Privacy Statement for App „vico.secure connect“

1. Responsibility, purpose and the main function of the app
Your host as responsible office and the vico.secure GmbH, Steinweg 28, 36199 Rotenburg a.d. Fulda, Germany, www.vicosecure.de (vico.secure) provides you with the app “vico.secure connect” to perform secure communication with you via video in an encrypted manner.
The video consultation provides a virtual presence not possible with a conventional telephone call. If desired or required your host can invite additional participants to a real-time live video conference.

2. Type of the personal data, which will be processed
a) Usage data: Only the communication ID (config file) will be processed and stored. This file allows an encrypted connection between the communication partners. The communication-ID will be used to show your presence status (if your app is online or if you are ready to start communication). The app doesn’t process or store any other data. No information will be stored while using this app. There will be no information gathered and /or stored about the time, duration or the communication partners.
b) Inventory data: The app has only the communication-ID as inventory data. Other personal details are not stored.
c) Content data: The app doesn’t collect or store any information about the content of the call. No chat-history will be stored.

3. Privacy statement
The privacy statement is available before installation through the app store on the vico.secure web page and can be stored and printed. Additionally the privacy statement and legal notice are available in the app.

4. App permissions
The user will be asked by installation of the app to permit access to the microphone and camera, which is essential for the video communication and the primary objective of the app.
Other permissions, e.g. the location data, are not required.

5. Login data
To use the app for communication with your host you will need a unique activation code (PIN). It is valid for a maximum of 7 days and will be provided by the host. It will exclusively allow communication between you and your host. When activated a communication ID will be generated, which will be stored in your app and on a server located in a secure data center in Germany. Encrypted communication between partners will be enabled on the basis of the communication ID. The config-files are valid only while the customer account is not deleted by the host.

6. Data transmission and data security
The app performs the transmission of the communication ID (contact details) to the connection server in the EU. The host gets notified that you are online (presence status).
The presence status is deactivated, if you close the app or if the app runs in the background. The presence status aims to indicate the current communication readiness.

If you or the host clicks on “Call” in the app, the partner called will be notified about the communication request through optical or sonic signals. The IP address related to the contact address will be transmitted to the application of the communication partner to allow encrypted end to end communication.

If the communication request is accepted, the encrypted end-to-end transmission of the video and audio data will be initialized to the IP-addresses of the devices running the vicosecure customer management application and the vico.secure connect app.
Whether the front or rear camera of the device should be activated during the video communication can be configured by clicking on the camera icon. You can change the settings at any time during the communication process.

The user of the vicosecure customer management application can add a customer account for you, incl. name, surname, display name and optionally customer ID. After activation of your app the contact address of your app will be stored in the vico.secure managment application of your host to allow encrypted calls to you. The host is solely responsible for this part of the data processing.

Data security between parties is of paramount importance. To this end, strict security measures have been built into the software by the developers. The data transmission will be performed using end-to-end encryption utilizing AES 256 in Counter-Mode (CTR). The exchange of the keys works in accordance with the Diffie-Hellman principle (DH) on the basis of the OpenSSL-DH with RFC3526_372 (acc. to the BSI - Federal Office for Information Security in Germany –keys with a length of over 2000 bit are very secure). The keys are valid during the communication process only. They will be not stored, so that the later decryption of the communication is not possible (Perfect Forwarded Secrecy). In addition to the encryption of the data transmission channel, there will be authentication via RSA-signature with 4096 bit key length to avoid „Man-in the-Middle” attacks. The connection to the intermediate servers uses https connections and is secured by certificate.

7. Storage of data in the app
The communication ID (your name and config file, incl. the contact address of your host) which allows you to establish an encrypted communication with your host, will be stored in the internal memory. There will be no other data stored in the app, including profile photos, personal data, date, time and duration of the communication.
If you uninstall the app (delete from device), the communication ID will be deleted. The communication ID will not be stored with the backup. If you decide to reactivate the communication with your host after you deleted the app, a new PIN code provided by the host is required. Your contact address will be stored in the vicosecure customer management application of your host.

8. Data security on the connection server
The connection server is located in a secure and certified data processing center of a German company in the EU and it administered by BRAVIS International GmbH. The encrypted communication ID will be archived there. Thus the data center has no insight which customer communicates with which host.

9. Log- and protocol files
Neither the app, nor the connection server records, who had communicated with whom as well as the duration and/or the communication contents. There will be no tracking, no range measurement and no profiling information archived.

10. Summary
The vico.secure GmbH is a software provider from Germany and the company is governed by the provisions of the strict German and European data security law.
The connection servers are located in certified data processing centers of a German company in the EU. There is no decoding of the video call possible due to the strong end-to-end encryption. There will be no recording, no profiling, no advertising, no sale of data, no storage of conversations, text messages and/or other connection data, no evaluation or storage of location data, no storage of protocol data, no payment transaction data. There will be no stored communication data or metadata.

Version 1.0
Stand 9/2017