Privacy Policy & Collected Data

Revision 0.3.2 - Last updated 04.05.2020

This policy concerns the spreadit app and backend. It is subject to change without notice in the event additional privacy concerns need to be addressed. Any changes will be indicated with an updated (1) revision number and (2) revision date. We strongly encourage you to review this privacy policy frequently.

The spreadit app can be downloaded voluntarily and facilitates the contact tracing process for unknown contacts. With your consent, after you scan a Location QR code, it records your visit to that location, for that instance. The Location QR codes are placed at what we call unknown contact locations.

Use of spreadit allows you to be notified if you were in physical proximity (1) at that location and (2) at the same time, with a spreadit user that has recently been tested positive.

Furthermore, if you choose to scan a Test QR code, spreadit can also notify you of your COVID-19 test results when they are available. We are commited to safeguarding your privacy and ensuring you have full control over your data.

We store limited data

The majority of the data we store is fully anonymised and primarily consists of randomly generated, secure Universally Unique IDs (UUIDs, Version 4) e.g. e4174f73-a3d6-4257-a4c1-d0f6b82e5bec. As such, data we store includes

  • Your User ID (automatically generated upon accepting this Privacy Policy), stored by the UserManager.
  • When you scan a Location-QR, a randomly generated UUID of your scan (Scan ID) together with your User ID and the Location ID, stored by the ScanManager.
  • When you scan a COVID-19 Test-QR to opt for receiving test results, the randomly generated UUID of the test (Results ID), together with your User ID, stored by the ResultsManager.

For further details on how the backend architecture is ensuring your anonymity, please visit the System Design section.

We do not trace your location

spreadit uses QR code scanning to record your visits to locations with a Location-QR code. You control whether to scan your visit to that location or not. Other than this, we do not collect any data about your location.

We do not store any other data

We do not currently use GPS, Bluetooth or any other personally identifying data from your device.

No third-party services identity tracking

Your User ID is private to the app on your device and the UserManager. All data communications between the app and all managers is fully encrypted. This makes it impossible for third parties to track or identify you. Finally, we do not currently (1) use or (2) rely on any third-party services for the functionality currently present in the app.

You are in control of your data

You can choose not to use the app. You can choose not to scan your visit to a location with a Location-QR. You can choose not to scan your COVID-19 Test-QR. You can choose to use the app fully off-line. As this is a crowd-sourced effort, the more useful data we have, the better the modelling, predictions and measures taken can be targeted to fight the spread of the virus. Having said that, it is and will always be up to you.

If you would like your data deleted, you can simply stop using the app online. As the relevant contact tracing data recording period is approximately 15 days, any data older than 15 days is deleted from our servers. This means that by not using the app online, your data will be completely purged from the system as they will no longer be relevant for the unknown contact tracing functionality. You can continue to use the app off-line for your personal records if you so wish.

If you would nevertheless like to contact us regarding your data, you can do so by dropping us an email at privacy <at>

Data usage

The data recorded will solely be used for COVID-19 unknown contact tracing purposes.

To review our website's privacy policy, please visit our general Website Privacy Policy.