California Consumer Privacy Act Compliant Notification
The California Consumer Privacy Act of 2018 (as amended) (the, “CCPA”) provides California residents with information and access rights to Personal Information collected by businesses that meet certain criteria. TruU Inc. (the “Company”, “TruU”, “we” “us” “our”) is a business subject to CCPA.
The purpose of our Services is to prevent breaches and unauthorized access to your employer’s network, software, data, applications and physical premises (the, “Cybersecurity Purposes”). We do not offer our services direct to consumers and all information collected from you is solely used for Cybersecurity Purposes. We do not commercialize, sell, lease or otherwise transfer your information to third parties other than your employer solely for the Cybersecurity Purposes. To be clear, we collect information solely in relation to the business, employee or contractor capacity and not in any individual or consumer capacity. The type of information we collect from you varies depending upon the services requested by your employer or contracting entity and the configuration requested for identity and access. All information collected is done so in compliance with the United States National Institute of Standards and Technology for Cybersecurity and in compliance with applicable law.
Information We Collect: The type of information we collect from you varies depending upon the type and configuration of Services used by our customers in its identity and access management systems. Below is an overview of the categories of Personal Information we have collected through all customers in the past 12 months. The information collected about you may be substantially less than that listed below; and, again, the data collected is determined by your employer or contracting entity and only used for identity and access to your employer or contracting entity’s corporate property, networks, data, software and applications.
- Identifiers including name, business email address, business directory name, and, where applicable in additional services, government issued ID such as drivers license.
- Electronic Device Information including type, IP address, device type, device identifier, Operating System, cookie ID, service provider, network settings, security protections, applications, tokens and device location.
- Biometric Information At set-up of the identity and access services, we will create a biometric profile of you and then anonymize that profile through cryptography and create an alphanumeric. The biometric data collected at set-up and at varying times may include:
- the way you interact with your keyboard and mouse but not what you type;
- a digital signature of your voice that does not record what is said but rather timber, tone and cadence;
- a digital image of your face (blurring out background images) that is then translated into an alphanumeric based on measuring points of your face; and,
- mouse and keyboard interaction, live video and audio sessions provided as part of liveness detection and in accordance with United States National Institute of Standards & Technology verification (“Biometric Information”).
- We acquire information from other trusted sources. These might include companies such as your mobile phone carriers and Internet Service Provider.
- When using our Cybersecurity Services we may automatically collect or receive certain information associated with you or your network device(s), such as your computer or mobile devices, including geographical location and proximity to usual places of accessing employer networks. This includes information about your use of our Services and your interactions with your employer or contracting entity network, data and software applications. Such information may be automatically collected through your company authorized devices. The information we automatically collect may also include geolocation information, such as information that identifies the approximate location of your device and your IP address, which may be used to estimate your location. For example, if you are typically working from Santa Clara, California, and you logged into your employer network from Santa Clara at 9:00 a.m., and then at 10:00 a.m. the TruU system warns the IT administrator at your employer that an attempt was made to log in using your credentials from Asia, your information will be used to trigger deviations from the baseline personal information we collected from you and your Employer.
The Why: Purposes for Which the Information is Used
The purpose of our Services is to prevent breaches and unauthorized access to your employer or contacting entity network, software, data, applications and physical premises (the, “Cybersecurity Purposes”).
Who We Share Your Information With
The information collected by us and shared by you with us is used by us solely for the Cybersecurity Purposes. We do not share, rent or sell any of your Personal Information. Your information is only shared with your employer or contracting entity for the Cybersecurity Purpose. We only share your information with your employer or contracting entity, its authorized representatives, software applications used by you in the course of performing your duties for your Employer, Active User Directory services and federated identity service providers for access to Employer authorized networks, software, data and applications. If requested by law enforcement or pursuant to valid law enforcement process we may share your information to regulators or law enforcement. We do not provide any government with our encryption keys, the ability to break our encryption keys or unfettered access to your data. In the context of a merger, sales or asset transfer of TruU, your information may be transferred to an acquiring party in accordance with applicable law and regulations. We may share your information with third parties who perform services on our behalf and in compliance with the policies set forth herein.
Right to Access
You have the right to request a copy of the specific pieces of Personal Information that we have collected about you in the prior 12 months. You have the right to know the categories of Personal Information collected, the sources of Personal Information, commercial purposes for collecting Personal Information, categories of third parties we have disclosed your Personal Information and including for a business purpose, and categories of third parties to whom your Personal Information has been sold. As explained above and below, many of these areas are inapplicable to our services. We reserve the right to deny request that is manifestly unfourded, excessive or we have already provided the information more than twice in a twelve month rolling period.
Please note, too that by design, we have anonymized the information we have collected about you through a cryptographic exchange where we only have an alphanumeric that represents an employee or contractor and we do not have the name or anyway to identify the individual to the number. Moreover, we translate the voice and facial signatures into a numeric sequence for anonymizing the data set such that the information we store that you would receive from us will consist of letters and numbers, i.e., the alphanumerics.
Right to Be Forgotten
You have the right to request we delete all information we have about you by sending an email to biometiricdeletionrequest@truu.ai and we will work with your employer or contracting entity to ensure your information is deleted, subject to that information which we are required or advised to retain pursuant to applicable law including CCPA sec. 1798.145 Upon deletion you will not have access to your employer or contracting entity property, network, software or applications until such time as an alternate identity and access management solution is provided to you by your employer or contracting entity.
Non-Discrimination
We will not take any action against you for exercising your rights under the CCPA. However, your employer or contracting entity may require as a condition of accessing its property, network, data, software and applications, that you use our services. Your employer or contracting entity have an obligation to minimize breaches of their internal systems and can be held civilly and criminally liable for certain breaches that lead to the exposure of sensitive information. An identity and access management system that combines multiple factors to identity you as an authorized user materially and substantially reduces the potential that hackers and malicious persons acting on behalf of hostile countries cause damage and disruption and theft of IP.
Exercising Your Rights Under the CCPA
You may exercise your Rights to Know and To Be Forgotten by submitting a request to biometricdeletionrequest@truu.ai, n writing to the Corporate Address below, through our website at www.truu.ai or through our toll free number below. You may also ask any questions by submitting them to legalandprivacy@truu.ai. We will need to validate your identity prior to taking any actions and this will require interaction with your employer or the contracting entity. After making your request or inquiry we will acknowledge same within 24 hours. Within ten days of submitting your request we will take action and confirm same. If you do not receive a confirmation within 24 hours or a response within ten days, please resend to legalandprivacy@truu.ai.
We will respond to the request to confirm deletion within 45 days.
Corporate Address
TruU, Inc. attn: Legal and Compliance 2350 Mission College Blvd., Suite 780 Santa Clara, CA 95054
Toll Free Number: 1 877 214 2838
For Questions, Concerns or Legal Notices
To Request Deletion of Data or Exercise Rights in Relation Thereto:
biometricdeletionrequest@truu.ai
Copyright © 2022 TruU, Inc. All rights reserved.
