This privacy statement (Version 1.1) was last revised on 14 June 2019.
Data privacy is important to Safetrust and this Privacy Statement describes the Personal Information that we collect, hold and use, and with whom we share it. It also describes your rights and responsibilities in respect to the Personal Information that we store about you, the End User. To use our products, you will be required to accept this Privacy Statement. By accepting it, you agree that we can collect, hold, use and share your Personal Information as described in this Privacy Statement.
Typically, the owner of Your Identity System is the organization that issued that credential to you, such as your employer, landlord, or a government agency or other entity with whom you have a relationship that requires them to issue you a credential to authenticate who you are, in order to be permitted building and/or network access. For the sake of simplicity in this Privacy Statement, we will occasionally refer to the owner of Your Identity System as “your employer or organization.”
Safetrust’s products create and manage digital versions of identity credentials (“Virtual Credentials”) to supplement or replace the physical badges, smart cards, and similar tangible items that organizations currently use to enable building and/or network access. Safetrust protects the information associated with these Virtual Credentials by encrypting it so that it is protected in the database, in transit, or on your mobile device. In addition to this, specific items of Personal Information are also protected in our database using a second encryption key which is unique to Your Identity System. This design ensures that operational use of your data is tightly controlled.
We collect and store the minimum amount of Personal Information required to provide you with the building and/or network access as authorized by the owner of Your Identity System. The owner of Your Identity System typically requires that we hold sufficient information to validate your identity and that we log and report system usage in line with their information and security management policies.
The Safetrust product you will likely use most often is the Safetrust Wallet mobile application (“Safetrust Wallet”). Safetrust Wallet is an iOS or Android application that stores Virtual Credentials securely on your mobile phone. The Safetrust Wallet communicates both with (a) devices that provide access control in your employer’s or organization’s buildings or computer systems, and (b) Safetrust’s Credential Manager cloud software, which is accessed via a website (“Portal”) that administrators at your employer or organization will make available to you. The first time you log into your individual account on Safetrust Wallet, you will be required to check a box to confirm your consent to this Privacy Statement and to the license to use the Safetrust products that has been provided to you by your employer or organization. If you choose not to provide your consent you will not be able to use the Virtual Credentials that have been assigned to you by the administrator at your employer or organization, nor to log into Credential Manager Portal.
The information that we collect
The ‘Personal Information’ that is stored and managed by the Safetrust Wallet and Credential Manager is:
- Email address;
- Mobile phone number;
- Various other identifiers such as Facebook, Skype, LinkedIn, etc. (if provided);
- IP address;
- Photo (if provided); and
- Location information associated with registration and ‘Events’ such as where your credential was used.
In addition, we categorise the certificates or credentials that have been provided for authentication purposes as ‘Sensitive Information’.
Depending on how your company or organization has deployed Safetrust products, some or all of this information will be provided by you when you create or activate an account on Safetrust Wallet, or some or all of this information will have been provided by your employer or organization.
Access to Personal Information is tightly controlled, logged and monitored within the Safetrust system. Access is restricted to the administrators of Your Identity System and a small number of Safetrust staff, who have this access for the purposes of assisting or supporting Your Identity System administrators, or to periodically confirm compliance with our software license. Safetrust employees are bound by contract with Your Identity System owner, and by law, to keep this information confidential and use it only for legitimate purposes.
In addition to the above information, Safetrust collects information based on your activities using its products. Specifically, when the Mobile Application interacts with the access control equipment in your employer’s or organization’s buildings or computer systems (e.g., a door reader or a USB reader), the Mobile Application records an “event” that details the nature of the interaction (“Event Data”) — e.g., at this date and time, you successfully obtained access to Door 713. The Mobile Application sends the Event Data back to the hosted Credential Manager, which may be reviewed by Your Identity System owner. Identity System owners may elect to have this data pushed to an analytics engine for monitoring and analysis.
When you download the Safetrust Wallet mobile application to your mobile device, we automatically collect information about your device including the type of device, the operating system, and whether Bluetooth is active. We use this information for support purposes.
Disclosure of your information
We may disclose the information you provide us, through your registration and use of our Products, to the owner of Your Identity System. Typically, Your Identity System’s owner provided Safetrust with your account information initially, but if it did not, that information, as well as any changes to that information you make and the Event Data collected regarding your use of your Virtual Credential, will be made available to Your Identity System’s owner. If you have Virtual Credentials from more than one identity system owner (say, your employer and your gymnasium), the owner of any given identity system will have access only to data related to the Virtual Credential issued by that owner.
We will respond to subpoenas, warrants, or other court orders regarding information concerning users of our products. Safetrust will, at its discretion, disclose Personal Information if it is required to do so by law, where such disclosure is necessary to protect Safetrust from legal liability or to protect the integrity of our products and website. If Your Identity System’s owner agreed with Safetrust upon procedures that affect such disclosures, Safetrust will abide by that agreement.
Security of your information
We take all reasonable steps (including all measures required by law) to ensure your information is protected and secure at all times. Your data is stored in an encrypted database within the secure Amazon Web Services Hosting Environment and our encryption architecture ensures that Amazon employees do not have access to your Personal Information. Amazon has several data centers geographically spread around the world. Your data is currently stored in Amazon’s data center located in Sydney, Australia. All Amazon sites provide consistent data and communications security services.
When your data is in use by the system, it is protected at all times. All of the Credential Manager data is encrypted at the database level. Within the database, most of your personal and all of your sensitive information is also protected by an additional layer of encryption to ensure isolation of data by Identity System. The system uses your email address, your mobile number and your name as references internally and these data items are not subject to the second level of encryption. When in transit between the browser and the server, all data is protected by the industry standard TLS protocol. Data stored on your mobile device is protected by encryption which leverages standard iOS and Android encryption technologies. However, no data protection and security measures are completely secure. Despite all the measures we have put in place, we cannot guarantee the security of your information, particularly in relation to transmissions over the internet. Accordingly, any information which you transmit to us is transmitted at your own risk.
You must take care to ensure you protect your information (for example, by protecting the username, password, and other account details related to your Safetrust account, as well as implementing security features in your mobile device such as screen lock and, if available, biometric security features such as Apple’s TouchID and FaceID and similar features in Android). You should notify the administrators at your employer or organization as soon as possible if you become aware of any security breaches regarding your Safetrust account or your Virtual Credentials. Please advise them as soon as possible if there are any changes to your Personal Information or if you believe the information we hold about you is not accurate, complete, or current.
Retention and removal of your information
Your Identity System owner is responsible for notifying Safetrust when accounts are inactive or have expired. Upon such notification, Safetrust will remove these accounts within 90 days of notification or as otherwise directed by Your Identity System Owner.
How we use your information
We only use your information for the purpose for which it was provided to us. Such purposes include:
- Managing the Virtual Credentials that you use to access buildings or networks;
- Monitoring for fraud or inappropriate activities;
- Responding to enquiries (via the identity system owner’s help desk) if you encounter a problem that relates to Safetrust functionality;
- Providing the owner of the identity system with reader event information that can be used for business analysis purposes;
- Complying with our obligations to you and/or your employer/organization under our contract or applicable law;
- To better understand how individuals interact with our products or website;
- Quality assurance and training purposes.
Safetrust does not sell your Personal Information to third parties. We will not use your email address for marketing or unsolicited advertising materials without your consent. We will, however, email you to provide you with some operational information, or to advise you if we suspect unauthorized use of your account, or to advise you of any changes or updates made to your information where we feel that such a notification will ensure the security and integrity of the service.
How to contact us for questions, concerns or complaints
Safetrust products are designed for use by organizations, and you should direct your privacy enquiries to the administrator of Safetrust products in that organization. Safetrust will respond to such enquiries via the owner of your Identity System.
In all other situations please email your request or concern to email@example.com. We will refer your inquiry or complaint to our Privacy Officer, who will, within a reasonable time, investigate the issue and determine the steps required for resolution. We will contact you if we require any additional information from you and will notify you in writing of the response or determination of our Privacy Officer. If you are not satisfied with our response or determination, you can contact us or raise your concerns with the Australian Privacy Commissioner via www.oaic.gov.au
Revision of this Privacy Statement
Safetrust may revise this Privacy Statement or any part of it from time to time to ensure we remain compliant with data privacy regulations specific to your geographical location, including those specified in the EU General Data Protection Regulation (GDPR). Please review this policy at https://www.safetrust.com/privacy periodically for changes. If we make significant changes to this policy, we may notify you using the contact details provided by you or by putting a notice on our website at https://www.safetrust.com.