Privacy Policy

Effective Date: August 2, 2021

1. General

About this Privacy Policy
Passwork Ltd (“we,” “us,” and “our”) takes your privacy matters very seriously. This privacy policy (“Privacy Policy”) details how we receive, collect and use personal data in connection with our website (the "Website") and the related services and products provided through the Website (collectively, the “Service”). Please read this Privacy Policy carefully.
About the Service
The Service allows you to store all of your company passwords in protected vaults, collaborate with teammates, manage user rights, track all changes, monitor security and use one click logon.
Your consent
Before you submit any personal data through the Service, you are encouraged to read this Privacy Policy that is always available on the Website to understand on what legal bases (other than your consent) we rely when handling your personal data. In some cases, if required by the applicable law, we may seek to obtain your informed consent for the processing of your personal data. For example, you consent may be necessary if: (i) we intend to collect other types of personal data that are not mentioned in this Privacy Policy; (ii) we would like to use your personal data for other purposes that are not specified in this Privacy Policy; or (iii) we would like to transfer your personal data to third parties that are not listed in this Privacy Policy.
We do not intentionally collect children’s personal data, unless parents decide, at their sole discretion, to provide such data to us. If you, as a parent or a legal guardian of a child, become aware that the child has submitted his/her personal data to us, please contact us immediately. We will delete your child’s personal data from our systems without undue delay.
Term and termination
This Privacy Policy enters into force on the effective date indicated at the top of the Privacy Policy and remains valid until terminated or updated by us.
The Privacy Policy may be changed from time to time to address the changes in laws, regulations, and industry standards. We encourage you to review our Privacy Policy to stay informed. For significant material changes in the Privacy Policy or, where required by the applicable law, we may seek your consent.

2. We as a Data Controller and Our Contact Information

The data controller who is responsible for the processing of your personal data through the Service is Passwork Oy having a registered business address at Pasilankatu 2, 00240 Helsinki, Finland, and the business registration number 2840821-9 We act as a data controller because we make decisions about the personal data that needs to be collected through the Service and the purposes for which it is used.
For any questions and information about this Privacy Policy or our data processing practices, please contact us by email: [email protected] or, alternatively, by mail: Passwork Oy, Privacy Policy, Pasilankatu 2, 00240 Helsinki, Finland.

3. We as a Data Processor

We act in the capacity of a data processor with regard to the data submitted or generated by you through the Service for our processing like passwords (“Your Data”) and Your Data contains your or other individuals’ personal data. We do not own, control, or make decisions about Your Data. We process Your Data only in accordance with the instructions issued by you, as our data controller. To ensure that Your Data is processed in accordance with the strictest data protection standards, we offer for conclusion a data processing agreement. You can receive a copy of such an agreement by contacting us at [email protected].

4. When Do We Collect Personal Data?

We collect personal data on persons who use the Service or if the collection of personal data derives from a legal obligation:
  • Most of the personal data is collected directly from you (for example, when you create your user account and/or use the Service).
  • Updates to the personal data may also be received from authorities, organizations, companies offering updating services, public directories and other public sources of information.
  • When visiting the Website or using the Service, certain technical and other information (that may be personal data) may be automatically sent by your computer to us (for example, your IP address, the type of your browser and the source of your visit).
  • We can also collect information about your Website usage information by using cookies and other tracking technologies. Please refer to our Cookie Policy for further information.
  • Any or all of the activities with regard to Website usage information may be performed on our behalf by our service providers, including, for example, our analytics vendor(s) and our e-mail management partner(s). For a list of our data processors, please refer to the “How do we share your personal data?”.
  • In the event we make message boards and forums available to you(collectively, "Forums"), you will be solely responsible for the information and any other content you post on and through these Forums and you should be aware that when you voluntarily disclose personal data (for example, your name, e-mail address, telephone number) on or through these Forums, such information is generally accessible to, and may be collected and used by, other users. This may result in unsolicited messages from third parties, and such messages are beyond our control. We do not exercise control over any users, and in no way are we responsible, nor do we have any liability whatsoever, for any collection or use of information you may disclose through the Forums. You are encouraged to exercise discretion when providing personal data about yourself in and through Forums. Please do not post any personal data on the Website that you expect to keep private.
  • Forums. You are encouraged to exercise discretion when providing personal data about yourself in and through Forums. Please do not post any personal data on the Website that you expect to keep private.

5. What Personal Data Do We Collect and for What Purposes We Use It?

We respect data minimisation principles. This means that we collect only a minimal amount of personal data through the Service that is necessary to ensure the proper provision of the Service as described below. We use your personal data for limited, specified and legitimate purposes explicitly mentioned in this Privacy Policy. We do not use your personal data for any purposes that are different from the purposes for which it was provided. When processing personal data, we make sure that we do so by relying on one of the available legal bases. You can find more information about the legal bases below.
  • Registration of your account
    When you register your user account, we collect your email address, password, and avatar. We use such information to register and maintain your user account, enable your access to the service, provide you with the requested services, contact you, if necessary, and maintain our business records. The legal bases on which we rely are ‘performing a contract with you’ and ’pursuing our legitimate business interests’ (i.e., operate, analyse, grow, and administer the Service). We keep your personal data until you delete your user account.
  • Inquiries
    When you contact us by email, we collect your name, email address, and any information that you decide to include in your message. We use such data to respond to your inquiries. The legal bases on which we rely are ‘pursuing our legitimate business interests’ (i.e., to grow and promote our business) and ‘your consent’ (for optional personal data). We keep your personal data until you stop communicating with us.
  • Payments
    When you make a payment, you will be asked to provide your email address, country, payment details (like your name, credit card number, expiration date, security code, billing address, or PayPal details), company name, VAT number, and address. Please note that we do not process payments - it is done by our third-party payment processors Paddle and PayPal. Your payment data is used to process your payments, issue invoices, and maintain our business records. The legal bases on which we rely are ‘performing a contract,’ ’pursuing our legitimate business interests’ (i.e., administering our business), and ‘complying with our legal obligations’. We keep your personal data for 6+1 years, as required by law.
  • IP address
    When you use the Website, we or our third-party analytics service providers (as explained below) collect your IP address. We use your IP address to analyse the technical aspects of your use of the Website, prevent fraud and abuse of the Website, ensure the security of the Website, and tailor the Website for your location. The legal basis on which we rely when processing your IP address is ‘pursuing our legitimate business interests’ (i.e., to analyse and protect the Website). We keep your personal data as long as it is necessary for analytics purposes.
  • Cookies
    When you browse the Website, we collect your cookie-related data. For more information about the purposes for which we use cookies, please refer to our Cookie Policy. It also explains how long your cookies are valid. The legal bases on which we rely are ‘pursuing our legitimate business interests’ (i.e., to analyse and promote our business) and ‘your consent’ (for non-essential cookies).
Sensitive data
We do not collect or have access to any special categories of personal data (“sensitive data”), unless you decide, at your own discretion, to provide such data to us. Sensitive data is information that relates to your health, genetics, biometrics, religious and political beliefs, racial origins, membership of a professional or trade association, sex life, or sexual orientation. If you provide us with such sensitive data or Your Data contains the said sensitive data, we will process such data for the purpose of fulfilling our contractual obligations. As soon as the processing is completed, we will securely delete it from our systems.
Processing of Your Data
When you upload or create Your Data onto the Service, we process Your Data as requested by you, including any personal data Your Data may contain. Your Data may contain the following information: passwords and company information. We process Your Data in order to (i) provide you with the requested services and (ii) perform our contractual obligations. The legal basis on which we rely is ‘performing a contract with you’. As soon as the processing of Your Data is completed, we will securely delete it from our systems.
Refusal to provide personal data
If you refuse to provide us with your personal data when we ask for it, we may not be able to perform the requested operation and you may not be able to use the full functionality of the Service or get our response. Please contact us immediately if you think that any personal data that we collect is excessive or not necessary for the intended purpose.

6. What Non-Personal Data Do We Collect?

Usage data
When you use the Website and/or Service, we receive and store certain technical non-personal data, such as the total number of visitors to our Website, the number of visitors to each page of our Website, device and browser information as well as Service usage data. We cannot currently use this information to identify you. It is important to note that no personal data is available or used in this process. We collect such information to better understand your behaviour and trends, detect potential outages and technical issues. All log analysis is done in an anonymous, aggregate, non-personally identifiable manner.
Aggregated data
In an ongoing effort to better understand and serve our users, we conduct research on user demographics, interests and behaviour based on the personal data and other information provided to us. We compile and analyse this research on an aggregate basis, and may share this aggregate data with our data processors. This aggregate information does not identify you personally. PassworkWe may also disclose aggregated user statistics in order to describe our services to current and prospective business partners, and to other third parties for other lawful purposes.

7. How Do We Disclose and Transfer Personal Data?

Our data processors
Due to the technical and practical requirements, some of the personal data may be processed by our data processors located outside the European Union (EU) or European Economic Area (EEA) or at the processors’ servers outside the EU or EEA. If any personal data is transferred outside the EU or EEA, we will ensure that the country to which the personal data is transferred is approved as having a sufficient level of privacy protection by the European Commission, or by using standard contractual model clauses approved by the European Commission. The disclosure and transfer of your personal data is limited to the instances when this is necessary to ensure the proper operation of the Service, provide you with the requested services or information, pursue our legitimate business interests, enforce our rights, prevent fraud, and ensure security, or carry out our contractual obligations. Our data processors include:
  • Our hosting service provider Amazon Cloud located in the USA;
  • Our newsletter service providers SendInBlue located in France and MailerLite located in Lithuania;
  • Our marketing service provider Bitrix24 located in the USA;
  • Our analytics service provider Google Analytics located in the USA;
  • Our payment service providers Paddle and PayPal located in the USA; and
  • Our independent contractors and advisors.
Disclosure of technical (non-personal) data
Your technical (non-personal) data may be disclosed to third parties for any purpose. For example, we may share it with prospects or partners for business or research purposes, for improving the Service, responding to lawful requests from public authorities or developing new products and services.
Legal requests
If we are contacted by a public authority, we may need to disclose information about you to the extent necessary for pursuing a public interest objective, such as national security or law enforcement.
In case the Service is sold partly or fully, we will provide your personal data to a purchaser or successor entity and request the successor to handle your personal data in line with this Privacy Policy. We will notify you of any changes of the data controller.
Selling personal data
We do not sell your personal data to third parties. However, some of your personal data, including online identifiers (e.g., cookie-generated data and IP addresses) may be used for advertising, marketing, and monetisation purposes (e.g., programmatic advertising, retargeting, third-party marketing, profiling, or cross-device tracking). To make sure that you have full transparency and control over your personal data, we provide you with a possibility to manage your personal data used for such purposes as described in our Cookie Policy.

8. How Long Do We Store Your Personal Data?

Retention of personal data
We store your personal data in our systems only for as long as such personal data is required for the purposes described in this Privacy Policy or until you request us to delete your personal data, whichever comes first. After your personal data is no longer necessary for its primary purposes and we do not have another legal basis for storing it, we securely delete your personal data from our systems.
Retention of technical (non-personal) data
We retain non-personal data pertaining to you for as long as necessary for the purposes described in this Privacy Policy. For example, we can store it for the period of time needed for us to pursue our legitimate business interests, conduct audits, comply with (and demonstrate compliance with) legal obligations, resolve disputes and enforce our agreements.
Retention as required by law
In certain cases, we are required by law to store your personal data for a certain period of time (e.g., for accounting records). Thus, we keep your personal data for the time period stipulated by the applicable law and securely delete it as soon as the required storage period expires.

9. How Do We Protect Your Personal Data?

We use technical and organizational measures to protect your personal data against unauthorized access, transfer, deletion or other handling that may compromise information security. Such methods include the use of firewalls, encryption technologies and safe server rooms, proper access control systems, the controlled provision of user rights and supervision of their use, providing instructions for data processors, and the thorough selection of competent subcontractors who comply with industry standards for information security management.
Only our and our processors’ appointed personnel are entitled to access and use your personal data.
Notification of breach
In the event a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you, as soon as feasible, of the nature of the breach, the likely consequences of that breach and the steps you can take to mitigate the possible consequences of that breach.

10. How Can You Manage Your Personal Data?

You may at any time contact us to exercise the following rights (unless, in very limited cases, the applicable law provides otherwise):
  • Right of access: you can get a copy of your personal data that we store in our systems and a list of purposes for which your personal data is processed;
  • Right to rectification: you can rectify inaccurate personal data that we hold about you;
  • Right to erasure (‘right to be forgotten’): you can ask us to erase your personal data from our systems;
  • Right to restriction: you can ask us to restrict the processing of your personal data;
  • Right to data portability: you can ask us to provide you with a copy of your personal data in a structured, commonly used and machine-readable format and move that personal data to another processor;
  • Right to object: you can ask us to stop processing your personal data;
  • Right to withdraw consent: you have the right to withdraw your consent, if you have provided one; or
  • Right to complaint: you can submit your complaint regarding our processing of your personal data.
The request must be made in writing and it must be signed. If you would like to exercise any of your rights, please contact us by email or by post (you can find our contact details in section 2 of this Privacy Policy) and explain your request in detail. In order to verify your request, we may ask you to provide us with an identifying piece of information that allows us to identify you in our system. We will answer your request within a reasonable time frame but no later than 30 days.
If you would like to launch a complaint about the way in which we process your personal data, we kindly ask you to contact us first and express your concerns. If we receive your complaint, we will investigate it and provide you with our response as soon as possible. If you are not satisfied with the outcome of your complaint, you have the right to lodge a complaint with your local data protection authority.
We do not discriminate against you if you decide to exercise your rights. It means that we will not (i) deny any goods and services, (ii) charge you different prices, (iii) deny any discounts or benefits, (iv) impose penalties, or (v) provide you with lower quality services.

11. How Do We Communicate With You?

We may, from time to time, send you a newsletter informing you about the latest developments related to the Service and our special offers. You will receive our newsletters by email in the following instances:
  • If we receive your express (“opt-in”) consent to receive marketing messages; or
  • If you voluntarily subscribe for our newsletter; or
  • If we decide to send you information closely related to services already used by you.
You can opt-out from receiving our commercial communication at any time free of charge by clicking on the ‘unsubscribe’ link that you can find in each newsletter or by contacting us directly.
Tracking pixels
The newsletters sent by us may contain tracking pixels that allow us to conduct analysis of our marketing campaigns. Tracking pixels allow us to see whether you opened the newsletter and what links you have clicked on. We use such information to conduct analytics and pursue our legitimate business interests.
Service-related notices
If necessary, we will send you important informational messages, such as updates, technical emails, and other administrative updates. Please note that such messages are sent on an “if-needed” basis and they do not fall within the scope of commercial communication that may require your prior consent. You cannot opt-out from service-related notices.

12. Third-Party Sites and Privacy Practices

The Website may contain links that will let you leave the Website and access another website. Websites linked to or from the Website are not under our control and it is possible that these websites have a different privacy policy. This Privacy Policy applies solely to the personal data that is acquired through the Website or through your use of the Service, and/or your relationship with us. We urge you to be careful when you enter any personal data online. We accept no responsibility or liability for these other websites.