The legal bits
The sole reason we exist is to improve security, so it goes without saying that protecting your personal data is a top priority. At Push, we have a few fundamental principles:
- We do not sell our users’ data. We aren’t a data broker, we don’t sell your personal information to data brokers, and we don’t sell your information to other companies that want to spam you with marketing emails. We are not ad funded, don’t show ads in any of our Services, and never will.
- We are thoughtful about the personal information we ask you to provide and the personal information that we collect about you throughout the operation of our services.
- We store personal information for only as long as we have reason to keep it.
- We make considerable efforts to secure your personal information; we practice what we preach throughout our service.
- We have no interest in making money by selling or sharing your personal information with anyone else.
- We aim for full transparency on how we gather, use, and share your personal information.
What is Push, and what this policy covers
Push Security Ltd (Push) is a SaaS platform that is simplifying and automating cyber security to make securing organisations quicker and easier.
Depending on the context of personal information you provide, we may be the data controller or data processor of your personal information under this policy. We are a processor of Client Data - personal information submitted to the Services or collected through the Services on behalf of or at the direction of customers.
Below we explain how we collect, use, and share information about you, along with the choices that you have with respect to that information.
Push as the data controller
For any personal data we collect about users that directly access or have registered accounts to use our Services, we operate as the data controller - as we make important decisions around exactly which data to collect, how it is used, and we have direct relationships with those users.
This section covers all data we collect as the data controller; please see Push as the data processor for information on data we process on behalf of users.
Information we collect
We only collect information about you if we have a reason to do so - for example, to provide our Services, to communicate with you, or to make our Services better.
We collect this information from three sources: if and when you provide information to us, automatically through you operating our Services, and from outside sources. Let’s go over the information that we collect.
Information you provide to us
It’s probably no surprise that we collect information that you provide to us directly. Here are some examples:
- Basic account information: We ask for basic information from you in order to set up your account. For example, we require individuals who sign up for an account to provide an email address and password, along with a username or name — and that’s it.
- Credentials: Depending on the Services you use, you may provide us with credentials for your SaaS platforms - for example, access tokens used by integrations.
- Communications with us: You may also provide us with information when you respond to surveys, communicate with us about a support question, or sign up for a newsletter. When you communicate with us via form, email, phone, or otherwise, we store a copy of our communications (including any call recordings as permitted by applicable law).
We also collect some information automatically:
- Log information: Like most online service providers, we collect information that web browsers, mobile devices, and servers typically make available, including the browser type, IP address, unique device identifiers, language preference, referring site, the date and time of access, operating system, and mobile network information.
- Usage information: We collect information about your usage of our Services. For example, we collect information about the actions that users perform on our site — in other words, who did what and when. We also collect information about what happens when you use our Services (e.g. page views, support document searches). We use this information to, for example, provide our Services to you and get insights on how people use our Services so we can make our Services better.
- Location information: We may determine the approximate location of your device from your IP address. We collect and use this information to, for example, calculate how many people visit our Services from certain geographic regions.
We may also get information about you from other sources. For example, if you create or log in to your account through a social login (like Google or Microsoft) we’ll receive information from that service (your username and basic profile information) via the authorization procedures for that service. As another example, if you use the chat feature on our website, our CRM system may provide us additional contextual information such as the company you might be connecting from based on your IP address. The information we receive depends on which services you use or authorize and what options are available.
How and why we use information
Purposes for using information
We use information about you for the purposes listed below:
- To provide our Services. For example, to set up and maintain your account, provide you with relevant guidance, and provide customer service.
- To ensure quality, maintain safety, and improve our Services. For example, by monitoring and analyzing how users interact with our Services so we can create new features that we think our users will enjoy or make our Services easier to use.
- To market our Services and measure, gauge, and improve the effectiveness of our marketing. For example, by targeting our marketing messages to groups of our users (like those who have a particular plan with us or have been users for a certain length of time), advertising our Services, analyzing the results of our marketing campaigns, and understanding and forecasting user retention.
- To protect our Services, our users, and the public. For example, by detecting security incidents; detecting and protecting against malicious, deceptive, fraudulent, or illegal activity; complying with our legal obligations; and protecting the rights and property of Push and others, which may result in us, for example, declining a transaction or terminating Services.
- To fix problems with our Services. For example, by monitoring, debugging, repairing, and preventing issues.
- To customize the user experience. For example, to personalize your experience by recommending new security initiatives, or knowledge base articles that we think would be of value to you and your team.
- To communicate with you. For example, by emailing you to ask for your feedback, share tips for getting the most out of our products, or keep you up to date on Push. If you don’t want to hear from us, you can opt out of marketing communications at any time. (If you opt out, we’ll still send you important updates relating to your account.)
A note here for those in the UK or European Union about our legal grounds for processing information about you under UK and EU data protection laws, which is that our use of your information is based on the grounds that:
- The use is necessary in order to fulfill our commitments to you under the applicable terms of service or other agreements with you or is necessary to administer your account — for example, in order to enable access to our website on your device or charge you for a paid plan; or
- The use is necessary for compliance with a legal obligation; or
- The use is necessary in order to protect your vital interests or those of another person; or
- We have a legitimate interest in using your information — for example, to provide and update our Services; to improve our Services so that we can offer you an even better user experience; to safeguard our Services; to communicate with you; to measure, gauge, and improve the effectiveness of our advertising; and to understand our user retention and attrition; to monitor and prevent any problems with our Services; and to personalize your experience; or
How we share information
We share information about you in limited circumstances, and with appropriate safeguards on your privacy. These are spelled out below:
- Third-party vendors: We may share information about you with third-party vendors who need the information in order to provide their services to us, or to provide their services to you or your site. This includes vendors that help us provide our Services to you (cloud compute and storage services that provide the infrastructure our Services are built on, email delivery services that help us stay in touch with you, customer chat and email support services that help us communicate with you); those that assist us with our marketing efforts (e.g., by providing tools for identifying a specific marketing target group or improving our marketing campaigns, and by placing ads to market our services); those that help us understand and enhance our Services (like analytics providers); and those that make tools to help us run our operations (like programs that help us with task management, word processing, email and other communications, and collaboration among our teams).
- Legal and regulatory requirements: We may disclose information about you in response to a subpoena, court order, or other governmental request.
- With your consent: We may share and disclose information with your consent or at your direction.
- Aggregated or de-identified information: We may share information that has been aggregated or de-identified, so that it can no longer reasonably be used to identify you. For instance, we may publish aggregate statistics about the use of our Services.
How long we keep information
To reduce our own risk and yours, we generally discard information about you when it’s no longer needed for the purposes for which we collect and use it — described in the section above on How and why we use information — and we’re not legally required to keep it.
For example, we keep web server logs that record information about a visitor to our website, like the visitor’s IP address, browser type, and operating system, for no more than 90 days. We retain the logs for this period of time in order to investigate issues if something goes wrong on one of our websites, or there is a security incident.
Where possible we delete data immediately. For example, when you delete an integration we immediately delete the associated security tokens. However, in some cases the deleted content may remain on our backups and caches until the next scheduled purge process completes.
Children's personal information
As our services are designed to be used by businesses, they are not intended for children under 16 years old. We do not knowingly collect personal information from children. If you believe we might have any information from or about a child under 16 years old, please get in touch as described in How to reach us.
You have several choices available when it comes to information about you:
- Limit the information that you provide: If you have an account with us, you can choose not to provide the optional account information or profile information.
- Opt out of marketing communications: You may opt out of receiving promotional communications from us. Just follow the instructions in those communications or let us know. If you opt out of promotional communications, we may still send you other communications, like those about your account and legal notices.
- Don’t opt in to cookies: When you first access our website we show a cookie opt in banner at the bottom of the page. If you respond “No thanks”, we will not set any cookies, except for an opt out cookie to remember your decision.
- Set your browser to reject cookies: At this time, Push does not respond to “do not track” signals across all of our Services. However, you can usually choose to set your browser to remove or reject browser cookies before using our websites, with the drawback that certain features of our websites may not function properly without the aid of cookies.
- Close your account: While we’d be very sad to see you go, you can close your account if you no longer want to use our Services. Please keep in mind that we may continue to retain some of your information after closing your account, as described in How long we keep information above — for example, when that information is reasonably needed to comply with (or demonstrate our compliance with) legal obligations such as law enforcement requests, or reasonably needed for our legitimate business interests.
If you are located in certain parts of the world, including the UK and countries that fall under the scope of the European General Data Protection Regulation (aka the “GDPR”), you may have certain rights regarding your personal information, like the right to request access to or deletion of your data.
General Data Protection Regulation (GDPR)
If you are located in a country that falls under the scope of the GDPR, data protection laws give you certain rights with respect to your personal data, subject to any exemptions provided by the law, including the rights to:
- Request access to your personal data;
- Request correction or deletion of your personal data;
- Object to our use and processing of your personal data;
- Request that we limit our use and processing of your personal data; and
- Request portability of your personal data.
You also have the right to make a complaint to a government supervisory authority.
Contacting us about these rights
You can usually access, correct, or delete your personal data using your account settings and tools that we offer, but if you aren’t able to or you’d like to contact us about one of the other rights, scroll down to How to reach us to, well, find out how to reach us.
When you contact us about one of your rights under this section, we’ll need to verify that you are the right person before we disclose or delete anything. For example, if you are a user, we will need you to contact us from the email address associated with your account. You can also designate an authorized agent to make a request on your behalf by giving us written authorization. We may still require you to verify your identity with us.
Push as the data processor
When you create integrations with your SaaS platforms for the purposes of granting our Services access to extract and process your data, Push processes that data on your behalf as the data processor. We refer to this data we process for you as Customer Data.
For many of the use-cases or initiatives that we support, Customer Data will contain personal data about members of your organisation. You remain in control of which data to collect, how it should be processed, and when it should be deleted by choosing which integrations to authorise (or delete).
We do our best to ensure you are able to make informed decisions about the Customer Data our Services process by striving to be as transparent as is practical. As part of this we will show you details of the authorisation we require as well as a sample of the raw data we extract each time you grant us new (or extend) access to your systems.
While we are all too aware that no online service is completely secure, we think deeply about the risks involved, and given our background and the nature of our service - we are extremely passionate (not to mention incredibly well incentivised!) to provide a very high level of security.
We work very hard to protect information about you against unauthorized access, use, alteration, or destruction, and take all practical measures to do so. We design with security in mind from day 1, and monitor our Services for potential vulnerabilities and attacks at all stages - from code development, through build and deployment, to day-to-day operations.
To enhance the security of your account, we encourage you to enable security settings, like Multi-Factor Authentication.
How to reach us
| Feb 1 2021 | 1.0 | Initial version |