Obii API Services User Data Policy
Last updated November 9, 2021
Obii API Services, including Obii Sign-In, are part of an authentication and authorization framework that gives you, the developer, the ability to connect directly with Obii users when you would like to request access to Obii user data. The policy below, as well as the Obii APIs Terms of Service, govern the use of Obii API Services when you request access to Obii user data. Please check back from time to time as these policies are occasionally updated.
Accurately represent your identity and intent
If you wish to access Obii user data you must provide Obii users and Obii with clear and accurate information regarding your use of Obii API Services. This includes, without limitation, requirements to accurately represent:
Who is requesting Obii user data? All permission requests must accurately represent the identity of the application that seeks access to user data. If you have obtained authorized client credentials to access Obii API Services, keep these credentials confidential.
Why are you requesting Obii user data? Be honest and transparent with users when you explain the purpose for which your application requests user data. If your application requests data for one reason but the data will also be utilized for a secondary purpose, you must notify Obii users of both use cases. As a general matter, users should be able to readily understand the value of providing the data that your application requests, as well as the consequences of sharing that data with your application.
Be transparent about the data you access with clear and prominent privacy disclosures
Request relevant permissions
Permission requests should make sense to users, and should be limited to the critical information necessary to implement your application.
Don't request access to information that you don't need. Only request access to the minimal, technically feasible scope of access that is necessary to implement existing features or services in your application, and limit access to the minimum amount of data needed. Don't attempt to "future proof" your access to user data by requesting access to information that might benefit services or features that have not yet been implemented.
Request permissions in context where possible. Request access to user data in context (via incremental auth) whenever you can, so that users understand why you need the data.
Deceptive or unauthorized use of Obii API Services is prohibited
You are strictly prohibited from engaging in any activity that may deceive users or Obii about your use of Obii API Services. This includes without limitation the following requirements:
Do not misrepresent what data is collected or what you do with Obii user data. Be up front with users so that they can make an informed decision to grant authorization. You must disclose all user data that you access, use, store, delete, or share, as well as any actions you take on a user's behalf.
You are not permitted to access, aggregate, or analyze Obii user data if the data will be displayed, sold, or otherwise distributed to a third party conducting surveillance.
Overall there should be no surprises for Obii users: hidden features, services, or actions that are inconsistent with the marketed purpose of your application may lead Obii to suspend your ability to access Obii API Services.
Do not mislead Obii about an application's operating environment. You must accurately represent the environment in which the authentication page appears. For example, don't claim to be an Android application in the user agent header if your application is running on iOS, or represent that your application's authentication page is rendered in a desktop browser if instead the authentication page is rendered in an embedded web view.
Do not use undocumented APIs without express permission. Don't reverse engineer undocumented Obii API Services or otherwise attempt to derive or use the underlying source code of undocumented Obii API Services. You may only access data from Obii API Services according to the means stipulated in the official documentation of that API Service, as provided on Obii's developer site.
Do not make false or misleading statements about any entities that have allegedly authorized or managed your application. You must accurately represent the company, organization, or other authority that manages your application. Making false representations about client credentials to Obii or Obii users is grounds for suspension.
Maintain a secure operating environment
You must take reasonable and appropriate steps to protect all applications or systems that make use of Obii API Services against unauthorized or unlawful access, use, destruction, loss, alteration, or disclosure.
Additional Requirements for Specific API Scopes
Secure Data Handling: Applications accessing Restricted Scopes must demonstrate that they adhere to certain security practices. These applications must pass an annual security assessment and obtain a Letter of Assessment from an Obii-designated third party.
You must access Obii API Services in accordance with the Obii APIs Terms of Service. If you are found to be out of compliance with the Obii APIs Terms of Service, this Obii API Services: User Data Policy, or any Obii product policies that are applicable to the Obii API Service you are using, Obii may revoke or suspend your access to Obii API Services and other Obii products and services. Your access to Obii API Services may also be revoked if your application enables end-users or other parties to violate the Obii APIs Terms of Service and/or Obii policies.