Last Updated: May 25, 2018

WHO WE ARE

This Privacy Policy applies to Sectigo Limited and its subsidiaries (collectively, “Sectigo” or “we” or “us”) and describes Sectigo’s (“our”) policies and practices that we undertake in collecting, using, and safeguarding your personal information. By “personal information”, we mean information that can be used to identify you or that we can link to you and which we have in our possession or control.

When you purchase a certificate, you are contracting with Sectigo Limited, a limited company formed under the laws of England and Wales with registered number 04058690 and registered offices at 26 Office Village, Exchange Quay, Trafford Road, 3rd Floor, Salford, Manchester, M5 3EQ, United Kingdom.

Sectigo Limited is the data controller for personal information collected and processed for purposes of issuing publicly-trusted digital certificates, and is responsible for the collection, use, disclosure, retention, and protection of your personal information in accordance with our privacy standards, this privacy policy, and applicable laws. We have appointed a data protection officer to be responsible for our privacy program. Our Data Protection Officer can be contacted at:

Attn: Data Protection Officer

Sectigo Limited

Unit 7 & 9

Listerhills, Science Park, Campus Road,

Bradford, BD7 1HR

United Kingdom

DPOfficer@sectigo.com

OVERVIEW

Sectigo values your privacy.

In providing you with access to Sectigo’s products, services, and websites (including, but not limited to, www.sectigo.com, www.instantssl.com, www.enterprisessl.com, www.positivessl.com, and ssl.sectigo.com), Sectigo collects and uses certain information about you. This Privacy Policy is meant to help you understand what information is collected from you, how we use it, and how you can protect your privacy rights.

At a glance, this Privacy Policy contains the following information:

  • What information we collect.
  • How we collect your information.
  • How we use your information.
  • What information we share.
  • What security measures we have in place to protect your information.
  • What rights and choices you have in relation to your information.

This is important to us, so we hope you take the time to read and review it carefully.

DEFINITIONS

We’ve defined the following terms, which are used throughout this Privacy Policy, to provide better clarity on what we mean:

  • Account” refers to a CCM account, an E-PKI account, an S3 account, or any other account at a Sectigo website for which you sign up and log in.
  • Baseline Requirements” refers the most recent version of the CA/B Forum’s Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, accessible here: https://cabforum.org/baseline-requirements-documents/.
  • CA/B Forum” means the Certificate Authority and Browser Forum, a consensus-driven forum of certificate authorities (like us) and browsers that promulgates industry guidelines governing the issuance and management of X.509 v.3 digital certificates, and whose website is https://cabforum.org/.
  • Cookies Policy” refers to the most recent version of our Cookies Policy, accessible here: https://sectigo.com/.
  • CPS” refers the most recent version of our Certification Practices Statement, accessible here: https://sectigo.com/legal.
  • EV Code-Signing Guidelines” means the most recent version of the CA/B Forum’s Guidelines for The Issuance And Management of Extended Validation Code Signing Certificates, accessible here: https://cabforum.org/ev-code-signing-certificate-guidelines/.
  • EV Guidelines” refers to the most recent version of the CA/B Forum’s Guidelines for the Issuance and Management of Extended Validation Certificates, accessible here: https://cabforum.org/extended-validation/.

WHAT INFORMATION WE COLLECT

INFORMATION YOU GIVE TO US

Sectigo collects personal information in accordance with industry standards mandated by the CA/B Forum (such as the Baseline Requirements and EV Guidelines) when you purchase or use Sectigo products or services or otherwise interact with Sectigo. In most instances, you provide the information directly to Sectigo, such as when you create an Account, sign up for a newsletter, subscribe to Sec’s services, use a Sectigo website, download a Sectigo product, or request further information from Sectigo.

  • When You Purchase Services or Download a Product

When you purchase Sectigo services or download a product, you will provide certain personal information. This information may include personal contact information, such as name, company name, address, phone number, and email address; billing information, such as billing name and address, credit card number, and the number of employees within the organization; or other similar information that may be necessary for us to provide you with products and services. The information that you provide shall be used for such things as setting up or administering your Account, responding to your inquiries, providing you with product updates or improvements, and managing other daily business needs, such as, for example, payment processing, account and contract management, website administration, troubleshooting, security and fraud prevention, corporate governance, reporting and legal compliance and business continuity. If Sectigo would like to process that information for any other purposes, we will first provide you with sufficient information describing such additional use.

  • When You Order a Certificate

When you order a certificate, you will be required to provide certain information depending on the certificate type (e.g. DV, OV, EV, SMIME, etc.). The exact informational requirements are listed in the CPS for your review. Certain of the submitted details will be displayed within the certificate, and, as a result, will be publicly available.

You have choices about your information, but if you choose not to provide necessary information when purchasing a product or service, or ordering a certificate, (for example, information necessary to validate a certificate), then you may not be able to get that product, service, or certificate.

INFORMATION WE COLLECT FROM YOUR USE

To enable a better experience on our websites and provide you with better functionality and features in our products and services, we collect information about your interactions with Sectigo, like the products and services that you use and how you use them. We may use technologies like cookies, browser analysis tools, or server logs to receive error reports or usage data from software running on your device or our website and applications. We may also obtain data from third parties to enhance our files and better understand our customers.

  •  Cookies

A cookie is a piece of data that websites send to your computer or other web-based devices to uniquely identify your browser or to store information or settings on your browser based on your use. Cookies allow us to identify you when you return to the Sectigo website, providing you with a streamlined and customized experience. Sectigo may employ the use of cookies to analyze trends, administer our websites, products or services, gather demographic information or to measure the success of advertising and affiliate network memberships. Sectigo’s resellers and webhosts may also use cookies; although Sectigo does not exercise any access or control of such partners’ cookies.

You can always control the use of cookies, but if you choose to disable all cookies, it may limit your use of certain functions or features on our websites, products or services.

For more information on cookies and how we use them, see our Cookies Policy.

  • Analytics Tools

Sectigo's websites use Google Analytics, which is a web analytics service provided by Google, Inc. ("Google"), to evaluate your use of the Sectigo website. Google Analytics place a third-party cookie on your computer that is then used to compile reports of visitor traffic and internet usage. Google Analytics does not have a database of individual profiles for each visitor and only collects aggregate data.

For information on how Google Analytics uses data please visit “How Google uses data when you use our partners sites or apps”, located at www.google.com/policies/privacy/partners/.

  • Log Files

Sectigo uses log files comprising of non-personally identifiable information to analyze trends, administer the site, track movements throughout the site, calculate the number of document and file downloads, and gather broad demographic information for aggregate use.

This information may include your IP address or other proxy servers you use to connect to the Internet, device and application identification numbers, your browser type, your Internet service provider (or mobile carrier), the pages and files you viewed, your operating system and system settings, and the location and time zone associated with your usage. Based on certain Internet standards, we may also collect information about the website you were visiting before and the website you visit after you leave the Sectigo website.

INFORMATION WE COLLECT AND RECEIVE FROM THIRD PARTIES

  • Information We Collect and Receive from Our Resellers and Webhosts

Sectigo has hundreds of resellers and webhosts that offer you our products and services for purchase directly from them. Sectigo enters into agreements with its resellers and webhosts containing adequate privacy safeguards and protections. When you provide information directly to these resellers or webhosts, you are providing your information subject to the privacy policies and practices of those resellers. You should make sure to review and understand those policies and practices prior to sharing your information.

For Sectigo to provide you with products and services through a reseller or webhost, that specific reseller or webhost must share your information with us. When that information is shared with us, it will be collected and used in accordance with this Privacy Policy.

For more information on Sectigo’s resellers and webhosts, please contact privacy@sectigo.com.

  • Information We Collect and Receive from Third-Party Sources

For Sectigo to properly validate some types of certificates (such as EV Certificates) in accordance with industry standards, it is necessary for Sectigo to supplement information that Sectigo receives from you or a reseller with information that it gathers from third-party sources.

As such, Sectigo may verify the information you provide us with information from independent third-party sources. The types of certificates, allowable third-party sources, and other relevant information are detailed with specificity in the CPS, the Baseline Requirements, the EV Guidelines, and the EV Code-Signing Guidelines. Information collected from these third-party sources will be used by Sectigo to validate the ordered Certificate. This is an integral aspect of the services provided by Sectigo and is required of Sectigo to validate a certificate.

Sectigo does not have any control over these third-party sources, but once Sectigo collects supplemental information from these sources, Sectigo will protect it in accordance with this Privacy Policy.

Sectigo also collects and receives certificate information from publicly available certificate transparency (CT) logs. Generally, certificates and CT logs do not contain personal information. CT logs were created in the public’s interest to support public oversight and scrutiny of the SSL certificate system. The purpose of the CT log is to provide an open auditing and monitoring system to protect users and to prevent mistaken or malicious issuance of certificates.

CHILDREN’S ONLINE PRIVACY PROTECTION ACT STATEMENT

Sectigo websites, products and services are not directed to children under the age of 16 and Sectigo does not knowingly collect personal data from children under the age of 16. If Sectigo becomes aware that a child under the age of 16 has provided personal data, Comodo will take steps to delete such information from Sectigo’s files as soon as possible.

HOW WE USE YOUR INFORMATION

Understanding how important your privacy is to you, we limit the use of your information and want you to be clear on how your information will be used. Below is an overview, identifying the information collected, the purpose for which it is collected, the initial legal basis for processing such information, and the period for which we will retain that information.

We are providing the below information about our retention periods to show you that your information is being processed with transparency. Our retention periods, however, are not fixed for all types of information and will vary for reasons such as whether the information is still necessary for the original purpose of the processing, to fulfill (or assert) our or your legal obligations (or rights), and/or to comply with applicable laws or industry requirements. As such, we reserve the right to revise such retention periods where we determine that the information is still, or is no longer, necessary for the purposes for which the information was processed.

Information Collected

Purpose of Collection

Legal Basis

Necessary Retention Period

Information you give us to setup and administer your (or your organization’s) Account (see list in section “INFORMATION YOU GIVE TO US” above).

To provide you (or your organization) with the products and services requested and to properly administer your (or your organization’s) Account, including for renewals, billing, and contract management purposes.

Our collection and use will be based on the terms and conditions of your subscriber agreement with us.

Duration of the subscriber agreement governing the Account and a period thereafter as may be necessary to assert our legal rights.

Information that you provide us to issue a certificate (see list in section “INFORMATION YOU GIVE TO US” above).

To validate and issue the certificate you ordered, and to comply with industry standards and other requirements.

Our collection, use, and retention of such information is for the legitimate interests of Sectigo and third parties, including compliance with our legal obligations and industry standards (such as the CA/B Forum’s Baseline Requirements, EV Guidelines, and EV Code Signing Guidelines), network and informational security purposes, audit purposes, and fraud prevention purposes.

Duration of the subscriber agreement governing the certificate, and for seven (7) years after the expiration or revocation of all certificates thereunder.

Information that we collect about you from our resellers (see list in section “Information we Collect and Receive from Our Resellers and Webhosts” above).

If you ordered a certificate, to validate and issue the certificate, and to comply with industry standards and other requirements.

If you order any other product or service, to provide you with the products and services that you requested and to properly administer your Account, including for renewals, billing, and contract management purposes.

Our collection, use, and retention of such information is for the legitimate interests of Sectigo and third parties, including compliance with our legal obligations and industry standards (such as the CA/B Forum’s Baseline Requirements, EV Guidelines, and EV Code Signing Guidelines), network and informational security purposes, audit purposes, and fraud prevention purposes.

Duration of the subscriber agreement governing the certificate, and for seven (7) years after the expiration or revocation of all certificates thereunder.

Information that we collect about you from our third-party sources (see list in section “Information We Collect and Receive from Third-Party Sources”, above).

To validate and issue the certificate you ordered, and to comply with industry standards and other requirements.

Our collection, use, and retention of such information is for the legitimate interests of Sectigo and third parties, including compliance with our legal obligations and industry standards (such as the CA/B Forum’s Baseline Requirements, EV Guidelines, and EV Code Signing Guidelines), network and informational security purposes, audit purposes, and fraud prevention purposes.

Duration of the subscriber agreement governing the certificate, and for seven (7) years after the expiration or revocation of all certificates thereunder.

Information contained in an issued Certificate, including information published in CT logs (generally this does not contain personal information).

To ensure (i) certificates are not used for fraud, phishing, or other malicious uses, (ii) the authenticity of issued certificates, and (iii) the integrity of issued certificates for network and informational security purposes.

Our collection, use, and retention of such information is for the legitimate interests of Sectigo and third parties, including compliance with our legal obligations and industry standards (such as the CA/B Forum’s Baseline Requirements, EV Guidelines, and EV Code Signing Guidelines), network and informational security purposes, audit purposes, and fraud prevention purposes.

There is no retention period and the information is available on the Internet indefinitely.

Information we collect from your use of Sectigo’s websites, products and services.

For security and fraud prevention, corporate governance, and for audit, legal and regulatory reporting purposes.

Sectigo has a legitimate interest in using this information to protect Sectigo’s systems, your information and the information of other Sectigo customers.

Exact durations are listed in the Cookies Policy.

Your name, email address and contact information that you provide to us when sending us an inquiry form or other communication.

Respond to you when you contact Sectigo about our products or services.

When you submit an inquire, our ability to respond to you will be based on your consent that we will obtain prior to sending you any communications.

Until you withdraw your consent.

Your name, email address and contact information that you provide to us in relation to events and other Sectigo news.

Plan, host and provide you with information about Sectigo surveys, events, or other public forums.

When we provide you with this information it will be based on your consent to receive this information, which we will obtain prior to sending you any communications.

Until you withdraw your consent.

Your name, email address and contact information that you provide to us in relation to marketing and promotional activities.

Provide marketing and promotional communications about offers, news or announcements relating to the Sectigo products and services.

When we provide you with this information it will be based on your consent to receive this information, which we will obtain prior to sending you any communications.

Until you withdraw your consent.

Information on your use of our website, collected by our use of cookies and analytics tools.

Improve the user experience of our websites, products or services that we deliver to you based on our evaluation of the information we gathered on your use of our websites.

Our use of cookies and analytics tools is set forth in our Cookies Policy. Prior to using our website, you can review and consent to the use of cookies. You can also object to or limit our use of cookies by modifying your cookie preferences.

Exact durations are listed in the Cookies Policy.

Information on your use of our website, collected by our use of cookies and analytics tools.

Analyze your use to provide you with personally relevant content and tailored advertising that we think may be of interest to you.

Our use of cookies and analytics tools is set forth in our Cookies Policy. Prior to using our website, you can review and consent to the use of cookies. You can also object to or limit our use of cookies by modifying your cookie preferences.

Exact durations are listed in the Cookies Policy.

SHARING OF INFORMATION COLLECTED

We do understand and value the sensitive nature of your information, and as such, the information provided to Sectigo will be protected by Sectigo and not sold or rented to any unrelated third parties without your consent.

There are instances, however, when Sectigo may disclose your information for such limited purposes as:

  • To its subsidiaries and business partners who have similar privacy standards and only for the purposes addressed in this Privacy Policy.
  • To our resellers or webhosts when you place your order through that reseller or webhost.
  • To our service providers or processors who are obligated under law and contract to protect your information and only use your information in accordance with our instructions.
  • As may be necessary for audit, compliance, or corporate governance functions.
  • When legally obligated to do so by law or in response to a subpoena or court order in the United Kingdom or other countries where we operate.
  • If disclosure is necessary to effectuate the sale or transfer of business assets.
  • If disclosure is required to protect the rights of Sectigo, Sectigo's customers, or the users of Sectigo's products or services.

We may also share aggregate demographic data that does not contain any personally identifiable information.

  •  Re-Targeting

Sectigo has relationships with third-party advertising companies, and permits the operation of a retargeting consumer marketing program. These third-party advertisers may place cookies on your computer for the collection of anonymous consumer information but they do not collect personal information and we do not give them personal information. This Privacy Policy does not apply to these third-party advertisers but if you would like additional information, please visit Network Advertising Initiative at www.networkadvertising.org/managing/opt_out.asp, which also allows you to opt-out of such retargeting programs.

  • Forums, Bulletin Boards, Testimonials, Chat Rooms, and Surveys

Sectigo may provide you with communication tools such as public forums, bulletin boards, testimonials, or chat rooms. Information that you post will be accessible to anyone with Internet access and may be collected, used, and read by third parties, including other users. You should always use caution when posting any of your information on a public forum as you have no privacy rights in public postings. Sectigo is not responsible for any information submitted by you through these public services.

Occasionally, Sectigo may also request information from you via surveys. Participation in these customer surveys is absolutely voluntary. If you do choose to participate, however, the survey information you provide will be used by Sectigo to improve its website and the Sectigo’s products and services.

THIRD-PARTIES AND EXTERNAL LINKS

Sectigo’s websites may contain links to external websites of Sectigo’s service providers, partners or other third-parties that have and maintain their own privacy policies and data collection, use and disclosure practices. This Privacy Policy does not apply to such Sectigo's service providers, partners or other third-parties. This Privacy Policy also does not apply to the information practices of third-party advertisers of our services, who may use cookies or other technologies to serve and offer relevant ads to you.

If you access the products, services or websites of Sectigo’s service providers, partners or other third-parties, you should review those respective privacy policies as well to understand what information is collected and how it is used by them.

INFORMATION SECURITY

Sectigo develops, implements, and maintains a comprehensive security program designed to protect its networks and to safeguard the information it collects and stores. Sectigo protects information both online and off-line. Below are some of the many measures that Sectigo implements:

  • Transmission of information, including any payment information, is encrypted and protected using TLS/SSL technology.
  • Stored customer information is kept in a secure environment where access is restricted to employees who need the information to perform a specific job (for example, billing administration or the development team).
  • Employees are required to use password-protected screen-savers and keep their computers up-to-date.
  • Implementing detection and prevention controls to guard against viruses and malicious software.
  • Security procedures are audited in accordance with the AICPA/CICA WebTrust for Certification Authorities Principles and Criteria, the results of which are available here:
  • https://cert.webtrust.org/ViewSeal?id=2270
  • https://cert.webtrust.org/ViewSeal?id=2272
  • https://cert.webtrust.org/ViewSeal?id=2273
  • https://cert.webtrust.org/ViewSeal?id=2274

You can find more information and details on how Sectigo protects your information in the CPS.

INTERNATIONAL TRANSFER OF INFORMATION

Sectigo Limited is incorporated in the United Kingdom, with global offices and subsidiaries. In order to be able to provide worldwide access to you, your data may be accessed by or transferred to servers located outside of Europe. We will always protect your privacy and this Privacy Policy shall apply no matter where your information is transferred to in the world.

If your data is transferred to a server outside of Europe, we will ensure that it is protected and transferred in a manner consistent with legal requirements and applicable laws. Information can be transferred outside Europe in a number of ways. Examples include: the country to which we send your information may be approved by the European Commission, the recipient may have signed a contract based on the “model contractual clauses” approved by the European Commission, obliging them to protect your information, or where the recipient is located in the US, it may be a certified member of the EU-US Privacy Shield framework. In other circumstances, the law may permit us to otherwise transfer your information outside Europe. In all cases, any transfer of your information will be compliant with applicable data protection law.

You can obtain more details of the protection given to your information when it is transferred outside Europe (including a sample of the model contractual clauses) by contacting us at the mailing address or email address below.

YOUR RIGHTS TO YOUR INFORMATION

The law affords you certain rights when it comes to your information and we want to make sure you understand those rights. You have the right to:

  • Request access to your information
  • Request corrections to your information
  • Request that your information be erased
  • Request that the processing of your information be restricted
  • Object to the processing of your information
  • Request return of your information

Although you have these rights, please understand that these rights are not absolute. There may be instances where we may not be able to comply with your request or objection based on our legitimate interests.

If your information or certificate specific information needs to be updated, you can request that certain changes be made by logging into your Account. For any other requests, you can also contact us via email at privacy@sectigo.com.

If you feel that the processing of your information is unlawful or violates this Privacy Policy please let us know immediately. We will work diligently to address your concerns and resolve any concerns that you may have. If you further feel that we have violated on your rights as stated in the General Data Protection Regulation (GDPR), then you also have the right lodge a complaint with a supervisory authority. We will work with the appropriate supervisory authority to promptly resolve such complaints.

YOUR CHOICES AND COMMUNICATION PREFERENCES

You always have rights to the collection, use, or disclosure of your information. Remember, however, in certain cases, if you do restrict or object to the use of your information, then certain products or services that require that information may not be provided to you.

You can also limit the communications that we send to you. Customers may occasionally receive information on products, services, and special deals from Sectigo or may receive informational newsletters. Customers are given the opportunity to 'opt-in' to receiving these promotional communications at the time their information is collected. You may “opt-out” of receiving these promotional communications using the opt-out link provided in each promotional email or by emailing optout@sectigo.com.

Even if you opt-out of promotional communications, we will still need to contact you with important administrative and transactional information about your Account and your use of the Sectigo products and services. For example, we may contact you about new release or feature updates or with important security information about the products or services.

PROCESSING AND CUSTOMER CONSENT

Your information will be collected, used and processed for the purposes set forth in this Privacy Policy. If we would like to collect, use, or process your information for any unrelated purposes that are not disclosed in this Privacy Policy, we will first ask for your consent. You are free to withdraw this consent at any time by using the opt-out link or by emailing optout@sectigo.com.

CERTIFICATE REVOCATION & EXPIRY

Access to all issued certificates is provided through Sectigo’s public repository. Because of the nature of the services provided, there may be circumstances under which a certificate is revoked. Furthermore, certificates have a finite lifetime and will expire.

Despite the finite nature of certificates, Sectigo still provides public access to both revoked and expired certificates for network and informational security purposes, audit purposes, and fraud prevention purposes. Such certificates are flagged as revoked or expired within the repository.

AMENDMENTS TO THIS PRIVACY POLICY

Sectigo reserves the right to amend this Privacy Policy at any time. If we make a material change to this Privacy Policy, or materially change the way we use or disclose your previously collected information, we will notify you by sending you an email to the primary point of contact we have on file or by posting the changes to the Sectigo website for at least 30 days before the change takes effect.

HAVE QUESTIONS OR WANT TO CONTACT US?

Any questions that you may have about this Privacy Policy may be submitted by email to privacy@sectigo.com. We understand and value your privacy and are committed to respond as soon as reasonably possible. You mail also contact us by mail at the following locations:

MANCHESTER, UK OFFICES

Sectigo Limited

26 Office Village, Exchange Quay, Trafford Road

3rd Floor

Salford, Manchester

M5 3EQ

United Kingdom

BRADFORD, UK OFFICES

Sectigo Limited

Unit 7 & 9

Listerhills, Science Park, Campus Road,

Bradford, BD7 1HR

United Kingdom

US OFFICES

Comodo CA, Inc.

5 Becker Farm Road

Roseland, NJ 07068

United States

CANADIAN OFFICES

Comodo CA (Canada) Ltd.

300 March Road

Suite 501

Kanata, ON K2K 2E2

Canada