Data collection vs data sharing?

[Spitzbua]

According to Google "What kinds of activities can "service providers" perform:

A service provider may only process user data on your behalf. For example, an analytics provider that processes user data from your app solely on your behalf, or a cloud provider hosting user data from your app for your use, will typically qualify as “service providers.” On the other hand, if an SDK provider is building advertising profiles across multiple customers based on your app data, that would not be considered “service provider” activity for purposes of the Data safety section, and would need to be disclosed as "sharing" in your Data safety form.

I believe that means Firebase or any other hosting provider are service providers. They process the data on behalf of the first party.

The example refers to Analytics - does this mean for me that it should be marked as "Collected"?

I do not share the data with Firebase Analytics, but they process the data on my behalf, or am I misunderstanding something here?

Thank you if anyone can clarify this!

Discussed in https://github.com/Privado-Inc/SDK-Privacy-Report/discussions/17

^{Originally posted by **elmoiv** January 19, 2022} For each data type the first question is: **Is this data collected, shared, or both?** Do I have to check both or only **Shared**?  It's somehow confusing for me because the `Android App - SDK Privacy Report.csv` does not have a column for **collected**.

[vaibhavantil2]

Yes, check both. That is correct. Our column name is data collected, I will change that and add a column for Collected.

[Spitzbua]

For instance, in the documentation of RevenueCat it is only collected:

[vaibhavantil1]

Reopening and adding more information

[vaibhavantil1]

@Spitzbua - You are correct, data sharing has only meant to be marked when third-party SDK is processing data not on your behalf. I am going to re-review the entire list and update here.

[vaibhavantil1]

@Spitzbua - I have reviewed and updated the list on updated documentation from different SDK providers and Google. Here is my suggestion

• Firebase Analytics doesn't have official documentation yet. The data you will share will be for Analytics and you don't need to disclose it, but SDK could be automatically be collecting the data and using it for its own purposes. The automatic data collection could be data sharing, we will have to wait on the documentation
• Let's take Admob as an example - https://developers.google.com/admob/android/play-data-disclosure. They have explicitly mentioned the data types which will be collected and shared.

My general take is with ad SDKs sharing is a safe option whereas, for third parties like intercom, stripe, sharing is not needed. Will keep updating as official documentation comes.

Do let me know if you have questions.

[vaibhavantil1]

@Spitzbua closing this. Open this if there are unanswered questions.

[vaibhavantil1]

@Spitzbua - We have launched a free Data Safety Generator tool based on our experience so far. Would you be kind enough to test it?

Link to tool: https://github.com/Privado-Inc/privado

[Spitzbua]

Thank you for the message! I am honoured and will be happy to test the Data Safety Generator in my applications.

Just give me a few days!

[vaibhavantil1]

Thanks @Spitzbua - look forward to your feedback!

[vaibhavantil1]

Thank you for the message! I am honoured and will be happy to test the Data Safety Generator in my applications.

Just give me a few days!

Hey @Spitzbua - Really looking forward to you using the tool and your feedback :)

Link to the tool: https://github.com/Privado-Inc/privado

[vaibhavantil1]

Thank you for the message! I am honoured and will be happy to test the Data Safety Generator in my applications.

Just give me a few days!

@Spitzbua - Did you get chance to test the tool? Let me know if you need any help!