Privacy Policy

Date Last Revised: April 18, 2018

This Privacy Policy ("Privacy Policy") explains how Salt Edge Inc., including its respective affiliates, related companies, unaffiliated partners and/or licensors (together herein referred to as  "Salt Edge"), collects, uses, processes and protects the information provided by you (“End User”) or acquired through End User’s use of the Services (as defined below). This Privacy Policy also describes what End User’s information Salt Edge collects, the specific ways Salt Edge uses such information, and how End Users can exercise their rights under the Applicable Laws (as defined below).

Salt Edge regularly reevaluates its privacy and security practices and adapts them as necessary to deal with new regulatory requirements, changes in legislation and revised security standards. End Users are advised to read this Privacy Policy carefully.


1. DEFINITIONS

For the purposes of this Privacy Policy, in addition to the capitalized terms defined elsewhere in this Privacy Policy, the following terms shall have the meanings ascribed to them as follows:

1.1. “AISP” means account information service provider, a regulated payment service provider that provides consolidated information on one or more Payment Accounts held by End User with either another payment service provider or with more than one payment service provider.

1.2. “Applicable Laws” means:

  1. the General Data Protection Regulation (EU) 2016/679 and any other similar or equivalent laws, regulations or rules in force from time to time relating to the privacy, processing and use of Personal Data;
  2. the revised Payment Services Directive (PSD2 - EU Directive 2015/2366), together with all regulatory technical standards, codes of practice, guidelines and/or formal interpretations issued by a regulator with jurisdiction over the Services, and all laws or regulations in force from time to time in ASPSP’s jurisdiction giving effect to PSD2; and
  3. all laws, statutes, rules, regulations, decrees, orders or directives in force from time applicable to the Services.

1.3. “ASPSP” means account servicing payment service provider, a payment service provider (such as bank, credit institution or electronic money institution) that provides and maintains a Payment Account for End User.

1.4. “Authenticator” means the mobile application Priora Authenticator that may be provided by Salt Edge to End User as a strong customer authentication solution compliant with PSD2 requirements.

1.5. “Consent” of End User means any freely given, specific, informed and unambiguous indication of End User’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.

1.6. “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

1.7. “Metadata” means all ancillary information, metadata, usage data, service data, relationships, trends, metrics, logs and all other information derived from use of the Services and Priora Platform.

1.8. “Minimum Terms of Service for End User” means Salt Edge’s minimum terms of service which govern End User’s use of the Services set out at https://priora.saltedge.com/pages/min_terms_of_service_end_user as the same may be amended from time to time for the purposes of compliance with changes in the Applicable Laws or good industry practice.

1.9. “Payment Account” means an account held in the End User’s name by the ASPSP which is used for the execution of Payment Transactions.

1.10. “Payment Account Data” means data relating to End User’s Payment Account, particularly:

  1. account information (including without limitation account number, type, currency, balance);
  2. transactions information (including without limitation transaction amount, date, description, currency); and
  3. account holder information (including without limitation name, address, email, phone number), on the condition that the respective ASPSP in its sole discretion provides access to such additional information.

1.11. “Payment Order” means an instruction by End User to its respective ASPSP requesting the execution of a Payment Transaction.

1.12. “Payment Order Data” means data relating to the Payment Order, including without limitation amount, currency, status, description, payee details.

1.13. “Payment Transaction” means an act initiated by End User or on End User’s behalf of placing, transferring or withdrawing funds from End User’s Payment Account.

1.14. “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Data includes, but is not limited to, Payment Account Data and Personalized Security Credentials.

1.15. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

1.16. “Personalized Security Credentials” means personalized features provided by ASPSP to End User for the purposes of authentication, including without limitation username, password, access number, security questions and answers, token/SMS codes, multifactor information, device information.

1.17. “PISP” means payment initiation service provider, a regulated payment service provider that initiates Payment Orders at End User’s request with respect to End User’s Payment Account held with the respective ASPSP.

1.18. “Priora Account” means End User’s account on the Website which is automatically created when End User starts using the Services.

1.19. “Priora APIs” means application programming interfaces that establish secure communication between TPPs and ASPSP during the provision of Services.

1.20. “Priora Platform” means the Website, Priora APIs, Authenticator and any and all materials, documentation, articles and/or guidelines prepared and/or provided by Salt Edge in connection with using the Services, Website, Priora APIs and/or Authenticator.

1.21. “processing” or “to process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, access, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.22. “Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.

1.23. “Pseudonymization” means the processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific End User without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the Personal Data are not attributed to an identified or identifiable natural person.

1.24. “Services” means the services provided by Salt Edge via Priora Platform on behalf of End User’s respective ASPSP.

1.25. “Special Categories of Personal Data” means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.

1.26. “TPP” means a third-party provider, such as AISP or PISP.

1.27. “Website” means the website https://priora.saltedge.com.


2. CONSENT

By accessing and using the Services End User hereby: (i) acknowledges and confirms that End User is at least eighteen (18) years old, or of the legal age of majority in the jurisdiction in which End User resides; and (ii) consents to the use of his/her Personal Data as described in this Privacy Policy. Except as set forth in this Privacy Policy, End User’s Personal Data will not be used for any other purpose without End User’s Consent. Salt Edge will only disclose End User’s Personal Data to third parties strictly for the purposes described in this Privacy Policy. Salt Edge does not sell, trade or rent End User’s Personal Data to any third party, nor does Salt Edge use End User’s Personal Data for advertising purposes.


3. COLLECTION OF INFORMATION

When End User starts using the Services Salt Edge will collect information, including Personal Data, for the purpose of providing, maintaining and improving the Services, as well as meeting the compliance requirements set forth in the Applicable Laws with respect to the provision of Services. Salt Edge collects information primarily in four (4) ways:

  1. Information End User voluntarily provides to Salt Edge. When End User starts using the Services, or contacts Salt Edge’s customer support team with respect to service-related issues or communicates with Salt Edge in any way, End User voluntarily gives Salt Edge information that Salt Edge collects and processes as described in the Minimum Terms of Service for End User and this Privacy Policy. End User gives Salt Edge information directly through the Services: for example, in order to access the Priora Account, End User must authenticate himself/herself by providing the Personalized Security Credentials required to access End User’s Payment Account with the respective ASPSP. End User may communicate with Salt Edge directly through the Services or by sending an email. If End User voluntarily submits Personal Data by email with his/her inquiry or request pertaining to the Services, Salt Edge will process any such Personal Data in accordance with this Privacy Policy. Salt Edge may require additional information, including Personal Data, in order to identify End User while processing his/her inquiry or request. Salt Edge may also maintain a record of such communication, including any follow-ups and subsequent feedback, for internal purposes.
  2. Information collected through End User’s use of the Services. Salt Edge collects information about: (i) the TPPs End User interacts with through the Services and a trail log of their actions with respect to access to End User’s Payment Account; (ii) any actions of End User within the Priora Account and Authenticator; (iii) any Payment Orders initiated through a PISP, including associated Payment Order Data; (iv) Payment Account Data to which an AISP has been granted access to; and (v) details of the Consent given by End User to TPPs, including without limitation scope and timestamp of such Consent. Salt Edge may store this information or part thereof in log files or other Metadata associated with End User’s Priora Account, and link it to other information Salt Edge collects and processes about End User.
    1. Information collected through use of Authenticator. When End User uses the Authenticator on End User’s mobile device, Salt Edge may collect certain information in addition to that described elsewhere in this Privacy Policy, including without limitation device type and operating system. Salt Edge will also send push notifications in the Authenticator to inform End User about pending actions or give service-related notifications. End User can’t opt out of receiving these push notifications. Salt Edge may access, track or collect location-based information from End User’s mobile device while downloading or using the Authenticator.
  3. Information collected from ASPSP and TPP. Salt Edge collects information from End User’s respective ASPSP and TPPs for the purposes of providing the Services as follows:
    1. from ASPSP: Payment Account Data, Payment Order Data and confirmation of availability of funds in End User’s Payment Account; and
    2. from TPP: (i) Payment Orders initiated by End User through a PISP; and (ii) details of the Consent given by End User to TPP, including without limitation scope and timestamp.
  4. Information Salt Edge collects automatically. Each time End User uses the Services Salt Edge collects certain information automatically about how and when End User uses the Services. This information may include without limitation the browser that End User is using, operating system, IP address, all of the areas within the Services that End User visits, and the time of day when End User accesses and uses the Services. Salt Edge collects this information automatically as part of log files or other Metadata, as well as through the use of cookies, web beacons and other similar tracking technologies. All personally identifiable information collected about End User is treated as Personal Data in accordance with the terms of this Privacy Policy. Salt Edge may also use the collected information in an anonymized aggregate way (i.e., it is not personally identifiable in this state) for a variety of purposes, including but not limited to enhancing or otherwise improving the Services and developing new services (see further Section 4.b. “Use of Non-Personal Data”). Further details about the use of cookies and other tracking technologies are provided below:
    1. Cookies — a cookie is a data file placed on a device when it is used to access the Services. Cookies or similar technologies may be used for many purposes, including without limitation remembering End User and End User’s preferences and tracking End User’s visits to the Website or access of the Authenticator. Cookies work by assigning a number to the End User that has no meaning outside of the assigning website or application. Salt Edge uses cookies for various purposes, including without limitation tracking End User’s movements within the Website and Authenticator, analyzing trends, gathering statistical data and improving End User experience and the overall quality of the Services. Salt Edge encodes and encrypts the cookies so that only Salt Edge can interpret the information stored in them. Cookies can be disabled or controlled by setting a preference within End User’s web browser or on End User’s device. Thus, if End User does not want information to be collected through the use of cookies, End User can deny or accept the use of cookies at the individual browser or device level. However, if End User chooses to disable cookies some features of the Services may not function properly or Salt Edge may not be able to customize the delivery of information to End User.

      Besides first-party cookies set by Salt Edge itself, Salt Edge also uses third-party cookies. These third-party service providers with whom Salt Edge has contracted help analyze certain online activities and provide analytics services. Salt Edge uses the following third-party cookies:

      1. Google Analytics: Salt Edge has integrated Google Analytics, a web analytics service provided by Google Inc., in the Website in order to collect and analyze data about End Users’ behavior within the Website. The Google Analytics cookies collect information that allow Salt Edge to understand how End User interacts with the Website, including without limitation the IP address or other unique identifier for End User’s computer, mobile or other device used to access the Website, referral URL, what Website sub-pages End User visits, how often and the duration of such visits, the access time and location. Google Inc. uses the collected information to evaluate the use of the Website and provide online reports and other related services that help Salt Edge enhance user experience. The collected information is transferred and stored in the U.S.A. by Google Inc. or any third-party service providers acting on its behalf. If End User objects to the collection and processing of such data by Google Inc., End User must install a browser add-on (https://tools.google.com/dlpage/gaoptout) which will prevent further collection and transmission of information via Google Analytics. Further information about Google Analytics cookie usage can be found here.
      2. Fabric.io: Salt Edge has integrated Fabric, an analytics service for mobile applications provided by Google Inc., in the Authenticator in order to collect and analyze data about End Users’ behavior within the Authenticator and improve the Authenticator performance. The Fabric cookies collect information about how often End User uses the Authenticator, the IP address, timestamps, device model name, operating system and version number, and other performance data. The collected data is used to provide analytical reports, crash reports and other related services that help Salt Edge to resolve technical issues, improve the Authenticator and enhance user experience.
    2. Web beacons — web beacons are images (single-pixel gifs) embedded in a web page or email for the purpose of measuring and analyzing website usage and activity. Web beacons or similar technologies help Salt Edge better manage the Services, count End Users of the Services, monitor how End Users navigate the Services, count how many e-mails that Salt Edge sends are actually opened and, generally, measure performance. Salt Edge does not link the information gathered by web beacons to End Users’ Personal Data.

Salt Edge does not use cookies, web beacons or other similar tracking technologies to track and analyze End Users’ activity for advertising purposes and at no occasion will Salt Edge contract such third-party service providers to collect Personal Data on Salt Edge’s behalf for advertising purposes.


4. USE OF INFORMATION

  1. Processing Personal Data. Salt Edge processes Personal Data for the purpose of:
    1. providing, maintaining, supporting, protecting and improving the Services;
    2. meeting the regulatory compliance requirements set forth in the Applicable Laws;
    3. providing customer support;
    4. sending system alert messages;
    5. enforcing compliance with the Minimum Terms of Service for End User and Applicable Laws;
    6. protecting the rights and safety of End Users and third parties, of Salt Edge and End User’s respective ASPSP(s);
    7. transferring End User information, including Personal Data, in case of a sale, merger, consolidation, or acquisition. In such case, any acquirer will be subject to Salt Edge’s obligations under this Privacy Policy;
    8. storing Personal Data in order to be able to provide the Services on Salt Edge’s servers or servers provided by third parties that are committed to complying with Salt Edge’s obligations contained in this Privacy Policy and with whom Salt Edge has contracted;
    9. troubleshooting, analyzing and solving service-related errors. In such cases, End Users’ Personal Data may be visible to and/or accessed by technicians, IT staff and/or system administrators authorized by Salt Edge; and
    10. combining Personal Data with information obtained through the use of cookies, web beacons or similar technologies to improve the Services and user experience.
  2. Use of Non-Personal Data. Salt Edge may generate anonymous data derived from or based on Personal Data so that the results are no longer personally identifiable with respect to End User, and combine or incorporate such anonymous data with or into other similar data or information collected from other End Users or derived from other End Users’ use of the Services (collectively, “Anonymized Aggregate Data”). Salt Edge may use such Anonymized Aggregate Data for any business purpose, including but not limited to:
    1. providing, supporting and improving the Services, including sharing such Anonymized Aggregate Data with the respective ASPSP for the purpose of conducting transaction risk analysis and/or compiling other statistical reports;
    2. conducting analytical research, compiling statistical reports and performance tracking;
    3. developing and/or improving other Salt Edge’s services and products; and
    4. sharing such Anonymized Aggregate Data with Salt Edge’s affiliates, agents or other third parties with whom Salt Edge has a business relationship.
  3. Salt Edge will not sell Anonymized Aggregate Data.


5. CHILDREN’S PRIVACY

Protecting the privacy of young children is especially important to Salt Edge. The Services are not directed to children under the age of sixteen (16) years and Salt Edge does not knowingly collect or process Personal Data from persons under sixteen (16) years of age. If Salt Edge becomes aware of the fact that Personal Data of persons less than sixteen (16) years of age has been collected via the Services, Salt Edge will take the appropriate steps to delete this information.


6. DISCLOSURES AND TRANSFERS

Salt Edge will only transfer and/or disclose Personal Data as specified in this Privacy Policy unless End User gives Consent to the disclosure and/or transfer to any other third parties.

  1. Disclosure to Third-Party Providers. Salt Edge has put in place contractual (including data protection, confidentiality and security provisions) and other organizational safeguards with its third-party service providers (“Third-Party Providers”) to ensure an adequate level of protection of Personal Data. Salt Edge may transfer Personal Data to such Third-Party Providers, including Salt Edge’s subcontractors and hosting providers engaged by Salt Edge in connection with the provision of Services, Website and/or Authenticator. Such Third-Party Providers may process, store and/or have access to Personal Data.
  2. Disclosure to ASPSP and TPPs. Salt Edge will disclose Personal Data to End User’s respective ASPSP and TPPs for the purpose of providing the Services as further described in the Minimum Terms of Service for End User.
  3. Disclosure for Legal Reasons. Salt Edge may disclose Personal Data without End User’s Consent, and End User hereby authorizes Salt Edge to do so, when Salt Edge believes in good faith that the disclosure of such information is reasonably necessary or appropriate:
    1. to comply with the Applicable Laws, any subpoena, enforceable request from the competent authorities or other legal process;
    2. to enforce Salt Edge’s rights against End User or in connection with a breach by End User of the Minimum Terms of Service for End User, including investigation of potential violations;
    3. to help detect, curb or investigate fraud or other prohibited or illegal activities that affect or hurt the interests of Salt Edge or other third parties;
    4. to identify, contact or bring legal action against someone who may be causing injury to, or interference with (either intentionally or unintentionally), Salt Edge’s rights or property, other End Users of the Services, or anyone else (including the rights or property of anyone else) that could be harmed by such activities; and
    5. to help Salt Edge comply with legal, accounting or security requirements, in which case Salt Edge may disclose such information to its auditors, professional consultants, accountants and/or legal advisors.
  4. Disclosure in Case of a Sale or Merger. Salt Edge may disclose Personal Data in connection with an acquisition, corporate re-organization, merger or amalgamation with another entity, a sale of all or a substantial portion of Salt Edge’s assets or stock, including any due diligence exercise carried out in relation to the same, provided that the information disclosed continues to be used for the purposes permitted by this Privacy Policy by the entity acquiring access to the information.
  5. Transfer of Ownership. End User’s information (including Personal Data), may be transferred upon change of control as a result of a sale, merger, acquisition or reorganization, but only in accordance with this Privacy Policy. If the entire or substantial ownership of Salt Edge or Services were to change, End User’s information (including Personal Data) may be transferred to the new owner so the Services can continue operations. In any such transfer of ownership End User’s Personal Data will remain subject to the promises of the then and current Privacy Policy. Salt Edge will provide reasonable advance notice to End User via the Website and/or Services of any such change in ownership or control of End User’s Personal Data or in case such Personal Data becomes subject to a different privacy policy.

End User acknowledges that his/her Personal Data may be processed in and transferred to jurisdiction(s) other than End User’s country of residence. The Personal Data of any End User residing in the EU will only be processed in the EU/EEA and shall not be transferred outside EU/EEA without first obtaining such End User’s Consent. By using the Services and submitting any Personal Data to Salt Edge, End User agrees to such processing, transfer and/or disclosure. Salt Edge will take all steps reasonably necessary to ensure that Personal Data is treated securely and in accordance with this Privacy Policy.


7. CONTROLLER AND PROCESSOR

In providing the Services Salt Edge acts as Processor and the respective End User’s ASPSP acts as Controller of Personal Data. While processing End User’s Personal Data Salt Edge shall at all times act on Controller’s behalf and according to Controller’s lawful instructions. Furthermore, Salt Edge shall adhere to the following principles with respect to Personal Data processing:

  1. not to collect more Personal Data than is necessary for the purpose of providing the Services;
  2. not to use Personal Data for any other purposes than those specified in this Privacy Policy;
  3. ensure that all employees authorized by Salt Edge to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  4. not to intentionally access, collect and/or process any Special Categories of Personal Data; and
  5. provide reasonable assistance to Controller to respond to requests for exercising End Users’ rights specified in Section 8.

8. END USER’S RIGHTS

Taking into account the nature of the processing, Salt Edge will provide reasonable assistance to Controller for the fulfilment of Controller’s obligation to respond to requests for exercising End User’s rights set forth below:

  1. the right to be informed: a. End User has the right to receive fair processing information about his/her Personal Data, including purpose of processing and lawful basis for processing, the identity of Controller and Processor, the categories of Personal Data collected and processed, the recipients to whom Personal Data has been or will be disclosed, details of transfers (if any) to third countries and applicable safeguards, Personal Data retention period, the existence of End User’s rights, the sources Personal Data originates from.
  2. the right of access: End User has the right to obtain: (i) confirmation that his/her Personal Data is being processed; and (ii) access to such Personal Data.
  3. the right to rectification: End User is entitled to have Personal Data rectified if it is inaccurate or incomplete. Salt Edge can’t, however, rectify any Payment Account Data, Payment Order Data or Personalized Security Credentials, as this information is provided by and collected from End User’s respective ASPSP.
  4. the right to erasure (right to be forgotten): End User has the right to request the deletion of his/her Personal Data when there is no compelling reason for its continued processing or End User withdraws Consent to such processing. End User can delete (all) his/her Priora Account(s) at any time, in which case End User’s Personal Data will be permanently deleted from Salt Edge’s production servers, except for the information that Salt Edge will retain in accordance with its Data Retention policy (see further Section 9 “Data Retention”).
  5. the right to restrict processing: End User has the right to block processing of Personal Data on the grounds specified in the Applicable Laws. In such case, throughout the duration of the restriction Salt Edge will no longer be able to process End User’s Personal Data and, consequently, provide the Services to End User.
  6. the right to data portability: End User may request to receive free of charge a copy of Personal Data stored in Salt Edge’s system in a structured, commonly used and machine-readable format or have Salt Edge transmit the data directly to another organization if this is technically feasible. Salt Edge will use commercially reasonable efforts to respond to any data portability requests without undue delay and at the latest within one (1) month, although in certain limited circumstances Salt Edge: (i) may not be able to make all relevant information available to End User where that information also pertains to another End User; in such case, Salt Edge will provide reasons for denial to comply with End User’s request or any part thereof; and (ii) may extend the reply period to two (2) months where the End User’s request is complex or Salt Edge receives a number of requests; in such case, Salt Edge will inform End User within one (1) month of the receipt of the request and explain why the extension is necessary. Salt Edge reserves the right to charge a reasonable administrative fee if End User’s request is manifestly unfounded or excessive, particularly if it is repetitive, and for further copies of the same information.
  7. the right to object: End User has the right to object to: (i) processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); (ii) direct marketing (including profiling); and (iii) processing for purposes of scientific/historical research and statistics. Salt Edge does not process End User’s Personal Data for any of the foregoing purposes.
  8. rights in relation to automated decision-making and profiling: End User has the right to object to processing of Personal Data for the purposes of automated individual decision-making (making a decision solely by automated means without any human involvement) and profiling (automated processing of Personal Data to evaluate certain things about an individual). Salt Edge does not process End User’s Personal Data for any of the foregoing purposes.
  9. the right to lodge a complaint with a supervisory authority: End User has the right to lodge a complaint about Salt Edge’s data protection or privacy practices, or the exercise of any of End User’s rights with respect to Personal Data as detailed in this Privacy Policy, with End User’s local supervisory authority. For more information, End User should consult the applicable privacy and data protection regulatory body for the jurisdiction in which End User resides.
  10. the right to withdraw Consent: End User may withdraw Consent to Salt Edge’s processing of Personal Data at any time. However, withdrawing Consent may result in End User’s inability to continue using the Services.

9. DATA RETENTION

Salt Edge will delete End User’s Personal Data from its primary production servers when End User deletes (all) his/her Priora Account(s) or withdraws Consent to further processing of his/her Personal Data by Salt Edge. As a result, End User’s Personal Data will be excised permanently from Salt Edge’s production servers and further access to End User’s Priora Account(s) and use of the Services will be impossible. Notwithstanding the foregoing, Salt Edge shall retain End User’s Personal Data or portions thereof:

  1. in backup files on its backup servers for a period of up to one (1) year in order to ensure compliance with internal business continuity and disaster recovery procedures; and
  2. in log files in order to: (i) comply with the requirements of the Applicable Laws; (ii) exercise or defend (ongoing) legal claims; and (iii) assist End User’s respective ASPSP in meeting audit or statutory requirements. The retention period for such Personal Data shall be a minimum of five (5) years from the date of deletion, or such longer period as required by the Applicable Laws, unless subject to statutory or regulatory change.

Backups and log files containing Personal Data are stored separately from the production servers. All Personal Data retained in backup files and log files will be treated in accordance with the terms of this Privacy Policy for as long as it is retained before being automatically deleted after the retention period has elapsed.

Backup files are stored using strong TLS encryption and Salt Edge’s authorized personnel does not access such files in the ordinary course of business operations. Salt Edge will not use any Personal Data retained in backup files in everyday business activities.


10. DATA SECURITY

  1. Online Confidentiality.
    1. End User must keep the Personalized Security Credentials and the set of credentials required to access the Authenticator (“Authenticator Credentials”) secure and never disclose them to any third party. End User is solely responsible for maintaining the confidentiality of such information. If End User suspects that the Personalized Security Credentials and/or Authenticator Credentials have been stolen or been made known to others, End User must change them immediately and contact Salt Edge promptly at privacy@saltedge.com. Salt Edge shall not be responsible for any loss or damage resulting from access to End User’s Priora Account and/or Authenticator through Personalized Security Credentials and/or Authenticator Credentials obtained from End User or through violation of this Privacy Policy or the Minimum Terms of Service for End User.
    2. Although Salt Edge will take reasonable steps to ensure that End User’s Personal Data is treated and stored securely, unfortunately, the sending of information via the Internet is not totally secure and on occasion such information can be intercepted. Therefore, Salt Edge can’t guarantee the security of Personal Data that End User chooses voluntarily to send to Salt Edge electronically. Salt Edge expressly disclaims all liability for any interception or interruption of any Internet transmissions sent by End User or any losses of or changes to data, including Personal Data, resulting from such interception or interruption.
  2. Notice of Security Breach. Nobody is 100% safe from hackers. If a security breach causes an unauthorized intrusion into Salt Edge’s systems, software or networks that leads to a Personal Data Breach resulting in a high risk to the rights and freedoms of End User, then Salt Edge will notify Controller of the Personal Data Breach without undue delay after having become aware of it, by describing the nature of the Personal Data Breach, the data that has been, or Salt Edge reasonably believes to have been, compromised and the immediate actions taken by Salt Edge with respect thereto. Salt Edge will later report to Controller the measures taken to mitigate potential adverse effects and prevent continuing or similar security breaches in the future.
  3. Personal Data Safeguards. Salt Edge is committed to maintaining the confidentiality, integrity and security of the Personal Data of End Users. Salt Edge employs advanced security techniques to safeguard Personal Data against unauthorized access, use and/or disclosure. Salt Edge strictly restricts access to Personal Data in accordance with specific internal procedures governing access to such information. Salt Edge carefully selects the individuals privileged with access to Personal Data in accordance with internal security policies and practices, and each such individual is bound by confidentiality obligations. The Services ensure secure communications with TLS encryption. To maintain the security of online sessions and protect Salt Edge’s systems from unauthorized access, Salt Edge uses a combination of firewall barriers, encryption techniques and authentication procedures, among others. Access to Salt Edge’s systems requires multiple levels of authentication, including biometric recognition procedures. Security personnel monitor the systems 24 hours a day, 7 days a week. Salt Edge databases are both physically and logically protected from general employee access. Salt Edge enforces physical controls on its premises. Salt Edge is routinely verified for its use of TLS encryption technologies and audited for its privacy practices. Salt Edge tests its systems, the Priora Platform and Services infrastructure for any failure points that might allow hacking.
  4. Data Pseudonymization. In addition to the technical and organizational security measures employed by Salt Edge to ensure security, confidentiality and integrity of Personal Data, Salt Edge also uses data Pseudonymization technique when processing and storing Personal Data in its systems by replacing the data fields which are the most identifying in a data record with pseudonyms. Personal Data which has undergone Pseudonymization can no longer be attributed to a specific End User without the use of additional information, and such additional information is kept by Salt Edge separately and is subject to technical and organizational security measures to ensure that such pseudonymized Personal Data is not attributed to an identified or identifiable natural person.

11. PRIVACY POLICY UPDATE

Salt Edge reserves the right to change this Privacy Policy at any time and from time to time to reflect changes in the Services or the Applicable Laws. If Salt Edge decides to change this Privacy Policy in the future, Salt Edge will post an appropriate notice at the top of this Privacy Policy page and/or give reasonable advance notice to End Users through the Services or Website. Any non-material change (such as clarifications) to this Privacy Policy will become effective on the date the change is posted and any material changes will become effective thirty (30) days from their posting on the Website. Unless stated otherwise, this Privacy Policy applies to all Personal Data collected and processed by Salt Edge in connection with the Services. The date this Privacy Policy was last revised appears at the top of this document. End User is advised to print a copy of this Privacy Policy for reference and revisit this Privacy Policy from time to time to ensure that End User is aware of any changes. End User’s continued use of the Services after the changes to this Privacy Policy become effective signifies End User’s acceptance of any such changes.


12. DATA PROTECTION OFFICER

Salt Edge’s data protection officer can be reached at any time by email at dpo@saltedge.com in case of any questions with respect to Salt Edge’s collection, use, disclosure or processing of Personal Data.


13. CONTACT

Any questions, comments or feedback regarding this Privacy Policy or any other privacy or security concern may be sent by email to privacy@saltedge.com.

Salt Edge Inc.
40 King Street West, Suite 2100
Toronto, Ontario
M5H3C2, Canada