EVERNYM, Inc. PRIVACY POLICY

Last modified: June 12, 2018

ATTENTION:  PLEASE READ THIS EVERNYM, inc. (“evernym”, “Company”, “WE”, OR “US”) PRIVACY POLICY (“PRIVACY POLICY”) carefully, WHICH IS PART OF THE EVERNYM TERMS OF USE AT www.Evernym.com/terms-of-use/ (COLLECTIVELY “TERMS OF USE”), BEFORE YOU (“YOU”) ACCESS, DOWNLOAD OR OTHERWISE USE THE http://EVERNYM.COM or www.connect.me WEBSITE; mobile applications; other online services; OUR PRODUCTS AND SERVICES INCLUDING OUR identity owner and digital CREDENTIAL-RELATED TECHNOLOGY AND ASSOCIATED SERVICES SUCH AS DATA HOSTING SERVICES (the “identity-related services”); OTHER INTERACTIONS (INCLUDING email, ONLINE, OFFLINE AND BY PHONE OR MAIL) BETWEEN YOU AND US; AND/OR OUR SOCIAL MEDIA ACCOUNTS INCLUDING ALL CONTENT AVAILABLE THROUGH THESE PLATFORMS (COLLECTIVELY, THE “DIGITAL CHANNELS” and, together with OUR IDENTITY-RELATED services. the “services”).

INTRODUCTION

We respect your privacy.  This Privacy Policy describes how we collect, use, and share your personal data in connection with the provision of our Services and when you use our Digital Channels.

The purpose of this Policy is to inform you about our privacy practices and to ensure that you understand the purposes for which We collect and process your personal data. The following is a brief summary of the manner and purposes for which We process your personal data.

ACCESSING, DOWNLOADING OR OTHERWISE USING OUR DIGITAL CHANNELS OR SERVICES INDICATES THAT YOU ACCEPT AND AGREE TO BE BOUND BY THIS PRIVACY POLICY IN FULL.  IF YOU DO NOT ACCEPT THIS PRIVACY POLICY, DO NOT ACCESS, DOWNLOAD OR OTHERWISE USE THE SERVICES.  You acknowledge (a) that You have read and understood this Privacy Policy; and (b) this Privacy Policy shall have the same force and effect as a signed agreement.

APPLICATION

This Privacy Policy relates to your personal data (i.e., data about you, an individual, from which you can be identified).  This Privacy Policy therefore does not apply to any data insofar as it is held, processed, disclosed or published in a form which cannot be linked to a living individual (such as anonymized data or aggregated data, which, in a given form, cannot directly or indirectly be used to identify you as an individual) (“Anonymized and Aggregated Data”). We reserve the right to generate Anonymized and Aggregated Data extracted out of any databases containing your personal data and to make use of any such Anonymized and Aggregated Data as we see fit (including publishing such data and sharing it with third parties).

CHANGES TO THIS PRIVACY POLICY

Please review this Privacy Policy each time You use the Services.  We reserve the right to update or change our Privacy Policy at any time in our sole discretion, and the updated version of this Policy will be effective upon posting on the Digital Channels.  Please check this page to review the most up-to-date version of this Policy.  Your continued use of the Services after We post any modifications to the Privacy Policy on this page will constitute your acknowledgment of the modifications and your consent to abide and be bound by the modified Privacy Policy.

BY USING THE SERVICES, YOU AGREE TO BE BOUND BY THE MOST RECENT VERSION OF THIS PRIVACY POLICY.

RESPONSIBILITY FOR DATA PROCESSING

In the course of providing our technology services to our enterprise clients (“clients”), including data hosting, back-up and data processing services in connection with our digital wallets and identity verification technology, We process personal data records of individuals who are our clients’ customers or otherwise associated with our clients. In those circumstances, We act as processors of data on behalf of our client and on our client’s instructions and the client is ultimately responsible for the processing of your personal data. If you are a customer of one of our clients and believe that We process your data on behalf of one of our clients, please refer to the client’s privacy policy for information regarding the processing of your data.

Evernym collects and processes personal data on its own behalf where the data is collected in connection with the administration of Our business and the promotion and marketing of our technology services, including in the operation of our Digital Channels.  We may also collect personal data from end-users of our technologies if We market and offer our technologies directly to end-users. In those circumstances, Evernym is the entity which is responsible for the processing of personal data.  If you have any questions or concerns about Evernym’s use of your personal data, please contact us at info@evernym.com.

COUNTRIES OF PROCESSING

Our services for our clients include data collection, data processing, and data storage activities conducted in multiple jurisdictions including the United States of America (USA) and European Union (EU). Some of our operations are managed through local subsidiaries or affiliates including in the EU. We store and otherwise process data (including personal data) through third-party cloud service providers and other IT service providers which may be located or operate in other countries, with differing levels of legally mandated privacy guarantees. We will continue to protect personal data according to the terms of this privacy policy even when operating in a jurisdiction that requires fewer protections.

When transferring personal data records between jurisdictions, We comply with the relevant regulations governing that data transfer. When transferring from the EU to a jurisdiction with fewer mandated privacy protections, We put in place appropriate safeguards including data transfer agreements with terms approved by the EU Commission. Where appropriate, We may also rely on your consent for the transfer of your personal data for processing outside the EU.

HOW WE COLLECT AND USE YOUR PERSONAL DATA

(a) Your digital credentials.  Our digital identity technology and digital wallets are designed to provide a secure method for consumers to access and exchange identity-related information (“digital credentials”) when dealing with various organisations including when they use financial and other services and when purchasing goods and services. These digital credentials are stored on the end-user’s device. Where the end-user chooses to upload his or her data to the cloud (for example for back-up purposes), We may host the data on our servers or through third-party cloud service providers.  We may also hold encryption keys relating to your encrypted data.  Where We provide the data hosting service, users’ data is held on our servers in an encrypted form that does not enable the identification of specific individuals, even by Evernym itself.
(b) Data that we receive from our clients.  When providing data hosting services for our clients, We receive encoded data from our clients relating to their customers. That data enables our clients to identify its customers when using our services.
(c) Information That You Provide Directly or Authorize Someone Else to Give Us.  We may ask you to provide certain information including, but not limited to your name, email address, and any other information You choose to provide to Us.  For example, We may collect information from You when You register for and/or use our Digital Channels, contact or interact with Us, fill out a form, apply for employment, respond to a survey, and voluntarily provide Us with Your comments and/or questions and other content in connection with using our Digital Channels.  When You submit a “Contact Evernym” form, We may collect Your name, phone number, email address and any other information You choose to provide to Us.
(d) Analytics information.  We collect, measure and analyze traffic and usage trends in connection with our website and other Digital Channels, and We use third-party analytics tools to help us.  We use Google Analytics to provide analytics services.  We use other third-party services such as Apptentive to analyze personal data of users who provide Us with feedback.  This allows us to understand, among other things, who is using the Digital Channels, how they are using them, and ways to improve the Services.  Such third-party analytics tools and services may use cookies and persistent device identifiers to collect and store information including, but not limited to time of visit, pages visited, time spent on each page, IP address, unique device ID, advertising tags and type of operating system used.
(e) Cookies.  When you use our Digital Channels, We sometimes send one or more cookies (small text files containing a string of alphanumeric characters) to your computer or mobile device that uniquely identify your browser and enhance your navigation on the Digital Channel.  A cookie may also convey information to us about how you use the Digital Channels (e.g., the pages you view, the links you click and other actions you take) and allow us or our third-party analytics tools We use to track your usage of the Digital Channels.  There are at least two different types of cookies: persistent and session cookies.  A persistent cookie remains on your hard drive after you close your browser.  Persistent cookies may be used by your browser on subsequent use of the Digital Channels.  Persistent cookies can be removed by following your Web browser’s directions for removal of cookies.  A session cookie is temporary and disappears after you close your browser. You can reset your Web browser to refuse all cookies or to notify you when a cookie is being sent.  However, some features of the Digital Channels may not function properly if cookies are disabled.
(f) Log File.  Log file information is automatically reported by your browser each time you access a Web page.  When you access or use the website, our servers may automatically record certain log file information, including but not limited to your Web request, Internet Protocol address, browser type, referring/exit pages and URLs, number of clicks and how you interact with links on the website, domain names, landing pages, and pages viewed.
(g) Device Identifiers. When you access or use our Digital Channels using a mobile device, We may access, collect, monitor and/or remotely store one or more “device identifiers,” such as a universally unique identifier.  Device identifiers are small data files or similar data structures stored on or associated with your device that uniquely identify your device.  A device identifier may consist of data stored in connection with the device hardware, operating system or other software, or data sent to the device by us.  A device identifier may convey information to us about how you browse and use the Digital Channel.  A device identifier may remain persistently on your device to enhance your navigation on the Digital Channel.  Some features of our Digital Channels may not function properly if use or availability of device identifiers is impaired or disabled.
(h) Commercial Communications. To the extent permitted under applicable law, We may use the information We collect or receive from you (specifically through the “connect.me” functionality) to communicate directly with you in relation to our services and technologies.  Subject, where necessary, to obtaining your consent to receiving such communications, We may use the information to communicate with you in relation to other services that We and our affiliates offer.  We may also use the information to send you service-related notices (e.g., account verification, technical and security notices).
Use of Certain Service-Type information.  We may use information from cookies, log files, device identifiers, location data, clear GIFs and other tools to: (i) remember information so that you will not have to re-enter it during your visit or the next time you use the Services; (ii) provide custom, personalized content or information to you or others; (iii) monitor the use of our Digital Channels; (iv) monitor aggregate metrics, such as total number of visitors, traffic and demographic patterns; (v) diagnose or fix technology problems; (vi) provide advertising to your browser or device; and (vii) conduct research or surveys.
(j) Use of information with Your Consent.  We may use your personal data for any other purpose for which you specifically provide Us with your consent.

THE PURPOSES FOR WHICH WE USE YOUR PERSONAL DATA

The purposes for which We collect and store your personal data are the following:

(a) Personal data records that We receive in providing data hosting and back-up services are processed on behalf of our clients for the purpose of supporting the client in delivering identity credential-related services and digital wallet services that the client provides to you;
(b) Personal data that We receive from you enables Us to deliver services that We offer to you (including use of our Digital Channels) and to enable you to use them efficiently;
(c) Insofar as permitted under applicable law, to communicate with you in relation to our services and technologies and other services that We or our affiliates offer;
(d) To personalize, test, monitor, improve and upgrade our Digital Channels;
(e) To meet our legal obligations and the regulatory requirements to which We may be subject, for loss prevention purposes and to protect and enforce our rights and meet our obligations to third parties; and
(f) For our internal business purposes, such as compiling and analyzing usage information of our Digital Channels, for general operational, statistical and business purposes.

YOUR RESPONSIBILITIES

It is important that the personal data We hold about you is accurate and current.  If you provided us with any details of personal data, please keep us informed if such details change.

LEGAL BASIS FOR PROCESSING YOUR DATA

Insofar as it concerns our operations in the European Union or services that We offer to individuals in the European Union, We rely on the following lawful bases for the processing of your personal data:

(a) Our legitimate interests in (among other things) delivering our services (including our Digital Channels), conducting commercial research, improving and maintaining our Services, personalising and tailoring content made available to you through our Digital Channels,  protecting the security or integrity of our databases, protecting our business or reputation, taking precautions against legal liability, dealing with our assets in the event of a business change (see further below), protecting and defending our legal rights or property, or for resolving disputes, investigating and attending to inquiries or complaints with respect to your use of our Services;
(b) Where relevant, your express consent, for example, if you use Our services to send your digital credentials to a third-party);
(c) Where relevant, the fulfillment of our contractual obligations to you under our terms and conditions of service; and
(d) Where relevant, for compliance with legal obligations to which we are subject.

HOW WE SHARE YOUR INFORMATION

(a) Service Providers.  We may share your personal data with third-party service providers that perform services on our behalf in connection with our Digital Channels or with our data hosting services, such as cloud service providers that we may use or third-party analytical service providers.  Where your information is shared with such third parties, We ensure that the third-party service provider will deal with your information only on our behalf and on our written instructions and solely for Our benefit (and not for its own benefit).
(b) Business Change.  If We become involved in a merger, consolidation, acquisition, sale of assets, joint venture, securities offering, bankruptcy, reorganization, liquidation, dissolution or other transaction, or if the ownership of all or substantially all of our business otherwise changes, We may share or transfer databases containing personal data of users including your personal data to a successor party or parties in connection with such transaction or change in ownership or legal structure.
(c) Necessary Disclosure.  Regardless of the choices you make regarding your information and to the extent permitted or required by applicable law, We may disclose information about you to third parties to: (i) enforce or apply the terms and conditions of our Services; (ii) comply with laws, subpoenas, warrants, court orders, legal processes or requests of government or law enforcement officials; (iii) protect our rights, reputation, safety or property, or that of our users or others; (iv) protect against legal liability; (v) establish or exercise our rights to defend against legal claims; or (vi) investigate, prevent or take action regarding known or suspected illegal activities; fraud; our rights, reputation, safety or property, or those of our users or others; violation of the Terms of Use, our policies or agreements; or as otherwise required by law.
(d) Sharing information.  We may share certain service-type information, including information obtained through tools such as cookies, log files, device identifiers or location data (such as anonymous usage data, referring/exit pages and URLs, platform types, number of clicks, etc.) with our third-party service providers who may use such information for the purposes described in the section titled “How We Collect and Use Your Information.”
(e) Aggregated data.  As mentioned above, We may also aggregate or otherwise strip information of all personally identifying characteristics and may share that Anonymized and Aggregated Data with third parties or publish it.  This Anonymized and Aggregated Data does not personally identify you and helps us to measure the success of the Services and its features and to improve your experience.  We reserve the right to make use of any such Anonymized and Aggregated Data in our sole discretion.

HOW WE PROTECT YOUR INFORMATION

We take measures to protect personal data you provide through the Services against loss, theft, and unauthorized access, use, disclosure or modification.  These include physical, technological and administrative measures.  However, We cannot ensure or warrant the security of any information you transmit to us or guarantee that information on the Services may not be accessed, disclosed, altered or destroyed.  Email sent to or from the Services may not be secure.  You should use caution whenever submitting information online and take special care in deciding what information you send to us via email.

We cannot guarantee that transmissions of your personal data will be fully secure and that third parties will never be able to defeat our security measures or the security measures of our partners.  WE ASSUME NO LIABILITY FOR DISCLOSURE OF YOUR INFORMATION DUE TO TRANSMISSION ERRORS, THIRD-PARTY ACCESS OR CAUSES BEYOND OUR CONTROL.

YOUR CHOICES ABOUT YOUR INFORMATION

(a) Controlling Your Settings.  You can limit your browser or mobile device from providing certain information by adjusting the settings in the browser, operating system or device.  Please consult the documentation for the applicable browser, operating system or device for the controls available to you.  You can also stop receiving promotional emails from us by following the unsubscribe instructions in those emails.
(b) Changing Your Information.  To change Your information, please contact Us at info@evernym.com.
(c) Email Communications.  You can make changes regarding opting out of or otherwise receiving email communications from Us by contacting Us at info@evernym.com.
(d) Do Not Track. At this time, We do not recognize “do not track” signals sent from Web browsers.  In some cases, your browser may offer a “Do Not Track” option, which allows you to signal to operators of Websites, mobile applications, and services (including behavioral advertising services) that you do not wish such operators to track certain of your online activities over time and/or across different Websites and mobile applications and services.  Disabling tracking mechanisms may disable certain features of the Services.  To disable tracking, please consult the documentation for you browser, operating system or mobile device.  For some devices, it may not be possible to disable tracking mechanisms.  You may also disable tracking by certain third-party services by opting out:

Google Analytics

https://tools.google.com/dlpage/gaoptout/.

HOW LONG WE KEEP YOUR INFORMATION

We will only retain your personal data for as long as necessary to fulfill the purposes We collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, We consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which We process your personal data and whether We can achieve those purposes through other means, and the applicable legal requirements.

CHILDREN’S PRIVACY

The Services are not directed to children and/or persons under the age of majority in their respective jurisdictions and is intended for use by adults and/or persons at or over the age of majority only.  We do not knowingly collect personal data from individuals under eighteen (18) years of age. If you are under the age of eighteen (18), please do not submit any information through the Services and do not provide your consent for the use of your data unless your parent or guardian has approved.

EU PRIVACY RIGHTS

Users based in the European Union have the following legal rights in respect of their information:

(a) The right to require the data controller to confirm whether or not their information is being processed, the purpose of any such processing, the recipients of any information that has been disclosed, the period for which their information is to be stored and whether any automated decision-making processes are used in relation to their information;

(b) The right to require the data controller to rectify inaccurate information without undue delay;

(c) Where the data controller has relied on the ‘consent’ basis for processing that information (see paragraph 9(b) above), the right to withdraw their consent at any time.  This right to withdraw consent does not affect the lawfulness of processing based on consent before its withdrawal;

(d) The right to request the erasure of their information in certain circumstances. You can make a request for erasure where:

(i) the information is no longer necessary in relation to the purpose for which it was collected;

(ii) where the processing of the information is based on the user’s consent (and the other circumstances described in the ‘Legal Basis for Processing Your information’ and ‘How We May Share Your information’ sections above no longer apply), if the user withdraws his or her consent; or

(iii) where the personal data is processed by the data controller solely on the basis of our ‘legitimate interest’ referred to in paragraph 9(a) (and the other legal basis set out in paragraph  do not apply), if the user objects to the processing of his or her personal data and there are no overriding legitimate grounds for the processing (such as, for example, where the processing of the data is required to meet statutory obligations or for the defence of legal claims).

Where the data controller has disclosed the information of a European Union user to a third-party and the user requests the erasure or rectification of the data, the data controller should take all reasonable steps to inform the third-party of such request;

(e) The right to require the data controller to restrict its processing of a user’s personal data in certain circumstances, such as where the accuracy of that data is disputed or an objection has been raised.  In such circumstances, the data controller should only process that information with the express consent of the user, or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest;

(f) Where data is processed based on user’s consent or to fulfil a contractual obligation, the user has the right to receive his or her personal data from the data controller in a structured, commonly used and machine-readable format;

(g) The right to object to the processing of personal data where:

(i) the data controller relies solely on the ‘legitimate interest’ basis for processing that data, in which case we will be legally required to stop processing the user’s information unless we have compelling legitimate grounds for the processing which override the user’s privacy rights and interests; or

(ii) the information is used for direct marketing purposes, in which case we will immediately stop processing the user’s information for such purposes;

(h) Users have the right to lodge a complaint with the data protection supervisory authority of the EU member state where the user resides.

The above legal rights are subject to various conditions and exceptions including where the data is used for statistical or scientific research purposes and the exercise of the right would prevent such purposes from being attained or would seriously impair their attainment.

THIRD-PARTY SITES AND SERVICES

Our Digital Channels may reference or provide links to other websites, applications, or resources.  If you access any website, application, or resources provided by a third-party, our Privacy Policy will not apply.  Your interactions with such websites, applications, and resources are subject to the privacy policies of the third parties that operate them.  Please review those policies carefully to understand how those parties will treat your information.

CALIFORNIA PRIVACY RIGHTS

Under California Civil Code Section 1798.83, if you are a California resident and your business relationship with us is primarily for personal, family or household purposes, you may request certain data regarding our disclosure, if any, of information to third parties for the third parties’ direct marketing purposes.  To make such a request, please send an email to info@evernym.com with “Request for California Privacy information” in the subject line.  You may make such a request up to once per calendar year.  If applicable, We will provide to you via email a list of the categories of information disclosed to third parties for their direct marketing purposes during the immediately-preceding calendar year, along with the third parties’ names and addresses.  Please note that not all personal data sharing is covered by the requirements of California Civil Code Section 1798.83.

QUESTIONS/CONTACTING US

If you have any questions regarding this Privacy Policy, you may email us at info@evernym.com or contact us by mail at:

Evernym, Inc.
13867 S. Bangerter Parkway
Suite 300
Draper, UT
84020