PRIVACY NOTICE FOR EPIDEMICA APPS

Date of latest revision: June 25, 2025

We take your privacy seriously and want you to know how we collect, use, share, and protect your information. This Privacy Notice (Notice) describes how we may collect, store, use, and share information about you and your usage of an Epidemica-based mobile application (app).

What types of information do we collect?

We collect information that you voluntarily provide through the app, as well as data generated through app-based simulations. We do not collect any personally identifiable information.

Specifically, we collect:

• Proximity data: A list of physical proximity contacts between participants and the duration of these contacts, collected via Bluetooth.
• UUID: Each participant is assigned a randomly generated 128-bit Universally Unique Identifier (UUID) upon joining a simulation. This UUID cannot be linked back to your identity.
• Simulation data: Events that occur during a simulation, including the “health state” of your avatar (e.g., “susceptible,” “infected,” “recovered”), and transmission of the digital pathogen between participants.
• Behavioral choice data: Actions you take during gameplay, such as using points to purchase virtual items like masks or PPE. These choices are recorded with timestamps and linked to your anonymous UUID. This helps researchers study how people make decisions under simulated outbreak conditions.
• Attitudinal survey data: Responses to brief, multiple-choice surveys administered during the study. These questions may ask about your perceptions of infectious diseases or protective behaviors. No free-text responses are allowed, and no personal or identifying information is requested.
• App usage data: Anonymous metrics such as the number of sessions, duration of participation, and use of in-app features (e.g., help screens or menus).
• Environmental data: Anonymous sensor data (e.g., temperature, ambient light) from your device, used to understand how environmental context may influence behavior.
• System analytics: Aggregated, anonymized diagnostics collected automatically by Apple and Google, such as crash reports and app retention statistics.

Note: Location services may need to be enabled during a simulation on some devices due to system requirements for Bluetooth sensing. However, no location data is collected or stored by Epidemica-based apps.

Why do we collect this information?

We collect data to:

• Visualize and analyze simulated outbreaks
• Measure behavioral and attitudinal responses during simulations
• Improve app performance and user experience
• Conduct scientific research on infectious disease dynamics and human behavior

How do we collect the information?

• Bluetooth sensing: Strength and duration of Bluetooth signals with nearby devices
• Simulation logging: In-app decisions and events (e.g., item use, transmission) recorded via secure API
• Survey responses: Captured through in-app multiple-choice questionnaires
• System diagnostics: Collected automatically by platform providers (Apple/Google), anonymized and aggregated

What do we do with the information?

The Epidemica-based apps are used to carry our research studies through experimental epidemic games. The anonymized data we collect during these games is used to:

• Apply computational methods to preprocess data, generate descriptive statistics, and summarize key events from the games
• Analyze patterns of interaction, risk perception, and decision-making
• Develop visualizations (e.g., graphs of transmission events or behavior trends)
• Improve models of epidemic spread and inform future research

We may also use attitudinal survey data to evaluate how knowledge, beliefs, or values shape behavior in outbreak scenarios.

We do not sell or rent your information to any third parties.

Who will have access to the information?

We may share your information with:

• The University of Massachusetts Chan Medical School
• The Broad Institute, Inc. (Privacy Policy)
• Amazon Web Services (AWS), which hosts our encrypted cloud-based storage

Data is stored securely using AWS S3 with server-side encryption (SSE-S3 or AWS KMS). Read more in the AWS Data Privacy FAQ.

We may also share information with government or legal authorities when required by law or legal process.

How do I consent?

This Notice is for your information only. Your formal consent to participate in the research study will be obtained separately through an informed consent process within the app.

By continuing to use the app after providing consent, you acknowledge that you have read and understood this Notice.

What about users outside the United States?

The app and supporting infrastructure are located within the United States and third parties with whom we share your information are as well. Our servers are located in the United States, and this is where your data and information will be stored. Information provided to us by users outside of the United States will be transferred to the United States, where data protection laws may differ from those of your home country. By using our app or providing us with your information, you acknowledge that your information will be transferred to the United States, processed, and / or stored on servers in the United States. Your information will be used as provided in this Notice and all reasonable steps will be taken to protect your privacy in accordance with the applicable data privacy laws.

How do we protect your information?

We protect your data through:

• Use of random, non-identifiable UUIDs
• End-to-end encryption of transmitted data
• Secure server infrastructure with access controls
• Collection of only non-personally identifiable information

Do Not Track Signals

Some technologies, such as web browsers or mobile devices, provide a setting that when turned on sends a Do Not Track (DNT) signal when browsing a website or app. Our app does not respond to Do Not Track signals, as there is no standard method of interpreting such signals across devices.

How long will we retain your information?

We retain your anonymized data only as long as needed for the purposes described in this notice. We may also retain your anonymized data if legally required or to fulfill a legitimate interest.

How will you be notified if our Privacy Notice changes?

We reserve the right to change, modify, or otherwise amend this Notice at our sole discretion and at any time as we deem circumstances warrant. The date of the most recent revision is posted at the top. Continued use of the app after changes are made constitutes acceptance of those changes.

How can you contact us?

If you have privacy-related questions, please contact the University of Massachusetts Chan Medical School’s Office of Management at privacyandcompliance@umassmed.edu.

For questions about the app or research study, please contact Dr. Andres Colubri at andres.colubri@umassmed.edu.