Welcome to SMELLiT! We are committed to protecting and respecting your privacy. This privacy and data protection policy and notice explains how we collect, use and share your personal information when you use the SMELLiT mobile application (the “App” or “SMELLiT”) or participate in follow-up activities related to the olfactory experiment carried out through the App (the “Experiment”).
- Who Are We?
This policy is issued on behalf of D2Smell, a company registered in Israel at Weizmann Institute of Science, Rehovot (“D2Smell”), as well as on behalf of D2Smell’s overseas research partners/beneficiaries (together: “We” or “Us”). Our research partners/beneficiaries include:
- KUNGLIGA TEKNISKA HÖGSKOLAN (KTH), Brinellvägen 8, 114 28 STOCKHOLM, Sweden.
- MAX-PLANCK-GESELLSCHAFT ZUR FÖRDERUNG DER WISSENSCHAFTEN EV (MPG), Hahn-Meitner-Weg 1, 55128 Mainz, Germany.
- KAROLINSKA INSTITUTET (KI), Solnavägen 1, 171 77 Solna, Sweden.
We jointly determine the purposes and means of processing your personal data, and are considered “Joint Controllers” under GDPR and other applicable laws.
- Which Information Do We Collect?
We collect the following information about you:
2.1 Information You Provide:
- Registration Details: when you create an account, we collect your phone number, email address, age and sex;
- Location Data: If you enable the sharing of this data, we collect your general location when using the App (stored at city level);
- Demographics: gender and age;
- Olfactory Data: your answers to smell and environment related pop-up questions and associated environment images, as shared by you within the App. Please note that as described in our Terms and Conditions, such data, whether in text or image, should not include information that may be linked to specific individuals;
- Technical Support Data: any data you provide us in order to receive technical support.
2.2 Information We Collect Automatically:
- Usage Data: analytics information about your interactions with the App;
- Device Information: Information about the device you use to access the App, including IP address, operating system, and mobile network information.
- How Do We Use Your Information?
The aim of the Experiment and data collected via the App is to conduct scientific research regarding olfaction. The goal is to get a deeper understanding of what, when, and how much the human olfactory system is exposed to in natural conditions. This is a part of a long-standing broader olfaction research initiative, funded by a synergy grant.
We will use your data in particular as described below:
- Your email address will be used to send you compensation gift card information following the Experiment.
- Your phone number will be used to authenticate your identity when registering and using the App.
- Olfaction Data, Demographics, Location Data and Survey Data (together: “Research Data”) will be used for the purposes of olfaction scientific research, and stored under internal IDs, separately from any identifying information. This data will be analyzed statistically to characterize how many odorants people typically smell, what these odorants are, when and where they are typically experienced, and what the variability in these measures is. We will also break the data down by sex, by age, and by environment, as permitted by the data.
- Fully anonymized Research Data and aggregated statistical data based on Research Data will be uploaded to a public olfactory research database for the benefit of the scientific community. You will not be identifiable in any way from the data on this public database;
- Usage Data and Device Information will be used to operate, maintain, ensure the security of, and improve the App, as well as to send you push notifications to remind you to use the App.
- What Is the Legal Basis for Processing Your Information?
- Contract (Article 6(1)(b) GDPR): The processing of your personal data (such as registration information) is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into such a contract.
- Scientific Research (Article 9(2)(j) GDPR): We process Research Data based on our legitimate interest in conducting scientific research, including any processing of special categories of personal data that may be involved, subject to appropriate safeguards.
- Legitimate Interest (Article 6(1)(f) GDPR): We process usage data and device information based on our legitimate interest to operate, maintain, and improve the App, and to ensure its security. This includes understanding how our App is used, enhancing user experience, and ensuring the App’s performance and security.
- How Long Do We Keep Your Information?
We will retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal or reporting requirements. Generally, your identifying data (phone number and e-mail address) will be retained only for the duration of the Experiment. Research Data will be retained for 10 years after the research termination. However, after deletion of your identifying data, we will not be able to identify you from Research Data. Anonymized data uploaded to the public olfactory research database will be retained indefinitely.
Please note that any payment details you supply to our third-party payment service providers are subject to such service providers’ independent privacy policy and retention practices.
- Sharing Your Data
We share personal data with:
Joint Controllers: We’ll share your data between the Joint Controllers described above (see Section 1 above, under “Who Are We?”), in order to conduct scientific research. Only limited research staff within D2Smell will have short-term access to your identifying data. Research Data will be shared with the other Joint Controllers without including any identifying data.
Third Parties. We transfer personal data to service providers who provide services on our behalf, such as hosting, mobile application analytics and payment services. We may also share data with the applicable App Stores (e.g. Apple Store and Google Store) for the purposes of App distribution, analytics and compliance with their policies.
We periodically add and remove third party service providers. At present, the main third-party providers to whom we transfer, or plan to transfer, personal data are as listed below:
- GoGift (please note that GoGift is an independent data controller of your payment information. Please refer to their Privacy Policy);
- Appwrite;
- Sentry;
- Firebase.
In addition, we will disclose your personal data to third parties if some or all of our companies or assets are acquired by a third party including by way of a merger, share acquisition, asset purchase or any similar transaction, in which case personal data will be one of the transferred assets. Likewise, we transfer personal data to third parties if we are under an obligation to disclose or share it in order to comply with any legal or audit or compliance obligation, in the course of any legal or regulatory proceeding or investigation, or in order to enforce or apply our terms and other agreements with you or with a third party; or to assert or protect the rights, property, or safety of SMELLiT and its research partners, our users or others.
For avoidance of doubt, we may transfer and disclose non-personal data to third parties at our own discretion.
- International Data Transfers (applicable to EU/UK users)
We are based in the EEA and Israel, a jurisdiction recognized as adequate by the EU and UK. Your identifying data will also be hosted only within the EEA. However, some of our service providers are located at destinations outside the EEA and UK that may not be subject to equivalent personal data protection laws to those of the EEA or UK (currently, the U.S.). In such cases, we will take all reasonable steps to ensure that your personal data is subject to appropriate safeguards, such as Standard Contractual Clauses where applicable, and that it is treated securely and in accordance with this privacy policy. For more information, please use the details provided below (“Contact Us”).
- Storage and Security
We take great care in implementing, enforcing and maintaining the security of the personal data we process. We implement, enforce and maintain security measures, technologies and policies to prevent the unauthorized or accidental access to or destruction, loss, modification, use or disclosure of personal data. We likewise take steps to monitor compliance of such policies on an ongoing basis. We further ensure our service providers are committed to maintaining the same level of protection. Note however, that no data security measures are perfect or impenetrable, and we cannot guarantee that unauthorized access, leaks, viruses and other data security breaches will never occur.
We limit access to personal data to those of our personnel who: (i) require access in order for us to fulfil our obligations, including also under our agreements, and as described in this privacy policy, (ii) have been appropriately and periodically trained with respect to the requirements applicable to the processing, care and handling of the personal data, and (iii) are under confidentiality obligations as may be required under applicable law.
We will act in accordance with our policies and with applicable law to promptly notify the relevant authorities and data subjects in the event that personal data processed by the App is lost, stolen, or subject to unauthorized access to it. We shall promptly take reasonable remedial measures to address and mitigate any such incidents.
- Your Rights
Depending on the law that applies to your personal data, you may have various data subject rights, such as rights to access, erase, and correct personal data, and information rights. We will respect any lawful request to exercise those rights.
If you are located in certain jurisdictions, such as in the EU, UK, Israel and certain US states, you have rights under local laws in certain circumstances and with certain exceptions, including, depending on your jurisdiction, all/some of the following rights:
- Access: the right to access the personal data we hold about you, know how we use it, and who we share it with.
- Portability: the right to receive a copy of the personal data we hold about you and to request that we transfer it to a third party.
- Correction: the right to correct any of the personal data we hold that is inaccurate.
- Erasure: the right to delete the personal data we hold about you.
- Restriction of processing to storage only: the right to require us to stop processing the personal data we hold about you.
- Objection: the right to object to our processing of your personal data.
- Withdrawal of consent: Where we rely on consent to process your personal data, you have the right to withdraw this consent at any time.
- Objection to processing based on our legitimate interests: Where we rely on legitimate interest to process your personal data, you have the right to object, on grounds relating to your particular situation, to such data processing, in which case we will assess your claims in accordance with applicable laws.
It is clarified, for the removal of doubt, that your rights cannot be exercised in a manner inconsistent with the rights of our employees and staff, with our proprietary rights, and third-party rights. In addition, these rights may not be exercisable where they relate to data that is not in a structured form, or where other exemptions apply. Also, please note that personal data that already forms part of the scientific research may not be modified or deleted.
If you wish to exercise your data subject rights, you may do so by contacting D2Smell at support@D2Smell.org or by contacting any of the Joint Controllers of your personal data (see above under “Who Are We?”). Note that we may have to undertake a process to verify your identity. We may keep details of such rights exercised for our own compliance and audit requirements. Please note that your data may be either deleted or retained in an aggregated or fully anonymized manner.
Data subjects in the EU, UK and other jurisdictions have the right to lodge a complaint with a data protection supervisory authority in the place of their habitual residence. If the supervisory authority fails to deal with a complaint, you may have the right to an effective judicial remedy.
8. Minors
In accordance with our Terms and Conditions, the App is strictly limited to users who are at least 18 years old. We do not knowingly collect or solicit information or data from or about children under the age of 18, or knowingly allow children under the age of 18 to register to or use the App.
If you are under 18, do not register or attempt to register for the App or send any information about yourself to us. If we learn that we have collected or have been sent personal data from a child under the age of 18 without appropriate permissions, we will delete that personal data as soon as reasonably practicable without any liability. If you believe that we might have collected or been sent information from a person under the age of 18, please contact us at: support@D2Smell.org as soon as possible.
9. Changes to This Privacy Policy
We may change this policy from time to time. Any changes will be posted within the App, and where appropriate, notified to you by email. Please review this policy periodically for any updates.
10. Contact Us
If you have any questions about this policy or data practices, or wish to exercise your data subject rights, you may contact our data protection officer at support@D2Smell.org or by mail to Weizmann Institute of Science, Hertzel 234, mailbox 26, Rehovot, postcode 7610001, Israel.
This privacy policy was last updated on: June 13, 2024