This privacy statement (Version 1.3.2) was last revised December 2021.
‘Credential Manager’ and the associated ‘Wallet’ mobile application are designed to comply with global privacy legislation. This Privacy Statement provides you with information about how we protect and manage the Personally Identifiable Information (PII) that is provided and collected when you use our products. It also describes your rights and responsibilities with regard to the PII that is used by our products.
Because our products provide secure and accountable access to buildings or computer networks, we are required to process and maintain sufficient information to allow the organization that has invited you to use our products to positively identify you. You may accept this Privacy Statement either via the consent checkbox presented at your first log-in to the Wallet application or Credential Manager, or by using the consent mechanism provided to you in a third-party application that has incorporated this functionality into its product. Should you decide NOT to accept this Privacy Statement you will NOT be able to use our products.
Our products create and manage digital versions of identity credentials (“Virtual Credentials”) which supplement or replace the physical badges, smart cards, and similar tangible items that organizations currently use to enable building and/or network access. Typically an individual consumer (“User”) will be invited to use our building or network access mobile applications by a third party ‘organization’. For example, that organization might be the User’s employer, the property manager, the owner of the gymnasium of which the User is a member, etc. In any case, that organization is responsible for specifying the policies and privacy controls that relate to the data that is collected when you use our products.
Our products use PII in accordance with global privacy legislation including the California Consumer Privacy Act (June 2018), the European General Data Protection Regulation (April 2016) and the Australian Government’s Privacy Act (1988). These regulations require that we clarify the following data privacy items in relation to our products:
- Our products use only the PII required to enable and monitor authorised access to sites and networks. The specific items of PII used by our products are described in the following section;
- Our products are designed to protect your PII and your Virtual Credentials by encrypting them so that they are protected when they are in the database, in transit, or on your mobile device;
- When the organization that has invited you to use our products deletes your account, this triggers the automatic deletion of your operational information from our database;
- We retain essential audit information, in an encrypted form, for three years.
You may be invited to use the Credential Manager and the Wallet application by more than one organization. If so, then your information is managed separately for each individual organization. In Credential Manager, each organization can set up one or more groups of access devices, such as door readers or turnstiles, that have similar access characteristics (“Identity Systems”), and you may be provided one or more Virtual Credentials for each Identity System in the same way as you would previously have had to carry a different key or access card for each building.
If you have an enquiry regarding the PII used by the products, please contact the organization(s) that invited you to use our products.
The information that we process
When you use the Credential Manager and the Wallet application, we collect and store the following Personal Information:
- your name;
- the country where you will be using our products;
- either your email address or your mobile phone number or both;
- IP address used by your phone or by access devices when they interact with our service (for security and for your protection);
- the friendly name that you have assigned to your mobile device (because it is typically personalized);
- Credential Information – information provided to us by the organization that owns Your Identity System to create the Virtual Credential that you will use for building or network access, such as the physical access control or network access credential data assigned by your employer to identify you via an existing employee badge, prox card or similar physical credential system;
- In some cases, we may store your photo, if that has been provided to us by your Identity System’s owner (again, typically your employer, landlord, or other organization) as part of the information they use to verify your identity (e.g., as part of your employee badge); and
- Details of access events (the event data described below).
Some, or all, of this information will be provided to the Credential Manager Web Application by you when you create or activate an account on the Wallet, or it may be that some or all of this information will have been provided by the inviting organization.
In either case, your Personal Information is encrypted when it is stored in Credential Manager or transmitted. Access to this data is tightly controlled, logged and monitored, and it is restricted to the administrators of your Identity System and a small number of support staff who have this access for the purposes of assisting or supporting your Identity System administrators, or to periodically confirm compliance with our software license. Support staff and administrators are bound by contract with your Identity System owner, and by law, to keep this information confidential and use it only for legitimate purposes.
When you download the Wallet mobile application to your mobile device, we automatically collect information about your device including the type of device and its operating system. During operation we record whether Bluetooth is active. We use this information for support purposes.
In addition to the above information, we collect information based on your activities using our products. Specifically, when the Wallet mobile application interacts with the access control equipment in your employer’s or organization’s buildings or computer systems (e.g., a door reader or a USB reader), the Mobile Application records an “event” that details the nature of the interaction (“Event Data”) — e.g., at this date and time, you successfully obtained access to Door 713. The Mobile Application sends the Event Data back to the Credential Manager application, which may be used for monitoring and analysis purposes by the Organization that invited you to use the System.
How we use your information
Your information is only used for the purpose for which it was provided to us. Such purposes include:
- Processing changes to the Virtual Credentials that you use for access to buildings or networks;
- Monitoring for fraud or inappropriate activities;
- Responding to enquiries referred to us from the Organization that invited you to use the System should you have a problem that relates to Credential Manager or Wallet functionality;
- Providing the Organization that invited you to use the System with reader event information that can be used for business analysis purposes;
- Complying with our obligations to you and/or your employer/organization under our contract or applicable law;
- Quality assurance and training purposes.
We will not use your email address for marketing or unsolicited advertising without your consent. From time to time, however, we may email you to provide you with some operational information, or to advise you if we suspect unauthorized use of your account, or to advise you of any changes or updates made to your information where we feel that such a notification will ensure the security and integrity of the service.
Disclosure of your information
We manage the information provided to us in accordance with the policies specified by the Organization that invited you to use the System. Typically account data is synchronised between that Organization’s building system database and Credential Manager. We will only disclose PII and event data to the Organization that invited you to use the System.
We will respond to subpoenas, warrants, or other court orders regarding information concerning users of our products. We will, with discretion, disclose Personal Information if we are required to do so by law, where such disclosure is necessary to protect us from legal liability or to protect the integrity of our products and website. If your Identity System’s owner enforces procedures that affect such disclosures, we will abide by that agreement.
Security of your information
We take all reasonable steps (including all measures required by law) to ensure your information is protected and secure at all times. To enable Credential Manager, your data is stored in an encrypted database within the secure Amazon Web Services Hosting Environment and our encryption architecture ensures that Amazon employees do not have access to your Personal Information. Amazon has several data centers geographically spread around the world. Your data is currently stored in Amazon’s data center located in Sydney, Australia and in Northern California, USA. All Amazon sites provide consistent data and communications security services.
When your data is in use by the system, it is protected at all times. When in transit between the browser and the server, it is protected by the industry standard TLS protocol. Data stored on your mobile device is protected by encryption which leverages standard iOS and Android encryption technologies. However, no data protection and security measures are completely secure. Despite all the measures we have put in place, we cannot guarantee the security of your information, particularly in relation to transmissions over the internet. Accordingly, any information which you transmit to us is transmitted at your own risk.
You must take care to protect your information (for example, by protecting the username, password, and other account details related to your account, as well as enabling security features on your mobile device such as screen lock and, if available, biometric security features such as Apple’s TouchID and FaceID and similar features in Android). You should notify the administrators at your employer or organization as soon as possible if you become aware of any security breaches regarding your account or your Virtual Credentials. Please advise them as soon as possible if there are any changes to your Personal Information or if you believe the information we hold about you is not accurate, complete, or current.
Retention and removal of your information
The Organization that invited you to use the System (the Data Controller) is responsible for ensuring that expired or unused accounts are deleted and will retain only the PII associated with active accounts. Audit records are retained for three years. The owner of each Identity System is responsible for notifying Safetrust when accounts are inactive or have expired. Upon such notification, Safetrust will remove these accounts within 90 days of notification.
How to contact us for questions, concerns or complaints
You should direct any privacy enquiries that you may have to the Privacy Contact Officer at the organization that invited you to use the Credential Manager and the Wallet application.
Revision of this Privacy Statement
We may revise this Privacy Statement or any part of it from time to time to ensure we remain compliant with data privacy regulations specific to your geographical location, including those specified in the California Consumer Privacy Act (June 2018), EU General Data Protection Regulation (GDPR) or Australian Government’s Privacy Act (1988).
Need to get in touch with our security team? Send us a note at firstname.lastname@example.org, and we’ll be in touch.