Privacy Policy

Our Privacy Policy

References to “you” and “your” means you as the user of our service and “we”, “our” and “us” refers to FortiPass and related parties.“Personal Information” includes any information that can be used to personally identify you either directly or indirectly, for example: identifiers such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity. If the information we collect personally identifies you, or you are reasonably identifiable from it, then the information is considered personal information. “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union or Member State law. “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller. “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. “Privacy Laws” refers to Australian Privacy Act 1988. See References for details. We are committed to preserving the privacy of all visitors to FortiPass and related domains (including sub-domains), as well as visitors, customers, users and other persons of our products and services, and to protecting any Personal Information that you may provide to us or has been provided to us. We believe it is important for you to know how we treat Personal Information about you that we may receive and how we carry out data processing practices through the use of the Internet and any other electronic communications networks. Please read the following privacy policy to understand how we use and protect the Personal Information that you provide to us or how we may use and protect it in the future. By using this Site, or by providing any Personal Information to us, you consent to the collection, use and transfer of your Personal Information under the terms of this policy. It should also be noted that this Privacy Policy does not apply to any other data, such as any personal data that may be included in the notes, passwords, files, documents, folders, and similar data that we maintain on our customers’ behalf, as well as any other information our customers may upload to their FortiPass account(s) in connection with their use of our Services or information gathered from other channels, such as publicly available sources. For further enquiries concerning our privacy policy, you can contact us for more information.

Changes to this Policy

We reserve the right to revise or supplement this Privacy Policy from time to time. We will endeavour to notify service consumers with each update, however you should bookmark and periodically review this page to ensure that you are familiar with the most current version of this Privacy Policy and so you are aware of what Personal Information we collect, how we use it and under what circumstances we disclose it.

General

Information We Collect
By the nature of the service, information we collect is based on what is voluntarily entered by you into the service. The below information is a guide of common information capture by us.
Generally, we collect information from:

• you
• through our website and by other electronic communication channels;
• third parties;
• publicly available sources of information;
• when we are required to do so by law; and
• our own records.

The Personal Information we collect may include:

• your salutation, name, location, phone numbers and e-mail address;
• computer or network information;
• details about your interactions with us including authentications with applications through our services;
• company and business name, job title, business sector and contact details;
• data entered by you to use in means of authentication, authorisation and general storage of sensitive information;
• details of the ways in which you are prepared to receive information from us and/or selected third parties;
• details of your third party storage medium (for example, your google drive and google drive information); and
• data collected to send information about our products and services.

We strive to limit the types and categories of personal data that is collected from, and processed on behalf of our users to include only information which is necessary to achieve the purpose(s) for which it was collected. We do not use personal data for additional purposes which are incompatible with their initial collection. The measures and policies in place are designed to ensure that we only collect and process information from our users that we believe is necessary to operate the service effectively.

Disclosure

We may disclose your Personal Information to our employees, for the operation of our service or our business, and for the specific purpose of fulfilling requests by you, and to provide services to you, and where we are permitted to under Privacy Laws. Where we utilise third parties to undertake services, we may provide those third parties with some of your information if it is required to fulfil those services and only to the extent required to fulfil those services.

If we enter into a joint venture with or are sold to or merged with another entity, your Personal Information may be disclosed to our new business partners or owners. Unless required to do so by law and permitted under Privacy Laws, we will not otherwise share, sell or distribute any of the Personal Information you provide to us without your consent.
Third Party Storage Providers

As one of FortiPass' primary functions is we use a third party storage provider to store your vault information. By default this provider is Google Drive. For a full list of providers see the below list:

• Google/Google Drive

As a part of interacting with Google Drive, FortiPass requires consent to perform the following actions. Consent is given when a user completes the OAUTH login flow to the application. The full list of permissions given to FortiPass associated with Google Drive are as follows:

• see all your Google Drive files;
• edit all your Google Drive files;
• create Google Drive files; and
• delete all your Google Drive files.

Third Party Service Providers

FortiPass uses some third party service providers to assist in the delivery of some features. For a full list of providers see the below list:

• Have I Been Pwned

As a part of interacting with these service providers the following information you provide to FortiPass will be shared:

• your FortiPass monitoring emails (paid subscriptions only).

International Transfer and Storage of Data

As a part of the primary service model, FortiPass' third party providers may transfer and store data across multiple regions. Depending on the provider used will determine where exactly this data is stored. For more information please see the below links to our relevant third parties.

• Google/Google Drive

When service data (vault or personal) is no longer stored within the FortiPass service, for example if it is exported using either FortiPass tools or otherwise, then it is no longer the obligation of the FortiPass service to protect this information as it is out of our control. It is your responsibility to protect the information in an secure manner, storing and transferring it accordingly.

Access and Updating of Personal Information
Personal information captured by FortiPass can be viewed within the settings page of a registered user. Updating your information in the service can be achieved by update your information in your respective identity provided (for example, google) and then logging out and logging back into the service. The checking/updating of user information is only triggered when performing a fresh login to the service.

Website Visitors

Information We Collect
Like most website operators, FortiPass collects non-personally-identifying information of the sort that web browsers and servers typically make available, such as the browser type, language preference, referring site, and the date and time of each visitor request. FortiPass’s purpose in collecting non-personally-identifying information is to better understand how FortiPass’s visitors use its website. From time to time, FortiPass may release non-personally-identifying information in the aggregate, for example, by publishing a report on trends in the usage of its website.FortiPass also collects potentially personally-identifying information like Internet Protocol (IP) addresses in addition to those listed above. FortiPass does not use such information to identify its visitors, however, and does not disclose such information, other than under the same circumstances that it uses and discloses personally-identifying information, as described below. Certain visitors to FortiPass’s websites choose to interact with FortiPass in ways that require FortiPass to gather personally-identifying information. The amount and type of information that FortiPass gathers depends on the nature of the interaction. For example, we ask visitors who use our contact forms to provide a name, company and email address. In each case, FortiPass collects such information only insofar as is necessary or appropriate to fulfil the purpose of the visitor’s interaction with FortiPass. FortiPass does not disclose personally-identifying information other than as described below And visitors can always refuse to supply personally-identifying information, with the caveat that it may prevent them from engaging in certain website-related activities.We may:

• require the selection of a email address and password for the use of our products or services such as where you register to gain access to our web tools and products;
• offer you the opportunity to receive email updates and announcements concerning our products, services and activities;
• personal information you have provided to us may be used to facilitate those communications;
• collect information about you from emails, letters, telephone calls or from any other communication you have sent or may send to us;
• collect additional personal information automatically about your visit to our Site (e.g. our web server logs your IP address when you view a page on our site).

Use of Cookies
A “cookie” is a small text file that is placed on a device when it is browsing a website to enable the host of the website to store information about use of the website by that device. We use cookies and similar technologies for the following key purposes:

• Allow you to enter certain site member services without having to log in each time you visit;
• Ensure interactions with our site are from legitimate users and not bots;
• Track traffic patterns to our site;
• To produce data on web traffic and customer web activity through our website, if required for audit purposes.

Cookies used on this site can be organised into two distinctive groups:

• necessary; and
• unnecessary

The use of necessary cookies on the FortiPass website is autonomous and cannot be declined. You may later remove cookies created/used by FortiPass by clearing them from your browser.

The use of unnecessary cookies on the FortiPass website is not required. However you may not be able to used some website services while these are disabled. Much the same as necessary cookies, if you once had unnecessary cookies enabled and would like to remove them. You may later remove cookies created/used by FortiPass by clearing them from your browser.

For more information on specific third party cookies, please see the below links:

• Google Analytics

Please note you can still view the FortiPass website if you choose to set your browser to refuse all cookies; however, you will need to keep certain cookies enabled to establish an account or to install services.

For the full list of cookies, please see the below tables for their details. Please also note your cookie preferences in relation to the below lists can be adjusted in your cookie settings.

Necessary Cookies

Name	Purpose
1P_JAR	This cookie carries out information about how the end user uses the website and any advertising that the end user may have seen before visiting the said website.
FortiPassHighestPrivelige	This cookie tracks the current user's subscription tier for display certain client side content.
user_id	This cookie tracks the current user's google id for display certain client side content.
auth_token	This cookie is a part of the logged in user's session information. Used for access to various systems both FortiPass and third party related.
id_token	This cookie is a part of the logged in user's session information. Used for access to various systems both FortiPass and third party related.
access_token	This cookie is a part of the logged in user's session information. Used for access to various systems both FortiPass and third party related.
refresh_token	This cookie is a part of the logged in user's session information. Used for access to various systems both FortiPass and third party related.

Unnecessary Cookies

Name	Purpose
_ga	This cookie is used by google analytics. Used to distinguish users.
_gid	This cookie is used by google analytics. Used to distinguish users.
_ga_	This cookie is used by google analytics. Used to persist session state.
_gac_gb_	This cookie is used by google analytics. Contains campaign related information.
_gat	This cookie is used by google analytics. Used to throttle request rate. If Google Analytics is deployed via Google Tag Manager, this cookie will be named _dc_gtm_.
AMP_TOKEN	This cookie is used by google analytics. Contains a token that can be used to retrieve a Client ID from AMP Client ID service. Other possible values indicate opt-out, inflight request or an error retrieving a Client ID from AMP Client ID service.
_gac_	This cookie is used by google analytics. Contains campaign related information for the user.
ANID	This cookie is used for advertising served across the web and stored in google.com.
OTZ	Google uses cookies, like the OTZ cookies, to help customize ads on Google properties, like Google Search.
NID	This cookie is used to save the user's preferences and other information. This includes in particular the preferred language, the number of search results to be displayed on the page as well as the decision as to whether the Google SafeSearch filter should be activated or not.
SEARCH_SAMESITE	These cookies are used by Google to display personalized advertisements on Google sites, based on recent searches and previous interactions.
OGPC	This cookie enables the functionality of Google Maps.
HSID	This cookie is used to save the user's preferences and other information. This includes in particular the preferred language, the number of search results to be displayed on the page as well as the decision as to whether the Google SafeSearch filter should be activated or not.
SSID	This cookie is used to save the user's preferences and other information. This includes in particular the preferred language, the number of search results to be displayed on the page as well as the decision as to whether the Google SafeSearch filter should be activated or not.
APISID	This cookie is used to save the user's preferences and other information. This includes in particular the preferred language, the number of search results to be displayed on the page as well as the decision as to whether the Google SafeSearch filter should be activated or not.
SAPISID	This cookie is used to save the user's preferences and other information. This includes in particular the preferred language, the number of search results to be displayed on the page as well as the decision as to whether the Google SafeSearch filter should be activated or not.
__Secure-3PAPISID	This cookie is used to build a profile of website visitor interests to show relevant and personalized ads through retargeting.
SIDCC	Security cookie that protects the user data from unauthorised access.
__Secure-3PSID	This cookie is used to build a profile of website visitor interests to show relevant and personalized ads through retargeting.
SID	This cookie is used to save the user's preferences and other information. This includes in particular the preferred language, the number of search results to be displayed on the page as well as the decision as to whether the Google SafeSearch filter should be activated or not.
__Secure-3PSIDCC	This cookie is used to build a profile of website visitor interests to show relevant and personalized ads through retargeting.
DV	This cookie is used to save the user's preferences and other information. This includes in particular the preferred language, the number of search results to be displayed on the page as well as the decision as to whether the Google SafeSearch filter should be activated or not.

Information Processing
We may collect statistics about the behaviour of visitors to its websites. For instance, FortiPass may reveal how many downloads a particular version got based on checks from web services used by FortiPass installations to check for new versions of FortiPass.
We may use the Personal Information you provide or which we collect via this Site for the purposes of:

• providing any products, training or other services;
• enabling you to register to gain access to our web tools, products, services and training;
• responding to your inquiries or to process your requests in relation to your products, services and/or training modules;
• providing and personalising our products, services or training modules generally;
• account management and administering records of payments received via our payment gateway;
• promotion of our products, services and training modules, including carrying out market research campaigns;
• maintaining information as a reference tool or general resource;
• making the site easier for you to use and providing you with access to all parts of the site;
• helping you to quickly find products, services, training modules and information on the site;
• where necessary and required by law, crime prevention and prosecution of offenders;
• to contact you for your views on our products, services and training modules;
• to notify you about important changes or developments to our website or our products, services and training modules;
• to contact you by telephone, or by e-mail to let you know about other products, services and training modules which we - offer and which may be of interest to you or which are offered jointly with or on behalf of others; and
• any other purpose ancillary to these purposes or which arise out of requests made by you.

We may also use and disclose information:

• in aggregate (so that no individuals are identified) for marketing and strategic development purposes; and
• to use and analyse the information we collect so that we can administer, support, improve and develop our business.

Email Marketing

Email Marketing and Newsletter emails are only processed/sent to users who have consented, or if there is another legal basis to do so.

Users have the opportunity to consent to these emails during initial registration or from within their account settings.

If the user has previously consented and no longer wishes to receive these emails. A user may revoke consent at any time from within their account settings.

Retention Period

We keep your personal data in a form which permits identification for no longer than needed for the business purposes for which it was collected or as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. Personal data processed in the context of a contract with you will be retained by us for the term of the contract and for a reasonable time afterwards as might be required to determine and settle any related claims. Where our processing of your personal data is based on legitimate interests or compliance with legal obligations, it will be deleted as soon as the applicable underlying purpose has expired. Unless requested sooner, your account will be deleted or anonymized no later than twelve (12) months from the date of Service termination, expiration.

If an early removal of personal/user information is requested. A grace period of 48 hours is in place to prevent the accidental deletion of, or deletion of potentially compromised accounts. Deletion of the information will be processed after this grace period has lapsed and sufficient time has been allowed for review of the request's validity.

Please see Your Rights below if, for example, you wish to have something removed before the standard retention period.

Disclaimer
Given that the Internet is a global environment, using the Internet to collect and process Personal Information necessarily involves the transmission of data on an international basis. Therefore by browsing this Site and communicating electronically with us, you acknowledge and agree to our processing of Personal Information in this way.Whereas we employ reasonable measures to protect against viruses and other harmful components, the nature of the internet is such that it is impossible to ensure that your access to the Site will be uninterrupted or error-free, or that this Site, its servers or emails which may be sent by us are free of viruses or other harmful components.

Third Party Access to Information

FortiPass and its affiliates use third party sub-processors to assist us in the provisioning of our services and other business activities. FortiPass, where possible, utilises sub-processors that posses ISO/IEC 27001 certification or equivalent and are GDPR compliant. These third party sub-processors include:

• Google
• PayPal
• SendGrid

How we Protect Your Personal Information

We take the following steps to protect your personal information:

• storing Personal Information only on drives and systems which have access restricted to authorised individuals only;
• appropriate storage/tranfer encryption technologies to secure data at rest and in transit;
• providing our employees with the minimum system privileges required to undertake their role;
• training our employees and having clear rules and processes around the use of Personal Information;
• using ISO/IEC 27001 certified platforms.

Children

FortiPass products, services and websites are not intended for children. We do not knowingly collect information from children. Do not use our products, services and websites or provide us any information unless you are capable of consent in your territory or country.

Your Rights

• Right to be informed: we must tell you what data is being collected, how it’s being used, how long it will be kept and whether it will be shared with any third parties.
• Right of access: you have the right to request a copy of the information that we hold on you.
• Right of rectification: you have the right to correct data that is inaccurate or incomplete.
• Right to be forgotten: in certain circumstances, you can ask for the data that we hold on you to be erased from our records.
• Right of portability: you can request that we transfer any data that we hold on you to another company.
• Right to restrict processing: you can request that we limit the way we use personal data.
• Right to object: you have the right to challenge certain types of processing, such as direct marketing.
• Right related to automated decision making including profiling: you are free to request a review of automated processing if you believe the rules aren’t being followed.
• Right to complain: if you believe we have breached the Australian Privacy Principles (APP), you can lodge an APP Breach Complaint Request.

You are free to exercise your rights by contacting us and raising a Subject Access Request (SAR) or APP Breach Complaint Request contact request. We must take reasonable steps to ensure that the request is valid and to verify your identity. We recommend submitting a Service Request to expedite this process. Following the verification of your identity, we endeavour to respond to the above requests within one calendar month, and no longer than three calendar months for higher volume or more complex requests.

Data Breach Reporting

FortiPass is obligated to report Data Breach’s that are likely to result in serious harm to an individual. Serious harm could take the form of serious physical, psychological, emotional, financial, or reputational harm. We will take all possible steps to ensure that these risks do not materialise, in which case reporting may no longer be required.
Reporting Scheduled:

Party	Ideal Schedule	Condition
Office of the Australian Information Commissioner	72 hours	Australian Customers
Impacted End-Users	72 hours	All end-users where we are the controller

References

• Australian Privacy Act 1988
• Freedom of information Act 1982
• The Notifiable Data Breaches (NDB) scheme
• REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)