Platform privacy policy
What happens when you use our platform and services
We're Egress Software Technologies Limited, part of the Egress Software Technologies Group. More information about our group can be found at www.egress.com/about.
Your information will be held by us for and on behalf of us and our group companies, and this policy sets out how we and they will look after information that you give us, or that we get from other sources, or learn about you through our relationship with you when you use our services.
Below you can find details of:
- the information we collect and how we get it
- how we use that information
- who we may share it with and why
- where we may transfer and process it
- what you need to do if you provide information to us about others
If you have any questions we’d be happy to answer them, just get in touch at DPO@egress.com.
This Service Privacy Policy was last updated on 31 October 2019.
The way we talk about the information we collect
|
CRM Information |
The database, logs and other collections of information about you (and, if you’re a business, your users) that is provided to us by you, your users, or that we obtain in connection with:
|
|
Content |
Data, text, audio, video, images and other materials transferred, stored, shared or hosted on or through the services by you and third parties. It does not include CRM Information or System Data. |
|
System Data |
(i) Usage statistics, system logs, performance and security data, feedback data, records of support requests, and aggregated data about how our sites, services and apps are used (e.g. performance counters, access logs, metrics, associated metadata, unique identifiers for devices, technical information about the devices you use, the network, operating system and browser).(ii) data identified as malicious (e.g. malware infections, cyberattacks, unsuccessful security incidents, or other threats). This may contain limited CRM Information where it appears, for example, in log records but excludes Smart Data. |
|
Smart Data |
The record of individual user email behaviour and associations formed from the machine learning and artificial intelligence led processing, collection and analysis of email metadata (e.g. date and time, sender and recipient email addresses, and other unique message identifiers) and other domain, location and ‘trust’ data. It doesn’t include CRM Information and System Data.. |
The information we collect and how we get it
We collect information about you in a number of ways. We may combine the information that we receive from these various sources as set out further below where we explain how we use this information.
|
From |
How we obtain or receive it |
Examples of the types of information |
|
You |
|
|
|
Third-parties |
|
|
|
Microsoft or Google |
|
|
|
General use of our services |
|
|
|
Risk-based Protection and Email Encryption |
|
|
|
IP address |
|
|
How we use the data that we collect
We use the CRM Information, Smart Data, Content and System Data in each of the following ways.
Relationship management
|
What we use it for |
Our reasons |
Our lawful basis where you’re an individual |
Our lawful basis where you’re a business |
Information type |
||||||||||||||||
|
Manage, track and develop our relationship with you and your employer or organisation |
|
|||||||||||||||||||
Delivery of requested services
|
What we use it for |
Our reasons |
Our lawful basis where you’re an individual |
Our lawful basis where you’re a business |
Information type |
|
Provide the service access and support to you |
To ensure that we meet our contractual obligations to you. |
Performance of contract |
Legitimate interests |
CRM Information, System Data, Content, Smart Data |
|
Provide guidance on our services |
This could include responding to pre-contract questions, and also dealing with support or service questions during our contract with you. |
Performance of contract |
Legitimate interests |
CRM Information, System Data, Content, Smart Data |
|
Respond to and resolve complaints, queries, requests and support tickets |
To respond to your queries, complaints and to ensure that you’re able to use our platform and services appropriately. This may involve the recording of calls that you make to our support desks or sales teams for training and monitoring purposes. We use a ‘follow-the-sun’ support structure which means that calls may be recorded outside the country you’re located in depending on the time of your call and the support staff responding. Processing of Content may be required for resolving some support tickets. |
Legitimate interests |
Legitimate interests |
CRM Information, System Data, Content, Smart Data |
|
Ensure our services are functioning properly |
To ensure that we can provide the services that we’re contracted to provide. This may include both automated and manual processing (but not automated decision making in the context of the Data Protection laws in the UK). |
Legitimate interests, Performance of contract |
Legitimate interests |
CRM Information, System Data, Content, Smart Data |
|
Alert you to issues or updates to your services |
To ensure that you’re presented with relevant messaging based on the access and services that you’ve purchased from us and our group. |
Legitimate interests |
Legitimate interests |
CRM Information, System Data, Content, Smart Data |
|
Scan meta data to provide you with feedback on the interactions you are about to make, to apply Risk-Based Protection or to decrypt using Smart Authentication, or to encrypt or unencrypt email traffic and Content |
To provide our Risk-based Protection, Smart Authentication and secure email services. Risk-based Protection and Smart Authentication use certain Smart Data in order to understand your, and any of your users’, behaviour and associations. Secure email requires the processing to meet the encryption and decryption obligations where you’ve requested this service. |
Performance of contract |
Legitimate interests |
CRM Information, System Data, Content, Smart Data |
|
Enable third party plug-ins you request |
To integrate with and respond to third party plug-ins in order to provide the requested services. |
Performance of contract |
Legitimate interests |
CRM Information, System Data, Content, Smart Data |
|
Service Information by electronic means |
We may send, or otherwise display, to you information about the services you receive from us (e.g. how you use them, how you could do so more efficiently, faults, issues, updates or notices of times when they’ll not be available). |
Performance of contract |
Legitimate interests |
CRM Information, System Data, Smart Data |
Delivering on contractual obligations and exercising rights
|
What we use it for |
Our reasons |
Our lawful basis where you’re an individual |
Our lawful basis where you’re a business |
Information type |
||||||||
|
Make and manage payments made by, or due to, you |
Processing to achieve this purpose may take place both pre and post contract agreement (e.g. initial subscription payment and renewals). |
Performance of contract, Legitimate Interests |
Legitimate interests |
CRM Information, System Data |
||||||||
|
Meet and perform our audit obligations |
|
|||||||||||
|
Recover money owed to us or other companies in our group |
To ensure that payments are both made and timely. |
Legitimate Interests |
Legitimate Interests |
CRM Information |
||||||||
|
Responding to and actioning any request by you in exercising your legal rights in relation to your personal data |
Processing may be required to provide confirmation of information to you (e.g. if you make a data subject access or data portability request) or in order to action a request that you make (e.g. correction, deletion, erasure or restriction). |
Legitimate interests, Legal obligation |
Legitimate Interests |
CRM Information, System Data, Smart Data, Content |
||||||||
|
Exercising our rights |
We may need to process certain information (including personal data) in order to exercise or enforce our rights under our agreement with you (including this and any other relevant policies). |
Legitimate interests, Legal obligation |
Legitimate Interests, Legal obligation |
CRM Information, System Data |
||||||||
Legal and regulatory risk management
|
What we use it for |
Our reasons |
Our lawful basis where you’re an individual |
Our lawful basis where you’re a business |
Information type |
|
Detect and prevent crime |
To ensure that we and our group can both detect and report criminal activity. |
Legitimate Interests |
Legitimate interests |
CRM Information, System Data, Smart Data |
|
Manage risk for us, our group and our customers |
To ensure that we and our group can manage legal and regulatory risk and do so in the most appropriate and compliant manner. |
Legitimate Interests, Legal obligation |
Legitimate interests |
CRM Information, System Data, Smart Data |
|
Obey our or our group’s legal obligations |
To ensure that we and our group can manage legal and regulatory risk and requests in the most appropriate and compliant manner. This may include adapting the way we and our group operates or engages to meet new or future obligations. |
Legitimate Interests, Legal obligation |
Legitimate interests, Legal obligation |
CRM Information, System Data, Smart Data |
|
Keep our records accurate and up-to-date |
Processing to ensure we meet our obligations in respect of data accuracy (this may include acting in response to your notifications). |
Legitimate Interests, Legal obligation |
Legitimate interests, Legal obligation |
CRM Information |
|
Run our and our group’s businesses in an efficient and proper way |
We use shared systems, activities, suppliers and sub-processors in order to help manage legal and regulatory risk within our group, and to operate in a way that ensures quality, consistency and security of service delivery. |
Legitimate Interests |
Legitimate interests |
CRM Information, System Data, Smart Data |
Innovation and system development
|
What we use it for |
Our reasons |
Our lawful basis where you’re an individual |
Our lawful basis where you’re a business |
Information type |
|
Develop new systems, features, functionality and ways to meet customer needs |
We have a legitimate interest to understand how our services are used, and to look at areas where customer needs could be met either as new functionality, or in improved ways. |
Legitimate Interests |
Legitimate interests |
CRM Information, System Data, Smart Data |
|
Study how customers and users use our services |
We have a legitimate interest to understand how our services are used, and how customers benefit from the services that we provide to them. |
Legitimate Interests |
Legitimate interests |
CRM Information, System Data, Smart Data |
|
Test new products and services |
We have a legitimate interest in ensuring that prior to being launched, products and services operate in a secure and efficient manner. |
Legitimate Interests |
Legitimate interests |
CRM Information, System Data, Smart Data |
|
Show you the right websites |
To ensure that you enter into any contractual relationship with the right company in our group. This also enables us to present content relevant to that jurisdiction where appropriate. |
Legitimate Interests |
Legitimate interests |
CRM Information, System Data, IP address |
|
To create anonymous reports and statistics |
We have a legitimate interest in understanding market risks, trends and activities and, where relevant, utilising the anonymous insights that we can gain from our services in the provision of both internal and publicly available reports, blogs and other communications. |
Legitimate Interests |
Legitimate interests |
CRM Information, System Data, Smart Data |
Marketing and promotion
|
What we use it for |
Our reasons |
Our lawful basis where you’re an individual |
Our lawful basis where you’re a business |
Information type |
|
To develop and carry out marketing activities |
We have a legitimate interest to conduct marketing, promotional and other advertising activities in order to grow our brand, and the awareness of our products and services. We may use information that we source from third-party data providers to contact you where this is permitted by law. We may also use information we collect about the domain of your email address (e.g. about your employer or organisation, it’s sector/industry) or that we can relate back to you (e.g. through cookies) about the products you’re interested in to tailor our communications and make them more relevant to you. When you download a whitepaper through our website, the information you provide may be initially stored in the US or Singapore before being transferred to us if those countries are closer to you than the EEA or UK. |
Legitimate Interests, Consent |
Legitimate interests |
CRM Information, System Data |
|
To enable your participation in competitions and promotions |
Where you’ve elected to take part, we will process your information in order to enable you to participate. |
Consent |
N/A |
CRM Information, System Data |
We may use information that we hold about you (or if you’re a business, your users) to send information about our and our group companies’ products and services. This may be by email or other electronic means available to us in the future. We may use other information available to us in order to tailor our communications. If you’re an individual in most circumstances we’ll only do this if we have your consent but there may be some situations where we have a legitimate interest in doing so (e.g. where you complete a purchase through our online ecommerce platform).
If you’ve given your consent, you can withdraw this at any time, or if we’re reliant on our legitimate interests for sending you marketing you can object. In either case, just let us know using the details at www.egress.com/legal/your-rights.
Free user account information
If you have a free user account with us and the domain of the email address associated with it is owned or controlled by an organisation (like your employer) then:
- we may share details of the email address associated with your account with that organisation (either as a result of a request we receive or as part of discussions with it relating to a potential purchase)
- if that organisation subsequently establishes a relationship with us and wishes to add your account to its own business account, then we’ll transfer your account into its business account and certain information concerning your free user account and your past use of it may become accessible to that organisation and its administrator
If you provide us with information about others
If you or your business provide information to us about another person, or if you or your business send their information or Content using our services, you must make sure you have the right and permission to do so. We’re reliant on this in order to receive and process the information you or your business provide. By providing it, you confirm that you do.
Where you use Risk-based Protection, or where you correspond with an individual or business that does so, your emails and their associated metadata may be routinely monitored to protect against the risk of misaddressed emails and to improve the accuracy of those decisions. This may include the processing of certain Smart Data about you (e.g. domain characteristics, the strength of your association with the sender) by our Smart Authentication service following your receipt of a secure email to determine the level of access that you may be able to have to that Content without registering for an account with us.
Who we may share your information with, and sending information outside the country you’re located in
Details of the sub-contractors used in the provision of our services can be found through the sub-contractor page. We share your information with these third-parties to help with our business activities and delivery of our services. They are only authorised to use your personal information as necessary to provide the services to us that we request from them and must abide by data privacy and security obligations set out in applicable law.
|
Who we may share your information with |
Our reasons |
Our lawful basis where you’re an individual |
Our lawful basis where you’re a business |
Information type |
Data residency |
|
Microsoft |
If you use Microsoft Office Online to edit documents within Egress Workspace, please be aware of how your Content is processed by Microsoft when using this tool. More details can be found here. |
Performance of contract – we action your request to utilise your chosen method of editing documents within Secure Workspace. You can change your election within your account settings |
Legitimate Interests |
Content |
Variable based on Microsoft policy |
|
Salesforce, Inc. |
Our Group’s CRM platform, used by our group companies for customer relationship management services. |
Legitimate Interests |
Legitimate Interests |
CRM Information |
EEA |
|
Egress Group companies |
We use shared systems (such as our CRM platform, account systems and other internal platforms and processes) in order to operate our group effectively. Your information may be stored on these shared systems and therefore be accessible to other companies within our group. |
Legitimate Interests |
Legitimate Interests |
CRM Information, System Data, Smart Data |
Generally hosted within EEA but may be transferred within the Group |
|
Host providers |
If you subscribe to our services, we’ll host your Content on one or more of the providers listed on our website. Your Content will remain encrypted and these providers will not have access to it. |
Performance of contract, Legitimate Interests |
Legitimate Interests |
CRM Information, System Data, Content, Smart Data |
Generally EEA. US hosting may be available through agreement. |
|
Zendesk, Inc. |
Provides our support service system (including support ticket system and online chat service). |
Legitimate Interests |
Legitimate Interests |
CRM Information, data that you provide as part of your support ticket (we ask that this is kept to the minimum necessary and that you don’t include Content) |
EEA |
|
CalliTech Limited (trading as MoneyPenny) |
Provide overflow support call services, and transfer out-of-hours support calls to our engineers. |
Legitimate Interests |
Legitimate Interests |
CRM Information |
UK |
|
Zoom Video Communications, Inc. |
Provide our webinars, conference calls and remote access to your device (if that is required) are provided by this entity. You’re able to determine if these are used (i.e. by accepting an invite to attend a webinar, conference call or by accepting our request to access your device – although this is rare). |
Legitimate Interests, Consent |
Legitimate Interests |
CRM Information |
United States |
|
Marketo, Inc. |
Assist in data collection and the sending out of marketing correspondence (therefore only relevant where you’ve consented to receiving this material). We also use a cookie provided by Marketo, Inc. Please see our Cookie Policy for more information. |
Legitimate Interests |
Legitimate Interests |
CRM Information |
EEA |
|
The IT Service Limited |
May be involved in providing training services to you where you purchase these from us. |
Legitimate Interests, Performance of Contract |
Legitimate Interests |
CRM Information |
UK |
|
Twilio, Inc. |
Provide the SMS service that may be used for two factor authentication or password resets when you use our services. |
Legitimate Interests |
Legitimate Interests |
Limited CRM Information |
United States |
|
MailGun Technologies, Inc. |
Provide mail delivery services in relation to Secure Workspace, Webforms and eDiscovery & Analytics |
Legitimate Interests |
Legitimate Interests |
CRM Information, System Data |
United States |
|
Law enforcement |
We reserve the right to disclose information in order to comply with national, EU or Member State law to which we’re subject, including to meet national security and law enforcement requirements. You can find out more on our approach here. |
Legitimate Interests |
Legitimate Interests |
CRM Information, System Data, Content, Smart Data |
Variable depending on the nature of the request |
Where any transfer outside of the country or region that you’re located in (e.g. the European Economic Area (EEA), the United States or the UK) occurs, we’ll ensure that any such transfer or processing is subject to appropriate legal and technical safeguards with our sub-processors in line with local law requirements.
Content: Your Content will be stored on secure servers in the UK, the European Economic Area or the United States, depending on your location, onboarding choice and the service(s) that you are subscribing to. You acknowledge that our services are software-as-a-service and so you, your users and recipients may access Content outside the country you’re located in or the Content is hosted in (e.g. by logging into an account anywhere in the world). Where this happens, Content may be processed by you, your user or the recipient on the device used wherever that is located. Where a recipient responds to a secure email that you have sent to them, the Content they create in responding to you will be stored in the jurisdiction that they have selected (which may not be the same as you). In each case, we’ll facilitate this processing for the purpose of performing our contract with you or a relevant recipient or user (where you’re an individual) or for our legitimate interests in providing the requested services to you (where you’re a business).
Your Content may be shared with third parties as directed by you through your use of the features of our services. We may share Content (in encrypted format) with other companies in our group and authorised subprocessors where they provide part of the services that you have purchased from us.
If you are a free user or subscribe to our services online, your Content will be stored on secure servers in the UK and/or the European Economic Area.
Transfer of Rights: We reserve the right to transfer our obligations, rights and permissions in CRM Information, System Data, Smart Data and Content to any organisation to which we may transfer our business or assets (including if we, or a relevant part of us or our assets, are proposed to be purchased or acquired by a third party).
Selling your information: We will not, and do not, sell or rent your information to third-parties for: (i) valuable consideration (as defined in the California Consumer Privacy Act) or for their direct marketing purposes; or (ii) monetary consideration for the person to license or sell it to additional persons (as defined in Nevada Senate Bill 220). Your information may be shared with third parties as set out above for our business purposes, including the provision of services to you and/or your organisation or employer.
What we need you to do
We need to make sure that the information that we hold about you (and if you’re a business, your users) is accurate, up-to-date and still relevant. As a result, we need you to tell us promptly if there are any changes to the information that you (or they) have provided by letting us know at DPO@egress.com.
You must ensure that you always have (and if you’re a business, that your users always have) a lawful reason under applicable law for the processing of your Content and any third party email address through your use of our services, and you must comply with all applicable law in respect of how you use it.
How long we'll keep your and your users information for
We’ll keep CRM Information, Content, System Data and Smart Data in accordance with our data retention policies available at www.egress.com/legal including to maintain records required for legal or regulatory reasons, to show that we complied with our contractual obligations, to respond to any complaints or queries, and for research and statistical purposes.
Your rights as an individual
As an individual, you may have certain rights by law in respect of the personal data that we hold about you. These rights may not always apply as your location and the basis on which we’re processing your personal data may affect their availability. You can find out more information about them and our Data Protection Officer at www.egress.com/legal/your-rights
If you no longer wish to receive direct marketing emails from us, you may opt out of receiving these emails by clicking on the Unsubscribe link at the bottom of any marketing email you receive. We are looking to introduce tools to help you manage your marketing preferences with us (e.g. if you’d still like to receive information, but only on certain topics). Once this is available, you’ll find links to it at the bottom of emails as well.
If you ever have a complaint relating to the delivery of our services, or our processing of your personal information, you can find details on how to raise this in our Complaints Policy at www.egress.com/legal.
Privacy Shield
We participate in the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks and have self-certified to the U.S. Department of Commerce our adherence to the Privacy Shield Principles for all personal information received from countries in the European Economic Area, Switzerland, and the United Kingdom in reliance on the Privacy Shield. To learn more about Privacy Shield, visit the Privacy Shield website at www.privacyshield.gov/list.
Under Privacy Shield, we are responsible for the processing of personal information we receive and subsequently transfer to a third party acting for or on our behalf. We are liable for ensuring that the third parties we engage support our Privacy Shield commitments. The U.S. Federal Trade Commission has regulatory enforcement authority over our processing of personal information received or transferred pursuant to Privacy Shield. We commit to cooperate and comply with the advice of the regulatory authorities to whom you may raise a concern about our processing of personal information about you pursuant to Privacy Shield, including to the panel established by the EU authorities and the Swiss FDPIC. This is provided at no cost to you.
If you don’t feel that we’ve resolved your complaint or concern satisfactorily you can contact our U.S. based third-party dispute provider (free or charge) at https://feedback-form.truste.com/watchdog/request. Under certain conditions, more fully described on the Privacy Shield website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
Cookies
To find out more about cookies and how we use them, see www.egress.com/cookies. If you live in California, we need to let you know that some web browsers may transmit “do-not-track” signals to the websites and online services you communicate with. Whilst there is no industry standard that governs what, if anything, we should do if we receive such a signal, our website will not set cookies if you have your browser set to ‘Do not track’.
Changes to this policy
We can change this policy from time to time. You (and, if you’re a business, your users) should check this page periodically to make sure that you, or they, have read our most recent policy. When we do make changes, we’ll change the date at the top of this document. If we make material changes regarding our privacy practices, we may in some instances require you and/or your users to read and accept any changes before continuing to use their account.
About us and applicable law
We're the Egress Software Technologies Group. You can find out more details about us at www.egress.com/about and you can contact us at info@egress.com. When contacting us we strongly recommend you don't email us confidential or personal information. If you do, it's at your own risk although the terms of this policy will apply to our use of that information.
|
Where you’re resident |
Who we are |
Governing law |
Courts with exclusive jurisdiction |
Special terms |
|
North America |
Egress Software Technologies, Inc. |
State of Delaware (without regard to its conflict of law principles) |
State or federal courts in and for Boston, Massachusetts |
Where applicable, each of us hereby waives its respective rights to a jury trial of any claim or cause of action relating to or arising out of this policy. This waiver is intended to encompass all disputes that may be filed in any court and that relate to the subject matter of this policy (including contract, tort, breach of duty and all other common law and statutory claims). |
|
Netherlands, Belgium and Luxembourg |
Egress Software Technologies Limited. |
Dutch Law |
NCC District Court and NCC Court of Appeal Chamber |
All proceedings will be in English. In the event that the NCC District Court and/or the NCC Court of Appeal Chamber are incompetent for any reason, the Courts of Amsterdam, The Netherlands shall have exclusive jurisdiction. |
|
Rest of World |
Egress Software Technologies Limited. |
England and Wales (except if you’re a consumer resident of Northern Ireland or Scotland when you may bring proceedings there) |
Courts of England and Wales (except if you’re a consumer resident of Northern Ireland or Scotland and have brought proceedings there when the Northern Irish or Scottish Courts will have jurisdiction) |
N/A |
EU Representative
If the United Kingdom leaves the European Union and/or the European Economic Area: (i) without a deal; or (ii) with a deal that does not remove any obligation on Us to appoint a representative within the European Union in accordance with Article 27 of the General Data Protection Regulation, Egress Software Technologies Limited (a foreign company registered on the Dutch Chamber of Commerce) further identified in the section above is our EU representative.