🔏Privacy Policy
Introduction
KEYLESS TECHNOLOGIES LIMITED is a company incorporated and registered in England and Wales with company number 11362854 whose registered office is at 9th Floor 107 Cheapside, EC2V 6DN, London, UK (“Keyless”, “we”, “us” or “our”).
This is the Privacy Policy (PP) for Keyless, covering privacy of all personal data that we control as Data Controller or handle as a Data Processor (“Policy”).
Keyless accepts that your privacy is of prime concern to our overall strategy, so is committed to demonstrating the highest standards in dealing with our customers and other business partners.
Applicability
When you are using our services, products and electronic media, we may collect, process and/or disclose data that identify you or make you identifiable (“Personal Data“) in accordance with this Policy.
Aim
This Policy is meant to tell you about which Personal Data we collect, store, process, use and/or disclose, for which purposes, and on which legal basis. Further, we inform you about your rights to protection of your Personal Data.
Scope
In the course of our business, we provide mobile apps, software development kits (“SDKs), our website, and related online and offline offerings (collectively, the “Services”). We provide these Services under contract with organisations (our “Customers”).
Our Customers can use our SDKs to build their own applications, use our apps, and can also use protocols, all of which may interact with parts of our Services. These applications can collect data from the users of those apps (“Users”), and the protocols and SDKs can also collect and/or transmit data related to the Customer’s users of these applications to our Services.
In addition, if you use our Services on behalf of an organization (for example your employer), your Personal Data will be subject to that organization’s privacy policy.
Further, we may receive your Personal Data directly from you when you are sending emails to us, or when you provide your Personal Data otherwise in the course of other interactions with us. We may also receive Personal Data indirectly from third parties who legally provide Personal Data to us.
Responsibilities
We have responsibilities to you directly as a Data Controller when we receive your Personal Data directly from you.
We may have responsibilities to our Customers as Data Processors when they use our Services. When we process your Personal Data under the instruction of a Customer, we do so under the terms of a separate agreement with the Customer. We seek to align each such agreement with this Policy.
In some cases, the Customer’s use of our Services is such that we do not need to process Personal Data. In this case, we do not act as a Data Processor for the Customer.
Location
We collect your Personal Data directly from the country where you are and we store it on servers inside the EU/EEA. Our Services store Personal Data on services inside the EU/EEA.
We may process your data outside of the EU, for example when we use third party services. Regardless of where we process it, we will always seek to conform to EU levels data privacy and data protection standards. If you have questions, please write to us at gdpr@keyless.io.
Policy review
This Policy may be amended or updated from time to time to reflect changes in our practices with respect to the Processing of Personal Data, or changes in applicable law.
We encourage you to read this Policy carefully, and to check this Policy regularly in order to review any changes we might make.Your continued use of our Services or of the website constitutes your agreement to be bound by this Policy, as amended or updated from time to time.
If there are any material changes to this Policy, we will notify you as required by applicable law. You understand and agree that you will be deemed to have accepted the updated Privacy Policy if you continue to use the Services after the new Privacy Policy takes effect.
Personal data we process
The categories of Personal Data about you that we may Process include:
Personal details: name, gender, date of birth / age, nationality, passport or national ID number, social security number, tax identification number;
Contact details: address, email address, telephone number, social media account details;
Biometric authentication information, when you use our Services for biometric authentication: Keyless ID, one-way encrypted biometric information, encrypted key information, and other information identify you to our Customer;
Account Information when you create an account with us to use our non-biometric Services: username and password.
Financial details: bank information for payments, credit card information for payments, utility bill, credit report;
Employee details: including educational background and details of previous employers;
Corporate details: name, place of registration, registration number, details with respect to articles of association and other similar documents / certificates, details with respect to shareholders and/or beneficial owners (including their personal and contact details); and
Technical information of your device which you use for communication (cell phone, tablet, notebook, personal computer, etc.), for example, device type, IP address.
How we collect your personal data
We may collect Personal Data about you from the following sources:
When you contact us via email, telephone or by any other means;
In the ordinary course of our relationship with you (e.g., Personal Data we obtain in the course of administering your payments);
When we provide you with access to our documents and products (e.g., to download documentations about our Services);
Where you have chosen to make such Personal Data public, including via social media profiles;
When you visit any of our websites or use any features or resources available on or through our websites; and
When you submit your resume/CV to us for a job application.
Note that when you visit our website or use our other Services, your device and browser may automatically disclose certain information (such as device type, operating system, browser type, browser settings, IP address, language settings, dates and times of connecting to a website and other technical communications information), some of which may constitute Personal Data.
Creation of personal data
In the course of your interaction with us, we may keep records of your interactions with us and details of your transaction history.
We may also keep records associated with Users of a Customer in the course of their use of and interactions with our Services.
Automatic collection of personal data
If you are a user of one of our Customers who uses our Services, we will automatically collect information about your IP address, device type, user settings, operating system version, Keyless ID, one-way encrypted biometric information, and encrypted key information.
Our Customers’ users data
If you use our Services on behalf of an organization (e.g. your employer), that organization may provide us with information about you so that we can provision your account.
If you use an app as part of one or our Customer’s services (e.g. to authenticate to those Customer services), our Customer may provide us with information about you so that we can provision your account.
How we use your Personal Data
Personal Data provided directly to us
We use your Personal Data to grant you access to and to enable you to use our Services, and also to provide, maintain and improve our Services. We use this Personal Data only if and as long as we have received your explicit prior consent and in accordance with respectively applicable additional legal requirements in your jurisdiction.
We use your information that you have provided directly to us for a variety of business purposes, including:
To provide the Services or information requested:
Fulfill our contract with you or the organization on whose behalf you use the Services;
Manage your information;
Respond to questions, comments, and other requests;
Process payment card and/or other financial information to facilitate your use of the Services;
Provide access to certain areas, functionalities, and features of our Services; and
Answer requests for customer or technical support.
For administrative Purposes:
Pursue legitimate interests, such as direct marketing, research and development (including marketing research), and network and information security;
Measure interest and engagement in the Services;
Develop of new products and services;
Improve our products and Services;
Assure internal quality control and safety;
Authenticate or verify individual identity;
Carry out audits;
Communicate with you about activities on the Services and changes to our agreements;
Prevent and prosecute potentially prohibited or illegal activities;
Enforce our agreements; and
Comply with our legal obligations;
We do not sell your Personal Data to third parties.
Our Customers’ users data
We use Personal Data obtained through our Customers only in association with the operation of our Services to them, and under their instructions.
How we process your Personal Data
We process your Personal Data according to our Security Policy.
We may process your Personal Data using our third-party service providers.
Third-party Processors
When we involve third party Processors in the performance of our services and contractual obligations and such involvement requires the sharing of Personal Data, we have entered with our third party Processors into data processing agreements according to Art. 28 of the European General Data Protection Regulation (“GDPR”) and, as far as required, further appropriate safeguards according to Art. 46 – 49 GDPR.
The categories of service providers to whom we entrust personal information include service providers for:
the provision of the Services;
the provision of information, products, and other services you have requested;
marketing and advertising;
payment and transaction processing;
customer service activities; and
the provision of IT and related services.
The list of third party Processors to which we disclose your Personal Data can be requested by email to gdpr@keyless.io.
Specifically we can already name the following Processors:
AWS:
To store your personal data, we are also using services provided by our data processor Amazon Web Services, Inc., 410 Terry Avenue North, Seattle WA 98109, United States (“AWS”).
For further information, please see AWS’s Privacy Policy.
Google LLC:
To store personal data, we use Google’s services GSuite and Google Cloud, which are provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States.
For further information please see Google’s Privacy Policy.
DocSend:
To store your personal data, we are also using a service provided by DocSend, Inc. at 351 California St., STE 1200, San Francisco, California, 94104, United States, in compliance with the EU-U.S. Privacy Shield Framework.
For further information, please see DocSend Privacy Policy.
DocuSign:
To store your personal data, we are also using a service provided by DocuSign Inc., located in the United States at 221 Main Street, Suite 1550, San Francisco, CA 94105, United States.
DocuSign may transfer your personal information outside of your jurisdiction for further processing. DocuSign has adopted Binding Corporate Rules to facilitate the transfer of personal information from the EEA to DocuSign outside of the EEA. You may view their Binding Corporate Rules here and here.
For further information, please see DocuSign Privacy Policy.
Mailchimp:
To store your personal data, we are also using mailchimp, a service provided by our data processor Rocket Science Group LLC, located in the United States at 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, United States, in compliance with the EU-U.S. Privacy Shield Framework.
For further information, please see Mailchimp’s Privacy Policy.
Categories of third parties “Non-Processors”
We may also disclose your Personal Data to third parties who are not Processors in terms of Art. 28 of the GDPR.
The categories of such Non-Processors are: banks, credit agencies and other financial and/or payment service providers.
What we do with your Personal Data
Processing your Sensitive Personal Data
We do not seek to collect or otherwise process your Sensitive Personal Data, except where:
the Processing is required or permitted by applicable law (e.g., to comply with our diversity reporting obligations);
the Processing is necessary for the detection or prevention of crime (including the prevention of fraud);
the Processing is necessary for the establishment, exercise or defence of legal rights; or
we have, in accordance with applicable law, obtained your explicit consent prior to Processing your Sensitive Personal Data (as above, this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Cookies
Only Google Analytics and YouTube set cookies associated with our Services.
Please see the cookie policies of our third-party Processors for details of the cookies that they may set:
DocuSign
Zoho
If you have ‘Do Not Track’ activated in your browser, or if you rejected our cookie banner, we don’t collect any information and won’t let Google set any cookies in your browser.
If you do not want to allow us to use Cookies, you can disable Cookie installation via your browser setting or refuse the installation of Cookies when prompted to this effect. You also have the option of deleting Cookies from your computer’s hard disk at any time.
Mobile devices
We may send you push notifications through our mobile application.
You may at any time opt-out from receiving these types of communications by de-enrolling with our Service using the application, by uninstalling the application, or by changing the settings on your mobile device.
We do not collect location-based information if you use our mobile applications.
Consequences if we may not collect your Personal Data
We need your Personal Data to provide our Services to you and/or perform our contractual obligations towards you (e.g. through our Customers). Without providing such Personal Data, we may not be able to provide you the services you are intending to receive.
Marketing Activities
We may transfer your Personal Data to our business partners:
- KEYLESS TECHNOLOGIES S.R.L, a company incorporated and registered in Italy with company Startup Innovativa no. 14880901005 whose registered office is at Via Matteo Bartoli 302, Roma, Italy; and
- KEYLESS TECHNOLOGIES PTE. LTD., a company incorporated and registered in Singapore with Company No. 201904868C whose registered address is at 6 Eu Tong Sen Street #12-17, The Central, Singapore (059817).
We may transfer your Personal data to a business partner in order for us or our business partners to provide the Services or information requested, or for administrative purposes.
Your data protection rights
You have the right to request access to, and rectification or erasure of, your Personal Data, or restriction of their Processing.
Furthermore, you have the right to object to Processing as well as to request data portability.
If you are in the EU you have the right to file a complaint to the responsible European Data Protection Authority.
Lawful basis for Processing Personal Data
In Processing your Personal Data in connection with the purposes set out in this Policy, we may rely on one or more of the following legal bases, depending on the circumstances:
we have obtained your explicit prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way);
the Processing is necessary in connection with any contractual relationship that you may enter into with us;
our Customer instructs us to do the Processing under the terms of an agreement we have with them;
the Processing is required by applicable law;
the Processing is necessary to protect the vital interests of any individual; or
- we have a legitimate interest in carrying out the Processing for the purpose of managing, operating or promoting our business, and that legitimate interest is not overridden by your interests, fundamental rights, or freedoms.
Consent and withdrawal
Any consent is provided freely. If you give your consent, you have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of Processing based on consent before its withdrawal. After your withdrawal we will stop to Process your Personal Data, including storage. This paragraph is only relevant for Processing that is entirely voluntary – it does not apply for Processing that is necessary or obligatory in any way.
To withdraw your consent, please send us an email or a letter. Our contact details are shown below.
Children’s information
The Services are not directed to children under 17 (or other age as required by local law), and we do not knowingly collect personal information from children. If we learn that we have collected a child’s personal information in violation of applicable law, we will promptly take steps to delete such information.
Further information
Our contact information
For any requests you can contact us as follows: Name: Keyless Technologies Limited Address: 9th Floor 107 Cheapside, EC2V 6DN, London, UK Phone Number: Tel: +44 20 7862 4600 E-mail: gdpr@keyless.io
How to complain
You can also complain to the ICO if you are unhappy with how we have used your data. The ICO’s address: Information Commissioner’s Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF Helpline number: +44 303 123 1113
Definitions
- ‘Controller’ means the entity that decides how and why Personal Data is Processed. In many jurisdictions, the Controller has primary responsibility for complying with applicable data protection laws.
- ‘Customer’ means an organisation that contracts with us to use one or more of our Services.
- ‘Data Protection Authority’ means an independent public authority that is legally tasked with overseeing compliance with applicable data protection laws.
- ‘EEA’ means the European Economic Area.
- 'GDPR’ means European General Data Protection Regulation.
- ‘Personal Data’ means information that is about any individual, or from which any individual is identifiable. Examples of Personal Data that we may Process are provided above in this Policy.
- ‘Policy’ means this Privacy Policy.
- ‘Process’, ‘Processing’ or ‘Processed’ means anything that is done with any Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- ‘Processor’ means any person or entity that Processes Personal Data on behalf of the Controller (other than employees of the Controller).
- ‘SDK’ means ‘software development kit’ which is a set of software artifacts that you can use to provide capabilities in your programs, and which communicates with other Services.
- ‘Services’ means any services provided by Keyless.
- ‘Sensitive Personal Data’ means Personal Data about race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, sexual life, any actual or alleged criminal offences or penalties, or any other information that may be deemed to be sensitive under applicable law.
- ‘User’ means a user of one of our apps or of our Customer’s apps that use our Services.
Last updated