This privacy statement (Version 1.2) was last revised September 2020.
Safetrust is committed to data privacy and this Privacy Statement provides you with information about how we protect and manage the Personally Identifiable Information (PII) that is provided and collected when you use our products. It also describes your rights and responsibilities with regards to the PII that is used by our products.
Because our products provide secure and accountable access to buildings or computer networks, we are required to collect sufficient information to allow the organization that has invited you to use our products to positively identify you. You may accept this Privacy Statement either via the consent checkbox presented at your first log-in to Safetrust Wallet or Credential Manager, or by using the consent mechanism provided to you in a third-party application that has incorporated Safetrust functionality into its product. Should you decide NOT to accept this Privacy Statement you will NOT be able to use our products.
Safetrust’s products create and manage digital versions of identity credentials (“Virtual Credentials”) which supplement or replace the physical badges, smart cards, and similar tangible items that organizations currently use to enable building and/or network access. Typically an individual consumer (“User”) will be invited to use our building or network access mobile applications by a third party ‘organization’. For example, that organization might be the User’s employer, or the property manager, the owner of the gymnasium to which the User is a member, etc. In any case, that organization is responsible for specifying the policies that relate to the data that they share with Safetrust and the data that we collect when you use our products.
Our products store and manage PII in accordance with global privacy legislation including the California Consumer Privacy Act (June 2018), European General Data Protection (April 2016) regulations and the Australian Government’s Privacy Act (1988). These regulations require that we clarify the following data privacy items in relation to our products:
- Our products use and store only the PII required to enable and monitor authorised access to sites and networks. The specific items of PII used by our products are described in the following section;
- Our products are designed to protect your PII and your Virtual Credentials by encrypting them so that they are protected when they are in the database, in transit, or on your mobile device;
- We delete your operational data when the organization that has invited you to use our products notifies us that the account should be deleted;
- We retain essential audit information, in an encrypted form, for seven years;
- We do not sell your PII to third parties. Your information is only shared with the organization that has invited you to use our products. Please note that the organization that invited you to use Safetrust products will have its own privacy statement which may have a different policy in relation to the sharing of PII.
You may be invited to use Safetrust products by more than one organization. If so, then your information is managed separately for each individual organization. In Safetrust’s secure cloud application (“Credential Manager”), each organization can set up one or more groups of access devices, such as door readers or turnstiles, that have similar access characteristics (“Identity Systems”),and you may be provided one or more Virtual Credentials for each Identity System in the same way as you would previously have had to carry a different key or access card for each building.
If you have an enquiry regarding the PII used by the products, you must contact the organization(s) that invited you to use our products. Safetrust will provide all requested information promptly upon request from the initiating organization, so that they can respond to you promptly.
The information that we collect
When you use Safetrust’s credential management products, we collect and store the following Personal Information:
- your name;
- the country where you will be using our products;
- either your email address or your mobile phone number or both;
- IP address used by your phone or by access devices when they interact with our service (for security and for your protection);
- Credential Information – information provided to us by the organization that owns Your Identity System to create the Virtual Credential that you will use for building or network access, such as the physical access control or network access credential data assigned by your employer to identify you via an existing employee badge, Prox card or similar physical credential system;
- In some cases, we may store your photo, if that has been provided to us by your Identity System’s owner (again, typically your employer, landlord, or other organization) as part of the information they use to verify your identity (e.g., as part of your employee badge); and
- Details of access events (the Event Data described below).
Depending on how the organization that invited you to use a Safetrust product has designed its interface to Credential Manager, some or all of this information will be provided to Safetrust by you when you create or activate an account on Safetrust Wallet, or it may be that some or all of this information will have been provided to Safetrust by the inviting organization.
In either case, your Personal Information is encrypted when it is stored in Credential Manager or transmitted. Access to this data is tightly controlled, logged and monitored, and it is restricted to the administrators of your Identity System and a small number of Safetrust staff who have this access for the purposes of assisting or supporting your Identity System administrators, or to periodically confirm compliance with our software license. Safetrust employees are bound by contract with your Identity System owner, and by law, to keep this information confidential and use it only for legitimate purposes.
When you download the Safetrust Wallet mobile application to your mobile device, we automatically collect information about your device including the type of device and its operating system. During operation we record whether Bluetooth is active. We use this information for support purposes.
In addition to the above information, Safetrust collects information based on your activities using its products. Specifically, when the Mobile Application interacts with the access control equipment in your employer’s or organization’s buildings or computer systems (e.g., a door reader or a USB reader), the Mobile Application records an “event” that details the nature of the interaction (“Event Data”) — e.g., at this date and time, you successfully obtained access to Door 713. The Mobile Application sends the Event Data back to the Credential Manager application, which may be reviewed by your Identity System owner. Identity System owners may elect to have this data pushed to an analytics engine for monitoring and analysis.
How we use your information
Safetrust only uses your information for the purpose for which it was provided to us. Such purposes include:
- Managing the Virtual Credentials that you use to access buildings or networks;
- Monitoring for fraud or inappropriate activities;
- Responding to enquiries (via the Identity System owner’s help desk) if you encounter a problem that relates to Safetrust functionality;
- Providing the owner of the identity system with reader event information that can be used for business analysis purposes;
- Complying with our obligations to you and/or your employer/organization under our contract or applicable law;
- Quality assurance and training purposes.
We will not use your email address for marketing or unsolicited advertising without your consent. From time to time, however, we may email you to provide you with some operational information, or to advise you if we suspect unauthorized use of your account, or to advise you of any changes or updates made to your information where we feel that such a notification will ensure the security and integrity of the service.
Disclosure of your information
We manage the information provided to us in accordance with the policies specified by the owner of your Identity System(s). Typically account data is synchronised between the Identity System owner’s database and Credential Manager. We will only disclose PII and Event Data to the owner of the specific Identity System.
We will respond to subpoenas, warrants, or other court orders regarding information concerning users of our products. Safetrust will, at its discretion, disclose Personal Information if it is required to do so by law, where such disclosure is necessary to protect Safetrust from legal liability or to protect the integrity of our products and website. If your Identity System’s owner agreed with Safetrust upon procedures that affect such disclosures, Safetrust will abide by that agreement.
Security of your information
We take all reasonable steps (including all measures required by law) to ensure your information is protected and secure at all times. To enable Credential Manager, your data is stored in an encrypted database within the secure Amazon Web Services Hosting Environment and our encryption architecture ensures that Amazon employees do not have access to your Personal Information. Amazon has several data centers geographically spread around the world. Your data is currently stored in Amazon’s data center located in Sydney, Australia. All Amazon sites provide consistent data and communications security services.
When your data is in use by the system, it is protected at all times. When in transit between the browser and the server, it is protected by the industry standard TLS protocol. Data stored on your mobile device is protected by encryption which leverages standard iOS and Android encryption technologies. However, no data protection and security measures are completely secure. Despite all the measures we have put in place, we cannot guarantee the security of your information, particularly in relation to transmissions over the internet. Accordingly, any information which you transmit to us is transmitted at your own risk.
You must take care to ensure you protect your information (for example, by protecting the username, password, and other account details related to your Safetrust account, as well as implementing security features in mobile device such as screen lock and, if available, biometric security features such as Apple’s TouchID and FaceID and similar features in Android). You should notify the administrators at your employer or organization as soon as possible if you become aware of any security breaches regarding your Safetrust account or your Virtual Credentials. Please advise them as soon as possible if there are any changes to your Personal Information or if you believe the information we hold about you is not accurate, complete, or current.
Retention and removal of your information
The owner of each Identity System is responsible for notifying Safetrust when accounts are inactive or have expired. Upon such notification, Safetrust will remove these accounts within 90 days of notification.
How to contact us for questions, concerns or complaints
Safetrust products are designed for use by organizations, and you should direct your privacy enquiries to the administrator of Safetrust products in that organization. Safetrust will respond to such enquiries via the owner of your Identity System.
In all other situations please email your request or concern to email@example.com. We will refer your inquiry or complaint to our Privacy Officer, who will, within a reasonable time, investigate the issue and determine the steps required for resolution. We will contact you if we require any additional information from you and will notify you in writing of the response or determination of our Privacy Officer. If you are not satisfied with our response or determination, you can contact us or raise your concerns with the Australian Privacy Commissioner via www.oaic.gov.au.
Revision of this Privacy Statement
Safetrust may revise this Privacy Statement or any part of it from time to time to ensure we remain compliant with data privacy regulations specific to your geographical location, including those specified in the California Consumer Privacy Act (June 2018), EU General Data Protection Regulation (GDPR) or Australian Government’s Privacy Act (1988). Please review this policy at https://www.safetrust.com/privacy periodically for changes. If we make significant changes to this policy, we may notify you using the contact details provided by you or by putting a notice on our website at https://www.safetrust.com.