Privacy Policy
Our business involves advertising, marketing and the provision of online safety technology, content and advice (our“products”) to you (the” account holder”) and the persons associated with your account (the “end-users”). We provide products under an agreement with you (the “Customer Terms” which is accessible on our website) and our CustomerPolicies, which include this Privacy Policy.
Our Privacy Policy applies whether you have purchased products from us directly or through resellers and if you download and use our products. If you do not accept our privacy policy then you should not use our products.
Information and ownership
In the course of our business we may collect information from and about you, your end-users and the use of our products.
This Privacy Policy describes how we collect, store, use and distribute this information. It also sets out your options which include how you can avoid capture of certain information and how you can access and update certain information.
Your privacy is of critical importance to us. We collect and use data strictly in accordance with best practices and relevant laws. We collect the minimum information necessary and retain your data only for as long as is necessary to provide our products, or until you tell us to delete it. Your data is never sold to third parties.
With respect the information we collect, generally speaking:
- Data that relates to or identifies you or your end-users is owned by you;
- User content such as content submitted by you into forms or surveys is owned by you;
- Data associated with your use of our products is owned by us; and
- Data which cannot reasonably be attributed to you or an end-user (through de-identification) is owned by us.
You have the right to know what we collect and have collected about you. You have the right to opt-out of providing us information and you have the right to request its removal. We may however not be able to provide you with our products in these circumstances.
End users and consent
Our products may be used by you to monitor and filter the activity of End Users such as students (at a school), your children, guests on your network, your staff or you.
We provide our products to you under our agreement with you. You are responsible for informing your End Users and obtaining necessary consents from them or their parents/guardians with respect to the application of our products and with respect to our collection, use and disclosure of information associated with them in accordance with this PrivacyPolicy.
PRIVACY & SCHOOLS
In providing our products to school clients we will collect personally identifiable information with respect to students, their parents and guardians and school staff (“School Data”).
We appreciate that schools have unique circumstances and specific obligations with respect to privacy and in particular in relation to information associated with students.If you are a school account holder, this section applies to you.
Our role in UK and EU schools
For customers within the United Kingdom andthe European Union, with respect to the GDPR, we act in the capacity of a data processor and you are the data controller with respect to any data captured, used and disclosed by us. These terms are defined in GDPR.
Consents from parents, students and staff
On your behalf we monitor, filter activity and capture, use and disclose School Data with respect to your End Users. We require you to obtain and maintain all necessary consents from these parties,in accordance with your UK regulations.
Extended data storage
By default, we store school cyber safety datafor 15 months however you may request us to extend that period. Where you do so, and where we can do so, then you acknowledge that you are responsible andagree to indemnify us and hold us harmless whatsoever, for any implicationsunder relevant privacy laws in relation to the duration of storage ofpersonally identifiable information; and you undertake to reflect your policywith respect to the duration of storage of personally identifiable informationin your privacy policy and to communicate this to your End Users and theirparents.
Safety & security incidents
You may subscribe to advanced cyber safety andsecurity technology from us which monitors end-user activity for the purpose ofidentifying or recording concerning activity. You are responsible for theefficacy and disclosure of your use of such services to affected parties. Information collected by us using these advanced services is treated as CyberSafety Data in accordance with this privacy policy. Where disclosures of harmare identified our End User Policy applies.
Review, correction or removal of data
We only accept requests to review, change orremove School Data from our main contacts with you and your identified administrators. Parents or legal guardians who request changes to or removal of School Data should go through you.
Student Monitoring
Our products permit schools to monitor student advice and online activity.Where we reasonably can we will only capture information associated withactivity which our products determine to be of a nature requiring escalation tomoderators or school safety leads. Furthermore, we attempt but cannot promiseto avoid capture of information unrelated to identified concerns such aspersonal data.
Where you enable monitoring you are responsible for the efficacy and disclosureof their use to affected parties.
Information collected by us using these advanced services is treated as CyberSafety Data in accordance with this privacy policy.
Data associated with Student Protection
Internet Usage: Use of the internet including online search terms, sites visited and blocked and related meta-data such as device, protocol, website, location, time and date.
Device Location: Geo-location information derived from GPS services available on smart devices.
Incidents: Records of identified incidents detected by our Products or recorded by you or your end-users.
Data associated with Student Monitoring
Internet Usage: Use of the internet including online search terms, sites visited and blocked and related meta-data such as device, protocol, website, location, time and date.
Device Usage: Logs of device activity including apps used, keystrokes entered, features used, networks accessed and screen captures.
Cloud Services: Logs of concerning activity or media found by our services scanning your cloud services.
THE INFORMATION WE COLLECT
Account and user related information
Contacts: When yousign-up we will ask for information to establish an account including your nameand contact details. If you are a company or business, we will ask you for yourbusiness and tax registration details.
Addresses: We do not typically seekyour address however if we need to communicate to you in writing or if ourpayment provider requires your address, post code or zip for verificationpurposes.
Payment Method: If you arepaying us via electronic funds transfer, we will require a payment method (suchas a credit card). We do not store this information. We will pass you to acompliant payment gateway.
Timezone: When you sign up we willcapture your time zone. If we can, we will estimate this through geo-IP(through your internet session). We need a timezone to enable us topre-configure our Products for you and for your account to function.
Support: When you use our supportchannels we will capture the information you share with us through emails,support tickets, over the telephone or in online chat services.
Admin users: When you sign up we willcreate an administrative user for your account. You may create additionaladministrative users. We will require their name and security information such as a password and PIN.
End Users: End Users are those personsthat are affected by our products (e.g. authentication, filtering). End Usersmay be students (at a school), your children, guests on your network, yourstaff or you. Any information received from Google APIs will adhereto Google API Services User Data Policy,including the Limited Use requirements.
Credit information: If you area company or an unincorporated organisation we may complete a credit review onyou and source information available publicly or properly available for suchpurposes from credit reporting, law enforcement or government agencies.
Resellers: We provide our productsthrough resellers such as telecommunications companies and technology vendors.If you have purchased our products through a reseller then they may pass to usyour account set up information and in some circumstances End User and deviceregistration information. We require our resellers to have authorisation fromyou before doing so.
Submissions: We may provideopportunities for you or your end-users to post submissions in a forum,comments in a blog, or to complete surveys and forms. We are not responsiblefor what is submitted or for monitoring or escalating concerning submissions.If submitted into a public forum we are not responsible for any third-party useof what has been submitted.
Sensitive information: Unlesspermitted by law and requested by you or required by law, we will notdeliberately record or use sensitive information. For the purpose of thispolicy sensitive information means information or an opinion about anindividual’s racial or ethnic origin; political opinion; membership of apolitical association; religious beliefs or affiliations; philosophical beliefs; membership of a professional or trade association; membership of atrade union; sexual preferences or practices; or criminal record.
Cyber Safety Data
Our products enable you to monitor and controlthe use of the internet by End Users. This includes use of networks and devicesnot owned by you. Our products necessarily capture usage and deviceinformation. We call this Cyber Safety Data and it may include:
Internet usage: Use of the internet including online search terms, sites visited and blocked and related meta-data such as device, protocol, website, location, time and date.
Device location: Geo-location information derived from GPS services available on smart devices. Incidents: Records of identified incidents detected by our products or recorded by you or your end-users.
System related information and analytics
Diagnostic information: Ourproducts log system level activities. We capture this information for qualityassurance purposes only. It is stored for a short period of time.
Transactional records: Ourproducts log certain transactions for the purpose of notifying and reportingsystem events. For example, where a device connects to your network or an EndUser seeks to borrow a device. Transactional data is required for the functionof our products.
Web analytics: Like mostorganisations, we use automatic data collection technology (such as GoogleAnalytics) when you visit our websites. We may collect information such as yourIP address, Internet service provider, browser type, operating system andlanguage, referring and exit pages and URLs, date and time, amount of timespent on particular pages, what sections of the website you visit, number oflinks you click while on the website, search terms, and other data. Thisinformation is collected automatically and pseudonymised. By accessing andusing our website, you consent to the processing of this data by our analyticspartners in the manner and for the purposes set out in this policy. Analytics are collected through services we obtain from third party providers,such as Google. Where possible we will provide at qoria.com/tracking details ofour providers and guidance on how to opt-out from data collection.
Cookies and other tracking technologies: We and ouradvertising and analytics partners, use cookies and other tracking technologies(e.g., web beacons, device identifiers and pixels) to provide functionality andto recognise you across different services and devices. We will not use them tomarket third party products or to gather information on you or your End Usersto sell to others. For more information, please see our Cookies and TrackingNotice below or visit qoria.com/tracking.
Third party authentication services: For yourconvenience we may offer you the ability to sign-in to our products using thirdparty authentication services provided by organisations such as Google and Microsoft.Where you choose such services, we will exchange authentication informationwith them such as your email address. You will be required to accept theirterms of use and policies with respect to the exchange of information. Weonly use these services for the purpose of authentication. You may disableauthentication services at any time through your account.
Purposes for processing your data
The table set out below identifies the data we collect, the purpose for which it is collected and our basis for doing so.
HOW WE SHARE YOUR INFORMATION
In order to deliver to you the services requested and for us to meet our obligations we may from time to time share your information with others as described below.
Service partners: You may request products that require us to direct you to third party providers such as cyber safety experts and providers of technology and equipment. If so, we will need to share relevant information with them. We only work with reputable organisations and when we partner with them, we subject them to checks which require them to have appropriate standards in place to manage your data. We encourage you to read their privacy policies and ensure you are fully informed.
Operational service providers: We work with third-party service providers to provide website and application development, hosting, maintenance, backup, storage, virtual infrastructure, payment processing, analysis, customer, technical and sales support services.If a service provider needs to access information about you to perform services on our behalf, they do so under instruction from us, including abiding by policies and procedures designed to protect your information. A list of our sub-processors can be provided on request.
Resellers: We provide our products through third party resellers such as telecommunications companies and technology vendors. If you have purchased our products through a reseller then we will exchange information with them for the purpose of setting up your account, billing you and other operational purposes.
App stores: Where you acquire or download our products from app stores (e.g. Google Play, Google Web Store orApple App Store) we will exchange limited information with them to support the app, extension or application’s installation, update, support and operation.You will be required to agree terms including privacy terms with the relevant store or marketplace owner. The information you share with them is governed by their privacy policies, not ours.
Authentication providers: If you have enabled a “sign in with” service (e.g. through Google or Microsoft) then we will exchange authentication information with them such as end-user name and email address. You and your end-users will be required to accept their terms of use and policies with respect to the exchange of information.
Third party sites: Our products may contain links to websites owned or operated by third parties. Your use of sites and services and any information you submit to them is governed by their privacy policies, not ours.
Schools: Where both a parent/guardian (account holder) and a school (account holder) opt-in then we will share chosen sets of Cyber Safety Data between them with respect to relevant students.
Hot-spots: When End Users connect to our networking products (e.g., access points, network gateways) an authentication process will be triggered. Device and/or authorisation tokens/certificates or a sign-in will allow our products to identify an EndUser (where possible). This is fundamental for the operation of our products.Once registered, devices can be recognised by participating network gateways.We may share your End Users masked names (first name and first initial of last name) and device identification information where they connect to participating networks.
Shared end users: Should you request to share Cyber Safety Data associated with or control of an End User with another account holder then we will disclose your name to that other party. This is required to assist them to determine whether your request should be granted.
Legal reasons: We may disclose your information without your consent if we reasonably believe that doing so is necessary to:
- Satisfy any applicable law, regulation, legal process, or governmental request;
- Enforce applicable Customer Terms, including investigation of potential violations or breaches;
- Detect, prevent, or otherwise address illegal or suspected illegal activities, security or technical issues; or
- Protect against harm to the rights, property or safety of us, our users or the public as required or permitted by law.
If we share School Data pursuant to a court order or legal process, we will provide you with notice unless notice is expressly prohibited by law or court order.
Business transfer: We may share or transfer information we collect under this policy in connection with any merger, sale of company assets, financing, or acquisition of all or a portion of our businesses to another company. You will be notified via email and/or a prominent notice if such an event takes place, as well as any choices you may have regarding your information.
Google Workspace Data: We may share non-Google user data with third parties, including resellers, credit agencies, and partners, for business purposes. However, we do not share Google Workspace user data with any third parties, except as required to provide or improve the functionality of the application as explicitly permitted by Google's API Services User Data Policy.
HOW WE SECURE YOUR INFORMATION
Information storage
We use reputable data hosting service providers (such as Google, Microsoft and Amazon Web Services) to host the information we collect, and we use technical measures to secure your data.While we implement safeguards designed to protect your information, no security system is impenetrable and due to the inherent nature of the Internet, we cannot guarantee that data, during transmission through the Internet or while stored on our systems or other wise in our care, is absolutely safe from intrusion by others. We will respond to requests about this within a reasonable timeframe.
Our security procedures
We take information security seriously and have a security program which includes administrative, technical, physical andmanagerial measures that is reasonably designed to protect the information we collect from loss, misuse and unauthorised access or disclosure. For example we:
- Choose to exclusively use Tier 1 data centers provided by Microsoft, Amazon and Google. These data centers facilitate us deploying security and resilience of the highest order.
- Encrypt your data in transit and at rest when stored in the data center using industry standard secure encryption technologies.
- Do not store your payment information. Instead we use a third PCI-DSS compliant party payment provider.
- Require you to provide a unique username and set a password and other security measures from time to time such as PINs.
- Hold passwords encrypted and do not re-issue them (instead you must enter a new one).
- De-identify your information where possible, and in particular End User records.
Your security procedures
We urge you to be diligent in securing your computing networks, devices, usernames and passwords. Should other parties obtain access to these or guess them (because they are too simple) then your information may be compromised.
For convenience we make certain technologies available to you to make it easier to log in to your account or be authenticated to access the network or internet. For example, cookies, remember-me and single-sign-on type technologies. If you use these technologies, then we urge you to use device PINs and to log off your device when you’re not using it.
If you intend to sell or return a device which you have used with us you should remove our application/s, log-out and clear the cache, all browsing information and cookies before doing so.
You are responsible for maintaining the confidentiality of your account access information and for restricting access to your computer or device through which an account is accessed.
How long we keep information
We retain information to provide you with the services and features you have requested and to support the ongoing improvement of our products. We take steps to secure and obfuscate your identity and once it is no longer needed, to de-identify your information or delete it.
How long we keep information depends on the type of information collected.
- We will keep information relating to you and your End Users for as long as it remains necessary for its identified purpose or as required by law, which may extend beyond the termination of our relationship with you. We retain de-identified information for as long as we consider necessary for our business purposes.
- On cancellation of your account we will not automatically delete or de-identify the information we hold relating to you or your End Users. We need to retain some of your account information to comply with our legal obligations such as ensuring we’re capable of resolving disputes, enforcing our agreements and collecting outstanding payments.
- There is some information we hold on you which for legal and legitimate business reasons, we will not be able to delete, even if you request us to do so. For example, under taxation laws we need to maintain a record of your account and the financial transactions we’ve completed. We have obligations to retain information to ensure we’re capable of resolving disputes, enforcing our agreements and collecting outstanding payments.
- When we delete information, it may continue to be stored in backup archives. We will securely store such information and isolate it from any further use until deletion or de-identification is possible.
- Our standard policy is to store Cyber Safety Data for 15 months. After that time related records are aggregated and de-identified. We may offer you the option to extend this storage period.
- For the purpose of quality assurance, or due to technical limitations we may capture temporal Cyber Safety Data even when End Users have been set by you to be “not tracked”. We will however purge such data as soon as practical.
- If you acquired our services through a reseller, cancellation of your account with us and requests for us to remove records of you will not automatically remove records of you in the reseller’s platforms. This is because you were a customer of theirs.
- If you have elected to receive marketing emails from us, we retain information about your marketing preferences unless you specifically ask us to delete such information. We retain information derived from cookies and other tracking technologies for a reasonable period of time, from the date such information was created.
- Notwithstanding the foregoing, Personally Identifiable Information stored by us, relating to End Users under the age of 18 will be deleted in all cases (to the extent that it is reasonably and commercially possible to do so) when it is no longer needed for the purpose for which it was collected.
YOUR RIGHTS
You have a range of options available to you when it comes to your information. Below is a summary of those choices. Where you request action from us, we will respond within a reasonable timeframe.
Access
You can access and modify the information inyour account at any time, this includes all data that is required to providethe services.
Rectification
You can access and modify the information inyour account at any time.
Relevant browser-based cookie controls aredescribed in our Cookies & Tracking Notice.
Some browsers have incorporated "Do NotTrack" (DNT) features that can send a signal to the websites you visit indicating you do not wish to be tracked. Because there is not yet a common understanding of how to interpret the DNT signal, our Services do not currently respond to browser DNT signals. You can use the range of other tools we provide to control data collection and use, including the ability to opt out of receiving marketing from us as described above.
Erasure
You can delete End Users from your account.
In some cases, you may ask us to stop accessing, storing, using and otherwise processing your information where you believe we don't have the appropriate rights to do so. For example, if you believe an account was created for you without your permission or you are no longer an active user, you can request that we delete your account as provided in this policy.
You may request a deletion of information we hold on you. We will delete information where it is proper and practical to do so.
Restriction
Restriction is the right to stop further processing of your data, this will not affect any processing that has already taken place at the time but will suspend any further processing until the dispute is resolved.
Portability
Data portability is the ability to obtain your information in a format you can move from one service provider to another (for instance, when you transfer your mobile phone number to another carrier). Should you request it, we will provide you with an electronic file of your End User information.
We will provide you with basic account level information without charge, Additional information may incur a reasonable charge. It may not be practical or proper to provide you some information (for example if fulfilling a request would reveal information about or owned by another party).
Objection
If there is a concern with regard to how we are storing, using, transferring, processing or treating your data you can contact us to raise that concern, but this will not affect any processing that has already taken place at the time. When you make such requests, we may need time to investigate and facilitate your request. If there is a delay or dispute as to whether we have the right to continue using your information, we will restrict any further use of your information until the request is honoured or the dispute is resolved. However, we may be entitled to continue processing your information based on our legitimate interests or where this is relevant to legal claims.
Withdrawal of consent
Where you gave us consent to use your information for a limited purpose, you can contact us to withdraw that consent, but this will not affect any processing that has already taken place at the time. When you make such requests, we may need time to investigate and facilitate your request. If there is a delay or dispute as to whether we have the right to continue using your information, we will restrict any further use of your information until the request is honoured or the dispute is resolved.You may opt out of receiving third party promotional communications from us in your account. You may opt out of our promotions by using the unsubscribe link within each email. Even after you opt out from receiving promotional messages from us, you will continue to receive transactional messages from us. You can opt out of some notification messages in your account.
Complaints to the regulator
You also have a right to lodge a complaint with a supervisory authority, where you are located, where we are based or where an alleged infringement of Data Protection law has taken place.Your contact options are set out below.
United Kingdom
Office of the Information Commissioner
https://ico.org.uk/make-a-complaint/
DATA BREACHES
We are committed to transparency with respect to serious data breaches.
When a data breach occurs which is likely to result in serious harm to any individuals whose personal information has been breached, then we will notify the relevant affected individuals (and other parties as required by law) and advise:
- Our identity and contact details;
- A description of the data breach;
- The kinds of information concerned; and
- Recommendations about the steps the individual should take in response to the data breach.
How to contact us
If you have any questions about this PrivacyStatement, the information that we collect from you or your End Users, or the Products, please contact our Privacy & Data Protection Officer as follows:
Contacts
For customers within the United Kingdom:
email: support@utropolis.io
CHANGES TO OUR CUSTOMER POLICIES
We may, from time to time and in our sole discretion, make changes to this policy. We will provide notice to you by email (if you have provided us with one) or when you sign in to your account for the first time after the change.
We will ask you to review and agree to the changes. If you agree to the changes, simply continue using the Products (which will be deemed acceptance of the updated policy). If you object to any of the changes, immediately notify us at support@utropolis.io.