If you are not sure what this is about, please consult with the EU portal for data protection reform.
The TL;DR version
We collect some personal information to issue invoices (as required by law - if it was up to us we would only ask for an email and a pseudonym to call you something by) or to respond to your contact, pre-sales and support requests. This data and its backups are kept on servers located in the European Union. We only give access to that data to our auditors or when we are otherwise legally required to do so. On top of invoicing, your purchase history is used to give automatic renewal or product bundling discounts. We don't use your personal data for marketing or advertisements. We don't sell, rent or give access to your data to any other company.
If you decide you don't want us to have your information, no problem. Just send us an email or use the contact form to tell us. We will ask for some proof of identification and we'll remove the data we are not legally required to retain. Everything else will be anonymized. If you want us to keep all your info but keep it out of sight and not use it for any kind of processing (e.g. for stats), sure, drop us a line. If you want a raw copy, yeah, we can do that too. If you think we screwed up you can contact your local Data Protection Authority if you are an EU citizen.
Personal data collected, its purpose and its retention period
Securitycheck Extensions collects personal data from you which falls into two different categories: legally required and optional. Each one has a different purpose and different retention rules.
Please note that Securitycheck Extensions does NOT use your personal data for marketing purposes.
Legally required personal data (invoicing data)
This is the data we are required to collect by law in order to issue invoices whenever you make any purchase with us. The data collected is stipulated by the invoicing regulations of Spain which implement the invoicing guidelines of the European Union.
The personal data in this category consists of your full legal name, your physical address and your email address. If you are purchasing on behalf of a company this also includes the company name, business activity and VAT number (where applicable).
This data is handled by Securitycheck Extensions and its designated staff for invoicing purposes. Your personal data is not sold, rented or otherwise made known to other third parties except if and when required by law. Since your personal data is used for invoicing, we are required by law to keep a copy of it for at least 10 years.
On top of that, we may use your full name and your email address to contact you regarding matters of your account with us such as but not limited to notifications for subscription activation, expiration or cancellation; imminent expiration of your subscription; one time, post-expiration offer to resubscribe; notifications for a support ticket created, replied to or closed; username reminder emails; password reset emails; important information about suspected fraud or other issues which cannot be addressed automatically; replies to contact requests you have filed on our site.
While you may request that we remove your data, we are legally required to keep it for at least 10 years since your last transaction with us. Therefore your request may not result in any action. Please consult this EU page.
We kindly remind you that even though we cannot erase your personal data for legal reasons, you have the right to ask us to restrict processing of your personal data. Please refer to this EU page.
Optional personal data
When you request that we contact you by filling out our contact form, email us directly, or use the forum, we will inadvertently collect personal data from you. This data is only used to reply to you in the context of the support request.
This data is kept for an indefinite period of time for legal reasons (statute of limitations can vary widely). This data is, however, not processed in any way therefore fulfilling a fundamental requirement for the handling of personal data.
You can request the removal of that data at any point. With regards to contact forms there is nothing to remove from public access or processing, therefore there is nothing really for us to do. With regards to tickets, a request for removal will result in two actions:
- If there are any access details to third party systems (such as your server, Amazon S3, ...) we will permanently remove them from our system, replacing them with a placeholder text such as "Removed per user's request".
- Your ticket will be immediately unpublished, making it unavailable to everyone including you. A copy of the data will be kept in our database with its 'published' flag set to 0. This means that we have to refrain from processing it in any way. It's as though this data doesn't exist. We will only use this data if it's required for legal reasons e.g. if we get a court order for that data.
We kindly remind you that even though we cannot erase your personal data for legal reasons, you have the right to ask us to restrict processing of your personal data. Please refer to this EU page.
Location of your data
Your data does NOT leave the European Union. It is stored on servers located in the European Union at all times (currently: The Netherlands). Backups of that data are also stored on the same server.
Automated decision making
Your purchase history may determine automatic discounts being applied to your purchase. For example, if you purchase a subscription while already having the same subscription active ("renewal before expiration") we apply an automatic discount. You can opt out of this by contacting us, but be advised that this has the effect of immediately removing all your personal information and losing you any existing subscription time without a refund.
The country you have selected, whether you are registering as a business and your VAT number (if applicable) are used to automatically determine the Value Added Tax (VAT) amount we are legally obliged to charge you or, in case of reverse charge, print the reverse charge information on the invoice. This is a legal requirement and you cannot opt out of it.
Selling, renting or otherwise sharing your personal data
We do not sell, rent or otherwise share your personal data except where required by law (for example: we are required to have our accounts audited every year by an external company, meaning they do get access to your personal data in the strictest confidence).
Your rights with regards to the personal data
You have the right to retrieve a copy of your personal data in machine readable format. This consists of a dump of the database records pertaining to your user account.
You have the right to transfer your data. However, since we are the sole distributor of our software this request would be invalid as the only possible recipient is ourselves. Probably you meant to look for a copy of your personal data per the previous paragraph.
You have the right to request the removal of your data ("right to be forgotten"). As explained, legal requirements restrict our ability to comply with this request. Please refer to this EU page. Also refer to the "Actions taken upon a request to be forgotten is accepted" section about what will actually happen while we comply with your request.
You have the right to request a restriction from processing your data. When you do, your information will be marked in such a way that it will no longer be used by us for processing or other kind of access unless there's a legal necessity.
You have the right to withdraw your consent to our use of your personal information at any time. Kindly note that this results in the immediate application of the "Right to be forgotten" process on your user account.
In case of a dispute you have the right to contact your local Data Protection Authority. Please refer to the EU list for Member State's DPAs for further information.
How to exercise your rights
All requests must be submitted through the Contact Us form on our site. If this is not possible, you may send us an email at the address nicholas at akeeba dot com. We will respond to you in a reasonable period of time after reviewing your request, typically one to two weeks.
Honoring your request regarding personal data requires verification of your identity and of your EU citizenship status. We will ask you for a scanned copy of your passport or identity card (as long as it states your full legal name in English). If the user account was opened on behalf of a business we will need proof of ownership or controlling stake in that business and that the business is registered in an EU member state. Please note that if you are not an EU citizen (or the business is not registered in the EU, where applicable) your request will be declined. Likewise, if you fail to provide identification, or the identification does not match the information we have on file for you, we will decline your request. The email exchange regarding identification, including the copy of your identification document(s), will be retained indefinitely for legal reasons.
We will not process any requests coming through regular post, support tickets, pre-sales requests, phone calls, social media, instant messages, in person or any other means of communication whatsoever. Actions regarding the personal data protection have privacy and legal implications, therefore we need a solid audit trail to protect both you and us from potential errors, malice or abuse.
You will not be charged any additional fee for exercising your legal rights to your personal data _as long as you only request an electronic reply sent to you by email or other electronic transmission method which does not incur fees to the sender_. If you request to be contacted or be sent data in a format which incurs fees to the sender -such as but not limited to sending hard-copy to your postal address- we reserve the right to ask for reimbursement of the associated expenses at market prices.
Kindly be informed that in order to prevent abuse we will not allow users to request a copy of their personal data or make other enquiries regarding the personal data protection too frequently. We reserve the right to decline too frequent requests from users with regards to their personal data on the grounds of attempting to disrupt our Company's operation by abusing their rights.
Actions taken upon a request to be forgotten is accepted
When you request to exercise your right to be forgotten (removal of personal information) or withdraw your consent we will first assess your request. Upon receiving satisfactory proof of identity per the previous section and establishing that you are certain about the irrevocable nature of the consequences of your request the following actions will take place (their associated consequences are also listed):
- If you are a subscriber, your subscriptions will be terminated immediately, without refund.
Consequence: if you have any remaining subscription time left it will be forever lost. You will not receive a refund. You will not be granted an extension if you decide to resubscribe. You will no longer be eligible for any renewal or welcoming back discount. Requests to grant a discount for being a long time client will be declined since you have now become a non-client, your previous purchase history being irretrievable to us per your request.
- All your forum entries will be unpublished. We do keep the ticket text indefinitely for legal reasons (statute of limitations may vary a lot). We will NOT process it in any way except when required for legal reasons.
Consequence: you will forever lose access to your forum entries.
- Your user account will be locked so that nobody can log into it or take it over, also marking it as inaccessible for any processing.
Consequence: Should you change your mind in the future you will not be able to use the same username again.
- Your email address will be changed to a fake / inert address to prevent any accidental emails in case of human error or programming mistake (bug) in our system. Moreover, the name associated with the user will change to an anonymized value such as "User 12345".
Consequence: if you contact us again we will not be able to comply with your data protection requests as there is no way to easily verify your identity (your data has been anonymized).
Exemptions to personal data protection
Personal data protection provisions are only legally binding for citizens of Member States of the European Union. However, to the extent possible and with respect to local laws and regulations we apply these protections to all of our clients, irrespective of where they come from.
Kindly note that any data you provide yourself to third parties during the use of our software -such as credit card and personal information submitted to 2Checkout and PayPal- is NOT covered by these protections. In the previous example, this data is covered by the Terms of Service of the respective payments processing company.
We'd like to clarify that credit card or other payment data is handled by the payments processing companies directly; we don't touch or store that data; you provide that data to these companies who are solely responsible for its protection.