Terms of Use and Privacy Policy

This document describes Terms of Use and Privacy Policy for Device Monitor. It constitutes the entire and only agreement between you and Device Monitor. We may amend this document at any time and we will notify you about this by posting an announcement on our website. By accessing or using our website and/or application, you accept and agree to be bound by and abide by these terms and conditions, so please make sure to review them carefully.

This document governs your use of the software application Device Monitor ("Application") for mobile devices that was created by XLAB d.o.o. Device Monitor is part of the network security solution used to analyze network data traffic in order to detect malicious networks (botnets) and malicious software on mobile devices. Device Monitor interacts with the service GCMServer ("Service"), also created by XLAB d.o.o.

By downloading and using the Application, you accept these terms and privacy policy. Please read them carefully. If you wish to stop the collection of Data specified in this Privacy Policy, you can do so by uninstalling the Application. You may use the standard uninstall processes as may be available as part of your mobile device or via the mobile application marketplace.

By using the Application, users monitor their device for malicious activities that may be running in the background without the user being aware of them. The Application monitors connections to external resources and, when it detects a connection to a known malicious end-point, notifies the user and issues a report to the Service. The information gathered is anonymized to a high degree and no other personal data is exposed. See the Data Collected section for more details. Device Monitor also inspects installed applications for known exploits and, if any are detected, reports them to the Service.

Contacting Us

If there are any questions regarding this privacy policy you may contact us using the information below.

Contact: acdc[at]lists.xlab.si

Data Collected

Device Monitor observes behavior of software on your device and detects malicious activity. In order to do this, it has to collect some data from your device and report them to our server. To protect your privacy, the information gathered is anonymized to a high degree. Device Monitor does not collect your name or contact information. Device Monitor periodically reports the IP address of your device. Other data is sent only when abnormal behavior is detected on your device. That data includes:

The data reported to the Service can be later analyzed to find abnormalities in groups of devices. You can see all the data that is shared with the server in the "Event Viewer" section of Device Monitor.

Mode and place of processing the collected Data

Method of processing

The Data Controller processes the Data of Users in a proper manner and shall take appropriate security measures to prevent unauthorized access, disclosure, modification or unauthorized destruction of the Data. Access to the Data may be available to Data Processors such as employees involved with the processing or to external parties (Consortium) providing services to the Data Controller, third party technical service providers, mail carriers, hosting providers, IT companies, communication agencies. For details see section The Consortium.

Place

The Data is processed at the Data Controller headquarters, unless stated otherwise in the rest of this document.

Conservation Time

The Data is kept for the time necessary to provide the service as stated by the purposes outlined in this document, and the User can ask the Data Controller to suspend or remove the data related to the User. In some cases the Data cannot be related to the User (e.g. the IP address has changed or is behind a proxy server).

The use of the collected Data

Detailed information on the processing of Personal Data

Personal Data is collected for the following purposes and using the following services:

Analytics

The Service's component is capable of analysing and correlating the data which has been aggregated during the time of the Application's use. Results of the correlation may be shared with third parties restricted to the Consortium.

Push notifications

This Application may send push notifications to the User using the Google Cloud Messaging mechanism.

Additional information about Data collection and processing

Legal Action

The Data collected may be used for legal purposes by the Data Controller, in Court or in the stages leading to possible legal action arising from improper use of this Application or the related services.

Information not contained in this policy

More details concerning the collection or processing of Personal Data may be requested from the Data Controller at any time at its contact information.

The rights of Users

Users have the right, at any time, to know whether their Personal Data has been stored and can consult the Data Controller to learn about their contents and origin, to verify their accuracy or to ask for them to be supplemented, cancelled, updated or corrected, or for their transformation into anonymous format or to block any data held in violation of the law, as well as to oppose their treatment for any and all legitimate reasons. Requests should be sent to the Data Controller at the contact information set out above.

Changes to this privacy policy

The Data Controller reserves the right to make changes to this privacy policy at any time by giving notice to its Users on this page. If a User objects to any of the changes to the Policy, the User must stop using this Application and can request the Data Controller to erase the Personal Data. Unless stated otherwise, the then-current privacy policy applies to all Personal Data the Data Controller has about Users.

Definitions and legal references

Personal Data (or Data)

Personal Data is any information regarding a natural person, a legal person, an institution or an association, which is, or can be, identified, even indirectly, by reference to any other information, including Internet Protocol Address (IP). We follow the opinion of the Article 29 Working Party which considers that IP addresses shall be treated as personal data in almost all situations.

Usage Data

Information collected automatically from this Application, which can include: the IP addresses of the device utilized by the Users who use this Application, the URI addresses (Uniform Resource Identifier), the time of the request, the method utilized to submit the request to the server, the numerical code indicating the status of the server’s answer (successful outcome, error, etc.), and the operating system utilized by the User and other parameters about the device operating system.

User

The individual using this Application, which must coincide with or be authorized by the Data Subject, to whom the Personal Data refer.

Data Subject

The legal or natural person to whom the Personal Data refers.

Data Processor

The natural person, legal person, public administration or any other body, association or organization authorized by the Data Controller to process the Personal Data in compliance with this privacy policy.

Data Controller (or Application Owner, or Owner)

The natural person, legal person, public administration or any other body, association or organization with the right, also jointly with another Data Controller, to make decisions regarding the purposes, and the methods of processing of Personal Data and the means used, including the security measures concerning the operation and use of this Application. The Data Controller, unless otherwise specified, is the Owner of this Application.

This Application

Device Monitor, the software tool, which is used to collect the User's Data.

The Consortium

The Consortium consists of partners within the EU-funded project Advanced Cyber Defence Center (ACDC). The updated list of members of the Consortium is available here: http://www.acdc-project.eu.

Legal information

This privacy statement has been prepared in fulfillment of the obligations under Art. 10 of EC Directive n. 95/46/EC. To protect the fundamental rights and freedoms of users, especially the right to privacy with respect to the processing of personal data, we declare that we are in compliance with the European Data Protection Directive.

In order to process personal data, the Data Controller must first justify its data processing activities on one of the legal grounds listed in Article 7 of Directive 95/46/EC. By accepting these Terms of Use and Privacy Policy the User gives her consent, therefore we declare we are in compliance with Article 7(a) of Directive 95/46/EC. Moreover, the processing is necessary in order to protect the vital interests of the data subject (protection from botnets).