Protection of personal data and privacy of the users

Note:

Within this document, the company employees involved in the recording process will be referred to as users.
The term customer refers to companies and other various organizations that have signed an agreement to install and use the Task Mining system.
The recording application used by Task Mining captures screenshots, clicks, and movements for the applications when enabled by the company employee assigned as platform administrator.
The recording is made for each of the users who have installed the recording application on their machine.
The persons defined as users or company employees assigned as platform administrators and whose data is being captured and processed are referred to as data subjects.

Task Mining provides insight into and discoveries from the daily and constant activity of the workforce and therefore needs access to record the actions performed by users on a continuous basis. These actions are taken in aggregate and analyzed by the ML algorithm to produce the results, which may contain and be influenced by any and all actions recorded during the recording period. It is important to have constant ingestion of customer data to provide complete and comprehensive results.

After capturing the data, the customer and its users have the option to curate it before sending it to the UiPath cloud for analysis. UiPath will save the data in a highly secured storage. Customers can request for their data to be removed from our system. In this case, the data will be deleted as per the customer’s request and the customer will be notified as soon as the request is completed.

UiPath will be using the data for two main purposes, namely:

Analyzing the data to identify actionability.
Analyzing the data to determine if the machine learning algorithms are working properly.

Although UiPath does not explicitly require any personal data, it is expected to receive any kind of personal data since the screens of the users will be captured and, as a result, a DPA is attached by default to any agreement concluded with any customer. UiPath is expressly forbidding the processing of Health Information and Credit Card information.

The Admin Console platform component allows the control, deletion, or accessing of the data by the customer, it also allows the identification of data coming from one specific user. The company employee assigned as platform administrator has full control (setup, view, update, and delete) over the above mentioned Admin Console platform feature.

As a result, the customer has the possibility to request the deletion or extraction of the data that it is being manually sent to UiPath by submitting a request in this respect to UiPath Support.

The personal data received by UiPath is the property of the customers (or the users) and they are the only ones who can decide what data is being processed and for what purpose. The users are in full control over the processing of their data, as they have access to view and edit the data collected and stored locally on the device. Each user can pause the recording application and also see the full list of applications and system interaction that is being recorded.

The customer is the controller and is responsible for the relationship with the data subjects (meaning the actual persons whose data is being processed) and for respecting the applicable legislation. The customer must take all the appropriate legal measures in order to ensure that data subjects are duly notified about the data capturing and processing initiative.

Informing data subjects is the responsibility of the customer as UiPath has no technical possibility of identifying or taking consent from data subjects.

The following measures have been implemented in order to assure the privacy of the data:

The data is not being automatically sent to UiPath. The customer through the company employee assigned as platform administrator and the involved users have the possibility to curate and select the data that is to be transferred.
The sent data is being encrypted both in transit and at rest.
The users have the possibility of pausing at any time during the recording. The pause time is limited to a maximum of 1 hour still the pause instances are not limited.
The Admins and the Users can define only applications they want to be captured in the recording.

Personally identifiable information (PII) data is masked automatically during the processing stage and the original screenshots aren't stored.

Information about the collected data

Please find below an overview of the data that is collected during the Task Mining usage and the location where it can be accessed.

User data

Raw data

While the Client App is running, it captures raw data about each user action, click, or type. By default, the data is written to \AppData\Roaming\Task Mining\Projects\{projectID}\{userID}\captured\{action#} where:

projectID and usertID are collected from Admin Portal after completing the Sign In
the action# is a folder created for each captured action. Each file contains the following data:
1. CSV metadata file: where the information about the captured action and user environment is captured.
  Note: For browser applications, the CSV includes the captured page URL and domain. The following browsers are supported: Firefox, Edge, Chrome (English only), Internet Explorer.
2. Screenshot: screengrab of the active window where the action is recorded in .jpg format.

Processed data

Raw data is automatically sent to the Processing Queue where it's updated for the analysis and anonymization processes. By default, the Processed Data that is Ready for Analysis is stored in \AppData\Roaming\Task Mining\Projects\{projectID}\{userID}\ready\{action#.zip}.

While processing is in progress, intermediate folders are created under the \Projects\{projectID}\{userID}\ folder still the final output is a ZIP file that contains the following:

CSV metadata file
Screenshot
OCR result

Warning: If the analysis is to work it's very important not to change the files in any way, not even zipping them again.

Application data

Client app logs

These logs are accessible from the Client App via the Working with the client app section. 'Save' option would suggest archiving all the logs into a .zip file which is a preferred way of sharing the logs for an investigation.

To find logs from the File Explorer, access the following location: %AppData%\Task Mining\logs. The log files are located in corresponding folders named after projectID's users were invited to along with a file named main.log. When sharing the logs for an investigation, it's preferable to archive the entire 'logs' folder.