Privacy Notice for Niimport

If you have questions, contact rse@aalto.fi.

You have been invited to donate data to a research study. Participation is voluntary. You can discontinue your participation at any time. Should you discontinue your participation, you will not be subject to any negative consequences. This privacy notice describes the use of your data.

1. What is the purpose of this service and of processing personal data?

   Niimport enables participants in research studies to donate data from third-party platforms to Aalto University researchers. The service connects to platforms such as Google and TikTok using their official data portability APIs, downloads the data you authorize, processes it according to the study requirements, and makes it available for the researcher to download.

   Niimport is a data processing pipeline, not a long-term data store. Data is held temporarily while it is processed and made available to the researcher, after which it is deleted.

   Your personal data is: used without identification to perform research analysis. Your data may contain identifying information that cannot be fully avoided.

2. What personal data is processed?

   The specific data collected depends on the platform and the study configuration. Only data types and date ranges specified by the study are collected.

   Google Data Portability API:

   • YouTube watch and action history
   • Google search history
   • Discover activity
   • Google Lens history
   • Google Play Games history
   • Google Play Store history
   • Image search history
   • Video search history

   TikTok Data Portability API:

   • Browsing history, search history, liked list, comments, favorites and hashtags

   In addition, Niimport stores:

   • OAuth tokens (encrypted) used to access the third-party platform on your behalf
   • A pseudonymous participant identifier to link your donations across sessions
   • Timestamps of consent and data processing

3. Personal data is collected from the following sources:

   • Third-party platforms (Google, TikTok) via their data portability APIs, authorized by you

4. How is personal data minimized?

   • Only data types specified by the study are collected.
   • Date ranges can be restricted to the study period.
   • Data which is not needed is not collected or is removed during processing.

5. Legal basis for processing of personal data

   The processing of personal data is required for the performance of a task carried out in the public interest, namely scientific research.

6. Sharing of personal data

   Processed data is made available securely to the approved lead researcher via Niimport's API. Researchers are bound by Aalto University ethical guidelines to use this data solely for the consented scientific study. While data may be securely shared for standard academic requirements (e.g., peer review, institutional archiving), it will never be sold, shared with advertisers, or used for any commercial purpose.

7. Transfer of personal data to non-EU/EEA countries

   Personal data processed by Niimport is not transferred to non-EU/EEA countries.

8. Storage and protection of personal data

   Your personal data is processed in secure IT systems approved by Aalto University. Niimport is hosted on Aalto University-managed hardware within the university's IT infrastructure, subject to Aalto University IT security policies.

   Access to all systems is protected by authentication. Researchers can only access data from donations they created. Administrative access is restricted to service operators at Aalto University.

   • All donated data files are encrypted at rest using industry-standard encryption.
   • OAuth access tokens and refresh tokens are encrypted at rest before storage.
   • All data in transit uses HTTPS/TLS, including communication between your browser and Niimport, and between Niimport and third-party platforms.
   • Encryption keys are managed within the Aalto University IT infrastructure.

   In the event of any known or suspected unauthorized access to user data, affected users and relevant parties (including Google at security@google.com as required by the Data Portability API policy) will be notified within 72 hours, in accordance with GDPR Article 33.

9. Retention and deletion of personal data

   Niimport retains data only as long as needed for processing and researcher download. Data is not archived or retained for further research on this service.

   When you revoke a donation, OAuth access to the third-party platform is revoked immediately and all data and tokens associated with the donation are deleted from Niimport.

   Researchers may have downloaded data prior to revocation. Retention and deletion of downloaded copies is governed by the study's own data management plan.

10. Rights of the research participant

    According to the General Data Protection Regulation (GDPR), a data subject has the right to:

    • receive information on the processing of their personal data
    • access the personal data collected and processed
    • request rectification of inaccurate personal data
    • request that the processing of personal data be restricted
    • object to the processing of personal data
    • right to erasure of personal data if the conditions of Article 17(1) of the Data Protection Regulation are met

    Through Niimport, you can directly:

    • View your donated data through the data preview on your donation page.
    • Revoke your donation at any time, which deletes your data and revokes OAuth access.

    To exercise other rights, contact the Data Protection Officer of Aalto University or the service contact below.

11. Contact details of the controller

    The controller is Aalto University Foundation sr., operating as Aalto University.

    Service contact: Aalto RSE, rse@aalto.fi

    Data Protection Officer: Tel. +358 9 47001, dpo@aalto.fi

    Data requests: datarequest.aalto.fi

    If you feel that your personal data has been processed in violation of data protection legislation, you have the right to lodge a complaint with the Data Protection Ombudsman (tietosuoja.fi).

12. Third-party API compliance

    The use of information received from the Google Data Portability API adheres to the Data Portability API User Data and Developer Policy, including the Limited Use Requirements.

    Niimport complies with TikTok's Data Portability API Application Guidelines for user transparency and data protection.