Application Privacy Notice

Effective on: October 22nd, 2020

What Is Covered by this Privacy Notice?

This Notice addresses individuals (or "data subjects") whose Personal Data we may receive from our direct customers ("Customers") in our web-based software application (the "Application").

Our Customers license our Application to help prevent data breaches. Since our Application scans email, the Application has access to any Personal Data that each Customer's email messages contain. The Application therefore processes the Personal Data of a variety of types of data subjects, including our Customers themselves (if they're individuals), employees and contractors of our direct Customers (if they're organizations), our Customers' customers or email contacts, and any other individuals whose data our Customers include in an email message scanned by our Application.

Our Customers use our Application to store and process Personal Data of themselves, their own customers, clients, employees, and others. Preava acts only as a service provider, also known as a data processor. We do not decide what Personal Data our Customers submit to or scan with our Application. In general we will only access such Personal Data as necessary in order to provide and maintain our Application, at a Customer's request in connection with technical support or account administration matters, or if we are required to do so by law.

For information about how our Customers use your Personal Data, please contact the relevant Preava Customer directly or refer to the Customer's privacy policy.

What Is Not Covered by this Privacy Notice?

Human Resources Personal Data

This Notice does not apply to the Personal Data of employees, job applicants, contractors, business owners, directors, officers, and other personnel of Preava processed by us for employment purposes.

Information that Is Not Personal Data

If we do not maintain information in a manner that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular individual or household, such information is not considered "Personal Data" and this Notice will not apply to our processing of that information.

What Can You Find in this Notice?

This Notice tells you, among other things:

Our Role with Respect to Your Personal Data

Within the scope of this Notice, Preava acts as an agent, also known as a data processor or "service provider," for the Personal Data we process for our Customers in our Application. This means that our Customers determine the type of Personal Data they provide for us to process on their behalf. We typically have no direct relationship with the individuals whose Personal Data we receive from our Customers, unless the Personal Data is that of our Customers themselves (if they're individuals).

As a data processor, Preava processes Personal Data within the scope of this Notice based on the instructions of our Customers. To learn about the lawful grounds on which they process your Personal Data, please contact the Preava Customer who used our Application to process your Personal Data directly or refer to their privacy notice.

What Personal Data We Process and How We Obtain It

The table below describes the categories of Personal Data we have collected about you in the last twelve months or since this Notice was last updated (whichever is more recent).

 

| Personal Data We Collect, Process, or Store | How We Obtain It |
| --- | --- |
| Identifiers: Names, online identifier, Internet Protocol (IP) address, email addresses | We obtain identifiers contained in email that our Customers scan with our Application |
| Special categories of Personal Data: We may process sensitive or special categories of Personal Data, including information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, data concerning health, or data concerning a natural person's sex life or sexual orientation if such data is included, directly or indirectly, in an email processed in our Application | While we do not intentionally collect special categories of Personal Data, we have access to all information contained in email that our Customers scan with our Application |
| Protected characteristics: We may process personal information with protected characteristics such as age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, or genetic information (including familial genetic information) if such data is included, directly or indirectly, in an email processed in our Application | While we do not intentionally collect personal information with protected characteristics, we have access to all information contained in email that our Customers scan with our Application |
| Commercial information: We may process commercial information such as records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies if such data is included, directly or indirectly, in an email processed in our Application | While we do not intentionally collect commercial information, we have access to all information contained in email that our Customers scan with our Application |
| Biometric information: We may process biometric information such as genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data, if such data is included, directly or indirectly, in an email processed in our Application | While we do not intentionally collect biometric information, we have access to all information contained in email that our Customers scan with our Application |
| Internet or other similar network activity: We may process browsing history, search history, and information on a consumer's interaction with a website, application, or advertisement if such data is included, directly or indirectly, in an email processed in our Application | We process internet and network activity information contained in email that our Customers scan with our Application |
| Geolocation data: Physical location or movements, including IP addresses | We process geolocation data, including IP addresses, contained in email that our Customers scan with our Application |
| Professional or employment-related information: We may process current or past job history or performance evaluations and job title if such data is included, directly or indirectly, in an email processed in our Application | We process professional and employment-related information contained in email that our Customers scan with our Application |
| Non-public education information: We may process education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. | While we do not intentionally collect non-public education information, we process all information contained in email that our Customers scan with our Application |
| Inferences drawn from other Personal Data: Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | We process all data contained in email that our Customers scan with our Application |

We will not collect additional categories of Personal Data without informing you.

According to the CCPA, Personal Data does not include:

  • de-identified or aggregated consumer information; and
  • information excluded from the CCPA's scope, such as:
    • health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data; and
    • information covered by the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver's Privacy Protection Act of 1994.

Consequently, we do not refer to such information in this Notice.

Cookies

A "cookie" is a small file stored on your device that contains information about your device. We may use cookies to provide application functionality, authentication (session management), and usage analytics (web analytics), to remember your settings, and to generally improve our Application.

We use session and persistent cookies. Session cookies are deleted when you close your browser. Persistent cookies may remain even after you close your browser, but always have an expiration date. Most of the cookies placed on your device through our Application are first-party cookies, since they are placed directly by us. Other parties, such as Google, may also set their own (third-party) cookies through our Application. Please refer to the policies of these third parties to learn more about the way in which they collect and process information about you.

If you would prefer not to accept cookies, you can change the setup of your browser to reject all or some cookies. Note, if you reject certain cookies, you may not be able to use all of our Application's features. For more information, please visit https://www.aboutcookies.org/.

You may also set your browser to send a Do Not Track (DNT) signal. For more information, please visit https://allaboutdnt.com/. Please note that our Application does not have the capability to respond to "Do Not Track" signals received from web browsers.

For more information about our use of cookies, please see our Cookie Policy.

For What Purposes Do We Use Your Personal Data?

If you are a Customer or a Customer employee, we may process your Personal Data for the following business purposes:

  • to enable the use of our Application;
  • to provide you with information or products that you request from us;
  • to respond to your requests or questions;
  • to fulfill legal obligations and enforce our rights;
  • to improve our Application; and
  • to send you email marketing communications about our business which we think may interest you.

If you are an individual whose Personal Data was contained in an email a Preava Customer processed in our Application, we will only process your Personal Data for the purpose of providing our Application, which provides human layer security controls to our Customers.

How Long We Keep Your Personal Data

We retain Personal Data for as long as instructed by the respective Customer. We delete the Personal Data submitted to us by our Customers within six months of the end of our service agreement with the Customer, unless applicable laws require otherwise.

Your Personal Data may need to be retained in our backup systems and will only be deleted or overwritten at a later time, normally 6 months after the purpose for processing your Personal Data has been fulfilled. This may be the case even when you or a regulator has validly asked us to delete your Personal Data or when we no longer have a legal basis for processing such Personal Data.

Sharing Personal Data with Third Parties

We do not sell your Personal Data to third parties.

We do, however, share your Personal Data with third parties for our own operational business purposes. The categories of third parties to which we may disclose your Personal Data for our business purposes include:

  • Infrastructure services providers
  • Customer service providers
  • Internet service providers
  • Cloud service providers
  • Office productivity software providers
  • Payment processing providers
  • Customer survey providers
  • Email service providers
  • Web analytics providers
  • Enterprise open source solutions providers
  • Project management tool providers
  • Secure office messaging software providers
  • Customer relationship management (CRM) providers

Some of these third parties may be located outside of the United States. However, when the Personal Data is protected by the GDPR, before transferring your Personal Data to these third parties, we will either ask for your explicit consent or require the third party to maintain at least the same level of privacy and security for your Personal Data that we do. We remain liable for the protection of your Personal Data that we transfer to third parties, except to the extent that we are not responsible for the event that leads to any unauthorized or improper processing.

Also, some of these third parties may be located outside of the European Union or the European Economic Area. In some cases, the European Commission may have determined that in some countries, their data protection laws provide a level of protection equivalent to European Union law. You can see here the list of countries that the European Commission has recognized as providing an adequate level of protection to Personal Data. We will only transfer your Personal Data to third parties in countries not recognized as providing an adequate level of protection to Personal Data when there are appropriate safeguards in place. These may include the European-Commission-approved standard contractual data protection clauses under Article 46.2 of the GDPR.

Other Disclosures of Your Personal Data

We may disclose your Personal Data to the extent required by law, or if we have a good-faith belief that we need to disclose it in order to comply with official investigations or legal proceedings (whether initiated by governmental/law enforcement officials, or private parties). If we have to disclose your Personal Data to governmental/law enforcement officials, we may not be able to ensure that those officials will maintain the privacy and security of your Personal Data.

We may also disclose your Personal Data if we sell or transfer all or some of our company's business interests, assets, or both, or in connection with a corporate restructuring. Finally, we may disclose your Personal Data to our subsidiaries or affiliates, but only if necessary for business purposes, as described in the section above.

We reserve the right to use, transfer, sell, and share aggregated, anonymous data for any legal purpose. Such data does not include any Personal Data. The purposes may include analyzing usage trends or seeking compatible advertisers, sponsors, and customers.

What Privacy Rights Do You Have?

You have specific rights regarding your Personal Data collected and processed by us. Your rights may include:

  • The right to know what happens to your Personal Data (right to be informed)
  • The right to know what Personal Data a Preava Customer has about you (right to access)
  • The right to change your Personal Data (right to rectification)
  • The right to delete your Personal Data (right of erasure or the "right to be forgotten")
  • The right to ask us to change how we process your Personal Data
  • The right to ask us to stop using your Personal Data (right to object)
  • The right to port or move your Personal Data (right to portability)
  • Rights related to automated decision making
  • The right to withdraw your consent
  • The right not to be discriminated against for exercising your privacy rights
  • The right to lodge a complaint with a regulator
  • The right to opt out of the sale of Personal Data
  • The right to opt into the sale of Personal Data

If you contact us to exercise any of these rights, we will inform the Customer who processed your Personal Data in our Application as soon as possible. Please note that it is ultimately our Customers' responsibility to respond to any requests you make to exercise your rights. To exercise your rights with respect to information processed by us on behalf of one of our Customers, please read the privacy notice of our Customer or contact that Customer directly.

Privacy of Children

The Application is not directed at, or intended for use by, children under the age of 13. However, we cannot control what Personal Data our Customers process in our Application.

Data Integrity & Security

We are strongly committed to keeping your Personal Data safe. We have implemented and will maintain technical, administrative, and physical measures that are reasonably designed to help protect your Personal Data from unauthorized processing. Unauthorized processing includes unauthorized access, exfiltration, theft, disclosure, alteration, or destruction.

As a company founded to help our customers improve their own privacy and security, Preava takes great pride in protecting your Personal Data with industry-leading data protection standards and technical security measures including strong encryption and redaction.

European Union Supervisory Authority Oversight

If you are a data subject whose Personal Data we process, you may also have the right to lodge a complaint with a data protection regulator in one or more of the European Union member states.

Changes to this Notice

If we make any material change to this Notice, we will post the revised Notice to this web page and notify our Customers. We will also update the "Effective" date.

Contact Us

If you have any questions about this Notice or our processing of your Personal Data, or want to submit a verifiable consumer request, please write to our Chief Privacy Officer by email at privacy@preava.com or by postal mail at:
Preava, Inc.
Attn: Chief Privacy Officer
22 Essex Way #8203
Essex, VT 05451
USA

Please allow up to four weeks for us to reply.

European Union Representative

We have appointed VeraSafe as our representative in the EU for data protection matters. While you may also contact us, VeraSafe can be contacted on matters related to the processing of Personal Data. To contact VeraSafe, please use this contact form or contact them via telephone at: +420 228 881 031.

Alternatively, VeraSafe can be contacted at:
VeraSafe Ireland Ltd
Unit 3D North Point House
North Point Business Park
New Mallow Road
Cork T23AT2P
Ireland

Data Protection Officer

We have appointed VeraSafe as our Data Protection Officer (DPO). While you may contact us directly, VeraSafe can also be contacted on matters related to the processing of Personal Data. VeraSafe's contact details are:

VeraSafe
22 Essex Way #8203
Essex, VT 05451
USA
Email: experts@verasafe.com
Web: https://www.verasafe.com/about-verasafe/contact-us/

 
