Dear ToS;DR community,

As I am a new user, this is my occasion to introduce myself. I am a designer and a Ph.D. student researching in the area of user privacy issues in digital services and embedded sensing technologies. Since my research interests cover ToS and privacy policies, I would like to use the ToS;DR platform as a tool to understand privacy issues related to the usage of some 'smart devices' such as the ones listed here <http://enchantedobjects.com/wp-content/uploads/EnchantedObjectsPoster.png>.

My first experiment is with Mimo's Privacy Policy <http://mimobaby.com/legal/#PrivacyPolicy>. In order to better understand the Privacy Policy (PP), I will forward my rating proposals using the new ToS;DR platform's form (when I am able to use it <https://groups.google.com/d/msg/tosdr/t4Rb8pX88rU/1Q5uOFmDbYoJ>). In addition, I have an open question regarding a particular aspect of the PP, for those in the community interested in answering.

I apologize for the length of my email. In order to ease the reading I have put in some descriptors. *The final questions are at the end* (/// questions). Thanks in advance to everyone who will take this into consideration and give their opinion.

/// What is Mimo

Mimo is a cloud-based baby monitor that, in the company's words: “[helps parents to] get real-time audio and insights about [their] baby’s sleep activity, right on [the] smart device, from anywhere in the world”.

/// brief introduction to Mimo's Privacy Policy

It seems that Rest Device Inc., which is the organization owning Mimo, collects 3 principal kinds of user information: (1) *personal information*, (2) *aggregated information* and (3) *profile*, which is a combination of both the information gathered from users and acquired from third parties. Even though the parts of the privacy policy (PP) related to Personal Information are clear and well explained, the PP for 'Profile' looks to be more ambiguous.

(1) *Personal Information* "means information that specifically identifies an individual (such as a name, address, telephone number, mobile number or e-mail address) or other information about that individual that is directly linked to Personal Information." Except for some 'features that give [users] the option to share certain of your information with friends and other third parties, [the service] do not share Personal Information with third parties. Moreover, Personal Information does not include "aggregate" information'.

(2) *Aggregated information* is not linked to Personal Information but can be shared with affiliate organizations and business associates, e.g. 'aggregated demographic information about our user'.

The situation is more complicated for the *Profile* (3). As claimed by the company, it is made by storing 'information that we collect through cookies, log files, clear gifs, and/or third party sources to create a "profile" of your preferences'. Moreover, Profile information is shared with third parties in aggregated form only. Again, at least for the moment Mimo 'does not tie users Personal Information, or purchasing history, to information in the profile, in order to provide tailored promotions' etc., which should mean that Profile and Personal Information are kept separately.

/// the controversial part

The more controversial part came at this point: 'To *enrich our profiles* of individual customers, we tie [information purchased *from third parties*] to the *Personal Information* [that users/individual customers] have provided to us.' For me, such a sentence sounds like a negation of what has been claimed above, when the company said that Profile and Personal Information are not tied together, and now they are.

/// questions

*[1] If that is true it means that Profile is a combination of Personal Information and aggregated data that was not supposed to be linked together (?).*

*[2] Finally, even though Profile is shared with third parties in aggregated form only, does it mean that Rest Device Inc. does not share users' personal data (\*) with third parties?*

I am sorry if I showed some naivety in my explanation and/or if my summary of Mimo's privacy policy is not so clearly explained.

(\*) With 'Personal Data' I am taking into consideration the definition in Article 2 of EU Directive 95/46/EC: Any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
