Privacy Policy
5dkey (Sitepics.app Pty Ltd ABN 12621764314) understands that protecting your personal information is important.
This privacy policy sets out our commitment to protecting the privacy of personal information provided to us, or collected by us, when interacting with you.
In this privacy policy, we may refer to you as you, end user, or user.
Information about Australia’s privacy guidance is available from the Office of the Australian Information Commissioner (OAIC).
5dkey is a credential management system and wallet designed to facilitate your access to buildings and other assets. 5dkey consists of the web management portal (5dkey web app or web portal) as well as iOS and Android apps (5dkey mobile apps). We collect only such information as is needed to provide our services to you:
- Log you into the web and/or mobile app.
- Distribute virtual cards and eKeys (credentials) to your wallet.
- Collect and store access control logs for security purposes.
- Optimise the performance of your device / wallet for the above-mentioned purposes.
Data we collect
When you are invited to the platform by a building manager, property manager or security manager (5dkey admin) we collect on the 5dkey web portal:
- Your name
- Mobile number
If your invitation is configured for ‘Bill to end user’ we also collect your address. This may be the address of the building you are accessing, not your residential address.
Where a virtual card (vCard) is distributed to your mobile device:
- IP address used by your phone or by access devices when they interact with our service (for security and for your protection);
- the friendly name that you have assigned to your mobile device (because it is typically personalized);
- Credential Information – information provided to us by the organization that owns Your Identity System to create the Virtual Credential that you will use for building or network access, such as the physical access control or network access credential data assigned by your employer to identify you via an existing employee badge, prox card or similar physical credential system;
- Details of access events which may include location data as per below.
Location Services
5dkey apps use location data in the background to log the location of devices you have been given access to. Access logs such as access granted or access denied events are typically collected by the back-end access control system, so location data is only used to supplement these logs to verify the location of assets (for example doors or printers) that you have been given access to. 5dkey apps do not otherwise collect or store your general location data.
Android app. Your device location data is used to discover and provide control of devices near you. You will still be able to badge your phone at card readers, for example to access doors; however, you will not be able to control a reader or device at a distance, such as a roller door from 10 m away.
Android and Apple devices. Location data may also be used to restrict access to readers and devices when you are outside the location in which you are authorised to access them. This applies only where this feature has been configured by your inviting organization.
Data we share with 3rd parties:
When you confirm your account on either the web app or the mobile app, you are doing so via our authentication systems partner Kinde. We share your email with Kinde for this purpose. Kinde also stores your password and may record your device ID and IP address for geolocation security purposes, for example to avoid unauthorised international log-in to your account. https://kinde.com/docs/important-information/privacy-policy/
Safetrust virtual credentials or vcards
‘Credential Manager’ and the associated ‘Wallet’ mobile application are designed to comply with global privacy legislation. This Privacy Statement provides you with information about how we protect and manage the Personally Identifiable Information (PII) that is provided and collected when you use our products. It also describes your rights and responsibilities with regards to the PII that is used by our products.
Because our products provide secure and accountable access to buildings or computer networks, we are required to process and maintain sufficient information to allow the organization that has invited you to use our products to positively identify you. You may accept this Privacy Statement either via the consent checkbox presented at your first log-in to the Wallet application or Credential Manager, or by using the consent mechanism provided to you in a third-party application that has incorporated this functionality into its product. Should you decide NOT to accept this Privacy Statement you will NOT be able to use our products.
Our products create and manage digital versions of identity credentials (“Virtual Credentials”) which supplement or replace the physical badges, smart cards, and similar tangible items that organizations currently use to enable building and/or network access. Typically an individual consumer (“User”) will be invited to use our building or network access mobile applications by a third party ‘organization’. For example, that organization might be the User’s employer, or the property manager, the owner of the gymnasium to which the User is a member, etc. In any case, that organization is responsible for specifying the policies and privacy controls that relate to the data that is collected when you use our products.
Our products use PII in accordance with global privacy legislation including the California Consumer Privacy Act (June 2018), European General Data Protection (April 2016) regulations and the Australian Government’s Privacy Act (1988). These regulations require that we clarify the following data privacy items in relation to our products:
- Our products use only the PII required to enable and monitor authorised access to sites and networks. The specific items of PII used by our products are described in the following section;
- Our products are designed to protect your PII and your Virtual Credentials by encrypting them so that they are protected when they are in the database, in transit, or on your mobile device;
- When the organization that has invited you to use our products deletes your account that triggers the automatic deletion of your operational information from our database;
- We retain essential audit information, in an encrypted form, for three years;
- We do not sell your PII to third parties. Your information is only shared with the organization that has invited you to use our products. Please note that the organization that invited you to use Credential Manager and the Wallet application will have its own Privacy Policy and is responsible for maintaining the controls in relation to their attitude to the sharing of PII.
You may be invited to use the Credential Manager and the Wallet application by more than one organization. If so, then your information is managed separately for each individual organization. In Credential Manager, each organization can set up one or more groups of access devices, such as door readers or turnstiles, that have similar access characteristics (“Identity Systems”), and you may be provided one or more Virtual Credentials for each Identity System in the same way as you would previously have had to carry a different key or access card for each building.
If you have an enquiry regarding the PII used by the products, please contact the organization(s) that invited you to use our products.
The information that we process
When you use the Credential Manager and the Wallet application, we collect and store the following Personal Information:
Some, or all, of this information will be provided to the Credential Manager Web Application by you when you create or activate an account on the Wallet, or it may be that some or all of this information will have been provided by the inviting organization.
In either case, your Personal Information is encrypted when it is stored in Credential Manager or transmitted. Access to this data is tightly controlled, logged and monitored, and it is restricted to the administrators of your Identity System and a small number of support staff who have this access for the purposes of assisting or supporting your Identity System administrators, or to periodically confirm compliance with our software license. Support staff and administrators are bound by contract with your Identity System owner, and by law, to keep this information confidential and use it only for legitimate purposes.
When you download the Wallet mobile application to your mobile device, we automatically collect information about your device including the type of device and its operating system. During operation we record whether Bluetooth is active. We use this information for support purposes.
In addition to the above information, we collect information based on your activities using our products. Specifically, when the Wallet mobile application interacts with the access control equipment in your employer’s or organization’s buildings or computer systems (e.g., a door reader or a USB reader), the Mobile Application records an “event” that details the nature of the interaction (“Event Data”) — e.g., at this date and time, you successfully obtained access to Door 713. The Mobile Application sends the Event Data back to the Credential Manager application, which may be used for monitoring and analysis purposes by the Organization that invited you to use the System.
How we use your information
Your information is only used for the purpose for which it was provided to us. Such purposes include:
- Processing changes to the Virtual Credentials that you use for access to buildings or networks;
- Monitoring for fraud or inappropriate activities;
- Responding to enquiries referred to us from the Organization that invited you to use the System should you have a problem that relates to Credential Manager or Wallet functionality;
- Providing the Organization that invited you to use the System with reader event information that can be used for business analysis purposes;
- Complying with our obligations to you and/or your employer/organization under our contract or applicable law;
- Quality assurance and training purposes.
We will not use your email address for marketing or unsolicited advertising without your consent. From time to time, however, we may email you to provide you with some operational information, or to advise you if we suspect unauthorized use of your account, or to advise you of any changes or updates made to your information where we feel that such a notification will ensure the security and integrity of the service.
Disclosure of your information
We manage the information provided to us in accordance with the policies specified by the Organization that invited you to use the System. Typically account data is synchronised between that Organization’s building system database and Credential Manager. We will only disclose PII and event data to the Organization that invited you to use the System.
We will respond to subpoenas, warrants, or other court orders regarding information concerning users of our products. We will, with discretion, disclose Personal Information if we are required to do so by law, where such disclosure is necessary to protect us from legal liability or to protect the integrity of our products and website. If your Identity System’s owner enforces procedures that affect such disclosures, we will abide by that agreement.
Security of your information
We take all reasonable steps (including all measures required by law) to ensure your information is protected and secure at all times. To enable Credential Manager, your data is stored in an encrypted database within the secure Amazon Web Services Hosting Environment and our encryption architecture ensures that Amazon employees do not have access to your Personal Information. Amazon has several data centers geographically spread around the world. Your data is currently stored in Amazon’s data center located in Sydney, Australia and in Northern California, USA. All Amazon sites provide consistent data and communications security services.
When your data is in use by the system, it is protected at all times. When in transit between the browser and the server, it is protected by the industry standard TLS protocol. Data stored on your mobile device is protected by encryption which leverages standard iOS and Android encryption technologies. However, no data protection and security measures are completely secure. Despite all the measures we have put in place, we cannot guarantee the security of your information, particularly in relation to transmissions over the internet. Accordingly, any information which you transmit to us is transmitted at your own risk.
You must take care to protect your information (for example, by protecting the username, password, and other account details related to your account, as well as enabling security features on your mobile device such as screen lock and, if available, biometric security features such as Apple’s TouchID and FaceID and similar features in Android). You should notify the administrators at your employer or organization as soon as possible if you become aware of any security breaches regarding your account or your Virtual Credentials. Please advise them as soon as possible if there are any changes to your Personal Information or if you believe the information we hold about you is not accurate, complete, or current.
We take all reasonable steps (including all measures required by law) to ensure your information is protected and secure at all times. To enable Credential Manager, your data is stored in an encrypted database within the secure Amazon Web Services Hosting Environment and our encryption architecture ensures that Amazon employees do not have access to your Personal Information. Amazon has several data centers geographically spread around the world. Your data is currently stored in Amazon’s data center located in Sydney, Australia. All Amazon sites provide consistent data and communications security services.
Retention and removal of your information
The Organization that invited you to use the System (the Data Controller) is responsible for ensuring that expired or unused accounts are deleted and will retain only the PII associated with active accounts. Audit records are retained for three years. The owner of each Identity System is responsible for notifying 5dkey when accounts are inactive or have expired. Upon such notification, 5dkey will remove these accounts within 90 days of notification.
How to contact us for questions, concerns or complaints
You should direct any privacy enquiries that you may have to the Privacy Contact Officer at the organization that invited you to use the Credential Manager and the Wallet application.
If you are unable to identify the inviting organisation you can contact 5dkey here
Revision of this Privacy Statement
We may revise this Privacy Statement or any part of it from time to time to ensure we remain compliant with data privacy regulations specific to your geographical location, including those specified in the California Consumer Privacy Act (June 2018), EU General Data Protection Regulation (GDPR) or Australian Government’s Privacy Act (1988).