Last modified: June 12, 2018
The purpose of this Policy is to inform you about our privacy practices and to ensure that you understand the purposes for which We collect and process your personal data. The following is a brief summary of the manner and purposes for which We process your personal data.
RESPONSIBILITY FOR DATA PROCESSING
Evernym collects and processes personal data on its own behalf where the data is collected in connection with the administration of Our business and the promotion and marketing of our technology services, including in the operation of our Digital Channels. We may also collect personal data from end-users of our technologies if We market and offer our technologies directly to end-users. In those circumstances, Evernym is the entity which is responsible for the processing of personal data. If you have any questions or concerns about Evernym’s use of your personal data, please contact us at email@example.com.
COUNTRIES OF PROCESSING
We operate data hosting services for our clients primarily from the United States of America (USA) and our data collection and processing activities take place predominantly in the USA. However, We also operate data centers in other jurisdictions through local subsidiaries or affiliates including in the European Union. We store and otherwise process data (including personal data) through third-party cloud service providers and other IT service providers which may be located or operate in other countries, including countries which do not guarantee the same level of protection to privacy as the USA.
When transferring personal data records from the EU to a country outside the EU which does not provide an adequate level of protection to privacy rights, we put in place appropriate safeguards including data transfer agreements on the terms approved by the EU Commission. Where appropriate, We may also rely on your consent for the transfer of your personal data for processing outside the EU.]
HOW WE COLLECT AND USE YOUR PERSONAL DATA
(a) Your digital credentials. Our digital identity technology and digital wallets are designed to provide a secure method for consumers to access and exchange identity-related information (“digital credentials”) when dealing with various organisations including when they use financial and other services and when purchasing goods and services. These digital credentials are stored on the end-user’s device. Where the end-user chooses to upload his or her data to the cloud (for example for back-up purposes), We may host the data on our servers or through third-party cloud service providers. We may also hold encryption keys relating to your encrypted data. Where We provide the data hosting service, users’ data is held on our servers in an encrypted form that does not enable the identification of specific individuals, even by Evernym itself.
(b) Data that we receive from our clients. When providing data hosting services for our clients, We receive encoded data from our clients relating to their customers. That data enables our clients to identify its customers when using our services.
(c) Information That You Provide Directly or Authorize Someone Else to Give Us. We may ask you to provide certain information including, but not limited to your name, email address, and any other information You choose to provide to Us. For example, We may collect information from You when You register for and/or use our Digital Channels, contact or interact with Us, fill out a form, apply for employment, respond to a survey, and voluntarily provide Us with Your comments and/or questions and other content in connection with using our Digital Channels. When You submit a “Contact Evernym” form, We may collect Your name, phone number, email address and any other information You choose to provide to Us.
(e) Cookies. When you use our Digital Channels, We sometimes send one or more cookies (small text files containing a string of alphanumeric characters) to your computer or mobile device that uniquely identify your browser and enhance your navigation on the Digital Channel. A cookie may also convey information to us about how you use the Digital Channels (e.g., the pages you view, the links you click and other actions you take) and allow us or our third-party analytics tools We use to track your usage of the Digital Channels. There are at least two different types of cookies: persistent and session cookies. A persistent cookie remains on your hard drive after you close your browser. Persistent cookies may be used by your browser on subsequent use of the Digital Channels. Persistent cookies can be removed by following your Web browser’s directions for removal of cookies. A session cookie is temporary and disappears after you close your browser. You can reset your Web browser to refuse all cookies or to notify you when a cookie is being sent. However, some features of the Digital Channels may not function properly if cookies are disabled.
(f) Log File. Log file information is automatically reported by your browser each time you access a Web page. When you access or use the website, our servers may automatically record certain log file information, including but not limited to your Web request, Internet Protocol address, browser type, referring/exit pages and URLs, number of clicks and how you interact with links on the website, domain names, landing pages, and pages viewed.
(g) Device Identifiers. When you access or use our Digital Channels using a mobile device, We may access, collect, monitor and/or remotely store one or more “device identifiers,” such as a universally unique identifier. Device identifiers are small data files or similar data structures stored on or associated with your device that uniquely identify your device. A device identifier may consist of data stored in connection with the device hardware, operating system or other software, or data sent to the device by us. A device identifier may convey information to us about how you browse and use the Digital Channel. A device identifier may remain persistently on your device to enhance your navigation on the Digital Channel. Some features of our Digital Channels may not function properly if use or availability of device identifiers is impaired or disabled.
(h) Commercial Communications. To the extent permitted under applicable law, We may use the information We collect or receive from you (specifically through the “connect.me” functionality) to communicate directly with you in relation to our services and technologies. Subject, where necessary, to obtaining your consent to receiving such communications, We may use the information to communicate with you in relation to other services that We and our affiliates offer. We may also use the information to send you service-related notices (e.g., account verification, technical and security notices).
Use of Certain Service-Type information. We may use information from cookies, log files, device identifiers, location data, clear GIFs and other tools to: (i) remember information so that you will not have to re-enter it during your visit or the next time you use the Services; (ii) provide custom, personalized content or information to you or others; (iii) monitor the use of our Digital Channels; (iv) monitor aggregate metrics, such as total number of visitors, traffic and demographic patterns; (v) diagnose or fix technology problems; (vi) provide advertising to your browser or device; and (vii) conduct research or surveys.
(j) Use of information with Your Consent. We may use your personal data for any other purpose for which you specifically provide Us with your consent.
THE PURPOSES FOR WHICH WE USE YOUR PERSONAL DATA
The purposes for which We collect and store your personal data are the following:
(a) Personal data records that We receive in providing data hosting and back-up services are processed on behalf of our clients for the purpose of supporting the client in delivering identity credential-related services and digital wallet services that the client provides to you;
(b) Personal data that We receive from you enables Us to deliver services that We offer to you (including use of our Digital Channels) and to enable you to use them efficiently;
(c) Insofar as permitted under applicable law, to communicate with you in relation to our services and technologies and other services that We or our affiliates offer;
(d) To personalize, test, monitor, improve and upgrade our Digital Channels;
(e) To meet our legal obligations and the regulatory requirements to which We may be subject, for loss prevention purposes and to protect and enforce our rights and meet our obligations to third parties; and
(f) For our internal business purposes, such as compiling and analyzing usage information of our Digital Channels, for general operational, statistical and business purposes.
It is important that the personal data We hold about you is accurate and current. If you provided us with any details of personal data, please keep us informed if such details change.
LEGAL BASIS FOR PROCESSING YOUR DATA
Insofar as it concerns our operations in the European Union or services that We offer to individuals in the European Union, We rely on the following lawful bases for the processing of your personal data:
(a) Our legitimate interests in (among other things) delivering our services (including our Digital Channels), conducting commercial research, improving and maintaining our Services, personalising and tailoring content made available to you through our Digital Channels, protecting the security or integrity of our databases, protecting our business or reputation, taking precautions against legal liability, dealing with our assets in the event of a business change (see further below), protecting and defending our legal rights or property, or for resolving disputes, investigating and attending to inquiries or complaints with respect to your use of our Services;
(b) Where relevant, your express consent, for example, if you use Our services to send your digital credentials to a third-party);
(c) Where relevant, the fulfillment of our contractual obligations to you under our terms and conditions of service; and
(d) Where relevant, for compliance with legal obligations to which we are subject.
HOW WE SHARE YOUR INFORMATION
(a) Service Providers. We may share your personal data with third-party service providers that perform services on our behalf in connection with our Digital Channels or with our data hosting services, such as cloud service providers that we may use or third-party analytical service providers. Where your information is shared with such third parties, We ensure that the third-party service provider will deal with your information only on our behalf and on our written instructions and solely for Our benefit (and not for its own benefit).
(b) Business Change. If We become involved in a merger, consolidation, acquisition, sale of assets, joint venture, securities offering, bankruptcy, reorganization, liquidation, dissolution or other transaction, or if the ownership of all or substantially all of our business otherwise changes, We may share or transfer databases containing personal data of users including your personal data to a successor party or parties in connection with such transaction or change in ownership or legal structure.
(d) Sharing information. We may share certain service-type information, including information obtained through tools such as cookies, log files, device identifiers or location data (such as anonymous usage data, referring/exit pages and URLs, platform types, number of clicks, etc.) with our third-party service providers who may use such information for the purposes described in the section titled “How We Collect and Use Your Information.”
(e) Aggregated data. As mentioned above, We may also aggregate or otherwise strip information of all personally identifying characteristics and may share that Anonymized and Aggregated Data with third parties or publish it. This Anonymized and Aggregated Data does not personally identify you and helps us to measure the success of the Services and its features and to improve your experience. We reserve the right to make use of any such Anonymized and Aggregated Data in our sole discretion.
HOW WE PROTECT YOUR INFORMATION
We take measures to protect personal data you provide through the Services against loss, theft, and unauthorized access, use, disclosure or modification. These include physical, technological and administrative measures. However, We cannot ensure or warrant the security of any information you transmit to us or guarantee that information on the Services may not be accessed, disclosed, altered or destroyed. Email sent to or from the Services may not be secure. You should use caution whenever submitting information online and take special care in deciding what information you send to us via email.
We cannot guarantee that transmissions of your personal data will be fully secure and that third parties will never be able to defeat our security measures or the security measures of our partners. WE ASSUME NO LIABILITY FOR DISCLOSURE OF YOUR INFORMATION DUE TO TRANSMISSION ERRORS, THIRD-PARTY ACCESS OR CAUSES BEYOND OUR CONTROL.
YOUR CHOICES ABOUT YOUR INFORMATION
(a) Controlling Your Settings. You can limit your browser or mobile device from providing certain information by adjusting the settings in the browser, operating system or device. Please consult the documentation for the applicable browser, operating system or device for the controls available to you. You can also stop receiving promotional emails from us by following the unsubscribe instructions in those emails.
(b) Changing Your Information. To change Your information, please contact Us at firstname.lastname@example.org.
(c) Email Communications. You can make changes regarding opting out of or otherwise receiving email communications from Us by contacting Us at email@example.com.
(d) Do Not Track. At this time, We do not recognize “do not track” signals sent from Web browsers. In some cases, your browser may offer a “Do Not Track” option, which allows you to signal to operators of Websites, mobile applications, and services (including behavioral advertising services) that you do not wish such operators to track certain of your online activities over time and/or across different Websites and mobile applications and services. Disabling tracking mechanisms may disable certain features of the Services. To disable tracking, please consult the documentation for you browser, operating system or mobile device. For some devices, it may not be possible to disable tracking mechanisms. You may also disable tracking by certain third-party services by opting out:
HOW LONG WE KEEP YOUR INFORMATION
We will only retain your personal data for as long as necessary to fulfill the purposes We collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, We consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which We process your personal data and whether We can achieve those purposes through other means, and the applicable legal requirements.
The Services are not directed to children and/or persons under the age of majority in their respective jurisdictions and is intended for use by adults and/or persons at or over the age of majority only. We do not knowingly collect personal data from individuals under eighteen (18) years of age. If you are under the age of eighteen (18), please do not submit any information through the Services and do not provide your consent for the use of your data unless your parent or guardian has approved.
EU PRIVACY RIGHTS
Users based in the European Union have the following legal rights in respect of their information:
(a) The right to require the data controller to confirm whether or not their information is being processed, the purpose of any such processing, the recipients of any information that has been disclosed, the period for which their information is to be stored and whether any automated decision-making processes are used in relation to their information;
(b) The right to require the data controller to rectify inaccurate information without undue delay;
(c) Where the data controller has relied on the ‘consent’ basis for processing that information (see paragraph 9(b) above), the right to withdraw their consent at any time. This right to withdraw consent does not affect the lawfulness of processing based on consent before its withdrawal;
(d) The right to request the erasure of their information in certain circumstances. You can make a request for erasure where:
(i) the information is no longer necessary in relation to the purpose for which it was collected;
(ii) where the processing of the information is based on the user’s consent (and the other circumstances described in the ‘Legal Basis for Processing Your information’ and ‘How We May Share Your information’ sections above no longer apply), if the user withdraws his or her consent; or
(iii) where the personal data is processed by the data controller solely on the basis of our ‘legitimate interest’ referred to in paragraph 9(a) (and the other legal basis set out in paragraph do not apply), if the user objects to the processing of his or her personal data and there are no overriding legitimate grounds for the processing (such as, for example, where the processing of the data is required to meet statutory obligations or for the defence of legal claims).
Where the data controller has disclosed the information of a European Union user to a third-party and the user requests the erasure or rectification of the data, the data controller should take all reasonable steps to inform the third-party of such request;
(e) The right to require the data controller to restrict its processing of a user’s personal data in certain circumstances, such as where the accuracy of that data is disputed or an objection has been raised. In such circumstances, the data controller should only process that information with the express consent of the user, or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest;
(f) Where data is processed based on user’s consent or to fulfil a contractual obligation, the user has the right to receive his or her personal data from the data controller in a structured, commonly used and machine-readable format;
(g) The right to object to the processing of personal data where:
(i) the data controller relies solely on the ‘legitimate interest’ basis for processing that data, in which case we will be legally required to stop processing the user’s information unless we have compelling legitimate grounds for the processing which override the user’s privacy rights and interests; or
(ii) the information is used for direct marketing purposes, in which case we will immediately stop processing the user’s information for such purposes;
(h) Users have the right to lodge a complaint with the data protection supervisory authority of the EU member state where the user resides.
The above legal rights are subject to various conditions and exceptions including where the data is used for statistical or scientific research purposes and the exercise of the right would prevent such purposes from being attained or would seriously impair their attainment.
THIRD-PARTY SITES AND SERVICES
CALIFORNIA PRIVACY RIGHTS
Under California Civil Code Section 1798.83, if you are a California resident and your business relationship with us is primarily for personal, family or household purposes, you may request certain data regarding our disclosure, if any, of information to third parties for the third parties’ direct marketing purposes. To make such a request, please send an email to firstname.lastname@example.org with “Request for California Privacy information” in the subject line. You may make such a request up to once per calendar year. If applicable, We will provide to you via email a list of the categories of information disclosed to third parties for their direct marketing purposes during the immediately-preceding calendar year, along with the third parties’ names and addresses. Please note that not all personal data sharing is covered by the requirements of California Civil Code Section 1798.83.
13867 S. Bangerter Parkway