V0.9 Last updated 26th February 2021
Data Protection General Statement:
This Data Protection Policy outlines Revoke’s commitment to its customers, suppliers and other individuals to operate its business activities in a manner which meets the compliance obligations of the Data Protection (Jersey) 2018 Law (“DPJL”) and the General Data Protection Regulation (EU) 2016/679.
Revoke understands and respects your right to privacy and we are committed to ensuring the confidentiality and security of your personal data and the personal data processing activities within our organisation by applying the appropriate technical and organisational measures required to achieve this objective.
This document covers the policies and procedures for processing personal data in a compliant manner and outlines the rights of the data subjects in respect of that data. The Privacy Notice below explains how we may use, process and store your personal data.
When you create an Account with us or use our Services, you enter into an agreement with us and are directed to this Privacy Policy and the Terms and Conditions which form part of that agreement. Each time you use your Account or our Services, or provide us with information, the processing of your Personal Data will be governed by the current version of this Privacy Policy and Terms and Conditions.
If you do not agree with the terms of this Privacy Policy or the Terms and Conditions, please refrain from creating an Account or using our Services.
Data Controller:
Revoke Limited trading as Revoke is the data controller of all personal data and data processing activities of its data protection app business. The company runs the “Revoke” app and associated services. It also operates the website www.revoke.com and www.atam.id websites. The company’s head office and Registered Office is located at Floor One, Richmond House, 8 David Place, St. Helier, Jersey, Channel Islands, JE2 4TD.
Revoke Limited is registered as data controller with the Jersey Office of the Information Commissioner and its number is 61116.
Reference documents:
Special notice regarding children:
Our Services are not directed to people under 16. We do not knowingly collect personal information from children under 16. If you become aware that a child had provided us with Personal Data without the proper consent, please contact us at dpo@revoke.com and we will take steps to remove such information and terminate the account as necessary.
Privacy Notice:
Scope of application:
This policy applies to our business activities and the personal data processing of the data subjects within the European Economic Area (EEA), UK, Jersey and Guernsey in the Channel Islands.
Personal data:
Personal data means any information relating to an identified or identifiable natural person. Revoke collects the following categories of personal information;
From Customers:
For Suppliers:
Note 1: Revoke does not collect or record credit/debit card information. All such payment transactions are dealt with by a third payment providers (Apple Pay, Google Play, City Pay), who operate to the highest security standards expected of such organisations.
Note 2: Please note that the list above is not exhaustive and Revoke may also collect and process personal data to the extent that it is necessary for the provision of our products and services performed under contract.
Purposes of data processing;
Revoke use the personal data noted above for the following range of activities;
Purpose | Lawful bases for processing |
---|---|
The provision of Revoke app services and sale of related services | Processing is undertaken in the performance of a Contract -i.e. the app services and sales transactions |
The provision of customer guidance and support services | Processing is undertaken in the performance of a Contract -i.e. the app services and sales transactions |
To act on your behalf when contacting third party organisations in the exercise of your data subject rights | Processing is undertaken once we have obtained your Contract to act for you. |
To send you notifications through the Revoke app or customer portal or SMS messaging communications or email, to keep you updated on the responses we have received in relation to the Revoke services you have requested from us | Processing is undertaken in the performance of a Contract i.e. the app services and sales transactions |
To act on your behalf when you request us to process communications regarding compensation claims against organisations which have breached your data protection rights | Processing is undertaken in the performance of a Contract i.e. the app services and sales transactions. |
To manage the operation of your subscription and services contract, and subscription payments | Processing is undertaken in the performance of a Contract i.e. the app services and sales transactions. |
To advertise and market our Revoke app services and features, and keep you updated on any new or existing customer services which may be available to you | Legitimate interest basis for Revoke to promote its business products and services. You have the right to object to such processing by contacting our data protection manager. |
Managing security and access controls to the Revoke app, Revoke’s computer systems, computer platforms, website and vendor related applications | Legitimate interest basis for Revoke to protect its business app, computer systems, platforms and website and vendor related applications. You have the right to object to such processing by contacting our data protection manager. |
Establishment and exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. | Legitimate interest basis for Revoke to protect and assert its legal rights and the legal rights of others. You have the right to object to such processing by contacting our data protection manager. |
Obtaining or maintaining insurance cover, managing risks, or obtaining professional advice. | Legitimate interest basis for Revoke to protect and assert its legal rights and the legal rights of others. You have the right to object to such processing by contacting our data protection manager. |
Comply with legal, tax and regulatory obligations. | In the performance of a task carried out in compliance with a Legal obligation. |
Please note that this list is not exhaustive and Revoke may also collect and process personal data to the extent that it is necessary for the provision of our services.
Data collection methods:
We collect personal data in the following ways;
Information collected:
Customer personal data will only be used by us where you are using our Revoke app and associated services.
The personal data collected is used to;
Personal data may be used for legitimate business interest of Revoke as indicated in this Privacy Policy.
Only personal data that is necessary for the purposes of assisting our customers with the provision of products or services as outlined above is actively collected.
Any other personal information is only passively collected and is processed in accordance with this Privacy Notice, or it may be collected and processed as required by law.
The Revoke app’s use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.
Recipients of data:
Personal data collected may be disclosed or transferred to;
If you choose to seek assistance and follow-up on the results of your dark web search, your data may be shared with Cyberscout if you provide approval to do so (if you separately engage them to examine your results and choose to provide them with further personal data beyond the reference number) and other third parties, if you choose to make a claim or commence other legal proceedings as a result of the data breach.
Third party service providers are bound by the requirements of the Data Processor Agreement obligations, where your personal data is to be processed to high standards of confidentially and with the required security standards and arrangements to be in place.
Security of your personal data:
As part of the Revoke customer onboarding process your personal identification data, Photo ID and any other biometric data, is encrypted once it has been expertly verified by our service provider. Revoke does not have access to your encrypted data as only you will have the required digital encryption key to access it.
Sharing your personal data with an organisation’s Data Protection Officer (DPO):
In order for your data protection request to be processed by those organisations you have selected in the Revoke app, their DPO may request access to view your encrypted verified personal identification to ensure you are who you say you are.
You will be asked to provide your explicit consent to allow the DPO to view your verified identification, as we need to be able to decrypt certain data in order for them to confirm its accuracy (e.g. email address, phone number). We also need to be able to send/provide access to view this information to companies with whom we are interacting on your behalf.
We use multiple rotating keys to encrypt your data; there is no master key. Your private key is never transmitted to our servers.
Only when you give your explicit consent will the DPO be able to view your verified identification. When we provide the DPO access to your verified identification we ensure that only the designated recipient of this information is able to access it.
It is the responsibility of the DPO to satisfy themselves that you are a customer or employee or ex-employee of theirs. In order to do this, they may ask for additional information from you, such as a date or amount of a previous bill, a previous address, or a customer number.
Social media platforms:
When we use social media platforms e.g. Facebook, Twitter, Instagram, we only operate it so as to promote our own business and we would not knowingly engage in activities that go beyond this scope. Customer (and other data subjects) are advised to refer to the respective privacy notices of these social media platforms to check your data protection and privacy rights. Revoke cannot be held responsible for third party social media platforms or websites activities.
Transfer and access to personal data:
Revoke will only transfer data outside of the EEA, UK, Jersey and Guernsey where it is necessary for the performance of the contract agreed by you.
Where the destination of the data transfer is outside the EEA, UK, Jersey and Guernsey and does not include a third country that has an “adequacy/equivalence” status, as recognized by the EU Commission, we would always ensure that appropriate safeguards are in place.
Revoke engages the services of those vendors who are operating under the respective data protection compliant agreements and where they are using Standard Contractual Clauses or are registered under the EU-US Privacy Shield arrangements, where appropriate.
Where we cannot guarantee these safeguards, we would always request your consent before the data is transferred.
Any transfer of data is done in a secure way and in compliance with Data Protection Laws.
Retention of data:
Revoke will only retain your personal data for as long as is necessary to fulfill the purpose for which it was collected.
Summary of the important data retention periods are as follows;
This is subject to the exception where the data cannot be deleted for legal or regulatory reasons.
Data subject rights:
Where a data subject in the European Union (or any “adequate/equivalent” status country) wishes to exercise their rights under applicable data protection laws, they should contact our Revoke’s data protection manager at dpo@revoke.com.
Data subjects have a number of rights available to them;
You can assert this right by accessing your personal Account or by contacting us directly via our website www.revoke.com or email dpo@revoke.com. We would request that any request to access personal data must be made to Revoke in writing and provide sufficient detail to identify the Personal Data that you are seeking.
If you are a registered user of our Services, we provide you with the tools to access or modify the personal data you provided to us and associated with your Account.
This right applies in certain specific circumstances; where accuracy of personal data is contested and the data controller needs time to verify details; where processing is deemed unlawful but the data subject opposes erasure and requests restriction instead; where there is an objection to data processing under legitimate interest legal bases and pending verification that the legitimate interest overrides the data subjects rights; purpose of processing is not longer valid but it is required by the data subject for establishment, exercise or defence of legal claims.
This right is available to data subjects to request exclusion from any direct marketing activities or communications, including profiling to the extent that it is related to such direct marketing activities, and to any automated means using technical specifications in context of information society services.
You can delete or request deletion of your Account and uninstall the Revoke app at any time. Revoke will not however be able to delete all our personal data to the extent that it is necessary to meet its legal obligations.
This is a new right and only applies to those processing activities that are conducted under the legal bases of Consent or on Contract and the processing is carried out by automated means. Your data can be transferred to another data controller or to you directly where technically feasible.
The data subject can object to automated decision making and profiling in certain circumstances and request human intervention in the decision making process.
Revoke does not make any decisions based on purely automated means, but if we do, you have a right to object.
Each data subject request to exercise the rights noted above will be reviewed against the requirements of the Data Protection (Jersey) Law 2018 and other relevant data protection laws, and in certain circumstances (e.g. restriction, erasure, objection, data portability) these rights may not be exercisable by the company. Full explanations will be given in such cases.
Making a complaint:
The Office of the Information Commissioner in Jersey, Channel Islands, is an independent statutory authority where you can make a complaint or learn more about data protection in Jersey. Their office is located at 2nd Floor, 5 Castle Street, St. Helier, Jersey, JE2 3BT. Their website is www.jerseyoic.org and telephone number is 01534 716530.
Security features:
Revoke is committed to ensuring the security of your personal data and has implemented appropriate commercially reasonable technical, physical and organizational measures to prevent unauthorized or unlawful processing of your personal data or accidental loss or destruction of your personal data.
Our Security Policy is available on our website at https://revoke.com/personal/security/.
Our website is encrypted using HTTPS (Hypertext Transfer Protocol Secure). In HTTPS the communication protocol is encrypted using Transport Layer Security (TLS). This provides a secure method of communication with us and any personal data uploaded onto our website is securely managed by our website data processor services.
Email communications are scanned using the latest version of anti-virus and malware software deployed by our business.Personal data held by Revoke is only available to authorised members of staff. No member of Revoke staff is able to access decrypted Photo ID or biometric data (Selfie).
Our computer systems have secure audit trails and we have robust back up capabilities in place to ensure that our services can continue uninterrupted for our customers.
Management and employees are trained in their data protection responsibilities and obligation to handle personal data in a confidential manner.
Change to this notice:
Revoke may update this Privacy Notice at any time. The updated notice will appear on our website www.revoke.com and www.atam.id and in our Terms of Business.
This Privacy Notice was last approved on 26th February 2021.
Contact details:
If you have any questions, concerns or complaints with respect to this Privacy Notice or the handling of your privacy or personal information, please contact our data protection manager at dpo@revoke.com.
We take security seriously which is why we’ve been assessed and certified for addressing cybersecurity effectively and mitigating the risk from Internet-based threats.