The BTS (Behind The Screens) of Privacy Policies

Decoding the T&C of Popularly Used Applications

In our previous post, we highlighted how privacy policies are drafted using vague, incomprehensible, and inaccessible language. To put this to the test, we analyzed 12 commonly used applications’ privacy policies using the following criteria:

  • Personal information they collect, and consequently whether you can have that deleted from their platform;
  • Where your data goes, i.e. who else will have access to your data once you share it with an app;
  • Whether your data is validly collected, and adequately safeguarded, i.e. adherence to general data protection principles;
  • Whether the policies are simple enough to read and comprehend.
Here’s what we found:
  • All but one of the applications assumed that a user continuing to access and use their service would mean they are consenting to changes that may have been made to their policy since they began using it.
  • Only five applications explicitly state that they will notify users of changes through their website or email, and only one app (Koo) stated that a user will be required to read and accept changes to the policy to continue their usage.
  • Only 1 policy provided users the option to read it in languages other than English.
  • Take-it-or-leave-it: In all the applications, users do not have a say when it comes to accessing their services; they must either consent to all their policies or deactivate their account and stop using their service.
Navigation
In the process of conducting this exercise, we developed certain metrics to assess the apps, each represented by different icons.
  1. “Where does my data go” explains the different types of entities that your personal data will be shared with by the app you use.
  2. The Data Protection Score categorizes each app into three categories: Low Risk, Medium Risk and High Risk.
    You will see how we determined the score when you click on the icon with a checklist like this:

    Our criteria are based on common data protection principles. If a principle was complied with, you will see that the checkbox has been ticked; if it has been struck out, the policy did not comply with the principle. You’ll see that we’ve left some boxes empty. We have done that where the policy was unclear or we don’t have enough information to determine whether the principle was complied with.

  3. What do these principles mean?
    • Lawfulness, transparency and fairness: Are they doing this in compliance with law? Are they processing data in a manner that isn’t misleading, detrimental or unexpected? Are they clear about how they use your data?
    • Storage limitation: How long do they keep your data, do they mention for what purposes they store it, and why they may need to store it indefinitely (if specified)?
    • Purpose limitation: Do they mention why they need your data, and for what reasons they need the different kinds of your personal data?
    • Data minimisation: Do they collect an adequate amount of personal data that would be relevant for their service? Or do they collect personal data beyond what is necessary for performing their service?
    • Accuracy: Do they mention that they expect users to have provided reasonably accurate personal information, and not provide misleading information? Do they tell you how you can correct it?
    • Integrity and confidentiality: Does the policy say that they implement data security measures to protect and secure your data?
    • Accountability: Do they have policies in place that would explain these principles (terms of use, privacy policy, any other records/measures they mention)?
    • Grievance mechanism: Have they provided details of an officer who would handle concerns? Or is it just the email of the support team?

    How did we score this?

    1 ticked box = 1 point. Empty box/struck out = 0.

  4. Most privacy policies are structured like legal contracts, which are inaccessible and incomprehensible to a common user. It’s important to check if companies have taken any efforts to make their policies easy to read and understand.

    For this, we came up with a Plain Language Readability Rating, which assesses whether the privacy policy contains any tools, resources, materials, or explainers (such as briefs, videos, and interactive media) on their website to simplify the content.

OUR ANALYSIS
  1. Swiggy

    What They Collect From You:

    Necessary and Legitimate Data Collection | Intrusive but has legitimate purpose | Unnecessary, Intrusive Data Collection

    Your name, email address and mobile phone number (to communicate the status of your order, and information about services)

    To understand your behavior on their platform:

    • IP addresses
    • Language preference
    • App crashes
    • Pages viewed and exit websites and applications
    • Operating system
    • Date/time stamp
    • Clickstream data
    • What device you’re using
    • Other websites you visit and services you avail on the internet

    Device information:

    • Hardware models
    • File names and versions
    • Unique device identifiers
    • Mobile network information
    • Installed applications on device
    • Phone state

    Analytics Companies may use mobile device IDs to track your usage of the Swiggy Platform

    What happens if I don’t want this data collected?
    What can I do to erase/delete the information they have of me?
    If you want your data deleted, you can write to the support team at: support@swiggy.in. This may take time, up to five business days, and your personal data will not be used unless they have any legal obligations. This does mean, however, that they may not be able to offer certain services after you withdraw your consent.

    Where does my data go?
    It goes to advertisers, data analytics partners, partner restaurants, merchants, and academic partners.

    Data Protection Score

    What do they access



    Plain Language & Readability
    3.5/5
    The policy is contractual in nature; however, the language is simplified and structured, and navigating to the relevant parts only requires scrolling and identifying the headings. However, some information relating to the collection of data could be communicated more clearly. The policy could be a bit more interactive and visual for a general audience, and flowcharts showing how data is used and distributed would vastly improve its readability.



  2. Practo

    What They Collect From You:

    Necessary and Legitimate Data Collection | Intrusive but has legitimate purpose | Unnecessary, Intrusive Data Collection
    Contact data (such as your email address and phone number); Financial information such as bank accounts, credit and debit card details or other payment instrument details (for payment purposes); Physical, physiological and mental health condition; medical records and history; information received by body corporate under lawful contract or otherwise; Personally identifiable information;
    For registration purposes: date of birth, pin code (i.e. location), age.
    Insurance data (such as your insurance carrier and insurance plan);
    Records of electronic communications and telephone calls received and made for making appointments or other purposes for the purpose of administration of Services, customer support, research and development and for better listing of Practitioners.
    Data regarding your usage of the services and history of the appointments made by or with you through the use of Services;
    Call data records; sexual orientation; gender, passwords, biometric information;
    The URL of websites you visit. Practo also receives the Internet Protocol (IP) address of your computer, email patterns, as well as the name of your ISP (to analyse overall trends, and improve their services)

    What happens if I don’t want this data collected? What can I do to erase/delete the information they have of me?
    You will have to deactivate your account/stop using the services since they have not given you an option to opt out of a part of your data being collected. Their policy states that you should reach out to their customer support to do so; you can write to them at support@practo.com. Limited usage of services is offered to those who have not registered their account.

    Where does my data go?
    Third parties do get access to your data; it has been suggested that data in anonymised form may be shared with advertisers, sponsors, investors, strategic partners and others. Who they specifically are is not mentioned in the policy.

    Data Protection Score

    What do they access



    Plain Language & Readability
    2/5
    The policy reads like a legal contract and, while structured, is not easy to read; it is very textual and requires going back and forth to get a full understanding of what is being done with the data. It could do with far more subheadings and could implement the question-answer format that most website policies have now adopted. Implementing flowcharts and visual graphics would greatly improve a user’s understanding.



  3. PhonePe

    What They Collect From You:

    Necessary and Legitimate Data Collection | Intrusive but has legitimate purpose | Unnecessary, Intrusive Data Collection
    Personal details (i.e. your name, phone number, email ID, contacts), PAN card number, KYC, Aadhaar information, OTP, bank account details, transaction history (payment purposes). Demographic and photo information (Aadhaar number, address, gender, Date of Birth) Financial history (for verifying and authenticating investment transactions), vehicle-related information (for vehicle insurance when opted); SMS stored on your device (for registering the device for payment services, OTPs for logins and payments, enhancing security, recharge reminders and so on). Nominee details; Resume, past employment, educational qualifications (for employment opportunities); Device details such as device identifier, internet bandwidth, mobile device model, browser plugins, cookies, IP Address, location;

    What happens if I don’t want this data collected? What can I do to erase/delete the information they have of me?
    The privacy policy has elaborated on this aspect in detail:
    “You can access and review your Personal Information shared by you by placing a request with us. In addition, you may at any time revoke consent given to us to store your e-KYC information, collected as part of the Aadhaar-based e-KYC process. Upon such revocation, you may lose access to services that were availed on the basis of the consent provided. In some cases, we may continue to retain your information as per the ‘Storage and Retention’ section of this Policy. To raise any of the above requests, you may write to us using the contact information provided under the ‘Contact Us’ section of this Policy. In case you wish to delete your account or Personal Information, please use the ‘Help’ section of the PhonePe Platform. However, retention of your Personal Information will be subject to applicable laws. For the above requests, PhonePe may need to request specific information from you to confirm your identity and ensure authentication. This is a security measure to ensure that Personal Information is not disclosed to any person who does not have a right to receive it or is not incorrectly modified or deleted.”
    Reach out to the company to delete your personal information through the ‘Help’ section on the platform. You have the option to revoke the permission you gave the company to use your e-KYC data, but in doing so you will lose access to the services which are provided on the basis of this information.

    Where does my data go?
    Information may be collected by third parties; we do not know who they are. It is suggested that, in the course of your transactions, it may be shared with business partners, service providers, sellers, logistic partners, merchants, entities, subsidiaries, legally recognized authorities, regulatory bodies, governmental authorities, financial institutions, internal teams such as marketing, security, investigation teams and so on.

    Data Protection Score

    What do they access



    Plain Language & Readability
    5/5
    The policy is easy to read, has interactive navigation, and is structured to make navigation easier. The policy is also available in multiple languages, not just English, which makes it accessible to a wider audience of consumers.



  4. Dream 11

    What They Collect From You:

    Necessary and Legitimate Data Collection | Intrusive but has legitimate purpose | Unnecessary, Intrusive Data Collection
    For availing services: Username, email, date of birth, state, Government ID;
    Sensitive personal information (for the purpose of payment processing): payment instrument/modes used by a user to make such payments, which may include cardholder name, credit/debit card number (in encrypted form) with its expiration date, banking details, wallet details etc; Information in relation to apps installed on the user’s device (policy says it’s to improve user experience and their performance).
    Also records your device-related information, operating system information, network information, location information (the policy says this is to access features, verify identity and keep the account secure).
    PAN Number (purpose not specified)

    What happens if I don’t want this data collected? What can I do to erase/delete the information they have of me?
    “While you have the option not to provide us with certain personal information, withdraw your consent to collect certain information, request temporary suspension of collection of personal information or request deletion of personal information collected, kindly note that in such an event you may not be able to take full advantage of the entire scope of features and services offered to you and we reserve the right not to provide you with our services.”
    You can request that your account and personal information be deleted by sending the company an email at this address: helpdesk@dream11.com. After you have sent them this request, and any clarifications that they request from you (if required) have been addressed, they will respond to such request within one month at the latest.

    Where does my data go?
    Information may be shared with third parties (including their affiliates, group entities) for the purpose of providing services (data analytics, storage, and improving the services), or for legal reasons and security reasons, or for commercial reasons (marketing, promotional activities and related purposes). We are not informed who these third parties are.

    Data Protection Score

    What do they access



    Plain Language & Readability
    3/5
    The policy does have legal contract language in places, but it is structured. It requires additional structuring to make navigation simpler, and it could be made more visual and interactive so the general audience can understand how their information is handled.



  5. Disney Hotstar

    What They Collect From You:

    Necessary and Legitimate Data Collection | Intrusive but has legitimate purpose | Unnecessary, Intrusive Data Collection
    • Name
    • Email Address
    • Phone number
    • Age or date of birth
    • Password
    • Payment and other information pertaining to your transactions on the Disney+ Hotstar Service
    Location, pin code, area code, and occupation as provided by you; Gender; any other information that users may otherwise choose to provide. Other profile information, such as social media account information and profile image; your phone and social network contacts, with your permission (irrespective of permission, remains intrusive and unnecessary); Information pertaining to content viewed on television through a user’s microphone, with their permission. Uses microphone to capture audio samples and creates files of such audio in real time, which are then matched against film/TV content to identify what content you have been exposed to on TV;
    Information pertaining to applications frequently used by a user (with their permission), e.g. if they have sports apps, then they get sports content recommendations
    Platforms you visit, your computer browser information,

    What happens if I don’t want this data collected? What can I do to erase/delete the information they have of me?
    If you do not want your data to be collected, you can withdraw your consent by modifying your preferences on the app, or by sending them a request through an email.
    If at some point you do not want Hotstar to use your information any further, you can request that they erase your personal information and close your account (which results in your subscription being terminated, and you will not get any refunds). For this information to be deleted, contact the company at hello@hotstar.com to delete your account.

    Where does my data go?
    Your data may be shared for promotional purposes. The data is transferred to service providers (marketing, analytics, research, communications, infrastructure, IT services, payment processing), their ‘platform entities’ (i.e. its parent company, subsidiaries, affiliates, group companies) or other third-party recipients in locations around the world. Your data may be obtained from third parties as well, who have not been named.

    Data Protection Score

    What do they access



    Plain Language & Readability
    3/5
    The policy mostly contains legal contract language. It does have a structure and hyperlinks to the relevant sections, so it barely meets the ease of navigation requirement. It could definitely include a lot more visual and graphic elements, and the UI could be improved upon such that the general audiences’ attention is not reduced; at present parts of information are likely to be skimmed over. It could be simplified significantly.



  6. Flipkart

    What They Collect From You:

    Necessary and Legitimate Data Collection | Intrusive but has legitimate purpose | Unnecessary, Intrusive Data Collection
    Email address, phone number, credit/debit card, payment instrument details; GST, PAN and KYC information: (i) To check eligibility for certain products and services including but not limited to credit and payment products (ii) For the purpose of enhancing experience on the platform. URLs visited before or after using Flipkart, computer browsing information and IP address; gender, zip code, lifestyle information, demographic and work details; contacts in your directory, camera, photo gallery and device information, SMS, instant messages (if you consent to do so, exact purpose not mentioned);

    What happens if I don’t want this data collected? What can I do to erase/delete the information they have of me?
    You can delete non-mandatory information on their website (in the Profile and Settings sections), and also contact the company for the same if you require assistance with such requests. The contact information posted on their site at present is:

    1. https://www.flipkart.com/helpcentre
    2. The Grievance Officer: Mr. Shremanth M. Designation: Senior Manager (Flipkart Internet Pvt Ltd). Embassy tech village, 8th floor Block ‘B’ Devarabeesanahalli Village, Varthur Hobli, Bengaluru East Taluk, Bengaluru District, Karnataka, India, 560103. Email: privacy.grievance@flipkart.com | Time: Mon – Sat (9:00 – 18:00)

    While you do have an option to withdraw your consent with respect to information you have already provided, it is important to note that this withdrawal is not retroactive, and will be in accordance with the terms of this Privacy Policy, related Terms of Use and applicable laws. When you withdraw your consent, it will affect your access to the application, or restrict the services available to you.

    Where does my data go?
    Advertising companies, websites linked to Flipkart (their group companies, affiliates, related companies), and other companies (including credit bureaus for providing products and services such as loans; sellers; business partners), if required.

    Data Protection Score

    What do they access



    Plain Language & Readability
    2.5/5
    The policy contains a lot of legal contract language. It has a basic structure but requires further simplification, such as a contents section to help a user navigate through the policy. Infographics would help a user understand the flow of personal data better.



  7. Woo

    What They Collect From You:

    Necessary and Legitimate Data Collection | Intrusive but has legitimate purpose | Unnecessary, Intrusive Data Collection
    Mobile device information: geographic location (automatically collected). (Required for registration) Facebook account information- includes information about other Facebook friends who might be mutual friends with other Woo users; type of mobile device (automatically done);
    Obtains Facebook profile information (name and photo) of user as well as user’s friends.

    What happens if I don’t want this data collected? What can I do to erase/delete the information they have of me?
    The policy is not clear on the process for this. You will likely have to delete your account. They will retain that information for a period of three months, post which the data will be deleted or anonymised.

    Where does my data go?
    To payment processors; it may also be shared with third parties, but there is no information about who they are in the policy.

    Data Protection Score

    What do they access



    Plain Language & Readability
    3/5
    The policy is structured, short, and concise. The language is not convoluted, but could be drafted better; there are places where the policy requires additional subheadings to make the information more apparent to a reader.



  8. DocScanner

    What They Collect From You:

    Necessary and Legitimate Data Collection | Intrusive but has legitimate purpose | Unnecessary, Intrusive Data Collection
    Log data (in case of errors in app functioning)- IP address, device name, OS version, time and date of use of the service; camera, read and write external storage for images; Number of clicks on the app feature, Google Advertising ID (to provide personalised ads, and prevent inappropriate advertisement content).

    What happens if I don’t want this data collected? What can I do to erase/delete the information they have of me?
    This policy does not inform us how you can go about this. They do not have any procedure that would allow you to request the company to delete/erase your data or to withdraw your consent to such data collection.

    Where does my data go?
    It may go to third parties who may use it to identify you; the policy lists the following third-party service providers who may collect information to identify you:

    • Google Play Services
    • AdMob
    • Google Analytics for Firebase
    • Firebase Crashlytics
    • Facebook Ads
    • Fabric

    Data Protection Score

    What do they access







    Plain Language & Readability
    2/5
    The language is simple and the policy is structured enough, but improvements could be made to the structure to implement more navigation features (content section, infographics, accessibility features). It is, however, missing storage retention clauses and detail on what personally identifiable information will be taken.



  9. Urban Company

    What They Collect From You:

    Necessary and Legitimate Data Collection | Intrusive but has legitimate purpose | Unnecessary, Intrusive Data Collection
    Contact data (address, location, email address, mobile numbers); Name, username;
    Credit/debit card/UPI details for payment processing;
    Photographs; demographic data; Gender;
    Marketing data (offers, wants, feedback, comments, chatbox discussion);
    Frequency of usage of the platform; booking history, user taps and clicks, time spent on the app (usage purpose)
    Location data;
    Device data: IP addresses, browser type, ISP information, OS information, page views, web/mobile activity, date and time stamps;

    What happens if I don’t want this data collected? What can I do to erase/delete the information they have of me?
    If you do not wish to share certain information which is required as per law/ the company’s terms of use, your access and usage of the services will be limited or cancelled.
    You can delete your account as well as personal data that has been stored by the company by sending an email to privacy@urbancompany.com. It can take up to 7 working days for this request to be processed. Once such deletion takes place, you lose access to their services as well.

    Where does my data go?
    Data may be shared with third parties for service professionals, analytics service providers, registered users, or if required by law, to regulators and other bodies.

    Data Protection Score

    What do they access



    Plain Language & Readability
    5/5
    The policy is well structured and the language is plain English with minimal legal jargon. It would benefit users to include more infographics and visual features to simplify the flow of data for a general audience.



  10. Koo

    What They Collect From You:

    Necessary and Legitimate Data Collection | Intrusive but has legitimate purpose | Unnecessary, Intrusive Data Collection
    Mobile numbers, email address, username, profile photo
    (If provided by user) location, gender, professional details, relationship status, banking information.
    Government ID for verification of profiles; server logs, IP address, URL information, device information

    What happens if I don’t want this data collected? What can I do to erase/delete the information they have of me?
    They will delete your data whenever you request them to do so. By providing limited information, or opting out of their services or choosing not to disclose certain information, you may have limited access to the services, and certain services may be disabled.

    Where does my data go?
    To third parties providing infrastructure support services, to perform analytics and research and so on. It has been suggested in the policy that this may include Facebook, Twitter, Instagram, UPI, Google, Gpay etc.

    Data Protection Score

    What do they access



    Plain Language & Readability
    4/5
    The policy is well structured, drafted in plain English, and navigating through the policy is intuitive. Inclusion of infographics or flow charts would help simplify the flow of personal data for a user perusing the policy.



  11. Rail Yatri

    What They Collect From You:

    Necessary and Legitimate Data Collection | Intrusive but has legitimate purpose | Unnecessary, Intrusive Data Collection
    Email address, phone numbers, SMS and message logs,
    Network type;
    Device information (for accessing the site): URL, destination URL, your operating system, device, browser information, and your IP address.
    Device make, operator name (to optimise features for a user’s device); OS version (to optimise features relevant to that version);
    Location and city;
    If a user chooses to transact on their application: Transaction behavior (your mobile number, billing address, a credit / debit card number and a credit / debit card expiration date and/ or other payment instrument details)
    Government ID for verification of profiles; server logs, IP address, URL information, device information

    What happens if I don’t want this data collected? What can I do to erase/delete the information they have of me?
    The policy on the website of this application does not specify any process by which you can delete/erase your information, or withdraw your consent with respect to the collection of your personal information.

    Where does my data go?
    May be shared with third parties for advertising purposes, and with affiliates, but specifies that personally identifiable information will not be shared.

    Data Protection Score

    What do they access



    Plain Language & Readability
    4/5
    The policy does have legal contract language which can be further simplified. It could also be made more visual and interactive so the general audience can understand the flow of their data while using the app.



  12. Threads, an Instagram app:

    What They Collect From You:

    Necessary and Legitimate Data Collection | Intrusive but has legitimate purpose | Unnecessary, Intrusive Data Collection
    Email address, name, phone number (for signing up) content you create, data from your camera and voice; messages you send and receive; your friends, followers, and other pages and communities you interact with; the apps you use, and what you do on them; information about your contacts if you sync your address book; device information: the type of device, details about its operating system, details about its hardware and software, brand and model, battery level, signal strength, available storage, browser type, app and file names, and types, plugins; location information; demographic information; your purchase information

    What happens if I don’t want this data collected? What can I do to erase/delete the information they have of me?
    You will need to delete information through your Instagram account and the Instagram app’s help centre. If you want, you can deactivate your Threads account at any time, but to delete your Threads account, you need to delete your Instagram account as well.

    Where does my data go?
    The Threads app is integrated with third party services, which means they get access to your information. Advertising, marketing and analytics are some of these services.

    Data Protection Score

    What do they access



    Plain Language & Readability
    4/5
    At this time, the policy is the same as Instagram’s privacy policy, with additional terms in a separate page (applicable to the Threads app). The policy is easy to read, navigate, and understand, and even includes infographics and videos. However, navigating to the separate policy specifically for Threads is difficult, and the app store link does not, at the time of writing this, link to that policy. It links to the main Instagram policies page, with no navigation option to direct a user to it.


