Privacy policy for Android Host

Privacy policy for WiseMo A/S Android Host App

Version 2.2 – 2023-08-23

0. Preface

Your privacy is important to us.  As a provider of secure communications software and services, we know the importance of protecting your information.  Thus, we have established this strong privacy policy to assure you that we will not misuse any information we receive about you.  This policy applies whether you are a company, an organization, a government entity, an individual or any group of individuals.

0.1 Limitation to specific situation

This document contains only the part specific to our Host App for Android

The full policy for all situations is available at https://wisemo.com/privacy/

0.2 Changes from previous versions

0.2.1 Changes from version 2.1

  • Added notice about Android Universal Add-On
  • Fixed some textual errors

This takes effect on 22 September 2023, 30 days after the above publication date, except that for new users it takes effect immediately.

0.2.2 Changes from version 2.0 to version 2.1

  • Added optional use of 3rd party services to check the effectiveness of our own advertising
  • Added information about our upcoming OnDemand Host products
  • Added information about our upcoming myCloud Access Control product feature
  • Added information about unique identifiers
  • Clarified use of Android screen access permissions
  • Added information about notifying Host users about the Guest’s name and account e-mail
  • Streamlined the rules for future updates to this policy
  • Fixed some textual errors

This takes effect on 27 May 2023, 30 days after the above publication date.

0.2.3 Changes from version 1.0 to version 2.0

  • We are not asking for more permissions
  • The fundamental principles are not changed
  • There are now details sections for each of the situations where you give us information
  • Various formalities have been added or changed to comply with the EU GDPR

Because these changes are entirely to your benefit, they take effect without a 30 day delay.

1. Categories of information (General principles)

Our treatment of your information depends on the nature of the information and how we got it.  These are the general rules behind our specific situation policies; we will follow the most restrictive of the situation and general policies.

1.1 Anonymous statistics

Statistical data, which has been reduced, so it contains no information about any single customer, entity or person and cannot be linked back to one either, may be used and even published.

1.2 Generic access logs

Logs of accesses to our web sites and servers are available only to trusted staff of WiseMo A/S and our subcontractors.  We may use this information to manage and improve our web sites and services, to support you and to extract one of the other types of information (which is then subject to those rules).

1.3 User Registrations

Information you provide about yourself and the products and services you have licensed from us may be used to support and maintain the delivery of those products and services to you, to inform you about things we believe may be of interest, to send you newsletters (electronic newsletters only if you subscribe to them), and to support and maintain the general workings of our products.  We will not sell this information to 3rd
parties.  We may share some of this information with our channel partner servicing your area.  If the product or service you acquire from us is clearly labeled as being from another vendor than WiseMo, we may also share some of this information with the vendor of that product or service.

1.4 Accounting information

Orders, invoices, bills, receipts for payments etc. will be retained as part of our accounting records for at least 5 years.  In addition to the uses permitted for User Registrations, accounting information may be available to auditors, tax authorities and others with the legal authority to inspect such records.

1.5 Credit card details

The details of credit cards and credit card authentication codes (such as the CVC code) used when paying us via our web-shops are handled by a professional 3rd party payment gateway (Nexi Group) which has been certified by banks / credit card companies to handle such information (VISA/MasterCard PCI DSS certification).  WiseMo does not have access to your detailed Credit Card information and we cannot and do not use it or store it.  We only have access to truncated information for use on receipts and confirmations that the payment has been completed successfully.

1.6 Processed data

The data that you store on or transmit through our services, as well as any other copies of your own private data which we may gain access to (e.g. in the course of handling a support request from you) will be kept in confidence, will be used exclusively to provide the services you requested us to perform on that data and will otherwise be ignored except in some cases to compute anonymous statistics as defined above.

2. Technology, cookies etc. (General principles)

We may use any appropriate technology to protect, process, handle and obtain the information covered by this policy, including cookies, encryption, paper etc.  This policy applies regardless of the methods and technology used.

2.1 Processing in other countries

The computer systems, people and subcontractors processing data under this policy may be located anywhere and in any country.  By providing us with data subject to this policy, you consent to the processing of that data occurring in a country other than your own and/or in your country.  All such processors and sub-processors are contractually required to only process data as we tell them to (and we are bound by this policy).  Furthermore, any processors and sub-processors outside the EU (and countries ruled adequate by the EU) are required to sign standard data protection clauses as an appropriate safeguard [GDPR 46(2) (c) or (d)]

2.2 Opting out of cookies

You can opt out of the use of cookies in those WiseMo services that use them by simply using the standard cookie management features of your web browser.  Beware, however, that some of our services may not function properly if you do so.  Furthermore, any cookies or similar used for 3rd party statistics or tracking will be preceded by a specific opt-in prompt (except if you turn off “do not track”/“global privacy control” in your browser)

2.3 Advertising statistics

If you reach our websites or services from an ad that we placed on a 3rd party advertising network, we may allow that advertising network to use cookies or similar techniques to track your subsequent interactions with our websites and services, in order to measure how effective our advertising is at attracting customers.  This may involve a prompt asking for permission to do so.

2.4 Do Not Track

If you have set your browser to send us a “do not track”/“global privacy control” request, we will not enable 3rd party tracking mechanisms unless you separately accept that as an exception to your “do not track”/“global privacy control” setting via a dedicated prompt or by specifically setting your browser to not send a “do not track”/“global privacy control” request.

Skip to #common privacy provisions.

6. Using our Android Host App (#AndHost)

6.1 Data collected from our Android Host App (If you don’t sign up for myCloud)

We collect little or no data from your use of this product:

  • On first run (and on later runs if it fails), the Host App may prompt you to install an Add-On specific to the branding of your Android Device and its firmware, this download will be from either the App Market where you downloaded the Host App or directly from WiseMo servers.  In either case, the Host App may also contact the WiseMo Servers for information about which Add-On corresponds to the device.  This provides us with your IP address, the device model and some technical information about the firmware version.
  • If the feature to check for software updates is enabled, the IP address and operating system and software version may be provided to our web servers in order to do that check, alternatively the App Market where you downloaded the Host App may do this checking itself without contacting us.
  • If you send us a support log or otherwise contact us for support, our #support privacy policy applies to that.
  • If you connect the product to our myCloud service, the myCloud section below also applies.

The detailed web server log files are deleted within 5 years, but derived statistics including top requestor information is kept after that.

6.2 How we use this data

We use the Add-On selection and software update request data to provide you with the requested functionality, to identify missing Add-Ons and to keep the servers doing this running [GDPR 6(1) (b)].  We also use this data to maintain the security of our servers [GDPR 6(1) (f)]

6.3 Additional data collected if you add the Android Host App to a myCloud domain

When you use the myCloud service, it obtains, uses and logs the following data from you:

  • The e-mail address and password of your myCloud login.
  • The name of the device where the Host is running.
  • A unique numerical identifier for each device connected to your myCloud domain using recent versions of our software.  This identifier is used to keep similar devices apart, and to ensure any per device settings you make in myCloud apply only to that device.  A secure algorithm is used to ensure this identifier cannot be used to track you between different myCloud subscriptions.
  • The IP address and thus general geographic area of the device used.
  • The Type, model, operating system and Web Browser (incl. versions) of the device used.
  • The time and date.
  • If and when a myCloud connection is requested to the device.
  • The amount of data transferred through myCloud and the duration of the connection.
  • The number of licenses that you paid for or are allowed to test under a Trial license.
  • If you want or don’t want to also sign up for news e-mails, see our news e-mails privacy policy (#newsmail).

You or the administrator users in your myCloud domain can change or delete this data at any time except for the IP address, general area, device information, unique identifier and timestamp (those can only be deleted) and the internal master log files used by WiseMo for maintenance etc. (cannot be deleted).  The number of licenses paid for can only be changed via payment transactions.

All remaining myCloud customer data except the internal master log files and our internal customer records (purchase history, e-mail, name, domain name) are deleted 8 to 400 days after the myCloud subscription (trial or paid) expires.  Our internal customer records are kept for at least 5 years after the last commercial transaction.

The detailed web server log files are deleted within 5 years, but derived statistics including top requestor information is kept after that.

6.4 How we use this data

We may use the e-mail address for password recovery, to send you important notifications (such as subscription expiry) and to communicate with you about account changes and purchase decisions [GDPR 6(1) (b)].  We use the above data to provide the functionality of the myCloud service (for example, we use the general geographic area to route connections through a nearby server), to provide other services (such as skin downloads) and to keep the myCloud servers running well [GDPR 6(1) (b)].  We also use this data to check that you do not use more than the number of licenses that you paid for and to maintain the security of the myCloud servers [GDPR 6(1) (f)].  We may also share some of the user registration information with our channel partner servicing your area [GDPR 6(1) (b)].

6.5 Data you may process via myCloud

You may cause the myCloud service to process the following data on your behalf.  WiseMo acts solely as a processor of this data, using it only to perform the processing you request:

  • Data transmitted between Host and Guest (This data is end to end encrypted by default so we cannot see it, and we encourage you to not turn encryption off).  This includes the screen data and remote keyboard/touch input via the Universal Add-On or brand specific Add-On.
  • (optional) Any configuration data that you store in myCloud for deployment to devices.
  • (optional) Any permission settings that you store in myCloud for the central myCloud Access Control feature.
  • (optional) The e-mail addresses of users you invite to join your myCloud domain.
  • (optional) The names and phone numbers of devices to which you deploy Host, Guest and other software via e-mails or text messages.

You or the administrator users in your domain can change or delete this information directly as long as it remains in the active part of the service.  The content transmitted (in addition to being encrypted) is not stored by WiseMo.

6.6 Additional data when you purchase myCloud usage or purchase a license directly

When you purchase (additional) myCloud usage licenses, or perpetual licenses for standalone use of the Android Host App, the privacy policy
for our web shops (#shops)
applies.

6.7 Data encryption by default

By default, data transmitted between Guest and Host products is encrypted end-to-end.  You can turn this off if you want to, though that is not recommended.  When you are not using our myCloud service, the data is not sent through our servers at all.

6.8 Android permissions

The Android Host App needs the following permissions to function properly:

  • Internet and Wi-Fi permissions: The purpose of our Host App for Android is to let you or your authorized users control it over Internet and Wi-Fi, so it obviously needs those Android permissions to do that
  • In-app purchase: To allow you to make a onetime purchase of a perpetual license from inside the app.
  • Screen recording permissions and storage (files, media or “photos”) permissions:  These are for things you can access remotely using our Host App for Android, subject to your own choice of in-app security settings.  Because you may be far away from your device when accessing it remotely, we may need to prompt for those permissions when starting the Host App.
  • Permissions not included elsewhere on this list: These are for things you can access remotely using our Host App for Android, subject to your own choice of in-app security settings.
  • Bluetooth and Phone permissions: On some devices, our Host App for Android needs these permissions to determine the name and model of the phone, so your authorized users can select it for connections and see the proper model specific “skin” when you allow them to control your device.
  • Google/Firebase Cloud Messaging and SMS permissions: We may use Google/Firebase Cloud Messaging and SMS to reduce mobile data and battery usage for myCloud subscribers.
  • Root permission: On devices with this ability, we may use the root permission as an alternative to a brand-specific Add-On and to extend the remote file transfer, terminal access etc. available to authorized users (subject to your own choice of in-app security settings).
  • Device Administrator Permission: Our Host application is for remote support and management (which is explicitly described in the app description on Google Play).  When the Host is running, the device can be managed remotely from a WiseMo Guest module.

    On Samsung devices – and Samsung only – we are using the KNOX SDK (Samsung API) that provides additional vendor-specific functionality we find useful for our application.  We are using the following permissions from the KNOX SDK:

    1. android.permission.sec.MDM_SECURITY – to be able to reboot device remotely
    2. android.permission.sec.MDM_REMOTE_CONTROL – control device remotely

    In order to obtain access to these APIs on Samsung our Host App for Android might need to be assigned as device administrator, therefore it needs to include “Device Administrator” permission in the App description (which is the same for all devices) as described in the Samsung KNOX SDK to get access to the Remote Control API and to be able to reboot the device

    Below are additional details about the device admin handling in our WiseMo Host app on Android:

    1. If the app runs on a Samsung device with KNOX SDK support, our application might ask the user to accept assigning device administrator rights to our Host app.  We do not ask the user to assign device administrator rights on non-Samsung devices.
    2. If the user accepts the Host app to run as device administrator, Host configures the KNOX SDK, so the device can be managed remotely.  This will show some generic Samsung warnings about what other apps could do with that permission; we only use the “Allow Remote Control of device” part, which is the purpose of our WiseMo Host for Android.  There will also be a second prompt about Samsung’s own privacy policy for this feature, which you may want to read as it is beyond our control.

6.9 Android permissions for brand specific Add-Ons

The Add-Ons need the following permissions to function properly:

  • Read Frame Buffer: To be able to send the screen content to the Guest, if permitted in the Host security settings
  • Inject Events: To be able to receive keystrokes and touches from the Guest, if permitted in the Host security settings
  • Shutdown and Reboot: To be able to shutdown or reboot the device on command from the Guest, if permitted in the Host security settings

6.10 Universal Add-On

The Universal Add-On app is an add on for the Remote Desktop Host app.  The Universal Add-on app uses the Accessibility API to collect and share screen data with an authenticated remote user.

On first run (and on later runs if it fails), the Remote Desktop Host App may prompt you to install the Universal Add-On if suitable for your device.  After having installed the Universal Add-on, it can be enabled (switched on) via Android Accessibility services.  The Remote Desktop Host app will prompt you with an applicable ‘prominent disclosure’ screen, with option to go to Android’s Accessibility services, where the Add-on can be enabled. IF enabled via the accessibility services, the remote user can support you by seeing your device screen and interacting with applications on your behalf by tapping, swiping and typing text remotely.

The Universal Add-On collects and transmits screen data to facilitate remote desktop control; also, when the app is in the background.  Screen data is only collected during a remote support session and is only sent to the person(s) providing you remote support.  Nothing is shared with WiseMo or any other third party.

The Screen data collection, transmission and injection of taps, swipes and text are necessary to provide full remote control support of your device. Remote control is a core functionality of the product.

6.11 Outsourcing

The Add-On detection, update checking and myCloud services are partially outsourced to companies that operate under our command and within this policy, inside and outside the EU.

6.12 General

For details, disclaimers, statutory rights etc. see our #common privacy provisions.

Common part (#common)

17. General exceptions

Regardless of the rules above, the following situations are exempted:

17.1 Your requests

If you ask us to do something that requires that we access your data, we may access your data to do so.

Similarly, if you explicitly grant us additional permissions beyond those in this policy, those permissions apply to your data regardless of this policy.  [GDPR 6(1) (a)]

17.2 YouTube videos and App stores

  • If you click to play any of the YouTube videos on our websites, your browser will connect directly to Google’s YouTube service, and they will probably set cookies and otherwise collect data on your visit.  This is between you and Google, and is beyond our control.
  • If you follow any of our links to online App stores, such as Apple’s App Store or Google’s Play store, you will be connecting directly to those stores and they will probably collect data on your visit.  This is between you and that App store, and is beyond our control.

17.3 Law enforcement

If the applicable authorities make a valid legal request requiring us to reveal some of your data, we may comply with such requests regardless of this policy.  We are not responsible for the actions of Law enforcement agencies and/or their officers [GDPR 6(1) (c)].

17.4 Self-defense and exigent circumstances

If we believe in good faith that you are harming or threatening us or the systems and services we use, including but not limited to unreasonable overloads, sending unsolicited bulk email (“Spam”) etc., we may disregard this policy to investigate and protect ourselves.  The same applies if you appear to be using our systems or services to do so to others [GDPR 6(1) (d) and (f)].

17.5 Non-payment etc.

If you fail to pay our invoices on time or a payment bounces, we may use any information at our disposal to locate you and identify you for debt collecting purposes, regardless of this policy.  The same applies if you attempt to deceive us in any way. [GDPR 6(1) (f)]

17.6 Imposters

If you or a 3rd party pretend to be someone else, we might erroneously act in reliance on the truthfulness of such pretense, thus accessing, using or sharing data in a way that would have been permitted only if the pretense was the truth.  Additionally, we might use any information at our disposal to discover or prevent such a situation, but do not warrant that we will always succeed in doing so.  If we discover that we have actually processed or shared your data with an imposter, or that it has otherwise been compromised, we will attempt to contact the
real you as soon as practically possible [GDPR 34].

17.7 Subcontractors

We may employ subcontractors and processors to work on our behalf, and so may you.  Such subcontractors are allowed to do what their principal may do and each party is responsible for actions legitimately done on their behalf [GDPR 28 et seq].  All processors and sub-processors working for WiseMo are contractually required to only process data as we tell them to (and we are bound by this policy).  Furthermore, any processors and sub-processors working for WiseMo outside the EU (and countries ruled adequate by the EU) are required to sign standard data protection clauses as an appropriate safeguard [GDPR 46(2) (c) or (d)].

17.8 Backups

Our major system and database backups may naturally contain (partial) data that has otherwise been deleted due to being on the same storage or in the same image as non-expired data [GDPR 32(1) (b)].

18. Your general rights

In accordance with the EU GDPR, you have at least the following statutory
rights:

  • You have the right to a copy of the personal data we have on you.  For most such data you can see the data directly in the relevant web interfaces, contact us at info@wisemo.com for copies of other personal data we have on you.
  • You have the right to correct any wrong data we may have on you.  For most such data you can change it yourself in the relevant web interfaces, contact us at info@wisemo.com for corrections to other data.
  • You have the right to have much of your data deleted from our systems.  For most such data you can delete it yourself in the relevant web interfaces, contact us at info@wisemo.com for deletions of other data.
  • In the special cases listed in GDPR article 18 you have the right to demand that we restrict processing of your data without actually deleting it.  Such formal demands shall be sent to both info@wisemo.com and
    abuse@wisemo.com.
  • You have the right to object to our otherwise legal processing of your data, send your objection to info@wisemo.com
  • You have the right to receive your main data in a common format suitable for data interchange and to have us send that data to another company on
    your behalf.  Send such requests to info@wisemo.com
  • You have the right to lodge a formal complaint with the authorities as explained under Disputes
  • You may have additional statutory rights that cannot be waved.

19. Disputes, choice of law etc.

19.1 In case of dispute

If you have any questions regarding this policy or believe someone is not complying with it or otherwise using your information unlawfully, you should contact us at our complaints address abuse@wisemo.com, or contact our CEO directly.  Both you and we shall be prepared to negotiate a reasonable amicable solution and seek to avoid formal legal proceedings.

Additionally, you have the right under the EU GDPR to lodge a formal complaint with the Danish Data Protection Authority (Datatilsynet) at www.datatilsynet.dk or with the data protection supervisory authority in the EU/EEA country where you reside [GDPR 77].

19.2 Choice of law

This policy shall be construed and interpreted according to the laws of the Kingdom of Denmark, except for those rules that would specify a different choice of law and/or venue.  In particular, this policy is subject to the EU GDPR, the additional rules in the various data protection laws of Denmark as well as the statutory and customary limits on financial damages.

19.3 Choice of venue

If a formal legal dispute related to this policy is to be settled by formal mediation or court proceedings, such proceedings shall be brought before the courts or other legal institutions having ordinary geographical jurisdiction over the primary residence or place of business of the party against whom such proceedings are brought.  Unless otherwise agreed, the primary residence or place of business of each party is the one specified in pre-dispute business communication amongst the parties or (at the other party’s choice) the place specified in pertinent official
public records.  This does not apply to formal complaints to the data protection supervisory authorities, where the EU GDPR Chapter VI to VIII determines the choice of venue.

19.4 Attorney’s fees etc.

If a matter is settled without formal legal proceedings, neither party shall be required to pay any attorney’s fees or other case handling fees of the other.  If formal legal proceedings are brought, the prevailing party shall be entitled to payment of actual reasonable attorney’s fees, legal fees, actual court fees etc.

19.5 LIMITATION OF LIABILITY

LIABILITY UNDER THIS POLICY IS LIMITED TO AT MOST 1000 DANISH KRONER UNLESS A HIGHER LIMIT (OR NO LIMIT) IS REQUIRED BY APPLICABLE LAW.  LIABILITY RELATED TO PAID PRODUCTS OR SERVICES IS ALSO LIMITED TO THE PRICE ACTUALLY PAID.  LIABILITY IN THE UNLIKELY EVENT OF ACTUAL DEATH OR ACTUAL BODILY HARM IS ALSO SUBJECT TO THE STATUTORY LIMITS OF DANISH LAW.

20. How to contact us

Should you have other questions or concerns about these privacy policies, please contact us at info@wisemo.com.

21. Changes to this policy

Each non-draft version of this policy shall be identified by a version number and date of publication, both of which shall be increased upon any change.  Changes that entirely benefit you, or merely change our location or contact address take effect immediately upon publication.  Changes that go beyond that take effect 30 days after publication, however new users are subject to the most recently published policy at the time of first use.