RTS App - "access to Everything"


  • RTS App - "access to Everything"

    A couple of months ago we started using the RTS App, which they brand for specific theaters, to implement reserved seating. So far it's been working great, customers love it, until one day a random guy happened to read the Privacy Statement for the app and found this:



    So, I wrote an email to RTS about this and they responded with something about how it can't be changed unless we want to register the app ourselves with the App store and such like that. I can't understand why they would want such an ambiguous (and highly unprofessional) statement in their app, not to mention the danger if some "bad actor" ever happened to start working there and decided to have some fun with his perfectly legal access to "Everything."

    I would really like to get them to change this but they don't seem to think it's a big deal.

    I'm not sure what to tell people when they inquire about this outside of the fact that RTS is a reputable company and there shouldn't be anything to worry about, but that doesn't exactly seem like the ideal solution either.
    Last edited by Mike Blakesley; 12-22-2020, 01:55 PM.

  • #2
    Very funny. 'including but not limited to Everything'. Could that mean 'everything else' ?

    Honestly, realistically, I don't think anyone will ever be able to make something out of this to your clients' disadvantage. Still, if you talk with them again, your strategy maybe should not be how to protect your patrons from this privacy statement, but you should point your contact towards the possibility that THEY (RTS) could be sued... It is, e.g., clearly against GDPR, fines are high, and I guess similar regulations are in place in the US. All that's needed is a greedy law firm.
    Maybe that will help escalate the issue.
    Last edited by Carsten Kurz; 12-22-2020, 02:31 PM.



    • #3
      It's lazy app writing.

      When writing a program to run on an Android phone (and I assume an Apple as well, though I've never done that myself) you fill out what amounts to a checklist of permissions that your app requires, so the app then asks permission from the operating system to do things. For example, if your app takes pictures then you will have the app request permission to access the camera. If it's sending email, then the app might require permission to access your contact list and network access. And so on.

      The folks who wrote your app apparently didn't bother to fine-tune their permission request for what the app actually needs to use in order to function and just checked off "everything" instead.



      • #4
        I assumed they used some form of "template" for the privacy statement and forgot to update that with more "real world" wording.

        As it is, all they would need to do is remove the whole "including but not limited to Everything" part of that sentence and it would still make just as much sense.

        I'm more worried about how customers perceive it than anything else. I know RTS is a reputable company, but the guy who brought it to my attention was quite exercised about it, said he had immediately deleted the app and won't use it unless they change that to something less terrifying (to him). The big worry is if he starts telling all his friends. We ARE in a small town here.



        • #5
          Here's what your app apparently requests from Android when someone installs it. For what it's for, the only really sketchy permission that I can see is that it will access your precise location. There are probably good reasons for the other permissions listed there.

          The good news is that it's not "everything".

          This app has access to:
          Wi-Fi connection information
          • view Wi-Fi connections

          Location
          • precise location (GPS and network-based)
          • approximate location (network-based)


          Other
          • receive data from Internet
          • view network connections
          • read Google service configuration
          • full network access
          • prevent device from sleeping

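Added example, not part of the thread and not the RTS app's code: posts #3 and #5 describe the permission "checklist" an Android app declares, and this sketch audits such a declaration by splitting it into runtime-prompted and install-time permissions and flagging any the reviewer cannot justify. The manifest is constructed; the permission names are assumed to correspond to the store labels listed in post #5, and the package name, `JUSTIFIED` set and function names are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P, G = "android.permission.", "com.google.android."

# Constructed manifest in decoded text form; not extracted from the real app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.theaterapp">
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission
      android:name="com.google.android.providers.gsf.permission.READ_GSERVICES"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
</manifest>"""

# Subset of permissions Android puts behind a runtime prompt ("dangerous").
RUNTIME = {P + n for n in ("ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
                           "CAMERA", "READ_CONTACTS", "RECORD_AUDIO")}

# Hypothetical reviewer decision: what a seat-booking app can justify.
JUSTIFIED = {P + "INTERNET", P + "ACCESS_NETWORK_STATE", P + "ACCESS_WIFI_STATE",
             P + "WAKE_LOCK", P + "ACCESS_COARSE_LOCATION",
             G + "c2dm.permission.RECEIVE",
             G + "providers.gsf.permission.READ_GSERVICES"}

def requested_permissions(manifest_xml):
    """Return the sorted, de-duplicated permission names a manifest declares."""
    root = ET.fromstring(manifest_xml)
    names = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    return sorted(names - {None})

def audit(manifest_xml, justified):
    """Split requests into runtime/install-time and flag unjustified ones."""
    report = {"runtime": [], "install_time": [], "unjustified": []}
    for perm in requested_permissions(manifest_xml):
        report["runtime" if perm in RUNTIME else "install_time"].append(perm)
        if perm not in justified:
            report["unjustified"].append(perm)
    return report

if __name__ == "__main__":
    for bucket, perms in audit(SAMPLE_MANIFEST, JUSTIFIED).items():
        print(bucket, perms)
```

A real APK stores its manifest in binary XML, so it has to be decoded to text before a script like this can read it.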


          • #6
            The biggest problem I have with all those different entities processing my private data is that most companies don't have a clue what is necessary to keep that data from leaking out into the wild and even if they have a clue, chances are they still won't succeed at it. All those companies hoard lots of data from their customers and customers' customers, because someone told them that this data is worth something, but unless you're Google, Facebook or Microsoft, all this data is mostly useless and will eventually come back to haunt you, once one of your systems gets eventually compromised.

            We're just living through the fallout created by SolarWinds, which offers enterprise software to monitor all kinds of IT systems. They got their own update servers compromised and as a result, they pushed compromised code to thousands of their customers, among them some of us, but also very high-profile targets, including lots of governments. All those systems that run those SolarWinds agents to monitor systems got compromised in the process. The damage done is still not clear, but could be monumental.

            That's why I try to keep my footprint small, although that's increasingly getting more and more difficult. I don't like it when a random company asks me all kinds of data they don't need to provide me the service I want from them. Not because I'm particularly paranoid, but because stuff is in a constant state of disrepair and is being hacked all the time.



            • #7
              Having used RTS for the past 17 years, I can say there is a frequent disparity between the customer-side manners used by some of the software writers vs the owner. Not sure posting his name here would be appropriate, but if you can get ahold of him, you might ask if this is really what they intended to present to the customer. It doesn't really sound like it came from him, but I have dealt with one or two there who I don't think would see the problem.



              • #8
                It looks like a boilerplate document that did not get edited to include only the permissions it intended to access.



                • #9
                  That's exactly what I have told those who have asked about it.



                  • #10
                    The problem is, even though it's probably just a stupid "boilerplate text", it's there and your users need to agree with it in order to use the service. It's interesting to see that people actually still read those things. I wonder if those same people actually read the entire EULA they're offered every time they click on "I agree" when they install something from the likes of Microsoft or Apple. I guess their strategy is to make those documents as long and convoluted as possible, in order to discourage people from actually even trying to read them.



                    • #11
                      I actually spotted it myself too when I first installed the app on my own phone. I just scrolled through the text and the capitalized "Everything" happened to catch my eye. I didn't do anything about it at the time because I figured no one reads these damn things anyway and it would probably be fixed at some point. It was less than a month after we rolled it out when the first customer mentioned it to me and I've had a couple of others mention it since. So I guess people DO read those damn things.

                      I suppose their non-response to my original email about it was because they have deployed this same app to lots of other theaters and if they change one, they will have to change all of them and it would be a lot of work. That's just a guess on my part.

                      Still, I think they ought to fix it. My wife (who tests software and apps for a living) even called them about it and left a message, but they have not responded. It's kind of strange because they are usually a pretty responsive company.
                      Last edited by Mike Blakesley; 12-28-2020, 11:14 AM.



                      • #12
                        That sounds like an example of WDGARA syndrome. (We Don't Give a Rat's Ass)

                        Makes me happy that I wrote my own app and if I want to change it I can just go ahead and do so without asking anyone else's permission.



                        • #13
                          Perhaps leave them a message that you'll bring it up at the next NATO meeting as I'm sure other exhibitors would want to know, ahead of time, if they will be hit with the same patron concerns.



                          • #14
                            My concern about this has less to do with privacy and licensing concerns than it does with workmanship issues.

                            If a software developer uses boilerplate text for its user agreement and doesn't even take the time to correctly fill out the entire template, what ELSE are they not taking the time to do correctly?

                            It suggests, to me, that there might be security holes or other broken code in their software that could compromise the user's phone such that they could lose data or be subject to a major security breach where information is stolen without anybody knowing until it's too late.

                            I don't expect the company to jump right on it and immediately change the agreement text but I do expect to hear them say something like, "We'll fix that problem in the next update." Maybe they could even push that update schedule ahead a bit in order to solve the issue but that would be an "It depends..." kind of question.

                            I understand that people make mistakes. I understand the difference between small mistakes and big mistakes. I don't expect people to always fix every mistake right away. Small mistakes can keep until people get time to fix them. Yes, this is probably a small mistake that doesn't need to be fixed right now.

                            It's people's attitude about mistakes that concerns me the most.

                            When people have a bad attitude about mistakes it makes me wonder what else they have a bad attitude about.

                            It makes me circumspect about using the software, at all.



                            • #15
                              Well, RTS has long been known for their "coarse" customer service. You get somebody on the phone, they talk a mile a minute and expect you to know as much as they do. And they often come off a bit irritated that you interrupted their day by calling them. It's not good, (and they even acknowledged it as a problem when I visited with one of their guys at a convention). But, on the other side of the coin, normally they ARE very responsive when asked to fix something. So the lack of response on this particular issue is kind of weird.

                              I had another customer mention it again yesterday. I think it's possibly the same one or two people telling other people about it and the "concern" is going to go viral around here.
