3.1 Xiaomi Watch, Mi Fitness and Privacy
Introduction
The Xiaomi Watch is a smart device that can be connected to a mobile device and managed via the Mi Fitness app. The Xiaomi Watch can be used to monitor your heart rate, calculate calories burned in different fitness modes, monitor sleep patterns and SpO2, and receive various notifications from the mobile device it's synced to. Some models also provide an NFC function for payments and Bluetooth phone calls. The Xiaomi Watch's 24-hour heart rate monitoring can accurately monitor you even during high-intensity workouts. It can also automatically save the resting heart rate curve from the past 30 days and continuously track your fitness gains¹.
The Mi Fitness app is a platform used to connect your Xiaomi smart wearable devices, allowing you to manage them and view the data measured by these devices, such as your sleep data, exercise records, calories consumed, and steps walked per day.
Data Collection and Usage
1) User Login
When you try to log in to the app, we will collect the account information. The account ID may be the Mi Account ID, phone number or email address.
2) Pairing with Device and Synchronizing Data
In order to support the binding of smart wearable devices and applications, we may collect your Mi Account, identification information of smart wearable devices, identification information of mobile devices (IMEI, IMSI, MAC address, MEID, Android ID, SN and SIM card identification encrypted by a hash algorithm), mobile phone model, system version number, Bluetooth information, and wearable device model.
3) Weather
You can view the weather information in your corresponding city on the device after pairing. We need to collect your rough location information (GPS is accurate to approximately 500m), or else you will need to select the city and district manually. Such data will not be stored in the server and will only be used to provide the weather information.
4) Workouts
You can use the 'workouts' function in your app or on the device to record your route during outdoor exercises. While using workouts, we need to collect your precise location information. You may disable the Sync-with-the-cloud function to stop uploading the workout data to the server.
5) Recording and Display of Activity and Fitness
Your activity and fitness information will be recorded and displayed on your smart wearable devices and in the app. You may check it at any time to ensure that your body is in perfect working order. We will collect and record information related to your sports activities, including steps, standing activity and duration, workouts, cadence, sports distance, sports time, altitude, heart rate and heart rate related information, stroke times, stroke frequency, moving time, blood pressure and blood oxygen saturation.
In addition, we will collect your personal information, including your nickname, gender, date of birth, height, and weight. This information will be used to calculate and display your heart rate, number of steps, calories burned through exercise, sleep time, etc. on both your wearable device and the app, allowing you to better understand your workouts. Your personal information will also be used to generate personalised workout advice. It will be displayed on wearable devices and application pages, which can be viewed at any time.
If you don't provide personal information (including your gender, height, age, and weight), default values will be used to calculate and display the information about heart rate, steps, calories consumed by exercise, sleep time, etc., and to provide exercise suggestion services.
You may use the menstrual period recording and prediction function. We will collect the dates and symptoms of your periods for prediction. This information will only be used for display on the device.
You can use the stress function for monitoring your body status. We will collect your heart rate, number of times awakened during sleep, and the length of time awake to calculate your stress level and to show any changes that occur.
6) User Feedback
You may use the feedback function when encountering problems during daily use. We may collect your contact information (the phone number or email address you provided) and uploaded logs (including exercise data such as exercise distance and exercise duration, and health data such as heart rate, sleep time and stress data). This information will only be used for solving the given problems.
7) App Notification
You may turn on the App notification function in the app (disabled by default). Once turned on, you will receive alerts for your SMS and application notification messages on your device (certain types of devices may not support this function). The text messages and the app notifications may show on the device as a reminder. Such data will only be used for displaying and will not be stored.
8) Calls Notification and Bluetooth Phone Calls
You may turn on the Incoming calls function in the app (disabled by default). Once turned on, you will receive alerts for your calls on your device (certain types of devices may not support this function) and the incoming call number will be displayed on your device. This information will not be stored or uploaded to the server.
9) Payment Services
In some countries or regions, you can enable payments by MasterCard or VISA on your wearable device (certain types of devices may not support this function). For verification purposes, MasterCard or VISA may require you to provide the following information: your card number, name on the card, expiration date, CVC2/CVV2 (CVC2/CVV2 refers to the last three digits of the number embossed on the back of the card), and the phone number or e-mail address linked to your bank account. When you top up your card or conduct a transaction through NFC, MasterCard or VISA may collect your transaction information, including the amount paid and the order number, and the product description to verify your card.
We will store your card name and the last four digits of the card in your device to enable the payment function when your MasterCard or VISA card is authenticated. This information will only be stored on your device and will not be uploaded to the cloud.
10) Band Display and Watch Face
To ensure that your device display data is not lost when you switch phones or reinstall the app, we will collect the downloaded device display ID, the display layout, and the content and style of the last saved background image.
11) Diagnostics and Analytics
We will collect the following information for device diagnostics and function enabling:
- Device Information: Includes country/region, model, ID, firmware version, and name of the device.
- Device Connection Information: Includes device connection result.
- Device Status Information: Includes battery level, watch face, and NFC information.
- Logs about Device and its Components: Includes logs about system and device errors.
We will collect the following information for product usage and usability analysis:
- Behavior Data: Includes views and clicks of different pages (including health, workout, device, my profile, health details, workout details, workout initiatives, settings, watch face, article/video details, poll details, habit cards, and awards details).
- Information about Functions and Product Usage: Includes the length of time you use the software, frequency of use of exercise and health functions, number of times you set the health data, and logs about product errors.
This information is collected only if the user has previously agreed to join the User Experience Program.
Privacy by Design
GPS permission is requested only for the app and device functions that require it, such as outdoor sports tracking and updating weather information.
The transmission of data between the app and server is based on HTTPS. In addition, all sensitive data is encrypted at rest to varying degrees, such as with AES-256 and AES-128.
We not only provide the functions for your data rights to be met (i.e., by enabling you to access, delete, and download your data), but also support some specific features when we design the functions. For example, all the app permissions and their usages are integrated in the "Profile > App permissions" page, where you can also clearly see the usage and granted status of each permission.
You can choose to enable or disable the weather function according to your preference in order to prevent GPS information being collected. This can be disabled via the "Device > Weather" page. Once disabled, the rough location data will no longer be collected.
You can also choose to disable the Sync-with-the-cloud function; your workout and fitness data will then not be uploaded to the server, and the device will no longer sync this data from your other devices. This can be disabled or enabled via the "Profile > Settings > Sync with the cloud" page.
Appendix 1: Data Inventory for Xiaomi Watch and Mi Fitness app
Type | Type of Data | Identification Qualifier | Purpose | Data Transmission Encryption Measures | Data Storage Encryption Measures | Data Retention Policy |
---|---|---|---|---|---|---|
Identifiers | Mi Account ID | Identified | App Functionality; Device Functionality | BLE; HTTPS | No Encryption | Per user's request |
Identifiers | MAC | Identified | App Functionality; Device Functionality | BLE; HTTPS | No Encryption | Per user's request |
Identifiers | SN | Identified | App Functionality; Device Functionality | BLE; HTTPS | No Encryption | Per user's request |
Identifiers | Android ID | Identified | App Functionality; Device Functionality | HTTPS | No Encryption | Per user's request |
Contact Information | Country | Identified | App Functionality; Device Functionality | BLE; HTTPS | No Encryption; AES-128 | Unpair or Factory Reset; Per user's request |
Contact Information | Email Address | Identified | App Functionality; Device Functionality | HTTPS | AES-128 | Per user's request |
Contact Information | Phone Number | Identified | App Functionality; Device Functionality | HTTPS | AES-128 | Per user's request |
Payment Service Information | Card Info (Card Name and Last 4 Digits) | Identified | App Functionality; Device Functionality | BLE; HTTPS | No Encryption | Unpair or Factory Reset |
Sensitive Information | Personal Information | Identified | Analytics | BLE; HTTPS | No Encryption; AES-128 | Unpair or Factory Reset; Per user's request |
Sensitive Information | Fitness Information | Identified | App Functionality; Device Functionality; Analytics | BLE; HTTPS | No Encryption; AES-128 | Unpair or Factory Reset; Per user's request |
Location Information | Precise Location | Identified | App Functionality; Device Functionality | BLE; HTTPS | No Encryption; AES-128 | Unpair or Factory Reset; Per user's request |
Location Information | City and District | Identified | App Functionality; Device Functionality | BLE | No Encryption | Unpair or Factory Reset |
User Content | Display related Information and Settings | Identified | App Functionality; Device Functionality | BLE; HTTPS | No Encryption; AES-128 | Unpair or Factory Reset; Per user's request |
Usage Data | Product Interaction | Pseudonymized | Analytics | HTTPS | AES-128 | Per user's request |
Diagnostics | Device Information | Pseudonymized | Analytics | HTTPS | No Encryption | Per user's request |
Diagnostics | Device Connection Information | Pseudonymized | Analytics | HTTPS | No Encryption | Per user's request |
Diagnostics | Device Status Information | Pseudonymized | Analytics | HTTPS | No Encryption | Per user's request |
Diagnostics | Device and Components Log | Pseudonymized | Analytics | HTTPS | No Encryption | Per user's request |
Analytics | Behavior Data | Pseudonymized | Analytics | HTTPS | No Encryption | Per user's request |
Analytics | Functions Information and Product Usage | Pseudonymized | Analytics | HTTPS | No Encryption | Per user's request |
Other Data | Phone Number & Email Address | Identified | App Functionality; Device Functionality | HTTPS | AES-128 | Per user's request |
Other Data | Other Mobile Device Information | Identified | App Functionality; Device Functionality; Analytics | BLE; HTTPS | No Encryption | Per user's request |
Other Data | Notification Information | Identified | App Functionality; Device Functionality; Analytics | BLE | Not Stored | Not Applicable |
Other Data | Feedback Information | Identified | Analytics | BLE; HTTPS | User Info: AES-128; Logs: AES-256 | Per user's request |
Other Data | Activity Information | Identified | Analytics | BLE; HTTPS | No Encryption; AES-128 | Unpair or Factory Reset; Per user's request |
Other Data | PIN Code | Identified | App Functionality; Device Functionality | BLE | No Encryption | Unpair or Factory Reset |
Note