Last updated: December, 2023
1. What this Privacy Policy covers
This Privacy Policy describes how Aqua Security Software Ltd. (collectively with its affiliates, “Aqua Security”, “Aqua”, “we”, “our” or “us”) handles and protects the Personal Information (as defined below) it collects, receives and processes concerning individuals engaging with Aqua on behalf of our customers (including authorized signatories, procurement and billing contacts) (“Customer(s)”), Customers’ authorized users of the Platform (“User(s)”), its website visitors and prospects (“Prospect(s)”) (collectively, “you” or “your”) during the use of the Aqua Platform SaaS Offering and Aqua Platform Self-Hosted installation (collectively, “Aqua Platform”), Aqua’s websites (“Website”), and the related services to any of the foregoing (together with Aqua Platform and the Website, the “Services”).
Specifically, this Privacy Policy describes our practices regarding:
- What this Privacy Policy covers.
- Personal Information we process.
- How and why we use Personal Information.
- With whom do we disclose the Personal Information we collect.
- Tracking technologies.
- Retention of Personal Information.
- How do we safeguard your Personal Information.
- Your rights.
- Where is your Personal Information processed.
- Communications.
- Minors.
- Third Parties collection of Personal Information.
- Our role.
- Additional notices.
- Changes to this Privacy Policy.
If you are a Customer, User or Prospect, please read this Privacy Policy carefully and make sure that you fully understand it.
Please note that you are not legally required to provide us with any of your Personal Information, and may do so (or avoid doing so) at your own free will. By using our Services, you agree to the collection and processing of your Personal Information as described in this Privacy Policy. If you do not wish to provide us with your Personal Information, or to have it processed by us or any of our service providers, please simply do not visit or interact with our Services.
2. Personal Information we process
Personal Information is any information that identifies, relates to, describes an individual or that is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an individual (“Personal Information”). It does not include aggregated, de-identified or anonymized information that is maintained in a form that is not reasonably capable of being associated with or linked to an individual.
Specifically, we collect, disclose or otherwise process (including in the preceding 12 months) the following types of your Personal Information in relation to the Services:
| Category of Personal Information Collected | Example of Personal Information Collected |
| --- | --- |
| Identifiers | Full name, email address, IP address, device identifiers and/or other similar identifiers |
| Customer Records information | Telephone number |
| Internet or Other Electronic Network Activity Information | Browsing history, search history, information on an individual’s interaction with the Services, cookies, pixels, device fingerprinting |
| Geolocation Data | Location data including non-precise geolocation data (such as location derived from an IP address such as city or postal code) |
We collect the above-mentioned categories of Personal Information (including in the preceding 12 months) from the following categories of sources:
- Directly from you: We may process information which you provide us voluntarily in any forms and inquiries that you submit to us. For instance, when you communicate with us (e.g., when you ask to find more information about our Services), when you respond to communications from us, or share additional information about yourself through your use of the Services. We may also collect the feedback, suggestions, complaints and reports which you send to us. We also collect Personal Information when you register for an account with us: we collect your email address and other information that is required to identify you in our Services and permit you to access your account(s) and the Services offered by us. If you choose to sign up and log in to our Services via a third-party account (such as Google), we may have access to basic information related to such account, such as your full name, email address, username for that account, profile picture (or similar, depending on the third-party account), as well as any other information you made publicly available on such account or agreed to share with us. Please note that the Personal Information related to such an account will also be subject to the terms, conditions and restrictions of this third party. Hence, we recommend that you carefully read the terms and privacy policies of such third parties before connecting them to your use of our Services.
- Information collected automatically: We may generate Personal Information when you use the Services, such as data about your use of the Services, including connectivity, technical and aggregated usage data, data about your device log-in credentials to the Services, as well as other information which relates to your activity through the Services.
- Information received by third parties: We collect personal information about you from other sources such as our affiliates, partners, social networks with which you interact, or vendors, as well as from publicly available sources. Please note that when you directly engage with such third-party services, any aspect of that engagement that is not directly related to the Services and directed by Aqua Security is beyond the scope of Aqua Security’s Terms and this Privacy Policy, and their own terms and privacy policies will govern your use of those services.
3. How and why we use Personal Information
We use Personal Information as necessary for the performance of our Services (“Performance of Contract”); to comply with our legal and contractual obligations (“Legal Obligations”); and to support our legitimate interests in maintaining and improving our Services, e.g. in understanding how our Services are used and how our campaigns are performing, and gaining insights which help us dedicate our resources and efforts more efficiently; in marketing, advertising and selling our Services to you and others; providing customer services and technical support; and protecting and securing our Users, Customers, Prospects, ourselves and our Services (“Legitimate Interests”).
If you reside or are using the Services in a territory governed by privacy laws under which “consent” is the only or most appropriate legal basis for processing Personal Information as described in this Privacy Policy (either in general, based on the types of Personal Information you expect or elect to process or have processed by us or via the Services, or due to the nature of such processing) (“Consent”), your acceptance of our Terms and of this Privacy Policy will be deemed as your consent to the processing of your Personal Information for all purposes detailed in this Privacy Policy, unless applicable law requires a different form of consent. If you wish to revoke such consent, please contact us at [email protected].
Specifically, we collect and use Personal Information (including in the last 12 months) for the following purposes (and in reliance on the legal bases for processing noted next to them, as appropriate):
Customer, Prospect and User Personal Information
- To facilitate, operate, enhance, and provide our Services and all related features and functions (Performance of Contract; Legitimate Interests);
- To provide our Users and Customers with assistance and support, to test and monitor the Services, diagnose or fix technical issues (Performance of Contract; Legitimate Interests);
- To invoice and process payments (Performance of Contract; Legitimate Interests); and
- To personalize our Services, including by recognizing an individual and remembering their information when they return to our Services, and to provide further localization and personalization capabilities (Performance of Contract; Legitimate Interests).
- To gain a better understanding on how individuals evaluate, use, and interact with our Services, to utilize such information to continuously improve our Services, the overall performance, user-experience and value generated therefrom. We collect such information automatically through their usage of the Services (Legitimate Interests);
- To create aggregated, statistical data, inferred non-personal data or anonymized or pseudonymized data (rendered non-personal), which we or others may use to provide and improve our respective Services, or for any other business purpose (Legitimate Interests);
- To facilitate and optimize our marketing campaigns, ad management and sales operations, and to manage and deliver advertisements for our Services more effectively, including on other websites and applications. Such activities allow us to highlight the benefits of using our Services, and thereby increase your engagement and overall satisfaction with our Services. This may include contextual, behavioral and interests-based advertising based on Customers’, Users’ and Prospects’ activities, preferences or other data available to us or to our service providers and business partners (Legitimate Interests; Consent);
- To contact our Customers, Users and Prospects with general or personalized Services-related messages, as well as promotional messages that may be of specific interest to them (Performance of Contract; Legitimate Interests; Consent);
- To support and enhance our data security measures, including for the purposes of preventing and mitigating the risks of fraud, error or any illegal or prohibited activity (Performance of Contract; Legitimate Interests; Legal Obligation);
- To facilitate, sponsor and offer certain events, webinars and promotions (Legitimate Interests);
- To comply with our contractual and legal obligations and requirements, and maintain our compliance with applicable laws, regulations and standards (Performance of Contract; Legitimate Interests; Legal Obligation); and
- For any other lawful purpose, or other purpose that you consent to in connection with provisioning our Services (Legal Obligation; Consent).
We do not process your Personal Information to conduct automated decision-making.
4. With whom do we disclose the Personal Information we collect
We may disclose Personal Information in the following instances:
- With our service providers: We rely on certain trusted third-party service providers to power certain software features in certain versions or installation architectures, services and functions that make up the Services, such as to host the Aqua platform environments on third-party cloud platforms. We may also use outsourced personnel to perform technical and support functions that may involve access to Personal Information, and use third-party service providers for communications and content delivery networks (CDNs), data and cyber security services, billing and payment processing services, fraud detection, investigation and prevention services, session or activity recording services, call recording, remote access services, performance measurement, data optimization and marketing services, social and advertising networks, lead-generating and data enrichment providers, content, email, third-party customer support providers, and our legal, compliance and financial advisors and auditors. Our service providers may have access to Personal Information, depending on each of their specific roles and purposes in facilitating and enhancing our Services or other activities, and may only use the data as determined in our agreements with them.
- With Aqua Security affiliated companies: We may share Personal Information internally within our group, for the purposes described in this Privacy Policy;
- In the event of a merger, sale, change in control, or reorganization of all or part of our business. If we believe that such change in control might materially affect your Personal Information then stored with us, we will notify you of this event and the choices you may have via email;
- When we are required to disclose Personal Information to respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims;
- Where we have a good-faith belief sharing is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the rights, property or physical safety of any person, violations of our policies, or as otherwise required to comply with our legal obligations; or
- As you may otherwise consent from time to time.
Aqua Security shall only disclose your Personal Information to third parties that provide the necessary measures to safeguard the security of the Personal Information they process. Our service providers do not have permission to use Personal Information for any purpose other than to provide us the services we require.
5. Tracking technologies
We may use tracking technologies within the Services, such as log files, pixels and cookies.
A cookie is a text file placed on your hard drive and stored by your browser.
We use cookies, log files and similar tracking technologies to improve the user experience, analyze our performance and marketing activities, personalize your experience, improve and maintain the safety and functionality of the Services and to collect statistical or anonymous data about how you and other users use and interact with the Services. Some of the cookies are set by us, and some may be set by third parties (for example, Google Analytics).
The type of information collected may include (but is not limited to) internet protocol (IP) addresses, MAC address, device type, browser type, operating system type, Internet Service Provider (ISP), date/time stamp of Services use and user interface interactions.
Our Services use different types of cookies, including essential cookies which are necessary for the Services to function properly, preferences & functional cookies that enhance the functionality and personalization of the Services, performance & analytics cookies used for gathering analytics data on the Services usage and improving their performance accordingly, and targeting & advertising cookies to make ads more relevant to you based on your browsing habits.
You can control your cookie preferences, as applicable to the location from which you are using the Services, at any time by clicking the “Your Privacy Choices” button available in our website’s footer.
You can also manage your cookie preferences, and accept, remove or entirely block cookies, through your browser settings. If you choose to opt out of certain cookies, this will typically generate a new cookie which will preserve your choice, and indicate it to our Services in your next visits so that the cookies you opted out of will not be utilized.
Please note though that if you do block or restrict tracking technologies on your device, you will still be able to use the Services, but various features and functionality of the Services may be impaired.
You can find more information about how Google Analytics collects information and how you can control such use at: https://www.google.com/intl/en/policies/privacy/partners/.
Certain web browsers may transmit “Do Not Track” signals to websites with which the browser communicates. However, due to differences in how web browsers interpret this feature and send those signals, and lack of standardization, we do not change our practices in response to such “Do Not Track” signals. However, most browsers allow you to control cookies, including whether or not to accept them and how to remove them. You may set most browsers to notify you if you receive a cookie, or to block or remove cookies altogether.
Additionally, under some US data protection laws, like the CCPA, our sharing of certain internet activity and device information with third parties through cookies may be considered a “sale”, or “sharing” of personal information or use of cookies for targeted advertising. We do so in pursuit of the business and commercial purposes described in Section 3 above.
For the purposes of the CCPA, in the last 12 months, we have “sold” or “shared” Internet or other electronic network activity information, Geolocation Data, and Commercial Information of Users with our analytics and advertising partners and our Service Providers.
You may opt out of all cookies that may result in such a “sale” and/or “sharing” of your personal information under the CCPA in the following ways:
- Click the “Your Privacy Choices” button available in our website’s footer and follow the instructions presented there for opting out of these cookies, where such an option is applicable to your use of our Services.
- Set the Global Privacy Control (GPC) for each participating browser system that you use, to opt out of the use of cookies that may be considered a “sale”, or “sharing” of personal information under the CCPA (instructions on how to download and use GPC are available here).
Please note: If you visit us from a different device or browser, or clear your cookies, then you need to re-select your preferences.
We do not sell or use your personal information for targeted advertising under other US State privacy laws. However, to the extent applicable, including if a supervisory authority determines that our practices include the selling and/or sharing of your personal information, including for targeted advertising (as such terms are defined under applicable US State Privacy Laws, excluding the CCPA), and you would like to opt out of the “sale” or “sharing” of your personal information or the use of your personal information for “targeted advertising”, please contact us at [email protected].
6. Retention of Personal Information
We retain the Personal Information that we collect for as long as needed to maintain and expand our relationship, to provide our services to you and to comply with our legal or contractual obligations, resolve disputes and enforce our agreements (unless we are instructed otherwise). Retention periods will be determined taking into account the type of the Personal Information and the purpose for which it is collected, and the potential risk of harm from unauthorized use or disclosure of your Personal Information, bearing in mind the requirements applicable to the situation and the need to destroy outdated, unused Personal Information at the earliest reasonable time. Under applicable regulations, we may be required to keep records containing your Personal Information, account opening documents, communications and anything else as required by applicable laws and regulations.
7. How do we safeguard your Personal Information
Aqua Security takes appropriate administrative, technical, physical and organizational security measures to protect your Personal Information. We comply with the GDPR, CCPA and other applicable privacy laws and follow generally accepted industry standards to protect the Personal Information submitted to us, both during transmission and once it is received, taking into account the nature of such information and the risks involved in processing, and comply with applicable laws and regulations.
While we have taken reasonable steps to secure the Personal Information provided to us, please be aware that regardless of any security measures used, we cannot and do not guarantee the absolute protection and security of any Personal Information stored with us or with any third parties.
To learn more, please visit our Trust & Security webpage.
8. Your rights
Certain data protection laws provide individuals with certain statutory rights to their Personal Information, such as the EU and UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Such rights may include (to the extent applicable to you):
- The right to know/request access to your Personal Information and receive Personal Information we hold about you.
- The right to request rectification of your Personal Information that is in our control.
- The right to request erasure of your Personal Information.
- The right to object to or to restrict the processing of Personal Information by us, including the right to direct us not to “sell” or “share” your Personal Information, as such terms are defined under the CCPA.
- The right to obtain a copy or port such Personal Information.
- The right to equal services and prices (e.g., freedom from discrimination).
If you are a GDPR-protected individual, you also have the right to lodge a complaint with the relevant supervisory authority in the EEA or the UK, as applicable.
You can exercise your rights by submitting a request to [email protected].
Please note that when you ask us to exercise any of your rights under this Privacy Policy or applicable law, we may need to ask you to provide us additional information to verify your identity, to avoid disclosure to you of Personal Information related to others and to ask you to provide further information to better understand the nature and scope of data that you request to access. Such additional information may be then retained by us for legal purposes (e.g., as proof of the identity of the person submitting the request, or proof of request fulfillment).
If you are a California Resident, you may also designate an authorized agent, in written authorization or through a power of attorney, to request to exercise your privacy rights on your behalf. The authorized agent may submit a request to exercise these rights by contacting us at [email protected]. Note that we will not discriminate against you by withholding our Services from you or providing a lower quality of service to you for requesting to exercise your rights under the law.
9. Where is your Personal Information processed
Since we operate globally and may use service providers worldwide, including in the US, Europe, Israel and other locations as reasonably necessary for the proper performance of our Services, or as may be required by law, we may transfer your Personal Information outside your country of residence.
While privacy laws may vary between jurisdictions, Aqua Security is committed to protecting Personal Information in accordance with this Privacy Policy and customary industry standards, and such appropriate lawful mechanisms and contractual terms requiring adequate data protection, regardless of any lesser legal requirements that may apply in the jurisdiction to which such Personal Information is transferred.
For data transfers from the European Economic Area, Switzerland or the UK, we will transfer your Personal Information only to such countries approved by the European Commission, FDPIC and UK Information Commissioner’s Office (ICO) respectively, as providing an adequate level of data protection, or enter into Standard Contractual Clauses as approved by the relevant data protection authority. You can obtain a copy of these clauses by contacting us as indicated below.
10. Communications
We engage in Services and promotional communications, through email, phone, SMS and notifications.
Services Communications: We may contact you with important information regarding our Services. For example, we may send you notifications (through any of the means available to us) of changes or updates to our Services, billing issues, log-in attempts or password reset notices, etc.
Promotional Communications: We may also notify you about new features, additional offerings, events and special opportunities or any other information we think you will find valuable, as our Customer, User or Prospect. We may provide such notices through any of the contact means available to us, through the Services, or through our marketing campaigns on any other sites or platforms. If you do not wish to receive such promotional communications, you may notify us at any time by sending an email to [email protected] or by following any of the “unsubscribe”, “stop”, “opt-out” or “change email preferences” instructions contained in the promotional communications you receive.
11. Minors
We do not knowingly collect or solicit personal information from anyone under the age of consent (as determined under the applicable laws where the individual resides; “Age of Consent”). By accessing, using or interacting with our Services, you certify to us that you are not under the Age of Consent. In the event that we learn that we have collected Personal Information from an individual under the Age of Consent without verification of parental consent, we will delete that information upon discovery. If you believe that we might have any information from or about an individual under the Age of Consent, then please contact us through the contact details available below.
12. Third Parties Collection of Information
Our policy only addresses Aqua Security’s data processing practices with regards to Personal Information we process about you. To the extent you disclose, submit or otherwise transmit your information to third-party services, such third parties’ terms and privacy practices and policies apply to their use or disclosure of the information you disclose to them. Any aspect of that engagement which is not directly related to the Services and directed by Aqua Security is beyond the scope of Aqua Security’s Terms and this Privacy Policy. Accordingly, we encourage you to read the terms and conditions and privacy policy of each third party that you choose to disclose information to.
13. Our role
Aqua Security is the “data controller” of the Personal Information listed in Section 2 and assumes the responsibilities of a controller (solely to the extent applicable under the law), as set forth in this Privacy Policy. In such instances, our service providers processing such data will assume the role of “data processor”.
14. Additional notices
DPO: Aqua Security has appointed PrivacyTeam as our Data Protection Officer, for monitoring and advising on Aqua Security’s ongoing privacy compliance and serving as a point of contact on privacy matters for data subjects and supervisory authorities.
EU Representative: Aqua Security has designated Prighter as Aqua Security’s representative for the European Union for data protection matters pursuant to Article 27 of the GDPR. Inquiries regarding our privacy practices in the EU may be sent by email to [email protected], or by post to: Prighter at https://prighter.com/q/12156565510
UK Representative: Aqua Security has designated Prighter as Aqua Security’s representative in the United Kingdom for data protection matters pursuant to Article 27 of the UK GDPR. Inquiries regarding our privacy practices in the UK may be sent by email to [email protected], or by post to Prighter at https://prighter.com/q/12156565510
Questions, concerns or complaints: If you have any questions, inquiries, concerns, or requests regarding the use or disclosure of your Personal Information, please contact us at: [email protected].
15. Changes to this Privacy Policy
This Privacy Policy was last changed on the date set forth at the top of this Privacy Policy. Aqua Security may update this Privacy Policy from time to time and any such changes will become effective prospectively from the date of publication. Your continued use of the Services after the changes have been implemented will constitute your acceptance of the changes.