Privacy Policy

Overview

This Privacy Notice is dedicated for the users of our White-label Partner(s) (‘Partner(s)’) to transparently inform our Partner(s), about how we handle your personal data in accordance with global privacy standards. It also explains our relationship with our Partner(s) and End Users for clarity on roles and responsibilities.
This document highlights our policy for the collection of personal data in relation to our Password Manager (including Software Development Kits (‘SDKs, ‘Services’) provided to our Partners.
This document should be read in conjunction with our Terms of Service or our Master Services Agreement (whichever is applicable) . The Key terms stated herein apply to our Partners and the users (‘End Users’, ‘you’, ‘your’) accessing our Service through our Partners.
If you do not agree with any term of this Privacy Notice, please note that you may discontinue using our Services.

Scope and Definitions

Scope. This Privacy Notice applies to our provision of the Password Manager Services to Partner(s), and to End Users who access the Services through a Partner’s plan. It covers our processing of personal data as described below

Definitions

• Personal Data” means any information relating to an identified or identifiable natural person, as defined by applicable data protection laws.
• “Processing” means any operation performed on Personal Data, such as collection, storage, use, disclosure, or deletion.
• “Partner” means the white-label business customer that offers the Services to End Users.
• “End User” means an individual who accesses and uses the Services through a Partner’s plan.
• “Controller” means the entity that determines the purposes and means of Processing Personal Data.
• “Processor” means the entity that processes Personal Data on behalf of a Controller.
• “Sub-processor” means a third party engaged by us to Process Personal Data on our behalf to provide the Services.

Services

Our Services are delivered to End Users exclusively through our Partners and governed either by our Terms of Service or by a Master Services Agreement, as applicable. Therefore, we receive information (including personal data of End Users) from our Partners while operating the Services.
You are identified as an End User of our Services. In this instance, our white-label Partner acts as a data controller of your data.
We act solely as a data processor with respect to End User Data. We will: (a) process End User Data only on our Partner’s documented instructions; (b) implement and maintain appropriate technical and organizational measures to protect Customer Data; and (c) ensure any sub processors are bound by the same data protection obligations.

Information We Collect

For the provision of our Services, we collect the following information:
For the provision of our Services, we collect the following information, which we group as “Mandatory Account and Service Data” (necessary to operate the Services) and “Optional Vault Content” (items an End User may choose to store):
Mandatory Account and Service Data (collected from End Users or Partners):

• Username
• Email address
• Device Information (e.g., device type, OS version, application version, diagnostics)
• Security and service logs (e.g., connection timestamps, event telemetry necessary for security and reliability)

Optional Vault Content (End User-chosen items stored within the encrypted Vault):

• Passwords
• Social Media Accounts Information*
• Credit Card Information*
• Phone Number*
• PIN*
• WIFI Password*
• Passport*
• Bank Account Information*
• Crypto Wallet*
• Confidential Documents*
• Custom Items*

This information will only be collected if you select to store these items within the Password Manager Platform. *
Vault content remains encrypted end-to-end; we cannot access or decrypt it.

Our Basis For Collection

We process this information on the following legal grounds:

Legitimate Interests: to secure and protect the Services (e.g., fraud prevention, abuse detection, service diagnostics), to improve and troubleshoot the Services, and to maintain business records, where these interests are not overridden by your rights and freedoms.

To provide access to additional features: To provide our users with additional features included in our Password Manager Platform.

To fulfil our obligations under a contract: As stated above, we process personal data for the provision of services in accordance with our Terms of Service or to ensure performance of our obligations under a Contract. We process the personal data upon the express instruction of our Partner.
Consent: We will use or process your information where you have given your express consent to us to do the same. In this instance, the Partner shall be responsible for obtaining the express written consent from the End User.

Legal Obligations: We may process personal data to comply with applicable laws, regulations, court orders, or other legal requirements, including but not limited to law enforcement requests, regulatory compliance obligations, and mandatory record-keeping requirements

International Data Transfer

Our systems and servers are located worldwide. As a result, your personal data may be stored, accessed or otherwise processed in jurisdictions outside your country of residence.

We engage third-party service providers to help deliver our services. Before sharing any personal data, we require each provider to enter into a Data Processing Agreement that: (a) obliges them to process data only on our instructions; (b) mandates appropriate technical and organizational security measures; and (c) ensures personnel confidentiality and restricted access.

For transfers of personal data from the European Economic Area (EEA) to countries not deemed to provide an adequate level of protection, we rely on the European Commission’s Standard Contractual Clauses (SCCs).

Your Rights and Safeguards:
(a) Wherever your data is processed, we apply the same high standards of security and confidentiality. (b) You have the right to request information about the safeguards we use for cross-border transfers. 

For questions about international transfers, please contact: [email protected]

Sub-Processors

We use a limited number of Sub-processors to support the provision of the Services. These Sub-processors perform infrastructure, delivery, email, or monitoring roles essential to the operation of the Password Manager.

The current Sub-processors are:

• Amazon Web Services, Inc. (AWS) – cloud hosting and infrastructure services (see AWS Privacy Notice: https://aws.amazon.com/privacy/)
• Cloudflare, Inc. – content delivery network (CDN), security, and DDoS protection (see Cloudflare Privacy Policy: https://www.cloudflare.com/privacypolicy/)
• Mandrill (Mailchimp Transactional Email) – transactional email delivery (uses Mailchimp’s privacy practices; see Mailchimp/Mandrill Privacy Policy https://mailchimp.com/legal/prior-privacy-policy/)
• New Relic, Inc. – application performance monitoring and analytics (see New Relic Services Privacy Notice: https://newrelic.com/termsandconditions/privacy)

The privacy practices of each Sub-processor can be reviewed via their publicly posted privacy policies at the links above.
The Company shall provide prior reasonable notice of any material changes to this Sub-processor list (by email or by posting the changes publicly). Where required by applicable law or contract, the Company will seek the written consent of the Partner prior to engaging any new Sub-processor.

NO SUBPROCESSOR WILL RECEIVE MASTER PASSWORDS OR ACCESS TO DECRYPTED VAULT CONTENTS.

Cookies and Tracking Technologies

We may use cookies, SDKs, and similar technologies on our websites and support portals to operate and improve our Services and for analytics and security. These technologies do not provide us access to Vault contents. For details, please see our Cookie Policy at https://www.purewl.com/legal/cookie-policy-password-manager/ Where required by law, we will request consent for non-essential cookies.

Data Security

We maintain tight controls over the personal data we collect. Our dedicated IT security team has implemented appropriate physical, technical, and organizational measures to protect information about you against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, or access and against all other unlawful forms of processing:

Physical Measures:
We control access to our facilities with access cards. We also use security alarm systems and CCTV. We store devices with personal data information only in locked rooms or cabinets. Our printers are protected by access control measures. A clean desk policy is implemented.

Technical Measures:
We use layered defense with firewalls, anti-malware protection, intrusion detection, and prevention systems. Our infrastructure is regularly updated and regular vulnerability scans are in place to detect possible vulnerabilities. We have security event and incident management solutions to correlate and investigate signals in security tools. Servers are hardened and automated configuration tools are used to manage them. All workplaces are managed from a centralized endpoint management tool. Data at rest and in transit are encrypted. Encryption protocols are used according to the newest security practices.

Organizational Measures:
We have adopted information security and data processing policies according to best practices. We have external audits to prove our information security and data processing policies are up to standards. We adopted a constant development culture of security and data protection awareness among our employees (including organizing regular and ongoing training and other awareness activities). We analyze the threat landscape and attack surface and constantly update our security measures. Access to databases containing personal data is granted on a need-to-know basis.

Data Breach:
In the event of a data breach, we will notify the Partner and the relevant supervisory authority within 48 hours, as required by the GDPR, if the breach is likely to result in a high risk to your rights and freedoms. For users in California, in compliance with the CCPA, you will be notified if your unencrypted personal information is accessed by an unauthorized party. Partners will be notified without undue delay where we act as Processor.

While we employ robust security measures, we acknowledge the inherent challenges in guaranteeing absolute internet communications security. Users are reminded of their shared responsibility for information security when using our Services and Website. Any concerns about security can be reported promptly to us.

Data Retention

In cases where required, we only process personal data only for as long as it is necessary for the original purpose of collection or legal requirements. We determine the appropriate retention period for personal data based on the amount, nature, and sensitivity of the personal data being processed, the potential risk of harm from unauthorized use or disclosure of the personal data, if we can achieve the purposes of the processing through other means, and if the information is necessary for the execution of our legal rights, obligations and fulfillment of our other duties (for example, record and bookkeeping) as required by applicable laws. Vault content persists until End Users delete it or the applicable account is closed; due to our zero-knowledge design, we cannot access or restore deleted Vault content.

Data Subject Rights

Residents of the European Economic Area (EEA). If you are located in the EEA, you have the following rights under the General Data Protection Regulation (GDPR). To exercise any of these rights, please contact us as set out in Section (Contact Us).

Right of Access: You may request confirmation of whether we process your personal data and, if so, access to that data and certain information about our processing.

Right to Rectification: You may ask us to correct or supplement any inaccurate or incomplete personal data we hold about you.

Right to Erasure (“Right to be Forgotten”): You may request deletion of your personal data when it is no longer necessary for the purposes collected, or if you withdraw consent and no other legal basis applies.

Right to Restrict Processing: You may request that we suspend processing of your personal data where you contest its accuracy, or the processing is unlawful, or we no longer need it but you require it to establish, exercise or defend legal claims.

Right to Data Portability: You may request a copy of your personal data in a structured, commonly used, machine-readable format and transmit it to another controller where technically feasible.

Right to Object: You may object to our processing of your personal data where we rely on a legitimate interest (including profiling) or direct marketing. We will cease processing unless we demonstrate compelling legitimate grounds.

Right to Withdraw Consent: Where we process your data based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

Right to Lodge a Complaint: You may lodge a complaint with your local data protection authority if you believe our processing infringes GDPR. 

United Kingdom (UK GDPR). Similar rights apply under the UK GDPR; you may contact us if you require any information regarding your rights at the address provided below.

Canada (PIPEDA). If you are located in Canada, you may have the following rights under the Personal Information Protection and Electronic Documents Act (PIPEDA) and substantially similar provincial laws (e.g., in Alberta, British Columbia, and Quebec):

Right to Access: to obtain access to your personal information held by us, including information about how it has been used and to whom it has been disclosed (subject to limited exceptions).

Right to Rectification: to request correction of inaccurate or incomplete personal information.

Right to Withdraw Consent: to withdraw your consent to processing where consent is the basis, subject to legal or contractual restrictions and reasonable notice.

Right to Challenge Compliance: to challenge our compliance with PIPEDA’s principles and our policies and practices regarding handling of personal information.

Openness and Accountability: you may request information about our policies and practices relating to the management of personal information, including our use of service providers outside Canada.

Brazil (LGPD). If you are located in Brazil, you have the following rights under the Lei Geral de Proteção de Dados (LGPD):

Confirmation and Access: to confirm the existence of processing and access your personal data (provided immediately in simplified form or within 15 days in a detailed declaration).

Correction: to request correction of incomplete, inaccurate, or outdated data.

Anonymization, Blocking, or Deletion: of unnecessary or excessive data or data processed in non-compliance with the LGPD.

Portability: to another service or product provider, upon express request, in accordance with ANPD regulations and subject to our commercial and industrial secrets.

Deletion of Data Processed with Consent: you may request deletion of data processed on the basis of consent.
Information About Sharing: to be informed about public and private entities with whom we share data.

Information About Consent: to be informed about the possibility of not providing consent and the consequences of such refusal.

Revocation of Consent: at any time, by express manifestation, via a free and facilitated procedure.

Opposition: to processing carried out in cases other than consent where there is non-compliance with the LGPD.

Review of Automated Decisions:
to request review of decisions solely based on automated processing that affect your interests, including decisions intended to define personal, professional, consumer, or credit profile, or aspects of your personality.

Residents of California. If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA). To submit a request, please use the methods in Section (Contact Us):

Right to Know and Access: You may request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months, the sources, purposes and categories of third parties with whom we share it.

Right to Deletion: You may request that we delete personal information we collected from you, subject to certain exceptions.

Right to Opt-Out of Sale: You may request that we do not sell or share your personal information. We do not “sell” personal information for monetary consideration, but we may share information with our service providers. You can opt out by emailing at [email protected].

Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA rights. We may offer you different prices or services when permitted by law.

Right to Correct Inaccurate Information: You may request that we correct inaccurate personal information, considering the nature of the information and the purposes of processing.

Verification and Response: We will take reasonable steps to verify your identity before fulfilling any request. We will respond to your rights request within the timeframes required by applicable law (e.g., one month under GDPR, 45 days under CCPA, subject to one 30-day extension if needed).

To exercise any of the above rights, please contact: [email protected]

Minors’ Data

Our Services are intended for individuals 18 years of age or older, or as required by applicable laws in the relevant jurisdiction, who are capable of providing informed consent. We do not knowingly collect personal data from children under the age of 13 (or the minimum age required by applicable law) without verifiable parental consent, under the Children’s Online Privacy Protection Act (COPPA) and other applicable regulations. If you suspect that the information, including personally identifiable information, has been recorded or used to subscribe to our services by a minor. Parents or legal guardians must notify us immediately at [email protected].

Law Enforcement Requests

We may receive lawful requests from courts, law enforcement, or other authorities. We carefully review each request to verify legal validity and scope. Due to our zero-knowledge architecture, we cannot access or decrypt Vault contents and therefore cannot disclose them. Where allowed by law, we will notify the relevant Partner before disclosing any Personal Data.

Limitation Of Liability

As defined herein, the best and most robust information security architecture has been deployed to ensure a seamless user experience and protect user rights. However, in the unlikely event of a data breach, system failure, or any arising dispute, reasonable efforts shall be made to resolve the dispute in an amicable manner. The user understands that certain unavoidable risks arise in the normal course of business operations and that the Company or GZ Systems Ltd, and their affiliates shall not be liable (financial or non-financial), damages, or injury, whether direct or indirect, to the maximum extent permissible under applicable law, except in cases of gross negligence or willful misconduct resulting from your use of our service.

Governing Law And Dispute Resolution

This Privacy Notice and any dispute arising out of it shall be resolved in accordance with our Terms and Conditions available at the following link https://www.purewl.com/legal/password-manager-terms-of-service/. Nothing in this section limits your rights under applicable data protection laws to lodge a complaint with a supervisory authority.

Contact

For any questions or clarity on our Privacy Policy, please send your queries to [email protected] or to our Data Protection Officer at [email protected]

Updates

The Company may update its Privacy Policy from time to time. When changes are made that significantly impact how we process your personal data, we will notify you in advance through appropriate channels, such as in-app notifications, updates on our website, or via email of any material changes in our Privacy Policy. We encourage you to review this page regularly to stay informed about any updates. By continuing to use our services after changes have been made, you acknowledge and accept the revised Privacy Policy.

The date of the latest revision will always be displayed at the top of this page.