Privacy Policy for Împreună Fără Fum App

Last Updated: January 1, 2023

Effective Date: January 1, 2023

1. Introduction

This Privacy Policy describes how Universitatea Babeș-Bolyai Cluj-Napoca (“UBB,” “we,” “us,” or “our”) collects, uses, processes, and protects your personal information when you use the “Împreună Fără Fum” (Smoke-Free Together) mobile application (the “App”).

The App is part of the research project “Împreună Fără Fum” funded by the National Institutes of Health, USA (Grant No. R33 HD103039) and conducted by UBB in collaboration with the University of Michigan and Wake Forest University.

Contact Information:

  • Data Controller: Universitatea Babeș-Bolyai Cluj-Napoca
  • Address: Strada Mihail Kogălniceanu 1, Cluj-Napoca 400084, Romania
  • Phone: +40-264-405300
  • Data Protection Officer: dpo@ubbcluj.ro

2. Legal Basis for Processing

This App and research study comply with:

  • EU General Data Protection Regulation (GDPR)
  • Romanian Law No. 190/2018 on GDPR implementation
  • Romanian Law No. 365/2002 on electronic commerce
  • Romanian Law No. 363/2018 on personal data processing in criminal matters
  • US NIH guidelines for international research
  • IRB approval from University of Michigan and UBB

3. Data We Collect

3.1 Personal Information

  • Contact Information: Name, email address, phone number
  • Demographic Information: Age, location (city/region), pregnancy stage
  • Support Person Information: Name, email, phone number of your chosen support person (with their consent)

3.2 Health Information

  • Smoking History: Current smoking status, smoking frequency, quit attempts
  • Pregnancy Information: Pregnancy stage, due date

3.3 Technical Information

  • Device Information: Device type, operating system version, app version
  • Usage Analytics: App features used, session duration, interaction patterns
  • Communication Data: None
  • Log Data: App crashes, errors, performance metrics

3.4 Special Categories of Data

We process special categories of personal data including:

  • Health data related to smoking cessation and pregnancy
  • Data concerning your mental health status
  • Information about your motivation and confidence related to smoking cessation and specific barriers and motivators

4. How We Use Your Information

4.1 Primary Purposes

  • Research Study Conduct: To evaluate the effectiveness of the smoking cessation app
  • App Functionality: To provide personalized content, progress tracking, and support features
  • Communication: To facilitate involvement of your support person (exclusively by you, without any in-app messaging)
  • Support Services: To tailor the provision of specialized counseling sessions through the counseling component of the project
  • Assessment: To conduct evaluation questionnaires at specified intervals

4.2 Secondary Purposes

  • App Improvement: To enhance app features and user experience
  • Technical Support: To provide customer support and resolve technical issues
  • Compliance: To comply with legal and regulatory requirements
  • Safety Monitoring: To ensure participant safety and well-being

5. Legal Basis for Processing

We process your personal data based on:

  • Explicit Consent: You provide explicit consent for participating in the research study
  • Performance of Contract: To provide the services you’ve requested through the App
  • Legitimate Interest: For research purposes, app improvement, and technical support
  • Public Interest: For public health research aimed at reducing smoking during pregnancy
  • Legal Obligation: To comply with research regulations and funding requirements

6. Data Sharing and Disclosure

6.1 Research Partners

We share de-identified (anonymous) data with our research partners:

  • University of Michigan (USA): For research analysis and study coordination
  • Wake Forest University (USA): For research analysis and study coordination

Data is shared under formal data sharing agreements ensuring equivalent privacy protection.

6.2 Service Providers

We may share data with:

  • Cloud Storage Providers: For secure data storage (Google Cloud with EU data centers)
  • Analytics Providers: For app performance monitoring (anonymized data only)
  • Technical Support: For app maintenance and customer support

6.3 Legal Requirements

We may disclose information if required by:

  • Legal process or court order
  • Romanian or EU regulatory authorities
  • US NIH or research oversight bodies
  • The need to protect safety and prevent harm

6.4 No Commercial Sharing

We do not sell, rent, or share your personal information for commercial purposes.

7. Data Security

7.1 Technical Safeguards

  • Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Controls: Role-based access with multi-factor authentication
  • Regular Audits: Security assessments and vulnerability testing
  • Secure Infrastructure: EU-based data centers with ISO 27001 certification

7.2 Organizational Safeguards

  • Staff Training: Regular privacy and security training for all research staff (PHRP training recertified periodically for all team members)
  • Data Minimization: Collection limited to data necessary for research purposes
  • Access Limitation: Access restricted to authorized research personnel only
  • Incident Response: Established procedures for security incident management

8. International Data Transfers

8.1 Transfers to USA

Data may be transferred to our US research partners (University of Michigan, Wake Forest University) under:

  • Adequacy Decision: Where available
  • Standard Contractual Clauses: EU-approved data transfer agreements

8.2 Safeguards

All international transfers include:

  • Contractual data protection requirements
  • Technical security measures
  • Regular compliance monitoring
  • Data subject rights protection

9. Data Retention

9.1 Active Study Period

  • Personal identifiers: Until study completion + 5 years
  • Health data: Until study completion + 5 years
  • Communication data: Until study completion + 5 years

9.2 Long-term Retention

  • De-identified research data: Up to 10 years for scientific publication and verification
  • Consent documents: 7 years after study completion (regulatory requirement)

9.3 Deletion Schedule

We will delete your data:

  • Upon withdrawal from the study (where legally permissible)
  • At the end of specified retention periods
  • Upon request (subject to legal and research obligations)

10. Your Rights Under GDPR

10.1 Access Rights

  • Request access to your personal data
  • Receive a copy of data being processed
  • Receive information about processing purposes and recipients

10.2 Correction and Updates

  • Correct inaccurate or incomplete data
  • Update your contact information
  • Modify consent preferences

10.3 Deletion Rights

  • Request deletion of your data (“right to be forgotten”)
  • Subject to research study obligations and legal requirements
  • Partial deletion where full deletion isn’t possible

10.4 Restriction and Objection

  • Restrict processing for specific purposes
  • Object to processing based on legitimate interest
  • Withdraw consent (affecting future processing only)

10.5 Data Portability

  • Receive your data in machine-readable format

10.6 Complaints

  • File complaints with Romanian National Supervisory Authority (ANSPDCP)
  • Contact EU data protection authorities
  • Seek judicial remedies

11. Children’s Privacy

This App is designed for pregnant women and their peer supporters, all of whom must be 18 years of age or older. We do not knowingly collect information from minors under 18. If you become aware that someone under 18 has provided information, please contact us immediately.

12. Consent Management

12.1 Initial Consent

  • Explicit consent required before study participation
  • Separate consent for research participation and app usage
  • Consent for support person involvement

12.2 Ongoing Consent

  • Annual consent renewal for long-term data retention
  • Consent updates for new research purposes
  • Withdrawal procedures clearly explained

12.3 Withdrawal Rights

  • Withdraw consent at any time
  • Continue using app features not requiring consent
  • Data deletion subject to legal and research requirements

13. Third-Party Services

13.1 Analytics and Monitoring

We use privacy-compliant analytics services:

  • Google Analytics for Firebase: With IP anonymization and EU data processing
  • Crashlytics: For app stability monitoring (anonymized crash reports)

13.2 Communication Services

  • Push Notifications: Via Google Firebase Cloud Messaging
  • Email Services: Via GDPR-compliant email providers

13.3 Cloud Infrastructure

  • Primary Storage: EU-based cloud services (AWS Europe, Google Cloud EU)
  • Backup Storage: Encrypted backups in EU data centers

14. Updates to Privacy Policy

14.1 Change Notification

  • Material changes communicated via app notification and email
  • 30-day advance notice for significant changes
  • Option to withdraw consent for new processing purposes

14.2 Version Control

  • All versions maintained with effective dates
  • Previous versions available upon request
  • Change log maintained for transparency

15. Contact Information

15.1 Privacy Questions

For privacy-related questions or to exercise your rights:

  • Email: impreunafarafum@publichealth.ro

15.2 Study Information

For research study questions:

  • Principal Investigator (local): Oana Blaga, PhD
  • Email: oana.blaga@ubbcluj.ro

15.3 Technical Support

For app technical issues:

  • Support Email: impreunafarafum@publichealth.ro
  • Response Time: Within 48 hours during business days

16. Supervisory Authority

Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

  • Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336, București, Romania
  • Phone: +40-318-059-211
  • Email: anspdcp@dataprotection.ro
  • Website: https://www.dataprotection.ro

17. Definitions

  • App: The “Împreună Fără Fum” mobile application
  • Controller: UBB as the organization determining the purposes of data processing
  • Data Subject: You, the individual using the app
  • Processing: Any operation performed on personal data
  • Personal Data: Any information relating to an identified or identifiable natural person
  • Special Categories: Sensitive personal data including health information

Language Notice: This Privacy Policy is provided in English. Romanian and other language versions are available upon request. In case of conflict, the Romanian version shall prevail for Romanian users.

Effective Date: This Privacy Policy becomes effective on January 1, 2023 and remains in effect until superseded by an updated version.