Virtru Values Your Privacy and Security

This Privacy Policy describes our practices in connection with information
that we collect from you when you use Virtru.

Our Principles

Transparency. We only use and share information about our users as spelled out in our Privacy Policy or other notices or in the agreements under which we provide the Services. We want you to know how we use your information, and to avoid any surprises.

Sensible Defaults. Our default user settings try to balance user experience and privacy in as sensible a fashion as we can.

Data Security. Security is our business.We use reasonable organizational, technical and administrative measures to protect personal information under our control.

Choice. We let our users know when and how we collect information and we are designing our Services to offer our customers choices about how their information is used.

Limited Collection of Data. We seek to collect and retain the least amount of user data necessary for the functioning, security, and effective operation of our business.

Working with Partners. We make privacy a key factor in selecting service providers who have access to Personal Information.

Our Privacy Policy

Last Updated: December 28, 2020

This Privacy Policy describes our practices in connection with information that we collect from you when you use our website at www.virtru.com (the “Site”) or our hosted encryption, access control and revocation services (the “Services”).

“Personal Information” means:

  • Information that identifies you, like your name or email address; or
  • Information that, when combined with other information, could reasonably identify you.

Information We Collect

Any information you provide to us or to our third party service providers:

When visiting our Site

  • When you use our Site, for example, when you contact us, sign up for a newsletter, download informational content (such as whitepapers), or register to attend an event or webinar, we collect identifiers, such as your name, email address, and telephone number, if you choose to provide such information to us.

When paying for our Services

  • We may collect identifiers when you register for our paid Services, such as your full name and billing address, and a third party payment services provider will collect and store your credit card number and/or any other financial information required to process payment card transactions on our behalf, in which case your information will be subject to the third party’s privacy policy, rather than this Privacy Policy.
  • We also may collect identifiers and professional or employment-related information, such as your name, company name and size, and your business telephone number and email address.

When voluntarily engaging with Virtru

  • If you interact with Virtru online or offline e.g., when you visit our company, attend an event, or contact customer service, we may also collect any other information you voluntarily provide to us.

Identifiers and Internet or other electronic network activity information automatically collected through our Site and Services:

Data that drives the Services

  • When you use our free or paid Services, we collect key access policies and application activations (“Virtru Application Data”). We store Key Access Policies for each message or file you secure, as well as all updates to those Policies, such as revocation and adding or removing authorized users. Key Access Policies include the minimal metadata required to enforce the policy, such as authorized user email addresses, encryption keys and expiration date/time as well as a “Display Name” per policy for use in the online dashboard, which may be a file name or email subject line. We also store a list of which applications that have been activated for use by each user, as well as when those activations expire.

Data to ensure the Site and Services function correctly

  • Certain information is collected by most browsers and sent to web servers so that sites can behave reliably, such as your computer type (Windows or Mac), screen resolution, operating system name and version, device manufacturer and model, language, Internet browser type and version and the name and version of the Services (such as the App) you are using.
  • An Internet Protocol (IP) address is a number that is automatically assigned to the computer that you are using by your Internet Service Provider (ISP), and is identified and logged automatically in our server log files whenever a user visits the Site, along with the time of the visit and the page(s) that were visited. We use IP addresses for purposes such as calculating Site usage levels, helping diagnose server problems, and administering the Site and Services. We may also derive your approximate location from your IP address.
  • Cookies allow a web server to transfer data to a computer for record keeping and other purposes. We and our service providers use cookies and other technologies to, among other things, better serve you with more tailored information and facilitate your ongoing access to and use of the Site, as well as for online tracking purposes. If you do not want information collected through the use of cookies, there is a simple procedure in most browsers that allows you to decline the use of cookies. For further information about our use of cookies, please visit our Cookie Policy.

Data for business metrics

  • The downloading of images embedded in the introduction template for Services may be used for internal business metrics such as click-through rates and to measure the success of our marketing campaigns.
  • Pixel tags (also known as web beacons and clear GIFs) may be used to, among other things, track the actions of users of the Site and Services (including email recipients), measure the success of our marketing campaigns, and compile statistics about usage of the Site and Services and response rates.

From Other Sources:

  • We may receive information about you from other sources, for example, publicly available databases.

Help Us Minimize Data Collection

  • Unless we request it, we ask that you not send us, and you not disclose, any sensitive Personal Information (e.g., social security numbers, information related to racial or ethnic origin, political opinions, religion or other beliefs, health, biometrics or genetic characteristics, criminal background or trade union membership) on or through the Services or otherwise to us.

The Site and Services are not directed to and we do not knowingly collect Personal Information from individuals under the age of sixteen (16). We request that these individuals not provide Personal Information through the Site or Services.

How We Use Information

We may use information, including Personal Information, for the following purposes:

Communicating with you

  • To respond to your inquiries and fulfill your requests, such as to send you email updates you have requested or information regarding the Services, changes to our terms, policies or other administrative announcements, when necessary to manage our contractual relationship with you, to comply with a legal obligation, or based on our legitimate interests.
  • To send you communications regarding additional services that may be of interest to you, when you have given consent or based on our legitimate interests.

Processing your payments

  • To process your payments, provide you with the products or services you have purchased, communicate with you regarding your purchase and provide you with related customer service, when necessary to manage our contractual relationship with you, to comply with a legal obligation, or based on our legitimate interests.

Administering our Site and Services

  • To administer the Site and Services, including performing security analyses to verify that the Services are working properly and have not been compromised, based on our legitimate interests.

Operating our business

  • For our internal business purposes, such as data analysis, audits, developing new products, enhancing our website, improving our services, identifying usage trends and determining the effectiveness of our promotional campaigns, when necessary to manage our contractual relationship with you, to comply with a legal obligation, or based on our legitimate interests.
  • Any other purpose when in de-identified or aggregate form, e.g., to calculate the percentage of our users who have a particular telephone area code.

Where we need to collect Personal Information by law or under the terms of a contract we have with you and you fail to provide that information when requested, we may not be able to perform the contract we have or are trying to enter into with you. In this case, we may have to cancel the Services, but we will notify you before doing so.

If you wish to have more information regarding the legitimate interests we rely on, please contact us in accordance with the “Contacting Us” section below.

When We Disclose Personal Information

Virtru does not sell your Personal Information.

We may disclose Personal Information:

When operating our business

  • To our subsidiaries and affiliates.

When third party provider support our services

  • To our third party service providers to facilitate services they provide to us. These can include providers of services such as website hosting, data analysis, payment processing, order fulfillment, information technology and related infrastructure provision, customer service, email delivery, auditing, and other services.

When required by law

  • As required to comply with applicable law and regulations and to cooperate with public and governmental authorities (this can include laws and authorities outside your country of residence), including law enforcement. We will handle any government requests for encryption keys in accordance with our Frequently Asked Questions on Government Surveillance.

When necessary for legal reasons

  • If necessary to enforce obligations under our terms and conditions and when it is reasonably necessary to protect the rights, property or safety of you, our other users, Virtru or the public.

When our organizational structure changes

  • To third parties in the event of any reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings). Such third parties may include, for example, an acquirer and its advisors.

When we have received your permission

  • In other circumstances when we tell you and you consent to the disclosure.
  • Without restriction when in de-identified or aggregate form.

In the last twelve (12) months, we have disclosed:

  • Identifiers and professional or employment-related information to subsidiaries, affiliates, and third party service providers.
  • Internet or other electronic network activity information to third party service providers.

Third Party Sites

This Privacy Policy does not apply to information collected by any third party through any website, application, or content that may link to or be accessible from the Site. The inclusion of a link on the Site does not imply endorsement of the linked site by us or by our affiliates.

Security

Security is our business! We use reasonable organizational, technical and administrative measures to protect Personal Information under our control. We also require our third-party service providers with access to Personal Information to use reasonable measures to protect the confidentiality and security of the Personal Information they maintain for us. Unfortunately, no data transmission or data storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of any account you might have with us has been compromised), please immediately notify us of the problem by contacting us in accordance with the “Contacting Us” section below.

Retention

We retain Personal Information for as long as needed or permitted in light of the purpose(s) for which it was obtained and consistent with applicable law.

The criteria used to determine our retention periods include:

  • The length of time we have an ongoing relationship with you and provide the Services to you (for example, for as long as you have an account with us or keep using the Services);
  • Whether there is a legal obligation to which we are subject (for example, certain laws require us to keep records of your transactions for a certain period of time before we can delete them); or
  • Whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations).

Cross-Border Transfers

The Services are controlled and operated by us from the United States. Your Personal Information may therefore be stored and processed in any country where we have facilities or in which we engage third party service providers, and by using the Services you understand that your information will be transferred to countries outside of your country of residence, including the United States, which may have data protection rules that are different from those of your country.  In certain circumstances, courts, law enforcement agencies, regulatory agencies or security authorities in those other countries may be entitled to access your Personal Information.

If you live in the EEA, we may transfer Personal Information to countries for which adequacy decisions have been issued (the full list of these countries is available here), use contractual protections for the transfer of Personal Information to third parties, such as an intra-company agreement that complies with the European Commission’s Standard Contractual Clauses or their equivalent under applicable law, or rely on third parties’ certification to the Swiss-U.S. Privacy Shield Framework, where applicable.

You may contact us in accordance with the “Contacting Us” section below to obtain a copy of the safeguards we use to transfer Personal Information outside of the EEA.

Updates to this Privacy Policy

We may update this Privacy Policy from time to time. Any changes to this Privacy Policy will become effective when we email you about the changes or post the revised Privacy Policy on the Site. Your use of the Site or Services following any such updates will constitute your acceptance of such updates. If we make a material change that will apply to information we had already collected, we will additionally seek your affirmative consent.

Your Privacy Choices

  • Opt-out of direct marketing: If you no longer want to receive marketing-related emails from us on a going-forward basis, you may opt out by following the “unsubscribe” instructions in the next email you receive from us. Note that you may not opt out of receiving some administrative announcements (such as changes to our policies). Please note that if you opt out of receiving marketing-related emails from us, we may still send you important administrative messages, from which you cannot opt out.

California Privacy Rights

If you are a California resident, you have the right to:

  • Request to know:
    1. Specific pieces of Personal Information we have collected about you
    2. Categories of Personal Information we have collected about you, disclosed about you for a business purpose, or sold
    3. Categories of sources from which Personal Information is collected
    4. Categories of third parties with whom we share or to whom we sell Personal Information
    5. The business or commercial purposes for collecting and selling Personal Information
  • Request deletion of Personal Information
  • Opt-out of the sale of Personal Information (Virtru does not sell Personal Information)
  • Not receive discriminatory treatment by Virtru for exercising these rights

To make a request, please call us at 1 (855) 892-7499, email us at info@virtru.com, or visit https://support.virtru.com. To verify your identity, we will generally ask you to provide certain information that we already maintain in our records. Only you, or someone legally authorized to act on your behalf, may make a request related to your Personal Information. To make a request on your behalf, an authorized agent may contact us by email with proof of your written and signed permission.

Nevada Privacy Rights

Although Virtru does not sell Personal Information, if you are a Nevada resident, you have the right to opt-out of any future sale of Personal Information we have collected or will collect. To make such a request, please email us at info@virtru.com.

European Economic Area Privacy Rights

If you are an EEA resident, you have the right to:

  • Request access to your Personal Information
  • Request rectification of your Personal Information
  • Request erasure of your Personal Information
  • Restrict or object to the processing of your Personal Information
  • Receive and transfer your Personal Information (data portability)
  • Lodge a complaint with a supervisory authority
  • Where processing of your Personal Information is based on consent, withdraw your consent at any time without affecting the lawfulness of the processing of Personal Information that occurred before you withdraw consent

To make such a request, please email us at info@virtru.com.

Contacting Us

Virtru Corporation, located at 1130 Connecticut Ave NW Suite 210, Washington, DC 20036, D.C. County, US, is the company responsible for the collection, use and disclosure of your Personal Information under this Privacy Policy.

If you have any questions about this Privacy Policy, please contact us by email at info@virtru.com, or please write to the following address: 1130 Connecticut Ave NW Suite 210 Washington, DC 20036. You may also make a complaint to your local data protection authority.