Index
1. Scope of this policy
2. Personal Data Protection: Principles and data subject rights
3. Information Security Practices
4. The services provided by the weblink
5. Information we may collect from you
6. Uses made of the information
7. Disclosure of your information
8. Where we store your personal data
9. Your rights regarding marketing
10. Access to information
11. Changes to data protection policy
12. Contact
Privacy Policy
PURPOSE OF THIS POLICY
PlanetVerify Limited trading as PlanetVerify (“we”) are committed to protecting and respecting your data protection rights and freedoms. The purpose of this policy is as a statement of that commitment.
1. Scope of this policy
1.1 This policy (together with our end-user licence agreement (the “EULA”) and any additional terms of use incorporated by reference into the EULA (together our “Terms of Use”)) applies to your use of the PlanetVerify online secure Weblink, once you have selected Accept Terms on the PlanetVerify secure Weblink page.
1.2 This policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.
2. Personal Data Protection: Principles and data subject rights
1. Personal Data Protection Principles:
PlanetVerify undertakes its role to support the Requester of your personal data in performing its responsibilities under the General Data Protection Regulation (GDPR), as follows:
Article 5(1) of the GDPR requires that personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’).
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’).
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’).
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’).
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Article 5(2) requires that the Requester be responsible for, and be able to demonstrate compliance with these principles (‘accountability’). PlanetVerify assists the Requester with ensuring appropriate security of the personal data.
2. Data Subject Rights:
PlanetVerify undertakes its role to support the Requester of your personal data in satisfying your data subject rights under the GDPR, as follows:
- The right to be informed: You have the right to be informed by the Requester of your personal data to ensure that the processing is fair and transparent, including the identity and contact details of those processing your personal data. PlanetVerify is the processor of your requested personal data acting under instructions from the Requester and can be contacted at info@planetverify.com. PlanetVerify’s Data Protection Officer can be contacted at dataprotectionofficer@planetverify.com.
- The right of access: You have the right to obtain confirmation from the Requester as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and certain additional information. You are given the right of access so that you are aware of and can verify the lawfulness of processing.
- The right to rectification: You have the right to have the Requester rectify inaccurate personal data concerning you.
- The right to erasure (to be forgotten): You have the right to have the Requester erase personal data concerning you in specific circumstances.
- The right to restrict processing: You have the right to have the Requester restrict processing of personal data concerning you in specific circumstances.
- The right to data portability: You have the right to receive from the Requester the personal data you have provided electronically in a machine readable format.
- The right to object: You have the right to object to the Requester regarding the processing of your personal data in specific circumstances, including when your personal data is used for direct marketing purposes.
- Rights related to automated decision making and profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or significantly affects you.
- Right to lodge a complaint with a supervisory authority.
3. Information Security Practices
PlanetVerify uses state-of-the-art security features and methods including:
- Secure hosted platform employing security controls exceeding industry standards with continuous 7X24 management and monitoring of all events
- Two-factor authentication is available for web services and end-user device apps
- TLS 256-bit encryption is used on all data transfers
- Optional IP restrictions on server account access
- Use of a progressive web app, which increases the security of communications, decreases the numbers of third parties involved, decreases complexity with a single version for all platforms, provides automatic updates, and is network independent
- Continuous vulnerability management and testing of code and infrastructure and regular penetration testing
- Privacy by Design principles have been implemented from the outset such as:
  - I share my data if, and only when, I decide
  - I will only receive data requests from verified PlanetVerify users, which inhibits fraudsters or imposters
  - I can see when my data has been viewed
- All server-based personal data is AES 256-bit encrypted and encryption keys are stored in protected key vaults
- Security practices aligned to ISO 27001 and other leading certification standards
- Static code analyses are performed using leading practice OWASP and commercial industry standard tools
- Rigorous and orchestrated incident management procedures based on best practices
- End-user personal data is protected in many ways including encryption, data classification, authorisation, authentication, and detective controls (auditing)
- All personal data in the Dublin data centre are asynchronously geo-replicated to a second data centre within the EEA
4. The services provided by the weblink
The Weblink (a progressive web app) offers the following main services:
1). The Weblink acts as an intermediary between You (the “End-User”) and a third party who has requested that you provide them with a copy of certain personal details and documentation (the “Requester”). The Weblink allows you to add personal details and capture and make copies of your documentation, which may include proof of address, personal references and forms of identification (the “Documentation”). The Weblink also allows you to store this Documentation on your device in a secure encrypted format and transmit securely the Documentation to the Requester.
2). Upon request, the Requester can also use the Weblink to request that the authenticity of the Documentation provider be verified. We carry out this verification for and on behalf of the Requester using the Documentation which You have provided (a “Verification”).
3). At your discretion, You may save the Documentation on the Site for your use in responding to future requests from the same or other Requesters (the “PlanetVerify Secure Vault function”).
4). We offer the Requester a secure central storage where the Documentation of each Information Provider is held.
5). We offer and strongly recommend the Requester, and the PlanetVerify Secure Vault function user, to use 2 Factor Authentication (2FA) for all Documentation held in our secure cloud. This adds significantly to security as it requires a code from your device as well as the secure password in order to access Documentation on a device or computer.
6). We offer the Requester, and the PlanetVerify Secure Vault function user, a “One-Click” option to Purge an entire Information Provider’s Documentation and this can be done with data you provide if you request them to do so.
(together, the “Services”).
For the purpose of the Data Protection Acts 1988, 2003 and 2018 and the General Data Protection Regulation in the provision of the Service, the data controller is the Requester and we act as Data Processor (to the extent that we process personal data on their behalf). We also act as a data controller for our own employees, when registering enterprise users, and when responding to requests for assistance.
5. Information we may collect from you
On your request and in order to provide the Services, we may process the following data about you:
- Information You Submit (“Submitted information”): This includes any Documentation which you choose to transmit to a Requester using the Weblink. Such documentation may include personal data. You may also give us information about you by filling in forms on the Weblink, or by corresponding with us (for example, by e-mail or chat). This also includes information you provide when you register to use the Weblink, subscribe to any of our Services, or search for the Weblink or Service. When you report a problem with the Weblink or our Services or ask for assistance and, in doing so, you choose to provide data to us, some of that data may be sent outside the EEA through our support systems.
- Information we collect about you and your device. Each time you visit one of our websites or use the Weblink we may automatically collect the following information:
  - Technical information, including the type of mobile device you use, a unique device identifier (for example, your Device’s, the MAC address of the Device’s wireless network interface, or the mobile phone number used by the Device), mobile network information, your mobile operating system, the type of mobile browser you use, and the time zone setting (the “Device Information”).
  - Details of your use of any of the Weblink or your visits to any of our websites including, but not limited to, traffic data, location data, weblogs and other communication data, whether this is required for our own billing purposes or otherwise and the resources that you access (the “Log Information”).
- Location information. To provide additional security and defense to PlanetVerify’s platform and Weblink we may also use technology to determine your current location. Some of our location-enabled services require your personal data for this security feature to work. This particular security feature will be available strictly on an opt-in basis only so you will be asked to consent to your data being used for this purpose. You can withdraw your consent at any time by altering your device setting.
- Information we receive from other sources (“Third Party Information”). We are working closely with third parties (including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies) and may receive information about you from them. We also may receive information about you from third parties with whom we work in order to Verify the Documentation (if requested to do so by the Document Requester or by you). Further details about the Verification of Documentation can be found in our EULA.
- Unique application numbers: when you install or uninstall a Service containing a unique application number or when such a Service searches for automatic updates, that number and information about your installation, for example, the type of operating system, may be sent to us.
- Cookies
- tracking the duration of visits and content accessed; and
- storing frequently used user information to personalise your online experience and ease the log-in process.
6. Uses made of the information
We use information held about you in the following ways:
- Submitted Information: We will use the Submitted Information in the manner set out in the EULA and this Data Protection Policy including but not limited to:
  - Providing the Services by transmitting your Documentation as instructed by you, to the Document Requester;
  - Verifying the authenticity of the Documentation including by contacting third parties to do so; and
  - Responding to your requests for assistance.
- Device information: For Weblink compatibility issues and potentially for multi-factor Verification purposes.
- Log information: For the assistance of identity verification or troubleshooting purposes.
- Location information: We may use this information for verification/authentication purposes.
- Third Party Information: For the assistance of identity verification/authentication.
- Unique application numbers: As described above and also for multi-factor verification purposes.
7. Disclosure of your information
We may disclose some or all of the data we collect from you when you download or use the App to the following third parties:

| Category of data | Recipient |
| --- | --- |
| The Documentation which you upload | The Requester (i.e. the third party with whom you share the Documentation using the Weblink). |
| The Documentation which you upload | Third parties (such as utility companies) who we may contact on behalf of the Requester in order to Verify the Documentation in question. |

- In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.
- If PlanetVerify or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.
- If we are under a duty to disclose or share your personal data in order to comply with any legal or regulatory obligation or request.
- In order to:
  - enforce or apply the EULA, and other agreements or to investigate potential breaches; or
  - protect the rights, property or safety of PlanetVerify, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.