There has been a lot of speculation in the media recently on how we handle user data. We wanted to take this chance to clarify how Yandex works with data generally, and how AppMetrica works in particular.
Our commitment to user privacy
For over twenty years, Yandex has served millions of users, working to maintain their trust through our commitment to protecting their privacy and data security online. Our detailed Privacy Policy helps users understand more about what data we collect, how this data is used to improve our services, who has access to that data, and how users can control it.
Yandex takes data security extremely seriously and follows rigorous data protection rules to ensure our users’ data is secure and their privacy is protected. Our services are assessed according to the Data Protection Impact Assessment (DPIA) procedure. We regularly undergo audit procedures and receive certification of a high level of information security and customer data protection, including ISO/IEC 27001/27017/27018, SOC 2/3, PCI DSS, etc. In particular, AppMetrica, our mobile analytics service, is itself certified as ISO/IEC 27001 compliant.
AppMetrica
AppMetrica is a mobile app analytics solution that helps mobile developers improve the in-app experience by identifying and fixing errors, optimizing advertising settings and building marketing strategies based on in-app user performance. It operates in the same way as international peers such as Google Firebase, Flurry by Yahoo, Adjust and AppsFlyer. In short, AppMetrica is a tool that app developers use deliberately for its core analytical functionality.
AppMetrica doesn’t collect any data on its own – we can only receive the information the app developer shares with the tool to be automatically analyzed and compiled into a report. The app also needs to receive user consent required by the mobile operating systems (OSes), since there is no technical possibility for us to obtain it ourselves. We inform app developers about the functioning of AppMetrica and they are obliged, if required by law, to get consent from their users.
Thus, as per GDPR, app developers have to specifically accept the Data Processing Agreement upon setting up AppMetrica and are expressly offered the option to mask the IP addresses of EU users. Our instructions indicate that it’s the app owner's duty to make sure that the app's Privacy Policy clearly states that it’s using AppMetrica.
Setting up AppMetrica
App developers themselves determine the type and amount of data they want to analyze. We do not collect any sensitive user data concerning users’ names, addresses, phone numbers, payment details, personal ID data or any other sensitive personal details that the user shares with the application. We also do not and cannot collect data about what users do outside the app. AppMetrica is constantly monitored and assessed by Apple and Google for compliance with App Store and Play Store moderation policies, which set high standards for user data protection.
Data received by AppMetrica from app developers is non-personalized, very limited, and contains information on the device, network and IP address (if not masked by the app developer). AppMetrica reports display technical data that is of high value only to the application developers – such as the device model, application version, operating system version, etc. They also show information on the users’ behavior in the application, for instance, time spent, application crashes, in-app purchases, etc. Such information is crucial for improving the user experience — it helps to identify errors and promptly warn developers about them, send notifications to users, optimize advertising settings and, finally, to analyze which products are in highest demand based on purchasing statistics.
Example of a report in AppMetrica
Data storage in Russia
We make no secret of our Russian roots. Our approach to data is in line with other major technology companies around the world. We work in full compliance with international and local laws. Data received from app developers is stored in a distributed storage platform both in Finland and in Russia, as stated clearly in our Privacy Policy. The idea that we ‘secretly’ send this data to Russia is simply wrong. Our Privacy Policy has always been publicly available to anyone.
Our job is to inform developers regarding AppMetrica’s data processing terms and they are obliged, if required by law, to get consent from their users and inform them about the fact that the data is stored in Russia. In our instructions for app developers we even provide a sample alert message that clearly states that the information will be transferred to Yandex and stored on Yandex’s servers in the EU and the Russian Federation. Again, this is compliant with all international laws and regulations regarding data storage.
What does it mean for users? Regardless of where data is stored, our principles for data privacy and security are equally rigorous. We take any government request for access to information extremely seriously (be it in Russia or any other country) and follow the same principles whether it’s coming from the Russian government, or international bodies such as Interpol.
We have never given out any information on users of any apps with AppMetrica installed on them, nor have we ever been asked to.
Still, if we ever were to receive such a request, we have a very strict internal process to identify the legitimacy of the request. Yandex only considers those requests that have been lodged by an authorized entity in accordance with the law and due process, and only provides the amount of information that is strictly required in order to fulfill the request. Any requests that fail to comply with all relevant procedural and legal requirements are turned down.
We are fully transparent about all data requests we satisfy, and we publish a detailed report on a regular basis. Please see our transparency report at https://yandex.com/company/privacy/transparencyreport.
Here at Yandex, we take any accusations of possible privacy misconduct to heart, and we are ready to be audited by any international audit companies on the legality of our privacy policies and data collection practices.