Effective Date: August 2, 2021
About the Service
The Service allows you to store all of your company passwords in protected vaults, collaborate with teammates, manage user rights, track all changes, monitor security and use one click logon.
We do not intentionally collect children’s personal data, unless parents decide, at their sole discretion, to provide such data to us. If you, as a parent or a legal guardian of a child, become aware that the child has submitted his/her personal data to us, please contact us immediately. We will delete your child’s personal data from our systems without undue delay.
Term and termination
2. We as a Data Controller and Our Contact Information
The data controller who is responsible for the processing of your personal data through the Service is Passwork Oy having a registered business address at Pasilankatu 2, 00240 Helsinki, Finland, and the business registration number 2840821-9 We act as a data controller because we make decisions about the personal data that needs to be collected through the Service and the purposes for which it is used.
3. We as a Data Processor
We act in the capacity of a data processor with regard to the data submitted or generated by you through the Service for our processing like passwords (“Your Data”) and Your Data contains your or other individuals’ personal data. We do not own, control, or make decisions about Your Data. We process Your Data only in accordance with the instructions issued by you, as our data controller. To ensure that Your Data is processed in accordance with the strictest data protection standards, we offer for conclusion a data processing agreement. You can receive a copy of such an agreement by contacting us at [email protected].
4. When Do We Collect Personal Data?
We collect personal data on persons who use the Service or if the collection of personal data derives from a legal obligation:
- Most of the personal data is collected directly from you (for example, when you create your user account and/or use the Service).
- Updates to the personal data may also be received from authorities, organizations, companies offering updating services, public directories and other public sources of information.
- When visiting the Website or using the Service, certain technical and other information (that may be personal data) may be automatically sent by your computer to us (for example, your IP address, the type of your browser and the source of your visit).
- Any or all of the activities with regard to Website usage information may be performed on our behalf by our service providers, including, for example, our analytics vendor(s) and our e-mail management partner(s). For a list of our data processors, please refer to the “How do we share your personal data?”.
- In the event we make message boards and forums available to you(collectively, "Forums"), you will be solely responsible for the information and any other content you post on and through these Forums and you should be aware that when you voluntarily disclose personal data (for example, your name, e-mail address, telephone number) on or through these Forums, such information is generally accessible to, and may be collected and used by, other users. This may result in unsolicited messages from third parties, and such messages are beyond our control. We do not exercise control over any users, and in no way are we responsible, nor do we have any liability whatsoever, for any collection or use of information you may disclose through the Forums. You are encouraged to exercise discretion when providing personal data about yourself in and through Forums. Please do not post any personal data on the Website that you expect to keep private.
- Forums. You are encouraged to exercise discretion when providing personal data about yourself in and through Forums. Please do not post any personal data on the Website that you expect to keep private.
5. What Personal Data Do We Collect and for What Purposes We Use It?
- Registration of your account
When you register your user account, we collect your email address, password, and avatar. We use such information to register and maintain your user account, enable your access to the service, provide you with the requested services, contact you, if necessary, and maintain our business records. The legal bases on which we rely are ‘performing a contract with you’ and ’pursuing our legitimate business interests’ (i.e., operate, analyse, grow, and administer the Service). We keep your personal data until you delete your user account.
When you contact us by email, we collect your name, email address, and any information that you decide to include in your message. We use such data to respond to your inquiries. The legal bases on which we rely are ‘pursuing our legitimate business interests’ (i.e., to grow and promote our business) and ‘your consent’ (for optional personal data). We keep your personal data until you stop communicating with us.
When you make a payment, you will be asked to provide your email address, country, payment details (like your name, credit card number, expiration date, security code, billing address, or PayPal details), company name, VAT number, and address. Please note that we do not process payments - it is done by our third-party payment processors Paddle and PayPal. Your payment data is used to process your payments, issue invoices, and maintain our business records. The legal bases on which we rely are ‘performing a contract,’ ’pursuing our legitimate business interests’ (i.e., administering our business), and ‘complying with our legal obligations’. We keep your personal data for 6+1 years, as required by law.
- IP address
When you use the Website, we or our third-party analytics service providers (as explained below) collect your IP address. We use your IP address to analyse the technical aspects of your use of the Website, prevent fraud and abuse of the Website, ensure the security of the Website, and tailor the Website for your location. The legal basis on which we rely when processing your IP address is ‘pursuing our legitimate business interests’ (i.e., to analyse and protect the Website). We keep your personal data as long as it is necessary for analytics purposes.
We do not collect or have access to any special categories of personal data (“sensitive data”), unless you decide, at your own discretion, to provide such data to us. Sensitive data is information that relates to your health, genetics, biometrics, religious and political beliefs, racial origins, membership of a professional or trade association, sex life, or sexual orientation. If you provide us with such sensitive data or Your Data contains the said sensitive data, we will process such data for the purpose of fulfilling our contractual obligations. As soon as the processing is completed, we will securely delete it from our systems.
Processing of Your Data
When you upload or create Your Data onto the Service, we process Your Data as requested by you, including any personal data Your Data may contain. Your Data may contain the following information: passwords and company information. We process Your Data in order to (i) provide you with the requested services and (ii) perform our contractual obligations. The legal basis on which we rely is ‘performing a contract with you’. As soon as the processing of Your Data is completed, we will securely delete it from our systems.
Refusal to provide personal data
If you refuse to provide us with your personal data when we ask for it, we may not be able to perform the requested operation and you may not be able to use the full functionality of the Service or get our response. Please contact us immediately if you think that any personal data that we collect is excessive or not necessary for the intended purpose.
6. What Non-Personal Data Do We Collect?
When you use the Website and/or Service, we receive and store certain technical non-personal data, such as the total number of visitors to our Website, the number of visitors to each page of our Website, device and browser information as well as Service usage data. We cannot currently use this information to identify you. It is important to note that no personal data is available or used in this process. We collect such information to better understand your behaviour and trends, detect potential outages and technical issues. All log analysis is done in an anonymous, aggregate, non-personally identifiable manner.
In an ongoing effort to better understand and serve our users, we conduct research on user demographics, interests and behaviour based on the personal data and other information provided to us. We compile and analyse this research on an aggregate basis, and may share this aggregate data with our data processors. This aggregate information does not identify you personally. PassworkWe may also disclose aggregated user statistics in order to describe our services to current and prospective business partners, and to other third parties for other lawful purposes.
7. How Do We Disclose and Transfer Personal Data?
Our data processors
Due to the technical and practical requirements, some of the personal data may be processed by our data processors located outside the European Union (EU) or European Economic Area (EEA) or at the processors’ servers outside the EU or EEA. If any personal data is transferred outside the EU or EEA, we will ensure that the country to which the personal data is transferred is approved as having a sufficient level of privacy protection by the European Commission, or by using standard contractual model clauses approved by the European Commission. The disclosure and transfer of your personal data is limited to the instances when this is necessary to ensure the proper operation of the Service, provide you with the requested services or information, pursue our legitimate business interests, enforce our rights, prevent fraud, and ensure security, or carry out our contractual obligations. Our data processors include:
- Our hosting service provider Amazon Cloud located in the USA;
- Our newsletter service providers SendInBlue located in France and MailerLite located in Lithuania;
- Our marketing service provider Bitrix24 located in the USA;
- Our analytics service provider Google Analytics located in the USA;
- Our payment service providers Paddle and PayPal located in the USA; and
- Our independent contractors and advisors.
Disclosure of technical (non-personal) data
Your technical (non-personal) data may be disclosed to third parties for any purpose. For example, we may share it with prospects or partners for business or research purposes, for improving the Service, responding to lawful requests from public authorities or developing new products and services.
If we are contacted by a public authority, we may need to disclose information about you to the extent necessary for pursuing a public interest objective, such as national security or law enforcement.
Selling personal data
8. How Long Do We Store Your Personal Data?
Retention of personal data
Retention of technical (non-personal) data
Retention as required by law
In certain cases, we are required by law to store your personal data for a certain period of time (e.g., for accounting records). Thus, we keep your personal data for the time period stipulated by the applicable law and securely delete it as soon as the required storage period expires.
9. How Do We Protect Your Personal Data?
We use technical and organizational measures to protect your personal data against unauthorized access, transfer, deletion or other handling that may compromise information security. Such methods include the use of firewalls, encryption technologies and safe server rooms, proper access control systems, the controlled provision of user rights and supervision of their use, providing instructions for data processors, and the thorough selection of competent subcontractors who comply with industry standards for information security management.
Only our and our processors’ appointed personnel are entitled to access and use your personal data.
Notification of breach
In the event a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you, as soon as feasible, of the nature of the breach, the likely consequences of that breach and the steps you can take to mitigate the possible consequences of that breach.
10. How Can You Manage Your Personal Data?
You may at any time contact us to exercise the following rights (unless, in very limited cases, the applicable law provides otherwise):
- Right of access: you can get a copy of your personal data that we store in our systems and a list of purposes for which your personal data is processed;
- Right to rectification: you can rectify inaccurate personal data that we hold about you;
- Right to erasure (‘right to be forgotten’): you can ask us to erase your personal data from our systems;
- Right to restriction: you can ask us to restrict the processing of your personal data;
- Right to data portability: you can ask us to provide you with a copy of your personal data in a structured, commonly used and machine-readable format and move that personal data to another processor;
- Right to object: you can ask us to stop processing your personal data;
- Right to withdraw consent: you have the right to withdraw your consent, if you have provided one; or
- Right to complaint: you can submit your complaint regarding our processing of your personal data.
If you would like to launch a complaint about the way in which we process your personal data, we kindly ask you to contact us first and express your concerns. If we receive your complaint, we will investigate it and provide you with our response as soon as possible. If you are not satisfied with the outcome of your complaint, you have the right to lodge a complaint with your local data protection authority.
We do not discriminate against you if you decide to exercise your rights. It means that we will not (i) deny any goods and services, (ii) charge you different prices, (iii) deny any discounts or benefits, (iv) impose penalties, or (v) provide you with lower quality services.
11. How Do We Communicate With You?
We may, from time to time, send you a newsletter informing you about the latest developments related to the Service and our special offers. You will receive our newsletters by email in the following instances:
- If we receive your express (“opt-in”) consent to receive marketing messages; or
- If you voluntarily subscribe for our newsletter; or
- If we decide to send you information closely related to services already used by you.
You can opt-out from receiving our commercial communication at any time free of charge by clicking on the ‘unsubscribe’ link that you can find in each newsletter or by contacting us directly.
The newsletters sent by us may contain tracking pixels that allow us to conduct analysis of our marketing campaigns. Tracking pixels allow us to see whether you opened the newsletter and what links you have clicked on. We use such information to conduct analytics and pursue our legitimate business interests.
If necessary, we will send you important informational messages, such as updates, technical emails, and other administrative updates. Please note that such messages are sent on an “if-needed” basis and they do not fall within the scope of commercial communication that may require your prior consent. You cannot opt-out from service-related notices.
12. Third-Party Sites and Privacy Practices