Privacy policy and GDPR

Effective date: March 11, 2025

Introduction

Your privacy is of paramount importance to us. At Passwork Europe SL ("we," "us," and "our"), we adhere to the principle of transparency and strive to provide you with complete information about how we process your personal data. This Privacy Policy explains what data we collect, how we use it, who we share it with, and what rights you have regarding your data. We recommend that you carefully read this document.

1. General

1.1 About this Privacy Policy

Passwork Europe SL takes your privacy matters very seriously. This privacy policy ("Privacy Policy") details how we receive, collect and use personal data in connection with our website passwork.pro (the "Website") and the related services and products provided through the Website (collectively, the "Service"). Please read this Privacy Policy carefully.

1.2 About the Service

The Service allows you to store all of your company passwords in protected vaults, collaborate with teammates, manage user rights, track all changes, monitor security and use one-click login.

1.3 Your consent

Before you submit any personal data through the Service, you are encouraged to read this Privacy Policy, which is always available on the Website, to understand the legal bases (other than your consent) we rely on when handling your personal data. In some cases, if required by the applicable law, we may seek to obtain your informed consent for the processing of your personal data. For example, your consent may be necessary if: (i) we intend to collect other types of personal data that are not mentioned in this Privacy Policy; (ii) we would like to use your personal data for other purposes that are not specified in this Privacy Policy; or (iii) we would like to transfer your personal data to third parties that are not listed in this Privacy Policy.

1.4 Children

We do not intentionally collect children's personal data unless parents decide, at their sole discretion, to provide such data to us. If you, as a parent or a legal guardian of a child, become aware that the child has submitted his/her personal data to us, please contact us immediately. We will delete your child's personal data from our systems without undue delay.

1.5 Term and termination

This Privacy Policy enters into force on the effective date indicated at the top of the Privacy Policy and remains valid until terminated or updated by us.

1.6 Amendments

The Privacy Policy may be changed from time to time to address changes in laws, regulations, and industry standards. We encourage you to review our Privacy Policy to stay informed.

When making substantial changes to the Privacy Policy, we will:

  • Post a prominent notice on our website 30 days before the changes take effect

  • Send an electronic notification to the email address associated with your account

  • Provide a summary of key changes at the beginning of the updated Policy

  • Indicate the date of the last update at the top of the document

Please review our Privacy Policy regularly. By continuing to use the Service after the publication of changes, you confirm your agreement with the updated Policy.

2. We as a Data Controller and Our Contact Information

The data controller responsible for processing your personal data through the Service is Passwork Europe SL, which has a registered business address in Barcelona, Spain. We act as a data controller because we make decisions about the personal data that needs to be collected through the Service and the purposes for which it is used.

For any questions and information about this Privacy Policy or our data processing practices, please contact us by email: [email protected].

3. We as a Data Processor

We act as a data processor with regard to the data submitted or generated by you through the Service for our processing, such as passwords ("Your Data"), and Your Data contains your or other individuals' personal data. We do not own, control, or make decisions about Your Data. We process Your Data only in accordance with the instructions issued by you, as our data controller. To ensure that Your Data is processed in accordance with the strictest data protection standards, we offer to conclude a data processing agreement with you. You can receive a copy of such an agreement by contacting us at [email protected].

4. When Do We Collect Personal Data?

We collect personal data on individuals who use the Service or if the collection of personal data derives from a legal obligation:

  • Most of the personal data is collected directly from you (for example, when you create your user account and/or use the Service).

  • Updates to the personal data may also be received from authorities, organizations, companies offering updating services, public directories and other public sources of information.

  • When visiting the Website or using the Service, certain technical and other information (which may be personal data) may be automatically sent by your computer to us (for example, your IP address, the type of your browser and the source of your visit).

  • We can also collect information about your Website usage by using cookies and other tracking technologies. Please refer to our Cookie Policy for further information.

  • Any or all of the activities with regard to Website usage information may be performed on our behalf by our service providers, including, for example, our analytics vendor(s) and our email management partner(s). For a list of our data processors, please refer to the "How do we share your personal data?" section.

  • In the event we make message boards and forums available to you (collectively, "Forums"), you will be solely responsible for the information and any other content you post on and through these Forums. You should be aware that when you voluntarily disclose personal data (for example, your name, email address, telephone number) on or through these Forums, such information is generally accessible to, and may be collected and used by, other users. This may result in unsolicited messages from third parties, and such messages are beyond our control. We do not exercise control over any users, and we are not responsible, nor do we have any liability whatsoever, for any collection or use of information you may disclose through the Forums. You are encouraged to exercise discretion when providing personal data about yourself in and through the Forums. Please do not post any personal data on the Website that you expect to keep private.

5. What Personal Data Do We Collect and For What Purposes Do We Use It?

We respect data minimization principles, meaning we collect only a minimal amount of personal data through the Service necessary to ensure the proper provision of the Service as described below. Your personal data is used for limited, specified, and legitimate purposes explicitly mentioned in this Privacy Policy. We do not use your personal data for any purposes that are different from the purposes for which it was provided. When processing personal data, we make sure that we do so by relying on one of the available legal bases. You can find more information about the legal bases below.

5.1 Legal Bases for Processing

We process your personal data only when we have a lawful basis to do so. In accordance with applicable law, this may be:

  • Contract performance: when processing is necessary to fulfill a contract with you.

  • Legitimate interest: when processing is necessary for our legitimate interests or those of a third party.

  • Legal obligation: when processing is necessary to comply with a legal obligation.

  • Consent: when you have explicitly consented to the processing of your personal data for one or more specific purposes.

  • Vital interests: when processing is necessary to protect your vital interests or those of another natural person.

  • Public interest: when processing is necessary for the performance of a task carried out in the public interest.

For each processing purpose stated below, we have identified the corresponding legal basis.

Demo Request Form

When you submit a request for a demo through our website, we collect your name, company name, business email address, and phone number. We use this information to contact you regarding your demo request, provide you with information about our Service, and maintain our business records. The legal bases on which we rely are 'pre-contractual measures at your request' and 'pursuing our legitimate business interests' (i.e., to promote our Service and respond to potential customers). We keep your personal data for up to 3 years after your last interaction with us, unless you request us to delete it earlier.

Inquiries

When you contact us by email, we collect your name, email address, and any information that you decide to include in your message. We use such data to respond to your inquiries. The legal bases on which we rely are 'pursuing our legitimate business interests' (i.e., to grow and promote our business) and 'your consent' (for optional personal data). We keep your personal data until you stop communicating with us.

Payments

When you make a payment, you will be asked to provide your email address, country, payment details (such as your name, credit card number, expiration date, security code, billing address, or PayPal details), company name, VAT number, and address. Please note that we do not process payments directly; this is handled by our third-party payment processors, Paddle and PayPal. Your payment data is used to process your payments, issue invoices, and maintain our business records. The legal bases on which we rely are 'performing a contract,' 'pursuing our legitimate business interests' (i.e., administering our business), and 'complying with our legal obligations'. We keep your personal data for 7 years, as required by tax law.

IP Address

When you use the Website, we or our third-party analytics service providers (as explained below) collect your IP address. We use your IP address to analyze the technical aspects of your use of the Website, prevent fraud and abuse of the Website, ensure the security of the Website, and tailor the Website for your location. The legal basis on which we rely when processing your IP address is 'pursuing our legitimate business interests' (i.e., to analyze and protect the Website). We keep your IP address data for 90 days.

Cookies

When you browse the Website, we collect your cookie-related data. For more information about the purposes for which we use cookies, please refer to our Cookie Policy, which also specifies the duration of cookie validity. The legal bases on which we rely are 'pursuing our legitimate business interests' (i.e., to analyze and promote our business) and 'your consent' (for non-essential cookies).

5.2 Sensitive Data

We do not collect or have access to any special categories of personal data ("sensitive data"), unless you decide, at your own discretion, to provide such data to us. Sensitive data is information that relates to your health, genetics, biometrics, religious and political beliefs, racial origins, membership of a professional or trade association, sex life, or sexual orientation. If you provide us with such sensitive data or Your Data contains the said sensitive data, we will process such data for the purpose of fulfilling our contractual obligations. As soon as the processing is completed, we will securely delete it from our systems.

5.3 Processing of Your Data

When you upload or create Your Data on the Service, we process Your Data as requested by you, including any personal data it may contain. Your Data may contain the following information: passwords and company information. We process Your Data in order to (i) provide you with the requested services and (ii) perform our contractual obligations. The legal basis on which we rely is 'performing a contract with you'. Once the processing of Your Data is completed, we will securely delete it from our systems.

5.4 Refusal to Provide Personal Data

If you refuse to provide us with your personal data when we request it, we may not be able to perform the requested operation, and you may not be able to use the full functionality of the Service or receive our response. Please contact us immediately if you believe that any personal data that we collect is excessive or unnecessary for the intended purpose.

6. What Non-Personal Data Do We Collect?

6.1 Usage Data

When you use the Website and/or Service, we receive and store certain technical non-personal data, such as the total number of visitors to our Website, the number of visitors to each page of our Website, device and browser information, as well as Service usage data. We cannot use this information to identify you. It is important to note that no personal data is available or used in this process. We collect such information to better understand user behavior and trends and to detect potential outages and technical issues. All log analysis is conducted in an anonymous, aggregate and non-personally identifiable manner.

6.2 Aggregated Data

In a continuous effort to better understand and serve our users, we conduct research on user demographics, interests and behavior based on the personal data and other information provided to us. We compile and analyze this research on an aggregate basis and may share this aggregate data with our data processors. This aggregate information does not identify you personally. Additionally, we may disclose aggregated user statistics to describe our services to current and prospective business partners and other third parties for lawful purposes.

7. How Do We Disclose and Transfer Personal Data?

7.1 Our Data Processors

Due to technical and practical requirements, some of the personal data may be processed by our data processors located outside your jurisdiction, or on servers outside your jurisdiction operated by our processors. If any personal data is transferred outside your jurisdiction, we ensure that the country to which the personal data is transferred provides an adequate level of privacy protection, or we use appropriate contractual safeguards approved by relevant authorities, such as the Standard Contractual Clauses adopted by the European Commission.

The disclosure and transfer of your personal data is limited to the instances when it is necessary to ensure the proper operation of the Service, provide you with requested services or information, pursue our legitimate business interests, enforce our rights, prevent fraud and ensure security, or fulfill our contractual obligations. Our data processors include:

  • Our hosting service provider Amazon Cloud located in the USA;

  • Our newsletter service providers SendInBlue located in France and MailerLite located in Lithuania;

  • Our marketing service provider Bitrix24 located in the USA;

  • Our analytics service provider Google Analytics located in the USA;

  • Our payment service providers Paddle and PayPal located in the USA;

  • Our independent contractors and advisors.

All our data processors are bound by data processing agreements that include appropriate safeguards for the protection of personal data in accordance with GDPR requirements.

7.2 Disclosure of Technical (Non-Personal) Data

Your technical (non-personal) data may be disclosed to third parties for various purposes. For example, we may share it with prospects or partners for business or research purposes, to improve the Service, respond to lawful requests from public authorities, or develop new products and services.

7.3 Legal Requests

If contacted by a public authority, we may need to disclose information about you to the extent necessary for pursuing a public interest objective, such as national security or law enforcement.

7.4 Successors

In case the Service is sold partly or fully, we will transfer your personal data to a purchaser or successor entity and request the successor to handle your personal data in accordance with this Privacy Policy. We will notify you of any changes to the data controller.

7.5 Selling Personal Data

We do not sell your personal data to third parties. However, some of your personal data, including online identifiers (e.g., cookie-generated data and IP addresses), may be used for advertising, marketing, and monetization purposes (e.g., programmatic advertising, retargeting, third-party marketing, profiling, or cross-device tracking). To ensure that you have full transparency and control over your personal data, we provide you with a possibility to manage your personal data used for such purposes as described in our Cookie Policy.

8. How Long Do We Store Your Personal Data?

8.1 Retention of Personal Data

We store your personal data in our systems only for as long as such personal data is required for the purposes described in this Privacy Policy or until you request us to delete your personal data, whichever comes first. After your personal data is no longer needed for its primary purposes and we do not have another legal basis for retaining it, we securely delete your personal data from our systems.

Specific retention periods for different data types:

  • Account data: for the duration of your account and for 30 days after deletion

  • Payment data: 7 years in accordance with tax law requirements

  • Log data: 90 days

  • Marketing data: until you withdraw your consent

  • Cookies: depending on the type, from session to 2 years (details in the Cookie Policy)

8.2 Retention of Technical (Non-Personal) Data

We retain non-personal data pertaining to you for as long as necessary for the purposes described in this Privacy Policy. For example, we may store such data for the period of time needed for us to pursue our legitimate business interests, conduct audits, comply with (and demonstrate compliance with) legal obligations, resolve disputes and enforce our agreements.

8.3 Retention as Required by Law

In certain cases, we are required by law to retain your personal data for a specific period of time (e.g., for accounting records). Thus, we keep your personal data for the duration stipulated by applicable law and securely delete it once the required storage period expires.

9. How Do We Protect Your Personal Data?

We use technical and organizational measures to protect your personal data against unauthorized access, transfer, deletion or any other handling that may compromise information security. These measures include:

  • Encryption: All data is transmitted over secure connections using TLS and stored in encrypted form

  • Multi-factor authentication: For access to systems containing personal data

  • Access control: Strict access policies based on the principle of least privilege

  • Monitoring: Continuous monitoring of systems to detect suspicious activity

  • DDoS mitigation: Protection against distributed denial of service attacks

  • Regular audits: Independent security audits of systems and processes

  • Staff training: Regular training of employees on data protection issues

  • Incident management: Structured data incident response processes

  • Backup: Regular creation of encrypted backups to ensure data integrity

Only authorized personnel appointed by us and our processors have access to and use your personal data. We adhere to the highest information security standards as part of our commitment to protecting your information.

9.1 Notification of Breach

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you promptly about the nature of the breach, the likely consequences of that breach and the steps you can take to mitigate the potential consequences of that breach.

10. How Can You Manage Your Personal Data?

You may at any time contact us to exercise the following rights (unless, in very limited cases, the applicable law provides otherwise):

  • Right to rectification: You can rectify any inaccurate personal data that we hold about you;

  • Right to erasure ('right to be forgotten'): You can ask us to erase your personal data from our systems;

  • Right to restriction: You can ask us to restrict the processing of your personal data;

  • Right to object: You can ask us to stop processing your personal data;

  • Right to withdraw consent: You have the right to withdraw your consent, if you have provided one;

  • Right to complain: You can submit your complaint regarding our processing of your personal data.

For EU/EEA residents, additional GDPR rights are detailed in Section 14.6 of this Privacy Policy.

Please note that any requests for access to your data or data portability may be subject to verification of your identity, applicable legal requirements, technical feasibility, and our operational capabilities. Such requests will be evaluated on a case-by-case basis.

The request must be made in writing and it must be signed. If you would like to exercise any of your rights, please contact us by email or by post (details provided in section 2 of this Privacy Policy) and explain your request in detail. To verify your request, we may ask you to provide identifying information that allows us to identify you in our system. We will respond to your request within a reasonable time frame, but no later than 30 days.

10.1 Complaints

If you wish to file a complaint regarding our processing of your personal data, we kindly request that you first contact us to express your concerns. Upon receiving your complaint, we will investigate promptly and provide you with our response. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.

10.2 Non-Discrimination

We do not discriminate against you for exercising your rights. This means we will not (i) deny goods or services, (ii) charge different prices, (iii) deny discounts or benefits, (iv) impose penalties, or (v) provide lower quality services.

11. How Do We Communicate With You?

11.1 Newsletters

We may occasionally send you newsletters to update you on Service developments and special offers. You will receive our newsletters by email in the following instances:

  • If you give us your explicit ("opt-in") consent to receive marketing messages;

  • If you voluntarily subscribe to our newsletter;

  • If we decide to send you information closely related to services you already use.

11.2 Opting-Out

You can opt out of receiving our commercial communications at any time, free of charge, by clicking on the 'unsubscribe' link provided in each newsletter or by contacting us directly.

11.3 Tracking Pixels

Our newsletters may include tracking pixels that allow us to conduct analysis of our marketing campaigns. Tracking pixels allow us to see whether you opened the newsletter and which links you clicked on. We use this information for analytics to support our legitimate business interests.

11.4 Service-Related Notices

If necessary, we will send you important informational messages, such as the Service updates, technical emails and other administrative updates. Please note that such messages are sent on an "if-needed" basis and they do not fall under commercial communication that requires prior consent. You cannot opt out of receiving these service-related notices.

12. Third-Party Sites and Privacy Practices

The Website may contain links that will let you leave the Website and access another website. Websites linked to or from the Website are not under our control, and these websites may have different privacy policies. This Privacy Policy applies exclusively to personal data acquired through the Website or through your use of the Service, and/or your interactions with us. We encourage you to exercise caution when entering personal data online. We do not assume any responsibility or liability for these external websites.

13. Applicable Law

This Privacy Policy is governed by and construed in accordance with the laws of Spain, without regard to its conflict of law provisions. Any disputes arising in connection with this Policy shall be subject to the exclusive jurisdiction of the courts of Spain.

If any provision of this Policy is found to be invalid or unenforceable, the remaining provisions will remain in effect. This Policy does not limit any rights you may have under the laws of your country of residence.

14. GDPR Compliance

14.1 Our Commitment to GDPR

By setting high data protection standards, the General Data Protection Regulation (EU) 2016/679 (GDPR) is designed to protect the fundamental human right to privacy. When offering our software solutions under the brand 'Passwork', including, without limitation, the on-premises version of Passwork, we strive to ensure that any personal data processed through Passwork is handled in a lawful, fair, and transparent manner. We are also committed to helping our clients understand how we comply with the GDPR.

To comply with our obligations under the GDPR, we have updated our policies and procedures and made them available for your consultation at any time.

14.2 How We Comply with the GDPR

The GDPR's requirements are significant and our team has adapted our services, operations, policies, and contractual commitments to help us and our clients comply with the requirements set by the GDPR. The measures that we have implemented include, but are not limited to:

  • Investments in our security infrastructure;

  • Updates to relevant contractual terms;

  • Support for international data transfers by means of our data processing agreements offered to our clients (the "DPA") and data processing agreements concluded with our data processors; and

  • Offering data portability and data management tools, including data import, export, amendment, and deletion tools whereby our clients may access, import, export, update, and delete their data through their interface.

We also monitor the guidance around GDPR compliance from privacy-related regulatory bodies and update the features of Passwork and our contractual commitments accordingly. We provide regular updates regarding our data protection practices to ensure you stay up-to-date.

14.3 Our Role under the GDPR

As a provider of Passwork, we act both as a data controller and data processor. Our role depends on the specific situation that involves the processing of personal data:

  • Data Controller: We act as a data controller when we collect information through our Demo Request Form, for payment processing purposes, or if you contact us directly. As a data controller, we comply with our obligations and remain solely responsible for the personal data obtained directly from our clients.

  • Data Processor: We act as a data processor in situations when our clients conclude a service contract with us and certain personal data is submitted, uploaded, generated, or otherwise processed by our clients through Passwork. In such cases, the obligations applicable to data processors under the GDPR apply to us. To ensure that we process personal data on behalf of our clients in compliance with the GDPR, we offer our Data Processing Agreement (DPA), a copy of which is available by contacting us at [email protected].

14.4 Our Security Infrastructure

Protecting personal data belonging to our clients and processed on their behalf is of utmost importance to us. Therefore, we have set high standards for security and take administrative, organizational, and technical security measures to protect personal data submitted through Passwork from loss, misuse, unauthorized access, and disclosure. The security measures implemented by us include:

  • Maintaining adequate access control mechanisms (e.g., two-factor authentication, password protection, and limited access) covering any systems, servers, or files in which personal data is stored;

  • DDoS mitigation;

  • Using SSL encryption for any transmission of personal data electronically;

  • Limiting access to personal data by our officers, directors, employees, consultants, and representatives to specific purposes only; and

  • Adhering to the highest information security standards and conducting regular information security audits.

We also make use of technology partners and third-party service providers who are carefully selected as complying with the highest data protection and information security standards.

14.5 International Data Transfers

The GDPR sets strict requirements for the transfer of personal data outside the EU. To ensure that EU residents' personal data remains safe and secure, the GDPR allows such international transfers only if certain safeguards are implemented, such as (the list is not exhaustive):

  • The third country is deemed by the EU as ensuring an adequate level of protection;

  • Standard Contractual Clauses govern such transfers;

  • Approved certification mechanisms are used; or

  • Approval from data protection supervisory authorities is received.

To comply with the GDPR requirements and ensure that personal data processed through Passwork by our clients remains secure, we offer our DPA based on the latest Standard Contractual Clauses adopted by the European Commission to meet adequacy and security requirements for our clients who operate in the EU or submit EU residents' personal data through Passwork. The DPA is available by contacting us at [email protected].

14.6 Additional GDPR Rights

Under the GDPR, European Union residents have certain rights regarding their personal data, including:

  • Right of access: You can request a copy of your personal data that we store

  • Right to rectification: You can correct any inaccurate personal data we hold about you

  • Right to erasure ('right to be forgotten'): You can ask us to delete your personal data

  • Right to restriction of processing: You can ask us to restrict how we use your data

  • Right to data portability: You can request a copy of your data in a structured, commonly used format

  • Right to object: You can object to certain types of processing, including profiling

  • Rights related to automated decision-making: You have rights regarding automated decisions with legal effects

For all GDPR-related inquiries, please contact us at [email protected].

15. Policy Change History

Version 2.0 — March 11, 2025

  • Updated information on data subject rights

  • Added details on data retention periods

  • Enhanced security measures

  • Updated list of data processors

  • Added comprehensive GDPR compliance section

  • Updated company information and contact details

Version 1.0 — August 2, 2021

  • Initial publication of the Privacy Policy