TrustBuilder is committed to protecting and respecting your privacy.
This policy explains how we use any personal information that you provide to us through our website, application, or through direct contact with our sales, support or customer success representatives. It will also explain to you how we use any personal information provided to us through our customers and used by us as part of our service to them. Finally, this policy will explain to you the conditions under which we may disclose your information to others, how we keep it safe and secure, and your rights and choices in relation to your information. Please read it carefully. We may change this policy in the future and will post any changes on this page, so please check back frequently.
For the purposes of data protection law, TrustBuilder acts as either the controller or the processor of your personal information, depending on the type of processing we are performing. It will be made clear in the following sections which of these roles we are fulfilling for which usages of your personal information.
Any questions regarding this policy or our privacy practices should be sent by email to gdpr@TrustBuilder.com.
Who are we?
TrustBuilder nv is an Ghent, Belgium based company providing identity and access management services. In this policy, ‘TrustBuilder’, ‘we’, ‘us’, or ‘our’ means TrustBuilder Corporation NV. Our Data Protection Officer can be contacted at gdpr@TrustBuilder.com.
Information we may collect from you ourselves
If you are a customer of TrustBuilder, if you are submitting information to us directly via our website, application, or in person to a representative, or if we are collecting information about you via public sources, then we will be operating as a controller for the purposes of data protection law.
What information do we collect from you?
As a controller, we may collect and process the following information about you:
- your name and contact details (including email address and telephone number);
- your company and function at that company;
- information about your activities on our website, and about the device used to access it, for example your IP address, geographical location, browser, or device type;
- information about your interactions with emails we have sent you, and about the device used to read these emails, for example your IP address, geographical location or device type;
- transcripts or recordings of support or sales conversations with representatives, including via email, live chat, or by phone;
- public information, for example public social media accounts, corporate website, and public governmental records.
Data protection laws recognize certain categories of personal information as sensitive and therefore requiring greater protection, for example information about your health, ethnicity and religion. TrustBuilder usually does not collect these kinds of information. In the event that we do collect this information, we will make it clear to you why we are collecting this type of information, what it will be used for, and any special measures we will take to protect it at the time of collection.
How do we collect information from you?
We may collect this information from you when you perform one of these activities:
- when registering for an account;
- when requesting a demo;
- when downloading promotional material from us;
- when entering a competition operated by us;
- when reporting a problem with our services;
- when communicating directly with a representative;
- when entering into a contract with us for the supply of services.
How do we use your personal information and how long do we keep it for?
As a controller, we use personal information we collect from you for the following purposes:
Providing and personalizing our services to you
We will use your personal information for:
- providing and securing your access to our application;
- personalizing any communication about the services we provide to you;
- completing any transactions that you do with us;
- administering promotions or competitions that you enter with us;
- managing, operating, and supporting your account with us.
We will retain this information until the fulfillment or cancellation of our service to you, unless expressly provided otherwise, plus any period mandated by applicable Belgian law.
Fulfilling your requests
We will use your personal information for:
- providing you with requested information, such as white papers, educational material, or other specific documents;
- arranging demonstrations of our products and services, at your specific request;
- satisfying and documenting GDPR rights requests;
- allowing you to participate in interactive features of our website or application, when you choose to do so.
We will retain this information for a maximum period of 12 months after your last communication regarding your request, unless expressly provided otherwise, plus any period mandated by applicable Belgian law.
We will use your personal information for:
- ensuring that our content is presented in the most effective manner for you and your device;
- administering our website and application for internal business purposes, such as troubleshooting, data analysis, testing, research, statistical and survey purposes;
- protecting our interests and those of third parties who we employ as sub-processors or who employ us as sub-processors, but only in the context of securing and keeping safe our services and your information;
We will retain this information for a maximum period of 36 months after your last interaction with us. After this period we may retain non-identifiable information in an aggregated or anonymized form for the same purposes.
Marketing, sales, and advertising
We will use your personal information for:
- providing you with information about goods and services that we offer that we think may interest you, which may be based on a profile we have built of you using other information collected by TrustBuilder;
- measuring and understanding the effectiveness of advertising materials we serve to you.
We will retain this information for a maximum period of 36 months after your last interaction with us.
Data protection law requires us to rely on one or more lawful grounds to process your personal information. We will always use one of the following grounds:
Where you have provided specific, informed, consent to us to use your personal information in a certain way, such as to send you an email, text, and/or telephone marketing.
Performance of a contract
Where we have entered into a contract with you or are performing our obligation under it, such as when you become a customer and use our application, or when you request a demo or educational document from us.
Where it is reasonably necessary to achieve our or others’ legitimate interests. This may include your legitimate interests. Our processing must be fair and must not unduly impact your rights.
For example, we may use your personal information to:
- send sales communications we think may interest you based on your company, function in that company, or other public information that indicates your interest in our areas of activity;
- better understand how people interact with our services and application;
- personalize or improve our service and applications for the benefit of our customers;
- protect our services and data from threats to their safety and security.
Where it is necessary so that we comply with a legal obligation to which we are subject, for example a court order, or a requirement to maintain records.
You have the choice as to whether or not you receive marketing or sales information from us. You can withdraw your consent at any time by making a rights request, or in the example of email by unsubscribing from the link at the bottom of our emails.
We will not use your personal information for marketing or sales purposes if you have indicated to us that you do not want us to do so. However, we may still contact you for other purposes, such as to manage your account or fulfill a specific request from you.
Under Belgian data protection law when we are operating as a controller you have certain rights over the personal information we hold about you.
Here is a summary of your relevant rights:
Right to access
You have the right to request from us access to your personal information.
You also have the right to request a copy of the personal information we hold about you and we will provide you with this unless legal exceptions apply.
Right to rectification
You have the right to have inaccurate or incomplete information we store about you corrected. It is important to us that your information is correct as we rely on it to optimize our services so we will work with you to ensure that your data are correct.
Right to erasure
You may ask us to delete some or all of your personal information and we will do so, subject to certain exceptions. In many cases we will anonymize your information rather than delete it.
In the case that your information has been included in a backup as part of our disaster recovery process, we will not directly delete your information. However, in the event we need to restore our service from this backup, we will maintain a list of erasure requests and use this list to delete your information again from our services and applications before the restoration is completed. We retain backups for a maximum period of 12 months. Backups are always stored encrypted and access to them is controlled.
In the case that we receive your information from a third party and this third party sends us your information again after we have received an erasure request we will maintain a list of erasure requests and use this list to filter out your information before it enters our services or applications. We will notify the third party of their mistake in sending us your data again. We will continue to do this for a period of 6 months. After that period we will assume the controller has received new authorization from you to send us your information and will begin processing of your information anew. Some personal information of yours may be stored in a raw form on our systems if this occurs.
Right to restriction of processing
You have the right to ask us to restrict the processing of some or all of your personal information if there is a disagreement about its accuracy, or if there is a dispute over our lawful use of it. We will do this.
In the event that this restriction of processing is lifted, either by you, by us, or by a decision of the Belgian Data Protection Authority, then we will notify you prior to continuing the processing of your information.
Right to data portability
If we are processing your information (1) based on your consent, or as part of a contract with you, and (2) the processing is being done by automated means, then you may ask us to provide to you or to another service provider all of your information in a machine readable format and we will do this.
Right to Object
You have the right to object to us processing your information when we are using it for any of the following conditions:
- based on legitimate interests;
- for direct marketing purposes;
- for statistical or research purposes.
If you want to exercise any of your rights as described above, please email us at gdpr@TrustBuilder.com. We will treat your email address as your identifier and use the existence of access to the email address as proof of identity. If you wish us to use another identifier, such as your name, address, or telephone number, we will require proof of identity before we can process your request.
In the event that data protection law identifies us as the processor of your information then we will also pass on your request to our customer, the controller of your information, to ensure that they also comply with your request, if relevant.
For all rights requests, we will respond to you within one month of your request being made. We may, as part of that response, ask for a further two months extension to complete your request. We will complete your request in a maximum of three months after your request.
There are exceptions which apply to a number of these rights, and not all rights are applicable in all circumstances. If you wish to have more information about the details of your rights, we recommend you consult Belgium’s Data Protection Authority.
In addition to these rights, you have the right to lodge a complaint with the supervisory authority which oversees our usage of your personal data and our compliance with data protection law. In the case of TrustBuilder, this is the Belgian Data Protection Authority.
Information we may collect from you via our customers
If one of our customers has gathered information about you and is legally entitled to share that information with us then we may have access to that information. If this is the case then we will, for the purposes of data protection law, be operating as a processor.
What information is provided to us?
As a processor, we may be provided with the following information about you by our customer:
- transaction data detailing your transaction history with the controller. This may include goods and services purchased, quantities, prices, time and location of purchase and methods of payment;
- engagement data detailing your interactions with the controller’s emails, websites, applications, or physical premises. This may include the time, location, method and type of the interaction and what was interacted with;
- personal information about you, such as your email address, telephone number, name, gender , date of birth, address and country of residence, the language you prefer to speak, and whether you represent an individual, a company, a re-seller of services, the government, or something else. We will also receive an affirmation from the controller that they have a legal basis for sharing your information with us. Our applications and services will reject any data which do not contain this affirmation, although your information may still be stored in a raw encrypted form on our servers for a period of time.
What do we use information provided to us for?
As a processor, we use personal information provided to us only with the direct instruction of our customers. We may provide the following kinds of processing service to our customers:
- analysis of your information for the purpose of providing more effective marketing messages to you via segmentation;
- analysis of your information for the purpose of providing insight to our customers into their business;
- analysis of your information for the purpose of building a profile of your likes, dislikes and habits. This profile will be used to provide more effective marketing messages to you based on a prediction of your future behaviors. This profile will not be used outside of this context or for making any decisions which could significantly affect you.
How long do we keep your personal information for?
As a processor, we will retain your personal information according to the instructions of our customers, but no longer than the length of the contract with that customer. We may, with the permission and oversight of our customer, keep your information in an anonymized or aggregated form after the termination of our contract with them.
Who has access to your information?
Whether operating as a controller or a processor of your personal information, the following applies.
We do not sell or sell access to your personal information to third parties.
We do not share your information with third parties for their marketing purposes.
However, when a customer of ours, with your consent, provided your information to us as part of our service offering, we share the information resulting from our service with that particular customer (and that customer only).
Further, we may disclose your information to third parties to achieve the purposes laid out in this policy. We may do this for any of the following reasons:
- with service providers, to help us run our business and perform services you request or services our customers request as your data controller. This can include cloud service providers, software tooling for our business, or other tooling or services;
- analytics and search engine providers, to help us improve and optimize our service. In general, these data will not be directly identified.
Additionally, we may also share personal information with third parties in the event that TrustBuilder (or substantially all of its assets) is acquired by another entity, or if we’re required to do so by law.
In all cases when we share information with a third party, we will ensure a robust and legally binding Data Processing Agreement is in place with that third party prior to transferring your personal information to them.
When, for the purposes of data protection law, TrustBuilder is operating as a processor of your personal information, we will disclose the concrete list of third parties we share your information to with our customer, your controller, and they will approve of this list prior to transferring your information to us. In the event that we change or add a processor then we will provide our customers, your controller, with notification of this change 14 days prior to the change coming into effect and allow them the possibility to object to the change.
Keeping your information safe
When your personal information is given to us, we take steps to ensure that technical and organizational measures are in place to protect it.
When we transmit your personal information across the internet, we protect it with SSL encryption. We do this both for data we transmit to and from web-browsers and when we are moving data between our services and those of third parties. We also require third parties to communicate your information with us via SSL encrypted channels.
When your personal information is at ‘rest’ upon our servers, we encrypt it using various state of the art encryption technologies.
When your personal information is in use by our services or applications, we control access to it via fine-grained permissions and secure authentication and authorization technologies.
When we process your information into profiles or histories of you, we endeavour to separate identifiable and identified information into different parts of our services. This helps to limit the possibilities of misuse of your information, or, in the event of a data breach, to limit the ability of your information being linked back to you.
Your information security is an important part of our business and engineering processes. We consider your privacy at all stages of design, implementation and operation of our services and applications.
Transferring your information outside of the EEA
As part of the services we offer to you, or to our customers when they have asked us to process your data on their behalf, the information you provide us may be transferred outside of the European Economic Area (“EEA”). This may occur if our servers are located outside of the EEA or if we contract a third party located outside of the EEA.
In the event that we transfer your personal data outside of the EEA, and in line with data protection law, we will only do so if the third party is approved via one or more of the following mechanisms:
- an adequacy decision from the European Commission has decided that the third party country to whom we are transferring data offers a sufficient level of protection for your information;
- the third party and TrustBuilder have entered into a data protection agreement following European Commission approved standard procedural clauses;
- the third party is based in the United States of American (“USA”) and is a part of the European Commission approved, USA operated, EU-US Privacy Shield.
In general, TrustBuilder will prefer service providers who operate their businesses within the EU, and will prefer servers hosted inside the EU for those services based elsewhere.
Our websites and applications may use the Google Analytics website recording service. Google Analytics is a web analytics service provided by Google LLC. TrustBuilder does not communicate identified information to Google Analytics, however we do communicate your patterns of usage to Google Analytics and this could be combined with other sources of information to identify you.
Should you wish to opt-out of your data being processed by Google Analytics, you can do so using their opt-out tool.
Use of ‘cookies’
Like many websites, TrustBuilder uses ‘cookies’ and similar technologies in the operation of our website and application. ‘Cookies’ are small pieces of information sent to you by an organization and stored on your hard drive. They can allow that website to recognize you when you visit them. This information helps us to deliver a more personalized service to you.
It is possible to switch off cookies in your browser preferences. However, doing so may result in a loss of functionality on our website and application.