Apklab.io privacy notice

Apklab.io is a mobile threat intelligence platform provided and managed by Avast Software s.r.o., with its registered office at Pikrtova 1737/1a, Nusle, 140 00 Praha 4, Czech Republic, ID No. 02176475 (“we” or “Avast”). When you use this platform, we will process some of your personal data for various purposes, which allows us to facilitate your participation in this platform. Below we describe what data we get from you and how, how we use it and how you can get in touch with us if you want to talk to us about your data.

The apklab.io mobile threat platform (the “Platform”) allows for exchange of certain threat intelligence information between security industry professionals and foster relationships with the cybersecurity community. Participation in this Platform is open only to those members of the cybersecurity community who have been specifically invited and is not generally available to the public.

1. User Account and Registration

We extend the invitation only to those who we either know from our previous interactions or to those who were referred to us by people we trust. Those invited to participate in the Platform then create a user account, which is administered by us. To those ends, we keep a list of members who are allowed to access the Platform, which identifies them by name, as well as their contact information in order to respond to queries, if they have any.

In order for us to communicate with you, create your registration and establish your account, we need your name, surname, email address and information about the company you work for. In some instances, we may contact you via Twitter or other social media platform, in which case, we will also need the link to your social media account (although we will not use the information posted to your account).

Once a user has their account set up, their personal data tied to that account is stored in our systems for as long as the account exists. In the event that the user decides to delete their account, they can do so through the user interface, by accessing the “Delete Account”. This will also erase all of the user’s personal data and no record of that account will remain stored in our systems. Sample files uploaded by you will remain, but it will not be possible for us to associate them with your specific account once you delete the account by us or other parties.

We reserve the right to terminate your access to the platform and delete the data associated with the terminated account at any time in accordance with the EULA.

2. Samples and Submission of Samples

The Platform allows the participants to exchange samples of suspicious files in order to analyze them and determine whether the suspicious file is a malware or not.

These samples are all .apk files and the Platform only accepts samples in the .apk format (.apk files). The sample itself is a container with the application information (source code) required to execute inside a device. This type of file is not intended for the storage of personal data and will be processed by us as non-personal data. The only data a sample file contains relate to the malware source and it will not be connected to any data from you as a user of the platform or from your device.

We get these samples from the following sources:

2.1 Our own activities

These are threat samples or suspicious files that we have come across from our own activities and our own threat intelligence. These samples do not contain any personal identifiers.

2.2 Samples uploaded by the Users of the Platform

As was already discussed, the Platform allows its users to upload their own samples into the database. Users may only upload samples which do not contain any personal data. For any user-uploaded sample, we require our users to attest that they are the original owner of, or have all necessary rights and permissions to information (including any personal data, even if incidental) contained in, any sample uploaded to the Platform and clarify that the purpose of the user’s submission is to share the sample with the community. On that note, please be aware that certain samples, such as executables and other packaged software, may contain metadata that includes personal information that could relate to someone other than you. We therefore urge you that you pay increased attention when uploading these types of files as to what they actually contain.

By registering in the Platform, the users accept the Platform’s EULA and are obligated to abide by its terms. We prompt users to verify each sample before it is submitted to ensure it is intended and suitable for upload and that it does not contain any personal data. We note that, in line with our EULA, we are not obligated to check whether the samples comply with these requirements and presume they do.

At the same time, we reserve the right to investigate any samples that the Platform’s users have uploaded and to take steps to remedy the situation in the unlikely event that a sample is confirmed to contain personal data or other data where the risk to the Platform’s community is not outweighed by the potential harm to an individual or an entity.

If you as a participant in the Platform submit samples, we will collect all of the information in the sample itself and information about the act of submitting it. We will not, however, publish all of this information – for example, if you submit a sample, other members of the community will not be able to see that you were the one who submitted that specific sample, but they will be able to see the sample itself.

2.3 Sample Processing on the Platform

The Platform is designed to collect and analyze samples and display additional information about them. This additional information that is displayed and which the Platform gains access to in real-time, may include IP addresses, domains and full URLs the sample communicated with. Based on these, an approximate publicly available city-level location is retrieved from a GeoIP database (we are using MaxMind GeoIP database) for each IP address. It is important to note that the information describe only publicly accessible internet servers and never any user device. The location is always retrieved from the GeoIP database in real time (as was mentioned above) and is never retained by us.

We use this information in order to provide additional intelligence against the threat identified in the sample, track the threat and map its behavior, as well as spread of the contagion.

3. Platform (website) use and Cookies

The Platform scans the IP address in order to facilitate communication between it and your device. The Platform also uses cookies, although to a very limited degree - we use only “functional” cookies, i.e., the cookies we need in order to facilitate your login and to provide the Platform’s functionality.

The Platform does not utilize any third-party cookies, including that no on-website analytics are used. The only information we get about traffic are standard server logs, which include information about timestamps, IP address and the Platform URL being visited. We use this data in order to facilitate and manage traffic to the Platform, as well as to ensure that it is secure, optimized and stable. We delete this data regularly after 180 days.

4. Storage, Retention and Deletion of your Personal Data

4.1 Storage of Information

We store information that we collect within the Avast server infrastructure - this includes our own servers, the servers of our subsidiaries or affiliates, as well as the servers we are leasing from our partners or service providers. The account data are kept on our own servers.

The data on our servers can only be accessed from our physical premises, or via an encrypted virtual private network (“VPN”). Access is limited to authorized personnel only, and company networks are password protected and subject to additional policies and procedures for security.

4.2 Access by our contractors

We or our contractors, affiliates, representatives, or agents, who are working on our behalf undertake regular maintenance of personal data we process. All third parties processing personal data on our behalf must agree to observe the privacy of our users, and to protect the confidentiality of their personal information. This means your personal data cannot be shared with others, and there must be no direct marketing by the third parties.

4.3 Retention and Deletion of Your Personal Data

We retain your personal data for limited periods of time when it needs to be kept in order for us to provide you with access to the Platform, manage your account, as well as for our legitimate business or legal purposes. Some of the retention periods we use are mentioned in the previous sections of this Privacy Notice. As a general approach, for each type of data, we set retention timeframes based on the reason for its collection and processing. We do not delete data that we need for our legitimate or legal purposes, even upon request, until the purposes expire.

We have operational and legal requirements that require we retain certain personal data, for specific purposes, for an extended period of time. Reasons we might retain some data for longer periods of time include:

1. Security, fraud & abuse prevention;
2. Complying with legal or regulatory obligations, including for investigations, enforcement, or when legally actionable;
3. Ensuring the continuity of our activities; and
4. Direct communication with you and the organizations we cooperate with, such as for additional reporting, providing information about our other activities, open projects and opportunities for cooperation.

5. Who else has access to your data?

Avast does almost all of its processing operations necessary to provide and maintain the Platform internally, without the use of processors or involvement of other third parties.

In some circumstances we may need to give access to our data, which may include personal data, to other parties, such as our service providers, partners or Avast, our founding company; even in those instances, however, we make sure that any personnel that may have access to this data has access only to the smallest extent necessary, is bound to confidentiality, does not compromise the security of our data, and that additional appropriate safeguards are put in place to keep the data safe and secure.

6. Across Borders

The Platform is operated locally, and so there is generally no need for us to transfer data outside of the Czech Republic or, as the case may be, the European Economic Area. If a situation occurs that we would have to transfer the Platform data outside of this territory (for instance, when during an outage we need to ensure service continuity and have no other option but to host the Platform elsewhere), but in some of these cases data may be transferred to other countries, including countries outside of the European Economic Area, where the local law provides a different level of protection to personal data than the law of the Czech Republic and the European Union. In all such cases, however, we always make sure to put in place appropriate safeguards to ensure that any data we send out are protected and that your rights and legitimate interests are protected.

7. Your Rights

As a data subject under European data protection law, you have certain rights. You have the right to information about whether and how we process your personal data, the right of access to your personal data, and the right to rectification and erasure of personal data or restriction of processing. You have the right to object to the processing of your personal data as well as the right to data portability. You also have the right to lodge a complaint with the supervisory authority. Where the processing of your personal data is based on consent, you have the right to withdraw your consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal. More details about your rights can be found in our general privacy policy, which can be found here.

You have the right to object to processing based on legitimate interests in which case we will re-examine the processing in order to ensure compliance with all legally binding rules and applicable regulations. Specifically, you can directly opt-out of receiving certain emails (e.g., marketing communications) at any time by following the relevant unsubscribe process outlined in the applicable email.

You can exercise your rights by sending an email with the words “PRIVACY REQUEST” in its subject line to privacy@avast.com. You may also send paper mail to Avast Software s.r.o., Pikrtova 1737/1a, 140 00, Prague 4, Czech Republic. Please write "Attention: PRIVACY" in the address.

Avast has appointed a Data Protection Officer, who can be reached at dpo@avast.com.

8. Changes to this Privacy Notice

We reserve the right to change this Privacy Notice at any time, and will indicate the date the Privacy Notice was most recently updated for your convenience. We encourage you to periodically review this page for the latest information on our privacy practices.