Privacy Policy

for “phyphox” by RWTH Aachen University

I. Person Responsible for Data Processing (Data Controller)

The person responsible within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is:

Rector of RWTH Aachen University
Templergraben 55
52062 Aachen (physical address)
52056 Aachen (mailing address)
Phone: +49 241 80 1
Fax: +49 241 80 92312
Email: rektorat@rwth-aachen.de
Website: www.rwth-aachen.de/rectorate

II. Data Protection Officer

Contact data of the officially appointed Data Protection Officer of the RWTH Aachen University:

RWTH Data Protection Officer
Templergraben 55
52062 Aachen (physical address)
52056 Aachen (mailing address)
Germany
Phone: +49 241 80 93665
Fax: +49 241 80 92678
Email: dsb@rwth-aachen.de
Website: www.rwth-aachen.de/go/id/cxif/lidx/1/

III. Data Processing – General Information

1. Scope of the processing of personal data

RWTH Aachen processes personal data of visitors of the site and users of the app only insofar as this is necessary to provide a functional website and app as well as our contents and services. The collection and processing of the personal data of our users take place only with the user’s consent. An exception applies in those cases where prior consent cannot be obtained for practical reasons and the processing of the data is permitted by law.

2. Legal basis for the processing of personal data

Insofar as RWTH obtains the consent of the data subject for the processing of personal data, Art. 6 para. 1 lit. a of the EU General Data Protection Regulation (GDPR) serves as a legal basis.

In the processing of personal data necessary for the performance of a contract to which the data subject is a party, Art. 6 para. 1 lit. b GDPR serves as a legal basis. This also applies to processing operations required to carry out pre-contractual activities.

Insofar as processing of personal data is required to fulfill a legal obligation RWTH is subject to, Art. 6 para. 1 lit. c GDPR serves as a legal basis.

If processing of personal data is required to safeguard the legitimate interests of the University or a third party, and if the interests, fundamental rights and freedoms of the data subject do not prevail over these interests, Art. 6 para. 1 lit. f GDPR serves as a legal basis for this processing.

3. Deletion of Data and Duration of Storage

The personal data of the data subject will be deleted or blocked as soon as the purpose of storage ceases to apply. Furthermore, data may be stored if this is required by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfillment of a contract.

IV. Data in the app “phyphox”

1. Data recorded by the app

The app “phyphox” does not explicitly collect any personal data. It is designed to collect measurement data without any relation to individuals. However, in some circumstances, this data can bear a connection to personal data. For example, GPS data can exhibit a location or specific experiment configurations (which can be added from external sources) could specifically ask for such data. Any measured data is only stored on the device running the app and it is not submitted to us or any third party unless the user explicitly transmits the data himself (export function) or uses an experiment configuration that includes data transmission (see next section).

Please note the handling of personal data outside of phyphox is bexond our control. So, please refer to such services for additional information. These could be services used to install our app (Google Play, Apple App Store or F-Droid), these could be services that offer experiment configurations (which are loaded by requesting a webpage, so the service can track these requests like the visit from a regular webbrowser) or service to which the user submits the data from phyphox for further analysis, storage or sharing.

2. Experiment configurations with data transmission to a network service

If the users starts an experiment configuration that transmits data to a network service, phyphox will first inform the user about all potentially transmitted data in detail. The possibly transmitted data is grouped into the following categories which are each shown to the user if such data could be transmitted in the experiment:

  • An ID that is unique for the device and the network service to which the data is transmitted. This allows the network service to match all data transmitted by the same user. It does not allow to match this data across different services.
  • Recordings from the microphone or data derived from such recordings.
  • Location data
  • Data recorded from sensors available on the device. The app will list these sensors.
  • Technical details and information about the device and the version of phyphox.
  • Technical details and information about available sensors. The app will list these sensors.

The RWTH Aachen University will only use this data for the experiment described in the app or the experiment configuration. If the data is made available to other users in its entirety or in aggregated form, this will be clearly communicated in the experiment configuration and the submitted ID will always be replaced by a randomized value to enure anonymity. The RWTH Aachen University will make sure that only technical but no personal data will be publicly available.

If you load an experiment configuration from a third party, the data is not under our control after submission. The third party has to provide its own privacy policy for its service.

3. Facetracking in the iOS version of the app

If you use the depth sensor (LiDAR/ToF) feature of phyphox on an Apple device with a front-facing TrueDepth camera, the app will activate the face tracking function for this camera. This has the sole purpose of accessing and providing depth (distance) information for the image. Beyond this no facetracking information is accessed by phyphox and hence it will neither be processed nor stored.

V. Provision of the website and generation of log files

1. Description and scope of data processing

Each time the internet page is accessed, the RWTH Aachen system collects automated data and information from the computer system of the user’s computer.

The following data is collected:

Information about the browser and version used
The operating system of the user
The internet service provider of the user
The IP address of the user
Date and time of access
Websites from which the user’s system is led to our website
Websites accessed by the user’s system via our website
The data is stored in the log files of the University’s system. This data is not stored together with other personal data of the user.

2. Legal basis for data processing

The legal basis for the temporary storage of data and log files is Art. 6 para. 1 lit. f GDPR.

3. Purpose of data processing

The data is used for the purpose of optimizing the website and ensuring the safety of information technology systems. The data are not evaluated for marketing purposes in this context.

4. Duration of storage

The data will be deleted as soon as it is no longer needed to achieve the purpose of its collection, at latest 90 days after collection.

5. Possibility of Objection and Remedy

The collection of data for the purpose of providing the website and the storage of data in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility of objection on the part of the user.

VI. Discussion forum

1. Description and scope of data processing

When using our forums, the website will gather the following additional data if agreed to by either setting up an account or by accepting the cookies-preferences dialog.

Time of last visit and last activity
Which comments, threads and announcements have been read
User name and login state
Preferences like choice of language, declining cookies (which is saved nevertheless to avoid repeated questions) and choice of design
Email address, password and user name (only when creating an account. The user name may be a pseudonym.)

If you create an user account, the following optional personal data can be entered. This data is explicitly added voluntarily to be shared with other users, who therefore can access this data:
User name
Profile picture
Date of birth
Link to a website
Institution (affiliation)
Location
Short biography
Custom signature text
Any text or contribution to discussions

Only the latter, voluntary information will be shared with other users according to the preferences that of the user, which can be changed at any time. All other data is only for the operation of the forum. No data is used for marketing or transferred to a third party.

2. Legal basis for data processing

All data in the forum is only collected after the user explicitly agreed to it.

3. Purpose of data processing

The automatically collected data is used for the operation of the forum, so your settings (language, cookie-preferences etc.), marking comments as read, the login state and the list of contributions since the last visit work as expected. The data contributed by registered users (except for the password and email address) are explicitly collected to be shared with other users.

4. Duration of storage

Automatically collected data is deleted as soon as it is no longer required for the operation of the forum, at maximum after 90 days. The data contributed by registered users is kept while a user account exists. The account can be deleted by the user at any time by sending a message to the administrator. The contributed data will be deleted along with the account.

5. Possibility of Objection and Remedy

Users without an account have to opt in to the automatic data collection via cookies first. This decision can be changed at any time using the settings at the bottom of the forums page. Data provided by registered users can be deleted as they delete their account.

VII. Use of cookies

1. Description and scope of data processing

The phyphox website uses cookies. Cookies are text files that are saved in the user’s web browser or stored by the web browser on the user’s computer system. If a user visits a website, a cookie may be stored in the user’s operating system. This cookie contains a specific string of characters that enables a unique identification of the browser when the website is accessed again.

Cookies store and transmit the following data:

Anonymized IDs to identify the logged-in users and staff of the website
Choice of preferred language (not personally identifiable)

In the discussion forum the following data is collected if the user agrees to its collection:
Read comments, threads and announcements
User name and login state
Preferences like choice of language, declining cookies (which is saved nevertheless to avoid repeated questions) and choice of design

2. Legal basis for data processing

The legal basis for the processing of personal data using cookies is Art. 6 para. 1 lit. f GDPR. For the processing of the user’s consent in the context of the storage of cookies, the basis is Art. 6 para. 1 lit. a GDPR.

3. Purpose of data processing

RWTH Aachen University only uses cookies on its website to identify users and staff logged in to the website. For users that did not log in, only the not personally identifiable choice of language is stored in a cookie.

4. Duration of storage, possibility of objection and remedy

Cookies are stored on the user’s computer and transmitted to our site. For this reason, as a user, you have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings of your web browser. Cookies already stored on your computer can be deleted at any time. This can be done automatically as well. If cookies have been deactivated for the RWTH website, it may no longer be possible to use all functions of the website.

Cookies of the forum page can also be deactivated via a dialog on the first visit or the settings at the bottom of the page.

VIII. YouTube

The RWTH website uses plugins from the Google-operated YouTube site. Operator of the site is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA.

When you visit one of our pages equipped with a YouTube plugin, a connection to YouTube’s serves is being established. The YouTube server receives information on which of our web pages you have visited.

If you are signed into your YouTube account, you make it possible for YouTube to associate your browsing behavior directly with your personal profile. You can prevent this by logging out of your YouTube account.

YouTube is used in the interest of making our online offerings appealing. The legal basis for this is provided by the legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR.

For further information on how user data are managed and processed, please refer to YouTube’s privacy policy statement: https://policies.google.com/privacy?hl=en.

IX. Rights of the data subject

If any of your personal data is being processed, you are considered a data subject according to the GDPR. Thus, you have the following rights vis-a-vis the person responsible:

1. Right to information

You can ask the responsible person to confirm whether your personal data is or will be processed by RWTH.

If your data is being processed, you can request the following information from the person responsible:

the purposes for which the personal data are processed;
the type/categories of personal data being processed;
the recipients or categories of recipients to whom the personal data have been and/or will be disclosed
the planned duration of the storage of your personal data or, if specific information in this regard cannot be provided, criteria that determine the storage period;
the existence of a right to rectification or deletion of personal data concerning you as a user, a right to limitation of processing by the controller, or a right to object to such processing;
the existence of a right of appeal to a supervisory authority;
any available information on the source of the data if the personal data are not collected from the data subject;
the existence of automated decision-making including profiling in accordance with Art. 22 para. 1 and 4 GDPR and – at least in these cases – meaningful information on the logic involved and the scope and intended effects of such processing for the data subject.
You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organization. In this context, you may request to be informed of the appropriate guarantees pursuant to Art. 46 GDPR in connection with the transmission.

This right to information may be restricted in so far as it is expected to make the realization of research and statistical purposes impossible or severely limits it, and this restriction is necessary for the fulfillment of the research or statistical purpose.

2. Right to demand correction

You have a right of rectification and/or completion vis-à-vis the person responsible if the personal data processed concerning you are incorrect or incomplete. The person responsible shall make the correction without delay.

This right to information may be restricted in so far as it is expected to make the realization of research and statistical purposes impossible or severely limits it, and this restriction is necessary for the fulfillment of the research or statistical purpose.

3. Right to limitation of processing

Under the following conditions, you may request that the processing of personal data concerning you shall be restricted:

if you dispute the accuracy of the personal data relating to you for a period that enables the data controller to verify the accuracy of the personal data;
the processing is unlawful and you refuse to delete the personal data and instead request that the use of the personal data be restricted;
the data controller no longer needs the personal data for the purposes of the processing, but you do need them to assert, exercise or defend legal claims, or
if you have filed an objection to the processing pursuant to Art. 21 para. 1 GDPR and it has not yet been determined whether the legitimate reasons of the person responsible outweigh your reasons.
If the processing of personal data relating to you has been restricted, such data may only be processed – aside from being stored – with your consent or for the purpose of asserting, exercising or defending rights or protecting the rights of another natural or legal person or on grounds of an important public interest of the Union or a Member State.

If the processing restriction has been restricted according to the above conditions, you will be informed by the person responsible before the restriction is lifted.

This right to information may be restricted in so far as it is expected to make the realization of research and statistical purposes impossible or severely limits it, and this restriction is necessary for the fulfillment of the research or statistical purpose.

4. Right to deletion

a) Duty to delete

You may request the data controller to delete the personal data relating to you without delay, and the controller is obliged to delete this data without delay if one of the following reasons applies:

The personal data relating to you are no longer necessary for the purposes for which they were collected or otherwise processed.
You revoke your consent, on which the processing was based pursuant to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR, and there is no other legal basis for the processing.
You file an objection against the processing pursuant to Art. 21 para. 1 GDPR, and there are no overriding legitimate reasons for the processing, or you file an objection against the processing pursuant to Art. 21 para. 2 GDPR.
The personal data concerning you have been processed unlawfully.
The deletion of personal data relating to you is necessary to fulfill a legal obligation under Union law or the law of the Member States to which the data controller is subject.
The personal data relating to you have been collected in relation to information society services offered pursuant to Art. 8 para. 1 GDPR.
b) Information to third parties

If the data controller has made the personal data concerning you public and is obliged to delete it pursuant to Art. 17 para. 1 GDPR, he or she shall take appropriate measures, including technical ones, and taking into account the available technology and the implementation costs, to inform those who are responsible for processing the personal data that you as the data subject have requested the deletion of all links to this personal data or of copies or replications of this personal data.

c) Exceptions

The right to cancellation does not exist insofar as the processing is necessary

to exercise the right to freedom of expression and information;
for the performance of a legal obligation required for processing under the law of the Union or of the Member States to which the controller is subject, or for the performance of a task in the public interest or in the exercise of official authority conferred on the controller;
for reasons of public interest in the field of public health pursuant to Art. 9 para. 2 lit. h and i and Art. 9 para. 3 GDPR;
for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes pursuant to Art. 89 para. 1 GDPR, insofar as the law referred to under a) is likely to make it impossible or seriously impair the attainment of the objectives of such processing, or
to assert, exercise or defend legal claims.

5. Right to information

If you have exercised your right to have the data controller correct, delete or limit the processing, he or she is obliged to inform all recipients to whom the personal data relating to you have been disclosed of this correction, deletion or restriction on processing, unless this proves impossible or would involve a disproportionate effort.

You have the right, vis-à-vis the data controller, to be informed of these recipients.

6. Right to data transferability

You have the right to obtain the personal data concerning you that you have provided to the data controller in a structured, common and machine-readable format. In addition, you have the right to pass this data on to another data controller without obstruction by the data controller to whom the personal data was made available, provided that

processing is based on consent pursuant to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract pursuant to Art. 6 para. 1 lit. b GDPR and
processing is carried out by means of automated methods.
In exercising this right, you also have the right to request that the personal data concerning you be transferred directly from one data controller to another data controller, insofar as this is technically feasible. The freedoms and rights of other persons must not be compromised by this.

The right to transferability shall not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority conferred on the controller.

7. Right of appeal

You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you under Article 6 para 1 lit e or lit. f GDPR; this also applies to profiling activities based on these provisions.

The data controller no longer processes the personal data relating to you, unless he or she can prove compelling reasons worthy of protection for the processing which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

If the personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of the personal data relating to you for the purpose of such advertising; this also applies to profiling, insofar as it is associated with such direct marketing activities.

If you object to the processing for direct marketing purposes, the personal data concerning you are no longer to be processed for these purposes.

You have the opportunity – notwithstanding Directive 2002/58/EC – to exercise your right of objection in connection with the use of Information Society services by means of automated processes using technical specifications.

In addition you have the right, on grounds relating to your particular situation, to object to processing of personal data relating to you, which are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89 Art. 1.

This right to information may be restricted in so far as it is expected to make the realization of research and statistical purposes impossible or severely limit it, and this restriction is necessary for the fulfillment of the research or statistical purpose.