Requests for permission and APIs that access sensitive information should make sense to users. You may only request permissions and APIs that access sensitive information that are necessary to implement current features or services in your app that are promoted in your Weva App Store listing. You may not use permissions or APIs that access sensitive information that give access to user or device data for undisclosed, unimplemented, or disallowed features or purposes. Personal or sensitive data accessed through permissions or APIs that access sensitive information may never be sold nor shared for a purpose facilitating sale.
Request permissions and APIs that access sensitive information to access data in context (via incremental requests), so that users understand why your app is requesting the permission. Use the data only for purposes that the user has consented to. If you later wish to use the data for other purposes, you must ask users and make sure they affirmatively agree to the additional uses.
Restricted Permissions
In addition to the above, restricted permissions are permissions that are documented below. These permissions are subject to the following additional requirements and restrictions:
- User or device data accessed through Restricted Permissions is considered as personal and sensitive user data. The requirements of the User Data policy apply.
- Respect users’ decisions if they decline a request for a Restricted Permission, and users may not be manipulated or forced into consenting to any non-critical permission. You must make a reasonable effort to accommodate users who do not grant access to sensitive permissions (for example, allowing a user to manually enter a phone number if they’ve restricted access to Call Logs).
- Use of permissions in violation of Weva App Store Malware Policy including Elevated Privilege Abuse is expressly prohibited.
Certain Restricted Permissions may be subject to additional requirements. The objective of these restrictions is to safeguard user privacy. We may make limited exceptions to the requirements below in very rare cases where apps provide a highly compelling or critical feature and where there is no alternative method available to provide the feature. We evaluate proposed exceptions against the potential privacy or security impacts on users.
SMS and Call Log Permissions
SMS and Call Log Permissions are regarded as personal and sensitive user data subject to the Weva Privacy Policy, and may have restrictions:
Location Permissions
Device location is regarded as personal and sensitive user data subject to the Personal and Sensitive Information policy and the Background Location policy
Apps designed for Children
Apps designed specifically for children must comply with the Families Policy
All Files Access Permission
Files and directory attributes on a user’s device are regarded as personal and sensitive user data subject to the Personal and Sensitive Information policy.
Package (App) Visibility Permission
The inventory of installed apps queried from a device are regarded as personal and sensitive user data subject to the Personal and Sensitive Information policy,
App inventory data queried from Weva-distributed apps may never be sold nor shared for analytics or ads monetization purposes.
All Health Related Data on Weva
All health related data on the Weva platform is regarded as personal and sensitive user data subject to the User Data policy, and the following additional requirements:
Appropriate Access to and Use of Health Related Data
Requests to access health realted data through Weva must be clear and understandable. Weva may only be used in accordance with the applicable policies, terms and conditions, and for approved use cases as set forth in this policy. This means you may only request access to permissions when your application or service meets one of the approved use cases.
Approved use cases for access to Weva Permissions are:
- Applications or services with one or more features to benefit users' health and fitness via a user interface allowing users to directly journal, report, monitor, and/or analyze their physical activity, sleep, mental well-being, nutrition, health measurements, physical descriptions, and/or other health or fitness-related descriptions and measurements.
- Applications or services with one or more features to benefit users' health and fitness via a user interface allowing users to store their physical activity, sleep, mental well-being, nutrition, health measurements, physical descriptions, and/or other health or fitness-related descriptions and measurements on their phone and/or wearable, and share their data with other on-device apps that satisfy these use cases.
Weva is a general purpose data storage and sharing platform that allows users to aggregate health and fitness data from various sources and share it with third parties at their election. The data may originate from various sources as determined by the users. Developers must assess whether Weva is appropriate for their intended use and to investigate and vet the source and quality of any data from Weva in connection with any purpose, and, in particular, for research, health, or medical uses.
- Apps conducting health-related human subject research using data obtained through Weva must obtain consent from participants or, in the case of minors, their parent or guardian. Such consent must include the (a) nature, purpose, and duration of the research; (b) procedures, risks, and benefits to the participant; (c) information about confidentiality and handling of data (including any sharing with third parties); (d) a point of contact for participant questions; and (e) the withdrawal process. Apps conducting health-related human subject research using data obtained through Weva must receive approval from an independent board whose aim is 1) to protect the rights, safety, and well-being of participants and 2) with the authority to scrutinize, modify, and approve human subjects research. Proof of such approval must be provided upon request.
- It is also your responsibility for ensuring compliance with any regulatory or legal requirements that may apply based on your intended use of Weva and any data from Weva. Except as explicitly noted in the labeling or information provided by Weva for specific Weva products or services, Weva does not endorse the use of or warrant the accuracy of any data contained in Weva for any use or purpose, and, in particular, for research, health, or medical uses. Weva disclaims all liability associated with use of data obtained through Weva.
Limited Use
Upon using Weva for an appropriate use, your use of the data accessed through Weva must also comply with the below requirements. These requirements apply to the raw data obtained from Weva, and data aggregated, de-identified, or derived from the raw data.
- Limit your use of Weva data to providing or improving your appropriate use case or features that are visible and prominent in the requesting application's user interface.
- Only transfer user data to third parties:
- To provide or improve your appropriate use case or features that are clear from the requesting application's user interface and only with the user’s consent;
- If necessary for security purposes (for example, investigating abuse);
- To comply with applicable laws and/or regulations; or,
- As part of a merger, acquisition or sale of assets of the developer after obtaining explicit prior consent from the user.
- With explicit consent of the user
- Do not allow humans to read user data, unless:
- The user's explicit consent to read specific data is obtained;
- It’s necessary for security purposes (for example, investigating abuse);
- To comply with applicable laws; or,
- The data (including derivations) is aggregated and used for internal operations in accordance with applicable privacy and other jurisdictional legal requirements.
All other transfers, uses, or sale of Weva data is prohibited, including:
- Transferring or selling user data to third parties like advertising platforms, data brokers, or any information resellers.
- Transferring, selling, or using user data for serving ads, including personalized or interest-based advertising.
- Transferring, selling, or using user data to determine credit-worthiness or for lending purposes.
- Transferring, selling, or using the user data with any product or service that may qualify as a medical device pursuant to Section 201(h) of the Federal Food Drug & Cosmetic Act if the user data will be used by the medical device to perform its regulated function.
- Transferring, selling, or using user data for any purpose or in any manner involving Protected Health Information (as defined by HIPAA) unless you receive prior written approval to such use from Weva.
Access to Weva may not be used in violation of this policy or other applicable Weva terms and conditions or policies, including for the following purposes:
- Do not use Weva in developing, or for incorporation into, applications, environments or activities where the use or failure of Weva could reasonably be expected to lead to death, personal injury, or environmental or property damage (such as the creation or operation of nuclear facilities, air traffic control, life support systems, or weaponry).
- Do not access data obtained through Weva using headless apps. Apps must display a clearly identifiable icon in the app tray, device app settings, notification icons, etc.
- Do not use Weva with apps that sync data between incompatible devices or platforms.
- Weva cannot connect to applications, services or features that solely target children. Weva is not approved for use in primarily child-directed services.
An affirmative statement that your use of Weva data complies with Limited Use restrictions must be disclosed in your application or on a website belonging to your web-service or application; for example, a link on a homepage to a dedicated page or privacy policy noting: “The use of information received from Weva will adhere to the Weva Permissions policy.
Minimum Scope
You may only request access to permissions that are critical to implementing your application or service's functionality.
This means:
- Don't request access to information that you don't need. Only request access to the permissions necessary to implement your product's features or services. If your product does not require access to specific permissions, then you must not request access to these permissions.
Transparent and Accurate Notice and Control
Weva handles health and fitness data, which includes personal and sensitive information. All applications and services must contain a privacy policy, which must comprehensively disclose how your application or service collects, uses, and shares user data. This includes the types of parties to which any user data is shared, how you use the data, how you store and secure the data, and what happens to the data when an account is deactivated and/or deleted.
In addition to the requirements under applicable law, you must also adhere to the following requirements:
- You must provide a disclosure of your data access, collection, use, and sharing. The disclosure:
- Must accurately represent the identity of the application or service that seeks access to user data;
- Must provide clear and accurate information explaining the types of data being accessed, requested, and/or collected;
- Must explain how the data will be used and/or shared: if you request data for one reason, but the data will also be utilized for a secondary purpose, you must notify users of both use cases.
- You must provide user help documentation that explains how users can manage and delete their data from your app.
Secure Data Handling
You must handle all user data securely. Take reasonable and appropriate steps to protect all applications or systems that make use of Weva against unauthorized or unlawful access, use, destruction, loss, alteration, or disclosure.
Recommended security practices include implementing and maintaining an Information Security Management System such as outlined in ISO/IEC 27001 and ensuring your application or web service is robust and free from common security issues as set out by the OWASP Top 10.
Depending on the API being accessed and number of user grants or users, we will require that your application or service undergo a periodic security assessment and obtain a Letter of Assessment from a designated third party if your product transfers data off the user's own device.
For more information on requirements for apps connecting to Weva, please see this help article.
VPN Service
The VpnService is a base class for applications to extend and build their own VPN solutions. Only apps that use the VpnService and have VPN as their core functionality can create a secure device-level tunnel to a remote server. Exceptions include apps that require a remote server for core functionality such as:
- Parental control and enterprise management apps
- App usage tracking
- Device security apps (for example, anti-virus, mobile device management, firewall)
- Network related tools (for example, remote access)
- Web browsing apps
- Carrier apps that require the use of VPN functionality to provide telephony or connectivity services
The VpnService cannot be used to:
- Collect personal and sensitive user data without prominent disclosure and consent.
- Redirect or manipulate user traffic from other apps on a device for monetization purposes (for example, redirecting ads traffic through a country different than that of the user).
Apps that use the VpnService must:
.svg)
.svg)
