Protect My Privacy’s Privacy Policy

V1.5 Last Updated: 13 December 2022

Data Protection General Statement:

This Data Protection Policy outlines Protect My Privacy’s commitment to its customers, suppliers and other individuals to operate its business activities in a manner that meets the compliance obligations of the Data Protection (Jersey) 2018 Law (“DPJL”), the Data Protection (Bailiwick of Guernsey) Law 2017, and the General Data Protection Regulation (EU) 2016/679.

Protect My Privacy understands and respects your right to privacy and we are committed to ensuring the confidentiality and security of your personal data and the personal data processing activities within our organisation by applying the appropriate technical and organisational measures required to achieve this objective.

This document covers the policies and procedures for processing personal data in a compliant manner and outlines the rights of the data subjects in respect of that data. The Privacy Notice below explains how we may use, process, and store your personal data.

When you create an Account with us or use our Services, you enter into an agreement with us and are directed to this Privacy Policy and the Terms and Conditions which form part of that agreement. Each time you use your Account or our Services, or provide us with information, the processing of your Personal Data will be governed by the current version of this Privacy Policy and Terms and Conditions.

If you do not agree with the terms of this Privacy Policy or the Terms and Conditions, please refrain from creating an Account or using our Services.

Data Controller:

Protect My Privacy is a trading name of Revoke Limited who is the data controller of all personal data and data processing activities of its data protection app business. The company runs the “Protect My Privacy” app, the protectmyprivacy.app website and it operates the www.revoke.com website. The company’s head office and Registered Office is located at 2nd Floor, Conway House, 7-9 Conway Street, St Helier, Jersey, JE2 3NT.

Revoke Limited is registered as a data controller with the Jersey Office of the Information Commissioner and its number is 61116.

Reference documents:

• Data Protection (Jersey) Law 2018
• Data Protection (Registration and Charges)(Jersey) Regulations 2018
• Data Protection (Bailiwick of Guernsey) Law 2017
• EU General Data Protection Regulation 2016/679

Special notice regarding children:

Our Services are not directed to people under 18. We do not knowingly collect personal information from children under 18. If you become aware that a child has provided us with Personal Data without the proper consent, please contact us at dpo@revoke.com and we will take steps to remove such information and terminate the account as necessary.

 

Privacy Policy:

Scope of application:

This policy applies to our business activities and the personal data processing of the data subjects within the European Economic Area (EEA), UK, Jersey, and Guernsey in the Channel Islands.

Personal data:

Personal data means any information relating to an identified or identifiable natural person. Protect My Privacy collects the following categories of personal information;

From Customers:

• Contact details: e.g. name, address, email address, telephone and mobile number plus other relevant contact information
• Identity information (only when requested by a Data Protection Team and explicit consent is given by the customer). This could include Passport, Date of Birth, Drivers Licence, National ID and/or Selfie (biometric data). This data is encrypted and cannot be decrypted by Protect My Privacy
• Country of Residence
• Your consent confirmation(s), when required for our services
• IP address, connection information, browser type and version, operating system, device identifier

Note 1: Protect My Privacy does not collect or record credit/debit card information. All such payment transactions are dealt with by third-party payment providers (Apple Pay, Google Play, City Pay), who operate to the highest security standards expected of such organisations.

Purposes of data processing;

Protect My Privacy uses the personal data noted above for the following range of activities;                      

Purpose	Lawful bases for processing
The provision of Protect My Privacy app services and sale of related services	Processing is undertaken in the performance of a Contract -i.e. the app services and sales transactions
The provision of customer guidance and support services	Processing is undertaken in the performance of a Contract -i.e. the app services and sales transactions
To act on your behalf when contacting third party organisations in the exercise of your data subject rights	Processing is undertaken once we have obtained your Contract to act for you.
To send you notifications through the Protect My Privacy app or customer portal or SMS messaging communications or email, to keep you updated on the responses we have received in relation to the Protect My Privacy services you have requested from us	Processing is undertaken in the performance of a Contract i.e. the app services and sales transactions
To act on your behalf when you request us to process communications regarding compensation claims against organisations that have breached your data protection rights	Processing is undertaken in the performance of a Contract i.e. the app services and sales transactions.
To manage the operation of your subscription and services contract, and subscription payments	Processing is undertaken in the performance of a Contract i.e. the app services and sales transactions.
To advertise and market our Protect My Privacy app services and features, and keep you updated on any new or existing customer services which may be available to you	Legitimate interest basis for Protect My Privacy to promote its business products and services. You have the right to object to such processing by contacting our data protection manager.
Managing security and access controls to the Protect My Privacy app, Revoke’s computer systems, computer platforms, website and vendor related applications	Legitimate interest basis for Protect My Privacy to protect its business app, computer systems, platforms and website and vendor related applications. You have the right to object to such processing by contacting our data protection manager.
Establishment and exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.	Legitimate interest basis for Protect My Privacy to protect and assert its legal rights and the legal rights of others. You have the right to object to such processing by contacting our data protection manager.
Obtaining or maintaining insurance cover, managing risks, or obtaining professional advice.	Legitimate interest basis for Protect My Privacy to protect and assert its legal rights and the legal rights of others. You have the right to object to such processing by contacting our data protection manager.
Comply with legal, tax and regulatory obligations.	In the performance of a task carried out in compliance with a Legal obligation.

Services provided to our customers:
The main services we offer to our customers are as follows;

1. Data Protection Requests (to exercise your rights)
2. Dark Web Searches (to identify if your data was in a data breach)
3. Privacy Checks (on your social media and online accounts)
4. Mailbox Search (to identify companies for your list)

We have designed our services to comply with the requirements of the new data protection law in the areas of Privacy By Design and Privacy by Default.

For Data Protection Requests and Dark Web Searches, we provide these services as an integral part of our contractual services to you, which have been communicated in our app services notices and in our Terms of Business.

For the Privacy Checks and Mailbox Search services, you are being offered these services on an “opt-in” or “opt-out” basis, i.e. you can select to use or not use or use for a selected period of time, these specific services. These services will help facilitate the cleaning up of your digital estate, and to help us avoid contacting organisations on your behalf with whom you would have had no previous relationship.

The Protect My Privacy app’s use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

Protect My Privacy helps you identify companies that hold your personal data. We do this through our Dark Web Search, Privacy Checks, and Mailbox Search features. We never contact a company on your behalf without your explicit permission.

Research that is in the public interest

Revoke may conduct research into relevant topics relating to data protection rights, and the exercise of these rights for data subjects. Other topics researched can relate to the technology available for the security of customers’ data and how our services can be developed to provide additional, valued service for our users.

Protect My Privacy may communicate with you to alert you to important topics, news trends and subjects which may be of interest to you.

For more details on these services, please see our Terms of Business.

Data collection methods:

We collect personal data in the following ways:

• When you download the Protect My Privacy app from Apple or Google Play app stores and agree to the terms and conditions for its use
• When you submit the personal data requested by our Protect My Privacy services in order to complete the user verification process, e.g. when you give us your date of birth, address, photo ID (copy of your Passport, Driving Licence or National ID) and selfie (Biometric data) so we can verify your identity and communicate effectively with organisations on your behalf and match their records [note: all data is encrypted, and never transmitted insecurely]
• When you complete and submit your digital consent form(s)/requests for us to act on your behalf in relation to the exercise of your data protection rights
• When you email us using one or all of our dedicated customer support, data protection and business email addresses
• When you contact our customer service partner or our in-house team who can support and guide you with your data protection queries, cyber security queries and queries in relation to our Protect My Privacy services
• When you visit our Protect My Privacy (www.protectmyprivacy.app) and Revoke (www.revoke.com) websites which use only essential and analytical cookie features which may track your usage of our website and uploading of information to the website to help us improve our services to you
• When you contact us by telephone and/or leave a voicemail message or text messages or use of the online chat facility or posting messages on our social media platforms
• When you transfer to us from another service provider upon the exercise of your new data protection “data portability” rights and Protect My Privacy has agreed the terms and transfer details prior to commencing Protect My Privacy services
• From third party channels such as public registers, social media and any other public open forums
• Directly from you as a member of the public, staff member, business partner, supplier or intermediary when engaging with us directly
• From publicly available sources, which may form part of our research into specific data protection and security topics in the interest of the public 

Information collected:

Customer personal data will only be used by us where you are using our Protect My Privacy app and associated services.

The personal data collected is used to;

• Meet our obligations in the performance of a contract for the provision of Protect My Privacy products and services which you have purchased from us
• To ensure that only you have access to any encrypted data retrieved using Protect My Privacy
• To mitigate fraud and verify your identity to confirm that you are the person in the Photo ID (copy of your Passport, Drivers Licence or National ID)
• Provide uninterrupted access to your Protect My Privacy account and maintain the service level expected and outlined in our Terms of Business
• To inform us at Revoke, and our users, of the risk that may be present from certain data controllers, data processors or general risks existing within the digital environment of the internet, apps and social media services 
• To meet our obligations to you as data controller under the respective data protection laws
• Assist us in the delivery and operation of secure business communications via email, our website and other relevant means
• Meet legal obligations from relevant local laws in relation to the sale of product and services transactions e.g. GST/VAT
• Assist Protect My Privacy in compiling relevant aggregated statistical data for statistical or public relation purposes. This aggregated information is not tied to personal information,
• Meet any legal obligations in relation to the establishment, exercise or defence of a legal claim or where we received a court order for the disclosure of personal data
• Meet any other legal obligations from relevant local laws

Personal data may be used for the legitimate business interest of Protect My Privacy as indicated in this Privacy Policy.

Only personal data that is necessary for the purposes of assisting our customers with the provision of products or services as outlined above are actively collected.

Recipients of data:

Personal data collected may be disclosed or transferred to;

• Our data processors who provide services in relation to the provision of app products and services, computer systems used for the maintenance of customer subscription accounts (Apple, Apple Store In-App Payments, Google Play In-App Payments, Microsoft)
• Our data processors who provide identity verification services to protect your account. Protect My Privacy uses two companies for this specific service (Yoti and Onfido)
• Our data processors who provide the dark web search service to check if your email address and related personal data have been breached. Protect My Privacy uses a number of companies to provide this specific service (Dehashed, HaveIbeenpwned)
• Our SMS service providers to send notifications to you regarding your requests (Textlocal, Amazon, Mailjet)
• Our email manager provider to manage and deliver our email communications (Mailjet)
• Our customer services application provider for the efficient delivery of customer service support ticket management (LiveChat) 
• Our customer service provider who gives advice, support and insurance information when requested (Cyberscout, a Sontiq brand); they only receive a unique reference linking to an anonymized version of your dark web search results

If you choose to seek assistance and follow-up on the results of your dark web search, your data may be shared with Cyberscout if you provide approval to do so (if you separately engage them to examine your results and choose to provide them with further personal data beyond the reference number) and other third parties, if you choose to make a claim or commence other legal proceedings as a result of the data breach.

• Our service provider who manages the generation and reporting of statistical tracking data of our services
• Third-party organisations you have requested us to contact on your behalf to exercise your data protection rights
• Protect My Privacy’s business partners who may provide professional services in relation to additional expert services
• Protect My Privacy’s data processors who provide services in relation to the secure and safe running of its business systems and processes,
• Credit checking and debt collection agencies for the proper running of business customer accounts
• Professional agents in the provision of required services (e.g. lawyers, bankers, accountants, auditors)
• Law Enforcement and Competent Authorities as required by the respective laws where such disclosure is necessary for compliance with a legal obligation
• Other third parties when requested by you and when relevant consent has been obtained from you
• Any new owner of Protect My Privacy should it be acquired or merged with another company or as part of the re-organisation of the company

Third-party service providers are bound by the requirements of the Data Processor Agreement obligations, where your personal data is to be processed to high standards of confidentially and with the required security standards and arrangements to be in place.

Security of your personal data:
As part of the Protect My Privacy customer onboarding process your personal identification data, Photo ID, and any other biometric data is encrypted once it has been expertly verified by our service provider. Protect My Privacy does not have access to your encrypted data as only you will have the required digital encryption key to access it.

Sharing your personal data with an organisation’s Data Protection Officer (DPO):
In order for your data protection request to be processed by those organisations you have selected in the Protect My Privacy app, their DPO may request access to view your encrypted verified personal identification to ensure you are who you say you are.

You will be asked to provide your explicit consent to allow the DPO to view your verified identification, as we need to be able to decrypt certain data in order for them to confirm its accuracy (e.g. email address, phone number). We also need to be able to send/provide access to view this information to companies with whom we are interacting on your behalf.

We use multiple rotating keys to encrypt your data; there is no master key. Your private key is never transmitted to our servers.

Only when you give your explicit consent will the DPO be able to view your verified identification. When we provide the DPO access to your verified identification we ensure that only the designated recipient of this information is able to access it.

It is the responsibility of the DPO to satisfy themselves that you are a customer or employee or ex-employee of theirs. In order to do this, they may ask for additional information from you, such as a date or amount of a previous bill, a previous address, or a customer number.

Social media platforms:

When we use social media platforms e.g. Facebook, Twitter, Instagram, we only operate it so as to promote our own business and we would not knowingly engage in activities that go beyond this scope. Customers (and other data subjects) are advised to refer to the respective privacy notices of these social media platforms to check their data protection and privacy rights. Protect My Privacy cannot be held responsible for third-party social media platforms or website activities.

Storage of data:

Customer data is stored in the European Union in either the Netherlands or in Ireland.

Transfer and access to personal data:

Protect My Privacy will only transfer data outside of the EEA, UK, Jersey, and Guernsey where it is necessary for the performance of the contract agreed by you.

Where the destination of the data transfer is outside the EEA, UK, Jersey, and Guernsey and does not include a third country that has an “adequacy/equivalence” status, as recognised by the EU Commission, we would always ensure that appropriate safeguards are in place.

Protect My Privacy engages the services of those vendors who are operating under the respective data protection compliant agreements and where they are using Standard Contractual Clauses or other approved data transfer mechanisms, where appropriate.

Where we cannot guarantee these safeguards, we would always request your consent before the data is transferred.

Any transfer of data is done in a secure way and in compliance with Data Protection Laws.

Retention of data:

Protect My Privacy will only retain your personal data for as long as is necessary to fulfil the purpose for which it was collected.

Summary of the important data retention periods are as follows;

• If you create an Account with us, we will retain your Personal Data for as long as you have that Account
• If your account becomes inactive for 12 months, your account will be treated as expired. If we do not hear from you after sending you a reminder, we will delete your account within 30 days
• Should you delete or request deletion of your Account, we will only retain and use your Personal Data to the extent necessary to comply with our legal obligations (if we are required to retain your data to comply with applicable laws), detect and prevent fraud, resolve disputes and enforce our legal agreements and policies. All requests for deletion of accounts will be actioned after 48 hours of the request
• Protect My Privacy will retain personal data in relation to customer, supplier, other data subjects’ transactions for 10 years from the date of the transaction where they are deemed to be part of the financial records of the business
• Where we communicate with you as a data subject and not as an existing customer, we will always do so in compliance with the data protection laws and the provision of the required notices, but importantly your data will be deleted after 30 days from the first communication to you, or anonymised to protect your data, unless you want to download our app and start using the available services offered by Protect My Privacy  

This is subject to the exception where the data cannot be deleted for legal or regulatory reasons.

Data subject rights:

Where a data subject in the European Union (or any “adequate/equivalent” status country) wishes to exercise their rights under applicable data protection laws, they should contact Revoke’s data protection manager at dpo@revoke.com.

Data subjects have a number of rights available to them;

• Access to their personal data

You can assert this right by accessing your personal Account or by contacting us directly via our website www.revoke.com or email dpo@revoke.com. We would request that any request to access personal data must be made to Revoke in writing and provide sufficient detail to identify the Personal Data that you are seeking.

• Rectification of any inaccuracies

If you are a registered user of our Services, we provide you with the tools to access or modify the personal data you provided to us and associated with your Account.

• Restriction on the processing of their data

This right applies in certain specific circumstances; where the accuracy of personal data is contested and the data controller needs time to verify details; where processing is deemed unlawful but the data subject opposes erasure and requests restriction instead; where there is an objection to data processing under legitimate interest legal bases and pending verification that the legitimate interest overrides the data subjects rights; the purpose of processing is no longer valid but it is required by the data subject for the establishment, exercise or defence of legal claims.

• To object to the processing of their data

This right is available to data subjects to request exclusion from any direct marketing activities or communications, including profiling to the extent that it is related to such direct marketing activities, and to any automated means using technical specifications in the context of information society services

• To be forgotten (erasure of your data)

You can delete or request deletion of your Account and uninstall the Protect My Privacy app at any time. Protect My Privacy will not however be able to delete all our personal data to the extent that it is necessary to meet its legal obligations

• Right to data portability

This is a new right and only applies to those processing activities that are conducted under the legal basis of Consent or on Contract and the processing is carried out by automated means. Your data can be transferred to another data controller or to you directly where technically feasible

• Right to object to automated decision making and profiling

The data subject can object to automated decision-making and profiling in certain circumstances and request human intervention in the decision-making process. Protect My Privacy does not make any decisions based on purely automated means, but if we do, you have a right to object

• Right to withdraw consent for those data processing activities based on consent

Where the processing of personal data is conducted with Consent as the legal basis, the data subject can withdraw consent at anytime

Each data subject request to exercise the rights noted above will be reviewed against the requirements of the Data Protection (Jersey) Law 2018 and other relevant data protection laws, and in certain circumstances (e.g. restriction, erasure, objection, data portability) these rights may not be exercisable by the company. Full explanations will be given in such cases.

Making a complaint:

The Jersey Office of the Information Commissioner (“JOIC”), Channel Islands, is an independent statutory authority where you can make a complaint or learn more about data protection in Jersey. Their office is located at 2^nd Floor, 5 Castle Street, St. Helier, Jersey, JE2 3BT. Their website is www.jerseyoic.org and their telephone number is 01534 716530.

Security features:

Protect My Privacy is committed to ensuring the security of your personal data and has implemented appropriate commercially reasonable technical, physical, and organisational measures to prevent unauthorised or unlawful processing of your personal data or accidental loss or destruction of your personal data.

Our Security Policy is available on our website here.

Our website is encrypted using HTTPS (Hypertext Transfer Protocol Secure). In HTTPS the communication protocol is encrypted using Transport Layer Security (TLS). This provides a secure method of communication with us and any personal data uploaded onto our website is securely managed by our website data processor services.

Email communications are scanned using the latest version of anti-virus and malware software deployed by our business. Personal data held by Protect My Privacy is only available to authorised members of staff. No member of Protect My Privacy staff is able to access decrypted Photo ID or biometric data (Selfie).

Our computer systems have secure audit trails and we have robust backup capabilities in place to ensure that our services can continue uninterrupted for our customers.

Management and employees are trained in their data protection responsibilities and obligation to handle personal data in a confidential manner.

Change to this notice:

Protect My Privacy may update this Privacy Notice at any time. The updated notice will appear on our website www.protectmyprivacy.app and  www.revoke.com and in our Terms of Business.

This Privacy Policy was last updated on 13 December 2022.

Contact details:

If you have any questions, concerns, or complaints with respect to this Privacy Policy or the handling of your privacy or personal information, please contact our data protection manager at dpo@revoke.com.