Last revised June 1, 2018
Our Commitment. We intend to comply with all applicable regulations and good commercial practices in collecting and handling personal data, including the European General Data Protection Regulation (GDPR). As an organization, we have subscribed to a set of principles to be followed by all of our personnel and any third parties who handle data when they help us provide services to customers or manage our business. In particular, we all commit:
- To process personal data fairly and lawfully
- To collect data only for specifically stated and legitimate purposes and to process the data only for these purposes
- To collect only the data that is relevant to and necessary for the purpose
- To retain personal data in identifiable form only for so long as we need to for the original purpose
- To put in place adequate organizational and technical measures to protect your personal data so that it cannot be accessed, deleted, altered or made unavailable by unauthorized parties
- To respect your wishes concerning communications and to remove your personal data from marketing or customer lists if you so request.
What information do we collect or process, and why? We collect and/or process different types of data and information for different purposes:
- Contact information. If you visit our websites or interact with our marketing and sales staff and express an interest in our products and services, we would like to know how to contact you and what your specific needs or interests are. So we ask you to provide some personal information, such as your name and job title, company, contact information including email address and phone number, and your communication preferences. We may also collect other information about your business and your interests in the Internet of Things in order to provide you with the most relevant information about us and our products and services. We use this information principally to respond to your inquiries and, depending on the communication preferences you indicated, we may also send you information about new products or services, special offers or other information that we think you may find interesting. We may also contact you for customer service or market research purposes.
- Registration, payment and device information. In addition to the information described above, when a customer first signs up for our products or services, we ask that they provide additional information for setting up and maintaining the account. Some of this will include personal data, such as contact details (names, job titles, phone numbers and email addresses) of authorized account representatives. We may also require payment information. In the course of using our services, we need to gather other information relevant to the products or services we’re being asked to provide, including information about devices and applications that will use our services. We use this information principally to provide products and services and to manage contractual relationships.
- Log and device data. We log and store certain types of information whenever you interact with us through the Aeris Sites or use a mobile application provided by us to access one of our services (“log data”). We also collect data in the course of providing services to customer devices (“device data”).
- Device Data. While providing services to customers and their devices, we collect a great deal of information that we believe is not personal data, including device IDs, time stamps, authentication records, location information, carrier service used, signal strength, the origin, destination, type and quantity of traffic passed and other operational data. If we reasonably determine that any device data could reveal information about a specific natural person, such as their location, we will protect it as we would any other personal data.
We use the log data from your visits to the Aeris Sites to comply with any requests or instructions that you give and to improve how we respond to your requests and how the Aeris Sites function. We use the device data collected from the use of our services to provide services, to diagnose problems with devices or our services, to provide customer support, to maintain and improve our network operations, to help prevent fraud and otherwise to operate our business. See “Analytics and Data Aggregation” below for additional information about uses of data.
- Contents of Cellular Transmissions. The actual contents of any SMS, data or voice transmissions made by customer devices over cellular networks are not accessed, viewed or stored by Aeris. These transmissions are made using standards-based security processes applicable to all cellular operators.
- Community Forum Data. If you post on any community forum or similar site that we sponsor to help customers and Aeris personnel communicate about issues of common interest, we may retain the content of posts as well as log data described above. You are encouraged to limit the amount of personal data you provide in your posts since they are publicly viewable.
- Data Relevant to Employment. If you apply for a position with any Aeris company, we and our third party service providers will collect information you provide in connection with your application, including contact data and other personal information such as employment history, together with information we create or request as we evaluate your candidacy including, if applicable, reference and background checks. If you join us, we will of course need to process other personal information relevant to your work with us, such as salary history, performance evaluations and benefits data. Generally, your information will stay in the country where you apply or work, although some data may be shared with other Aeris companies. Please see below.
- Sensitive Personal Data. Outside the employment context, where marital status is relevant, for example, for offering benefits, or nationality is relevant for determining right to work, Aeris does not collect “sensitive” personal data from customers or employees, such as data that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or that concerns health or sex life. If you believe any Aeris Site or Aeris employee has asked you for this information, please write to Privacy@aeris.net.
- Children’s Personal Data. We do not knowingly collect any personal information from children under the age of 13. If you are under the age of 13, please do not submit any personal information through the Aeris Sites. We encourage parents and legal guardians to monitor their children’s Internet usage and to help enforce this policy by instructing their children never to provide personal information through websites. If you have reason to believe that a child under the age of 13 has provided personal information to us through an Aeris Site, please contact us at firstname.lastname@example.org, and we will use commercially reasonable efforts to delete that information.
What is our legal basis for processing? We are establishing procedures to ask for consent prior to collecting any personal data from you, such as in connection with marketing activities or at Aeris Sites. We may also collect or process personal data where getting your consent is not reasonably practicable and we need the information to perform a contract with you (or your employer) or where processing is in the legitimate interests of Aeris or a third party and will not threaten your fundamental rights and freedoms. Where we rely on your consent to process your personal data, you have the right to withdraw your consent at any time, although in certain cases we may not be able to continue to provide services to you (or your employer) if we cannot use the personal data.
What is our policy regarding cookies?
- Cookies. Like many web sites, we use different kinds of “cookies” to collect information about your visits to the Aeris Sites. We use “persistent” cookies, small files stored on your hard drive, to make your future visits to the Aeris Sites more productive, such as by remembering some of your login information and your preferences. We also use “session-based” cookies that collect other log data as described above to help us analyze data about webpage traffic and to improve the Aeris Sites. Session cookies are deleted when you close your browser window. Cookies don’t contain any of your personal data. You can block cookies completely or adjust how your browser handles cookies, although blocking cookies may interfere with your use of some features of the Aeris Sites. We may also use web beacons, tags or scripts in order to count visits, evaluate usage and effectiveness of campaigns and the like.
What do we do with the information we gather? In addition to uses described above, we use this information for the following reasons:
- Marketing. We use contact and registration information and log data about your visits to Aeris Sites for several purposes, including customizing your interaction with the Aeris Sites according to your customer status and your interests. If you have consented to receive marketing communications, we may periodically send promotional emails about new products, special offers or other information that we think you may find interesting using the email address that you have provided. From time to time, we may also use your information to contact you for market research purposes.
- Operating, maintaining and improving our products and services. We use all of the information we collect to operate our business, provide products and services to you and our other customers and to develop, maintain and improve our products and services.
- Analytics and Data Aggregation. We analyze all log and device data as described above to understand how our services are operating, how to maintain and improve them, and to determine if there is information about patterns, correlations and trends that may be useful to us or to our customers or partners. If we move information outside of your secure account environment or our secure servers, such as to do analytics, we do so in a form that is intended not to permit personally identifiable information to be viewed, extracted or reconstructed (called, for convenience, “de-identified information”). In addition to our internal use, we may share results of our analysis or aggregated data containing de-identified information with third parties who use it for such purposes as industry analysis and demographic profiling. We may also sell products or services that incorporate or are based on results of our analysis or this aggregated information that has been de-identified.
How do we protect your personal data and where do we store it?
- Security. Data is at the heart of an IoT business, whether it is personal data or data about our customers’ devices. We use industry-standard measures to safeguard all data, and have a continuous process in place to test the effectiveness of these measures and to review the threat landscape and new tools available. You have a role to play in security as well, and we ask that you use prudent measures to protect against unauthorized access to your account information, including logging out of your account when finished, not sharing your login information and taking other customary security precautions appropriate for the situation. The type of organizational or technical measures we use to secure our systems and data may differ depending on the sensitivity of the data and our assessment of how accidental or unauthorized disclosure or use of the data could threaten the rights and freedoms of natural persons. If we become aware that the security of any of the personal information that we store or that is stored by our third party service providers has been compromised, we will comply with all applicable laws, including promptly notifying you if required by law.
- Special Laws. If you pay us by credit card, we and our payment processors protect your payment information in accordance with US laws establishing standards for payment card information. Unless we agree otherwise, however, the data security measures we take are not designed to comply with other laws applicable to specific types of businesses, such as the Health Insurance Portability and Accountability Act (HIPAA). Please contact Aeris if you need more information about this.
- Data Storage. We choose a storage location depending on the type of data:
- Marketing Information. If you share your information with an Aeris sales or marketing representative, your data is generally kept in the region where you are located or where the contact (such as a trade show or event) took place (e.g., US, EU, APAC). As we said earlier, we do use a CRM service, Netsuite, to help us manage our marketing and financial activities, and some of your personal data may be kept on Netsuite systems in the US. In addition, our staff do share limited information, which may include your contact information, to coordinate marketing activities and to make sure that you are interacting with the correct Aeris business function, such as finance, legal, support or engineering.
- End User Data. When we provide connectivity services, we do not require any personal data about our customers’ end users. Our customers are responsible for obtaining the consent for any collection and use of personal data from their end users. As the data processor for our customers, we may have access to or store personal data about end users of our solutions customers, such as automotive customers. We will agree with our solutions customers where this data will be stored (generally in the region where the end users are located, such as North America or the EU) and will put in place appropriate contractual commitments regarding security. If you are a customer or end user of one of our customers, you should ask your service provider for more information about how they collect and handle your personal data.
- Device Data. As we said earlier, device data rarely contains or needs to be treated as personal data. As we noted earlier, we do not intercept or keep the contents of any transmissions. The identifier numbers that we and cellular network operators use to identify a device are generally not, in an IoT context, associated with a natural person (unlike a consumer’s mobile phone number). Most device data for our connectivity customers is kept on our US systems even if the device activity occurs outside the US. Device data for solutions customers is often kept in a regional data store as agreed with the customer. If we determine that any device data should be treated as personal data (such as a government vehicle identification number used as a device identifier, or location data that identifies a single home), we will use additional security measures to protect that data appropriately and only use it for the permitted purposes.
- Data in Transit. Any traffic sent by or to a device using cellular networks is protected in accordance with cellular security standards, including in most cases encryption. Any data sent over the Internet is not necessarily secure unless it has been encrypted during transit or is sent over a secure channel, such as a VPN. An Aeris representative will be pleased to discuss when and whether a VPN is appropriate.
- Phishing. We are aware that there are people who may pose as legitimate businesses and try to trick you into disclosing personal information that can be used to steal your identity. We will not request your account login or password, your credit card information or any sensitive data that could be used to steal your identity, such as national identifying numbers, in an unsolicited or non-secure email or telephone call. If you believe that someone representing themselves as being associated with Aeris has requested this information in a contact that you did not request or initiate, please contact us immediately at email@example.com so that we may verify the identity of the person contacting you and the validity of the request.
With whom does Aeris share personal data?
- Access that you have. If you are a representative of one of our customers and have account access credentials, you can always access the account and review the information you have provided, including name, address, email address, phone number, payment information and other relevant account information. You can update this information directly or contact us for assistance. If you delete some or all of this information, then you may be prevented from accessing your account or using any services. Data relating to device activity and to actions that have been authorized by an account representative regarding those devices that is intended for viewing by customers may be accessed at our customer portal.
- Access by Aeris staff. We allow access to personal data only to those of our employees, consultants or service providers who have a need to access the information for a lawful purpose. We train our employees how to appropriately handle personal data and require that consultants and service providers do likewise.
- Access by other third parties. We may store your information with or allow access to your information to third parties who provide us with certain services, including website maintenance, database and cloud, customer support, payment processing, payroll and benefits management or other services. Our contracts with these third party providers only allow use of your information to provide these services and require that they not disclose it unless required in certain situations, like those described in the following paragraph. We review the security policies and practices of our third party service providers as appropriate as part of our own efforts to maintain the security of your information.
- Law Enforcement, Court Orders and Protection of Our Rights. We may disclose any of your information to government officials as necessary to comply with applicable laws and orders. If we receive a request to disclose any such information, we may do so if we believe in our reasonable discretion that such request is lawful and that disclosure is reasonably necessary to comply. We may also disclose your personal data to respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims.
- Other Disclosures. We may also disclose your information if we believe it is necessary in order to protect our property rights or rights of a third party, to protect the safety of any person or of the public or to prevent any activity that we believe is harmful, illegal or unethical. For example, we may need to use personal data in order to enforce our terms of service with customers and our workplace rules, or to engage in other business or corporate transactions. We will put in place appropriate security measures, such as non-disclosure agreements, whenever possible.
- How do you request copies of your personal data or ask to be “forgotten”? Generally, the only personal data we have is contact information for representatives of potential or current customers and employee data. If you would like a copy of that data, please contact us at firstname.lastname@example.org, and we will use reasonable efforts to give it to you in an appropriate format at no cost to you. To protect your privacy and security, we may take steps to verify your identity before complying with the request. If your request seems fraudulent or intended to harass us, we can reject it, and if it would require disproportionate technical effort (for example, developing a new system or fundamentally changing an existing practice), or would be extremely impractical (for example, requests concerning information residing on backup tapes), we may reject it or charge you a reasonable fee. If you wish to be “forgotten”, you can delete your account, opt-out of further marketing contacts, or ask for our assistance by writing to the same address. We may retain an archived copy of personal data to comply with law or for appropriate purposes, such as legal defense. If you are a customer or end user of an Aeris customer and wish to access or correct your personal data or wish to be forgotten, please contact that customer. We will respond to their request within 30 days.
How long do we keep personal data? We and our third party processors will keep personal data in our active operating systems only during the time that it is required for providing services to you or a customer. When it is no longer needed for that purpose, we may de-identify it and move it to another database for use in analytics. We may also keep copies in backup archives that are isolated from further processing until deletion is appropriate.