SINGULAR KEY, INC.
Last Updated: April 9, 2019
When we mention “Singular Key,” “we,” “our,” or “us,” in this notice, we are referring to Singular Key, Inc. and its group companies. When we say “you” or “End-User” in this Policy, we mean any individual using and accessing our Services. When we talk about an “Organization” or “Customer” in this Policy, we are generally referring to the entity of which you are an employee, contractor, member, or other participants, that have engaged us to provide the services under the terms of a contract. The “Organization Administrators” we talk about in this notice are the individuals authorized by our Customers to help administer our services internally.
By sharing your personal information with us, and by continuing to use our Services, you confirm that you have read and understood the terms of this Policy.
If you have any questions, comments or concerns about any aspect of this Policy or how we handle your information, please reach out to our team using the details provided under the Contact Information section of this Policy.
ABOUT SINGULAR KEY
Singular Key provides security solutions that make modern authentication easy to use, deploy and scale cost-effectively on the web, mobile and other applications. Our solutions include passwordless, multi-factor authentication, trusted access, SDKs and APIs and developer tools for our customers. Find out more here.
OUR PRIVACY PRINCIPLES
Singular Key was started to enable Digital Trust with privacy-by-design principles. Privacy, integrity and transparency are foundational to what we do at Singular Key. We are committed to being open about how we approach privacy and communicate that in a way that is easy for you to understand. We respect individuals’ privacy and only the personal information we need, and “pseudonymize” or get rid of what we don’t. We factor security into everything we do since our founding we engineer privacy into our ideas and products.
NOTICE TO END USERS
In general, our Services are intended for use by Organizations, administered to you by your Organization, and subject to your Organization’s policies, if any. This means that in most cases we are collecting and processing your personal information on behalf of your Organization. In these cases, we are generally acting as a processor of your personal information, processing the information according to your Organization’s instructions, because your Organization is the controller. It is primarily your Organization, as the controller, that controls what personal information about you we collect and how we use it. If you have privacy-related questions or concerns about your Organization’s privacy practices or the choices your Organization has made to share your information with us or any other third party, you should reach out to your Organization’s Administrator or see your Organization’s privacy policies. Singular Key is not responsible for the privacy or security practices of our Customers, which may differ from those set forth in this Policy.
We encourage you to read this entire Policy carefully to help ensure you are fully informed about privacy as it relates to our Services.
WHAT WE COLLECT
We get information about you in a range of ways and recognize that personal information is defined slightly differently across the world. At Singular Key, we define it as any information that could be used to identify you or another individual. This broad definition enables us to better respect your privacy.
The personal information that we collect about you broadly falls into three categories
- Information that is provided by End-User or Organization: Your Organization’s Administrator or you may provide personal information to us through the Services. This may be done, for example, when you are signed up for and use the Services when you consult with our customer support team or you send us an email or communicate with us in any way. We will generally let your Organization’s Administrator or you know prior to collecting your personal information whether the information we are collecting may be provided on a voluntary basis and the consequences, if any, of not providing it.
End-Users: When setting up an account for our Services, your Organization’s Administrator (or you, if you use Singular Key App) will be asked to provide certain basic information about you such as:
- email address
- telephone number
We also collect your Organization’s name and assign you a related account name.
If you ever communicate directly with us, we will maintain a record of those communications and responses.
Organization Administrators: We generally ask for more information about Organization Administrators in order to provide the Services and help manage the Organization’s Account. We ask Organization Administrators to provide the following information about themselves:
- email address
- billing and delivery address
- telephone number
- job title
- Organization name
- information about other Organization Administrators working on related projects
In addition, if you purchase our Services either as an Organization Administrator or on your own behalf, you will need to share payment and billing information such as your credit card details and billing address, and we will maintain a record of your purchases and transactional information.
Credit Card Information
Credit cards, debit cards or other means may be used to pay for our Services. We do not collect this credit card, debit card or personal financial account information. Instead, we use a third party service provider, currently Stripe, Inc., to process our subscription billing. If you provide payment information to pay for the Services, you provide it directly to Stripe, and not to Singular Key. You will automatically be routed to the Stripe website to provide the information Stripe requires to process your transaction. Stripe is a third party vendor and has its own privacy statements. This Policy does not cover information collected by Stripe and Singular Key is not covered by or responsible for Stripe’s privacy practices or statements. To learn about Stripe’s privacy practices, please visit https://stripe.com/us/privacy/
- Information we collect automatically: When you use the Services, we automatically log certain information about your device and how you interact with our Services. We do this to help us provide the Services, and to ensure that we are providing our customers and you the best experiences with our Services. From time to time, we may need to associate the data we automatically collect with other personal information we have collected about you to confirm you as an End User and to check the security of your device
The information we automatically collect through the Services includes:
Device information, such as: device attributes (for example: hardware model; operating system; web browser version; as well as unique device identifiers and characteristics, including if your device is “jailbroken,” if you have a screen lock in place and if your device settings have notifications enabled), connection information (for example, name of your mobile operator or Internet Service Provider, browser type, language and time zone, and mobile phone number); and device locations (for example, internet protocol (IP) addresses and Wi-Fi).
Log data, this includes information that your browser sends whenever you visit a website, included one of ours, or that your Singular Key mobile app sends whenever you are using it. This log data may include how you access the Services (including the device-specific information discussed above and type of integration – in other words, the application – being protected), the dates and times you access the Services, where you access the Services from (by IP address) and device event information such as crashes, system activity, and hardware settings.
Services usage data, such as administrative and support communications with us and information about the features, content, and links you interact with, and what third-party integrations you use, if any.
Cookies. We may log information using cookies and other similar tracking technologies like web beacons (collectively “Cookies”) Cookies are small data files stored on your hard drive by a website. We may use both session Cookies (which expire once you close your web browser) and persistent Cookies (which stay on your computer until you delete them) to provide you with more personal and interactive experience with our Services. We also use “web beacons” to help deliver cookies and gather usage and performance data. Our websites may include web beacons, cookies, or similar technologies from third-party service providers.
This type of information is collected to make the Services more useful to you and to tailor the experience with us to meet your special interests and needs.
You have a variety of tools to control the data collected by cookies, web beacons, and similar technologies.
- Information we process on behalf of your Organization: When your Organization or your Organization Administrator upload, input or generate personal information in the Services about you (their End Users), we will typically act as a processor and process such personal information on behalf of your Organization and our privacy practices will be governed by the contract we have in place with your Organization. This Policy will not apply to such personal information.
USE OF PERSONAL INFORMATION
We use your personal information to provide our Service and operate our business as follows:
- To operate, maintain, and improve our sites, products, and services.
- To manage your Organization’s or your account with us, including for billing purposes as well as for our customer relationship management which includes response to comments and questions and provides customer service.
- To send information including confirmations, invoices, technical notices, updates, security alerts, and support and administrative messages.
- To communicate about promotions, upcoming events, and other news about products and services offered by us and our selected partners.
- To protect, investigate, and deter against fraudulent, unauthorized, or illegal activity.
- We use your personal information to provide and deliver products and services customers request.
- To analyze your use of the Services in order to ensure the technical functionality of our products, technology and Services, and to research and develop new products and services.
- To conduct aggregate statistical analysis with “Performance Data.” Performance Data includes aggregate, pseudonymized (i.e., data that cannot be attributed to an individual without additional information) usage data and other aggregate measures of the Services’ performance. We may share aggregated, pseudonymized Performance Data with third parties to help us better understand our customers’ needs and improve the Services.
- To perform other activities consistent with this Policy.
SHARING OF PERSONAL INFORMATION
We may share the personal information described in this Policy with others. We generally do this where it is necessary to complete a transaction, to provide our Services to your Organization or you, where your Organization or you have requested or authorized us to do so, with your consent (where applicable), or as otherwise permitted or required by applicable law. We may share personal information as follows:
- We may share personal information with your consent. For example, you may let us share personal information with others for their own marketing uses. Those uses will be subject to their privacy policies.
- We may share personal information when we do a business deal, or negotiate a business deal, involving the sale or transfer of all or a part of our business or assets. These deals can include any merger, financing, acquisition, or bankruptcy transaction or proceeding.
- We may share personal information for legal, protection, and safety purposes.
- We may share information to comply with laws.
- We may share information to respond to lawful requests and legal processes.
- We may share information in an emergency. This includes protecting the safety of our employees and agents, our customers, or any person.
- We may share information with those who need it to do work for us.
We may also share aggregated and/or anonymized data with others for their own uses.
SECURING YOUR INFORMATION
Security is what we do, and we take the security of the personal information we have about you very seriously. We use appropriate administrative, organizational, technical and physical safeguards that are designed to protect the personal information we collect and process about you. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal information and to help ensure that your data is safe, secure, and only available to you and to those with authorized access (as decided by your Organization Administrator or you, as appropriate). However, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so you should take care in deciding what information you send us in this way.
INTERNATIONAL DATA TRANSFERS
We are headquartered in the United States and operate internationally. Therefore, you should be aware that we may transfer or process your personal information in countries other than the country in which you are a resident. These countries may have data protection laws that are different than the laws of your country, and in some cases may not be as protective.
Specifically, our Website servers are located in the United States, and our group companies and third party service providers, including Amazon Web Services (“AWS”) and partners, operate in the United States and in other countries around the world. This means that when we collect your personal information we may process it in any number of places around the world.
Wherever your personal information is transferred, stored or processed by us, we will take reasonable steps to safeguard the privacy of your personal information as indicated in this Policy. Additionally, when using or disclosing personal information transferred from the European Economic Area, we use standard contractual clauses approved by the European Commission, adopt other means under applicable law for ensuring adequate safeguards or obtain your consent.
If you would like a copy of our standard contractual clauses or more information on the appropriate safeguards we have implemented with our third party service providers and partners, please reach out to us using the details provided under the “Contact Information” section of this Policy.
HOW LONG DO WE STORE PERSONAL INFORMATION?
We only keep your personal information for as long as we have an ongoing legitimate business need to do so (for example, to fulfil the purposes outlined in this Policy, to provide the Services or to comply with legal, tax or accounting requirements, to enforce our agreements or to comply with our legal obligations).
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it. If this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
LEGAL BASIS FOR DATA PROCESSING (EUROPEAN ECONOMIC AREA USERS ONLY)
If you are a user from the European Economic Area, where we are collecting your personal information as a controller, our legal basis for doing so will depend on the personal information concerned and the specific context in which we collect it. However, as it relates to our Services, we will normally collect personal information from you only where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms, or where we need the personal information to perform a contract with you if you have signed up for the Services on your own behalf. In some cases, we may also have a legal obligation to collect personal information from you.
If we ask you to provide personal information to comply with a legal requirement or to enter into a contract, we will make this clear at the relevant time and let you know if the personal information is mandatory or not (as well the possible consequences if you do not provide it). Similarly, if we collect and use your personal information in reliance on our legitimate interests (or those of any third party) that are not referred to in this Policy, we will make it clear to you at the relevant time what those legitimate interests are. Typically, our legitimate interests include improving, maintaining, developing and enhancing our technology, products, services, ensuring the security of the Services and for our marketing purposes.
If you have questions or need further information about the legal basis we rely on to collect and use your personal information, please reach out to us using the details provided under the “Contact Information” section of this Policy.
END USER INFORMATION CHOICES AND CHANGES
Our marketing emails tell you how to “opt-out.” If you opt out, we may still send you non-marketing emails. Non-marketing emails include emails about your accounts and our business dealings with you.
You may send requests about personal information to our Contact Information below. You can request to change contact choices, opt-out of our sharing with others, and update your personal information.
You can typically remove and reject cookies from our Services with your browser settings. Many browsers are set to accept cookies until you change your settings. If you remove or reject our cookies, it could affect how our Services works for you.
As we noted in the “Notice to end users” section of this Policy, for much of the personal information we collect and process through the Services, Singular Key acts as a processor for its Customers, the Organization. If you would like to exercise data protection rights for this personal information – including your rights to access, correct, or delete such data – you should contact your Organization directly and it will deal with your request. Where required, we may provide assistance to the Organization.
However, in those cases where we are the controller, we provide ways for you to exercise certain rights, controls and choices.
Where we are a controller of your personal information, you have the following rights, controls and choices:
- You can access, review, change, update or delete your personal information at any time. Please note that we may impose a small fee for access and disclosure of your personal information where permitted under applicable law, which will be communicated to you. We do not charge you to update or remove your personal information.
- If you are resident in the European Economic Area, you can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information.
- If we have collected and processed your Personal Information with your consent, then you can withdraw your consent at any time. Please note, though, that withdrawing your consent will not impact the lawfulness of any processing we conducted before you withdrew your consent, nor will it impact the processing of your personal information we conducted in reliance on lawful processing grounds other than consent.
- You have the right to complain to a data protection authority about our collection and use of your personal information. Contact details for data protection authorities in the European Economic Area, Switzerland and certain non-European countries (including the US and Canada) are available here.)
In addition, many of our products and features contain settings that allow Organizations or Organization Administrators or End Users to control how information is collected. Please see the relevant product documentation or contact us through the appropriate technical support channel for assistance.
If you would like to exercise any of your rights relating to your personal information, please start by contacting us using the contact details provided under the “Contact Information” section of this Policy.
We respond to all requests we receive from individuals wishing to exercise their data protection rights under applicable data protection laws. To protect your privacy and security, we take reasonable steps to verify your identity before granting you account access or making corrections to your personal information.
The Services are neither intended for nor directed to individuals that are deemed to be children under applicable data protection or privacy laws, and we do not knowingly collect personal data from a child below the age of sixteen (16), or the equivalent minimum age in the relevant jurisdiction, without parental consent. We encourage parents (or guardian) to take an active role in a child’s online activities and interests while using our Services. If you are a child, please seek parental consent before your use of our Services. You may submit your personal data with parental (or guardian’s) consent to us only.
In the event of a conflict, the English language version shall govern.