Privacy Policy

Updated privacy policy from Dec 3, 2020.

Changes:

  • We now only display the last four digits of dial-in users' phone numbers in the user list.

If you do not consent to these changes, please notify us at bbb-ess-ict-tbm@tudelft.nl, and we will remove all data related to your account from our systems and, if so desired, provide you with a complete backup of that data.

We at the TBM faculty of TU Delft have set up this instance of BigBlueButton as a pilot for faculty, staff and students at TU Delft and elsewhere to use for online learning during the closure of the university due to measures to contain the COVID-19 Pandemic. It is provided without any guarantees in terms of availability and reliability. This website only collects information necessary to run this instance successfully and is committed to protecting the privacy of its users. We have prepared this Privacy Policy to describe our practices regarding the personal information that may be collected while using this instance of BigBlueButton.

We do not use the personal information we collect about you for any commercial or other purpose than providing you with this service.

Below, you can find the privacy policy for bbb.tbm.tudelft.nl. You can find the general privacy policy of TU Delft here: https://www.tudelft.nl/en/privacy-statement/

1. DATA CONTROLLING ENTITY AND CONTACT

This service is run by:

Tobias Fiebig
TU Delft / Dept. ESS
Faculty of Technology, Policy and Management (TBM)
Building 31
Jaffalaan 5 - room B3.170
2628 BX Delft

You can contact the operators of this service at: bbb-ess-ict-tbm@tudelft.nl

2. YOUR RIGHTS

As a user of this platform, you have the following rights:

  • The right to confirmation whether and which personally identifiable information about you is being processed, information about this data, further information on the data processing activities and a copy of all processed data.
  • The right to correction and completion of false or incomplete data about you.
  • The right to deletion of all your personally identifiable information, as long as retention is not required to fulfill legal obligations.
  • The right to receive a copy of all data we hold on you and the transfer of this data to another service provider in case you request it.
  • The right to file a complaint with the responsible data protection agency in case you conclude that we processed or distributed your personal data in a way that is not compliant with this privacy policy or legal regulations.
  • The right to know with whom we share your data.
  • The right to retract consent for all further data processing.

3. SUMMARY OF COLLECTED AND PROCESSED DATA

All data collected from our service will be deleted as soon as the technical purpose of this data has been reached, and there are no legal requirements necessitating the retention of this data, as long as no deviating practice is documented below.

Data type: Log and system files

What this includes:

  • Type and version of your web browser
  • Your operating system
  • The website from which you switched to our site (Referrer URL)
  • Timestamp of your access
  • Your IP address
  • The name of the room you joined
  • The name you chose for joining that room
  • Start and end time of that room
  • The number of users in that room

Why we collect this data: This data is automatically submitted by your client. We use this data to operate our service. For example, we need your IP address to identify problems in our log files, and the number of room users to equally balance load across our cluster.

Data type: Data transfer in rooms

What this includes:

  • Your username
  • Audio data you send to the room
  • Video data you send (screensharing, webcam)
  • Uploaded pictures and slides
  • Chat messages
  • Contents of the shared notes
  • Polling results
  • The last four digits of your phone number (if you use phone dial-in)

Why we collect this data: This data is the core of the web conferencing system, and as such is processed by our servers. Of course, this data is only processed in case you use the corresponding service, i.e., explicitly enable your webcam.

For sessions where the host did not configure recordings, all data related to the session is deleted as soon as it ends. Furthermore, there are sessions that are being recorded, e.g., because they are a university lecture that the lecturer wants to share with students who could not make it to the live session. In case a session is supposed to be recorded, we will inform you before you join the room, and explicitly request your consent to the recording.

Data type: Transfer of data to third parties

What this includes:

  • Your phone number
  • Your audio stream

Why we collect this data: To offer phone dial-in, we use a SIP operator. When you call the dial-in number for a conference, this operator sees your phone number. Furthermore, the audio stream of that conference will be routed via this operator, so you can hear it via the phone line.

Our system also supports showing external videos to participants in a session. Even though we do not share any data with these external parties, as these resources are directly requested by participants, metadata might be sent to the operators of corresponding video platforms.

Data type: Cookies

What this includes:

  • Session cookies

Why we collect this data: We only use functional cookies that are necessary for the operation of our service, by associating multiple requests from a client, e.g., if you switch from your home view to your account settings in the web interface.

Data type: Account data

What this includes:

  • Your name
  • Your email address
  • The (hashed) password you use for our service

Why we collect this data: In case you create an account to host rooms with our service, we collect the email address you use for sign-up, your user account, and password. This data is necessary for providing the service and authenticating you to your account. You are free to use a pseudonym here. The latter is not possible when authenticating via SURFconext.

4. DATA PROCESSING DETAILS

SECURITY

Data shared with us is transferred in encrypted form. On clients and our servers, it will be processed in plain text. At the moment, our system does not support end-to-end encryption.

We operate this service following good practices of system and network engineering, and strive to install security updates as soon as they become available. Furthermore, as set out above, we limit the amount of personal information stored in our systems. Despite these efforts, we cannot guarantee the absolute security of your personal information. Even though passwords are stored in hashed form, we recommend that you do not re-use a password for this service which you use in another service, and consider using, e.g., a password manager.

LOGFILES

Our instance reduces logging to the necessary minimum. Nonetheless, collected data may include:

  • Type and version of your web browser
  • Your operating system
  • The website from which you were redirected to our service
  • The exact websites you visited on our service
  • Timestamps of your accesses
  • The IPv4/IPv6 addresses from which you access our service
  • The names of rooms you visit
  • Your phone number if you dial-in via your phone
  • Metadata of the conference system (start/end of sessions, number of users, the name you selected when joining a room)

We collect this data to provide, improve, and secure the service we are providing. Your data will be deleted after seven days, if a longer retention is not necessary to solve immanent technical issues. In any case, it will not be retained longer than legally allowed.

COOKIES

We only use session cookies to enable us to provide the service we offer to you. We do not use any third-party cookies. In case an external video is shared in a conference, this might lead to the operator of that service setting and reading cookies.

Removal of Cookies: You can prevent cookies from being set and read in your browser's settings at any time. In case you prevent cookies for our website, functionality might be limited.

EMAIL

In case you contact us via email, we will retain the full emails you send to us until the request you had has been handled. Messages may be retained longer if they hold legal relevance, e.g., if you inform us of a crime committed via our platform. We will only use your email address to contact you if we are legally mandated to do so, we are replying to a support message, or if this is required for account setup or recovery activities.

WEB CONFERENCE SYSTEM

To offer our services, we use the open source software BigBlueButton, together with the open source frontend Greenlight for managing and creating rooms. Using the open WebRTC protocol, this software stack enables you to share audio, video, text messages and drawings with others. This data includes:

  • Audio and video data of you, e.g., your voice, your picture, or your desktop, depending on whether you use these features when you are joining a conference.
  • The settings you choose, e.g., whether you share audio/video streams, and which username you chose for joining
  • Whatever you write in the chat
  • The presentations you upload
  • Results of votes conducted in sessions
  • Your phone number, in case you use a phone dial-in

In case a room is configured to be recorded, we store the audio, video, chat, and drawing contributions made in that session for an indefinite time. In case you are trying to join a session that is being recorded, we will inform you about this before you join the session and request your consent to the recording. At the moment, it is sadly technically not possible to selectively record only contributions from participants that consented to being recorded. Hence, in case you do not consent to a recording, it is sadly not possible to join such a session.

USER ACCOUNTS

In case you create a user account, we will use the information you enter upon registration (name, email address, password, timestamp) and create while using the service (list of created rooms) only for providing this service for you. This data is not shared with third parties. You can always request the complete deletion of your user account and all associated data, or, prior to that, extraction of all data related to your account. For that, please contact bbb-ess-ict-tbm@tudelft.nl.

BACKUPS

We store daily backups of all data on this platform for seven days. These backups are encrypted and then stored on a data-store provided by Hetzner, located in Finland. In case you request the deletion of your data, we will also remove your data from the collected backups.

5. SHARING OF DATA

GENERAL DATA SHARING

We only share your personal data for the reasons outlined below:

  • You explicitly consent.
  • If it is necessary to provide this service to you, e.g., when using phone dial-in, your data is shared with our SIP provider speakup.nl, and if you authenticate via SURFconext, SURF shares your data with us.
  • If we are legally obliged to share this data, e.g., with law enforcement, to comply with applicable law. Up to this point we did not receive a request for data from any law enforcement agency.

RECORDINGS

By default, recordings are not publicly accessible. However, at the discretion of a room's hosts, recordings can be made public or shared with others directly via our platform or as downloaded files. As outlined in Section 4, we will solicit your consent to a session being recorded and potentially shared before you can join a room to be recorded. In case you want to retroactively withdraw your consent to a recording, please contact bbb-ess-ict-tbm@tudelft.nl. However, please note that the recording may already have been shared publicly and/or outside of our platform.

6. SERVER STATISTICS

We collect aggregate statistics to monitor the utilization, performance, and availability of our servers. While this data is aggregated and does not contain personally identifiable information, personally identifiable information may be utilized for computing these aggregate values, e.g., the number of users and rooms per cluster node. Personally identifiable information used during the computation of aggregate statistics is not stored.

We publish the performance overview and statistics of our service at: https://mgmt.bbb.tbm.tudelft.nl/munin/

7. SERVER LOCATION

The servers we use for this service are rented from Hetzner (https://www.hetzner.de/), a German hosting provider. Our platform does not provide a direct interface to Hetzner to access any stored personal data. As an additional measure, we also hold a data processing agreement with Hetzner. All servers used in our service are located in the European Union.

8. CHANGES TO THIS PRIVACY POLICY

We may change this Privacy Policy from time to time. If we make any changes to this Privacy Policy, we will change the Last Updated date above. If such changes impact the collection and processing of your data, a notice of the changes will be posted along with the revised Privacy Policy and you will be asked to consent to the changes. We encourage you to visit this page from time to time for the latest on our privacy practices.
