Cryptopass consists mainly of the Application which is installed on each terminal of an End User (or “you”) and a central platform operated by or under the control of Ercom (the Publisher, or “we”) and to which the installations of the Application have remote access. Cryptopass is therefore a “SaaS” solution.
It is important to note that the Cryptopass service may be subscribed by a user entity (the “Customer”), either directly with Ercom, or through an authorized third party (the “Distributor”), for the benefit of its End User employees. However, this policy does not apply to personal data that administrators – who manage the rights of Cryptopass users and who are designated by these persons (the “Administrators”) – may collect from users and otherwise process.
1. Administrators and Cryptopass administration interface data.
This information is communicated to us by the Customer having subscribed to the Cryptopass service. Intended to manage the identification and authentication of Administrators, they are kept for the duration of subscription to the service by the Client.
· Date and time of connection
· Action logs: login (pass/fail), user declaration/deletion, Administrator(s) declaration/deletion, license change
· Connection IP address
In addition, we may have access to license information (number of users, activation status, start date, end date) that is not personally identifiable, but that may be indirectly associated with users of the service.
This information is collected automatically on our servers. Intended to know, manage and improve the use of the administration interface as well as the management of the service subscribed by the Client, they are kept for one (1) year from their registration.
2. Cryptopass end user data (you)
When you first connect from the Application, we must verify that you are authorized to use Cryptopass.
To do this, you only provide us with your mobile phone number associated with your device. We then send you to this number an SMS with the validation code that is required by the Application to finalize access to Cryptopass.
When you finalize your registration, your phone number is communicated to the Administrator in order to inform him of your registration to Cryptopass and allow him to validate your account.
When using Cryptopass, the Application requires the following permissions:
· Audio: access the microphone to establish communication;
· Video: access the camera for video-conferencing;
· Photo/storage: share / receive files ;
· Contacts (*): cross with users equipped with Cryptopass to display only relevant contacts ;
· Phone Status: Ensure proper integration of Cryptopass into the device.
You can accept or deny these permissions, which allows you to access the associated features. The associated information is only accessible from the Application on your terminal and is never sent back to our servers.
(*) To facilitate the operation and ease of use of the Application, we automatically import the phone numbers of your Cryptopass user contacts into the Application’s smart contact book. This ensures a simple and transparent user experience.
Once your messages and files are sent to the recipient, they are automatically deleted from our servers. Your messages are stored in your own device.
If a message is not transmitted immediately, we keep it on our servers for a maximum of seven (7) days to ensure its transmission. After this period, it is automatically deleted from our servers.
Audio and video calls are not recorded on our servers.
In this case we collect your e-mail address and possibly other personal data that you decide to provide as part of this e-mail. However, we generally do not wish to have such information, which is why we invite you to limit personal data in your e-mail as much as possible. Your e-mail address may however be useful to us to answer you!
The Application also has a way to automatically detect anomalies on the Application. In this case, you have the option to manually share this information with us, or choose to make this operation automatic. The information that is then sent to us is anonymous and concerns the configuration of the device and the Application.
The usage data collected are:
· The type of event (connection to the Application, text message, voice call or video…) ;
· The calling number;
· The number called;
· The date and time of the event, if applicable the duration of the communication;
· Platform type: IOS or Android with the mobile client version.
This usage data is not visible on the administration interface and is therefore not communicated to the Administrators and the Client (your employer for example).
Ǫ For what purposes is your personal data collected?
® Only the provision of a quality Cryptopass service!
The personal data collected from you and, where applicable, from the Administrators (mobile phone number and possibly your first and last name) are necessary for:
· manage user identification and authentication; and
· transmit your communications and give you access to Cryptopass;
· allow other end users who already have your mobile phone number in their contact directory to know that they can communicate with you via the Cryptopass service.
In addition, the usage data (metadata) and any personal data that you may have chosen to include in the bug reports that you have notified us are only used for:
· manage and monitor the use of Cryptopass ;
· manage support requests following the sending of a bug report ;
· establish statistics to measure the adoption and performance of the Application ;
· Measure satisfaction and service quality to improve the user experience, including through a security audit.
Cryptopass was developed around security and privacy by design.
Cryptopass security is mainly based on robust encryption technology (AES 256-bit type) using the TLS protocol. It covers communication security, file sharing between users, exchanges with the server as well as Cryptopass in-depth security.
Your personal data is stored on our servers, located in France. Their logical (end-to-end encryption) and physical (restricted and protected access) access is very secure.
Your usage data may be aggregated and anonymized before being transmitted to the Administrator and/or the Client on which your account depends, but they are no longer personal data!
Access to your personal data is reserved to our authorized employees, as well as to our potential subcontractors linked to very demanding confidentiality commitments. In both cases, only members who strictly need to know can have access to them and they can only use them for the purposes listed above.
We do not commercially exploit your data, whether for a fee or free of charge, and guarantee that it will not be transferred to third parties other than those mentioned above and only because the communication of your personal data to such third parties is strictly necessary for your use of Cryptopass.
We may nevertheless be required to disclose your personal data in the event of a legal or regulatory obligation, or resulting from a decision of a competent judicial or administrative authority.
With respect to your other personal data (specifically, your mobile phone number): we retain it for the duration of your Cryptopass usage rights, and once your rights have expired, for any reason whatsoever (including account deletion by you or the Administrator), we may retain this data for a period of one (1) year for billing control, subscription reactivation facilitation and user experience enhancement purposes.
At the end of the above-mentioned periods, all your personal data will be deleted from our servers or made anonymous.
The expiry of your Cryptopass usage rights does not affect the information that other Cryptopass users have about you (including copies of messages you have sent them).
You also have the right to obtain the transmission of your personal data.
You also have the right to object to or obtain restrictions on the processing of your personal data, to withdraw your consent to its processing, and to obtain the deletion of your personal data. Note however that exercising this right may affect your ability to use Cryptopass.
You can exercise these rights relating to your data by contacting us by e-mail at the following address: firstname.lastname@example.org.
If you feel, after contacting us, that your personal data rights have not been respected or if you feel that their processing does not comply with personal data protection rules, you can file a complaint with a supervisory authority, such as the CNIL in France.
6 rue Dewoitine, Immeuble Rubis
78140 Vélizy, France
Tel : +33 1 39 46 50 50
e-mail : email@example.com