VALIDSOFT

Privacy Policy

Effective Date: August 1, 2019

This Privacy Policy provides information about, and applies to, the processing (i.e., the collection, further processing, use and sharing) of personal data on visitors to our websites by all entities belonging to the ValidSoft group.

The ValidSoft group consists of VSFT Holdings Inc. (Delaware), Company Number 6140507; ValidSoft Limited (Ireland), Company Number 377068; and VS Labs Limited (UK), Company Number 11000361.

Some special rules apply to processing by us that is subject to the European Union’s General Data Protection Regulation (GDPR), as explained under that heading, towards the end of this Policy.

At the end of this policy we also provide basic information on how we build privacy- and data protection law compliance into all our solutions “by design and default” (see under that heading).

Our promise to you, our website visitors:

We are fully committed to protecting your privacy, security, and online safety, all of which are a significant part of our essential mission: to provide industry-leading security software and fraud prevention solutions and services focused on multi-factor authentication, especially through voice biometrics and device-verification solutions, in ways that fully comply with privacy- and data protection laws, including GDPR.

Scope of this policy

This Privacy Policy applies to any personal information or data we obtain from and on you, our visitors to our websites, in connection with your visit to our website and in connection with any follow-up to that visit (e.g., the sending of email updates on our products if you have asked for those).

By “personal information or data” we mean any information or data that relates to an identified or identifiable living person. In the United States, this type of information is often referred to as “Personally Identifiable Information” or PII, while in Europe, the term “personal data” is used.

What data we collect, how we collect it, and what we use it for

Session cookies:

We collect some information on you and on the device through which you connect to our website that is essential to make our site work. This is mainly done through so-called “cookies” that expire at the end of your visit (“session cookies”). This information can include your IP address, the type of device you are using and the operating system, browser type and version and whether your browser is JavaScript compatible. This information is only used during your visit (the so-called “session”) and deleted immediately when you leave our website (hence the term “session cookies”). You cannot reject the use of these cookies.

Analytics cookies:

We also collect some information on you and your device that we analyse in a de-personalized (pseudonymous) way to help us improve the user experience of visitors to our sites (“analytics cookies”). In addition to the essential information mentioned above, this may include your preferred language; geographic location using IP address, the location of an access point you access while using the Service, or the GPS or wireless technology on your device; date and time of your visit; any searches you conducted on our site; and areas of our site that you visited. We also may log the length of time of your visit and the number of times you visit our site. We may assign you one or more unique identifiers to help keep track of your future visits. This information is generated by various tracking technologies that may include “cookies,” “flash LSOs,” “web beacons” or “web bugs,” and “clear GIFs”.

We may use Google Analytics or similar services to analyse the above information and to create statistics in relation to our website use. In the process of creating the statistics, all identifying elements are removed: the statistical outcome data no longer contain any personal information or data. We use the statistical outcome data for the following purposes:

  • To know how many visitors per day visit our site
  • To know how much traffic we are sending outbound
  • To know which items on our site are being downloaded (e.g. PDFs, long-form reports, short items)
  • To identify items not found, i.e. 404s so that we can fix them
  • To identify the types of operating systems being used and browsers so we can design our site accordingly
  • To identify the time of day when our site is most used in case we want to do syncs and repairs (that result in our site being down temporarily)

These statistics are only available to ValidSoft and our web developers. ValidSoft keeps the aggregate (de-personalized) data indefinitely, and uses this aggregate data to report internally, to our Board and to our investors. For instance, we will report to our Board that a report was downloaded X number of times.

We also allow our web developers to use these logs and other non-personal or fully de-personalised information for their own business purposes, such as for troubleshooting and defining usage patterns.

We do not share any of our analytics data with anyone else, or make it available to anyone else. However, if you want, you can reject the use of these analytics cookies, when prompted at the bottom of the browser window.

Lists and forms:

On our website, you can sign up to several lists and forms, i.e.:

  • Sign up for the mailing list. This form only asks for your email address. These addresses are collected and stored in a MailChimp account and may be used by ValidSoft for email marketing.
  • Contact Us. This form asks only for your name and email address and other contact information which you choose to provide.
  • Become a Partner. This form asks for your name, company name, phone number and email address as mandatory data.

The text on the pages where these lists and subscription forms are offered explains the purpose of the list or form and how the information will be used in more detail.

Signing up to any of these lists is of course entirely voluntary – but if you do want to sign up to any of them, you will have to provide the requested information (or at least the information requested in the *mandatory fields in the relevant form).

We will only use the information you provide in these contexts to provide you with the service you requested, such as email updates on selected products, or a test account; and in a de-personalised form for analytical purposes (for instance, to see how many visitors from a particular industry sector or a particular country signed up for these services).

You can always unsubscribe from any of these lists, either by re-visiting the relevant webpage and clicking on “Unsubscribe” or, if the service involved the receipt of emails (such as email updates), by emailing privacy@validsoft.com and requesting to “Unsubscribe”.

Our Site may contain publicly accessible blogs or community forums. You should be aware that any information provided in these areas may be read, collected and used by others who access them. To request removal of any personal information from our blog or community forum, contact us at privacy@validsoft.com.

Third party links:

Occasionally, we may point from our websites to other internet services that use cookies or other analytics services over which ValidSoft does not have control.

This is also the case with multi-media services, and with the links that we embed or post on our Twitter, LinkedIn or Facebook accounts or YouTube channel.

If you click on such a link, the third party to which you are directed may collect data on you once you reach their sites or platforms, subject to their privacy policies. This is outside of the responsibility of ValidSoft.

Disclosures of personal data:

We share your data within the ValidSoft Group as and when this is appropriate for our business purposes including the processing described in this Privacy Policy. Other than as described in this Policy, we do not disclose any personal data to third parties (except as and when required by law).

Data retention:

We will only keep any information or data on you for as long as we need the information or data to interact with you (or in rare instances, where this may be needed for legal purposes).

Use of processors (agents):

We use other companies to assist us in the processing of your data, including Google Analytics, MailChimp and other similar cloud providers. They only process the personal data on our behalf and as instructed or agreed by us. In EU data protection law, such agents are called processors. We have contracts in place between us and these processors that meet all the requirements of U.S. and EU privacy/data protection law.

On the requirements of the EU General Data Protection Regulation for contracts with processors, see Article 28 GDPR, available here:

https://gdpr-info.eu/art-28-gdpr/ 

Transfers of personal data on EU individuals to non-EU countries:

When we collect information from and on individuals in the EU, we may transfer those data to servers and processors in non-EU countries, in particular in the USA. When we do so, we do this on the basis of standard data transfer contracts as approved by the Commission of the EU, or on the basis of the so-called “Privacy Shield” agreed between the EU and the USA, for service providers or processors who have self-certified their compliance with the Privacy Shield principles.

For information on the EU standard transfer contracts, see:

https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en 

For information on the EU – USA Privacy Shield, see:

https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en 

https://www.privacyshield.gov/welcome 

Data security

We use administrative, organizational, technical, and physical safeguards to protect the personal information and data we collect and process. Our security controls are designed to maintain an appropriate level of data confidentiality, integrity, and availability. We regularly test our website, data centers, systems, and other assets for security vulnerabilities, and require any companies that assist us in the processing of personal data on our websites to also take all appropriate administrative, organizational, technical, and physical measures needed to ensure the security of the information and data they process.

Your rights in relation to the personal data we collect from and on you when you visit our website:

If you ask us, we will provide you with a copy of the data we collected on you from your website visits (if we still have it in identifiable form), and we will of course gladly correct any errors you may point out. Any corrections will be shared with the other entities in the ValidSoft Group.

As already noted above, under “Lists and forms”, you can always unsubscribe from our mailing list, contact list or partner subscription list.

If you want to exercise any of these rights, or to receive any further information on our processing of your personal information and data, please email our Data Protection Officer (DPO), at: privacy@validsoft.com 

Additional rights and obligations under the EU General Data Protection Regulation:

The EU General Data Protection Regulation (GDPR) applies to our collecting and processing of your personal data in the context of a visit by you to our website if you, our visitor, are in the European Union or the European Economic Area (the EU plus Iceland, Liechtenstein and Norway).

This Privacy Policy in almost all respects already complies with the GDPR, even in relation to visitors who do not come from the EU/EEA, e.g., by fully informing them of the processing of their data (in the form of this Privacy Policy); allowing visitors to disable analytics cookies; processing list and subscriber data only with the full, specific, informed and express consent of the subscribers; limiting data sharing to companies within the ValidSoft Group and processors; limiting the retention periods for personal data; and in the arrangements for the use of processors, and for transfers of personal data on EU persons to non-EU countries; and in terms of data security.

The GDPR is more extensive in relation to data subject rights. In particular, the GDPR requires companies that are subject to it to grant EU/EEA-based data subjects, on request:

  • access to the information so captured (if it is still held in identifiable form) and on matters such as recipients of the information (Article 15 GDPR);
  • the right to correct (rectify) the data if they contain any inaccuracies (Article 16);
  • the right to have the data erased if they were captured or further processed contrary to the GDPR (Article 17);
  • the right to have disputed or challenged data blocked from further use (Article 18);
  • the right to have any third-party recipients of the data informed of the correction(s), erasure or blocking of the data (Article 19);
  • the right to object to the processing and stop it, unless the company can “demonstrate” that it has “compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject”, or that the data are necessary for the establishment, exercise or defence of legal claims (Article 21);
  • the right to be notified of any data breach (security breach involving the loss or unauthorised disclosure of the data) that is “likely to result in a high risk to the rights and freedoms” of the data subject (Article 34);
  • the right to complain to an independent supervisory authority (usually called the data protection authority or information commissioner) in the EU Member State where the individual is situated; and
  • the right to receive compensation from the company for any (material or immaterial) damage suffered as a result of any processing that failed to comply with any of the above requirements, or indeed any other requirements of the GDPR (Art. 82), which of course includes in particular (but is far from limited to) compensation for any damages resulting from a data breach.

Where we capture and process any personal data on EU persons, we will fully respect and grant those data subjects those rights.

If you want to exercise any of these GDPR rights, or to receive any further information on our processing of your personal information and data, please email our Data Protection Officer (DPO), at: privacy@validsoft.com – mentioning that you are from the EU/EEA and want to exercise your rights under the GDPR.

Processing of personal data in the use of our solutions:

As explained above, under the heading Scope, this Privacy Policy only applies to the processing of any personal information or data we obtain from and on you, our visitors to our websites, in connection with your visit to our website and in connection with any follow-up to that visit (e.g., the sending of email updates on our products if you have asked for those).

But as we made clear in Our promise to you, our website visitors, we are fully committed to protecting your privacy, security, and online safety in all contexts in which we are active, including in relation to the processing of personal data in the use of our security software and fraud prevention solutions and services. However, in relation to such processing our role is different from the one we have in relation to the processing covered by the present Privacy Policy, for which we solely determine the purposes and means (like the cookies). By contrast, when a ValidSoft customer uses a ValidSoft solution, that customer is (in European data protection terms) the “controller” of the processing, and we legally act only as the customer’s “processor”.

However, in particular in relation to the use of our solutions by customers who, in this regard, are subject to the GDPR, we have drawn up conditions of use for each solution that ensure, “by design and default”, that if those conditions are complied with, the processing involved in the use of each solution is fully compliant with the GDPR and other EU data protection law (and therefore also with effectively all national privacy- or data protection laws globally, because the GDPR sets the “golden standard” in that respect). Our conditions of use are available on request. We also promise our customers to fully cooperate with them in relation to the exercise by any European data subject of their rights under the GDPR and other EU data protection law vis-à-vis that customer (who is the controller and as such has primary responsibility for complying with EU data protection law).

Moreover, we have had this full compliance of our solutions “by design and default” evaluated and certified in the most demanding European data compliance certification scheme currently in existence, European Privacy Seal:

https://www.european-privacy-seal.eu/EPS-en/fact-sheet

ValidSoft has been awarded four EuroPriSe seals for its solutions – more than any other company:

Valid-SSD: https://www.european-privacy-seal.eu/EPS-en/Valid-ssd 

Valid-4F: https://www.european-privacy-seal.eu/EPS-en/4F-self-certification 

Valid-ZLC: https://www.european-privacy-seal.eu/EPS-en/ValidSoft-VALid-ZLC 

Valid-POS: https://www.european-privacy-seal.eu/eps-en/valid-pos 

These seals confirm that ValidSoft’s solutions are fully compliant with European data protection law.

If you want any further information on our processing of your personal information and data, by us or our customers, please email our Data Protection Officer (DPO), at: privacy@validsoft.com