GameBus Privacy Policy

Version 2.2 (October 6th, 2019)

Personal Data Controller

Company name: Eindhoven University of Technology

Corporate identity no: 51278871

Address: Groene Loper 3, 5612AE Eindhoven, The Netherlands

E-mail: support@gamebus.eu

Data Protection Officer

Annuska van den Eijnden (dataprotectionofficer@tue.nl).

1. Purpose of the Data Collection

GameBus is a digital platform that encourages and rewards families and friends to stay active socially, mentally and physically in a personalized gaming experience. The platform collects your data to track your progress towards your desirable lifestyle (changes) and to reward you with points that are the basis of a social-ranking system. Furthermore, it leverages your data to apply other behavior change techniques that are constantly evolving by following the scientific state-of-the-art. Finally, GameBus data is used for scientifically advancing the state-of-the-art in the fields of information systems, persuasion strategies and e-Health.

2. Personal data collected by GameBus

To provide you the best service possible, GameBus collects a variety of personal data from you. The types of personal data and their intended uses are listed:

2.1 Personal information for creating account and communication

When registering a GameBus user account, the following personal information is collected:

  • E-mail address,
  • Password,
  • First name surname.

Remarks about these data types:

  • When supplying an invalid e-mail address, your account will be suspended after a few weeks. E-mail is also the main channel of communication between you and GameBus, for example, to send you links to recover your password.
  • We strongly encourage GameBus users to use a unique password for each online service they use. Furthermore, we recommend using a password manager to help users in generating strong passwords without making it complicated to memorize them.
  • We do not force our users to use their real name. However, GameBus users can only find each other well using name search functionalities when names are used that are known to other users.

2.2 Behavioral and health data that are essential to the services

As part of the service, you are continuously requested to provide GameBus with personal data regarding your compliance (or the lack of compliance) to various behavioral goals, such as following a specific diet or taking a walk to a location nearby. This type of information is part of the core mechanism of gamification in GameBus. Note that the specific behaviors you performed are only known to GameBus, but (by default) NOT to other users. Different types of goals and behaviors are transformed to points at an abstract level, so that users can only see your overall compliance rates, e.g., in a social challenge. Users who join a GameBus challenge together (via groups/teams, called “circles” in the following) can see when their circle peers have scored points, along with the name of the game rule associated with those points.

Besides specific behaviors (e.g., walking to a particular location), some goals in GameBus may concern more general goals of improving health status, e.g., to lose a certain amount of weight in a month. Furthermore, GameBus may prompt its users to provide additional self-reported data related to self-esteem, self-regulation and general wellbeing. All such data is handled in the same way as the behavioral data. 

It is the responsibility of each GameBus user to be aware of which circles are in which GameBus challenges, and which circle members can therefore see information related to the points scored for such challenges.

2.3 Images

Specific challenges can involve sharing uploaded images with the challenge sponsor or with the general public. In such cases, the challenge description will clarify that and when joining such a challenge, users explicitly provide their consent. The primary purpose of sharing pictures is to facilitate the promotion of GameBus in order to stimulate its uptake. Users can also upload a GameBus profile picture and an administrator of a GameBus circles (called a “team leader” in the following) can upload a picture for the circle they manage. Images uploaded for user profiles or for circle profiles are visible to the general public.

2.4 Message data

As a social gamification system, GameBus also allows you to send messages to and receive messages from other users. These conversation data are thus collected and stored on the GameBus servers. GameBus personnel adheres to a policy of not checking individual messages. However, all GameBus data, including any type of message is input to research efforts aimed at understanding which user characteristics influence user engagement and health related behaviors. In any case, message data will not be shared to researchers outside the GameBus core research team.

2.5 Third-party personal data

When connecting a third-party data provider (like Google Fit, or Strava, see below), or when enabling location tracking capabilities (within the Android/iOS version of GameBus), data will be collected via a Dutch third-party system named Actev (https://actev.app/ & https://actev.app/policy).

Actev will temporarily store your activity data only (not your email and/or name) in order to merge low-level data into more meaningful timeline views. Actev stores all such data exclusively on servers in European data centers. GameBus-based activity data will be removed from Actev servers within one year.

Through Actev, GameBus enables you to pull in your data from third-party applications, such as:

The specific type of data that is transferred from these third-party applications to GameBus is shown within the GameBus and the third-party application, on the screens to establish the data integration. This involves, but is not limited to, data that is tracked automatically (e.g., on automatically recorded walks, runs, bike-rides, sleep episodes, etc.).

GameBus users who use such third-party applications agree to the individual terms of use and privacy statements available from the providers of those applications (always including Actev). They also opt-in for data exchange explicitly, giving specific consent to data being shared from the third-party applications to GameBus. Once inside GameBus, the data copies are subject to the GameBus policies. Data within the third-party applications remains subject to their original policies and they are outside the control of GameBus. Specifically, the processes to have data removed from GameBus or the third-party platforms are fully disconnected.

2.6 Usage data

These are data automatically collected by GameBus when you connect your device (usually called `Usage data’). This Usage data (e.g. your IP Address for example) collected through these automatic tracking processes are anonymous and are used in order to improve the Application’s quality only. In addition, they could be used for research and scientific publication purposes. For example, in the EUSFLAT 2019 publication entitled “Application of fuzzy modelling to learn personal preferences of mHealth users: a case study”, GameBus researchers have analyzed the relationship between page visits in GameBus and user personality types. The purpose of that study was consistent with the GameBus mission, by aiming to develop more effective health promotion support via personalization.

Please note that the Application will not implement or allow third-party companies to implement automatic tracking processes (cookie or web beacon) for other purposes than those explained in this Privacy Policy, without your prior consent.

2.7 Cookies

Cookies are small text files that are created by the websites you visit and may contain information about you as a visitor. These text files are stored on your computer and they often make later visits to the same websites more convenient, for example, by remembering your username and password for you automatically. The GameBus website uses cookies for improving the user experience and for targeting marketing campaigns and offers to our users. Both session cookies (which expire once you close your web browser) and persistent cookies (which stay on your device for a set period of time or until you delete them) are used.

When you visit the GameBus website using a computer/phone or a web browser for the first time, a pop-up screen will instruct you to read the information about cookies and to choose to accept or reject the use of cookies. You can also modify your choice later by changing the relevant settings of your web browser. You can delete the cookies that have been stored on your computer in the past. In case you choose not to accept cookies, the GameBus website is still usable, but the functionality may be compromised.

3. Consent and legal ground

The legal ground for all data collection by GameBus is that its users opt in and give informed consent explicitly. Furthermore, all GameBus users can opt-out at any time.

4. Data storage and sharing

All personal data are stored at the GameBus server, which is within the European Union. Anonymous data derived from the personal data are shared to the following parties for the purposes of either supporting the operations of GameBus or for scientific research and publications:

4.1 GameBus affiliated research teams

The GameBus core team consists of less than five researchers within Eindhoven University of Technology. However, this team collaborates with national and international peers in order to optimize behavior change methods for health and wellbeing. Before sharing anonymized data openly to the international research community at large, it may be shared with members of smaller consortia. Such members then help in identifying and remedying potential threats to re-identification. See https://www.healthgoal.eu/?page_id=5 for a specific such smaller consortium and https://blog.gamebus.eu/?page_id=1066 for a more complete overview.

4.2 Third-parties within EU

GameBus services are executed on private virtual servers owned by Host Europe GmbH in Germany. Eindhoven University of Technology has a separate data processor agreement with that company in order to safeguard that no employee nor subcontractor of Host Europe ever accesses GameBus data without explicit instruction by the GameBus core team.

4.3 Third-parties outside EU

Encrypted data backups may be stored on cloud infrastructure outside the European Union, on user accounts held exclusively by the GameBus core team. In such cases, decryption keys are managed carefully on other infrastructure.

5. Retention of data

GameBus data is preserved until the GameBus user who has generated it, requests to have it removed. This is critical for the GameBus user experience since the aim of GameBus is to leverage a user’s longitudinal data set to persuade this user to healthier behavior, or otherwise preserve already good health habits. By preserving original data, we ensure specifically that we can apply newly emerging scientific data analysis methods also on older data. If we would only preserve models of data (rather than original data) then we could not optimally support scientific progress and validation.

6. Security

GameBus holds the security and integrity of your personal data with high regard. In a general way, we commit to carry out technical and organizational means to protect all personal data against illegal or fortuitous destruction, fortuitous loss, alteration, diffusion or unauthorized access. Nevertheless, we shall be required to divulgate any information regarding the user to comply with any applicable law or rules, or to respond to any administrative or judiciary order.

Despite these means, personal data collected by digital systems cannot be 100% secure, and there is always a risk of data loss or unauthorized access to your personal data. You assume this risk when you register as a GameBus user. On the user’s side, we highly recommend you use a strong password to your GameBus account, and to keep the password in a safe place. You are also advised to restrain access to your browsers, computers, and phones. In particular, we strongly discourage users to use GameBus on devices they cannot control fully (e.g., public computers, shared tablets, …).

7. Children

Children under the age of 13 are by default not allowed to submit any personal data through GameBus. We urge parents and legal guardians to monitor their children’s uses of smartphones and to instruct them not to provide any personal data through GameBus without their permission. If you notice that a child under thirteen has submitted personal data to GameBus, please contact us at support@gamebus.eu. Special-purpose data management measures may be foreseen for specific studies involving younger children. Children and parents/guardians should then have given their explicit additional consent for such studies.

8. Your rights as a data subject

8.1 Opposition

According to the EU General Data Protection Regulation (GDPR), you as a data subject are the owner of your personal data. Therefore, you have the rights to oppose the collection of any type of personal data by GameBus. Opposing certain types of data collection will negatively influence the services provided to you. For example, opposing the collection of personal information for creating account and communication would imply that you cannot create an account and thus decline to be a GameBus user. Also, if you supply an invalid e-mail address, you will not be able to restore your password in case you forget it.

The GameBus services are designed to motivate you to achieve your lifestyle goals, so as a result you are encouraged to provide as much as behavioral and health data as possible. However, how often you provide such data, and what specific goal-related behaviors or health information you are willing to provide are completely up to you.

There are some types of data collected that can be opposed but the oppositions have negligible influences on the services. The Service Provider may collect and process geolocation data when using the Application with your Mobile phone. You are informed that you can disable the geolocalisation system in the settings of your mobile device. Other automatic tracking features of third-party applications are disabled by default and can be (de-)activated from the profile settings page in GameBus.

8.2 Access

In accordance with relevant regulations, you have the right to access the personal data you provided to GameBus, provided that your request does not infringe the rights and freedoms of others. If you wish to receive your personal data submitted to GameBus, please contact us at support@gamebus.eu.

8.3 Rectification and deletion

For the data already provided, you have the right to request rectification or deletion of these data processed by GameBus. Note that if a rectification or deletion request involves data that are necessary for the functionality of the GameBus services, such requests imply the invalidation of your account and the termination of you being a user of GameBus.

If you wish to exercise this right, please first use the designated app functionalities:

  • Data of individual health activities can be deleted from within the app by (1) clicking the activity details in the app’s Activities section, (2) clicking “Delete Activity” (or the translated variant of that button).
  • Your user account can be de-activated completely by (1) navigating to the profile page in GameBus, clicking “Remove Account” (or the translated variant of that button).

In case you have further requests then please contact us at support@gamebus.eu. An application shall be made in writing and must be signed by you. Alternatively, you can also erase your personal data by deleting your GameBus account.

Note that in case you aim to continue using GameBus yet want to opt out of a specific GameBus based study, then you should follow the procedures detailed in the corresponding extended policy related to that study (see https://blog.gamebus.eu/?page_id=1066).

9. E-Mail and Push Notification Policy

We will communicate with you via e-mails and notifications sent from the GameBus application. For some e-mails, we use a transactional e-mail platform such as MailChimp. In such cases, you can unsubscribe from future e-mails by leveraging the opt-out functionalities of these platforms. If you do not wish to receive notifications on your mobile device, you can turn it off by not allowing notifications from GameBus in the settings of your device. You can also use our built-in app functionality to disable notifications (in the profile settings section of the app).

10. Complaints

If you have any complains about how your personal data are processed by GameBus, you can do so by contacting us at support@gamebus.eu or dataprotectionofficer@tue.nl. You also have the right to issue a complaint through a supervisory authority such as the Dutch AP.

11. Updates of the Policy

When necessary, changes can be made to this Privacy Policy. Therefore, we reserve the right to modify this Privacy Policy at any time by noticing you the updates. Please check the latest version of this Privacy Policy on https://blog.gamebus.eu/?page_id=1066. Sometimes when major changes are made, you will be prompted to review the updated Privacy Policy when you open the GameBus application, and only after your acceptance of the updated version, you are allowed to continue using the services. The version number and the date of the latest update can be found at the top of this Privacy Policy.

12. Contact

Any questions or suggestions regarding our Privacy Policy can be sent to support@gamebus.eu. Please note that if you unsubscribe from the GameBus mailing list you will still be receiving answers to your questions sent to our support e-mail account(s) but you will no longer be receiving promotional e-mails.