Preava, Inc. ("Preava", "we", "us", "our") takes the protection of personal data ("Personal Data") very seriously. Please read this privacy notice (the "Notice") to learn what we are doing with your Personal Data, how we protect it, and what privacy rights you may have under the European Union General Data Protection Regulation ("GDPR") and the California Consumer Privacy Act of 2018 ("CCPA").
What Is Covered by this Privacy Notice?
This Notice addresses data subjects (which includes both individuals and households) whose Personal Data we:
- receive directly through our website(s);
- receive from our business partners; or
- process to promote our products and services.
What Is Not Covered in this Privacy Notice?
Application Personal Data
This Notice does not apply to the Personal Data received from our direct customers ("Customers") in our web-based software application (the "Application). Please see the Application Privacy Notice for more information.
Human Resources Personal Data
This Notice does not apply to the Personal Data of employees, job applicants, contractors, business owners, directors, officers, and medical staff of Preava.
Information Which Does Not Constitute Personal Data
If we do not maintain information in a manner that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular individual or household, such information is not considered "Personal Data" and this Notice will not apply to our processing of that information.
Personal Data Processed in Business to Business Communications and Transactions
This Notice does not apply to Personal Data reflecting communications or transactions between us and you when you are acting as an employee, owner, director, officer, or contractor company, partnership, sole proprietorship, nonprofit, or government agency ("Your Entity") and when we are conducting due diligence regarding Your Entity or providing or receiving a product or service to or from Your Entity.
What Can You Find in this Notice?
This Notice tells you, among other things:
- What Personal Data we collect about you and how we obtain it;
- The legal bases for processing your Personal Data;
- For what purposes we use that Personal Data;
- How long we keep your Personal Data;
- With whom we share your Personal Data;
- Your rights about the Personal Data we collect about you and how you can exercise those rights;
- How we protect your Personal Data; and
- How to contact us.
Our Role with Respect to Your Personal Data
There is Personal Data that we process for own purposes and Personal Data that we process on behalf of our Customers. This means that we do not always have the same degree of decision-making with respect to why and how each piece of Personal Data will be processed.
- Regarding the Personal Data of employees, job applicants, contractors, users of our website(s) generally or business contacts and prospects of Preava, we decide the purposes and means of processing, and consequently act as a data controller or "business".
- Regarding the Personal Data of individuals which we receive from our direct customers ("Customers") in our web-based software application (the "Application), we process Personal Data as "service providers" or data processors on behalf of our Customers, who use our Application to store and process Personal Data of themselves, their own customers, clients, employees, and others. Please see the Application Privacy Notice for more information. Where you give your data to one of our Customers or where we collect your Personal Data on their behalf, our Customer’s privacy notice, rather than this Notice, will apply to our processing of your Personal Data. If you have a direct relationship with one of our Customers, please contact them to exercise your privacy rights.
Lawful Bases for Processing
We must have a valid reason to use your Personal Data. This is called the "lawful basis for processing". When operating as a data controller, we may process your Personal Data on the basis of:
- your consent;
- our legitimate interests or those of a third party, such as our interest in marketing our services;
- the need to comply with the law; or
- any other ground, as required or permitted by law.
Where we process your or your child’s Personal Data based on your consent, you may withdraw it at any time. However, this will not affect the lawfulness of our processing before you withdrew your consent. It will also not affect the validity of our processing of Personal Data performed on other lawful grounds.
What Personal Data We Process and How We Obtain It
The table below describes the categories of Personal Data we have collected about you in the last twelve months.
We will not collect additional categories of Personal Data without informing you.
We use session and persistent cookies. Session cookies are deleted when you close your browser. Persistent cookies may remain even after you close your browser, but always have an expiration date. Most of the cookies placed on your device through our websites are first-party cookies which are placed directly by us. Other parties, such as Google, may also set their own (third-party) cookies through our websites. Please refer to the policies of these third parties to learn more about the way in which they collect and process information about you.
If you would prefer not to accept cookies, you can change the setup of your browser to reject all or some cookies. Note, if you reject certain cookies, you may not be able to use all features of our Services. For more information, please visit https://www.aboutcookies.org/.
You may also set your browser to send a Do Not Track (DNT) signal. For more information, please visit https://allaboutdnt.com/. Please note that our Services do not have the capability to respond to "Do Not Track" signals received from web browsers.
For What Purposes Do We Use Your Personal Data?
We may process your Personal Data for the following business purposes:
- providing you with information that you request from us;
- responding to your requests or questions;
- fulfilling legal obligations and enforce our rights;
- improving our websites;
- improving our products and service offerings; and
- sending you email marketing communications about our business which we think may interest you.
How Long We Keep Your Personal Data
When the purposes of processing are satisfied, we will delete the related Personal Data within six (6) months or upon receipt of a verified request.
Sharing Personal Data with Third Parties
We do not sell your Personal Data to third parties. In the preceding twelve (12) months however, we have disclosed the following categories of Personal Data to other parties for business purposes:
- Special categories of Personal Data
- Protected characteristics
- Commercial information
- Internet or other similar network activity
- Geolocation data
- Professional or employment-related information
- Inferences drawn from other Personal Data
The categories of third parties to which we may disclose your Personal Data for our business purposes include:
- Infrastructure services providers
- Customer service providers
- Internet service providers
- Cloud service providers
- Office tools providers
- Payment processing providers
- Customer survey providers
- Email service providers
- Web analytics providers
- Enterprise open source solutions providers
- Project management tool providers
- Secure office messaging software providers
- Customer relationship management (CRM) providers
When you use the websites, certain third parties may collect Personal Data about your online activities over time and across different websites or online services. Please refer to the policies of these third parties to learn more about the way in which they collect and process information about you.
Some of these third parties may be located outside of the European Union or the European Economic Area ("EEA"). In some cases, the European Commission may have determined that in some countries, their data protection laws provide a level of protection equivalent to European Union law. You can see here the list of countries that the European Commission as recognized as providing an adequate level of protection to personal data. We will only transfer your Personal Data to third parties in countries not recognized as providing an adequate level of protection to personal data when there are appropriate safeguards in place. These safeguards may include the Standard Contractual Clauses as approved by the European Commission under Article 46.2 of the GDPR.
Other Disclosures of Your Personal Data
We may disclose your Personal Data to the extent required by law, or if we have a good-faith belief that we need to disclose it in order to comply with official investigations or legal proceedings (whether initiated by governmental/law enforcement officials, or private parties). If we have to disclose your Personal Data to governmental/law enforcement officials, we may not be able to ensure that those officials will maintain the privacy and security of your Personal Data.
We may also disclose your Personal Data if we sell or transfer all or some of our company’s business interests, assets, or both, or in connection with a corporate restructuring. Finally, we may disclose your Personal Data to our subsidiaries or affiliates, but only if necessary for business purposes, as described in the section above.
We reserve the right to use, transfer, sell, and share aggregated, anonymous data for any legal purpose. Such data does not include any Personal Data. The purposes may include analyzing usage trends or seeking compatible advertisers, sponsors, and customers.
What Privacy Rights Do You Have?
You have specific rights regarding your Personal Data that we collect and process. Please note that you can only exercise these rights with respect to Personal Data that we process about you when we act as a data controller or as a "business" under the CCPA. To exercise your rights with respect to information processed by us on behalf of one of our Customers, please read the privacy notice of that Customer.
In this section, we first describe those rights and then we explain how you can exercise those rights.
Right to Know What Happens to Your Personal Data
This is called the right to be informed. It means that you have the right to obtain from us all information regarding our data processing activities that concern you or your child, such as how we collect and use your Personal Data, how long we will keep it, and who it will be shared with, among other things.
We are informing you of how we process your Personal Data with this Notice.
Right to Know What Personal Data Preava Has About You
This is called the right of access. This right allows you to ask for full details of the Personal Data we hold on you, including confirmation of whether or not we process Personal Data concerning you or your child, and, where that is the case, a copy or access to the Personal Data and certain related information.
Once we receive and confirm that the request came from you or your authorized agent, we will disclose to you:
- The categories of your Personal Data that we process;
- The categories of sources for your Personal Data;
- Our purposes for processing your Personal Data;
- Where possible, the retention period for your Personal Data, or, if not possible, the criteria used to determine the retention period;
- The categories of third parties with whom we share your Personal Data;
- If we carry out automated decision-making, including profiling, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you;
- The specific pieces of Personal Data we process about you in an easily-sharable format;
- If we sold or disclosed your Personal Data for a business purpose, the categories of Personal Data and categories of recipients of that Personal Data for disclosure;
- If we rely on legitimate interests as a lawful basis to process your Personal Data, the specific legitimate interests; and
- The appropriate safeguards used to transfer Personal Data from the EU to a third country, if applicable.
Under some circumstances, we may deny your access request. In that event, we will respond to you with the reason for the denial.
The CCPA does not allow us to disclose Social Security numbers, driver’s license numbers or other government-issued identification numbers, financial account numbers, any health insurance or medical identification numbers, account passwords, or security questions and answers. We can inform you that we have this information generally, but we may not provide the specific numbers, passwords etc. to you for security and legal reasons.
Right to Change Your Personal Data
This is called the right to rectification. It gives you the right to ask us to correct without undue delay anything that you think is wrong with the Personal Data we have on file about you or your child, and to complete any incomplete Personal Data.
Right to Delete Your Personal Data
This is called the right to erasure, right to deletion, or the right to be forgotten. This right means you can ask for your Personal Data to be deleted.
Sometimes we can delete your information, but other times it is not possible for either technical or legal reasons. If that is the case, we will consider if we can limit how we use it. We will also inform you of our reason for denying your deletion request.
Right to Ask us to Change How We Process Your Personal Data
This is called the right to restrict processing. It is the right to ask us to only use or store your Personal Data for certain purposes. You have this right in certain instances, such as where you believe the data is inaccurate or the processing activity is unlawful.
Right to Ask Us to Stop Using Your Personal Data
This is called the right to object. This is your right to tell us to stop using your Personal Data. You have this right where we rely on a legitimate interest of ours (or of a third party). You may also object at any time to the processing of your Personal Data for direct marketing purposes.
We will stop processing the relevant Personal Data unless: (i) we have compelling legitimate grounds for the processing that override your interests, rights, or freedoms; or (ii) we need to continue processing your Personal Data to establish, exercise, or defend a legal claim.
Right to Port or Move Your Personal Data
This is called the right to data portability. It is the right to ask for and receive a portable copy of your Personal Data that you have given us or that you have generated by using our services, so that you can:
- Move it;
- Copy it;
- Keep it for yourself; or
- Transfer it to another organization.
We will provide your Personal Data in a structured, commonly used, and machine-readable format. When you request this information electronically, we will provide you a copy in electronic format.
Right to Withdraw Your Consent
Where we rely on your consent as the legal basis for processing your Personal Data, you may withdraw your consent at any time. If you withdraw your consent, our use of your Personal Data before you withdraw is still lawful.
If you have given consent for your details to be shared with a third party and wish to withdraw this consent, please also contact the relevant third party in order to change your preferences.
Right to Non-Discrimination
We will not discriminate against you for exercising any of your privacy rights. Unless the applicable data protection laws permit it, we will not:
- Deny you goods or services;
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits or imposing penalties;
- Provide you a different level or quality of goods or services; or
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
Right to Lodge a Complaint with a Supervisory Authority
If the GDPR applies to our processing of your Personal Data, you have the right to lodge a complaint with a supervisory authority if you are not satisfied with how we process your Personal Data.
Specifically, you can lodge a complaint in the Member State of the European Union of your habitual residence, place of work, or the alleged violation of the GDPR.
How Can You Exercise Your Privacy Rights?
To exercise any of the rights described above, please submit a request by either:
- Contacting us by email at email@example.com;
- Writing to us by postal mail at:
Attn: Chief Privacy Officer
22 Essex Way #8203
Essex, VT 05451
Verification of Your Identity
In order to correctly respond to your privacy rights requests , we need to confirm that YOU made the request. Consequently, we may require additional information to confirm that you are who you say you are.
We will verify your identity via the following method: checking information provided by you for verification purposes against your account with us, and by sending a verification code through to your email account in line with Article 4 of the AG Proposed Regulations.
We will only use the Personal Data you provide us in a request to verify your identity or authority to make the request.
Response Timing and Format of Our Responses
We will confirm the receipt of your request within ten (10) days and, in that communication, we will also describe our identity verification process (if needed) and when you should expect a response, unless we have already granted or denied the request.
Please allow us up to thirty (30) days to reply to your requests from the day we received your request. If we need more time (up to 90 days in total), we will inform you of the reason why and the extension period in writing.
If we cannot satisfy a request, we will explain why in our response. For data portability requests, we will choose a format to provide your Personal Data that is readily useable and should allow you to transmit the information from one entity to another entity without difficulty.
We will not charge a fee for processing or responding to your requests. However, we may charge a fee if we determine that your request is excessive, repetitive, or manifestly unfounded. In those cases, we will tell you why we made that determination and provide you with a cost estimate before completing your request.
Privacy of Children
The websites are not directed at, or intended for use by, children under the age of 13.
Data Integrity & Security
We are strongly committed to keeping your Personal Data safe. We have implemented and will maintain technical, administrative, and physical measures that are reasonably designed to help protect your Personal Data from unauthorized processing. Unauthorized processing includes unauthorized access, exfiltration, theft, disclosure, alteration, or destruction. Some of those protection measures include encryption and redaction and we also have dedicated teams to look after information security and privacy.
Data Transfer Mechanisms
Preava uses the SCCs as its primary data transfer mechanism for transferring Personal Data from the EEA. The SCCs are formally integrated into our agreements with third parties from whom and on behalf of whom we receive EEA Personal Data.
In addition, Preava regularly reviews and confirms its compliance with the most up-to-date guidance and obligations on valid data transfer under applicable privacy regulations. If we find it necessary to update the data transfer mechanism used, we will update this Privacy Notice accordingly.
U.S. Regulatory Oversight
Preava is subject to the investigatory and enforcement powers of the United States Federal Trade Commission.
European Union Supervisory Authority Oversight
If you are a data subject whose Personal Data we process, you may also have the right to lodge a complaint with a data protection regulator in one or more of the European Union member states.
Changes to this Notice
If we make any material change to this Notice, we will post the revised Notice to this web page. We will also update the "Effective" date. By continuing to use our websites after we post any of these changes, you accept the modified Notice.
If you have any other questions about this Notice or our processing of your Personal Data, please write to our Chief Privacy Officer by email at firstname.lastname@example.org or by postal mail at:
Attn: Chief Privacy Officer
22 Essex Way #8203
Essex, VT 05451
Please allow up to four weeks for us to reply.
European Union Representative
We have appointed VeraSafe as our representative in the EU for data protection matters. While you may also contact us, VeraSafe can be contacted on matters related to the processing of Personal Data. To contact VeraSafe, please use this contact form: or via telephone at: +420 228 881 031.
Alternatively, VeraSafe can be contacted at:
VeraSafe Ireland Ltd
Unit 3D North Point House
North Point Business Park
New Mallow Road
Data Protection Officer
We have appointed VeraSafe as our Data Protection Officer (DPO). While you may contact us directly, VeraSafe can also be contacted on matters related to the processing of Personal Data. VeraSafe’s contact details are:
22 Essex Way #8203
Essex, VT 05451
Get started with Preava
Keep safe from unwanted data breaches and the destruction of sensitive information. Enter your email and get started!