This is the LoginID Privacy Notice for consumer, customer, supplier and business partner data, where this information relates to an individual. This Privacy Notice provides information on the processing of personal data by LoginID, hereafter LoginID, we or us.
In this Privacy Notice we describe who we are, how and for which purposes we process your personal data, how you can exercise your privacy rights and all other information that may be relevant to you.
We did our best to provide you with all information in a clear and readable format. However, if you have any questions about our use of your personal data after reading this Privacy Notice, you can of course always contact us through the contact details provided below.
This Privacy Notice may be changed over time. The most up-to-date Privacy Notice is published on our website. This Privacy Notice applies from May 1, 2021. The last modifications to this Privacy Notice were made on May 1, 2021.
2. WHEN DOES THIS PRIVACY Notice APPLY?
This Privacy Notice is applicable to the processing by LoginID of all personal data of business clients and their end-users. LoginID’s business clients are affiliated partners (merchants, applications, and websites), resellers, and agents that have integrated with the LoginID service. This Privacy Notice does not address the processing of personal data of applicants or employees in the context of their employment relationship with LoginID.
It is LoginID ’s policy to comply with the privacy legislation within each jurisdiction in which we operate. Sometimes the privacy legislation and/or an individual’s right to privacy are different from one jurisdiction to another. This Privacy Notice has a limited scope and application. Consequently, the rights and obligations contained in this Privacy Notice may not be available to all individuals or in all jurisdictions. If you are unsure if or how this Privacy Notice applies to you, please contact our Privacy Officer for more information.
3. WHO IS RESPONSIBLE FOR YOUR PERSONAL DATA?
LoginID is either a data controller or a data processor for the processing of all personal data that fall within the scope of this Privacy Notice. More information on what our specific data protection role is in relation to our processing activities can be found below, under Section 4 “For which purposes do we process your personal 2 data?”. This Privacy Notice provides information on what personal data are collected and used (processed) by LoginID and for what purpose, and to which persons or entities the data will or may be provided. LoginID will not share your personal data with external parties, unless specifically requested by the responsible business client or the data subject, or otherwise to comply with a legal obligation. We share information globally, both internally within the Companies, and externally with our partners and with those you connect and share with around the world in accordance with this policy.
Your information may, for example, be transferred or transmitted to, or stored and processed in the United States or other countries outside of where you live for the purposes as described in this policy. These data transfers are necessary to provide the services set forth in the Terms and to globally operate and provide our Products to you. We utilize standard contract clauses, rely on the European Commission's adequacy decisions about certain countries, as applicable, and obtain your consent for these data transfers to the United States and other countries.
4. FOR WHICH PURPOSES DO WE PROCESS YOUR PERSONAL DATA?
4.1 When you make use of the LoginID service
When you use the LoginID service, whether as a developer or as an end-user of one of our business clients, we will process your personal data. Through our authentication process, we process your personal data to create your credentials, so that you can always authenticate yourself on the LoginID service. Once verified, we store and manage your personal data so that it is secure and readily accessible, and retrieved at your request or at request of our business clients.
As part of our continuing efforts to manage and maintain our business operations including investigating and resolving incidents, and securing the integrity of the LoginID service, we may monitor, and log the interactions of developers and administrators.
(a) Client device verification and authentication
In order for you to use the LoginID service, we process your personal data to verify your device. The one-time verification process creates the credentials through which you and our customers authenticate themselves when using the platform(s) and/or service(s) of our business clients who have integrated with the LoginID service. For these processing activities, our business clients are the data controller and LoginID is the data processor.
Client device verification and authentication relies on Strong Customer Authentication (SCA), based on the FIDO protocols, which uses standard public key cryptography technologies to provide stronger and more effective authentication. When using the LoginID service for the first time, we need you to register your device with the online service that you want to log in to and unlock the FIDO authenticator by presenting your local device with a biometric (such as your fingerprint, facial recognition, or iris scanning). The device will create a public/private key pair that is unique to (i) your device, (ii) the business client’s online service and (iii) your account (with that service). The public key is stored with LoginID while your private key (including any biometric information) never leaves your device.
For these purposes, we process your username, e-mail address, IP-address and FIDO public key. For administrators and developers of our business clients, LoginID processes the same categories of personal data in addition to e-mail address and country of business.
The legal basis for this processing activity is the performance of a contract.
(b) Data management, storage, and collection
We manage and store your personal data on behalf of and according to the instructions of our business clients. LoginID ensures that your personal data is both accessible, reliable, and can be retrieved at your request or at request of our business clients.
For these purposes, we process the personal data provided to us by you and those personal data provided by our business clients. This processing is limited to your username, e-mail address, IP-address, and FIDO public key.
The legal basis for this processing activity is the performance of a contract.
(c) Monitoring and logging
To ensure the security of your personal data and compliance with the Terms and Conditions of our service, we monitor the behaviour of developers and administrators of our partnered business clients. The log data that we collect works as a forensic trail and allows us to respond to incidents quickly and resolve them effectively. This processing activity allows us to monitor administrator interactions around dashboard-related activities.
For this purpose, we may process personal data such as the administrator username, activity timestamp, user roles, and generated errors (if any). The legal basis for this processing activity is our legitimate interest and performance of a contract.
(d) To manage, maintain and develop the LoginID service and business operations
We process your personal data in an aggregated form in order to assess, analyse and improve the LoginID service. We use aggregated personal data to analyse how users interact with the service and the features it provides, so that we may adjust and improve our products and services accordingly. By analysing this aggregated personal data, we can calculate certain values such as the percentage of end-users authenticating themselves with biometrics versus username and password, or the percentage of end-users using desktop versus mobile device.
For this purpose, we may process personal data such as IP-address, particular authentication factors used (such as SMS, biometric, username and password), browser, device information, and geolocation of your network.
The legal basis for this processing activity is legitimate interest.
4.2 When you interact with LoginID (online or offline)
If you get in touch with us via firstname.lastname@example.org on the LoginID website, we will use your personal data in order to reply to and answer your question. For this purpose, we process your name, contact details, your correspondence with us, your question and all other personal data which are necessary to answer your question.
We are active on social media platforms like LinkedIn and Telegram. When you contact us through these channels, we will assume your consent to the collection, use and disclosure of your personal information for the purposes related to answering your questions and responding to your messages. We process your personal data accordingly, including your (user)name, email address, and the personal data you have included in your message.
When you register and provide us with your email address on the LoginID website, we will use that email address to advertise and market to you, which includes sending promotional communications, targeted advertising and presenting you with relevant offers. You will have the opportunity to opt out of marketing emails each time you receive marketing communications from us.
The legal basis for this processing activity is consent.
4.3 For the management and improvement of our internal business operations
LoginID collects personal information to enable us to manage, maintain and develop our business and operations, including:
to establish, maintain and manage our relationship with you so that we may provide you with, or receive from you, the products and services that have been requested (for example, we will use your personal information to establish your identity and credentials so that we may provide you with the products and services that you have requested);
to review the products and services that we provide to you so that we may understand your requirements for our products and services and so that we may work to improve our products and services;
to review the products and services that we obtain from you so that we may work with you and so that you may understand our requirements for such products and services;
to comply with your requests (for example, if you prefer to be contacted at a business or residential telephone number and advise us of your preference, we will use this information to contact you at that number);
to protect us against error, fraud, theft and damage to our goods and property;
to enable us to undertake our environmental, health and safety activities, including incident planning, response and investigation; and
any other reasonable purpose to which you consent.
4.4 To comply with the law
In some cases, we process your personal data to comply with laws and regulations. This could, for example, be the case where tax or business conduct related obligations apply. In order to comply with relevant laws and regulations, we may need to disclose your personal data to government institutions or supervisory authorities.
The categories of personal data processed for this purpose depends on the legal obligation and we will limit the processing of the personal data to what is strictly necessary to comply with that obligation.
6. WHO HAS ACCESS TO YOUR PERSONAL DATA?
6.1 Access to your personal data within LoginID
As a global organization, data we collect may be transferred internationally throughout our worldwide organization. Our employees are authorized to access personal data only to the extent necessary to serve the applicable purpose and to perform their jobs.
6.2 Access to your personal data by third parties
The following third parties might have access to your personal data for the purpose of provisioning of their products or services to us:
Amazon Web Services (AWS) – hosting and storage services
Pipedrive – customer relationship management
Mailchimp – integrated marketing platform for small businesses
HubSpot – integrated marketing platform
Google Analytics - statistics and analytics service
Crisp - customer messaging platform
When third parties are given access to your personal data, we will take the required contractual, technical and organisational measures to ensure that your personal data are only processed to the extent that such processing is necessary. The third parties will only process your personal data in accordance with applicable law.
If your personal data are transferred to a recipient in a country that does not provide an adequate level of protection for personal data, we will take measures to ensure that your personal data are adequately protected, such as entering into EU Standard Contractual Clauses with these recipients.
In other cases, your personal data will not be supplied to third parties, except where required by law.
6.3 The use of your personal data by data (sub-)processors
When a third party processes your personal data solely following LoginID instructions, it acts as a data (sub-)processor. We enter into an agreement with such a data processor for the processing of personal data. In this agreement we include obligations to ensure that your personal data are processed by the data processor solely to provide services to us.
7. HOW ARE YOUR PERSONAL DATA SECURED?
LoginID has taken adequate safeguards to ensure the confidentiality and security of your personal data. We have implemented appropriate technical, physical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorized disclosure or access as well as all other forms of unlawful processing (including, but not limited to, unnecessary collection) or further processing. Examples are IT security policies, staff training and secure servers.
8. HOW LONG ARE YOUR PERSONAL DATA RETAINED?
Your personal data will be removed or made anonymous when your personal data is no longer necessary for the purposes for which these personal data are processed. However, LoginID’s role as a processor means that the applicable retention periods are determined by our business clients.
The security benefits
9. HOW CAN YOU EXERCISE YOUR PRIVACY RIGHTS?
You have the right to request access to an overview of your personal data, and, under certain conditions, rectification and/or erasure of personal data. In addition, you may also have the right of restriction of processing concerning your personal data, the right to object to processing as well as the right to data portability.
To invoke your right of access, rectification, and/or erasure of personal data, your right of restriction of processing, and/or your right to object to processing as well as to invoke your right to data portability please:
- If you are one of our clients’ end-users: please contact our client directly.
- If you are one of our client developers or admins: please contact us at email@example.com.
If you have given your consent to a certain purpose, you can withdraw your consent at any time. Please keep in mind that withdrawal does not have retrospective effect. You can contact us by using the contact details at the bottom of this Privacy Notice.
10. DO YOU HAVE QUESTIONS OR COMPLAINTS?
If you have any further questions about the way we process your personal data, please contact us at firstname.lastname@example.org.
Should you still be of the opinion that your request or complaint was not handled satisfactorily by us, you have the right to lodge a complaint with your local data protection supervisory authority. Please contact your local data protection supervisory authority through the contact details on their website.
You can also reach out to our GDPR representative at the following address:
Osano International Compliance Services Limited
25/28 North Wall Quay
Dublin 1, D01 H104