Privacy Policy

Last updated: 18 August 2020

This privacy policy explains the types of personal data that we may collect about visitors to our website, those who subscribe to our services, and job applicants. It covers how that personal data may be used, who we share it with and the rights you have in relation to that information. We are committed to protecting your personal data and to being transparent about the types of information that we hold.

Who We Are and How to Contact Us

The websites (www.approov.io and www.criticalblue.com), Approov branding, and associated digital properties belong to CriticalBlue Ltd (Company registered in Scotland, No. SC224237). CriticalBlue Ltd are responsible for, and control the processing of, your personal data unless stated otherwise.

If you have any questions or concerns regarding this privacy notice, please contact us:

Email: privacy@criticalblue.com

Post: Chief Technical Officer, CriticalBlue Ltd, 181 The Pleasance, Edinburgh, EH8 9RU, United Kingdom.

Personal Data That We May Collect

In the course of our business, we may collect the following personal data from you.

  • Contact information such as name and title, email address, address, telephone and mobile number.
  • Billing and payment information such as credit card details and billing address.
  • Usage data such as information on how you use our website and services.
  • Technical data such as IP address, time zone and location, device and software being used to access our website.
  • Biographical and personal information from CVs/resumes and job applications, such as date of birth, academic and professional qualifications gained and employment history.

We do not knowingly collect or process any special category data. Special category data is data that is more sensitive e.g. information about an individual's race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life or sexual orientation.

How And Why We Collect And Process Personal Data

This section explains:

  • the ways in which we collect your personal data,
  • the purpose for processing your personal data, and
  • the lawful basis that we rely on for processing your personal data (we can only process your personal data if we have a lawful basis for doing so).

When You Visit Our Website

Web server logs

We use third party service providers, HubSpot and Amazon Web Services, to host our website. Both Amazon Web Services and HubSpot may automatically collect standard log data including your IP address, the pages you have accessed, any information requested, the date and time of the request, your browser version and operating system, and the referral source. Individuals cannot be identified from this information alone.

Our Amazon Web Services server is based in Ireland. The Amazon Web Services privacy policy is available here https://aws.amazon.com/privacy.

HubSpot is based in the US and may store your information outside of the European Economic Area. HubSpot agrees to abide by and process European Data in compliance with the Standard Contractual Clauses approved by the European Commission. Their privacy policy is available here https://legal.hubspot.com/privacy-policy.

Purpose for processing

The purpose for processing the above data is:

  • To measure our website traffic and usage in order to improve the content of the website and to help us identify errors in our services.
  • To prevent fraud and to ensure the security of our services.
  • To evaluate marketing activities such as visitor retention, referral evaluation, and channel validation.

The lawful basis that we rely on to process your personal data is Article 6(1)(f) of the GDPR which allows us to process personal data when it is necessary for the purposes of our legitimate interests in order for us to run our business.

Analytics

We use a third party service, Google Analytics, to collect standard log data and behaviour patterns for visitors to our website. IP addresses are anonymized to prevent storage of full IP address information. Individuals cannot be identified from this information alone. Google Analytics collects this data solely on our behalf and we use the information to improve the content and performance of our website.

Details on how you can control the information collected by Google from websites or apps that use their services can be found here https://policies.google.com/technologies/partner-sites.

To opt out of Google Analytics you can use a browser add-on, more information can be found here https://tools.google.com/dlpage/gaoptout/.

We use FullStory, a web analysis tool, to capture visitor behaviour on our website. FullStory may record usage patterns (pages visited, links clicked and mouse movements) and technical information (browser and device type, operating system, IP address and script errors). We use this information to improve our services. We do not store any personal information, including information entered in form fields, and we have enabled the "Discard user IP addresses" extension to ensure that FullStory does not transmit your IP address to us.

You can find out more about the information collected by FullStory here https://www.fullstory.com/resources/fullstory-gdpr-you/. Their privacy policy is available here https://www.fullstory.com/legal/privacy/.

You can opt out of FullStory data capturing here: https://www.fullstory.com/optout/.

Cookies

We use cookies and other tracking technologies to generate or collect some information from your computer or device automatically as you use our website. Cookies are small data files that are stored on your device. Our website uses such technologies enabled by us or third parties in order to operate and personalize the website, track how you use the site and to serve ads to you on other websites. We use a cookies tool on our website to request consent for any optional cookies that we use. Cookies that are strictly necessary for you to use and browse our website are always on (unless you adjust your browser settings).

HubSpot sets cookies that track how users interact with our website and this information is anonymized. However, if you have provided personal information to us e.g. by submitting a form on our website, it is possible that HubSpot will be able to identify other interactions that you have with us online.

You can find out more information about HubSpot cookies and how they are used in their privacy policy https://legal.hubspot.com/privacy-policy

Strictly Necessary Cookies

These are needed to enable you to use and browse our website.

Purpose for processing
  • To enable the core functionality of our website on your specific device.
  • To store your preferences.

The lawful basis that we rely on to process your personal data is Article 6(1)(b) of the GDPR which allows us to process personal data when it is necessary to perform a contract or to take steps at your request to enter into a contract.

Purpose for processing
  • To help us to improve our website by collecting and reporting information on usage (analytical cookies).
  • To enable us to improve the relevancy of marketing communications and advertising campaigns that you receive (marketing and online advertising cookies).
  • To enable you to share certain pages of our website on social media (social sharing cookies).

The lawful basis that we rely on to process your personal data is Article 6(1)(a) of the GDPR which allows us to process your personal data when you have given us clear consent to do so for a specific purpose. Where we process your personal data based only on your consent, you can withdraw this consent at any time by contacting us.

Targeted Advertising

We use a third party service, Adroll Group, to manage advertising of our services on other sites. When you visit our website, Adroll may use cookies and tracking pixels for targeted advertising purposes. You can find out more in their privacy policy which can be found here https://www.adrollgroup.com/privacy.

To opt out of targeted advertising, please visit:

If you opt out of receiving targeted adverts, you will still be served generic adverts while browsing other sites.

For more information about how we use cookies, see our Cookies Policy https://www.approov.io/cookies

When You Contact Us

Complete an enquiry form

If you complete an enquiry form on our website, details of the information you submit will be collected and stored on our behalf by HubSpot, a third party CRM service provider. We will collect information such as your first and last name, email address and details of your enquiry. This information is mandatory and if you do not provide it then you will not be able to submit the form. You may also provide additional optional information such as phone number, country of residence and job function. We receive an email notification when a form has been submitted on our website, and this will contain a copy of the information you have provided.

Purpose for processing
  • To send you the sales and technical information required to access and use our services and products.
  • To respond to any communications that we receive and to keep a record of correspondence.

The lawful basis that we rely on for processing your personal data is either Article 6(1)(b) of the GDPR where the email relates to us providing you with information on our products or services and it is necessary in order to perform a contract, or Article 6(1)(f) where it is necessary for our legitimate interests e.g. to keep a record of all correspondence that we receive.

Submit a request for technical support

We use a third party service, Zendesk, to manage technical support requests. When you submit a support request on our website, Zendesk will collect your contact information (email address) and details of your request directly from you on our behalf. This information is stored securely by Zendesk in accordance with their privacy policy https://www.zendesk.co.uk/company/customers-partners/privacy-policy/.

Zendesk is based in the US and may store your personal data outside of the EEA. Zendesk has obtained approval for its Binding Corporate Rules as a data processor for its customers’ data to facilitate safe transfers of personal data from the EEA to members of the Zendesk family of companies. In addition, Zendesk offers its customers protections under the Standard Contractual Clauses.

We receive an email notification when a support request has been submitted and this will contain a copy of the information you have provided. We use a third party provider, OpsGenie, for our on-call management system. When a technical support request is made a copy of the information you submit is also sent to our on-call management system. This information is stored securely by OpsGenie in accordance with their privacy policy, which can be found here https://www.opsgenie.com/privacy.

OpsGenie is based in the US and may store your personal data outside of the EEA. Information is transferred under Standard Contractual Clauses approved by the European Commission and OpsGenie are bound by these clauses to safeguard this information.

Purpose for processing
  • To respond to any communications we receive relating to our products or services.
  • To send you the sales and technical information required to access and use our services and products.

The lawful basis that we rely on to process your personal data is Article 6(1)(b) of the GDPR which allows us to process personal data when it is necessary to perform a contract or to take steps at your request to enter into a contract.

Send us an email

If you send us an email we will collect your email address and any other information that you have provided. We use a third party provider, Gmail, for our email services, their privacy policy can be found here https://policies.google.com/privacy.

Please be aware that any emails we send or receive may not be protected in transit. If you send us an email using the email address(es) on our website, a copy of the information you have provided will be stored on our behalf by HubSpot, a third party CRM service provider.

Purpose for processing

To respond to any communications that we receive and to keep a record of correspondence.

The lawful basis that we rely on for processing your personal data is either Article 6(1)(b) of the GDPR where the email relates to us providing you with information on our products or services and it is necessary in order to perform a contract, or Article 6(1)(f) where it is necessary for our legitimate interests e.g. to keep a record of all correspondence that we receive.

Submit a job application to us

We collect information directly from you if you apply for a job with us or submit your CV/resume. This will include contact information and biographical information. If you submit a job application or your CV to us using the email address(es) on our website, the information you provide will be stored on our behalf by HubSpot, a third party CRM service provider.

Your personal data is stored securely by HubSpot in accordance with their privacy policy which can be found here https://legal.hubspot.com/privacy-policy.

Purpose for processing

To evaluate your suitability for a job with us.

The lawful basis that we rely on to process your personal data is Article 6(1)(f) of the GDPR which allows us to process personal data when it is necessary for the purposes of our legitimate interests in order for us to run our business.

When You Use Our Website

Request a downloadable resource

If you request a downloadable resource from our website (for example, a copy of an e-book or one of our demos) details of the information you submit will be collected and stored on our behalf by HubSpot, a third party CRM service provider. We may collect information such as your first and last name, email address and job function. Some of this information is mandatory and if you do not provide it then you will be unable to download the resource. We receive an email notification when a downloadable resource has been requested and this will contain a copy of the information you have provided.

Purpose for processing

To send any downloadable resources (e.g. our ebooks) to you that you have opted to receive.

The lawful basis that we rely on to process your personal data is Article 6(1)(a) of the GDPR which allows us to process your personal data when you have given us clear consent to do so for a specific purpose. Where we process your personal data based only on your consent, you can withdraw this consent at any time by contacting us.

Sign up to our newsletter

We use a third party CRM service provider, HubSpot, to send out our newsletter and administer our mailing list. HubSpot will collect and store contact information, such as your name and email address, directly from you on our behalf when you subscribe to receive our newsletter. We receive an email notification when someone subscribes to our newsletter and this will contain a copy of your contact information. You can opt out of receiving marketing communications from us at any time by clicking on the “unsubscribe” link at the bottom of our emails, or by sending an email to privacy@criticalblue.com.

Purpose for processing

To send any marketing communications (e.g. our newsletter) to you that you have opted to receive.

The lawful basis that we rely on to process your personal data is Article 6(1)(a) of the GDPR which allows us to process your personal data when you have given us clear consent to do so for a specific purpose. Where we process your personal data based only on your consent, you can withdraw this consent at any time by contacting us.

Subscribe to our Services

When you sign up for a trial subscription of Approov, your contact information will be collected and stored on our behalf by HubSpot, a third party CRM service provider.

We use the following third party services: Chargebee to manage paid subscriptions and to process recurring payments and Stripe to provide a payment gateway. If you sign up for a trial or paid subscription to Approov, Chargebee may collect contact and billing information directly from you on our behalf. Your contact information is stored securely by Chargebee in accordance with their privacy policy which can be found here https://www.chargebee.com/privacy/ .

Chargebee do not store or have access to your complete payment card information. Stripe uses and processes your complete payment information in accordance with their privacy policy https://stripe.com/gb/privacy .

We receive an email notification when someone subscribes to our Services and this may contain your email address and the last 4 digits of your credit card number. We do not store or have access to your complete payment card information.

Purpose for processing
  • To enable us to register you for our products or services.
  • To manage and administer your account.
  • To carry out billing activities.
  • To respond to any communications we receive (where the message relates to us providing you with our products or services).
  • To send you the sales and technical information required to access and use our services and products.

The lawful basis that we rely on to process your personal data is Article 6(1)(b) of the GDPR which allows us to process personal data when it is necessary to perform a contract or to take steps at your request to enter into a contract.

Purpose for processing
  • To respond to any communications we receive and to keep a record of correspondence.
  • To contact you with information on related content, products or services.

The lawful basis that we rely on to process your personal data is Article 6(1)(f) of the GDPR which allows us to process personal data when it is necessary for the purposes of our legitimate interests in order for us to run our business.

Submit a question

We use a third party provider, HubSpot, to manage our pop-up question form. If you submit a query through the pop-up form, your email address and the information you submit will be collected and stored in HubSpot. We receive an email notification when someone submits a question through the website and this will contain a copy of the information you have provided.

Purpose for processing

To respond to any communications we receive and to keep a record of correspondence.

The lawful basis that we rely on to process your personal data is Article 6(1)(f) of the GDPR which allows us to process personal data when it is necessary for the purposes of our legitimate interests in order for us to run our business.

Use our live chat service

We use a third party provider, HubSpot, to manage our live chat service. Your contact details and the information you provide during the live chat session will be collected and stored in HubSpot.

Purpose for processing

To respond to any communications we receive and to keep a record of correspondence.

The lawful basis that we rely on to process your personal data is Article 6(1)(f) of the GDPR which allows us to process personal data when it is necessary for the purposes of our legitimate interests in order for us to run our business.

Interact with our social media channels

We use a third party provider, HubSpot, to manage our social media channels, such as Twitter and LinkedIn. If you interact with us through our connected social channels, a record of this will be stored in HubSpot.

Your personal data is stored securely by HubSpot in accordance with their privacy policy which can be found here https://legal.hubspot.com/privacy-policy.

Purpose for processing
  • To respond to any communications we receive and to keep a record of correspondence.
  • To evaluate the success of our social media and marketing campaigns.

The lawful basis that we rely on to process your personal data is Article 6(1)(f) of the GDPR which allows us to process personal data when it is necessary for the purposes of our legitimate interests in order for us to run our business.

We may also process your personal data when we have a legal obligation to do so: when the processing is necessary for us to comply with the law (not including contractual obligations), such as to comply with a court order or similar legal process, or when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.

The following pages utilize framing techniques to serve content from our partners while preserving the look and feel of our website. Please be aware that you are providing your personal data to these third parties and not to us.

  1. Our subscription sign up page is hosted by Chargebee.
  2. Our support request page is hosted by Zendesk.

Information Processed On Behalf Of A Client

When a client signs up for an Approov account, we collect and process information about their end users; specifically, a mobile device identifier (Device ID) and an IP address. Device IDs and IP addresses are anonymized and individual users cannot be identified using this data.

If you use an app that is using the Approov service, then we will retain the above data as long as the Approov account, with which the app is registered, is active. We will also continue to retain this personal data after the account is terminated if it is necessary for tax and financial reporting purposes or to comply with our legal obligations.

Profiling And Automated Decision Making

We do not use automated decision making (making a decision solely by automated means without any human involvement).

We may use profiling (automated processing of personal data to evaluate certain things about an individual). Based on your personal information, or data that we have gathered through your use of the website or services, we may apply scripted logic to enable us to send you more relevant communications, or to offer you additional resources or services.

The purpose for processing your personal data in this way is to help us to improve the way that we promote and market our services to you.

The legal basis we rely on for processing your personal information is Article 6(1)(f) of the General Data Protection Regulation, when the processing is necessary for our legitimate interests in a way which might be reasonably expected in order for us to run our business.

Sharing Your Data With Others

We may share your data with third party data processors who provide services for us. We have contracts in place with our data processors. We will only provide them with the information that they need to carry out their services and they may only use your data for the purpose(s) specified in our contract with them. When we stop using their services, any data they hold about you must either be deleted or anonymized, unless they require it for tax or financial reporting or to meet legal obligations.

Within CriticalBlue, personal data will only be shared between members of staff who legitimately need the information to carry out their normal duties in order to provide you with the service you have requested.

In the event of a merger with or an acquisition by another company, your personal data will, where relevant, be transferred to the new owner under the terms of this privacy notice.

We may disclose your personal data if we conclude that it is required by law, such as to comply with a court order or similar legal process, or when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.

Transfer Of Personal Data To Other Countries

Your personal data will be transferred and stored outside of the European Economic Area (EEA) in the following circumstances:

Our head office is based in Edinburgh, UK and we have an office in the US. Customer data will be shared with select sub-processors in the US who have a legitimate business need to access that data, such as customer onboarding or technical support. In these circumstances, we have adequate measures in place and the transfer of personal data is governed by EU standard contractual clauses.

We use a third party provider, HubSpot, to host and manage some of our website and to provide CRM services. When you contact us, use or interact with our website your personal data may be collected by HubSpot and stored outside of the EEA. HubSpot agrees to abide by and process European Data in compliance with the Standard Contractual Clauses approved by the European Commission. Their privacy policy is available here https://legal.hubspot.com/privacy-policy.

Our support request page is hosted by Zendesk, they will collect contact information directly from you on our behalf. Zendesk is based in the US and may store your personal data outside of the EEA. Zendesk has obtained approval for its Binding Corporate Rules as a data processor for its customers’ data to facilitate safe transfers of personal data from the EEA to members of the Zendesk family of companies. In addition, Zendesk offers its customers protections under the Standard Contractual Clauses. Their privacy policy is available here https://www.zendesk.co.uk/company/customers-partners/privacy-policy/ .

We use a third party provider, OpsGenie, for our on-call management system. When a technical support request is made a copy of the information you submit is also sent to our on-call management system. OpsGenie is based in the US and they may store your personal data outside of the EEA. Information is transferred under Standard Contractual Clauses approved by the European Commission and OpsGenie are bound by these clauses to safeguard this information. Their privacy policy is available here https://www.opsgenie.com/privacy .

In limited and necessary circumstances, your information may be transferred outside of the EEA to comply with our legal or contractual requirements, for example, in the event of the merger with or acquisition by another company. In these circumstances, we would ensure adequate measures were in place and we would rely on lawful measures to transfer that information, such as Binding Corporate Rules or EU Standard Contractual Clauses.

How Long Personal Data Is Kept

We will retain your personal data for no longer than is necessary. This will depend on why it was collected, or if we have a continuing lawful basis to do so, such as to fulfil a contract between us, perform a service you have requested or for our legitimate interests. Your personal data will be deleted if we no longer have a valid reason or legal requirement to process it. The following retention periods apply:

  • Website server log information: we retain this information for 6 months.
  • Analytics information: we retain this information for 26 months.
  • Demo or trial subscription: when you sign up for a demo or trial subscription to our services, we will retain that information for 12 months.
  • Customer subscription information: when you sign up for a paid subscription to our services, we retain that information for 6 years following the end of the financial year in which your subscription ended. This is in accordance with our legal obligation to keep records for tax purposes.
  • Enquiries (including technical support requests): we will retain this information for as long as it takes for us to respond to and resolve your query and for an additional 12 months.
  • Newsletter subscription: we retain this information for as long as you are subscribed.

Information received from unsuccessful job applicants will be retained for the statutory recommended period. If you have given us consent to hold your data for longer in order to be considered for future opportunities then we will retain it for the agreed period. You have the right to withdraw that consent at any time.

If, in the future, we intend to process your personal data for a purpose other than that for which it was collected then we will provide you with information on that purpose prior to doing so.

Information Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Your Rights

You have a number of rights with regard to your personal data:

  • The right to be informed about the collection and use of your personal data.
  • The right to access the personal data that we hold about you.
  • The right to have your personal data rectified if it is inaccurate or incomplete.
  • The right to have your personal data erased, in certain circumstances.
  • The right to restrict or suppress your personal data, in certain circumstances.
  • The right to object to us processing any personal data that we process where we are relying on legitimate interests as the legal basis of our processing.
  • The right to data portability.
  • The right to ask us not to use your personal data for marketing purposes.

Further information about your rights can be found on the ICO’s website https://ico.org.uk/

Please contact us if you wish to exercise any of these rights, our contact details are listed at the end of this policy. There is no charge for us providing you with this data and it will usually be provided within a month of the request (unless the request is unfounded or excessive).

In order to protect your data, we may ask for proof of your identity before proceeding with any request you make under this privacy notice.

If you have provided consent for the processing of your data you have the right (in certain circumstances) to withdraw that consent at any time. This will not affect the lawfulness of the processing before your consent was withdrawn.

You have the right to lodge a complaint to the Information Commissioner’s Office if you are unhappy with the way we have processed your personal data.

Children’s Privacy

Our website and services are not aimed at children under the age of 16 and to the best of our knowledge we have not gathered personal data from any children under the age of 16. If you have reason to believe that a child under the age of 16 has submitted personal data to us, please contact us at privacy@criticalblue.com so that we can delete it.

Our website contains links to other sites. Please be aware that we are not responsible for the content or privacy practices of other sites. We encourage you to read the privacy statements on the other websites you visit.

Changes To Our Privacy Policy

We’ll keep this information up to date and any changes we make will be posted on our website.

Please contact us if you would like to see previous versions of our privacy policy.

Copyright © 2020 CriticalBlue, Ltd. All Rights Reserved.