Under the General Data Protection Regulation (GDPR) of the European Union (EU), EU citizens are entitled to certain privacy protections regarding the use, storing and processing of your personal information, as well as the right to be notified if personal information is stolen, copied or accessed on an unauthorized basis.
The GDPR is a modern privacy rights framework adopted to create better transparency and control over who, how and when your personal data may be used, including the “right to be forgotten”.
Mutualink, Inc. (referred to as “We”, “Us”, or “Our”) explains how it complies with the GDPR and how your personal data may be collected, stored and used. We also explain under what circumstances and for what purposes we may use your personal data and also provide instructions on how you can “opt-out” from our using your personal data and also request the removal of your personal data from our systems.
Our business is a “B2B” business, meaning we sell products and services to government agencies and private businesses, and not to individual consumers. Even so, under the GDPR, if you are an employee of or associated with a business customer, certain information may be considered personal data such as your business email, business mobile number or other similar information from which your personal identity may be known. It is also customary in many instances for business associates of business or government customers to furnish their private or personal contact information such as private email address, home telephone number and similar information. Even if done in the context of a business purpose, this information may be deemed personal data. Therefore, if you believe your business information discloses personal data that you do not wish disclosed, you should not give it to us. You should also ask your employer to change your business contact information to an anonymized format, such as changing your email from “my.name@mycompany” to “randomcharacters@mycompany”.
Please be advised that our business has less than 250 employees. Accordingly, we are subject to less stringent recording requirements under GDPR requirements. We are however not exempt from other privacy protection and reporting requirements which apply to all businesses equally.
COLLECTION AND USE OF YOUR PERSONAL DATA.
Our ability to use your personal data may come about by the following means:
Additionally, many of our products and services are multimedia communications-based products, such as client communication software, client communications devices and network communications services. As such, personal identity information is required to enable communications and messages to be delivered to you, for other in-network users to identify and communicate with you, and for us and others to authenticate identity and employ various network and information security measures.
HOW WE COLLECT YOUR PERSONAL DATA
We may collect your personal data by a variety of means and store your personal data electronically. Generally, any time you interact with Us, including communication with our sales or marketing representatives, technical installation and service personnel, customer service personnel, security personnel, billing personnel and legal representatives, it is likely that information will be collected which is relevant to the particular function being carried out. The means by which information is collected include:
We also may collect data from publicly available sources or private sources when you have given your consent to share information or where the information is made public as a matter of law. This may include, for example, personal data provided by an organization with which you are a member or affiliated. It may also include accessing private security information databases and other collection methods as are deemed necessary for “know your customer” related laws pertaining to non-US financial transactions and compliance with US export and re-export control laws.
TYPES OF DATA WE COLLECT
Mutualink is a B2B company and our customers are generally public safety and security organizations. As a general rule of thumb, we will collect, process and may store data that falls into the following categories:
Security Data such as your password and any sensitive personal data such as social security number, birth date, place of birth, biometric data, financial payment information such as bank account numbers, credit cards, and medical information, if given, is stored in encrypted electronic data formats, and may only be used for security authentication and validation purposes or as you voluntarily choose to share through our products. Sensitive personal data is only transmitted in an encrypted data format or within an encrypted tunnel to those persons you choose to share such information with using our products.
Also, we may collect data regarding your usage for product improvement purposes. This may include the frequency of log-in, the length of user sessions, the time and location of user sessions, the device identities used for login, the amount of data transferred or used during a session and other use data which may help us analyze how and when you are using our products and services, and how we can improve your user experience and the overall functional value of our products and services.
HOW WE USE YOUR PERSONAL DATA
We will use your personal data only in connection with furthering our business relationship with you, to enhance and protect the security of your information, and to enable your use of our products and services, and those add-on products and services that may be integrated with our products and services.
For example, if there are multiple logins or attempted logins, this may indicate an unauthorized attempt to gain access to the system by an unauthorized user. Similarly, IP address and location may be used to determine if unauthorized access is being gained from a location or address which is unlikely and an indicator of fraud.
Of course, if you wish to change how we use your data, you’ll find details in the ‘What are my rights?’ section below.
Remember, if you choose not to share your personal data with us, or refuse certain contact permissions, we might not be able to provide some services you’ve asked for.
Business Transactional Data Use. In addition to Security Data and Relationship Data, we will use your personal data that is Business Transactional Data. We will use this data to facilitate all aspects of a commercial relationship from purchase order processing, sale, installation, services configuration, software download and installation, user account set-up and access, security authentication and verification, customer service inquiries, technical services assistance, repairs, network and quality of service monitoring, service renewal reminders, service expiration reminders, and any other related purpose relating to the fulfillment of our obligations to you or your obligations to us.
We may keep Business Transactional Data and Relationship Data for our business record keeping purposes for a reasonable period of time and also to comply with applicable laws, rules and regulations. We will generally keep this data for at least as long as we believe the statute of limitation period requires for civil or criminal litigation matters. In civil litigation matters, the limitation period for an action may differ and generally can run as long as 7 to 10 years depending on the nature of the cause of action. Additionally, in some cases the statute of limitations period does not start until the discovery of the circumstances for which an action may be brought, such as in the case of an action for fraud in the concealment. Because this type of data may be relevant evidence in any dispute, we will retain such information for such purposes. Therefore, you should reasonably expect your personal data to be held for as much as ten (10) years by us for such purposes. Additionally, you should be aware that we may be required to keep your personal data indefinitely in the case of a government investigation or under an order to preserve evidence or similar circumstances.
For example, Product Derived Data such as login data, application and network use data, IP addresses, location information, client device identity may be used to determine the frequency of use and manner of use of our products and provide a basis to seek user feedback. We will keep this information for a reasonable period of time for product facilitation and enhancement purposes. This generally would be for the period of time you (or your employer or organization) are using the products and services plus an additional reasonable period on the order of five (5) years to cover any re-start of product usage or services without undue burden in reconfiguration or preferred method of deployment, account set-up and related matters.
Product Derived Data may also be stored or used for security or law enforcement purposes. This may occur if you use our products during an emergency, security or other communications or information sharing event using our software or network service products, and various law enforcement agencies seek information for investigatory reasons or evidentiary reasons. This could include login identity information, time of use, place of use, location of use and the like in order to corroborate events or the timing or occurrence of events. We may keep this information for a reasonable period of time for such purposes or as otherwise directed by a government agency. We may also turn over our records to law enforcement and other governmental authorities in order to prevent or report a potential crime or be required to turn over our records if required by law.
COMBINING YOUR PERSONAL DATA WITH OTHER DATA AND TRANSFORMING PERSONAL DATA
We may use other data sources to supplement your personal data for purposes of enabling certain functions in our products that you may choose to use such as real time location, location history, geofenced presence, facial and object recognition, and wearable sensor data. For example, we could utilize information obtained from your employer’s website to obtain a physical business location address, use land records or geographical maps systems or satellite imagery to locate and display your location on a map. Our products and services allow you to share your location with others on our network with your active consent. Our products and services allow you as a user to control the sharing and publication of your information from our application interfaces. However, your employer or organization using our products for agency or security purposes may require you to share your location with others and that is a matter between you and your employer or organization.
Our products may work in conjunction with various video recognition and other sensor type products. We may also provide such products and services, and this may result in the storing of your image or representations thereof. We view human readable information such as image files that display a representative reproduction of your face or other identifying features as personal data. We do not consider mathematical or parameter-based data representations of your image to be personal data if and when it is disassociated from other personal identifying information and anonymized. This type of data when combined with other personal identifying data we consider to be Product Derived Data and will be stored and used in the manner explained above.
HOW WE PROTECT YOUR DATA
We know how much data security matters to all our customers. With this in mind we will treat your data with the utmost care and take all appropriate steps to protect it.
We secure access to all transactional aspects of products using encryption when in transit. Generally, subject to export control restrictions, we employ AES256 encryption ciphers to protect it. This is accomplished using SSL-TLS transport protocols over IP enabled networks.
Access to your personal data is password-protected, and if stored in our systems (or our processor’s systems) is encrypted using AES 256 encryption if it is sensitive personal data such as health information, social security numbers, license numbers, biometric data or if it relates to a security function such as passwords, private authentication information, or key pairs in a database or data store. Information that may be stored in files is file read access protected with passwords and limited to basic contact information such as email addresses, phone numbers, business address and employer or organizational contact information. We do not anonymize network directory information such as user network identity, however access to such directory information is limited to authorized users of our network services.
As part of security measures, we regularly monitor our network and system for possible vulnerabilities and attacks. We engage in penetration testing for our digital products and services, and routinely scan our software for vulnerabilities. At the network level, we use firewalls, scan for anomalies and use various intrusion detection tools to monitor the security of the network.
All employees of Mutualink are required to sign a confidentiality and nondisclosure agreement prohibiting the use or disclosure of any information for any purpose other than for our own proper business purpose. Our channel partners are also subject to such restrictions.
HOW LONG WILL WE KEEP YOUR PERSONAL DATA?
Whenever we collect or process your personal data, we’ll only keep it for as long as is necessary for the purpose for which it was collected. We have outlined above the various circumstances, purposes and time periods when we will hold personal data.
At the end of that retention period, your data will either be deleted completely or anonymized, for example by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning. To summarize:
Ten Years from Transaction date. As described above, you should expect your personal data that is Business Transaction Data including any pertinent Relationship Data to be held for ten (10) years from the date of its creation for contract and legal purposes. The same ten-year period would apply to Security Data from the date of its last use or transactional entry.
Five Years from Relationship Termination. For Product Derived Data and Relationship Data, we would keep such data while you or your organization is a customer receiving services or using products of ours and for an additional five (5) years after the relationship is terminated.
WHO DO WE SHARE YOUR PERSONAL DATA WITH?
We will not sell, rent, lease or transfer your data to any third party commercial entity for the purpose of marketing or selling unrelated products or services for our financial gain or economic benefit. We may share basic business contact information such as your name, business title and business contact information (“Basic Business Referral Information”) and product and services information, including technical configuration information, customer complaint information, trouble-shooting information, with third party product and solutions providers that work with our products, such as channel partners and sales representatives, product repair and service providers, and operationalization consultants and specialists (“Sales and Service Partners”). We may make Basic Business Referral Information available to third party product, system and information providers that may integrate with our products or which are value-added products or services when used in conjunction with our products. When we make business referrals, in certain cases we may derive a commercial or financial benefit such as a commission or other fee. We will not make business referrals that we reasonably believe are not related to our products or our line of business.
In addition to Sales and Service Partners, we may provide personal data to ancillary service providers fulfilling certain functions on our behalf in facilitating a sale, product installation, delivery or product return, and with our professional advisors such as accountants, external auditors and legal advisors.
For example, we may provide your business email, work address and telephone contact number to a shipping company to deliver products to you and ensure delivery. We also may supply your personal identifying data for purposes of export compliance and due diligence purposes to ensure your identity and ensure you are not a front for re-exporting products on an unauthorized basis. Another example might be an external vendor requesting to perform a software audit for usage and royalty calculations on certain components we use in our products.
We also may furnish your personal data to an external marketing company performing services for us, provided it would be limited to usage relating to our business marketing activities and not for other purposes and require proof of adequate safeguards and handling.
Cloud Service Providers. Your personal data may be stored and processed using third party facilities and systems such as cloud service providers. Generally, all personal data is stored and processed on our computer and data storage systems. We do, however, have certain products and versions of products which are delivered over third-party cloud service provider infrastructure.
Our current third-party vendor for cloud related services is Amazon AWS. We may elect to use other cloud service providers such as Microsoft Azure, Google’s Google Cloud or other providers. In such case, you will be made aware of what service provider is being utilized at the time of initial service delivery and in the event your personal data is moved, or service delivery providers are changed you will be notified of such change by email or other appropriate communication to your employer or organization.
WHERE WILL YOUR PERSONAL DATA BE PROCESSED
Your personal data will be stored in the United States unless you are notified otherwise. In certain countries we may have a local computer processing center or point of presence and data will be held in the local environment as requested by our customers and to the extent available.
We will not transfer your personal data to any provider in any jurisdiction unless such provider and jurisdiction meet the requirement under the GDPR.
YOUR RIGHTS OVER YOUR PERSONAL DATA
Below is an overview of your various rights.
You have the right to request:
Access to the personal data we hold about you, free of charge in most cases.
The correction of your personal data when incorrect, out of date or incomplete.
The deletion of the data we hold about you, in specific circumstances. For example, when you withdraw consent, or object and we have no legitimate overriding interest, or once the purpose for which we hold the data has come to an end.
A computer file in a common format (e.g. CSV or similar) containing the personal data that you have previously provided to us and the right to have your information transferred to another entity where this is technically possible.
Restriction of the use of your personal data, in specific circumstances, generally whilst we are deciding on an objection you have made.
That we stop processing your personal data, in specific circumstances. For example, when you have withdrawn consent, or object for reasons related to your individual circumstances. Please be advised, however, your employer may reasonably object as the customer having a direct contract relationship with us, and we reserve the right to notify your employer or organization of such a request and advise them that removal may impair the intended use or enjoyment of our product and services functions.
That we stop using your personal data for direct marketing (either through specific channels, or all channels).
That we stop any consent-based processing of your personal data after you withdraw that consent.
Review by a partner of any decision made based solely on automatic processing of your data (i.e. where no human has yet reviewed the outcome and criteria for the decision).
You can contact us to request to exercise these rights at any time by completing an online form.
If we choose not to adhere to your request we will explain to you the reasons for our refusal.
Your right to withdraw consent
Whenever you have given us your consent to use your personal data, you have the right to change your mind at any time and withdraw that consent.
Where we rely on our legitimate interest
In cases where we are processing your personal data on the basis of our legitimate interest, you can ask us to stop for reasons connected to your individual situation.
We must then do so unless we believe we have a legitimate overriding reason to continue processing your personal data.
Right to Stop Direct Marketing
You have the right to stop the use of your personal data for direct marketing activity through all channels, or selected channels. We must always comply with your request.
This right does not include communications and information functions, such as alerts and notices, which are displayed in any application or product interface of ours which is part of the operation of or relates to a normal function of our product. By logging into our products or services, you are expressly giving your consent for such purposes. If you disagree with that then do not log-in or use our products or services.
Checking Your Identity
To protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you make under this Privacy Notice.
If you have authorized a third party to submit a request on your behalf, we will ask them to prove they have your permission to act.
HOW TO SEND US NOTICE
You may send us notice of the exercise of your rights, whether to “opt-out” of certain or all marketing channels, to request deletion of your personal data or to correct or receive a copy of your personal data by any of the following means:
Send an Email to:
Please include the subject line “GDPR Request”
Please include the action you are requesting we take, the basis for the action, and any information which can reasonably identify you, and valid means to respond back to you.
When you send us a communication through a form, you may check a box indicating your preference to opt-out of marketing campaigns and contacts.
Postage Prepaid to:
1269 South Broad Street
Wallingford, Connecticut USA 06492
Attention Legal Dept: EU Privacy Notice
When you send us a written communication through mail, you may check a box indicating your preference to opt-out of marketing campaigns and contacts.
COMPLAINTS OR CONCERNS
We are dedicated to adhering to the EU’s privacy laws for our EU customers. If you believe that we are not fulfilling our obligations in accordance with the law, you may file a complaint with the European Data Protection Supervisor (EDPS). We have provided this link for your convenience (note you are linking to an external third-party site unaffiliated with us):
RESERVATION OF RIGHTS
We provide this privacy notice to EU citizens in accordance with our understanding of the GDPR and will endeavor to comply with such law on a voluntary basis. We reserve all rights afforded under United States laws and treaties. This privacy notice is not a contractual obligation or guarantee to you that may be enforced in the United States or any other jurisdiction which does not recognize the GDPR as part of its law. Our contract obligations are limited to those contained in the purchase agreements and end-user license agreements between us and our customers. We, for ourselves and on behalf of directors, officers, employees, advisors, and all other persons affiliated with us reserve all rights regarding personal and subject jurisdictional matters, and the applicability and enforcement of the GDPR with respect to US citizens and non-EU citizens. Neither this privacy notice nor any actions taken to comply with the GDPR shall constitute a waiver of such rights or submission to jurisdictional authority of any court, tribunal or governmental authority outside of the United States.