screen media. We provide you insights with how the use of different mobile applications affect your emotions and awareness. If you have consented to such processing, we also analyze these reactions to help our customers improve their mobile application user experience, mobile application content and advertising. We process your personal data only if we have proper legal basis for that.

We may use collected information for the following purposes and on the following legal bases:
  • For media measurement purposes, if you have consented to such processing, for instance to carry out analysis and produce reports for our clients who have commissioned us. The reports we give to our clients contain only aggregated, anonymized data, and we do not disclose data relating to any individual participant in our media measurement. The purposes for conducting the analysis include:
    • benchmarking advertising campaigns within mobile applications against other comparable campaigns;
    • helping clients improve their mobile application user experience;
    • conducting academic or other research to benefit the public interest.
  • To develop the Service that we provide, by helping our system to learn from the data we collect from you, and to make our system and Service more accurate, in which case the legal basis of processing is our legitimate interest to improve our Services to better meet the needs of our users;
  • In certain circumstances to offer, manage and issue incentives to participate in media measurement, if you have consented to such processing;
  • To manage and provide the Service and to complete a specific request, such as providing you with various types of emotional awareness data through our app, in which case the legal basis for processing is the need to perform the contract concluded between us;
  • To send retargeted advertisements for advertisement performance optimization research, if you have consented to such processing;
  • To prevent fraud or abuse of incentives and to ensure security, in which case the legal basis for processing is our legitimate interest to prevent fraud and ensure security of our service;
  • To protect our legal rights, including file claims or protect us against claims, in which case the legal basis for processing is our legitimate interest to protect our rights;
  • To perform our obligations arising from applicable legal acts.
In addition, if in relation with particular media measurement we want to use your personal information for specific purposes materially different from those specified here, we will request your consent.

If the legal basis for processing is your consent, you have the right to withdraw the consent at any time. Please note that the withdrawal of your consent does not affect the lawfulness of the processing carried out under the consent prior to the withdrawal and therefore does not apply retroactively. If the legal basis for processing is our legitimate interest, we have, as a result of weighing the relevant interests, come to the conclusion that in the particular case our legitimate interests override your interests, fundamental rights and freedoms which require protection of personal data. You have the right to file an objection at any time against such processing. If you object, we will refrain from further processing of your personal data, except if we prove that the personal data is being processed due to a compelling lawful reason which overrides your interests, rights and freedoms, or if we process your personal data for the purpose of preparing and filing legal claims or protecting against claims filed against us.
2.3. Your Controls
You can control or opt-out of our collection and processing of your unique mobile measurement information in the following ways:
  • You can pause measurement by tapping on the Android top notification bar and navigating to the settings within the mobile application;
  • You can pause measurement by launching the mobile application and navigating to the app settings;
  • You can turn your front-facing camera off at any time. Turning your camera off will mean that we will no longer be deriving any data from images taken via your camera, but you will not be fully opted out and other data collection (e.g., app interactions and window events) will continue to be recorded. For Samsung Android users, you can control your camera by navigating to Settings/Privacy/Permission Manager/Camera;

    Please note that if you disable access to your front-facing camera by default, you may be asked by the mobile application again on a periodic basis to resume access;
  • You can withdraw your consent concerning our processing activities relating to the YouTube feature (as described in detail under Section 2.1 (b) above) by navigating to the mobile application’s opt-out settings (Settings/Manage permissions) and then choosing ‘YouTube permissions’ option. After clicking on ‘YouTube permissions’ button, you will be taken into the settings of your device’s operation system, where you can withdraw the said permission. Please note that revoking your YouTube insights permission will also result that we stop processing the information about you that we collect through MediaController as specified under Section 2.1 (b) above.
  • You can delete the mobile application from your device. However, any information collected will continue to be stored until the one-year inactivity period is reached.
Data retention measures are discussed in Section 7 of this Policy.
3. Information Sharing
When reporting the results of our mobile measurement activities to our enterprise customers, we will only share information in aggregated, anonymous form. We might share basic identification information (i.e. your ExternalParticipantID) with our third party service provider facilitating the payment of monetary incentives to provide such incentives if you have consented to them. For example, if as part of the media measurement we have collected data about whether you looked at a particular video, we might then explain in our report what percentage of the participants in the media measurement looked at the video concerned. In such a case where basic reporting information is shared, it will be devoid of any uniquely identifiable measurement information.

We may share your personal information with vendors or service providers where this is necessary to provide services to us, such as tasks that support us in providing measurement services. Such vendors and service providers act as data processors and process your personal information on behalf of us. In each such case, we will have a data processing contract in place with the vendor or service provider which protects your personal information against unauthorized use or disclosure and limits use in accordance with our instructions. We only use data processors that have provided us with a sufficient guarantee that they implement relevant technical and organizational measures to ensure the protection of your personal information. We remain liable for ensuring the protection of your personal information processed by our processors.

If we have a legal basis, we may share your personal data with third parties who act as independent data controllers. We may share your personal information with third parties to fulfil our obligation arising from legal acts. We may also share your information with affiliated companies or divisions of Realeyes, or if any of our business is purchased or otherwise transferred to another entity. In such an acquisition or transfer event, we will endeavor to require the transferee to continue to process it in accordance with this Policy, unless you provide consent for another use.
4. International Transfer of Personal Information
We may choose to host or transfer your Personal Information to countries outside of the European Economic Area (EEA). If these transfers are to a country for which the European Commission has not issued an adequacy decision (such as the US), Realeyes will either conclude contracts with the recipients including the EU standard contractual clauses adopted by the European Commission or will rely on Binding Corporate Rules.
5. Data Security
We use industry standard technical and organizational security measures designed to protect your data against unauthorized disclosure or processing. These measures vary depending on the sensitivity of the information we have collected from you. However, no method of transmission over the Internet or via mobile device, or method of electronic storage is absolutely secure. Therefore, while we strive to use commercially acceptable means to protect your information, we cannot guarantee its absolute security.
6. Local device storage based tracking methods
Like many apps, our mobile application also uses local device storage tracking technologies such as software development kits (SDKs) and local device storage (hereinafter such technologies are collectively referred to as ‘cookies’) These technologies allow us to store information or gain access to information stored on your device to enable certain features and distinguish your device from others (i.e. recognizing that a device is the same as one used previously). Such technologies also help us understanding some of its characteristics so that we can deliver products and application features, and generally improve your experience. Annex 1 to this Policy explains how we use such technologies, and your controls over them.
7. Data Retention
We will anonymize the personal information we collect from you during mobile media measurement following six months from the last date on which you participate in the mobile media measurement. If you choose to delete the measurement host app, please note we will continue to retain any information collected until the six months inactivity period is reached.

After the retention period, except any data that has been anonymized (which will no longer constitute personal information relating to you, and which we will retain), we will delete the relevant personal information. If, at any time, you withdraw your consent, or otherwise opt-out of, our processing your personal information, then we will anonymize or delete your personal information.

If you exercise your right to delete your personal information, we will do so as expeditiously as possible following your verification, unless otherwise stated here.

In all circumstances, we will not store your personal information for longer than necessary to fulfill the measurement or other purposes we collected it for, unless we are required to retain it to satisfy a legal, regulatory, tax, or accounting requirements.
8. Rights of Data Subjects
You are entitled to exercise the following rights with regards to your personal data to the extent prescribed in applicable law:
  • Access your personal data: Any request to access your information shall be subject to providing the acceptable proof of identification. Once we have identified you, you will be provided with the copy of your personal data. If a person’s request for information or measures are clearly unjustified or excessive, a reasonable fee may be asked, or the action taken may be refused.
  • Right of rectification/modification: You can have your personal data corrected at any time in case it is inaccurate or incomplete.
  • Right of erasure/deletion: You can request to delete your personal data at any time.
  • Right to restrict processing/object/opt-out: In certain circumstances, you have a right to restrict or block us from processing your personal data. We have referenced some of these options in the ‘Your Controls’ sections.
  • Right to withdraw your consent:  If the processing is done based on your consent, you have the right to withdraw your consent to processing of your personal data at any time. We have referenced some of these options in the ‘Your Controls’ sections.
  • Right to data portability: You have a right to request the personal data from us and reuse this data for other services. However, at this time, personal information processed through the Realeyes Service are proprietary in nature, and unavailable for portability.
  • Right to lodge a complaint: If you think that the rights regarding your personal data have been breached, we ask you to notify us thereof using the contact details below. You also have the right to lodge a complaint with the competent supervisory authority (e.g. the Estonian Data Protection Inspectorate, you may find their contact details here) or turn to the courts.
You may exercise any of these rights at any time by emailing us at dpo@realeyesit.com with the unique identifiers associated with RealView mobile measurement, or ‘Participant ID’ found in the app privacy section of the settings menu.
9. Contacting us
Please contact us if you have any comments or questions about our Privacy Policy or about information that we hold.
  • For European residents, send an email to dpo@realeyesit.com under the subject heading “Privacy Policy”.
  • For non-European residents, send an email to privacy@realeyesit.com under the subject heading “Privacy Policy”.
  • Write to us at Realeyes, Brook House, 19 Langham Street, London, W1W 6BP
10. Changes to Privacy Policy
We may update our Privacy Policy from time to time. We will notify you of changes by posting an announcement on our Service or Website. You are bound by any changes to our Privacy Policy when you use our Service after you are notified of these changes.
11. Disputes
The Privacy Policy is governed by legislation of Republic of Estonia. Any disputes in connection with this Policy shall be settled through negotiations. If the Parties fail to resolve the dispute through negotiation, the disputes shall be settled by Harju Maakohus (Harju County Court), pursuant to the procedure provided by the law of the Republic of Estonia.
12. Illinois Consumer Statement
In the course of providing our Service, Realeyes may collect and process “biometric information” as defined in the Illinois Biometric Information Privacy Act (BIPA). As defined under BIPA, “Biometric identifier” includes a scan of face geometry, but may not include photographs, demographic data, or physical descriptions. In addition, BIPA defines “Biometric information” as any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.

If and to the extent that Realeyes may collect or otherwise processes Illinois consumers biometric information, Realeyes will:
  • Inform users in writing, either through our own Privacy Policy or as contractually required with our enterprise customers, that biometric information may be processed;
  • Inform users in writing of the specific purposes and retention periods in which the users biometric information may be processed; and
  • Receive express consent authorizing Realeyes or our enterprise customers to process or disclose biometric information for the specific purposes disclosed in the Privacy Policy.
Any biometric information processed by Realeyes related to Illinois consumers is rendered anonymous or otherwise disclosed exclusively in the aggregate. Realeyes does not sell, lease, trade, or profit from Illinois consumers biometric identifiers or biometric information.
13. California Consumer Statement
13.1. Definitions
The terms “Business Purpose(s)”, “Personal Information”, “Sell” (or “Sale”), “Service Provider(s)” and “Third Parties” have the meanings given in the California Consumer Privacy Act of 2018 (CCPA). These term references and disclosures are limited to this section of the Privacy Policy and designated exclusively for California Consumers.
13.2. Categories of Personal Information
Encoded facial emotional identifiers, proprietary user identifiers, mobile device identifiers, mobile ad IDs (IDFAs for iOS and Android Ad IDs), age, gender, timestamps, user agent strings, country code derived from IP addresses, optionally given email addresses.
13.3. Purposes for collection and use of Personal Information
We use Personal Information for the purposes as specified under 2.2 of this Policy above.
13.4. Categories of sources from which Personal Information is collected
Mobile applications in which RealView SDK has been integrated.
13.5. Categories of Personal Information we sell
We do not sell Personal Information.
13.6. Purposes of selling Personal Information
We do not sell Personal Information.
13.7. Categories of Third Parties to whom Personal Information is sold
We do not sell Personal Information.
13.8. Categories of third parties with whom information is shared for a business purpose
Mobile application management services, technology platforms, marketing services, incentive fulfillment services, mobile application analytics.
13.9. California Consumer Rights & Options
You can access or delete your personal data by sending an email to us at privacy@realeyesit.com. Please note we may not accept a request to access or delete your Personal Information where we cannot verify your Personal Information, where we require the Personal Information to comply with legal obligations or in case it is subject to any legal claim.


© 2022 Realeyes Data Services Ltd
Annex 1 – Cookie Policy
1. What are cookies and other technologies (like APIs, SDKs or local device storage) and how we use them?
Cookies are small text files containing a string of characters that can be placed on your device, which uniquely identifies your device. Cookies can be ‘persistent cookies’ as well as 'session-based' cookies. Our application only uses 'persistent' cookies‘ which will remain on your device until you exercise your controls detailed under Section 4. We do not use 'session-based' cookies in our mobile application.

An API (Application Programmable Interface) is a piece of software which helps two or more applications to talk to one another. We use them to communicate between our mobile application and your device’s operation system.

Software Development Kits (SDKs): SDKs are tools that enable data to be collected about your device and device usage. These generally operate by assigning your device a unique number.

Local storage is a secure, application specific file that can only be accessed by the app process. The user does not have the ability to view this file, however you may delete it any time by exercising any of your controls under Section 4 of this Annex 1. We use this file to store a unique identifier to identify returning users, as well as user settings.
2. What cookies we use in our mobile application?
Local storage
What it is used for: User settings, User ID
Type (essential/performance - functionality/targeting – advertising): Essential
Duration: Until any of the user actions are exercised by the user as specified under Section 4 below
Legal basis of processing: GDPR Art. 6 (1) f)

Firebase SDK
What it is used for: Performance optimization, Crash analytics
Type (essential/performance - functionality/targeting – advertising): Performance and functionality
Duration: Until either user control under Section 4 (a) or 4 (b) is exercised
Legal basis of processing: GDPR Art. 6 (1) a)

Google Analytics SDK
What it is used for: Performance optimization, Crash analytics
Type (essential/performance - functionality/targeting – advertising): Performance and functionality
Duration: Until either user control under Section 4 (a) or 4 (b) is exercised
Legal basis of processing: GDPR Art. 6 (1) a)
3. First Party and Third Party technologies
Tracking technologies can either be “first-party” or “third-party”. First-party tracking technologies are tracking technologies that belong to us directly. Third-party tracking technologies may be placed on your device by third parties (such as our analytics or advertising service providers).

We deploy the following third-party tracking technologies for analytics and performance purposes:

Google Analytics (
https://policies.google.com/privacy)

Firebase (
https://firebase.google.com/support/privacy)
4. What controls I have over these technologies?
Upon first opening up the application you may opt to decline non-essential cookies. Should you change your mind and would like to decline already accepted non-essential cookies, you may do so in the cookie settings of the application.

However, as some of these technologies are essential for the functioning of our mobile application, you cannot deactivate these cookies, if you wish to use our mobile application.

You may also have the following controls at your disposal to clear cookies already deployed on your device: (a) you delete the mobile application from your device, (b) you use ‘clear application data and cache’ option under your application specific operation system settings (This will result the application being “reset”, as if the application has just been installed), or (c) you navigate to the privacy policy settings within our application and submit the opt-out form, following which the collected data either gets deleted or cannot be linked any longer to you.
5. Where can I read about these technologies in detail?
If you would like to find out more about these technologies, please kindly refer to any of the following links:

-        
All about cookies;
-        
EU Guide to Cookies;
-        
Your Online Choices.
6. Changes to this Policy
We may change our use of the above-mentioned technologies any time. In such cases, we will update our Cookie Policy accordingly. We will notify you of such changes by posting an announcement in our mobile application or Website.
7. Privacy information with regard to the technologies we use
a) Privacy information about First Party technologies:

Name and registered address of data controller:
Realeyes OÜ (address: Vahe 15, Tallinn 11615, Estonia, registry code: 11730664)

Name and contact details of data protection officer:
dr. Gergő Ruisz, LL.M. (address: Realeyes Kft., Tölgyfa street 24, Budapest 1027, Hungary, e-mail address: dpo@realeyesit.com


b) Privacy information about Third Party technologies:

With respect to personal data collected by Third Party technologies, the privacy policy of the third parties using the given third party technology shall be applicable.
8. Contact us
Should you have any questions or comments about this policy, or our practices on the use of technologies, please do not hesitate to contact us at any of the availabilities listed under Section 9 of our Privacy Policy above.