The Maptology web applications, the mobile application and the associated service collect and process your data to provide their functions. In addition to general usage data, this also includes personal data, such as your location.
Version and Change History
Version 1 – Created on March 5th, 2018
Version 2 – Created on February 2nd, 2020 10.02.2020 (more detailed explanation of your rights)
Responsible Person and Contact
The person responsible within the meaning of the General Data Protection Regulation (GDPR) §4 (7) is Dr. Marcus Handte. If you have any questions or comments about this, please contact us at:
Networked Embedded Systems
Dr. Marcus Handte
What data is collected and for what purpose?
- Data that you give us: To use all functions of the Maptology applications, you can create an account. For this we ask you for your name, your email address, a login name and a secret password. We use the email address and your name to contact you and to offer you automatic functions such as resetting your password via your email account. We use your account name and password to authorize access to your account. To prevent unauthorized access, you must keep your password secret.
In addition, the mobile application allows you to create location shares that you can forward to your friends, for example. During the creation, you have the option of providing the location share with freely selectable texts and an expiry time. We save the texts and the expiry date, and we make them available on request to anyone who has the share link. As soon as the expiry date has passed or you delete the share, the share is deemed to have ended and the content will not be passed on to others. The processing of this data is necessary for the implementation of the functions of the service and takes place on the basis of GDPR §6 (a) with your consent.
- Data on the use of the service: Both the web application and the mobile application communicate with the service via the HTTPS protocol. With every interaction, we save the connection and request data such as the time of the request, the current IP address of the requestor, the requested URL and the parameters contained in the request as well as the duration and results of the request. The purpose of this recording is the (possibly retrospective) detection, analysis and combating of attacks through automatic mechanisms as well as the elimination of program errors and the improvement of the function and performance of the service and the applications. Accordingly, the collection takes place according to GDPR §6 (f).
- Data via your mobile device: When you use the mobile application on your device for the first time, we ask you to register the device. When registering, we collect and save device-specific data such as the manufacturer and the device model. We will show you this data in the web application if you link your mobile device to an account. The aim of the acquisition is to fix device-specific errors and to improve the function and performance of the service and the applications. Accordingly, the collection takes place according to GDPR §6 (f).
To be able to clearly identify your mobile device at a later point in time, we assign each device a random but unique number when it is registered. From then on, this number is sent to the service with every request from the device. In this way we prevent another device from changing your data (e.g., your current location and your shares). This identification is required for the implementation of the service and is based on GDPR §6 (a).
In addition, as part of some requests, we will transmit the version of the mobile application that you have installed on your device. The purpose of this recording is to correct errors in the mobile application within the service implementation as well as the statistical analysis of the versions of the mobile application used. For this reason, the collection is based on GDPR §6 (f).
- Data about your location: The primary function of the mobile application is the automatic recording of your device location with the purpose of a (time-limited) controlled transfer of the current location to other users. For this purpose, the mobile application continuously records the location of your device as well as changes in location with the help of the available data sources (GPS, WLAN, motion sensor, etc.) and transmits this to the service.
The transmitted data includes the current position in the form of a WGS84 coordinate with longitude, latitude and altitude as well as the speed and direction of movement, the accuracy of the position information or the state of movement (e.g., no motion). The location is recorded and transmitted in the background, i.e., especially when the mobile application is not actively used. However, it can be switched off completely at any time via the application’s settings screen. In addition to the storage, the location is also passed on to other users who have a valid (i.e., not expired, not deleted and not paused) share link.
In addition, if you have an account and have activated this in the settings of the mobile application, the location can also be used for automatic analysis. The service recognizes places where you are for a period of several minutes. If such a place is recognized, it will be linked to your account and the time of visit to the place will be saved.
You have the option to allow us to use your location data for research purposes via a setting. If you opt-in, we will save the location anonymously in a specially designed database. This database does not contain any further information about users of the service.
The processing of your location data is necessary for the implementation of the functions of the service and takes place with your consent on the basis of GDPR §6 (a).
What alternatives are there and what are their effects?
Use without an account: With the mobile application you can share your location with other users without an account. With this type of use, the service saves the device-specific data, the data on shares that you have created, the data on the use of the service and the last transmitted device location. Older information is irrevocably lost when the location is updated.
Use with an account but without analysis: If you create an account, you can link your devices to the account when you register. In that case, you can use your account name and password to view the current location of your devices via the web application at any time. When used in this way, the service basically stores the same information as when used without an account. In addition, however, the account information (your name and email address as well as the account name and the associated password) and the associated devices are stored. However, you can delete the linked devices from the account at any time via the web application.
Use with account and with analysis: If you have connected your mobile device to your account, you can activate the automatic analysis for the device. When the analysis is activated, the service basically records the same information as when using an account without analysis. For the evaluation, however, the service must also keep the last 10-20 location updates available. In addition, the service saves the recognized locations and the respective recognized visiting times of these locations. You can delete individual visits and locations from your account at any time using the web application.
Release of location data for research purposes: Regardless of the type of use and analysis, you can release your location data for use in research. If you give this approval, all location data that is recorded during a given approval will be permanently stored in an anonymized form. If required, extracts from the data are made available to scientists at the University of Duisburg-Essen for their research.
Where is the data stored and processed?
The data is currently stored and processed exclusively on servers in Germany at the University of Duisburg-Essen.
Who will the data be passed on to?
People with shares: If you generate location shares with the service, we will pass on your current location data during the period of validity of the location share to everyone who has the associated sharing link. Please note that people to whom you give the sharing link can also pass it on to other people. However, the applications offer you several options to end the location sharing at your request. For example, you can pause or delete your shares. You can also change the period of validity of existing shares.
Scientists at the University of Duisburg-Essen: We pass on the data you have released for research purposes in anonymized form to interested scientists at the University of Duisburg-Essen.
Authorized bodies: If we are legally obliged (e.g., by a valid court order) to give data to an authorized body, we will pass on your data to such a body and inform you (if this is legally possible) about the transfer.
How long will the data be stored?
The storage period depends on the type and use of the data. Data on the use of the service are usually overwritten after a few days through regular rotation. This time can increase in individual cases (e.g., when analyzing past attacks). We keep data on your account, your shares and devices as well as their locations until you delete them.
Regardless of the type of data, we try to keep the storage period short. However, we strive to operate the service in a way that protects the data of all users from system failures and willful damage by third parties. That is why we use regular backups and delay irrevocable deletion processes for a certain period (usually a few days). Due to these measures, it may happen that unused data or data that has been released for deletion is not immediately deleted from our computer and security systems.
Which rights can be asserted?
Your rights are described in detail in Chapter 3 of the GDPR and the rights to which you are entitled are not affected by this data protection declaration. Your rights include, among other things:
- Right to confirmation and information (GDPR §15), right to correction (GDPR §16) and right to deletion (GDPR §17): Within the framework of the applicable legal provisions, you have the right to free information about your stored personal data, their origin, their recipients and the purpose of the data processing and, if necessary, a right to correct, block or delete this data. In this regard, please contact the responsible person mentioned above.
- Right to restriction of processing (GDPR §18), right to object to processing (GDPR §21) and right to revoke consent under data protection law (GDPR §7): Some data processing operations are only possible with your express consent. The consent already given can be revoked at any time. An informal notification by email is sufficient for the revocation. The legality of the data processing carried out up to the point of withdrawal remains unaffected by the withdrawal.
- Right to data portability (GDPR §20): You have the right to have data that we process automatically handed over to you or to third parties. It is provided in a machine-readable format. Please also note that you can export your data yourself in CSV format via the web application at any time. If you request the direct transfer of the data to another person responsible, this will only be done if this is technically feasible.
- Right to lodge a complaint with a supervisory authority (GDPR §77): As a data subject, you have the right to lodge a complaint with the responsible supervisory authority in the event of a breach of data protection law. The responsible supervisory authority regarding data protection issues is the state data protection officer of the federal state of North Rhine-Westphalia. You can find the contact details of the data protection officer here.
If you have any questions, concerns, or requests for information, we ask you to contact the person responsible mentioned above.
Information on Online Dispute Resolution
The EU Commission provides an internet platform for the online settlement of disputes (so-called “ODR platform”) in accordance with Art. 14 Par. 1 of the ODR Regulation (EU Regulation No. 524/2013). The ODR platform serves as a point of contact for out-of-court settlement of disputes. You can reach the ODR platform via this link.