The Covr Security app (the “Covr App”) is provided by Covr Security AB, company registration number (org. no. 556999-2638) having its registered address at Nordenskiöldsgatan 24, 211 19 Malmö, Sweden (“we” or “us”). Our contact details are set out below in section 2.13.
Your privacy is important to us. Under the applicable personal data protection legislation and regulations such as Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (GDPR), as well as any other local laws and legislation applicable in any relevant territory, we are processing personal data as data processor and also as data controller for which we decide the purposes and the means of processing (please see below). With “personal data” we mean information which is directly or indirectly referable to a natural living person, e.g. name and address but also possibly location data or IP addresses. We may collect the information set out below, which include your personal data.
The Covr App is provided by us to you as an end user and the Covr App is also provided to our partners as a service, by means of which you are able to safely identify yourself with our partners (for instance banks, retail sellers, cloud service providers, gaming companies etc.) that are using the Covr App’s services (the “Partners”). This means that our Partners are the data controllers for certain types of data and we are carrying out the processing activities on their behalf according to their instructions when providing them with the services of the Covr App. We also process certain personal data for our own purposes for which we are acting as data controllers.
1. Processing of personal data on behalf of our partners
1.1 We process the following types of data as data processor on behalf of our Partners in order to provide the services of the Covr App:
(a) A Digital Identity is created by Covr on the mobile device. This digital identity is a public key pair, and the user (you) has sole control of the private key. The public key is shared by you to other parties for identification purposes.
(b) Local operating system biometrics or a user created PIN code are used in combination with a hardware key to decrypt sensitive data that is stored on the device. Please note that we do not process any biometric data, as this information is used only locally on your device.
(c) Service provider connections, use the Public Key.
(d) Messages/Authorizations are stored on the users device and sent from to the service provider connection. The encrypted message/authorization passes through our systems.
1.2 Regarding the above types of data, our Partners are the data controllers, which means that they decide on the means and purposes of the processing. You should consult their privacy policies concerning the processing of your personal data via the Covr App in order to obtain information with respect to such as the purposes of the processing, your rights regarding the processing, the contact person to whom you might address questions or complaints etc.
1.3 The purposes of the processing of the personal data enlisted in section 1.1 is decided by the Partner implementing the Covr App in its operations. The processing always serves the purpose of safe online identification by means of providing the Covr App.
1.4 The provision of the Covr App entails the processing of your above enlisted personal data for our the purposes of enabling and providing the Covr App, which includes sending you alerts or messages concerning the Covr App via push notifications in your device; and ensuring the technical functioning of the Covr App.
1.5 The types of data enlisted above in section 1.1 are only shared by us with relevant Partners in order to provide the service of the Covr App.
2. Processing of personal DATA for our own purposes
2.1 TYPES OF DATA
2.1.1 We collect and process the following categories of personal data for our own purposes as data controller:
(a) the Digital Identity, as described in section 1.1 (a) above.
2.1.2 Please note that we are unable to provide the Covr App unless you provide the above stated personal data, which is a contractual requirement.
2.2 PURPOSES OF PROCESSING
2.2.1 We will process the Personal Data set out above for the following purposes:
(a) to analyse engagement, custom event triggers, funnels on usage and crash reporting;
(b) to improve and develop the Covr App or new services and products and to analyze your use of the Covr App. See section 2.8 below regarding Firebase for more information;
(e) fulfilling requirements by law (we are a Swedish company, subject to Swedish laws).
2.3 LEGAL GROUNDS OF PROCESSING
2.3.1 We will process your personal data based on your consent, for purposes (b), (c), (d), and (e).
2.3.2 By clicking “Continue” in the set-up flow and thereby creating a user account with the Covr App, you consent to the processing of your personal data.
2.3.3 You may at any time withdraw your consent. If you revoke your consent it will not affect the lawfulness of our processing based on your consent before its withdrawal.
2.3.4 For purpose (a), we process your personal data based on our legitimate interests of maintaining the correct functioning of the Covr App, and of analysing the use of it in order to develop and improve it. More information about this purpose and the processing of personal data it entails can be found in section 2.8, below.
2.3.5 You can opt out of the processing for purpose (a) in your user settings. cease to process your personal data for such purposes.
2.4 DISCLOSURE OF PERSONAL DATA
2.4.1 We may share and disclose your personal data, enabling us to fulfil the above purposes, to the following service providers:
(a) to our outsourced development team (located in Lithuania);
(b) to our cloud service hosting provider (servers located globally for redundancy and latency purposes); and
(c) to Google, as we use Firebase, which is further described in section 2.8 below.
2.4.2 For recipients that are located outside of the EU/EEA in countries that the European Commission has not deemed to have an adequate level of protection for personal data, such as the cloud service hosting provider, we are applying safeguards in accordance with the GDPR to ensure the safety of personal data that is transferred. You can contact us using the contact details set out below in section 2.13 to obtain more information of this and a copy of the safeguards.
2.5 RESPONDING TO LEGAL REQUESTS AND PREVENTING HARM
2.5.1 We may access, preserve and share your information in response to a legal request (like a search warrant, court order or a subpoena or the like), or when necessary to detect, prevent and address fraud and other illegal activity, to protect ourselves, you and other users, including as part of investigations, if we have a good faith belief that the applicable law require us to do so or where we have an interest in protecting ourselves.
The Covr App is not directed to persons under the age of 16. We do not knowingly collect personal data from persons under the age of 16 (the “Age Limit”). If you are a parent or guardian of a child under the Age Limit and you become aware of that your child has provided personal information to the Covr App without your consent, please contact firstname.lastname@example.org to exercise of your applicable access, rectification, cancellation, and/or objection rights.
2.7 RETENTION PERIOD
2.7.2 If the personal data is processed for the purpose of complying with laws, the personal data will not be processed for a longer period of time than what is necessary in order to comply with the particular legal requirement (such as for instance, the Swedish code of judicial procedure in relation to court orders and the like, and the GDPR when handling data subject requests).
2.7.3 If the personal data is processed our purpose 2.2.1(a) (enforcement of terms and legal matters), we will store the personal data for the duration of the matter and then for another ten years after its closure.
2.8 GOOGLE FIREBASE
2.8.1 We have implemented Google’s Firebase App (the “Firebase App”) in the Covr App, and we are using the following features of the Firebase App Analytics and crash reporting. We do not use the following features: Auth, Database, Storage, hosting, test labs, notifications, remote config, dynamic links or adMob.
2.8.2 For the purposes of analytics, analysing how the users use the Covr App and providing the users with a better user experience, the said features of the Firebase App collects and processes the following information: active users, user engagement, retention, app version, device type, general location, gender by age group.
2.8.3 You may opt-out from the processing carried out by the Firebase App in your user settings. This is the same thing as opting out from the processing based on our legitimate interests described above, in sections 2.3.4 and 2.3.5.
2.9 YOUR PRIVACY RIGHTS
2.9.1 You have the right to request access and further information concerning the processing of your personal data. You have the right to obtain a copy of the personal data that we process relating to you free of charge once (1) every calendar year. For any additional copies requested by you, we may charge a reasonable fee based on administrative costs.
2.9.2 You have the right to data portability, whereby if applicable you have the right to receive your personal data processed by us in a structured, commonly used and machine-readable format. You have the right to transfer such data to another data controller and we shall not hinder you in such transfers in order to avoid a “lock-in”.
2.9.3 You may request the rectification of inaccurate personal data concerning you and you have the right to have incomplete personal data completed. You may request, if applicable, the deletion of your personal data that we process. You have the right to request restriction of the processing of your personal data, if applicable.
2.9.4 You also have the right to withdraw your prior given consent by emailing email@example.com. The withdrawal of your consent does not affect the lawfulness of the processing based on the consent before its withdrawal, and we may continue processing your personal data based on other legal grounds, except for direct marketing.
2.10 NOTICE OF CHANGES
2.11 SCOPE OF CONTROL
2.12 CHANGE OF CONTROL
2.13 CONTACT INFORMATION AND RIGHT TO LODGE COMPLAINT
2.13.1 To exercise the aforementioned rights, or if you have any questions about our sharing practices, your rights under EU law, or wish to have your personal information removed, please contact us at the following address:
Covr Security AB
firstname.lastname@example.org Nordenskiöldsgatan 24 Malmö , Sweden
2.13.2 In order to ensure that you receive a swift response, please state in your email/letter your full name, address, mobile number associated with Covr. We will respond to your request within a month unless the request is complex in which case we might extend the period with up to an additional two months.
2.13.3 If you have any complaints regarding our processing of your Personal Data, you may file a complaint to the competent data protection authority. You can find out more about the local data protection authorities under the following link http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm