The sole reason we exist is to improve security, so it goes without saying that protecting your personal data is a top priority. At Push, we have a few fundamental principles:
- We do not sell our users’ data. We aren’t a data broker, we don’t sell your personal information to data brokers, and we don’t sell your information to other companies that want to spam you with marketing emails. We are not ad-funded, don’t show ads in any of our Services, and never will.
- We are thoughtful about the personal information we ask you to provide and the personal information that we collect about you throughout the operation of our services.
- We store personal information for only as long as we have reason to keep it.
- We make considerable efforts to secure your personal information; we practice what we preach throughout our service.
- We have no interest in making money by selling or sharing your personal information with anyone else.
- We aim for full transparency on how we gather, use, and share your personal information.
Below is our Privacy Policy, which incorporates and clarifies these principles.
What is Push, and what this policy covers
Push Security Ltd (Push) is a SaaS platform that is simplifying and automating cyber security to make securing organizations quicker and easier.
We free security teams up to get more done with less by enlisting the help of every employee at our customers' company via ChatOps. As part of this, we help educate our industry and raise awareness of cyber security risks, and we do this via our pushsecurity.com website, blog, email communications, and application integrations with other SaaS providers including Google, Microsoft, and Slack. Throughout this Privacy Policy we will refer to all of these collectively as “Services”.
Depending on the context of personal information you provide, we may be the data controller or data processor of your personal information under this policy. We are a processor of Client Data - personal information submitted to the Services or collected through the Services on behalf of or at the direction of customers.
Below we explain how we collect, use, and share information about you, along with the choices that you have with respect to that information.
Push as the data controller
For any personal data we collect about users that directly access or have registered accounts to use our Services, we operate as the data controller - as we make important decisions around exactly which data to collect, how it is used, and we have direct relationships with those users.
When we engage third-party service providers in our capacity as a data controller, we call these third-party service providers sub-processors. Sub-processors are service providers who have or potentially will have access to or process personal data on our behalf. Here is a list of all our sub-processors for data where we are the controller.
This section covers all data we collect as the data controller; please see Push as the data processor for information on data we process on behalf of users (in other words all your data in our product).
Information we collect
Information you provide to us
It’s probably no surprise that we collect information that you provide to us directly. Here are some examples:
- Basic account information: We ask for basic information from you in order to set up your account. For example, we require individuals who sign up for an account to provide an email address and password, along with a username or name — and that’s it.
- Credentials: Depending on the Services you use, you may provide us with credentials for your SaaS platforms - for example, access tokens used by integrations.
- Communications with us: You may also provide us with information when you respond to surveys, communicate with us about a support question, or sign up for a newsletter. When you communicate with us via form, email, phone, or otherwise, we store a copy of our communications (including any call recordings as permitted by applicable law).
Information we collect automatically
We also collect some information automatically:
- Log information: Like most online service providers, we collect information that web browsers, mobile devices, and servers typically make available, including the browser type, IP address, unique device identifiers, language preference, referring site, the date and time of access, operating system, and mobile network information.
- Usage information: We collect information about your usage of our Services. For example, we collect information about the actions that users perform on our site — in other words, who did what and when. We also collect information about what happens when you use our Services (e.g. page views, support document searches). We use this information to, for example, provide our Services to you and get insights on how people use our Services so we can make our Services better.
- Location information: We may determine the approximate location of your device from your IP address. We collect and use this information to, for example, calculate how many people visit our Services from certain geographic regions.
- Information from cookies & other technologies: A cookie is a string of information that a website stores on a visitor’s computer, and that the visitor’s browser provides to the website each time the visitor returns. Pixel tags (also called web beacons) are small blocks of code placed on websites and emails. We use cookies and other technologies like pixel tags to help us identify and track visitors, usage, and access preferences for our Services, as well as track and understand email campaign usefulness. For more information about our use of cookies and other technologies for tracking, including how you can control the use of cookies, please see our Cookie Policy.
We may also get information about you from other sources. For example, if you create or log in to your account through an OIDC login (like Google or Microsoft) we’ll receive information from that service (your username and basic profile information) via the authorization procedures for that service. As another example, if you use the chat feature on our website, our CRM system may provide us additional contextual information such as the company you might be connecting from based on your IP address. We may also collect information from advertising platforms so that we can measure which advertising activities are effective at reaching our customers.
How and why we use information
Purposes for using information
We use information about you for the purposes listed below:
- To provide our Services. For example, to set up and maintain your account, provide you with relevant guidance, and provide customer service.
- To ensure quality, maintain safety, and improve our Services. For example, by monitoring and analyzing how users interact with our Services so we can create new features that we think our users will enjoy or make our Services easier to use. We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to enhance security outcomes. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.
- To market our Services and measure, gauge, and improve the effectiveness of our marketing. For example, by targeting our marketing messages to groups of our users (like those who have a particular plan with us or have been users for a certain length of time), advertising our Services, analyzing the results of our marketing campaigns, and understanding and forecasting user retention.
- To protect our Services, our users, and the public. For example, by detecting security incidents; detecting and protecting against malicious, deceptive, fraudulent, or illegal activity; complying with our legal obligations; and protecting the rights and property of Push and others, which may result in us, for example, declining a transaction or terminating Services.
- To fix problems with our Services. For example, by monitoring, debugging, repairing, and preventing issues.
- To customize the user experience. For example, to personalize your experience by recommending new security features, or knowledge base articles that we think would be of value to you and your team.
- To communicate with you. For example, by emailing you to ask for your feedback, share tips for getting the most out of our products, or keep you up to date on Push. If you don’t want to hear from us, you can opt out of marketing communications at any time. (If you opt out, we’ll still send you important updates relating to your account.)
Legal basis for collecting and using information
A note here for those in the UK or European Union about our legal grounds for processing information about you under UK and EU data protection laws, which is that our use of your information is based on the grounds that:
- The use is necessary in order to fulfil our commitments to you under the applicable terms of service or other agreements with you or is necessary to administer your account — for example, in order to enable access to our website on your device or charge you for a paid plan; or
- The use is necessary for compliance with a legal obligation; or
- The use is necessary in order to protect your vital interests or those of another person; or
- We have a legitimate interest in using your information — for example, to provide and update our Services; to improve our Services so that we can offer you an even better user experience; to safeguard our Services; to communicate with you; to measure, gauge, and improve the effectiveness of our advertising; and to understand our user retention and attrition; to monitor and prevent any problems with our Services; and to personalize your experience; or
- You have given us your consent — for example before we place certain cookies on your device and access and analyze them later on, as described in our Cookie Policy.
How we share information
We share information about you in limited circumstances, and with appropriate safeguards on your privacy. These are spelt out below:
- Third-party vendors: We may share information about you with third-party vendors who need the information in order to provide their services to us, or to provide their services to you or your site. This includes vendors that help us provide our Services to you (cloud compute and storage services that provide the infrastructure our Services are built on, email delivery services that help us stay in touch with you, customer chat and email support services that help us communicate with you); those that assist us with our marketing efforts (e.g., by providing tools for identifying a specific marketing target group or improving our marketing campaigns, and by placing ads to market our services); those that help us understand and enhance our Services (like analytics providers); and those that make tools to help us run our operations (like programs that help us with task management, word processing, email and other communications, and collaboration among our teams);
- Legal and regulatory requirements: We may disclose information about you in response to a subpoena, court order, or other governmental requests.
- Business transfers: In connection with any merger, sale of company assets, or acquisition of all or a portion of our business by another company, or in the unlikely event that Push goes out of business or enters bankruptcy, user information would likely be one of the assets that is transferred or acquired by a third party. If any of these events were to happen, this Privacy Policy would continue to apply to your information and the party receiving your information may continue to use your information, but only consistent with this Privacy Policy.
- With your consent: We may share and disclose information with your consent or at your direction.
- Aggregated or de-identified information: We may share information that has been aggregated or de-identified, so that it can no longer reasonably be used to identify you. For instance, we may publish aggregate statistics about the use of our Services.
- Links to third-party websites: This website may include links to third-party websites. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.
How long we keep information
To reduce our own risk and yours we generally discard information about you when it’s no longer needed for the purposes for which we collect and use it — described in the section above on How and why we use information — and we’re not legally required to keep it.
For example, we keep web server logs that record information about a visitor to our website, like the visitor’s IP address, browser type, and operating system, for no more than 90 days. We retain the logs for this period of time in order to investigate issues if something goes wrong on one of our websites, or there is a security incident.
Where possible we delete data immediately. For example, when you delete an integration we immediately delete the associated security tokens. However, in some cases the deleted content may remain on our backups and caches until the next scheduled purge process completes.
Children's personal information
As our services are designed to be used by businesses, they are not intended for children under 16 years old. We do not knowingly collect personal information from children and if you believe we might have any information from or about a child under 16 years old, please get in touch as described in How to reach us.
Choices
You have several choices available when it comes to information about you:
- Limit the information that you provide: If you have an account with us, you can choose not to provide the optional account information or profile information.
- Opt out of marketing communications: You may opt out of receiving promotional communications from us. Just follow the instructions in those communications or let us know. If you opt out of promotional communications, we may still send you other communications, like those about your account and legal notices.
- Don’t opt in to cookies: When you first access our website we show a cookie opt in banner at the bottom of the page. If you respond “No thanks”, we will not set any cookies, except for an opt out cookie to remember your decision.
- Set your browser to reject cookies: At this time, Push does not respond to “do not track” signals across all of our Services. However, you can usually choose to set your browser to remove or reject browser cookies before using our websites, with the drawback that certain features of our websites may not function properly without the aid of cookies.
- Close your account: While we’d be very sad to see you go, you can close your account if you no longer want to use our Services. Please keep in mind that we may continue to retain some of your information after closing your account, as described in How long we keep information above — for example, when that information is reasonably needed to comply with (or demonstrate our compliance with) legal obligations such as law enforcement requests, or reasonably needed for our legitimate business interests.
Your rights
If you are located in certain parts of the world, including the UK and countries that fall under the scope of the European General Data Protection Regulation (aka the “GDPR”), you may have certain rights regarding your personal information, like the right to request access to or deletion of your data.
General Data Protection Regulation (GDPR)
If you are located in a country that falls under the scope of the GDPR, data protection laws give you certain rights with respect to your personal data, subject to any exemptions provided by the law, including the rights to:
- Request access to your personal data;
- Request correction or deletion of your personal data;
- Object to our use and processing of your personal data;
- Request that we limit our use and processing of your personal data; and
- Request portability of your personal data.
You also have the right to make a complaint to a government supervisory authority.
Push is GDPR compliant and all data is hosted in the EU. For a copy of our DPA please email privacy@pushsecurity.com.
Contacting us about these rights
You can usually access, correct, or delete your personal data using your account settings and tools that we offer, but if you aren’t able to or you’d like to contact us about one of the other rights, scroll down to How to reach us to, well, find out how to reach us.
When you contact us about one of your rights under this section, we’ll need to verify that you are the right person before we disclose or delete anything. For example, if you are a user, we will need you to contact us from the email address associated with your account. You can also designate an authorized agent to make a request on your behalf by giving us written authorization. We may still require you to verify your identity with us.
Push as the data processor
When you create integrations with your SaaS platforms for the purposes of granting our Services access to extract and process your data, Push processes that data on your behalf as the data processor. We refer to this data we process for you as Customer Data, and this is governed by our terms of service.
We do our best to ensure you are able to make informed decisions about the Customer Data our Services process by striving to be as transparent as is practical. As part of this we will show you details of the authorisation we require as well as a sample of the raw data we extract each time you grant us new (or extend) access to your systems.
When we engage third party service providers in our capacity as a data processor for Customer Data, the General Data Protection Regulation (“GDPR”) calls these third-party service providers sub-processors. Sub-processors are service providers who have or potentially will have access to or process personal data that we process for, and on behalf of, our customers. Here is a list of all our sub-processors.
Security
While we are all too aware that no online service is completely secure, we think deeply about the risks involved, and given our background and the nature of our service - we are extremely passionate (not to mention incredibly well incentivised!) to provide a very high level of security.
We work very hard to protect information about you against unauthorized access, use, alteration, or destruction, and take all practical measures to do so. We design with security in mind from day 1, and monitor our Services for potential vulnerabilities and attacks at all stages - from code development, through build and deployment, to day-to-day operations.
To enhance the security of your account, we encourage you to enable security settings, like Multi-Factor Authentication.
How to reach us
If you have a question about this Privacy Policy, or you would like to contact us about any of the rights mentioned in the Your rights section above, please contact us through our web form or via email (privacy@pushsecurity.com).
Privacy policy changes
Although most changes are likely to be minor, we may change our Privacy Policy from time to time. We encourage visitors to frequently check this page for any changes to the Privacy Policy. If we make changes, we will notify you by revising the change log below, and, in some cases, we may provide additional notice (like adding a statement to our homepage, or sending you a notification through email or your dashboard). Your further use of the Services after a change to our Privacy Policy will be subject to the updated policy.
Change log
Date | Version | Change summary |
---|---|---|
Feb 1 2021 | 1.0 | Initial version |
Feb 28 2022 | 1.1 | Reviewed to ensure relevancy. Minor wording without any fundamental changes. |
Aug 1 2022 | 1.2 | Information added regarding GDPR compliance, links to third-party websites and the use of aggregated data. |
March 10 2023 | 1.3 | Updated language and links to sub-processors. |