Privacy Policy


Last Updated: 18 March 2025

This privacy policy explains the types of personal data that we may collect about visitors to our website, those who subscribe to our services, users of apps that embed the Approov mobile protection service, and job applicants. It covers how that personal data may be used, who we share it with and the rights you have in relation to that information. We are committed to protecting your personal data and to being transparent about the types of information that we hold.

We comply with applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) 2018. For international data transfers, we rely on the Data Privacy Framework for certified service providers or Standard Contractual Clauses to ensure the protection of personal data when exported outside the EEA to countries not deemed by the European Commission to provide adequate data protection.

Who We Are and How to Contact Us

The websites (https://www.approov.io and https://www.criticalblue.com), Approov branding, and associated digital properties belong to Approov Limited (Company registered in Scotland, No. SC224237). Approov Limited are responsible for and control the processing of your personal data unless stated otherwise.

If you have any questions or concerns regarding this privacy notice, please contact us:

Email: privacy@approov.io

Post: Chief Information Security Officer, Approov Limited, 181 The Pleasance, Edinburgh, EH8 9RU, United Kingdom.

How and Why We Collect and Process Personal Data

This section explains:

  • the ways in which we collect your personal data
  • the purpose for processing your personal data, and
  • the lawful basis that we rely on for processing your personal data (we can only process your personal data if we have a lawful basis for doing so)

We work with several third parties to provide and improve our services. These third-party services help us process your data for various purposes such as optimising our website, managing customer subscriptions, processing payments, scheduling meetings, and hosting events. The third-party services we use include:

  • Google Analytics: We use Google Analytics to collect standard log data and behaviour patterns for visitors to our website. IP addresses are anonymized to prevent storage of full IP address information. Individuals cannot be identified from this information alone. Details on how you can control the information collected by Google from websites or apps that use their services can be found here. To opt out of Google Analytics you can use a browser add-on; more information can be found here.
  • Lead Forensics: Lead Forensics identifies business visitors by tracking IP addresses and analyzing publicly available business data; individual users are not identified. We use it to help us generate B2B leads and analyze website interactions. More information on Lead Forensics’ Privacy Policy can be found here.
  • HubSpot: HubSpot is our Customer Relationship Management (CRM) system. We use this to help us manage website content, track visitor behavior, handle meeting scheduling, store event registration data, and manage customer interactions. HubSpot ensures GDPR compliance, and you can review their privacy policy here.
  • Zoom: We may use Zoom to host meetings and webinars. When you participate, Zoom collects data such as your name, email address, device details, and other participation data. This data is processed in accordance with Zoom’s Privacy Policy.
  • Opsgenie: Opsgenie is used for managing on-call support notifications. When a technical support request is submitted, data is sent to Opsgenie and they process this data in accordance with their privacy policy.
  • Chargebee: We may use Chargebee to manage paid subscriptions and recurring payments. If you subscribe to Approov services, Chargebee collects your contact and billing information directly on our behalf. Chargebee securely stores your contact information in line with their privacy policy. Chargebee does not store or have access to your full payment card details.
  • Stripe: We may use Stripe to process your payment information via a secure payment gateway. Stripe handles your full payment card details and processes them in accordance with their privacy policy. We do not store or have access to your complete payment card information.
  • LinkedIn Insights Tag: We use the LinkedIn Insights Tag, an analytics and retargeting service provided by LinkedIn Ireland, to better understand our audience and help promote our business. The tag collects information on how visitors interact with our website, which helps us improve our marketing efforts and deliver more relevant content to you. LinkedIn processes this data in accordance with their privacy policy.

Personal Data That We May Collect

We may collect and process the following types of data when you interact with our services:

  • Website Usage Data: Information about your interactions with our website, including pages visited, session duration, and navigation patterns, collected via cookies, server logs, and analytics tools.
  • Contact Information: Information you provide when scheduling meetings, registering for webinars, or filling out forms, such as name and job title, email address, address, telephone and mobile number.
  • Billing and Payment Information: Data required for billing and payment processing when subscribing to our services. This data is processed securely via Chargebee and Stripe.
  • Biographical Information: Information provided when applying for a job, including your CV, education, and employment history.
  • Web Server Logs: Data logged when you visit our website, such as IP addresses, browser types, referral pages, and timestamps. Individuals cannot be identified from this information alone. This data is collected by our website hosting providers, AWS and HubSpot.
  • Support Requests: Information you provide when submitting a technical support request, including your contact details and the nature of the issue.

We do not knowingly collect or process any special category data. Special category data is data that is more sensitive, e.g. information about an individual's race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life or sexual orientation.

How And Why We Collect and Process Your Personal Data

We process your data for the following purposes:

  • Service Delivery: To manage and administer accounts and process payments.
  • Marketing and Communication: To send promotional emails, event reminders, and follow-ups.
  • Business Development: To generate B2B leads, schedule meetings and tailor communications.
  • Website Optimization: To monitor website traffic and user behaviour for performance improvements.
  • On-Call Management: To manage technical support requests and on-call incidents.
  • Recruitment: To process job applications.
  • Event Management: To manage webinar registrations, attendance, and post-event communications.

Legal Basis for Processing

The lawful bases that we rely on to process your personal data are:

Consent: We may process your personal data when you have given explicit consent for a specific purpose. This includes instances where you have opted to receive marketing communications.

Contractual Necessity: Processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract. For example, this applies when fulfilling obligations related to subscriptions, meetings, and support requests.

Legitimate Interests: We may process your personal data where it is necessary for our legitimate interests, provided that these interests do not override your rights and freedoms. This includes activities such as enhancing user experience, analyzing website behavior, evaluating the success of marketing campaigns, or engaging in business-to-business communications.

We may also process your personal data when we have a legal obligation to do so:

  • when the processing is necessary for us to comply with the law (not including contractual obligations), such as to comply with a court order or similar legal process, or
  • when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.

Information Processed On Behalf Of A Client

Approov Limited has developed its solutions with privacy in mind (“Privacy by design”). The intent is to support our client’s requirement to comply with the most stringent of privacy regulations.

When a client signs up for an Approov account, we collect and process information about their end users; specifically, a unique app instance identifier (Install ID) and an IP address. Note that Install ID is referred to as Device ID in the Approov documentation. Install IDs and IP addresses are masked to afford data subjects reasonable anonymity and to assure their rights to privacy are balanced with the legitimate business interest of our clients to protect their assets through our software and services.

If you use an app that is using the Approov service, then we will retain the above data as long as the Approov account, with which the app is registered, is active. We will also continue to retain this data after the account is terminated if it is necessary for tax and financial reporting purposes or to comply with our legal obligations.

Profiling And Automated Decision Making

We do not use automated decision making (making a decision solely by automated means without any human involvement).

We may use profiling (automated processing of personal data to evaluate certain things about an individual). Based on your personal information, or data that we have gathered through your use of the website or services, we may apply scripted logic to enable us to send you more relevant communications, or to offer you additional resources or services.

The purpose for processing your personal data in this way is to help us to improve the way that we promote and market our services to you.

The legal basis we rely on for processing your personal data is Article 6(1)(f) of the GDPR, when the processing is necessary for our legitimate interests in a way which might be reasonably expected in order for us to run our business.

Data Transfers

Our head office is based in Edinburgh, UK and we have offices in the US. Customer data will be shared with select sub-processors in the US who have a legitimate business need to access that data, such as customer onboarding or technical support. Some of our third-party providers, such as Opsgenie, Zoom and HubSpot, may process data outside the EEA. In these circumstances, we have adequate measures in place and the transfer of personal data is governed by Standard Contractual Clauses.

Information Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Your Rights

You have a number of rights with regard to your personal data:

  • The right to be informed about the collection and use of your personal data.
  • The right to access the personal data that we hold about you.
  • The right to have your personal data rectified if it is inaccurate or incomplete.
  • The right to have your personal data erased, in certain circumstances.
  • The right to restrict or suppress your personal data, in certain circumstances.
  • The right to object to us processing any personal data that we process where we are relying on legitimate interests as the legal basis of our processing.
  • The right to data portability.
  • The right to ask us not to use your personal data for marketing purposes.

Further information about your rights can be found on the ICO’s website https://ico.org.uk/

Please contact us if you wish to exercise any of these rights; our contact details are listed at the end of this policy. There is no charge for us providing you with this data and it will usually be provided within a month of the request (unless the request is unfounded or excessive).

In order to protect your data, we may ask for proof of your identity before proceeding with any request you make under this privacy notice.

If you have provided consent for the processing of your data you have the right (in certain circumstances) to withdraw that consent at any time. This will not affect the lawfulness of the processing before your consent was withdrawn.

You have the right to lodge a complaint to the Information Commissioner’s Office if you are unhappy with the way we have processed your personal data.

Children’s Privacy

Our website and services are not aimed at children under the age of 16 and to the best of our knowledge we have not gathered personal data from any children under the age of 16. If you have reason to believe that a child under the age of 16 has submitted personal data to us, please contact us at privacy@approov.io so that we can delete it.

Links

Our website contains links to other sites. Please be aware that we are not responsible for the content or privacy practices of other sites. We encourage you to read the privacy statements on the other websites you visit.

Cookie Policy

We use cookies to improve functionality, personalize user experiences, and analyze website traffic. For more details, please see our Cookie Policy.

Changes To Our Privacy Policy

We may update this privacy policy occasionally; therefore, please revisit this page frequently. Any changes will be posted on this page with an updated effective date.

Please contact us if you would like to see previous versions of our privacy policy.
