Effective: November 30, 2020
Purpose of this Notice
This privacy notice (“Notice”) aims to give you information on how RealityMine Ltd collects and processes your personal data on behalf of Tobii Pro AB. Tobii Pro AB (“Tobii”) has engaged RealityMine Ltd to provide software applications and data processing services for the purposes set out in this Notice.
This Notice applies to all Tobii’s respondents who agree to participate in research programs (“Program”) that involves downloading and installing to their mobile device or computer a software application (the “App”) developed by RealityMine Ltd.
‘Data Controller’ refers to Tobii as Data Controller, ‘We’, ‘us’ and ‘our, refers to RealityMine Ltd as Data Processor. The Data Controller has appointed a data protection officer (DPO) and the Data Processor has appointed a data protection manager (DPM) each of whom will be happy to address any questions you have in relation to this privacy Notice. If you have any questions about this privacy Notice, including any requests to exercise your Legal Rights, please contact the DPO or DPM using the details set out below.
For further information about our Privacy Notice or our processing of data about you, please contact us by either of the following methods:
Primary contract: Tobii acting as Data Controller
Full name of legal entity: Tobii Pro AB
Name or title: Data Protection Officer
Email address: DPO@tobii.com
Postal address: Tobii AB | Box 743 | 182 17 Danderyd | SWEDEN
Additional contact: RealityMine Ltd acting as Data Processor
Full name of legal entity: RealityMine Ltd
Name or title: Data Protection Manager
Email address: firstname.lastname@example.org
Postal address: Data Protection Manager, RealityMine Limited. Warren Bruce Court, Warren Bruce Rd, Stretford, Manchester, M17 1LB, United Kingdom
You have the right to make a complaint at any time to either the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk), or to Datainspektionen (www.datainspektionen.se), which is the Swedish supervisory authority for data protection issues. We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
Changes to the privacy notice and your duty to inform us of changes
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
The Information We Hold:
We may collect both personal information and non-personal information from you as described below.
Personal data, or personal information, means any information which relates to an identified or identifiable person. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together follows:
• Contact Data includes email address and telephone numbers.
• Technical Data includes applications and websites used, search terms entered, internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use.
The processing and grouping of personal data will be completed by RealityMine. Tobii will store this information for up to 18 months in line with the Data Retention paragraph below.
We do not intentionally collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences. However, such data may be collected in connection with the collection of other information (e.g., website visits, search terms entered, etc.) and may be processed and used in connection with our services to or for our client(s). WHILE THE APP IS ACTIVE ON YOUR DEVICE PLEASE DO NOT ENTER DATA/INFORMATION OR USE APPS OR THE INTERNET IN A WAY THAT WILL LEAD TO THE COLLECTION AND PROCESSING OF SENSITIVE PERSONAL DATA.
How we Collect the Information:
We use different methods to collect data from and about you. We have set out below further detail on exactly how data is collected from you when using the Application.
The Application collects ‘clickstream data’ and may also gather diary/survey data if configured. Clickstream data is information generated by you and your device while surfing the Internet and interacting with various sites, services and device functions.
The service will either install the “Meter” (a piece of software on your device to collect the data described above) and/or will establish the “VPN” (a profile on your device to direct all internet data generated by and for your device through RealityMine to enable Us to collect the data). Regardless of whether data is collected via the Meter or the VPN. We will only use the data as described in this Notice.
In greater detail, the Application may collect the following types of information:
1. Online browsing: This includes the sites you visit and apps you use, including news sites/apps or social networks, and your interactions with them.
2. Online activities: This includes the search terms you enter and the results of such searches, the videos you view, the products you shop for online, information you enter into forms, the materials you download or upload, the advertisements you see, cookies on websites you visit, information and content on sites or apps that you visit or use and with which you interact and may include personal, financial and health information (subject to the process described below in the section entitled “Protecting Personal & Sensitive Information”).
3. System information: This includes information about the device and browser that you are running on, including the IP address and phone number of the device, how the Application is operating, and which other applications are installed or running.
4. Mobile Usage Information, which refers to information about your use of your mobile device which we are able to collect if you have downloaded and installed one of our Applications/VPN profiles on your device. Please note this information is collected and transmitted to us ‘in the background’ and does not require any further activation on your part. We call this ‘passive tracking’. This can include the following types of information:
• Information about your internet browsing habits – how much time you spend browsing the internet on your mobile device or computer, the sites you visit or apps you use, and the terms of any search you carry out.
• Information about your usage of other apps and features (such as the camera, though we do not collect any photos) on your mobile device, including the identity of the apps and features, when you downloaded them, how often you use them and for how long.
• Your location (see below)
• Information about the type of mobile device you own, when and for how long you charge it, its battery status, whether it is switched on, off or in a stand-by or ‘Airplane’ mode.
• Information about which mobile network you use, which wi-fi networks you connect to, and at what times.
• Information about the volume of data downloaded to your mobile device, the times that you download that data and the method of connection you use (wi-fi or mobile network).
• Information we can deduce from combining the above information – e.g., what apps you were using just before you searched for particular information using your mobile device’s internet browser, or how often you call, email or text a particular contact, or the geographic location in which you are most likely to charge your device, make a telephone call, or download an app.
• Operating system capabilities to view to contents of your applications such as Accessibility services.
• The AdvertiserID/IDFA of your device.
5. Location Information, meaning data which reveals the geographic location of you and your mobile device, where you have given us your consent to collect such information. When you first download the Application, you will be asked if you agree to your location information being disclosed to us. If you consent, then we may collect and transmit this information on a semi-continuous and passive basis, which does not require any further activation on your part. If you wish at any stage to turn off this passive location tracking, you will need to uninstall the Application, by following all of the defined steps from the instructions set out in the Application Removal section below.
6. Audio Content Information. The devices may sample background audio content using the device’s microphone. The actual audio is never stored, but immediately converted into a “fingerprint” in a non-reversible process. The “fingerprint” is used to try and identify the TV show or commercial being listened to. This feature is disabled during phone calls.
The above list contains examples of the type of data collected and is not a comprehensive list of every single data element.
Protecting Personal & Sensitive Information
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on the Data Controller’s instructions, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
We may collect certain information in part through the use of a technology called a “cookie.” A cookie is a small text file that is saved to your device using your browser, which allows sites to recognize you and store preferences and other information if you return to the site using the same device and browser.
We use temporary session cookies during the download and registration process to correctly identify the research panel that you have joined, enable the creation of a unique, anonymous identifier and to trigger the download process.
You may remove cookies and/or control their operation by adjusting your browser settings. Please visit the ‘help’ section of your browser for more information.
How we use your data
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
• Where we need to perform the contract we are about to enter into or have entered into with the Data Controller which requires the processing of your personal data. By downloading the Application you consent to us processing your data and acknowledge that we do this pursuant to a contract you have with the Data Controller.
• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
• Where we need to comply with a legal or regulatory obligation.
• Data analytics to assess the performance and determine improvements in our products and services.
Purposes for which we will use your personal data
We process your data on the basis that we have a legitimate Interest in doing so and to ensure the proper performance of the Contract which we have in place with the Data Controller.
Purposes for which the Data Controller will use your personal data
This section describes how your data – which includes web use, app use, demographic information, survey responses and information we have obtained from third parties – contributes to the kinds of services provided by the Data Controller to their client or clients (‘Clients’). Typically, panel members’ data is combined into consumer segments and reported upon as aggregated (or grouped) results. Consumer segments are pools of users who have common interests or characteristics, for example, “women between the ages of 28-34 interested in travel websites.” Once aggregated, the results and consumer segments are shared with the Clients of the Data Controller and other parties as described in this Notice. On some occasions, the Data Controller may share non-aggregated results for limited purposes. The following are examples of the kinds of services the Data Controller provides, and how your data is used in these services:
Advertising Research – Your data is combined with data from other users into a pool that is then analyzed for exposure to certain advertising. Information about the combined pool, which does not identify any particular user, is shared with the Data Controller so they can understand if and how their advertising spending impacts the consumer journey and consumer decisions. For example, by comparing the behaviors of a group of users who saw a particular online advertisement with another group of users who did not see that advertisement.
Media Use Analysis – Your data is combined with data from other users to form consumer segments that are shared with the Data Controller without identifying any particular user. These segments are typically analyzed on behalf of Clients to understand where consumers go online and how consumers interact with digital media, which includes website content, apps and advertising that they see. For example, the Data Controller may help companies understand the effectiveness of their websites or apps by comparing how users are interacting with their websites or apps versus how users are interacting with their competitors’ websites or apps.
Consumer Analysis – The Data Controller may use your data, including personally identifiable information they have obtained directly or through a trusted third-party vendor, to enhance their or their Client’s consumer segments explained above. The Data Controller uses personally identifiable information in this way when their Client already has this information because it is usually the only way to match their profiles with those of their Clients. Sometimes the Data Controller may gather information from your clickstream data, such as a session ID, and share it with a third party in order to match your information with the information possessed by a third party as part of their services. Although in each of these cases they may permit these other parties and their customers to use your information to enhance their broader consumer segments, to which they then may target advertising. In the normal course of your online activities, you may be a member of a broader consumer segment that sees particular advertising that your data helped create.
The Data Controller may also use your information for purposes of maintaining the configuration and proper functioning of the Application, for database or Application services (such as customer support, email, or surveys), and for purposes of data quality and data cleansing.
As part of the registration process prior to installation of the Application or in connection with your participation in a survey or other service, the Data Controller may directly collect information such as your name, telephone number, email address, birth year, household information, income and gender. This information is part of your consumer profile and used as described above. Of course, the contact information you give also helps the Data Controller reach you with information related to Application maintenance and upgrades and other service related communications.
When working with a third party (such as another data provider) to supplement your profile, the Data Controller protects your privacy by having the data provider sign a confidentiality agreement stating that they will not share personally identifiable information with unauthorized parties. The Data Controller instructs them to maintain the confidentiality, security and integrity of the information we provide and not to use the information for any purpose other than those explicitly authorized.
The Data Controller may share information about you with authorized vendors and service providers, in connection with the services that they perform. These third parties are prohibited from using your information for other purposes.
Additional Disclosure of your Information
In the event We go through a business transition, such as a merger, acquisition by another company, or sale of all or a portion of its assets, your information may be among the assets transferred.
We also reserve the right to disclose your information as required by law, court order, or legal process served on us, when we believe that disclosure is necessary to protect our rights, or to combat suspected fraudulent activities.
You can opt-out of this Program at any time by removing the Application from your device. For instructions on how to do so, please read and follow all defined steps of the Application Removal Instructions which were provided to you when you joined the study. However, an overview of the process for each operating system is outlined below:
a) If you are using an Android phone, simply open ‘Settings’, scroll down to Apps, find RealityMeter, and then click ‘Uninstall’. This will also remove the VPN profile. You will then need to remove the Root Certificate from your settings.
b) If you are using an iPhone, simply hold down on the app icon. When an ‘X’ appears above RealityMeter, tap the ‘X’ to remove the application. You must then remove the VPN profile from your device by going to ‘Settings’, ‘General’, ‘Profiles’ and then removing the VPN profile and root certificate
c) If you are using a Windows machine, find RealityMeter in ‘Programs and Features’, double click to bring up the uninstallation wizard and click ‘Uninstall’. Following these steps will automatically remove all browser extensions.
d) If you are using a OSX machine, Force Quit RealityMeter, drag the application to the trash and then empty the trash. Following these steps will automatically remove all browser extensions.
If you are not able to quickly and easily opt-out from data collection, we can and will help you if you ask. If you have any questions regarding removal or opting-out, you must contact the Data Controller.
If you have set your browser to “private browsing” or a similar setting, the Application may still continue to operate and collect data to be sent to Us. To completely stop the operation of the Application and the collection of data from your device, you must follow the instructions above to remove the Application.
We have put in place appropriate technical and organizational measures to protect your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Security Incident Notification
If We become aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data or Personal Data while processed by Us (each a “Security Incident”), We will promptly and without undue delay (1) notify the Data Controller of the Security Incident; (2) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident in conjunction with the Data Controller.
Notification(s) of Security Incidents will be delivered by the Data Controller to the Data Subject.
We shall make reasonable efforts to assist the Data Controller in fulfilling their obligation under GDPR Article 33 or other applicable law or regulation to notify the relevant supervisory authority and data subjects about such Security Incident.
Our obligation to report or respond to a Security Incident under this section is not an acknowledgement by Us of any fault or liability with respect to the Security Incident.
The Data Controller must notify Us promptly about any possible misuse of data.
Data Access Rights
You have the right to request:
• Access to the personal data we hold about you. You will need to contact your Data Controller.
• The correction of your personal data when incorrect, out of date or incomplete. You will need to contact your Data Controller to correct this.
• That We stop using your personal data.
• That We stop any consent-based processing of your personal data after you withdraw that consent.
If you would like to modify or remove personally identifiable information about you that is being held by Us, then you should contact your Data Controller with your specific requests. Such access rights do not include the ability to modify or remove clickstream data, information that has been inadvertently collected as described above in the Protecting Personal & Sensitive Information section or information that has already been shared with a third party as permitted by this Notice.
If you wish to access the data we hold on you, you can access the Data Subject Access Request (DSAR) form by contacting email@example.com who will provide the form to you within 30 working days. As part of the DSAR, you will be asked to provide two forms of identification to the Data Controller, which should be dated within the last 3 months.
If you wish to lodge a complaint, you can do so by contacting firstname.lastname@example.org, who will respond to you within 30 days.
Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.
YOUR LEGAL RIGHTS
You have the right to:
Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. Your request will be actioned within 90 days following company Notice.
Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it. At the instruction of the Data Controller, We will perform data processing in order to produce our suite of data products. Your Data Controller will then receive a selection of these reports to meet their business requirements.
Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
We will retain the information described above for as long as the information has value as part of the services we offer to our clients, or as long as is necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.If you opt out of the Program by following the directions to remove the Application as described above in the Application Removal section, we no longer will collect data from you but we will retain and continue to use your data collected prior to your removal of the Application unless you contact us pursuant to the Data Access Rights section above.
We do not seek to collect personal information from users under the age of 15 for use in connection with our online research panels. If we do seek to collect personal information from users under 15 in the future, we will, when applicable, obtain verifiable parental consent and adhere to the Children’s Online Privacy Protection Act and all appropriate data laws and regulations.
Privacy Notice Changes
If we are going to use your information in a manner materially different from that stated in our Privacy Notice at the time of collection, you will be notified by your Data Controller via email. If we make any non-material changes to our privacy practices that do not affect information already stored in our database or for future collection, your Data Controller will post a prominent notice on their website notifying members that there is a change and pointing them to the revised privacy Notice.
If we have any personally identifiable information about you, you may correct, update or delete your contact information by contacting the Data Controller.
If you have questions related to this Notice, the data that has been collected by the Application, or other privacy concerns, please contact the Data Controller.
If you wish to contact the Data Protection Officer of the Data Controller, you can do so by emailing email@example.com
If you wish to contact the Data Protection Manager of the Data Processor, you can do so by emailing firstname.lastname@example.org