SDK Developer Privacy Guidelines
This SDK contains software which collects facial images and processes those images into user facial feature data for VIVE Pro Eye or other HTC VR products. Facial feature data includes eye tracking data (such as gaze position, pupil size and eye openness), but not actual images or representations of the face, eyes or lips. Facial feature data but not actual facial images or representations are available to the SDK developer. Information about how this SDK collects and processes facial feature data that the SDK developer can collect and use can be found in the Vive Eye Tracking section of the HTC Learn More page. We recognize the importance and privacy of user data, and to create a platform that supports these values we require developers who use this SDK to conduct the following self-review privacy checklist:
- You must post a conspicuous privacy statement to users in your application disclosing the use of facial tracking technology and collection of facial feature data. Such privacy statement shall describe your collection and use of facial feature data, including what data is collected, how data is being collected and used, purpose of data usage, whether any data is shared with third parties, data retention etc.
- You must keep your privacy statement up-to-date as you make changes to your data processing practices such as what type of facial feature data you collect, and how you use it or if you add new features and functionality to your application that may affect user privacy.
- You must get explicit opt-in consent before you collect facial feature data where required by applicable laws.
- You must only collect or provide access to facial feature data which is required to accomplish the task or functionality in your application and as disclosed in your privacy statement.
- While this SDK might allow you to access certain facial feature data, you must not, and must not attempt to, collect, store, distribute or transfer eye image data.
- You must not use any facial feature data, on its own, as an identifier to identify or recognize an individual.
- You must not share facial feature data with third parties without user consent or otherwise complying with data protection law.
- If you share or make available facial feature data to any third party, you must ensure that third parties comply with the same requirements in these guidelines.
- If you collect or use facial feature data for profiling or behavioral analysis, you must provide a mechanism for users to reject profiling and behavioral analysis.
- If you process facial feature data about individuals in the European Union, you must comply with all terms of European Union’s General Data Protection Regulation (“GDPR”) and any corresponding or equivalent national laws or regulations.
- If you collect facial feature data of a minor (subject to the definition of children age under applicable laws), you must comply with applicable data protection laws meant to protect children (such as the U.S. Children’s Online Privacy Protection Act (“COPPA”)).
- If you use, collect or process facial feature date for healthcare or health research use, you must comply with applicable data protection laws and relevant healthcare or medical regulations and determine for yourself if our product meets your compliance needs (we note that we are not and do not desire to be a business associate, under HIPAA, with respect to your application).
- You must implement appropriate security measures to protect the confidentiality and integrity of facial feature data and prevent unauthorized access, use or disclosure, such as using industry standard encryption methods when appropriate.
- Don’t sell or license any facial feature data received through this SDK.
- Don’t use a service provider to process facial feature data you received through SDK unless you make them sign a contract to: (a) protect any facial feature data you received through us (that is at least as protective as our terms and policies), and (b) limit their use of that facial feature data solely to using it on your behalf to provide services to your application (and not for their own purposes or any other purposes). You must ensure they comply with our terms and policies (and you are responsible for their non-compliance).
- Don’t use facial feature data obtained through this SDK to discriminate (including based on race or gender) or make decisions about eligibility to participate in plans or activities, including to approve or reject an application or charge different interest rates for a loan.
Published May 2019