Reminder - we sent this email on December 15, but haven't heard back from you

Dear Mujeres a los pies de Jesús team,

We are a team of academic researchers from the CISPA Helmholtz Center for Information Security in Germany, conducting a research project on user consent and GDPR (EU General Data Protection Regulation) compliance of mobile apps.

Please note that this email is part of an academic research project and is not meant to sell any products or services.

As part of our analysis, we investigate the sharing of users' personal information (e.g., user IP address, persistent identifiers, tracking identifiers) with third-party services to show personalized or behavioral advertising. Based on our analysis, your app shares some personal user information to such services without obtaining prior explicit consent from users. We have prepared a detailed report on the analysis methodology, the data being sent out, and the parties involved. You can access this through our (password-protected) Web interface at (please do not publish this URL as it is personalized for your app).

By analyzing the legal documents (e.g., the terms of service, privacy policies, developer guidelines, and contracts) provided by the third-party services in question, we concluded that your app might be non-compliant with the consent requirements by the GDPR [1]. In most cases, in order to be legally compliant, an app is required to obtain explicit consent from users situated in the European Union before sharing users' personal data with third parties for personalized ads, if those third parties act as a data controller. Please note that we do not offer a conclusive legal assessment or consultancy on an individual app's compliance as there might be an alternative lawful basis present for data sharing with a third party other than consent.

As this email is part of a research project in which we are trying to understand the reasons for GDPR compliance issues of mobile apps in the wild, it would be immensely helpful to provide us with feedback regarding your apps.
- Were you aware of the types of data that are being collected and transmitted when you include third-party SDK(s) into your apps? Were you aware that these types of data could be considered personal data under the GDPR?
- Are there specific reasons why your app does not implement explicit consent?
- Are there any changes you plan to apply to remedy the outlined issues? What type of support (e.g., documentation or automated tools) would be beneficial for you?

Should you have further questions or wish not to receive any further communication, please contact us, and we will diligently follow the request.

Best regards
Tin Nguyen

Tin Nguyen | Researcher & PhD Student
CISPA Helmholtz Center for Information Security
Direct e-mail: | Web:

[1] General Data Protection Regulation. 2016. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46.