Internet privacy is one of the big challenges we face in this decade. Exchanging data creates benefits and extra value for the user, but probably exposes information one wants to keep private too. For APEX Pro (and all our apps), we try to run a policy that both creates great value from data exchange and keep things private were they should be. Our key approach to doing this is transparency on what APEX Pro is actually sending and receiving.
We will not use any data we get access to for marketing purposes. In addition to transparency on data exchange, this page includes a long list of privileges APEX Pro requests from the smartphone operating systems and why. In all areas no explicit statement is made here, Privacy Policies included in Apple’s and Google’s End User Licenses apply.
Please note everything on this page is applicable to unmodified operating systems. In case you root your Android device or jailbreak your iPhone no guarantee on anything can be given.
Before going into the details, it makes sense to give an overview on the situations your APEX Pro app will communicate outside of its so called “sandbox”. The concept of a sandbox is implemented in all modern operating system. It defines a set of resources strictly separated from the rest of the system. APEX Pro apps and their local data areas are such sandboxes. They cannot be accessed from outside (except by super users / administrators). Vice versa, an app operated in a sandbox is not allowed to access resources outside the sandbox – except it is explicitly requested and agreed on by the user as an extended privilege / permission (see below):
- APEX Pro Server: APEX Pro clients (all editions) communicate with our server to provide features as described here. These features include but are not limited to: submission of lap times and positions on track, requesting information from the server, and exchanging data between users. The server is a dedicated machine operated by APEX Pro.
- Tracks Database: APEX Pro provides a huge set of predefined tracks to APEX Pro users. The track sets are hosted on a 3rd party web space, they are downloaded only.
- Track, Challenge, and Vehicle submissions / certifications: users can contribute their own track setups and vehicle definitions to APEX Pro’s repository, or share own recordings of laps with all users, or a private peer group.
- Internal and External Sensors: APEX Pro clients access all kinds of sensors (GPS, acceleration, microphone, cam, etc.), both built-in and sensors connected externally. External sensors are connected wired or wireless.
- External Storage: APEX Pro stores data and media to external storage. This external storage includes the Photo Library for iOS, an optional SD Card for Android, iCloud for iOS, Dropbox for both iOS and Android, and Mail for all platforms.
- Crash Reports: Both Google and iOS allow the user to select whether they want to report and send crash logs to allow the developer to fix them.
- Push Notifications: APEX Pro supports push notifications. Push notifications are short messages shown as banners both for iOS and Android. These messages appear even while APEX Pro is not started.
APEX PRO SERVER
In general, only data required to provide APEX Pro functionality is transmitted to APEX’s server. In detail, information sent is made up from the nickname/username, current positions as polar coordinates, a track identifier, times lapped in hundreds seconds, a device identifier, and the current vehicle. The device identifier is needed to match incoming data with existing data. It is generated when the app is started the first time after installing it and will be kept until the app is uninstalled. For privacy reasons, it is not possible to derive a specific device from this identifier once the app is uninstalled. The identifier can be compared to Cookies used by web browsers.
Whether data is transmitted at all depends on a user’s participation in groups. In case a user is not active in any group, APEX Pro will use the server to generate the identifier discussed only.
This is a database of track sets submitted by users and developed by APEX and friends. The track sets are hosted on a 3rd party web server. Clients update the overall list of available track sets regularly when opening the Add-ons / Tracks List. Track sets are loaded on demand. Loading track sets requires a working Internet connections, your telco provider may charge you an extra fee for data transfer.
TRACK, CHALLENGE, AND VEHICLE SUBMISSIONS
All of these actions are triggered by the user and will not take place except when explicitly requested. When sharing tracks and vehicles, the user transfers using rights for this data to us. For tracks, data transferred are triggers and points of interest. All data transferred is visible in the mail generated. The user can decide if his / her name is listed in APEX Pro list of tracks once the track has been quality assured and placed on the server for others.
INTERNAL AND EXTERNAL SENSORS
APEX Pro is an extremely sensor intensive application. It records GPS, OBD, acceleration, and can record video and audio. Although internal sensors (GPS, acceleration, video, audio) can be accessed through operation system interfaces, this channel is not “open” by default. Depending on the operating system, you will be asked to approve access to GPS and microphone when these services are accessed the first time (iOS) or when installing the app (Android). APEX Pro will record data from all the named sensor and store this data into its local database. Recorded data will be transferred to APEX’s Server as long as this service is not turned off, and will be exported to external storage if requested. There is no other transfer of data recorded.
To access external sensors, APEX Pro will access network interfaces. Access to video and audio sources are treated just the same as the other sensors in APEX Pro. Both Android and iOS take care APEX Pro will not be able to access cam or audio without your confirmation. For more information, please see Privileges Requested below.
APEX Pro will transfer data to selected external storage on demand. All operations except iCloud transfer are user triggered and will not be initiated by APEX Pro itself. Export of APEX Pro data is often done using standard mail. Please keep in mind that data transfer is not encrypted by default – you need to add encryption to the Mail client yourself. For Dropbox and iCloud, providers claim that the transfer is encrypted.
Crash reporting is controlled by your iOS or Android device settings (see “Sharing Data with Developers”).
As introduced with the concept of a sandbox, APEX Pro needs to be granted permissions to access resources outside its sandbox.
This is the list of permissions you will be prompted for in iOS:
- Bluetooth Access: Bluetooth is used for the obvious BT sensor connections, and for device to device communication. The latter is used for connection to APEX Pro hardware, and when transferring data from one device to another.
- Notifications: this permission allows APEX Pro Server to send information on track updates, new app updates, etc.
For older Android versions, you need to grant permissions during the install process. In case you do not agree to grant any of the permissions below, you cannot install and use APEX Pro.
- Read phone status and identity: APEX Pro will use the phone identity to derive a simplified UDID (see Online Racing). It will not access the phone otherwise.
- Find accounts on the device: required by Android to establish a connection between Google server and the smartphone; used for Push Notifications
- Read Google service configuration: needed to access Google Maps utilized in APEX Pro’s Map view.
- Full network access etc.: used for communication with APEX’s Server, for track database access, and for Wi-Fi sensor access.
- Access Bluetooth access: used to access Bluetooth connections to APEX Pro external hardware.
- Google Play billing service: used to allow InApp purchases on user’s request.
For recent Android versions, permissions are requested individually just like for iOS. Please see the list above for permissions requested and their effect.
EUROPEAN UNION’S GDPR
(General Data Protection Regulation; for Germany, EU-DSGVO)
The data security officer is APEX Pro’s founder Austin Gurley.