Privacy Policy
Last updated March 10th, 2021
This Privacy Policy (“Policy”) describes the privacy practices applicable to the website at www.novid.org (“Website”) and your use of the NOVID mobile application software (“App”), which is offered by Expii, Inc. (“us,” “our” or “we”). This Policy also applies to any of the services, functions and features accessible through the App (“Service(s)”) unless you are provided access to a separate privacy policy that applies to a particular Service (“Service Policy”), in which case the Service Policy will apply to that Service instead of this Policy. You may also be provided with a supplemental privacy notice for a particular Service (“Supplemental Policy”) in which case the Supplemental Policy and this Policy will apply to that Service, with the Supplemental Policy superseding any conflicting terms in this Policy. This Policy explains how data about you may be collected, used, and disclosed by us, and certain rights and choices you may have regarding your data. Please read the following carefully to understand our practices regarding your personal data before accessing the Website or downloading and using the App or Services.
1. INFORMATION WE COLLECT AND ITS USE
We may collect, receive and use the following information:
User ID, notification tokens and passwords
When you first install the App, we generate a random user ID and password to represent your device’s identity for the purpose of the App and all Services. We also generate a notification token that is unique to your copy of the App, which we use to provide notifications. We do not link the user ID, password, or notification token to other information that could specifically identify you or your device, such as your name or device ID (i.e., the Identity for Advertisers on Apple devices or Google Play Services ID on Android devices, or any hardware identifiers on your device).
Microphone and Ultrasonic Signals
The App uses a combination of ultrasound and Bluetooth technology to measure distances between App users. This technology requires the App to have access to and open your device’s microphone to measure distances. We focus on ultrasonic frequencies when we process the microphone signals. We do not collect audio recordings of voice conversations through the microphone.
Wi-Fi Access Points, Partial IP Addresses and Related Information
The App collects your device’s WiFi access point BSSID (Basic Service Set Identifier) and SSID (Service Set Identifier) to which the device is connected. In the event that your BSSID is locally administered (not globally unique), the App collects the first half of your device’s IPv4 IP (Internet Protocol) address (i.e., the App does not collect the last two parts, or last two octets, of the IP address). In addition, depending on your device’s operating system, the App may periodically scan for nearby SSIDs, BSSIDs, relative signal strength indicator levels and transmission frequency information. This is classified as location information because it could theoretically be abused to deduce your location. However, we never store any persistent association between your User ID and any of this WiFi or IP address information; rather, our system assigns random, anonymized tokens (which are periodically overwritten) to WiFi access point BSSIDs, and we do not persistently store the association between these tokens and actual BSSIDs. We store the association between these tokens and your User ID. All of the above information is used for analysis, including identifying App users that have been in proximity to one another.
Device Information
We collect information from your device, such as your device make and model, OS version, language preference, and information about Bluetooth and ultrasonic signals, in order for the Services to function and to troubleshoot, analyze and improve the Services.
Contact Information
The App creates an alias ID and maintains it on your device at all times. This alias ID does not personally identify you and is different than your user ID. Alias IDs are periodically refreshed. The App on your device performs vicinity scans to sense nearby devices running the App (a “Contact”). When a Contact is located, the App exchanges the alias IDs of your device and the Contact’s device. The App does not use the GPS functions of your device to collect your latitude and longitude. We link alias IDs and actual user IDs and store such information on our servers. This information enables us to provide and improve the App and Services functionality, such as providing you notifications about a Contact.
Self-reported Results
You may submit information indicating you have or have not tested or been diagnosed as positive for COVID-19. We may use that information to notify a Contact that you were in proximity to them and approximate duration of the contact, without personally identifying you. The App may provide a function for you to input a code or other identifier provided by a medical person or facility or testing facility up to confirm you received a positive test or diagnosis.
Community Codes
You may be able to submit a code or token to your App to self-identify as a member of a community, such as a college campus or city. This code or token does not personally identify you. It is used to aggregate data from the App related to the particular community.
App usage Information
We may collect information about how and when you use the App and features within the App, in order to analyze and improve our Services.
Personal Information
If you choose to contact us on the Website or through the App, send us feedback on the App, or contact us by other means, you may provide your name, email address, organization and other information from which you may be personally identified (“personal information”). Personal information does not include deidentified, aggregated, anonymized, pseudonymized information or other information excluded by applicable law. We collect personal information in order to respond to your requests or other correspondence, develop partnerships and other business purposes. You are not obligated to provide us with personal information. However, without your personal information, we may not be able to perform certain functions, such as responding to your inquiries or developing partnerships with you.
Cookies and Similar Technologies
We may use cookies and/or other tracking technologies when you visit the Website and/or use the App. Cookies are small files of information that are stored on your device. Cookies help the App and Services operate more efficiently and improve your experience by performing functions like allowing the Website or App to recognize you when you return. We may also use cookies for statistical and analytical purposes, such as counting how many unique visitors have accessed the App and analyze usage patterns. We use Google Analytics. You may delete cookies from your device or set your device to reject cookies. However, doing so may limit some functionalities of the Website, App or Services. In addition, blocking or deleting browser cookies may not block other types of cookies or technologies. You can review how Google uses the information they collect and how you can control information collected by Google Analytics here. The Website and App do not respond to “Do Not Track” or other automated signals on browsers.
External Storage
Users of the NOVID mobile app may contact NOVID by tapping the "Send Feedback" button in the Settings page of the app. When we refer to Intercom, we mean Intercom R&D Unlimited Company, a company registered in Ireland with a registered address at 2nd Floor, Stephen Court, 18-21 Saint Stephen's Green, Dublin 2. Intercom is a chat service which enables NOVID to communicate with anonymized users. If a user wishes to send information like files or photos to NOVID via the Intercom chat service, External Storage permissions are necessary in order to send external files to the NOVID support team. The use of this permission is optional. Users should avoid sending sensitive information to the NOVID support team.
2. DISCLOSURES OF INFORMATION
We will not sell personal information to third parties without your prior express consent. We may share personal information and other information with third parties as follows:
Contacts
When a contact between you and a Contact occurs, your alias ID is sent to the Contact’s device and the Contact’s alias ID is sent to your device. The App does not provide any other identifying information directly from your device to Contacts’ devices.
When you report a positive test result, the App informs certain Contacts that they had a direct or indirect contact with someone with a positive COVID-19 test result or diagnosis. The notification does not include your personal information, such as your name. However, a Contact may be able to determine that you are the source of the notification based on the recollection of their own movements. For example, upon receipt of a notification of a new positive test report, a Contact may know that you were the only person with whom they were in close contact in the past week and may therefore deduce that you reported a positive test result.
Service Providers
We may share information with companies that we engage to provide services to us, such as hosting services, for the purpose of fulfilling the engagement. We use Google Analytics to analyze usage of the Sites. You can review how Google uses this information and how you can control information collected by Google Analytics here.
Aggregated and de-identified information
We may share, publish, sell or allow third parties to sell aggregated information and/or de- identified, anonymized and/or pseudonymized information if such information does not personally identify you. For example, we may compile and sell statistics and related data tools about the rate of positive COVID-19 reports in a community and the proximity of the App users in such community based on information we have collected from you and other users, as long as the statistics do not personally identify you. As another example, we may share aggregated and/or de-identified information with researchers, health professionals and others in the medical community in order to analyze the symptoms and infection rates of COVID-19.
Legal Obligations
We may disclose information where we are legally required to do so in order to comply with applicable law, governmental requests, a judicial proceeding, court order, or legal process, such as in response to a court order or a subpoena (including in response to public authorities to meet national security or law enforcement requirements).
Vital Interests
We may disclose information where we believe it is necessary to protect our interests and the interests of you and other parties, including to investigate, prevent, or take action regarding potential violations of our policies, to prevent fraud and address suspected fraud, to fulfill contractual obligations, in situations involving potential threats to the safety of any persons or property, to address illegal activities, and in legal proceedings in which we are involved. We may also disclose information to third parties to whom we may choose to sell, transfer or merge parts of our business or our assets.
3. CROSS-BORDER TRANSFERS
The App is designed for use in the United States. Any information we collect, including personal information you provide to us, may be transferred to and processed in the U.S. If you are located outside the U.S., please be advised that the U.S. does not offer safeguards to protect personal information that are as stringent as some other jurisdictions in the world. For example, the European Union does not consider U.S. privacy safeguards to be adequate to protect personal information.
4. DATA RETENTION
We retain personal information for as long as necessary for the purposes set out in this Policy, including fulfilling your inquiries, developing and maintaining partnerships and administering the App and Services, unless a longer retention period is required or permitted by law.
5. SECURITY
Although we employ technical and organizational controls that we believe are reasonably appropriate to protect your information, we do not guarantee that our security precautions will protect against the loss or misuse of your information. Similarly, we cannot guarantee the privacy of information you transmit over the Internet or that may be collected in transit by others, including contractors that provide services to us.
6. YOUR DATA CHOICES
You may request a copy of your information or submit a request to delete your information. You must provide your temporary contact ID when submitting a request. Your temporary contact ID will be generated when you click on the Privacy Policy button in the App and will appear as a string of numbers and letters in Section 6. Copy or type this string into the “Fill in your user ID” email subject lines as described below.
Temporary Contact ID: My ID
To request a copy of your information, please send an email to privacy@expii.com with subject line "Requesting Info: My ID".
To delete your information from the App, please send an email to privacy@expii.com. with subject line "Delete: My ID". If you have provided personal information on the Website, App or through other means and want to obtain a copy or request that it be deleted, please send an email to privacy@expii.com with sufficient information (such as your name and email) for us to identify your personal information.
We may retain certain information, including a record of your request to delete information, to prevent fraud, troubleshoot problems, assist with any investigations, enforce our Terms of Use and other policies, and/or to comply with internal policies or legal requirements. We may also retain your information in aggregated and/or de-identified, anonymized and/or pseudonymized form.
7. OTHER WEBSITES AND LINKS
The Websites or App may contain links to other websites. We are not responsible for the information collection or privacy practices of other websites. You should consult the privacy policies of other sites before you visit those sites or provide any information to those sites. We do not control the privacy practices of such third-party sites.
8. REVISIONS TO THIS POLICY
We reserve the right to revise this Policy at any time. Please review this Policy periodically for changes and at any time you provide information to us. We will post any revised versions of the Policy on the Website and in the App. The updated version will be effective upon posting. If required by law, we may notify you of changes either by posting a notice of such changes or by directly sending you a notification. By continuing to access or use the Website and App after changes become effective, you agree to be bound by the terms of the revised policy. We may also require your consent to the revised Policy in order to continue using the Website and/or App.
9. CONTACTING US
If you have questions or comments about this Policy, you may email us at privacy@expii.com or write to us at Expii, Inc., 260 Atwood Street, Pittsburgh, PA 15213.
