Your Privacy is Important

Effective July 10, 2020

At Zeguro, our mission is to help businesses protect against the digital risks of this world. As a result, our goal is to set a high standard for protecting the privacy of your information. We want to be clear about how we collect, use, protect, and share your information, including your personal information, and the rights and choices you have about the ways in which you can help us protect your privacy.

This Privacy Policy explains:

  • What information we collect and why we collect it.
  • How we use that information and when we disclose it.
  • Your rights regarding that information, including how to access and update your information.
  • The steps we take to protect your information.

Scope

This Privacy Statement applies to the information that we obtain through your use of Zeguro products and services, including Cyber Safety, our websites (https://www.zeguro.com, https://www.zeguro.co.uk, https://www.zeguro.com.au, https://portal.zeguro.com), social media, communications, and web-based tools (collectively, our “Services”). For a current list of the third party vendors referred to in this Privacy Policy, see our Subvendor Directory.

This Privacy Policy does not apply to personal information arising from Zeguro’s employment-related activities. Except to the extent that a third party provides services on our behalf (such as a SaaS vendor), this Privacy Policy also does not apply to the practices of third parties to which we may link or otherwise refer you, such as consultants, pentesting firms, audit firms, and other vendors.

You should read this Policy carefully as it contains important information about how we will use your Data (as defined below). In certain circumstances, you will be required to indicate your consent to the processing of your Data as set out in this Policy when you first submit such Data to or through our Services (as defined above). For further information about consent, see below.

Where we provide the Services under contract with an organization (for example your employer), that organization controls the information processed by the Services. For more information, please see Notice to End Users below.

If you have any feedback or questions about this Privacy Policy, you can contact us.

About Zeguro

The terms “Zeguro” or “us” or “we” refer to Zeguro Inc., the owner of the Services. We are a company registered in San Francisco whose registered office is at 101A Clay St, Suite 280, San Francisco, CA, 94111. The term “you” refers to the individual accessing and/or submitting Data to the Services. Zeguro, we, and us refer to Zeguro Inc., Zeguro Insurance Services LLC., and any of our corporate affiliates.

Zeguro is a U.S.-based company that offers our Services to domestic and international business customers. Information that we collect, including personal information, may be transferred to our U.S. offices to permit us to comply with our legal and contractual obligations, to provide information and services to prospective and current clients, and to perform related business activities. In addition, we may provide information to third-party service providers in the U.S. and in other countries to the extent necessary to support Zeguro’s business activities, and we may access personal information collected from our customers to support the Services that we provide to our customers. Thus, personal information may be transferred to and stored on servers located in the United States and in countries different from the country in which that information was initially collected. Similarly, information we collect may be accessed by Zeguro and our third-party service providers and business partners from countries other than the ones in which the information is stored. 

For more information about how we handle personal information from EU-based individuals, see the Overseas transfers section below.

Information we collect

When you use the Services and/or when you otherwise deal with us, we may collect the following information about you (“Data”):

Information you provide us

  • Personal information including first and last name, and photograph and/or likeness
  • Business contact information, including names, email addresses, business addresses, telephone numbers, company name or business affiliation, and title
  • User IDs and passwords
  • Personal information that you choose to share within our user communities, such as our public Slack groups or on our community forum (help.zeguro.com)
  • Payment information (securely stored through our 3rd party payment processor – Stripe)
  • Content that you create, input, submit, post, upload, transmit, or store while using our Services
  • Other data that you may submit to our Services or to us directly, such as when you request customer support or communicate with us via email or social media sites
  • Details of any insurance made by you through the Services, together with details relating to subsequent correspondence (if applicable)

Information we collect automatically

  • Technical information (primarily used for security monitoring of your account) including Internet protocol (IP) or other device addresses or ID numbers as well as browser type, Internet service provider, URLs of referring/exit pages, operating system, date/time stamp, information that you search for, your locale and language preferences, your mobile carrier, and system configuration information, the length of your visit to the Services, and your interactions with the Services 
  • We and our analytics providers (see our Subvendor Directory) also collect and store analytics information when you use our Services to help us improve our Services
  • Information obtained through our correspondence and monitoring in accordance with the “Correspondence and monitoring” section below

Information we collect from other sources

  • We may obtain information, including personal information, from our business partners and service providers. This information includes, but is not limited to, information that we receive from our direct marketing providers, product referrals, and other interactions. We also may combine information we receive from third parties with other information we collect from you through our Services as described in this Privacy Policy.
  • Occasionally we may receive information about you from other sources, for example any insurance companies where you have an active policy, cybersecurity software providers, cloud service providers you connect with through the Services, or from any third party websites and applications that integrate or communicate with the Services in relation to you. If so, we will add this information to the Data we already hold about you in order to help us carry out the activities listed below.

If you provide information (including personal information) about someone else, you confirm that you have the authority to act for them and to consent to the collection and use of their personal information as described in this Privacy Policy. Please contact us immediately at legal@zeguro.com if you become aware of an individual providing us with personal information about another individual without being authorized to do so, and we will act consistently with this Privacy Policy.

How long we keep your Data

We retain your data only as long as necessary to accomplish the business purpose for which it was collected or to comply with our legal and contractual obligations, plus 1 year, and then securely dispose of that information. In most cases we hold data for the following time periods:

  • 5 Years where the legal basis is our legitimate interest in providing services
  • 5 Years or until consent is withdrawn (whichever is sooner), where the legal basis is express consent
  • 7 Years where the legal basis is a legal requirement

Why we collect information

We will not use your personal information for anything other than the following lawful purposes. We collect information from and about you in order to:

Establish and maintain contractual relationships with our customers

  • To provide our customers with product-based alerts, recommendations, warnings, training results, training modules, vulnerability reports, and more in relation to the Services we provide
  • To establish relationships with new customers
  • To fulfill our obligations to current customers
  • To contact customers regarding account-related issues and business communications relating to the Services, including technical notices, updates, security alerts, and administrative messages
  • To enable individuals to access and use our Services

Provide services and information that you request and consent to receive

  • To provide customer service and support
  • To communicate with you, including responding to your comments, questions, tickets, and requests regarding our Services
  • To process and complete transactions, and send you related information, including purchase confirmations and invoices
  • To provide direct marketing, email, and other information distribution
  • To disclose your information to selected third parties as permitted by this Policy and where you have provided express consent (see below)

Fulfill our other legitimate interests to the extent that they are not overridden by individual interests, fundamental rights, or freedoms

  • To administer, operate, maintain, and secure our website and Services
  • To monitor and analyze trends, usage, and activities in connection with our Services
  • To investigate and prevent fraudulent transactions, unauthorized access to our Services, and other illegal activities
  • To verify compliance with our internal policies and procedures
  • For accounting, recordkeeping, backup, and administrative purposes
  • To customize and improve the content of our communications, websites, and social media accounts
  • To educate and train our workforce in data protection and customer support
  • To provide, operate, maintain, improve, personalize, and promote our Services
  • To ensure that content from the Services is presented in the most effective manner for you and for your device
  • To develop new products, services, features, and functionality
  • To notify you of any changes to this website
  • To market our products and services (first-party marketing only; we do not provide personal information for use in marketing any non-Zeguro third-party goods or services)

Comply with our legal obligations

  • To comply with legal obligations, including but not limited to complying with tax and financial reporting and audit requirements
  • To demonstrate compliance with applicable privacy and data security laws and regulations, such as GDPR and SOC 2
  • To comply with incident monitoring, reporting, assessment, and notification requirements
  • To comply with other applicable criminal and civil law and regulatory requirements under federal, state, and international law

Your Data and its use

You may upload data to our Services, which may include personal information or data about your end users (all of which we call “Customer Data”). Customer Data is owned and controlled by you, and any Customer Data that we maintain or process we consider to be strictly confidential. We collect and process Customer Data solely on behalf of you/our customers, and in accordance with our agreements with customers. We do not use or disclose Customer Data except as authorized and required by our customers and as provided for in our agreements with our customers.

Zeguro will not be liable for any third-party costs, penalties, or claims that arise from the use of Customer Data that is uploaded by you.

The Customer shall retain ownership of all Customer Data and all rights therein. The Customer grants a royalty-free, transferable, non-exclusive license for the term of this Agreement to Zeguro to use the Customer Data to the extent necessary to provide the Services and perform the Customer Support Services (as applicable).

The Customer acknowledges that Zeguro has no control over any Customer Data hosted as part of the provision of the Platform and, although it reserves the right to do so, Zeguro does not actively monitor the content of the Customer Data.

Zeguro shall notify the Customer immediately if it becomes aware of any allegation that any Customer Data may be Infringing Data and Zeguro shall have the right to remove such Customer Data from the Services without the need to consult the Customer.

Zeguro respects the rules and laws of the jurisdiction in which it operates, as well as the privacy and rights of its customers. Accordingly, Zeguro provides Customer Information in response to law enforcement requests only when we reasonably believe that we are legally required to do so. To protect our customers’ rights, we carefully review requests to ensure that they comply with the law. Zeguro reserves the right to disclose Customer Data to law enforcement officials in the investigation of fraud or other alleged unlawful activities, only after law enforcement officials provide legal process appropriate for the type of information sought, such as a subpoena, court order, or a warrant.

The Customer shall indemnify Zeguro against all loss caused to Zeguro as a result of the use by the Customer or a User of Infringing Data on the Platform.

Our marketing activities and your option to opt-out

Where you have previously ordered products or services, submitted a quote, or obtained a trial from us, we may contact you by email, phone, SMS, and post to inform you about the services, promotions, and special offers that may be of interest to you on the product or service you are ordering. We will inform you (during the sale, signup, or quote process) if we intend to use your data for such purposes and give you the opportunity to opt out of receiving such information from us. 

If you prefer not to receive any direct marketing communications from us, or you no longer wish to receive them, you can opt out at any time (see below).

You have the right at any time to ask us to stop processing your information for direct marketing purposes. If you wish to exercise this right, you should contact us by sending an email to support@zeguro.com. Be sure to give us enough information to identify you and deal with your request. Alternatively you can follow the unsubscribe instructions in emails you receive from us.

Monitoring or recording communications with you

We may monitor and record communications with you (such as telephone conversations, screen recordings, and emails) for the purposes of provision of services, support, quality assurance, training, fraud prevention, and compliance. We are also required by law to record any customer communication for the purposes of obtaining insurance. 

We will always verbally advise that recording is happening for this purpose. Any information that we receive through such monitoring and communication will be added to the information we already hold about you.

Our use of cookies

Our software may issue ‘cookies’ (small text files) to your device when you access and use the Services and you will be asked to consent to this at the time (e.g. when you first visit our website). 

Our Services use cookies and other tracking and monitoring software to: distinguish our users from one another; collect standard Internet log information; and to collect visitor behavior information. The information is used to track user interactions with the Services and allows us to provide you with a good experience when you access the Services, helps us to improve our Services, and allows us to compile statistical reports on Services visitors and activity.

You can set your browser not to accept cookies if you wish. However, some of our Services features may not function properly. For further general information about cookies, please visit www.aboutcookies.org or www.allaboutcookies.org

Your consent

By submitting Data to or through the Services, you give consent to the use of your Data as outlined in this Privacy Policy.

If you have previously given consent you may freely withdraw such consent at any time. You can do this by notifying us in writing (either via mail or email).

If we need to process your Data in order to provide the Services, and you object or do not consent to us processing your Data, the Services may not be available to you. 

When and why we share your information

Except to the extent necessary to fulfill our business obligations, to accomplish one of the lawful purposes described in this Privacy Policy, or pursuant to your express instructions, we do not sell, transfer, or otherwise disclose personal information that we collect from or about you.

We may share your information in the following ways:

With your express consent

We will share your personal information with companies, organizations, or individuals outside of Zeguro when we have your consent to do so.

When you choose to share your information while using our Services

When you use our Services, certain features allow you to make some of your content accessible to the public or other users of the Services. We urge you to consider the sensitivity of any information prior to sharing it publicly or with other users.

When your account is accessed by your organization’s admin user

Your Zeguro account owners and admin users may be able to:

  • Access information in and about your Zeguro account
  • Disclose, restrict, or access information that you have provided or that is made available to you when using your Zeguro account, including your content
  • Control how your Zeguro account may be configured, accessed, or deleted

With our vendors, business partners, and subsidiaries to conduct business

We may share your information with our service providers and other third parties who perform services on our behalf, listed in our Subvendor Directory.

We provide your payment information to our service providers for payment processing and verification. Service providers such as analytics providers may collect information about your online activities over time and across different online services when you use our Services. We also work with third-party service providers to add critical capability to the modules of Cyber Safety, e.g., threat intelligence, training videos, pentesting, and vulnerability scanning services.

We may share Data with our regulated insurance entities for the purpose of providing you an insurance quote or policy.

For legal reasons

We may disclose your information (including your personal information) outside of Zeguro if we have a good-faith belief that it is necessary to:

  • Comply with any applicable law, regulation, legal process, or governmental request
  • Enforce our agreements, policies, and terms of service
  • Protect the security or integrity of Zeguro’s products and services
  • Respond to an incident involving personal data for which Zeguro has direct or indirect responsibility
  • Protect the property, rights, and safety of Zeguro, our customers, or the public from harm or illegal activities
  • Respond to an emergency that requires us to disclose information to assist in preventing the death or serious bodily injury of any person
  • Investigate and defend ourselves against any third-party claims or allegations

As the result of a business transition

We may share or transfer your information (including your personal information) in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company. We will take reasonable steps to assure that any other entity involved continues to comply with the terms of this Privacy Policy. We will notify you of such a change in ownership or transfer of assets by posting a notice on our website.

Sharing non-personally identifiable data

We may share aggregated, anonymized, de-identified, or otherwise non-personal information in order to improve the overall experience of our Services. 

Such aggregated, anonymized, de-identified, or otherwise not re-identifiable information is not personal information within the scope of this Privacy Policy because it does not directly or indirectly identify you and cannot, with reasonable effort, be used to identify you.

Keeping your Data secure

Unfortunately, no data transmission over the Internet or a data storage system can be guaranteed to be 100% secure. That said, we certainly try very hard, employing a variety of organizational, technical, and administrative measures to provide a level of security appropriate to the risk associated with the personal information you trust us with. More information on what security measures Zeguro uses to protect your Data can be found at https://www.zeguro.com/security-first.

While we will use all reasonable efforts to safeguard your Data, you acknowledge that the use of the Internet is not entirely secure and for this reason we cannot guarantee the security or integrity of any Data that is transferred from you or to you via the Internet.

Zeguro protects personal information under its control and requires its service providers to also protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal Data transmitted, stored, or otherwise processed.

Overseas transfers (EEA Users only)

From time to time we may need to transfer your Data to countries outside the European Economic Area, which comprises the EU member states plus Norway, Iceland, and Liechtenstein (“EEA”). Non-EEA countries that we may need to transfer your Data to include the United States of America, because we are primarily based there.

Such countries may not have similar protections in place regarding protection and use of your Data as those set out in this Policy. Therefore, if we do transfer your Data to countries outside the EEA, we will take reasonable steps in accordance with applicable Privacy and Data Protection Requirements to ensure adequate protections are in place to ensure the security of your Data, including:

  • Use of approved contractual clauses
  • Ensuring that we only transfer your Data to persons or entities that are appropriately authorized and/or accredited to process Personal Data in compliance with applicable Privacy and Data Protection Requirements

By submitting your Data to us, in accordance with this Policy, you consent to these transfers for the purposes specified in this Policy.

Your rights to your Data

You have the right to:

  1. Request access to information about Personal Data that we may hold and/or process about you, including: whether or not we are holding and/or processing your Personal Data; the extent of the Personal Data we are holding; and the purposes and extent of the processing.
  2. Have any inaccurate information we hold about you be rectified and/or updated. If any of the Data that you have provided changes, or if you become aware of any inaccuracies in such Data, please let us know in writing, giving us enough information to deal with the change or correction.
  3. In certain circumstances, request that we delete all Personal Data we hold about you (the ‘right of erasure’). Please note that this right of erasure is not available in all circumstances, for example, where we need to retain the Personal Data for legal compliance purposes. If this is the case, we will let you know.
  4. In certain circumstances, request that we restrict the processing of your Personal Data, for example, where the Personal Data is inaccurate or where you have objected to the processing. 
  5. Request a copy of the Personal Data we hold about you and to have it provided in a structured format suitable for you to be able to transfer it to a different data controller (the ‘right to data portability’). Please note that the right to data portability is only available in some circumstances, for example, where the processing is carried out by automated means. If you request the right to data portability and it is not available to you, we will let you know.
  6. In certain circumstances, object to the processing of your Personal Data. If so, we shall stop processing your Personal Data unless we can demonstrate sufficient and compelling legitimate grounds for continuing the processing which override your own interests. If, as a result of your circumstances, you do not have the right to object to such processing, then we will let you know.
  7. Object to direct marketing. See “Our marketing activities and your option to opt-out” above.

California privacy rights

California Civil Code Section 1798.83 permits Zeguro customers who are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please contact us.

Complaints and arbitration

Under this Privacy Policy, any unresolved privacy complaints can be referred to an independent dispute resolution mechanism. We use the International Centre for Dispute Resolution®/American Arbitration Association® (ICDR/AAA). If you feel that we have not satisfactorily addressed your complaint, you can visit the ICDR/AAA website at https://apps.adr.org/webfile/ for more information on how to file a complaint. In some cases, you may be able to invoke binding arbitration.

About this policy

Changes to this policy

We keep this Policy under regular review and may change it from time to time. If we change this Policy, we will post the changes on this page, and place notices on other pages of the Services as applicable, so that you may be aware of the Data we collect and how we use it at all times. You are responsible for ensuring that you are aware of the most recent version of this Policy as it will apply each time you access the Services.

Your continued use of our Services after the revised Statement has become effective indicates that you have read, understood, and agreed to the current version of this Statement.

When this policy applies

Our Services may contain links to other companies or individuals’ websites or services. This Policy only applies to our Services. If you access links to other websites, any Data you provide to them will be subject to the privacy policies of those other websites.

We have no control over third party websites or systems and accept no legal responsibility for any content, material, or information contained in them. Your use of third party sites or services will be governed by the terms and conditions of that third party.

The display of any hyperlink and/or reference to any third party website, system, product, or service does not mean that we endorse that third party's website, products, or services, and any reliance you place on such hyperlink, reference, or advert is done at your own risk.

Accessibility

This Policy aims to provide you with all relevant details about how we process your Data in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. If you have any difficulty in reading or understanding this Policy, or if you would like this Policy in another format (for example audio, large print, or braille), please get in touch with us.

Notice to End Users

Our Services are intended for use by organizations. Where the Services are made available to you through an organization (e.g. your employer), that organization is the administrator of the Services and is responsible for the accounts over which it has control. If this is the case, please direct your data privacy questions to your administrator, as your use of the Services is subject to that organization's policies. We are not responsible for the privacy or security practices of an administrator's organization, which may be different from this policy. 

Administrators are able to:

  • Require you to reset your account password
  • Restrict, suspend, or terminate your access to the Services
  • Access information in and about your account
  • Access or retain information stored as part of your account
  • Install or uninstall third-party apps or other integrations

In some cases, administrators can also:

  • Restrict, suspend, or terminate your account access
  • Change the email address associated with your account
  • Change your information, including profile information
  • Restrict your ability to edit, restrict, modify, or delete information

Even if the Services are not currently administered to you by an organization, if you use an email address provided by an organization (such as your work email address) to access the Services, then the owner of the domain associated with your email address (e.g. your employer) may assert administrative control over your account and use of the Services at a later date. You will be notified if this happens. 

If you do not want an administrator to be able to assert control over your account or use of the Services, use your personal email address to register for or access the Services. If an administrator has not already asserted control over your account or access to the Services, you can update the email address associated with your account through your account settings in your profile. Once an administrator asserts control over your account or use of the Services, you will no longer be able to change the email address associated with your account without administrator approval.

Please contact your organization or refer to your administrator’s organizational policies for more information.