1. What is this document about?

 

This agreement is a binding legal contract between you and Universitat Politècnica Catalunya (UPC). UPC hereby grants you a free of charge, non-exclusive, time-limited, non-transferable, non-sub-licensable, revocable license to use the CO-APS application for non-commercial purposes, subject to these Terms. As required by the General Data Protection Regulation, this agreement contains a privacy policy governing the personal data being processed by the CO-APS app.

You may not use the CO-APS application without agreeing to this agreement: we provide our services only on those terms that users must read and accept fully.

 

2. Purpose of the Co-APS App

 

The CO-APS application is being developed and tested in the context of a European Research Project entitled “Crowdsourced Obtention and Analytics of Data About the Crowding of Public Spaces for the Benefit of Public Transport and Mobility in Cities”. This Project has received funding from the European Institute of Innovation and Technology (EIT), a body of the European Union, under the Horizon 2020, the EU Framework Programme for Research and Innovation, under contract No 20212.

The general goal of the CO-APS project is to fight against the spread of the COVID-19 by providing public transport operators and city authorities with insightful aggregated information needed to limit crowds in public transport and public spaces. Such statistical information is meant to help these stakeholders to enhance different aspects of mobility such as managing the number of passengers in public transport and hubs, promoting spatial distancing and avoiding overcrowding in pedestrian areas or public spaces. In order to achieve that purpose, the Co-APS application estimates the number of people in public spaces to infer the flow of people at specific moments by the means of a participatory approach. This participatory approach is based on “challenges” (questions to travelers about their subjective perceptions of crowdedness at specific times and places). The Co-APS application shows travelers several pictures illustrating crowdy situations and ask them to choose the one which is perceived to be the closest to their perceived reality. On the basis of the quality of their answers, participants earn points which can be exchanged against rewards (such as a public transport ticket or a gift card).

As the CO-APS application is part of a research project, its purpose is also to conduct usability tests as well as pilots to evaluate some statistical models and embedded features (such as the Rewards Platform).

 

3. Using the Co-APS App

 

The CO-APS application is intended for use by users who are 18 years of age or older. If you are under 18, you may not download or use the CO-APS application. Accounts of users under the age of 18 years will be canceled and deleted by UPC, upon receiving notice.

You may use the CO-APS application solely for private and personal purposes. You may not use it commercially. For example, you may not: (i) offer to third parties a service of your own that uses the CO-APS application; (ii) resell the CO-APS application; (iii) offer to rent or lease the CO-APS application; or (iv) offer the CO-APS application to the public via communication or integrate it within a service of your own, without the prior written consent of UPC. For clarity, the examples listed are made for illustrative purposes only; they do not constitute an exhaustive list of restricted activities involving the CO-APS application.

If we discover that you are not a legitimate user of the CO-APS app, we will terminate this agreement immediately as well as any personal data me might have collected about you in the meantime.

To access this service, you have to create an account. Each user login credentials is individual to that user and cannot be used by anyone else.

 

4. Limitation of liability and warranty

 

UPC provides the CO-APS application and content included therein for use on an “as is” and “as available” basis. They cannot be customized to fulfill the needs of each and every user. We hereby disclaim all warranties and representations, either express or implied, with respect to the service, including, without limitation, any warranties of merchantability, and fitness for a particular purpose, features, quality, non-infringement, title, compatibility, performance, security or accuracy. Information may not always be accurate. We try to make sure that the data is correct and up-to-date, but we cannot guarantee that it will always be. Accordingly, we do not accept any liability for any error or omission in the information available or the challenges made through the CO-APS application, and we exclude all liability for any action you may take or loss or injury you may suffer (direct or indirect including loss of income, profit, opportunity or time) as a result of relying on any information available through the CO-APS application. UPC exerts efforts to provide you with a high quality and satisfactory service. However, we do not warrant that the CO-APS application will operate in an uninterrupted or error-free manner, or that it will always be available or free from all harmful components, immune from damages, free of malfunctions, bugs or failures, including, but not limited to hardware failures, software failures and software communication failures.

You agree and acknowledge that you assume full, exclusive and sole responsibility for the use of and reliance on the CO-APS application, and you further agree and acknowledge that your use of or reliance on the CO-APS application is made entirely at your own risk. You further acknowledge that it is your responsibility to comply with all applicable laws while using the CO-APS application.

 

5. Copyright

 

All intellectual property rights related to the CO-APS application and its database, including copyrights, trademarks, industrial designs, patents and trade secrets – are either the exclusive property of UPC or its partners (see section 10). The CO-APS application is protected, among others, by the Spanish Copyright Act as well as by applicable copyright provisions prescribed by any other law, in Spain and elsewhere.

“CO-APS”, the CO-APS logo, and other trade and/or service marks are the property of UPC or its partners and you may not use such logos or marks for any purpose that is not expressly authorized in these Terms without the prior written consent of UPC.

 

6. Data Controller

 

Using the CO-APS application will result into processing data related to identified or identifiable natural persons.

The data controller is Universitat Politècnica de Catalunya (UPC) located in Campus Nord, Carrer de Jordi Girona, 1, 3, 08034 Barcelona, Spain

The main contact person in charge of the CO-APS application at UPC is Josep Lluís Larriba Pey. He can be contacted at larri@ac.upc.edu

7. Information and access to personal data

Information and access to personal data

Identity and contact details of the data controller	Universitat Politècnica de Catalunya DAta MAnagement group — Computer Architecture Department https://www.dama.upc.edu/en/contact larri@ac.upc.edu
Contact details of the data protection officer	Universitat Politècnica de Catalunya https://www.upc.edu/normatives/ca/proteccio-de-dades/normativa-europea-de-proteccio-de-dades/dades-de-contacte-del-delegat-de-proteccio-de-dades
Purposes of the processing	F05.4 Gestió de dades de projectes de Recerca i Innovació. Project CO-APS
Legitimate interests	Based on the consent requested, you can withdraw your consent by contacting the Data Controller.
Recipients or categories of recipients	The data stored in the CO-APS application environment is provided to some members of the CO-APS consortium, as detailed hereunder. These consortium members are considered to be processors and their processing of data on behalf of UPC is governed by binding subcontracts. These processors may only process the transferred data for research purposes in the context of the CO-APS project, as follows: · Sparsity Technologies: For developing the CO-APS app, assessing it and fix the bugs detected in its different versions, Sparsity needs access to the database of CO-APS to all relevant data in order to provide complete functionalities to the users. · AIR Institute: provides the CO-APS analytics tool which is the interface of the transport service operators as well as to the cities registered in CO-APS. Hence, AIR Institute will have access to the data produced by CO-APS application in order to process them statistically and also apply AI algorithms. AIR will have access to the demographic data of the users but not at the users’ ID and email to perform a statistics analysis. Furthermore, AIR will have access to the results of CO-APS challenges. More specifically, AIR will have access to the results of each challenge of the pilots’ sites of CO-APS by knowing the number of participants and their crowdedness perception level which is calculated at the sever of CO-APS. · TMB-Metro, Sofia Development Association, Municipality of Karditsa: These partners are leading the pilots/demonstrations of the CO-APS project. These partners may process the e-mail addresses of the users exclusively to contact them for purposes linked to these pilots/demonstrations. These partners may also process the e-mails to send users rewards (e.g. a gift card).
Rights	Right of access by the data subject. Right to rectification or erasure (‘right to be forgotten’). Right to restriction of processing. Right to object. Right to data portability. More information here: https://www.upc.edu/normatives/ca/proteccio-de-dades/normativa-europea-de-proteccio-de-dades/drets
Period for which the personal data will be stored	Your personal data will be erased on 31th March 2021 when the pilot phase of the CO-APS project ends and that the collected data has been analysed for research purposes.
Complaint	If you have been unable to exercise your rights to your satisfaction, you can file a complaint with the APDCAT. http://apdcat.gencat.cat

8. Categories of personal data being processed

 

• User login
• User registration date
• Email for the purpose of registration to the CO-APS application
• Email for usability tests and on site pilots: Users of the CO-APS application agree to be contacted by e-mail by partners of the CO-APS consortium exclusively for usability tests and on site pilots.
• E-mail to send users’ rewards
• Language
• Location (choose from list: Barcelona, Athens, Karditsa, Sofia)
• Age (choose from list: 18-24, 25-34, 35-44, 45-54, 55-65, +65)
• Gender (choose from list: Male, Female, Other, Prefer not to say)
• Occupation (choose from list: Public servant, Private employee, Self-employed, Student, Retired, Unemployed)
• Usual trip purpose (choose from list: Work, Education, Other)
• Discount holder (choose from list: yes, no)
• Information of how important the occupancy is in a public transport (choose from list: Not important, Somehow important, Very important)
• Information of how important it is to arrive on time (choose from list: Not important, Somehow important, Very important)
• Information about of their advice to others about keeping distance in the public transport (choose from list: Yes, Maybe, No)
• Score computation regarding the perception degree of the user (from 0 to 1)
• Challenges played: challenges have a location and time
• Answers to challenges
• Ranking of the user in their location
• Points obtained per challenge played
• Geolocation data: the Flutter Geolocator Plugin is being used to know if the user’s location matches the location of a challenge. For privacy enhancement, geolocation data is only being processed in the user’s device and no such data is being transferred to CO-APS servers.
• DeviceID (Apple) or the FCM ID (Android): In order to be able to send directed notifications only to the winners of prizes we need to match a user Id with the identification of their device, which is necessary to be able to send the notification only to that mobile app installation

 

9. Data retention period

 

Your personal data will be erased on 31th March 2021 when the pilot phase of the CO-APS project ends and that the collected data has been analyzed for research purposes.

 

10. Recipients and third parties who process your data

 

Apart from the Universitat Politècnica Catalunya (UPC), which is the data controller and the coordinator of the CO-APS project, the CO-APS consortium is composed of Sparsity Technologies, Municipality of Karditsa, Transports Metropolitans de Barcelona (TMB-Metro), Fundación Instituto Internacional de Investigación en Inteligencia Artificial y Ciencias de la Computación (AIR Institute), the International Association of Public Transport (UITP), EGTC Efxini Poli, and Sofia Development Association.

The data stored in the CO-APS application environment is provided to some members of the CO-APS consortium, as detailed hereunder. These consortium members are considered to be processors and their processing of data on behalf of UPC is governed by binding subcontracts. These processors may only process the transferred data for research purposes in the context of the CO-APS project, as follows:

• Sparsity Technologies: For developing the CO-APS app, assessing it and fix the bugs detected in its different versions, Sparsity needs access to the database of CO-APS to all relevant data in order to provide complete functionalities to the users.
• AIR Institute provides the Co-APS analytics tool which is the interface of the transport service operators as well as to the cities registered in CO-APS. Hence, AIR Institute will have access to the data produced by Co-APS application in order to process them statistically and also apply AI algorithms. AIR will have access to the demographic data of the users but not at the users’ ID and email to perform a statistics analysis. Furthermore, AIR will have access to the results of Co-APS challenges. More specifically, AIR will have access to the results of each challenge of the pilots’ sites of Co-APS by knowing the number of participants and their crowdedness perception level which is calculated at the sever of Co-APS.
• TMB-Metro, Sofia Development Association, Municipality of Karditsa: These partners are leading the pilots/demonstrations of the CO-APS project. These partners may process the e-mail addresses of the users exclusively to contact them for purposes linked to these pilots/demonstrations. These partners may also process the e-mails to send users rewards (e.g. a gift card).

When possible to achieve the research purposes of the CO-APS project, the information provided to the above-mentioned consortium members is pseudonymized.

However, when a processor justifies to UPC that it is impossible to fulfill the research purposes of the CO-APS project with anonymized or pseudonymized data, non-pseudonymized data can be transferred to the said processor. In such cases, the processor must a provide to UPC a precise description of the requested non-pseudonymized data as well as a thorough explanation of the reasons justifying their transfer. If such requests are accepted by UPC, the aforementioned contracts impose more rigorous conditions, safeguards and security measures to the said processor(s).

The users’ e-mail addresses (or any other data) will never be sent to any other third party. No transfer of personal data is allowed outside of the CO-APS Consortium. No transfer of personal data is allowed outside of the European Union.

 

11. Security

 

The CO-APS app stores personal data either locally (in the smartphone) and in the CO-APS servers.

The data stored in the mobile app is private and only accessible by the CO-APS app. In principle, operating systems such as iOS and Android guarantee that the data cannot be accessed by other applications.

The CO-APS application servers are hosted in a cloud provider compliant with the following security and privacy standards: ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3, PCI DSS and CSA STAR. All servers storing data are behind the cloud provider firewall and are not accessible from the internet. User Login information is stored in a separate database to the rest of the data processed such that data processors cannot relate the user activity with the actual user login information. The chosen Cloud provider to store the data is located in St. Ghislain, in Belgium.

 

12. Modifications to the software

 

UPC may, either partially or in its entirety modify, adapt or change the software of the CO-APS application, its features, the user interface and design, the extent and availability of the contents in the application and any other aspect related to the service. You will have no claim, complaint or demand against UPC for applying such changes or for failures incidental to such changes. However, UPC will provide you prior information if changes impact the processing of personal data described in these Terms.

 

13. Your rights

 

• You have the right to withdraw your consent
• You have the right to access information we hold about you
• You have the right to make us correct any inaccurate personal data about you
• You have the right to restriction of processing
• You have the right to port your data to another service
• You have the right to be ‘forgotten’ by us
• You have the right to to receive this document in any of the local languages supported in the CO-APS pilots (Greek, Catalan, Spanish, Bulgarian) within 2 weeks
• You have the right to lodge a complaint regarding our use of your data. This can be done by contacting the UPC’s data protection officer or the Autoritat Catalana de Protecció de Dades.

All rights can be exercised by contacting UPC. Furthermore, in the mobile app, once a user has logged in, he/she can access to related GDPR actions from its profile. Those actions are accessible via 2 buttons. The first one provides all the information that the system has related to the user and it sends this information via a human readable format. The second one erases all the information related to the user that is in the system.

 

14. Termination of use of the service

 

You may terminate your use of the CO-APS application at any time and for whatever reason. You are not obligated to advise UPC of such termination. However, if you would also like for UPC to delete your CO-APS account and your personal information contained in the account, please use the appropriate button in the CO-APS application.

UPC retains the right to block your access to the CO-APS application and discontinue your use of the service, at any time and for any reason UPC deems appropriate, at its sole and absolute discretion.

 

15. Governing law and jurisdiction

 

These Terms will be governed by the laws of Spain. Any dispute, claim or controversy arising out of, connected with or relating to these Terms, the CO-APS application and the service, will be under the non-exclusive jurisdiction of the competent court in Barcelona. If any provision of these Terms is found to be invalid by any court having competent jurisdiction, the invalidity of such provision shall not affect the validity of the remaining provisions of these Terms, which shall remain in full force and effect.