This privacy statement (Version 1.0) was last revised on 11 May 2020.
Data privacy is important to Zerv and its technology partners and this Privacy Statement describes the Personal Information that we collect, hold and use, and with whom we share it.
It also describes your rights and responsibilities in respect to the Personal Information that we store about you, the End User. To use our products, you will be required to accept this Privacy Statement.
By accepting it, you agree that we can collect, hold, use and share your Personal Information as described in this Privacy Statement.
For easy reference, we refer to each such profile as “Your Profile.” Typically, the owner of Your Profile is the organization that issued that credential to you, such as your employer, landlord, or a government agency or other entity with whom you have a relationship that requires them to issue you a credential to authenticate who you are, in order to be permitted building and/or network access.
For the sake of simplicity in this Privacy Statement, we will occasionally refer to the owner of Your Profile as “your employer or organization.” Zerv’s products create and manage digital versions of access credentials (“Digital Credentials”) to supplement or replace the physical badges, smart cards, and similar tangible items that organizations currently use to enable building and/or network access.
Zerv protects the information associated with these Digital Credentials by encrypting it so that it is protected in the database, in transit, or on your mobile device. In addition to this, specific items of Personal Information are also protected in our database using an encryption key.
This design ensures that operational use of your data is tightly controlled.
We collect and store the minimum amount of Personal Information required to provide you with the building and/or network access as authorized by the owner of Your Profile. The owner of Your Profile typically requires that we hold sufficient information to validate your identity and that we log and report system usage in line with their information and security management policies.
The Zerv product you will likely use most often is the Zerv mobile application (“Zerv App”). Zerv App is an iOS or Android application that stores Digital Credentials securely on your mobile phone. The Zerv App communicates both with (a) devices that provide access control in your employer’s or organization’s buildings or computer systems, and (b) Zerv’s credential manager (“Credential Manager”) cloud software, which is accessed via a website (“Portal”) that administrators at your employer or organization will make available to you.
By logging into the Zerv App, you are consenting to this Privacy Statement and to the license to use the Zerv products that has been provided to you by your employer or organization.
The information that we collect
The ‘Personal Information’ that is stored and managed by the Zerv App and Credential Manager is: Name; Email address; Mobile phone number; IP address; Location information associated with registration and ‘Events’ such as where your credential was used.
In addition, we categorize the certificates or credentials that have been provided for authentication purposes as ‘Sensitive Information’.
Depending on how your company or organization has deployed Zerv products, most of this information will be provided by your employer or organization.
Access to Personal Information is tightly controlled, logged and monitored within the Zerv system. Access is restricted to the administrators of Your Profile and a small number of Zerv staff, who have this access for the purposes of assisting or supporting Your Profile administrators, or to periodically confirm compliance with our software license. Zerv employees are bound by contract with Your Profile owner, and by law, to keep this information confidential and use it only for legitimate purposes.
In addition to the above information, Zerv collects information based on your activities using its products. Specifically, when the Mobile Application interacts with the access control equipment in your employer’s or organization’s buildings (e.g., a door reader), the Mobile Application records an “event” that details the nature of the interaction (“Event Data”) — e.g., at this date and time, you successfully obtained access to Door 713. The Mobile Application sends the Event Data back to the hosted Credential Manager, which may be reviewed by Your Profile owner. Profile owners may elect to have this data pushed to an analytics engine for monitoring and analysis.
When you download the Zerv App to your mobile device, we automatically collect information about your device including the type of device, the operating system, and whether Bluetooth is active. We use this information for support purposes. When you access any of the Zerv websites (www.zervinc.com, http://www.zervaccess.com, etc.) we collect, process and retain information about you to improve your user experience. This may include information such as your IP address, browser type, Internet Service Provider, the files that were viewed on our site, date and time, etc.
Like many commercial websites, we also use a standard technology called a “cookie” to improve your experience.
Disclosure of your information
We may disclose the information you provide us, through registration and use of our Products, to the owner of Your Profile. If you have Digital Credentials from more than one Profile owner (say, your employer and your home), the owner of any given Profile will have access only to data related to the Digital Credential issued by that owner. We will respond to subpoenas, warrants, or other court orders regarding information concerning users of our products. Zerv will, at its discretion, disclose Personal Information if it is required to do so by law, where such disclosure is necessary to protect Zerv from legal liability or to protect the integrity of our products and website. If Your Profile’s owner agreed with Zerv upon procedures that affect such disclosures, Zerv will abide by that agreement.
Security of your information
We take all reasonable steps (including all measures required by law) to ensure your information is protected and secure at all times. Your data is stored in an encrypted database within the secure Amazon Web Services (“AWS”) hosting environment and our encryption architecture ensures that Amazon employees do not have access to your Personal Information. Amazon has several data centers geographically spread around the world. All Amazon sites provide consistent data and communications security services.
When your data is in use by the system, it is protected at all times. All of the Credential Manager data is encrypted at the database level. Within the database, most of your personal and all of your sensitive information is also protected by an additional layer of encryption to ensure isolation of data by Profile. The system uses your mobile number and your name as references internally and these data items are not subject to the second level of encryption. Data stored on your mobile device is protected by encryption which leverages standard iOS and Android encryption technologies. However, no data protection and security measures are completely secure. Despite all the measures we have put in place, we cannot guarantee the security of your information, particularly in relation to transmissions over the internet. Accordingly, any information which you transmit to us is transmitted at your own risk.
You must take care to ensure you protect your information (for example, by protecting the username, password, and other account details related to your Zerv account, as well as implementing security features in your mobile device such as screen lock and, if available, biometric security features such as Apple’s TouchID and FaceID and similar features in Android). You should notify the administrators at your employer or organization as soon as possible if you become aware of any security breaches regarding your Zerv account or your Digital Credentials. Please advise them as soon as possible if there are any changes to your Personal Information, or if you believe the information we hold about you is not accurate, complete, or current.
Retention and removal of your information
Your Profile owner is responsible for notifying Zerv when accounts are inactive or have expired. Upon such notification, Zerv will deactivate these accounts as directed by Your Profile owner, but retain all information.
How we use your information
We only use your information for the purpose for which it was provided to us. Such purposes include: Managing the Digital Credentials that you use to access buildings or networks; Monitoring for fraud or inappropriate activities; Responding to enquiries (via the Profile owner’s help desk) if you encounter a problem that relates to Zerv functionality; Providing the owner of the Profile with reader event information that can be used for business analysis purposes; Complying with our obligations to you and/or your employer/organization under our contract or applicable law; To better understand how individuals interact with our products or website; Quality assurance and training purposes.
Zerv does not sell your Personal Information to third parties. We will not use your email address or phone number for marketing or unsolicited advertising materials without your consent. We will, however, email or text you to provide you with some operational information, or to advise you if we suspect unauthorized use of your account, or to advise you of any changes or updates made to your information where we feel that such a notification will ensure the security and integrity of the service.
How to contact us for questions, concerns or complaints
Zerv products are designed for use by organizations, and you should direct your privacy enquiries to the administrator of Zerv products in that organization. Zerv will respond to such enquiries via the owner of your Profile.
In all other situations please email your request or concern to firstname.lastname@example.org.
We will refer your inquiry or complaint to our Privacy Officer, who will, within a reasonable time, investigate the issue and determine the steps required for resolution.
We will contact you if we require any additional information from you and will notify you in writing of the response or determination of our Privacy Officer.
Revision of this Privacy Statement
Zerv may revise this Privacy Statement or any part of it from time to time to ensure we remain compliant with data privacy regulations specific to your geographical location, including those specified in the EU General Data Protection Regulation (GDPR).
Please review this policy periodically for changes.
If we make significant changes to this policy, we may notify you using the contact details provided by you or by putting a notice on our website at http://www.zervaccess.com