Privacy Policy – Covr Security AB

Dear User,

The Covr Security app (the “Covr App”) is provided by Covr Security AB, company registration number (org. no. 556999-2638) having its registered address at Nordenskiöldsgatan 24, 211 19 Malmö, Sweden (“we” or “us”). Our contact details are set out below in section 2.13.

Your privacy is important to us. Under the applicable personal data protection legislation and regulations such as Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (GDPR), as well as any other local laws and legislation applicable in any relevant territory, we are processing personal data as data processor and also as data controller for which we decide the purposes and the means of processing (please see below). With “personal data” we mean information which is directly or indirectly referable to a natural living person, e.g. name and address but also possibly location data or IP addresses. We may collect the information set out below, which include your personal data.

This document contains a policy statement regarding our collection, use and processing of personal data, with whom we may share such data, your rights in relation to your personal data and other information that we have to provide you with. When you use the Covr App, we will process personal data for various purposes. If you do not want us to process personal data about you as set out in this Privacy Policy, please do not use the Covr App.

The Covr App is provided by us to you as an end user and the Covr App is also provided to our partners as a service, by means of which you are able to safely identify yourself with our partners (for instance banks, retail sellers, cloud service providers, gaming companies etc.) that are using the Covr App’s services (the “Partners”). This means that our Partners are the data controllers for certain types of data and we are carrying out the processing activities on their behalf according to their instructions when providing them with the services of the Covr App. We also process certain personal data for our own purposes for which we are acting as data controllers.

1. Processing of personal data on behalf of our partners

1.1 We process the following types of data as data processor on behalf of our Partners in order to provide the services of the Covr App:

(a) A Digital Identity is created by Covr on the mobile device. This digital identity is a public key pair, and the user (you) has sole control of the private key. The public key is shared by you to other parties for identification purposes.

(b) Local operating system biometrics or a user created PIN code are used in combination with a hardware key to decrypt sensitive data that is stored on the device. Please note that we do not process any biometric data, as this information is used only locally on your device.

(c) Service provider connections, use the Public Key.

(d) Messages/Authorizations are stored on the users device and sent from to the service provider connection. The encrypted message/authorization passes through our systems.

1.2 Regarding the above types of data, our Partners are the data controllers, which means that they decide on the means and purposes of the processing. You should consult their privacy policies concerning the processing of your personal data via the Covr App in order to obtain information with respect to such as the purposes of the processing, your rights regarding the processing, the contact person to whom you might address questions or complaints etc.

1.3 The purposes of the processing of the personal data enlisted in section 1.1 is decided by the Partner implementing the Covr App in its operations. The processing always serves the purpose of safe online identification by means of providing the Covr App.

1.4 The provision of the Covr App entails the processing of your above enlisted personal data for our the purposes of enabling and providing the Covr App, which includes sending you alerts or messages concerning the Covr App via push notifications in your device; and ensuring the technical functioning of the Covr App.

1.5 The types of data enlisted above in section 1.1 are only shared by us with relevant Partners in order to provide the service of the Covr App.

2. Processing of personal DATA for our own purposes

2.1 TYPES OF DATA

2.1.1 We collect and process the following categories of personal data for our own purposes as data controller:

(a) the Digital Identity, as described in section 1.1 (a) above.

2.1.2 Please note that we are unable to provide the Covr App unless you provide the above stated personal data, which is a contractual requirement.

2.2 PURPOSES OF PROCESSING

2.2.1 We will process the Personal Data set out above for the following purposes:

(a) to analyse engagement, custom event triggers, funnels on usage and crash reporting;

(b) to improve and develop the Covr App or new services and products and to analyze your use of the Covr App. See section 2.8 below regarding Firebase for more information;

(d) enforcing the terms of use, including to protect our rights, property and safety and also the rights, property and safety of third parties if necessary; and

(e) fulfilling requirements by law (we are a Swedish company, subject to Swedish laws).

2.3 LEGAL GROUNDS OF PROCESSING

2.3.1 We will process your personal data based on your consent, for purposes (b), (c), (d), and (e).

2.3.2 By clicking “Continue” in the set-up flow and thereby creating a user account with the Covr App, you consent to the processing of your personal data.

2.3.3 You may at any time withdraw your consent. If you revoke your consent it will not affect the lawfulness of our processing based on your consent before its withdrawal.

2.3.4 For purpose (a), we process your personal data based on our legitimate interests of maintaining the correct functioning of the Covr App, and of analysing the use of it in order to develop and improve it. More information about this purpose and the processing of personal data it entails can be found in section 2.8, below.

2.3.5 You can opt out of the processing for purpose (a) in your user settings. cease to process your personal data for such purposes.

2.4 DISCLOSURE OF PERSONAL DATA

2.4.1 We may share and disclose your personal data, enabling us to fulfil the above purposes, to the following service providers:

(a) to our outsourced development team (located in Lithuania);

(b) to our cloud service hosting provider (servers located globally for redundancy and latency purposes); and

2.4.2 For recipients that are located outside of the EU/EEA in countries that the European Commission has not deemed to have an adequate level of protection for personal data, such as the cloud service hosting provider, we are applying safeguards in accordance with the GDPR to ensure the safety of personal data that is transferred. You can contact us using the contact details set out below in section 2.13 to obtain more information of this and a copy of the safeguards.

2.5 RESPONDING TO LEGAL REQUESTS AND PREVENTING HARM

2.5.1 We may access, preserve and share your information in response to a legal request (like a search warrant, court order or a subpoena or the like), or when necessary to detect, prevent and address fraud and other illegal activity, to protect ourselves, you and other users, including as part of investigations, if we have a good faith belief that the applicable law require us to do so or where we have an interest in protecting ourselves.

2.5.2 Information that we receive about you by using the Covr App, may be accessed, preserved and retained for an extended period of time when it is the subject of a legal request or obligation, government investigation, or investigations concerning possible violations of our Terms of Use or policies, or otherwise to prevent harm.

2.6 CHILDREN

The Covr App is not directed to persons under the age of 16. We do not knowingly collect personal data from persons under the age of 16 (the “Age Limit”). If you are a parent or guardian of a child under the Age Limit and you become aware of that your child has provided personal information to the Covr App without your consent, please contact dataprotection@covrsecurity.com to exercise of your applicable access, rectification, cancellation, and/or objection rights.

2.7 RETENTION PERIOD

2.7.1 In order to achieve the purposes of the processing as set forth above, we will process your personal data until the Terms of Use is terminated and for two years thereafter for archiving purposes. When we are processing the personal data on behalf of Partners, it is the Partner that decides the retention period and we defer to the information set out in their respective privacy notices.

2.7.2 If the personal data is processed for the purpose of complying with laws, the personal data will not be processed for a longer period of time than what is necessary in order to comply with the particular legal requirement (such as for instance, the Swedish code of judicial procedure in relation to court orders and the like, and the GDPR when handling data subject requests).

2.7.3 If the personal data is processed our purpose 2.2.1(a) (enforcement of terms and legal matters), we will store the personal data for the duration of the matter and then for another ten years after its closure.

2.8 GOOGLE FIREBASE

2.8.1 We have implemented Google’s Firebase App (the “Firebase App”) in the Covr App, and we are using the following features of the Firebase App Analytics and crash reporting. We do not use the following features: Auth, Database, Storage, hosting, test labs, notifications, remote config, dynamic links or adMob.

2.8.2 For the purposes of analytics, analysing how the users use the Covr App and providing the users with a better user experience, the said features of the Firebase App collects and processes the following information: active users, user engagement, retention, app version, device type, general location, gender by age group.

2.8.3 You may opt-out from the processing carried out by the Firebase App in your user settings. This is the same thing as opting out from the processing based on our legitimate interests described above, in sections 2.3.4 and 2.3.5.

2.9 YOUR PRIVACY RIGHTS

2.9.1 You have the right to request access and further information concerning the processing of your personal data. You have the right to obtain a copy of the personal data that we process relating to you free of charge once (1) every calendar year. For any additional copies requested by you, we may charge a reasonable fee based on administrative costs.

2.9.2 You have the right to data portability, whereby if applicable you have the right to receive your personal data processed by us in a structured, commonly used and machine-readable format. You have the right to transfer such data to another data controller and we shall not hinder you in such transfers in order to avoid a “lock-in”.

2.9.3 You may request the rectification of inaccurate personal data concerning you and you have the right to have incomplete personal data completed. You may request, if applicable, the deletion of your personal data that we process. You have the right to request restriction of the processing of your personal data, if applicable.

2.9.4 You also have the right to withdraw your prior given consent by emailing dataprotection@covrsecurity.com. The withdrawal of your consent does not affect the lawfulness of the processing based on the consent before its withdrawal, and we may continue processing your personal data based on other legal grounds, except for direct marketing.

2.10 NOTICE OF CHANGES

If we make changes to this Privacy Policy we will notify you by publication here https://www.covrsecurity.com/covr-app-privacy-policy/. If the changes are material, we will provide you additional, prominent notice as appropriate under the circumstances and, where required under applicable law, ask for your consent.

2.11 SCOPE OF CONTROL

You should be aware that when you are using the Covr App you may be directed to other sites where the collection and processing of personal data is outside of our control. Please be advised that the privacy policy of the new site will govern the collection and processing of your personal data on that site and that we have no responsibility or liability thereto.

2.12 CHANGE OF CONTROL

If the ownership of our business changes, we may transfer your personal data to the new owners so they can continue providing the Covr App. The new owners will be obliged to comply with the commitments of this Privacy Policy.

2.13 CONTACT INFORMATION AND RIGHT TO LODGE COMPLAINT

2.13.1 To exercise the aforementioned rights, or if you have any questions about our sharing practices, your rights under EU law, or wish to have your personal information removed, please contact us at the following address:

Covr Security AB

dataprotection@covrsecurity.com Nordenskiöldsgatan 24 Malmö , Sweden

2.13.2 In order to ensure that you receive a swift response, please state in your email/letter your full name, address, mobile number associated with Covr. We will respond to your request within a month unless the request is complex in which case we might extend the period with up to an additional two months.

2.13.3 If you have any complaints regarding our processing of your Personal Data, you may file a complaint to the competent data protection authority. You can find out more about the local data protection authorities under the following link http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm