Data Protection Policy
In summary, as explained further detail at https://www.vereign.com, we endeavour to empower you with self-sovereign identity and seamless addition of integrity, authenticity and privacy to any kind of digital service (hereinafter “Vereign Services”) and your associated digital identity account (hereinafter: “Vereign Identity”).
After your successful on-boarding we are providing you at https://app.vereign.com with the central user interface of your Vereign Identity, enabling you to check and edit your identity, individual profiles and stored interaction information (hereinafter: “Vereign Dashboard”) .
We will also offer you to install certain plug-ins for other applications and services starting with - but not limited to your Microsoft Office 365, Gmail account, LibreOffice and Roundcube based email web clients (hereinafter collectively: “Vereign Extensions”). Additional Vereign Extensions will be gradually available one after another. In case activated by you such Vereign Extensions will sent data to your Vereign Dashboard. Consequently, Vereign Dashboard will show you any respective data and interactions- you choose to use Vereign Extensions for.
I. Name and contact details of the controller
6300 Zug, Switzerland
II. General information
At Vereign we respect your personal data. Naturally, our data protection practice complies with applicable law including but not limited to the Swiss Data Protection Act (“Swiss DPA”) and its Ordinance (“Swiss DPO”). Also we are fully compliant with the General Data Protection Regulations (“GDPR”) of the European Union and its local adaptations including but not limited to the German Federal Data Protection Act (“Bundesdatenschutzgesetz”).
As a matter of principle, we collect and use personal data as much as necessary to provide our services requested by you (Art. 6 para. 1 Lit. b GDPR). A notable exception applies where a contractual basis is not apparent and the processing of personal data can only be authorised via your explicit consent (Art. 6 para. 1 Lit. a GDPR). In such a situation we will explain to you the exact purposes and consequences of the concerned data processing and you may at any time retrieve your consent given to us. In no event will we sell your personal data to any third party for any business or political agenda.
III. Allowed purposes for collecting and processing your personal data
1. Contact Forms and Job Offerings
On our website https://www.vereign.com/ we provide you with:
a) Contact forms like “count me in” button
We are providing you with the opportunity to get in touch with our team and you may send us a respective email, asking us to keep you informed about our projects and related events and other announcements. In particular we offer you a “count me in” button, which provides your chosen mail client with our contact email address firstname.lastname@example.org. In case you explain to us in such an email, you would like to participate in our projects or at least you would like to be informed about further developments, events and other news, we will include your provided email address, in an email list we use in case of the purposes just outlined above.
After you gave us your contact details (/email address), you may at any time retract your consent and object to any further usage of your emails address for the mentioned purposes. In order exercise such a right to object future usage of your email address, please just write us another email to email@example.com and we will delete your email address from our list without undue delay.
b) Applications for advertised job offerings
On our website we may also provide you with the opportunity to apply for advertised job positions, within our company group. In case you choose to apply to such a particular job offering, we will use your name, contact details and all other provided information exclusively for the relevant application process. In case you choose to opt for “Send me further details about other vacancies” we will also use your contact details and all other provided information to keep you informed about future job positions, even after the job offering you applied to has been filled. But of course, you may retract your consent any time (see also below: VII. Rights of the data subject).
2. Creating your Vereign Identity
You may choose to create a Vereign Identity at https://app.vereign.com, in this case we will use account information (provided by you during the on-boarding, including but not limited to your email address or telephone number) for the purposes of creating and validating your Vereign Identity. In particular, as explained during the on-boarding process, you will receive an email and/or text message in order to verify the provided contact details by means of a unique code.
3. Maintaining your Vereign Identity
In case of an account recovery processes has been triggered, we will use your provided contact details in order to safeguard that the processes has been triggered by you and to guide you through the necessary steps. Furthermore, in order to provide you with an audit-log of your Vereign Identity we collect technical information, as shown to you in your Vereign Dashboard tab “Activity”. This audit log provides you with tamper-proof evidence of all your “vereigned” actions. Data stored for this security feature is:
- Internet Protocol Address (IP address)
- Universally Unique Identifier of your used computer device (“UUID”)
- The category of your activity (e.g. login into your Vereign Dashboard, creation of profiles and claims just as well as sending emails or signing documents)
- Time and Date of your activity
- Blockchain Hashes (that have been written on a blockchain, see clause II no. 4 below)
4. Blockchain hashes
In certain events while using Vereign Services and as part of your audit log (as described in the previous section under clause II no. 3 above) a hash function is mathematically obfuscating data categories (hereinafter: “Input Data”), and this hash is subsequently written to a public Blockchain network administrated by Æternity Establishment.
In short, such a cryptographic hash function and subsequent transfer shall allow you (and your chosen recipients) to verify the authenticity and integrity of sent and received Input Data with the aid of the Blockchain hash. As long as a copy of the Input Data exists, the Blockchain hash will provide evidence that this copy of data is authentic and has not been altered (after being hashed). By itself the Blockchain hash is just a seemingly random sequence of characters identified by an abstract one time transaction identifier.
All activities where Input Data is hashed, are shown to you in detail under the tab “Activity” in your Vereign Dashboard. Such events are: Login into your Vereign Dashboard, creation of profiles and claims just as well as sending emails or signing documents. The data categories of the Input Data are shown to you in connection with the respective activity and may deviate from event to event. The following data categories are currently used for the Input Data:
- Device name
- Device IP
- Device UUID
- User UUID
- Claim Name
- Claim Value
- Recipient list
- Profile name
- Profile UUID
- Thread name
- Email ID
- Document name
Given the complexity of this Input Data the resulting Blockchain hash is practicable infeasible to invert, without having access to the original Input Data anyway (e.g. your vereigned email, profile or document). We even add another layer of random values to further increase the unlikeliness that a powerful computer could “brute force” the hash and thereby understand what information had been contained in the Input Data.
That also means as soon as you chose to erase the original Input Data (e.g. erase you Vereign Identity and all associated data) the abstract hash on the Blockchain will have no counterpart and will consequently not represent personal data anymore. Thereby it is technically feasible to separate your personal information from the abstract hash, leaving the abstract hash on the Blockchain without relevance for you and your personal information.
But please note, in case you have chosen to share your personal data via Vereign Services with other recipients these recipients will still have access to the confirmational value of the stored hash – due to the fact that they are still in possession of the Input Data (e.g. your email, profile or document you have chosen to share with this recipient). Same applies, in case your recipients share your data with others. This even applies in case a recipient forwards your information to others without your consent. However please understand, such a breach of confidence would be a matter between you and your recipients of communication.
5. Vereign Extensions
In case you choose to install and activate any of our Vereign Extensions any of your “vereigned” interactions will be sent to our servers and will be shown in your Vereign Dashboard accordingly.
On the other hand any activated Vereign Extensions will, after login verification, have access to your profiles as you have set up in Vereign Dashboard.
6. Keeping you up to date
As long as you choose to continue to use our Vereign Services we will keep you informed about our software development and additional Vereign Extensions. Also we may may ask about your user experience and other relevant feedback. For these reasons, we might reach out to you by using the contact details you choose to provide during your creation of a Vereign Identity.
7. Customer support and your Feedback
Also we provide you with the opportunity to give us your feedback, e.g. via a quick feedback function in your Vereign Dashboard (upper right corner in your Vereign Dashboard). In case you choose to address a certain issue or question via this functionality, we will automatically send your name, email address and phone number along with your feedback. This contact information has the sole purpose to help our support team to answer any question or mitigate your concern. After the support team has addressed your issue, your contact information and your feedback will be archived for 12 months - afterwards this information will either be anonymised or erased in its entirety.
Regardless of the channel you use to provide us with your feedback, as an open source company your collaboration and engagement is crucial for us. We need interested participants to test and try out the Vereign Services and provide us with feedback. If you choose to engage in such software testing and providing us with feedback, in the spirit of the open source community, this is also a main reason you are providing your related personal data to us and this purpose forms our legal relationship in the meaning of Art. 6 para. 1 Lit. b GDPR. We commit ourselves to exclusively use your related personal data for this purpose of testing and improving Vereign Services.
8. Secure Payment Gateway
The Payment Card Industry Data Security Standard (“PCI DSS”) is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment.
9. IP-Addresses and webserver log files
In order to allow for the requested website of Vereign Dashboard to be displayed in your browser, we need to temporarily store and process your IP address. The legal basis for this temporal storage of personal data is Art. 6 para. 1 Lit. f of the GDPR.
After your individual session has ended, your IP address will be saved anonymously in log files of our web server. The information in our log files includes:
- the exact pages you accessed in our URL(s)
- date and time of your request
- the name of your telecommunication provider
- your browser type
- your operating system
- your anonymised IP address
We will use this non-personal data exclusively to safeguard the functionality of the website. Such log files are highly relevant for optimising our webpage and to safeguard the security of our information technology systems.
10. Cookies and the Matomo web analysis service
We use “cookies” on our internet pages. Cookies are text files stored on your computer that help increase the ease of use, efficacy and safety of our internet service.
In case you provide us with your respective consent in our “cookie banner”, we will additionally place so called “tracking cookies” in your browser and we will analyse the data stored by such tracking cookies on your machine using “Matomo” web analysis software. Such cookies will remain in your browser for longer periods than the individual session. The purpose of this data processing is to improve our internet sites and for this we need to understand what function or information proves useful or at least interesting to our visitors. For this purpose, information of usage (generated by the “tracking cookies”) is transferred to our server and stored for respective usage-analysis purposes. But your IP address is already stored in the cookie simply in an anonymised form only, and it is only recorded in this form by our web analysis software so that you remain as anonymous as feasible as an individual user in the context of the analysis. In detail in such “tracking cookies” we store:
However, if you do not wish to agree to the use of such “tracking cookies” anymore, you can erase them or even prevent their use with a corresponding setting in your browser software. You can also object to the use of data recorded by “tracking cookies” by clicking the following link. In this case, an “opt-out cookie” is placed in your browser, which means that Matomo will not record any session data at all. Important: If you delete your cookies, this means that the opt-out cookie will also be deleted and that you must reactivate it, if necessary. If you do wish to place an opt-out cookie right now, please opt out below.
Matomo Cookie Preference
IV. Interfaces to other Service Providers
In the course of development we will include more and more options for you to enhance your Vereign Identity with other service providers. But it will always be your choice either to use or not to use such third party providers and to link your Vereign Identity to such service providers.
While personalising your Vereign Identity you may choose to add profile pictures under https://www.vereign.com/identity. During this process we provide you with an option to include your avatar pictures as uploaded to a non-affiliated third party provider “Gravatar” (https://gravatar.com, https://automattic.com/privacy). In case you choose this option we will send the hash of your email address via an encrypted connection to this third party provider. In the event there is a user account matching the hashed email, Gravatar will provide your avatar picture to your Vereign Identity.
V. Data erasure and storage period
At any time after you have entrusted us with your personal data, e.g. to create and maintain a Vereign Identity, you may object to any further usage of your personal data (including but not limited to your email address or telephone number or any other personal data you have chosen to include in a profile or recorded interaction in the dashboard application). In order to exercise the right to object future usage of personal data, please just write us an email to firstname.lastname@example.org indicating your request and we will delete your account will be blocked within two weeks after we have received your authenticated mail.
In case you choose to write us an unauthenticated mail (not using the Vereign Services), we may ask you to provide us with sufficient evidence that you are indeed entitled to the Vereign Identity you claim to represent.
As a safety feature, after receiving such a request for deletion, we will reach out to you through any of the communication data you have choose to provide to your Vereign Identity. In case you indeed wanted to erase your Vereign Identity, these communication serve as confirmation of receipt of your requested deletion. In case you did not intent to delete your Vereign Identity, and any associated data, please reach out to us using email@example.com.
For a transition period of two months after a request for deletion we will keep your stored data (identity claims, emails and documents), and you may reactivate your Vereign Identity during this period, for such an reactivation please reach out by using firstname.lastname@example.org. But after this transition period of two months your data will be erased in a non recoverable way.
Without such a specific request your personal data will be erased as soon as the defined purpose of storing the data ceases to apply.
However, please note there may be explicit legal obligations or at least recognised interests of our company in line with EU GDPR and other applicable legislation to keep some of your personal data stored (or at least recoverable) for a certain retention period, even after the original purpose of storing your data ceases to apply, or you have exercised your right to object further usage of your personal data (Art. 6 para. 1 Lit. c and d GDPR). In such a case, the data will be erased if a storage period stipulated by the aforementioned rules or legitimate interests expires. In particular in case you choose to communicate with another Vereign recipient via Vereign Extensions, these other recipients using Vereign Services will keep a respective copy of your email conversation or exchanged document in their interaction history (as long as they choose to store this information), even after you decided to erase your account and personal data.
VI. Data processors
The recording, processing and use of personal data during the registration for your Vereign Identity as well as for subsequent usage of Vereign Services is primarily carried out by us, and our subsidiary Vereign Labs Ltd. (a Bulgarian company, having its registered office address at 152 “Sixth September” street, 3rd floor, office 3.6 В, Plovdiv 4000, Bulgaria).
However, for specific tasks, like sending you a confirmation SMS (in case you choose to provide us with your mobile phone number) or providing you with a secure payment gateway (see clause III no. 8 above), we also have contracted external service providers.
VII. Rights of the data subject
According to applicable law (in particular Swiss law but even more so GDPR) but also due to our own commitment you shall have the following rights toward us:
1. Right of access: You may request information about your data processed by us, in particular about the purposes of processing, the category of personal data, the categories of recipients to whom the data have been or will be disclosed by us, the envisioned period of storage, the existence of a right of rectification, erasure, restriction of processing or objection to it, the existence of a right to lodge a complaint, where your data are collected from (if these are not collected by us), and the existence of automated decision-making, including profiling.
2. Right to rectification: You have the right to demand without undue delay the rectification of inaccurate personal data stored by us as well as to have incomplete personal data stored by us completed.
3. Right to erasure: You have the right to demand that personal data stored by us be erased as long as the processing of this data is not necessary to fulfil a legal obligation, for reasons of public interest, or for the establishment, exercise or defence of legal claims.
4. Right to block data: You have the right to demand to have your personal data blocked. Data that is blocked will not be deleted from our databases, but it will not be processed as long as being blocked.
5. Right to data portability: You have the right to receive your personal data in a structured, commonly used and machine-readable format, or to demand that it be transmitted to another controller.
6. Right to object: Consent given to process your personal data can be revoked at any time. As a result of this, we will no longer be permitted to continue processing data based on this consent in the future.
7. Right to lodge a complaint: You have the right to lodge a complaint with any competent supervisory authority.
In order to exercise your rights as a data subject, please contact our Data Protection Team (email@example.com) or send an email or postal mail to our contact details as indicated under clause I above.
In case you exercise your rights in accordance with the GDPR towards us, we will not charge any fees. However, a reasonable fee may be charged if your inquiry is demonstrably abusive, improper or if you make a repeated inquiry without relevant justification.
We may need to collect information about you that will enable us to clearly identify you as a data subject. In doing so, we will endeavour not to complicate or even hinder your request. Rather, we want to make sure that none of your personal data falls into the hands of unauthorised persons.
VIII. Contact Details of the Data Protection Authority in Switzerland
In addition to the rights listed in the clause listed above, you are also entitled to report any presumed violation of applicable data protection law, to the competent supervisory authorities in your EU member state or you may contact the Federal Data Protection and Information Commissioner (FDPIC) as the federal data protection authority in Switzerland. The FDPIC’s contact details are as follows:
Federal Data Protection and Information Commissioner
Feldeggweg 1, 3003 Berne, Switzerland
Tel: +41 58 462 43 95
Fax: +41 58 465 99 96
We have implemented extensive security provisions and measures to protect personal data stored by us from unauthorized access, misuse, altering, misappropriation, destruction, and loss.
However, in case you choose to communicate with us via an insufficiently encrypted communication channel, we would like to point out that such insufficiently encrypted data transfer via the internet cannot provide any guarantee that access to your data by third parties is averted. Adequate protection of your data during unencrypted transfer from your system to our server is not possible in technical terms.
As of: March 2020