Skyhook Services Privacy Policy

Effective Date: 05/25/2018

Skyhook values the personal privacy of our customers, prospects and end users, and we are committed to maintaining the trust placed in us by our customers since Skyhook’s founding 2003. A critical part of that trust involves transparency – the responsibility to be clear about the information which we may collect, how we intend to process and store that data, and how we may use this data. Accordingly, this Services Privacy Policy explains how Skyhook will collect and use information that is obtained from our location-based services technology or transferred to us from partners (the “Skyhook Services”). 

As part of our commitment to privacy and transparency, Skyhook is an active participant in a number of industry privacy forums.  We are a member of the Network Advertising Initiative (NAI) and complies with the NAI Code of Conduct, including its requirements as to transparency, notice and user control.  In addition, as described in our Privacy Shield Notice, Skyhook complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States. 

1. Scope and Applicability of Privacy Policy

This Services Privacy Policy applies to any and all use of the Skyhook Services, including our Precision Location product or Geospatial Insights data.  It covers the data we collect from the Skyhook Services, and other data we compile from third parties in order to provide the Skyhook Services.  It does not cover the Skyhook Websites.  All Website actions that do not form a part of the Skyhook Services are covered by our separate Website Privacy Policy.  We encourage you to read that policy if you have questions regarding online data collection through our Websites.

One additional limitation applies to this Services Privacy Policy.  As an enablement technology provider to mobile devices, application providers, and advertisers, Skyhook does not have a direct relationship with end users of devices or mobile applications which may incorporate the Skyhook Services.  We impose tough contractual requirements on our customers that require adherence to privacy requirements that are generally more stringent than common industry practice. However, the ultimate nature, scope and use of information that is collected from users of devices or mobile applications is subject to the privacy policies of our Customers, and not Skyhook.  If you have questions or concerns about data collected by a particular device or application, you should contact that provider or refer to such device or application-specific privacy policy. 

2. Overview of the Skyhook Services

So that you can better understand the types of Skyhook Services that are available, and how and why data collection is important to the provision of these services, below is a brief description of the main types of products and services offered by Skyhook.

Location Determination: Skyhook offers a software (SDK) and cloud-based (API) technology platform that may be used to calculate the approximate geographic location of a device. See http://www.skyhookwireless.com/products/precision-location. The Skyhook geolocation technology determines the location of a device by interfacing with Global Navigation Satellite Systems (such as GPS), as well as by utilizing the IP address of the device and nearby Wi-Fi access points and cell towers visible to the device. This information is then processed on the device or on Skyhook’s servers to calculate and return the approximate geolocation (i.e., latitude/longitude) of the device.

Geofencing: Skyhook’s on-device software may also be used to determine a device’s proximity to nearby points of interest, or whether a device has entered or exited a pre-defined geographic perimeter. For example, an application developer may use Skyhook software to understand when a user is in proximity of a coffee shop, in order to deliver a relevant coupon, advertisement or different user experience.

Geospatial Insights: Skyhook also offers data services to application developers, enterprises, and advertisers that measure foot traffic visits to venues or locations and segment the interests or demographics of device users into defined profiles based historical location data. The Skyhook technology will infer demographic information (such as gender, age, etc.) based on a device user’s presumed home census block and will infer interests and behaviors (apparel shopper, coffee drinker, business traveler) based on the venues a user visits over time. For example, if historical geolocation data suggests that a device has visited multiple auto dealerships in the past month, the Skyhook technology may characterize the device user as an auto buying intender. This information may be used to help partners better understand their users, to target users with more relevant experiences or advertisements, and to measure the efficacy of advertising campaigns or offers.

3. Information Collected by the Skyhook Services

When end users engage with mobile devices or customers that integrate or leverage the Skyhook Services (including via SDK, API or otherwise), Skyhook may collect data that may (but does not necessarily) include the following:

• Precise geolocation information (latitude/longitude);

• Information regarding the identity (e.g., MAC Address or Cell ID) of wireless routers or cell towers in proximity to a mobile device, along with received signal strength measurements;

• IP Address of a requesting device; 

• In some, but not all implementations, an advertising identifier or device ID (IDFA for iOS, Android ID for Android devices or a hashed partner ID that may specified and passed to Skyhook);

• Time that a device is detected at a given location;

• Network information, including information regarding connected MAC addresses;

• Sensor information such as barometric pressure, accelerometer measurements, gyroscope measurements, device orientation, magnetic field measurements, direction of travel, motion activity (e.g. walking), or other similar sensor measurements;

• General information about the device, including the device manufacturer, model, platform or operating system, time zone, network status (connected to Wi-Fi, etc.), timestamp and other similar information; 

• Information about the version and use of the Skyhook technology.

4. Information Obtained from Partners

Skyhook may also receive information from our partners, which are usually mobile advertising networks, data aggregators and application developers/publishers. These partners may deliver mobile software, services or advertising onto your mobile device and, through them, we may receive geolocation information (latitude/longitude), usually including a unique identifier or device ID (IDFA for iOS, the Android ID for Android devices or a hashed partner ID), a time stamp, and in some cases, an IP address.

5. How We May Use Information

In general, Skyhook uses the information collected in order to operate, maintain and deliver the Skyhook Services and to develop new products, services or datasets. In particular, Skyhook uses the information generated or collected as follows: 

• To provide location-enabling service(s) by calculating and providing geographic location to application developers, device makers and operating systems, when users have opted in;

• To improve the quality, accuracy and precision of Skyhook’s location database by adding the estimated location of new access points or cell towers or refining the estimated positions of existing access points or cell towers;

• To infer that a user is nearby, approaching or inside a particular venue or point of interest (i.e., a geofence), which may be used by our partners to provide more relevant content, advertising and user experiences;

• To help brands, publishers, advertisers, enterprise, developers, and other companies and organizations learn more about the real-world actions of their consumers and customers;

• Except with respect to devices located within the European Union, to build anonymous location-based audience segments that infer demographic attributes and behavioral interests and activities;

• Except with respect to devices located within the European Union, to predict device relevant interests or buying intent of consumers;

• Except with respect to devices located within the European Union, to determine if a device user visited a venue or store after being exposed to advertising messages or campaigns campaign

• To aggregate geolocation data in an anonymous, de-identified manner in order to provide Skyhook and our partners with insights into the number and frequency of location requests in a particular area during a particular time interval; and

• To approximate the geographic location where IP addresses are used for use in developing and marketing an IP geolocation services to partners, including publishers, data exchanges and advertising companies;

• To offer anonymized and aggregated data to market research, and business intelligence or information products to third parties.

6. Opt-Out Choices

Skyhook requires all clients and third parties using the Skyhook location and context services to provide notice regarding data collection and use, and to obtain all opt-ins, consents or permissions required, including without limitation any data such party collects, uses, and/or discloses from its users, the provision of such data to Skyhook, and the other party’s use of such data.

In addition, Skyhook also allows users to directly opt-out from Skyhook’s Services as follows:

Location Information: For users who do not want any location data to be collected, the application, device, or operating system provides controls for disabling all location services.  This choice may limit the functionality of the device or installed applications.

Device ID: If you wish to opt out of the Skyhook’s use of your Device ID to assist our partners with identifying your demographic information and interest segments for purposes of providing you with targeted ads, you may opt-out by clicking here. If you choose to opt out your Device ID(s), Skyhook will delete any collected data about this Device ID from Skyhook database, and quarantine the device ID so that Skyhook does not collect any data about this Device ID in the future or return or share any information about the Device ID to API or SDK requests.  

Skyhook also respects platform-level controls and restrictions, so that if you disable targeted advertising through controls offered by the application and/or through the iOS or Android “Limit Ad Tracking” or “Opt out of interest-based advertising” settings, we will abide fully by those setting. More information on how to access these settings is provided on the Skyhook opt out page, which can be accessed by clicking here. If a user chooses the “Limit Ad Tracking” or “Opt out of interest-based advertising” settings on iOS or Android, Skyhook will quarantine the device ID so that Skyhook does not collect any data about this device ID and will not return or share any information about the Device ID in response to API or SDK requests, instead returning an error code when the device ID has been opted out. Skyhook will also delete any encrypted device identified data from the opted-out user’s device.  

MAC Addresses: If you wish to opt out of Skyhook’s use of your MAC address to provide location, you may opt-out by clicking here. If you choose to opt out, Skyhook will (if applicable) delete the positioned record for that MAC address from the Skyhook database and will blacklist that MAC address so that we will not process or use that MAC address information in the future.

IP Addresses: If you wish to opt out of Skyhook’s use of your IP Address, you may opt-out by clicking here. If you choose to opt out, Skyhook will (if applicable) remove the positioned record for that IP address from the Skyhook database and will blacklist that IP address so that we will not process or use that IP address information in the future.

7. Data Retention and Data Security

Data on Device:  Skyhook may store an encrypted local cache of all Wi-Fi access points and cell towers in a surrounding area on the device to allow the device’s location to be determined without connecting to our servers.  A temporary encrypted history of scanned Wi-Fi access points and cell towers nearby may also be kept in memory on the user’s device and later transmitted to our servers. A maximum of 100 historic scans will be retained on device. This encrypted cache information will be deleted from the device the next time the Skyhook technology connects to the Skyhook servers, when the application terminates, or when the device is turned off.

Data Retention:  For all device identified data (i.e., location history that is associated with an Advertising ID or another persistent Device ID, hashed or otherwise), Skyhook will retain such data for up to two (2) years. After that time, some of the information we have (such as anonymous location logs) may be aggregated and anonymized for statistical purposes and stored indefinitely. Other anonymous location data that is not associated with any unique identifier, device ID or any other personally identifiable information may be stored indefinitely and used for purposes of improving and maintaining our location service.

Data Security: Skyhook is committed to protecting the security of information that is collected by its technology. We follow generally accepted industry standards to protect the information submitted to us, both during transmission and once we receive it. However, no method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee the absolute security of all information.

8. How We May Share Information

Skyhook may share information that we collect from our Location Services or obtain via partners as follows:

• With our customers to provide location-based services, including location determination, geofencing, and/or proximity-based marketing;

• With brands, publishers, agencies, advertisers and other companies to provide data analysis, location-based targeting and advertising;

• With advertising platforms (such as demand-side platforms, data management platforms, or other advertising technology providers) to enable location-based advertising and content delivery;

• With third party market research and information companies, to create anonymous data, market research, business intelligence or information products which analyze and monitor location behavior;

• With agents, vendors or service providers that help Skyhook to process the data or operate our business;

• As required by law, such as to comply with a subpoena, court order or similar legal process;

• When Skyhook believes in good faith that disclosure is necessary to protect our legal and contractual rights or the safety of others, investigate fraud, or respond to a government request;

• If Skyhook is involved in a merger, acquisition, or sale of all or a portion of our assets, in which case users will be notified via a prominent notice on our Web site of any change in ownership or uses of the information; or

• Where you have granted us permission.

Except as described in this Privacy Policy, Skyhook will not share any information that is collected by the Skyhook services with third parties.

9. Children's Privacy

The Skyhook Services are not developed or intended for persons under 13 years of age. We do not knowingly solicit or collect any personally identifiable information including from children under the age of 13, nor do we knowingly market our Services to children under the age of 13.

10. GDPR and Data Protection

As of May 25, 2018, with respect to individuals in the European Union, the European Economic Area and Switzerland who use the Skyhook Services, the following policies, clarifications and rules also apply.

Key Terms

“Personal Data” means any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of such natural person.

“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Purposes and Legal Bases for Processing Personal Data

Skyhook processes data for the purposes as set forth in this Services Privacy Policy, including to provide the Skyhook Services to our customers. To fulfill these purposes, Skyhook may access information, which may include Personal Data, to provide the Skyhook Services, to develop additional products or features, or in response to contractual requirements. Please see the sections above for additional details on how we collect, use, disclose and share data, make automated decisions and retain data, including Personal Data.

In general, the lawful bases for Skyhook’s Processing of Personal Data are: (i) informed consent, including as obtained via partners through contractual requirements and/or established consent frameworks or (ii) any other applicable legal bases, such as our legitimate interest in and compliance with industry practices.

In particular, with respect to processing, retention and use of any device-identified location data which may constitute Personal Data (i.e., location history that is associated with an Advertising ID or another persistent Device ID, hashed or otherwise – as opposed to data which is aggregated and not able to associated with any particular device), Skyhook relies upon the informed consent of the end user, as received through our customers and partners.

With respect to the collection of the approximate location of wireless hotspot information (MAC address, received signal strength, and location-related information), Skyhook relies upon legitimate interest as a basis for collection and processing. 

With respect to the collection of IP addresses and approximate location associated with their use, Skyhook is not an Internet Service Provider (or ISP) providing the connectivity and does not maintain or have access to information linking the IP address to an individual subscriber. Nevertheless, to the extent that such information might constitute Personal Data as Skyhook uses it to develop a coarse (greater than 100m) geolocation position, Skyhook relies among other things on legitimate interest as a basis for processing and collection.

The foregoing statements of legal bases for processing are intended to be non-exhaustive, and do not preclude Skyhook’s reliance on additional legal bases either now or in the future.

Additional Rights for Individuals in Europe

You may have one or more of the following additional rights available to you:

• Access. With the exception of customer account information (signed up for at my.skyhookwireless.com), which is governed by the Website Privacy Policy, Skyhook does not maintain any information regarding names, e-mail addresses, home addresses, nor do we attempt to link any location data to such fields. Accordingly, while you may request a copy of the Personal Data we have collected from you by contacting us at privacy@skyhook.com, you must provide an applicable Advertising ID or IP Address in order for Skyhook to locate any information that might constitute Personal Data.

• Objection / Opt-Out / Erasure. To object to or correct Personal Data about you (e.g., online identifiers such as an Advertising ID or IP Address) being Processed for direct marketing purposes, you may contact us at privacy@skyhook.com. In addition, as described above, you may directly opt-out from Skyhook’s use of certain online device identifiers (including Advertising ID, MAC Address, or IP Address), by visiting our opt-out page available here.  In general, upon receipt of an opt-out request, within a reasonable time period, Skyhook will delete any collected data about this the requested online identifier from Skyhook’s database, and quarantine the identifier so that Skyhook does not collect any future data or share any information about the online identifier.

• Right to Lodge a Complaint with a DPA. If you believe our Processing of Personal Data about you is inconsistent with the applicable data protection laws, to lodge a complaint with your local supervisory data protection authority (“DPA”).

To exercise any of the above-listed rights (with the exception of the right to lodge a complaint with a DPA, which you may do directly to a DPA), please contact us at privacy@skyhook.com. We will process any requests in accordance with applicable law and within a reasonable period of time. We may need to verify your identity before processing your request.

Compelled Disclosures.

Skyhook may be required to disclose Personal Data in response to lawful requests by public authorities, including disclosures necessary to meet national security or law enforcement requests or requirements, or pursuant to judicial orders, subpoenas, or similar legal process.

11. Cross-Border Transfers

Skyhook is a global organization, with legal entities, business processes, and technical systems that operate across borders. The information we collect is stored and processed on servers located in the United States.  We may transfer information that is collected to affiliated entities, or to other third parties across borders and to other locations around the world. Use of the Skyhook technology and services constitutes consent to the transfer of the information described in this Privacy Policy to locations that may be outside of the country in which you live, and such places may be in the United States, within one or more European countries, and/or in one or more countries within Asia.

If you are located in the European Economic Area (“EEA”), Skyhook has certified to the EU-U.S. Privacy Shield Framework for the transfer of Personal Information from the EEA to the United States, as described in our Privacy Shield Notice. To learn more about the EU-U.S. Privacy Shield Framework and to view our certification, please visit www.privacyshield.gov.

12. Your California Privacy Rights (For California Residents Only)

Section 1798.83 of the California Civil Code requires select businesses to disclose policies relating to the sharing of certain categories of customers' personal information with third parties. These businesses are required to accept requests for disclosures of these policies from customers but are only required to honor one request per calendar year. Businesses have thirty (30) days to respond to each inquiry to the designated address. Each inquiring customer will receive an explanation of the categories of customer information shared and the names and addresses of any third-party businesses. In limited circumstances, customers' failure to submit requests in the manner specified will not require a response from the business.

If you are a California resident, you may request such information from us by sending a letter to the address listed below.  In your letter, please provide your name, address and email address, as well as a request that we provide such information to you, by using the following or similar language, “I request that Skyhook provide its third-party information sharing disclosures required by section 1798.83 of the California Civil Code.”

Attn: General Counsel

Skyhook Wireless, Inc.

41 Farnsworth St.

Boston, MA 02210

13. Updates and Changes to Privacy Policy

Skyhook may amend this Privacy Policy from time to time. When we do, we will also revise the “last updated” date at the beginning of the policy. We encourage you to review this policy periodically to stay informed about how we collect, use, and disclose data that we collect.

14. Privacy Questions / Contact Information

If you have any questions, concerns or complaint regarding our privacy practices, or if you’d like to exercise your choices or rights, you can contact us:

• By email at privacy@skyhook.com
• By mailing to Skyhook, Attn: Legal, 41 Farnsworth St., Boston, MA 02210

We will make every effort to resolve your concerns.

Skyhook Privacy Policy Version: 2018.2