DATA SECURITY & PRIVACY POLICY


I. PRIVACY POLICY

Your privacy is important to Aware, Inc. (“Aware”), a provider of biometric software and services (the “Service”). This Privacy Policy describes the information practices for Aware websites, software, services and applications, including what type of information is gathered and tracked, how the information is used, and with whom the information is shared in accordance with applicable data privacy laws, including but not limited to the General Data Protection Regulation (“GDPR”). As described below, this policy also applies to your offline interactions with Aware, such as when you license software subject to an End-User License Agreement or enter into Terms of Service for an Aware offering or provide information to Aware at a trade show or other event.

Should you have any questions about this Privacy Policy you can contact us at privacy@aware.com.

We may supplement this Privacy Policy. Those supplemental notices should be read together with this Privacy Policy.

II. PERSONAL DATA

“Personal Data” means any information that may be used, either alone or in combination with other information, to personally identify an individual, including, but not limited to, a first and last name, a personal profile, an email address, or other contact information, one or more factors specific to his/her physical, physiological, mental, economic, cultural, or social identity, and biometric information. Personal Data does not include data from which you can no longer be identified, such as anonymized data.

III. BIOMETRIC DATA

“Biometric Data” means information about your physical or biological characteristics (some jurisdictions call these “biometric identifiers”) that identify you. Information like eye, hand, or facial images; fingerprints; and voiceprints may be considered biometric data if they are being used to identify you. This list is not exhaustive, and the definitions of biometric data may vary under different laws.

IV. LOCATION DATA

“Location Data” means information about your specific geographic location utilizing technologies such as GPS, network triangulation and/or Bluetooth to access an Aware application, such as the AwareID Authenticator application.

V. WHAT INFORMATION DO WE COLLECT ABOUT YOU, HOW DO WE COLLECT IT AND WHAT DO WE USE IT FOR?

This Privacy Policy discloses what Personal Data we gather, how we use it, and how you can correct or change it. It is our intention to give you as much control over your Personal Data as possible to preserve your privacy, while still allowing us to utilize that Personal Data in the course of our business to provide you a valuable service. Our site does collect cookies, which may include Personal Data, necessary for the basic function of our website, but only with your consent.

Personal Data We Collect

The kinds of Personal Data we collect may include but may not be limited to:

  • your first and last name;
  • your title and your company’s name;
  • your home, billing, or other physical address (including street name, name of a city or town, state/province, postal code);
  • your e-mail address;
  • your telephone number;
  • (for job applicants submitting electronic information) your educational background, employment experience, and job interest;
  • your biometric information;
  • any other identifier that permits Aware to make physical or online contact with you;
  • any information that Aware collects online from you and maintains in association with your account, such as: (a) your Aware username, (b) your Aware password, and/or (c) your credit card account information.

Our Basis for Processing Your Personal Data

We will process your Personal Data if and to the extent applicable law provides a lawful basis for us to do so. We will therefore process your Personal Data only:

  1. if you have consented to us doing so, and only for the purposes for which you have consented;
  2. if we need it to perform the contract we have entered into with you;
  3. if we need it to comply with a legal obligation; or
  4. except in the case of biometric information, if we (or a third party) have a legitimate interest which is not overridden by your interests or fundamental rights and freedoms.

Some processing of your Personal Data by Aware or its affiliates, subsidiaries, or agents may require us to transfer it from where it was collected to a third country. If your Personal Data was collected from a European Economic Area country or Brazil, we will transfer your Personal Data to a third country only if the appropriate authority has issued a decision that the third country provides adequate protections for your Personal Data, we include appropriate standard contractual clauses in our agreement pursuant to which the data is transferred, or with your consent.

How We Collect Personal Data

Aware collects Personal Data when:

  • you make purchases of products or services;
  • you provide biometric information when using the Service;
  • you request support for an Aware product or service;
  • you request free software downloads;
  • you create a user account (login username and password) on an Aware Site;
  • you register for webcasts, seminars, and roundtables;
  • you request information or materials (e.g., whitepapers or newsletters or meetings);
  • you participate in surveys and evaluations;
  • you participate in promotions, contests or giveaways;
  • you apply for a job or submit your resume to Aware;
  • you submit questions or comments to us.

Aware may also collect Personal Data from individuals (with their consent) at conventions, trade shows and expositions.

What Do We Use Personal Data For?

We will use your Personal Data to operate and improve our sites and the Service and deliver the Service or carry out the transactions you have requested. These uses may include providing you with more effective customer service; making the sites or services easier to use by eliminating the need for you to repeatedly enter the same information; performing research and analysis aimed at improving our products, services, and technologies; and displaying content and advertising that are customized to your interests and preferences.

We also use your Personal Data to communicate with you. We may send certain mandatory service communications such as welcome letters, billing reminders, information on technical service issues, and security announcements. We may contact you to inform you of other products or services available from Aware and its affiliates. We also may share content with you that you may find interesting or useful based upon your prior interactions with Aware. You may unenroll in promotional emails at any time pursuant to the instructions contained within such emails.

How Do We Transfer Personal Data?

We may transfer your Personal Data to our third-party service providers (such as a server hosting provider), but only to provide our services to you. We require third parties to whom we transfer your Personal Data to protect your Personal Data at least as strongly as we do. We may disclose your Personal Data to others under the same conditions as those under which we may process your Personal Data. See “Our Basis for Processing Your Personal Data,” above.

VI. WHAT WE MAY NEED FROM YOU

We may need to request specific information from you to help us confirm your identity and ensure your right to access Personal Data (or to exercise any of your other rights). This is another appropriate security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it.

VII. WHAT IF YOU DO NOT PROVIDE THE PERSONAL DATA WE REQUEST?

It is in your sole discretion to provide Personal Data to us. If you do not provide us with all or some of the Personal Data we request, we may not be able to enter into a contract with you or send you the requested information and you may be unable to access certain programs and services that involve our interaction with you.

VIII. WITH WHOM WILL WE SHARE YOUR INFORMATION?

Aware shares Personal Data with companies working on our behalf. Except as described in this statement, we will not disclose your Personal Data to third parties for their own marketing purposes unless you have provided consent. Aware does not provide your Personal Data to third parties for processing for purposes other than the purpose for which the information was collected.

Some Aware services may be co-branded and offered in conjunction with another company. If you register for or use such services, both Aware and the other company may receive information collected as part of the co-branded services.

In some cases, Aware uses contractors to collect, use, analyze and otherwise process information on its behalf. It is Aware’s practice to require such suppliers to handle information in a manner consistent with Aware’s policies. Aware may also allow carefully selected Aware partners to participate in limited marketing campaigns solely to promote Aware’s products and services to you.

If you request something from an Aware Site (for example, a product or service, a callback, or specific marketing materials), we will use the information you provide to fulfill your request. As part of a transaction, we may also contact you as part of our customer satisfaction surveys or for market research purposes.

We may hire other companies to provide limited services on our behalf, such as handling the processing and delivery of mailings, providing customer support, hosting websites, processing transactions, or performing statistical analysis of our services. Those companies will be permitted to obtain only the Personal Data they need to deliver the service. We require them to process the data only when they have a lawful basis for doing so.

In some cases Aware may disclose your Personal Data where required to the extent necessary to meet a legal obligation to which Aware is subject, including a lawful request by public authorities and national security or law enforcement obligations and applicable law, rule, order, or regulation or where reasonably necessary for compliance or regulatory purposes, or for the establishment of legal claims.

IX. YOUR RIGHTS IN RELATION TO YOUR INFORMATION

You may have some of the following rights as an individual which you can exercise, based on the jurisdiction in which you live, in relation to your Personal Data that we hold. These rights may include:

  • request that we confirm the existence of the processing of your Personal Data;
  • request access to your Personal Data and request the following information about its processing:
    • the purpose of processing;
    • the categories of Personal Data processed;
    • the recipients or categories of recipient to whom your Personal Data have been or will be disclosed;
    • the source of the Personal Data if not obtained from you;
    • whether the processing of your Personal Data involved automated means, and, if so, information about the logic of the automated processing and the significance and envisaged consequences of the automated processing;
  • request us to rectify (i.e., correct) your Personal Data;
  • request us to anonymize your Personal Data;
  • request to send you your data so that you may transfer it to another person, subject to commercial and industrial secrecy;
  • request us to erase your Personal Data;
  • request us to restrict the processing of your Personal Data;
  • object to the processing of your Personal Data.

If you want to exercise one of these rights, please contact us at privacy@aware.com. We will in general respond to European residents’ requests within one month, although we may extend the period for two further months if necessary. We will respond to Brazilian residents’ requests to confirm the existence of processing and access their Personal Data within 15 days, and Brazilian residents’ other requests within the relevant regulated time-period.

You also have the right to make a complaint at any time to the supervisory authority for data protection issues or, for EU residents, any other competent supervisory authority of an EU member state. You may request from us the contact information for the appropriate authority.

X. RIGHT TO WITHDRAW CONSENT

In case you have provided your consent to the collection, processing, and transfer of your Personal Data, you have the right to withdraw your consent fully or partly. To withdraw your consent, please contact privacy@aware.com. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose(s) to which you originally consented unless we have another lawful basis for processing your Personal Data.

XI. HOW LONG WILL WE RETAIN YOUR INFORMATION?

We will only retain your Personal Data for as long as necessary to fulfil the purposes for which we have a lawful basis to process it.

To determine the appropriate retention period for your Personal Data, we will consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Upon expiry of the applicable retention period, we will securely destroy your Personal Data in accordance with applicable laws and regulations.

XII. FEES

You will in general not have to pay a fee to exercise any of your individual rights mentioned in this Privacy Policy. However, we may charge a reasonable fee if your request to exercise your individual rights is manifestly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances. We may also charge you a reasonable fee if you request multiple copies of your Personal Data.

XIII. USERS OF AWARE SOFTWARE AS A SERVICE (SAAS)

Aware Business Client. An Aware customer/client who has subscribed to an Aware SaaS product to utilize the Service. Aware makes the Service available to an Aware Business Client for integration into those third parties’ websites, applications, and online services or for direct use through the AwareID Authenticator Application.

Data Processor. Aware collects, uses, and discloses individual users’ information only as directed by the Aware Business Client and, accordingly, under applicable data protection laws, Aware is a processor or service provider (“data processor”) of user information with respect to the Service and not a controller, owner or business (“data controller”).

How Aware shares personal information with other entities. In general, Aware shares the personal information that we collect in connection with the Service as discussed below. Aware shares personal information only as directed by the Aware Business Client, and thus the following language is subject to the privacy policy of the Aware Business Client.

Customer Data Controller. Aware shares the personal information that Aware collects on behalf of a particular Aware Business Client with that particular Aware Business Client, sometimes called a “Customer Data Controller.”

Legal purposes. Aware may also use or share your personal information with third parties when we have reason to believe that doing so is necessary:

  1. To comply with applicable law or a court order, subpoena, or other legal process;
  2. To investigate, prevent, or take action regarding illegal activities, suspected fraud, violations of our terms and conditions, or situations involving threats to our property or the property or physical safety of any person or third party;
  3. To establish, protect, or exercise our legal rights or defend against legal claims; or
  4. To facilitate the financing, securitization, insuring, sale, assignment, bankruptcy, or other disposal of all or part of our business or assets.

How Aware uses your Biometric Data and/or Location Data as part of the AwareID Authenticator Application. Aware may use your biometric data and/or location data to allow you to enroll in and/or authenticate in the service(s) you have selected from an Aware Business Client.

Enrollment

By consenting to use the application, Aware may collect one or more biometric identifiers that are captured by the device through the mobile application and transmitted to Aware’s biometric cloud service for analysis. Aware may analyze those biometric identifiers for liveness and may compare your facial image to a facial image scanned from an identification document solely for the purposes of verifying identity. The verified identity may be enrolled and stored by the Aware Business Client who maintains ownership of the stored data.

Authentication

By consenting to use the authentication services, Aware may collect biometric identifiers at the time of authentication to compare one or more of the biometric identifiers captured during enrollment which are stored and owned by the Aware Business Client. During authentication, Aware may also collect your location data if you are utilizing our physical access control solution via the AwareID Authenticator Application.

Retention

Aware will retain the biometric data, including the photo of your face and photo or scan of your identification document, for the amount of time requested by the Aware Business Client through which you used Aware’s Service. In no event will Aware store your biometric data after Aware ceases to have a customer relationship with the Aware Business Client through which you used Aware’s Service. Aware does not retain or store your location data.

Information for California Residents. Aware processes your personal information on behalf of the Aware Business Client pursuant to a written agreement for the Service. As such, Aware acts as a service provider to the Aware Business Client. Moreover, Aware does not sell your personal information as the terms “sell” and “personal information” are defined by California Civil Code Sec. 1798.100 et seq. (the “CPRA”, also known as the California Consumer Privacy Act “CCPA”) and, in providing its services to the Aware Business Client, Aware will not retain, use, or disclose your personal information to any other third parties that would constitute “selling” as the term is defined in the CPRA. Any questions or requests regarding Aware’s processing of your personal information in respect to your rights under the CPRA should be directed to the Aware Business Client that is responsible for your personal information.

Information for Illinois residents. Aware’s collection of personal information may include Biometric Data, and Aware may share such Biometric Data with the Aware Business Client. Aware may collect, process and store your Biometric Data for the purpose of the Service and long-term proof of inspection of your provided form of identification, on behalf of and as instructed by the Aware Business Client (e.g., the duration of your use of its services), which shall be no longer than the earlier of the date when (i) the Aware Business Client ceases to have a relationship with Aware or (ii) within three (3) years after the Aware Business Client informs Aware that its last interaction with you has occurred.

XIV. U.S. DEPARTMENT OF COMMERCE’S DATA PRIVACY FRAMEWORK

Aware complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Aware has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Aware has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/. To view the list of certified companies, please visit https://www.dataprivacyframework.gov/list.

Non-HR Data Recourse, Enforcement, and Liability. In compliance with the various DPF Principles, Aware commits to resolve Principles-related complaints about our collection and use of your personal information. EU, UK and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the Swiss-U.S. DPF should first contact Aware at privacy@aware.com. Aware has a policy of responding to individuals within forty-five (45) days of an inquiry or complaint.

In compliance with the EU-U.S. DPF and UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Aware commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and Swiss-U.S. DPF to the International Centre for Dispute Resolution/American Arbitration Association (ICDR-AAA), https://www.icdr.org/dpf, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from Aware, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://go.adr.org/dpf_irm.html for more information or to file a complaint. The services of ICDR/AAA are provided at no cost to you.

If your complaint is not resolved by us or the ICDR/AAA, you may, under certain conditions, have the option to invoke binding arbitration under the Principles. For further information, please see the Data Privacy Framework website (https://www.dataprivacyframework.gov/).

Accountability for Onward Transfer. Aware only transfers data to third parties as outlined within this Privacy Policy or as otherwise requested by you. Aware will obtain assurances from any such third parties that they will safeguard personal information consistently with this Privacy Policy. Examples of appropriate assurances include: a contract obligating the third party to provide the same level of protection as is required by the relevant DPF Principles, being subject to EU Directive 95/46/EC (the EU Data Protection Directive), DPF certification by the agent, or being subject to another European Commission adequacy finding (e.g., companies located in Canada), or any UK Directives if different from EU GDPR. Where Aware has knowledge that a third party is using or disclosing personal information in a manner contrary to this Privacy Policy, Aware will take reasonable steps to prevent or stop the use or disclosure. Aware’s accountability for personal data that it receives in the United States under the Data Privacy Frameworks and subsequently transfers to a third party is described in the DPF Principles. In particular, Aware remains responsible and liable under the DPF Principles if third parties that it engages to process personal data on its behalf do so in a manner inconsistent with the DPF Principles, unless Aware proves that it is not responsible for the event giving rise to the damage.

Renewal and Verification. Aware will renew its EU-U.S. DPF and Swiss-U.S. DPF certifications annually, unless it subsequently determines that it no longer needs such certification or if it employs a different adequacy mechanism.

Prior to re-certification, Aware will conduct an in-house verification to ensure that its attestations and assertions about its treatment of individual Customer and Personnel Personal Data are accurate and that the company has appropriately implemented these practices. Specifically, as part of the verification process, Aware will undertake the following:

  • Review this Data Security and Privacy Policy and its publicly posted website privacy policy to ensure that these policies accurately describe the practices regarding the collection of Individual Customer Personal Data.
  • Ensure that the publicly posted privacy policy informs customers of Aware’s participation in the EU-U.S. DPF and Swiss-U.S. DPF programs and where to obtain a copy of additional information.
  • Ensure that this Policy continues to comply with the Data Privacy Framework Principles.
  • Confirm that customers are made aware of the process for addressing complaints and any independent dispute resolution process (Aware may do so through its publicly posted website, individual customer contracts, or both).
  • Review its processes and procedures for training Employees about Aware’s participation in the Data Privacy Framework programs and the appropriate handling of PII.

Aware will prepare an internal verification statement on an annual basis.

XV. CHANGES TO THIS PRIVACY POLICY

We reserve the right to update this Privacy Policy at any time, and we will make an updated copy of such Privacy Policy available on our website.

XVI. GENERAL INFORMATION

Collection of Information by Third-Party Sites. We may use a reputable third party to present or serve advertisements that you may see on the Service. These third-party ad servers may use cookies, web beacons, clear gifs, or similar technologies to help present such advertisements, and to help measure and research the advertisements’ effectiveness. The use of these technologies by these third-party ad servers is subject to their own privacy policies and is not covered by our Privacy Policy.

Links to Other Sites. The Service may contain links to third party websites that are not owned or controlled by us. We are not responsible for the privacy practices or the content of such other third-party websites, and you visit them at your own risk.

Children’s Privacy. The Service is neither directed to nor structured to attract children under the age of 16 years. Accordingly, we do not intend to collect Personal Data from anyone we know to be under 16 years of age. We will direct potential users under 16 years of age not to use the Service. If we learn that Personal Data of persons less than 16 years of age has been collected without verifiable parental consent, then we will take the appropriate steps to delete this information. To make such a request, or if there are any questions or concerns about the Privacy Policy for the Service or its implementation, please contact us at privacy@aware.com.

Security. The security of your Personal Data is important to us. We follow generally accepted industry standards, including the use of appropriate administrative, physical, and technical safeguards to protect the Personal Data submitted to us. However, no method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, while we strive to use commercially acceptable means to protect Personal Data, we cannot guarantee its absolute security or confidentiality. If you have any questions about security, you can contact us at privacy@aware.com.

Please be aware that certain Personal Data and other information provided by you in connection with your use of the Service may be stored on your device (even if we do not collect that information). You are solely responsible for maintaining the security of your device from unauthorized access.

Merger, Sale or Bankruptcy. If we are acquired by or merged with a third-party entity, or if we are subject to a bankruptcy or any comparable event, we reserve the right to transfer or assign Personal Data in connection therewith.

California Online Privacy Protection Act Notice

On September 27, 2013, California enacted A.B. 370, amending the California Online Privacy Protection Act to require website operators like us to disclose how we respond to “Do Not Track Signals”; and whether third parties collect personally identifiable information about users when they visit us.

(1) We do not track users who do not interact with the website sharing functionality across the web, and therefore do not use “do not track” signals.

(2) We do not authorize the collection of personally identifiable information from our users for third party use through advertising technologies without separate member consent.

California Civil Code Section 1798.83 also permits our customers who are California residents to request certain information regarding our disclosure of Personal Data to third parties for their direct marketing purposes. To make such a request, please send an email to privacy@aware.com. Please note that we are only required to respond to one request per customer each year.

Commitment. We are committed to protecting your privacy. If you have any comments or questions regarding our Privacy Policy or Personal Data that we may be storing and using, please contact us at privacy@aware.com.

Dispute Resolution

Aware commits to resolve complaints about your privacy and our collection or use of your Personal Data. Individuals with inquiries or complaints regarding this privacy policy should first contact Aware at:

privacy@aware.com or (781) 276-4000

Aware is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).

XVII. FURTHER INFORMATION

If you have any concerns or require any further information, please do not hesitate to contact privacy@aware.com.