Our Data Security and Data Integrity Promise
If you are using Deflect, we know that privacy and security are of the highest importance to you. We take all reasonable steps to protect your personal information from loss, misuse and improper access, disclosure, alteration and destruction. This Deflect Privacy Notice (the “Notice”) explains the practices of eQualitie inc. (“eQualit.ie”, “we”, “our” or “us”) regarding our collection, use, and disclosure of personal information in the course of providing our Deflect service (“Deflect” or the “Service”) as well as your rights with respect to these practices.
1. Purpose, Basis and Collected Information
Purpose. We collect, use and disclose personal information for the purpose of providing and improving the Deflect Service. We do this only in a way that is compatible with this purpose.
Basis. The basis for our collection, use and disclosure of personal information is that this is necessary:
- for the purposes of our (and our Subscribers’) legitimate interests in ensuring network and information security.
Personal Information Collected. For each Deflect subscriber (“Subscriber”), we may specifically collect:
- the email address they provide;
- the domain name of the registered website they provide;
- the username they provide;
- their Deflect account password they provide (which, once stored, is not accessible to us in clear text);
- information they provide regarding their organization’s activities to help us determine their eligibility for the free tier;
- the date of their registration;
- information they provide by email, through help tickets, or through our website, and associated metadata;
- their DNS zone file;
- their IP address;
- temporary session identifiers (“cookies”);
- the IP addresses of visitors to their website;
- in the case of a Subscriber website hosted by eQualit.ie, any personal information contained within the hosted files and database/s;
- metadata associated with these visitors’ browsing activity on their website; and
- payment information they provide, in the case of business & enterprise–tier customers
2. Use, Storage, Disclosure and Retention
Use. Within eQualit.ie, personal information will be accessible to and used only by those people to whom this access is necessary for the purposes of billing, support, quality assurance, operation or development of the Service. Logging information (IP addresses and http requests of website visitors) is used to protect Subscribers and to attribute attacks against our infrastructure. We use the information to identify, intercept and adequately mitigate anomalous activity and to improve our mitigation protections overall.
Storage. Personal information may be used or stored by us or our service providers or affiliates outside of Canada. In this case, it may be subject to the laws of the country in which it is used or stored. Personal information stored outside of Canada will be protected using filesystem encryption as a safeguard against third-party access. Our service providers and affiliates are described on the mitigation page, which will be accurate as of the date indicated on that page. Please contact us to request information about any changes to our practices since that date. Wherever practical, we encrypt personal information at rest and in transit. We access encrypted personal information only as necessary to provide the Service.
Disclosure. eQualit.ie will never disclose its Subscribers’ personal information to third parties without the Subscriber’s consent, except:
- for the purpose of providing the Service, notably web browsing metadata, to third-parties handling DNS resolution and other commercial infrastructure providers; and
- as required by law.
We choose our affiliates and third-party service providers carefully to maintain comparable protection of the personal information that we disclose to them.
We may be forced to disclose a person’s personal information without their knowledge or consent if we receive a subpoena, warrant or other legal order issued by a court or other competent entity. Our policy is to require law enforcement agencies who request information to obtain an order, subpoena or warrant before we will agree to disclose it. It is also our policy to contest such orders, subpoenas or warrants when we believe them to be unjustified.
Unless we are legally prohibited from doing so, we will notify Subscribers as soon as practicable of any order, subpoena or warrant to provide information about them or visitors to their website.
We do not sell personal information to any third party.
Retention. The personal information described above is retained for the following periods:
- Session identifiers (cookies) are created on the computers of anyone acting on the Subscriber’s behalf when they authenticate themselves to edit the Subscriber’s registered website. These cookies expire after 24 hours, and are used to maintain an authenticated connection with Subscribers during that time. eQualit.ie deletes these cookies when the Subscriber logs out or when the session expires. The only third-party cookies we set are mandated by the Stripe payment service for Tier A clients.
- Logging information (metadata regarding visitors to a Subscriber’s registered website) is retained for 13 months, unless the Subscriber is subscribed to the Deflect for non-profits tier and has opted out through the Deflect Dashboard, as explained in the Control Panel page, in which case it will be retained only for the time required to perform the Service.
- Passwords are retained only long enough to be converted into a cryptographic hash, which is then stored and retained according to the timeline for “All other information” as set out below.
- All other information is retained for as long as the relevant subscriber remains registered or retains an active account.
The retention periods described above shall be extended as necessary for the purposes of billing or for investigating malicious activity. IP addresses our system has blocked due to suspicious activity will be retained indefinitely.
We delete or anonymize the information in question within a reasonable time following the expiry of each of the relevant retention periods described above.
3. Your Rights
Access. You have the right to access, upon request, a copy of your personal information in a machine-readable format. Requests should be made via your account in the Deflect Control Panel.
Rectification. You have the right to ask for your personal information to be rectified to correct any errors it may contain. Subscribers may more easily rectify much of their information themselves through the Deflect Dashboard.
Objection and Erasure. You have the right to object to the collection, use or disclosure of your personal information and to ask that it be erased. You additionally have the right to have such requests processed by eQualit.ie in accordance with applicable law. Subscribers may also choose to delete their account through the Deflect Dashboard, and the associated data will then be deleted in accordance with the retention policy as set out above.
Complaints. You have the right to complain to eQualit.ie’s privacy officer, to the Commission d’accès à l’information and/or to the Privacy Commissioner of Canada regarding eQualit.ie’s collection, use or disclosure of your personal information.
This Notice is in place as of 31 October 2019 and forms an integral part of the Deflect Subscription Agreement. It replaces all previous privacy notices and policies regarding Deflect as of that date. This Notice may be amended by eQualit.ie at any time.
eQualit.ie’s Privacy Officer receives questions, requests and complaints related to this Notice and assumes general responsibility for it. Contact them at privacy |at| equalit |dot| ie