Privacy Policy

1. Data We Collect

We collect and process personal data necessary to operate our services, including:

• Account data: name, email address, phone number, company name, and billing details.
• Access and credential data: digital credentials, access logs, timestamps, and device identifiers.
• Usage data: feature interactions, configuration changes, API calls, and support requests.
• Technical data: IP addresses, browser types, operating systems, and device information.
• Biometric data (optional): templates used for facial or fingerprint authentication, processed only with your explicit consent.
• Support correspondence: records of inquiries and our responses.

2. Legal Bases for Processing

Under Article 6 of the GDPR, we rely on the following lawful bases to process personal data:

• Contract performance: to provide services, manage accounts, and process payments.
• Legitimate interests: to improve functionality, prevent fraud, and maintain security.
• Legal obligations: to comply with tax, accounting, and regulatory requirements.
• Consent: for biometric processing and marketing communications, which you may withdraw at any time.

Where required by law, we may rely on additional legal bases consistent with these purposes.

3. How We Use Personal Data

We use personal data to deliver, maintain, and improve our services; manage billing and subscriptions; provide technical support; detect and prevent fraud; develop new features; and meet our legal and regulatory obligations.

4. Data Sharing and Processors

We do not sell or share personal data with third parties. Personal data is stored and processed in our secure cloud environment, hosted on third-party infrastructure providers such as AWS. These providers act solely as data processors under our instructions and are bound by strict confidentiality and data protection agreements. We may disclose data only when legally required or necessary to defend our rights. We may disclose data only when legally required or necessary to defend our rights.

5. Data Storage and International Transfers

For EU customers, data is stored and processed within the European Union. For international users, data may be processed in regional data centers to optimize performance. When data is transferred outside the EU, we implement safeguards such as Standard Contractual Clauses and additional security measures to ensure GDPR compliance.

6. Data Retention

We retain data only for as long as necessary to fulfill the purposes described:

• Account data: duration of active account plus two years.
• Access logs: up to two years for security and audit purposes.
• Billing records: seven years to comply with tax requirements.
• Marketing data: until you opt out of communications.

7. Your Rights

You have the following rights under the GDPR:

• Access your personal data and information about its processing.
• Correct inaccurate or incomplete data.
• Request the deletion of your data in certain circumstances.
• Restrict or object to specific processing activities.
• Receive a portable copy of your data.
• Withdraw consent for biometrics or marketing at any time.

To exercise these rights, contact privacy@passwave.io. We will respond within 30 days. If you are unsatisfied with our response, you may contact your national data protection authority: https://edpb.europa.eu/about-edpb/board/members_en .

8. Security Measures

We protect your data using industry-standard safeguards, including TLS 1.3 encryption in transit, AES-256 encryption at rest, multi-factor authentication, strict access controls, continuous monitoring, and independent security audits. We will notify affected users within 72 hours of any breach that poses a risk to personal rights.

9. Children's Privacy

Our services are not directed to individuals under 16 years of age. If we become aware that personal data has been collected from a minor, we will delete it immediately.

10. Policy Updates

We may update this Privacy Policy to reflect changes in our practices or legal obligations. Material updates will be announced at least 30 days before they take effect.

11. Contact

For privacy inquiries or data-rights requests, contact privacy@passwave.io or our Data Protection Officer at dpo@passwave.io.