SECTION 1 - WHAT INFORMATION DO WE COLLECT AND HOW DO WE USE IT?
The Services gather certain information automatically, some of which may be considered personal information under applicable law. Access our data processing addendum here.
We may collect, among other things, the following types of information:
- Telephone number
- Email address
- Professional information, such as employer or organizational affiliation for a customer or partner
- Payment or financial information for billing purposes
- Any data in any files uploaded, emailed or otherwise provided by customers for support and QA
- Operating system type and version, web server type and version, database type and version
- Unique IDs such as a cookie placed on a computer or mobile device, or device IDs
- IP address or MAC address, and information derived from an IP or MAC address, such as geographic location
- Browsing activities, cookies and similar data, and platform or mobile application use data
- Referring domain, destination domain and destination path
- Geolocational data, including latitudinal and longitudinal data
- User IDs and passwords for customers with Service accounts
- Information about the performance, security, software configuration and availability of our software on your servers and network
- Website user statistics and website and portal use and viewing activity records
- Communication preferences
- Other similar information
We may also collect information, including personal information, in the following situations:
- Registration, purchase and use of the Services: Information such as name, email address, company/organization, financial information, and other information, may be collected in connection with registration for, purchase of or use of the Services (for example, to sign-up for and log into the Services). Customers may update their information by logging into their account. Information may also be collected to track license use.
- Communications: Personal information such as name, email address, and other information, may be collected, when provided in any communications, whether via email, telephone or otherwise.
- Support: Personal information may be collected in connection with customer support, whether via email, telephone or otherwise.
- Surveys and Research: We may collect personal information from anyone participating in research and surveys.
We may use the information, including your personal information, collected in connection with the Services for the purpose of providing the Services to you and our customers, as well as for supporting our business functions, such as fraud prevention, marketing, analytics and legal functions, and other legitimate purposes.
To the extent permitted by applicable law and, for customer data, as permitted by our customer agreements, we may use information collected in connection with our Services:
- To operate the Services and provide support.
- To fulfill customer requests, such as to create a Services customer account or complete customer purchases.
- To communicate with our customers.
- With customer consent, to inform customers and users of products, programs, services and promotions.
- To send customers information regarding the Services and issues specifically affecting Services.
- To respond to reviews, comments, or other feedback provided to us.
- In the case of server logs, to help us statistically monitor how many people are using our site and for what purpose.
- To protect the security and integrity of our Services, content, and our business.
- For benchmarking, data analysis, audits, developing new products, enhancing the Services, facilitating product, software and applications development, improving our services, conducting research, analysis, studies or surveys, identifying usage trends, as well as for other analytics purposes.
- To meet our contractual requirements, to comply with applicable legal or regulatory requirements and our policies, and to protect against criminal activity, claims and other liabilities.
- For any other lawful purpose for which the information is provided.
SECTION 2 - CONSENT
How do you get my consent?
When you provide us with personal information to complete a transaction, verify your credit card, place an order or return a purchase, you are consenting to our collection and use of that personal information for that purpose, and to our disclosure of such personal information to our service providers that help us achieve those purposes.
By signing up for our service, you are consenting to our use of your personal information to communicate with you, provide you services, market our services to you, to improve our services and systems, for legal and security purposes, and for purposes for which we provide specific notice at the time of collection. You are also consenting to our disclosure of your personal information to our service providers that help us achieve the foregoing purposes.
How do I withdraw my consent?
If after you opt-in, you change your mind, you may withdraw your consent for us to contact you, for the continued collection, use or disclosure of your information, at any time, by contacting us at firstname.lastname@example.org or mailing us at: HackEDU, Inc., d/b/a Security Journey, 40 24th Street, 4th Floor, Pittsburgh, PA 15222, United States of America.
SECTION 3 - DISCLOSURETo the extent permitted by applicable law, Provider may share and disclose your information, including personal information, as set forth below:
- Customers. If you are using Services on behalf of a customer, we may share information with such customer and their service providers and other platforms that may assist such customer.
- Affiliates and Agents. We may share information with our affiliates or any business partners or agents acting on our behalf.
- Service Providers. We may share information with our service providers, agents, vendors and other third parties we use to support the Services and our business. We share personal information with such third parties to the extent necessary to provide services to us, and pursuant to binding contractual obligations. A list of such providers can be accessed here.
- Advertising and Marketing. To the extent permitted by applicable law, we may share information with third parties for marketing, advertising, promotions, contests, or other similar purposes. If required by applicable law, we will share such data for advertising and marketing purposes only in an aggregate, anonymous, and de-identified manner.
- Mergers, Acquisitions, Divestitures. We may share, disclose or transfer information to a buyer, investor, new affiliate, or other successor in the event Provider, or any affiliate, portion, group or business unit thereof, undergoes a business transition, such as a merger, acquisition, joint venture, consolidation, reorganization, divestiture, liquidation or dissolution (including bankruptcy), or a sale or other transfer of all or a portion of any assets of Provider or any affiliates or during steps in contemplation of such activities (e.g., negotiations and due diligence).
- Law Enforcement and National Security. We may share information with legal, governmental, or judicial authorities, as instructed or required by those authorities or applicable laws, or to comply with any law or directive, judicial or administrative order, legal process or investigation, warrant, subpoena, government request, regulatory request, law enforcement or national security investigation, or as otherwise required or authorized by law.
- Protection of Rights, Property or Safety. We may also share information if, in our sole discretion, we believe disclosure is necessary or appropriate to protect the rights, property or safety of any person, or if we suspect fraud or other illegal activity,
- Provider may also disclose personal information for other purposes or to other third parties when an individual has consented to, or requested, such disclosure, or where a customer has obtained permission from such individual, or where such disclosure is otherwise legally permitted for legitimate business purposes, and, for customer data, with such customer’s authorization or otherwise in accordance with Provider’s agreement with such customer.
SECTION 4 – HOSTED SERVICES
Our Services are hosted on one or more third-party cloud platforms. They provide us with a platform that allows us to provide our products and services to you.
Your data is stored through third-party data storage, databases and the general cloud application. They store your data on a secure server behind a firewall. Our hosting service providers are included in the list of service providers here; their specific security policies and practices may be accessible through their website or other publicly available links.
If you choose a direct payment gateway to complete your purchase of the Services, then a third-party credit card data service provider stores your credit card data. It is encrypted through the Payment Card Industry Data Security Standard (PCI-DSS). Your purchase transaction data is stored only as long as is necessary for us to provide Services to you.
All direct payment gateways adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, MasterCard, American Express and Discover.
PCI-DSS requirements help ensure the secure handling of credit card information by our store and its service providers.
For more insight, you may also want to read Provider’s Terms of Service.
SECTION 5 - THIRD-PARTY SERVICES
In general, the third-party providers used by us will only collect, use and disclose your information to the extent necessary to allow them to perform the services they provide to us.
However, certain third-party service providers, such as payment gateways and other payment transaction processors, have their own privacy policies in respect to the information we are required to provide to them for your purchase-related transactions.
For these providers, we recommend that you read their privacy policies so you can understand the manner in which your personal information will be handled by these providers.
Our third-party providers are listed here. All of our third-party providers process and store data in the United States of America.
In particular, remember that certain providers may be located in or have facilities that are located in a different jurisdiction than either you or us. So if you elect to proceed with a transaction that involves the services of a third-party service provider, then your information may become subject to the laws of the jurisdiction(s) in which that service provider or its facilities are located.
As an example, if you are located in Canada and your transaction is processed by a payment gateway located in the United States, then your personal information used in completing that transaction may be subject to disclosure under United States legislation, including the Patriot Act.
SECTION 6 - SECURITY
To protect your personal information, we take reasonable precautions and follow industry best practices to make sure it is not inappropriately lost, misused, accessed, disclosed, altered or destroyed.
SECTION 7 - AGE OF CONSENT; CHILDREN
By using this site, you represent that you are at least the age of majority in your state, province or country of residence and you have given us your consent to allow any of your minor dependents to use this site.
Specifically, we recognize the importance of protecting the privacy and safety of children. The Services are not intended for children under 13 years of age – and for European residents, for children under 16 years of age. We do not knowingly collect personal information from children under 13. Anyone under 13 should not use the Services. If we learn we have collected or received personal information from a child under 13 without verification of parental consent, we will delete that information. If you believe we might have any information from or about a child under 13, please contact us as set forth in the Contact Information section below.
SECTION 8 - COOKIES
What Are Cookies?
We may collect information using “cookies.” Cookies are small data files stored on the hard drive of your computer or mobile device by a website. We may use both session cookies (which expire once you close your web browser) and persistent cookies (which stay on your computer or mobile device until you delete them) to provide you with a more personal and interactive experience on the Services.
We use two broad categories of cookies: (1) first party cookies, served directly by us to your computer or mobile device, which are used only by us to recognize your computer or mobile device when it revisits the Services; and (2) third party cookies, which are served by service providers on the Services, and can be used by such service providers to recognize your computer or mobile device when it visits other websites.
Cookies We Use
Our Services use the following types of cookies for the purposes set out below:
These cookies are essential to provide you with services available through our Services and to enable you to use some of its features. For example, they allow you to log in to secure areas of our Services and help the content of the pages you request load quickly. Without these cookies, the services that you have asked for cannot be provided, and we only use these cookies to provide you with those services.
These cookies allow our Services to remember choices you make when you use our Services, such as remembering your language preferences, remembering your login details and remembering the changes you make to other parts of our Services which you can customize. The purpose of these cookies is to provide you with a more personal experience and to avoid you having to re-enter your preferences every time you visit our Services.
Analytics and Performance Cookies:
These cookies are used to collect information about traffic to the Services and how users use the Services. The information gathered does not identify any individual visitor. It includes the number of visitors to our Services, the websites that referred them to our Services, the pages they visited on our Services, what time of day they visited our Services, whether they have visited our Services before, and other similar information. We use this information to help operate our Services more efficiently, to gather broad demographic information and to monitor the level of activity on our Services. We may use Google Analytics or similar tools for this purpose. Google Analytics or similar tools uses their own cookies. We only use these tools to improve how our Services works. You can find out more information about Google Analytics cookies here: https://developers.google.com/analytics/resources/concepts/gaConceptsCookies. You can find out more about how Google protects your data here: www.google.com/analytics/learn/privacy.html. You can prevent the use of Google Analytics relating to your use of our Services by downloading and installing the browser plugin available via this link: http://tools.google.com/dlpage/gaoptout?hl=en-GB .
You can typically remove or reject cookies via your browser settings. In order to do this, follow the instructions provided by your browser (usually located within the “settings,” “help” “tools” or “edit” facility). Many browsers are set to accept cookies until you change your settings.
Further information about cookies, including how to see what cookies have been set on your computer or mobile device and how to manage and delete them, visit www.allaboutcookies.org and www.youronlinechoices.co.uk.
If you do not accept our cookies, you may experience some inconvenience in your use of our Site/Application(s)/Services. For example, we may not be able to recognize your computer or mobile device and you may need to log in every time you visit.
SECTION 9 - PIXEL TAGS
We may also use pixel tags (which are also known as web beacons and clear GIFs) on our Services to track the actions of users on our Services. Unlike cookies, which are stored on the hard drive of your computer or mobile device by a website, pixel tags are embedded invisibly on webpages. Pixel tags measure the success of our marketing campaigns and compile statistics about usage of the Services, so that we can manage our content more effectively. The information we collect using pixel tags is not linked to our users’ Personal Data.
SECTION 10 - DO NOT TRACK SIGNALS
Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to do not track signals. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.
SECTION 11 - FOR USERS OF OUR WEBSITE FROM THE UK, EU, EEA AND SWITZERLAND
Your rights regarding your personal information
Our legal bases for the processing of Personal Data are: (i) consent or (ii) any other applicable legal bases, such as our legitimate interest in engaging in commerce, offering products and services of value to you and the customers of the Services, preventing fraud, ensuring information and network security, direct marketing and advertising, and complying with industry practices. For the purposes of this Section, “Personal Data” shall mean any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of such natural person.
Additional Rights for European Residents. If you are a resident of the European Union (EU), European Economic Area (EEA) or a country following substantially similar legislation regarding the protection of Personal Data, you may have one or more of the following additional rights:
- Access. To request a copy of the Personal Data we have collected about you by contacting us.
- Rectification & Erasure. To request that we rectify or delete any of the Personal Data about you that is incomplete, incorrect, unnecessary or outdated.
- Objection. To object, at any time, to Personal Data about you being processed for direct marketing purposes.
- Restriction of Processing. To request restriction of processing of Personal Data about you for certain reasons, such as, for example, if you consider Personal Data about you collected by us to be inaccurate or you have objected to the processing and the existence of legitimate grounds for processing is still under consideration.
- Data Portability. To request and receive the Personal Data we have collected about you in a commonly used and machine-readable form.
- Right to Withdraw Consent. If Personal Data about you is processed solely based on your consent and not for any other legitimate interest, to withdraw your consent at any time, without affecting the lawfulness of our processing based on such consent before it was withdrawn, including processing related to existing contracts for our products and services.*
- Right to Lodge a Complaint with a DPA. If you believe our processing of Personal Data about you is inconsistent with the applicable data protection laws, to lodge a complaint with your local supervisory data protection authority (“DPA”).
To exercise any of the above listed rights, please contact us at email@example.com or as set forth in the Contact Information section below and provide sufficient details so that we can respond appropriately. We will process any requests in accordance with applicable law and within a reasonable period of time. We may need to verify the identity of the individual submitting a request before we can address such request. If the request relates to data our customers collect and process through the Services, we will refer the request to that customer and will support them in responding to the request. For customers, certain information may be reviewed, corrected and updated by logging into the Services account and editing the profile information.
*Note that withdrawing your consent to our processing of your information will not affect the lawfulness of any processing carried out before you withdraw your consent. You should also be aware that if you do withdraw your consent, we may not be able to provide certain services to you. Where this is the case, we will let you know at the time you withdraw your consent. Please note that even after you have withdrawn your consent we may be able to continue to process your personal information to the extent required or otherwise permitted by law, in particular in connection with exercising and defending our legal rights or meeting our legal and regulatory obligations.
SECTION 12 - PERSONAL DATA TRANSFERRED TO THE UNITED STATES
Until the framework agreement reached between the United States and EU is implemented, Provider relies on the use of Standard Contractual Clauses (and applicable jurisdiction-specific modules) for transatlantic data flows from the United Kingdom, European Union, European Economic Area, and Switzerland.
Provider will transfer Personal Data (as Personal Data is defined under applicable Data Protection Laws and Regulations) from the European Union and Switzerland in accordance with Module 2 of the Standard Contractual Clauses dated June 4, 2021 (the “SCCs 2021”).
The SCCs (2021) shall apply to the extent: (i) Customer is subject to the Data Protection Laws and Regulations in the European Union or European Economic Area; (ii) Personal Data is transferred, either directly or via onward transfer, from the European Union, or European Economic Area to any country not recognized by the European Commission as providing an adequate level of protection for personal data; and (iii) an alternative legal mechanism of ensuring an adequate level of protection for Personal Data is not available with respect to such transfer(s) as set forth herein.
Provider will transfer Personal Data from the United Kingdom in accordance with the UK Standard Contractual Clauses (“UK SCCs”) Addendum issued by the Information Commissioner’s Office (ICO) and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 (the “UK Addendum”).
The UK SCCs shall apply to the extent: (i) Customer is subject to the Data Protection Laws and Regulations in the United Kingdom; (ii) Personal Data is transferred, either directly or via onward transfer, from the United Kingdom to any country not recognized by the UK Addendum as providing an adequate level of protection for personal data; and (iii) an alternative legal mechanism of ensuring an adequate level of protection for Personal Data is not available with respect to such transfer(s) as set forth herein.
The Standard Contractual Clauses will not apply to Personal Data that is not transferred, either directly or via onward transfer, outside the European Union, European Economic Area, Switzerland, and the United Kingdom, as applicable.
SECTION 13 - CALIFORNIA CONSUMER PRIVACY ACT AND CALIFORNIA PRIVACY RIGHTS ACT
The California Consumer Privacy Act of 2018 (the “CCPA”) and the California Privacy Rights Act of 2020 (the “CPRA”) provides consumers that are natural persons who are California residents (“Consumers”) (i) the right to know what personal information a business has disclosed about them, along with certain details, (ii) the right to “opt out” of allowing a business to sell personal information (as defined in the CCPA) to third parties, (iii) the right to have a business delete their personal information, with some exceptions, (iv) the right to receive equal service and pricing from a business, and (v) other related rights.
To the extent that the CCPA or CPRA is applicable, then: (i) Provider is a service provider (as defined in the CCPA or CPRA) or a contractor (as defined in the CPRA); (ii) Provider shall not retain, use, or disclose personal information for any purpose other than for the specific purposes of performing the Services or as otherwise permitted by the CCPA or CPRA; (iii) Provider shall not sell personal information provided by Consumer or processed on Consumer’s behalf; (iv) Consumer is responsible for verifying a consumer request with respect to personal information processed by Provider before requesting applicable information from Provider; and (v) Consumer is responsible such that its use of the Services will not violate the rights of any identified or identifiable persons to which personal data relates that has opted-out from sales or other disclosures of personal information, to the extent applicable under the CCPA or CPRA.
If the company is acquired or merged with another company, your information may be transferred to the new owners so that we may continue to sell products to you.
QUESTIONS AND CONTACT INFORMATION
If you would like to: access, correct, amend or delete any personal information we have about you, register a complaint, or simply want more information contact our Privacy Compliance Officer at firstname.lastname@example.org or by mail at:
HackEDU, Inc. d/b/a Security Journey
Re: Privacy Compliance Officer
40 24th Street, Fourth Floor, Pittsburgh, PA 15222, United States of America.