Application Privacy Notice
Effective on: October 22nd, 2020
What Is Covered by this Privacy Notice?
This Notice addresses individuals (or "data subjects") whose Personal Data we may receive from our direct customers ("Customers") in our web-based software application (the "Application").
Our Customers license our Application to help prevent data breaches. Since our Application scans email, the Application has access to any Personal Data that each Customer's email messages contain. The Application therefore processes the Personal Data of a variety of types of data subjects, including our Customers themselves (if they're individuals), employees and contractors of our direct Customers (if they're organizations), our Customers' customers or email contacts, and any other individuals whose data our Customers include in an email message scanned by our Application.
Our Customers use our Application to store and process Personal Data of themselves, their own customers, clients, employees, and others. Preava acts only as a service provider, also known as a data processor. We do not decide what Personal Data our Customers submit to or scan with our Application. In general we will only access such Personal Data as necessary in order to provide and maintain our Application, at a Customer's request in connection with technical support or account administration matters, or if we are required to do so by law.
For information about how our Customers use your Personal Data, please contact the relevant Preava Customer directly or refer to the Customer's privacy policy.
What Is Not Covered by this Privacy Notice?
Human Resources Personal Data
This Notice does not apply to the Personal Data of employees, job applicants, contractors, business owners, directors, officers, and other personnel of Preava processed by us for employment purposes.
Information that Is Not Personal Data
If we do not maintain information in a manner that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular individual or household, such information is not considered "Personal Data" and this Notice will not apply to our processing of that information.
What Can You Find in this Notice?
This Notice tells you, among other things:
- what Personal Data we collect about you and how we obtain it;
- the legal bases for processing your Personal Data;
- what purposes we use that Personal Data for;
- how long we keep your Personal Data;
- who we share your Personal Data with;
- your rights about the Personal Data we collect about you and how you can exercise those rights;
- how we protect your Personal Data; and
- how to contact us.
Our Role with Respect to Your Personal Data
Within the scope of this Notice, Preava acts as an agent, also known as a data processor or "service provider," for the Personal Data we process for our Customers in our Application. This means that our Customers determine the type of Personal Data they provide for us to process on their behalf. We typically have no direct relationship with the individuals whose Personal Data we receive from our Customers, unless the Personal Data is that of our Customers themselves (if they're individuals).
Lawfulness of Processing
As a data processor, Preava processes Personal Data within the scope of this Notice based on the instructions of our Customers. To learn about the lawful grounds on which they process your Personal Data, please contact the Preava Customer who used our Application to process your Personal Data directly or refer to their privacy notice.
What Personal Data We Process and How We Obtain It
The table below describes the categories of Personal Data we have collected about you in the last twelve months or since this Notice was last updated (whichever is more recent).
Personal Data We Collect, Process, or Store | How We Obtain It |
Names, online identifier, Internet Protocol (IP) address, email addresses | We obtain identifiers contained in email that our Customers scan with our Application |
We may process sensitive or special categories of Personal Data, including information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, data concerning health, or data concerning a natural person's sex life or sexual orientation if such data is included, directly or indirectly, in an email processed in our Application | While we do not intentionally collect special categories of Personal Data, we have access to all information contained in email that our Customers scan with our Application |
We may process personal information with protected characteristics such as age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, or genetic information (including familial genetic information) if such data is included, directly or indirectly, in an email processed in our Application | While we do not intentionally collect personal information with protected characteristics, we have access to all information contained in email that our Customers scan with our Application |
We may process commercial information such as records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies if such data is included, directly or indirectly, in an email processed in our Application | While we do not intentionally collect commercial information, we have access to all information contained in email that our Customers scan with our Application |
We may process biometric information such as genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data, if such data is included, directly or indirectly, in an email processed in our Application | While we do not intentionally collect biometric information, we have access to all information contained in email that our Customers scan with our Application |
We may process browsing history, search history, and information on a consumer's interaction with a website, application, or advertisement if such data is included, directly or indirectly, in an email processed in our Application | We process internet and network activity information contained in email that our Customers scan with our Application |
Physical location or movements, including IP addresses | We process geolocation data, including IP addresses, contained in email that our Customers scan with our Application |
We may process current or past job history or performance evaluations and job title if such data is included, directly or indirectly, in an email processed in our Application | We process professional and employment-related information contained in email that our Customers scan with our Application |
We may process education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. | While we do not intentionally collect non-public education information, we process all information contained in email that our Customers scan with our Application |
Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | We process all data contained in email that our Customers scan with our Application |
We will not collect additional categories of Personal Data without informing you.
According to the CCPA, Personal Data does not include:
- de-identified or aggregated consumer information; and
- information excluded from the CCPA's scope, such as:
  - health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data; and
  - the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver's Privacy Protection Act of 1994.
Consequently, we do not refer to such information in this Notice.
Cookies
A "cookie" is a small file stored on your device that contains information about your device. We may use cookies to provide application functionality, authentication (session management), usage analytics (web analytics), to remember your settings, and to generally improve our Application.
We use session and persistent cookies. Session cookies are deleted when you close your browser. Persistent cookies may remain even after you close your browser, but always have an expiration date. Most of the cookies placed on your device through our Application are first-party cookies, since they are placed directly by us. Other parties, such as Google, may also set their own (third-party) cookies through our Application. Please refer to the policies of these third parties to learn more about the way in which they collect and process information about you.
If you would prefer not to accept cookies, you can change the setup of your browser to reject all or some cookies. Note, if you reject certain cookies, you may not be able to use all of our Application's features. For more information, please visit https://www.aboutcookies.org/.
You may also set your browser to send a Do Not Track (DNT) signal. For more information, please visit https://allaboutdnt.com/. Please note that our Application does not have the capability to respond to "Do Not Track" signals received from web browsers.
For more information about our use of cookies, please see our Cookie Policy.
For What Purposes Do We Use Your Personal Data?
If you are a Customer or a Customer employee, we may process your Personal Data for the following business purposes:
- to enable the use of our Application;
- to provide you with information or products that you request from us;
- to respond to your requests or questions;
- to fulfill legal obligations and enforce our rights;
- to improve our Application; and
- to send you email marketing communications about our business which we think may interest you.
If you are an individual whose Personal Data was contained in an email a Preava Customer processed in our Application, we will only process your Personal Data for the purpose of providing our Application, which provides human layer security controls to our Customers.
How Long We Keep Your Personal Data
We retain Personal Data for as long as instructed by the respective Customer. We delete the Personal Data submitted to us by our Customers within six months of the end of our service agreement with the Customer, unless applicable laws require otherwise.
Your Personal Data may need to be retained in our backup systems and will only be deleted or overwritten at a later time, normally 6 months after the purpose for processing your Personal Data has been fulfilled. This may be the case even when you or a regulator has validly asked us to delete your Personal Data or when we no longer have a legal basis for processing such Personal Data.
Sharing Personal Data with Third Parties
We do not sell your Personal Data to third parties.
We do, however, share your Personal Data with third parties for our own operational business purposes. The categories of third parties to which we may disclose your Personal Data for our business purposes include:
- Infrastructure services providers
- Customer service providers
- Internet service providers
- Cloud service providers
- Office productivity software providers
- Payment processing providers
- Customer survey providers
- Email service providers
- Web analytics providers
- Enterprise open source solutions providers
- Project management tool providers
- Secure office messaging software providers
- Customer relationship management (CRM) providers
Some of these third parties may be located outside of the United States. However, when the Personal Data is protected by the GDPR, before transferring your Personal Data to these third parties, we will either ask for your explicit consent or require the third party to maintain at least the same level of privacy and security for your Personal Data that we do. We remain liable for the protection of your Personal Data that we transfer to third parties, except to the extent that we are not responsible for the event that leads to any unauthorized or improper processing.
Also, some of these third parties may be located outside of the European Union or the European Economic Area. In some cases, the European Commission may have determined that in some countries, their data protection laws provide a level of protection equivalent to European Union law. You can see here the list of countries that the European Commission has recognized as providing an adequate level of protection to Personal Data. We will only transfer your Personal Data to third parties in countries not recognized as providing an adequate level of protection to Personal Data when there are appropriate safeguards in place. These may include the European-Commission-approved standard contractual data protection clauses under Article 46.2 of the GDPR.
Other Disclosures of Your Personal Data
We may disclose your Personal Data to the extent required by law, or if we have a good-faith belief that we need to disclose it in order to comply with official investigations or legal proceedings (whether initiated by governmental/law enforcement officials, or private parties). If we have to disclose your Personal Data to governmental/law enforcement officials, we may not be able to ensure that those officials will maintain the privacy and security of your Personal Data.
We may also disclose your Personal Data if we sell or transfer all or some of our company's business interests, assets, or both, or in connection with a corporate restructuring. Finally, we may disclose your Personal Data to our subsidiaries or affiliates, but only if necessary for business purposes, as described in the section above.
We reserve the right to use, transfer, sell, and share aggregated, anonymous data for any legal purpose. Such data does not include any Personal Data. The purposes may include analyzing usage trends or seeking compatible advertisers, sponsors, and customers.
What Privacy Rights Do You Have?
You have specific rights regarding your Personal Data collected and processed by us. Your rights may include:
- The right to know what happens to your Personal Data (right to be informed)
- The right to know what Personal Data a Preava Customer has about you (right to access)
- The right to change your Personal Data (right to rectification)
- The right to delete your Personal Data (right of erasure or the "right to be forgotten")
- The right to ask us to change how we process your Personal Data
- The right to ask us to stop using your Personal Data (right to object)
- The right to port or move your Personal Data (right to portability)
- Rights related to automated decision making
- The right to withdraw your consent
- The right not to be discriminated against for exercising your privacy rights
- The right to lodge a complaint with a regulator
- The right to opt out of the sale of Personal Data
- The right to opt into the sale of Personal Data
If you contact us to exercise any of these rights, we will inform the Customer who processed your Personal Data in our Application as soon as possible. Please note that it is ultimately our Customers' responsibility to respond to any requests you make to exercise your rights. To exercise your rights with respect to information processed by us on behalf of one of our Customers, please read the privacy notice of our Customer or contact that Customer directly.
Privacy of Children
The Application is not directed at, or intended for use by, children under the age of 13. However, we cannot control what Personal Data our Customers process in our Application.
Data Integrity & Security
We are strongly committed to keeping your Personal Data safe. We have implemented and will maintain technical, administrative, and physical measures that are reasonably designed to help protect your Personal Data from unauthorized processing. Unauthorized processing includes unauthorized access, exfiltration, theft, disclosure, alteration, or destruction.
As a company founded to help our customers improve their own privacy and security, Preava takes great pride in protecting your Personal Data with industry-leading data protection standards and technical security measures including strong encryption and redaction.
European Union Supervisory Authority Oversight
If you are a data subject whose Personal Data we process, you may also have the right to lodge a complaint with a data protection regulator in one or more of the European Union member states.
Changes to this Notice
If we make any material change to this Notice, we will post the revised Notice to this web page and notify our Customers. We will also update the "Effective" date.
Contact Us
If you have any questions about this Notice or our processing of your Personal Data, or want to submit a verifiable consumer request, please write to our Chief Privacy Officer by email at privacy@preava.com or by postal mail at:
Preava, Inc.
Attn: Chief Privacy Officer
22 Essex Way #8203
Essex, VT 05451
USA
Please allow up to four weeks for us to reply.
European Union Representative
We have appointed VeraSafe as our representative in the EU for data protection matters. While you may also contact us, VeraSafe can be contacted on matters related to the processing of Personal Data. To contact VeraSafe, please use this contact form or call: +420 228 881 031.
Alternatively, VeraSafe can be contacted at:
VeraSafe Ireland Ltd
Unit 3D North Point House
North Point Business Park
New Mallow Road
Cork T23AT2P
Ireland
Data Protection Officer
We have appointed VeraSafe as our Data Protection Officer (DPO). While you may contact us directly, VeraSafe can also be contacted on matters related to the processing of Personal Data. VeraSafe's contact details are:
VeraSafe
22 Essex Way #8203
Essex, VT 05451
USA
Email: experts@verasafe.com
Web: https://www.verasafe.com/about-verasafe/contact-us/