Privacy Policy - 2FAS. Two Factor Authentication Service, Inc.

Privacy Policy

  1. Who We Are. Two Factor Authentication Service, Inc. (“2FAS”) provides TOTP tokens for Users to use as secondary login authentication on any website that supports TOTP two-factor authentication tokens. We are a registered Delaware corporation, with a registered office at 16192 Coastal Highway, Lewes, DE 19958 and a mailing address at 340 S. Lemon Avenue #2130, Walnut, CA 91789.
  2. Our Commitment to Your Privacy. Two Factor Authentication Service, Inc. , (“we”, “our”, “us”, or “2FAS”) is committed to protecting your privacy. The term “you”, “your”, and “User” is used to refer to individuals and business entities that use all pages associated with our Site and 2FAS Mobile Application. This Privacy Policy sets forth how we use and protect Personal Information that you give when you sign up for the 2FAS Services under the Terms of Service, use the pages associated with our Site, or use the 2FAS Mobile Application. By using our Site or 2FAS Mobile Application, you agree to this Privacy Policy.
  3. Scope of this Privacy Policy. You recognize that this Privacy Policy does not apply to any data, including Personal Information, that you may give to, or store in the, websites and mobile applications that you access using 2FAS’s TOTP solution. We provide TOTP tokens solely for the purpose of providing you with a secure manner of accessing your online accounts. 2FAS has posted additional privacy provisions that apply to residents of California and the European Economic Area (EEA).
  4. Consent to Changes. We reserve the right, in our sole discretion, to change, modify, add, or remove portions of this Privacy Policy at any time, without prior notice to you. All revisions will be posted on this page. Please check the Effective Date of the Privacy Policy for the most recent version. Please review this Privacy Policy for changes. Your continued use of the pages associated with this website constitutes your acceptance of any changes. Notwithstanding the foregoing, we will endeavor to notify those Users who have provided us with an email address via email when a new version of this Privacy Policy goes into effect.
  5. Definitions.
    1. Account means your access to the 2FAS API, 2FAS Plugin, and/or 2FAS Vault Services. When you create an Account, you will be asked to provide your email address. You must use true, accurate, current, and complete information to create and maintain your Account.
    2. Device means the mobile device (phone, tablet, and the like) that you use to download and use the 2FAS Services.
    3. Master Password means the set of words randomly generated which allows you to access the backup solution provided by 2FAS Vault. The Master Password is only generated one time, you must write down the set of words given to you in order to use it to login to your 2FAS Vault Account.
    4. Mobile Application means the 2FAS Mobile Application that allows Users to generate TOTP tokens for any website or other application that supports TOTP two-factor authentication tokens.
    5. Personal Information means information that identifies or can be reasonably linked to you or someone in your household. This includes, but is not limited to: name, social security number, email address, home address, geolocation, biometric data, internet browsing history, and records of Services purchased from us.
    6. PIN means the Personal Identification Number you can set in order to open the 2FAS Mobile Application on your Device. The PIN can be 4 or 6 digits long.
    7. Privacy Policy means this document, which includes California specific provisions and GDPR specific provisions.
    8. 2FAS Services or Services means all products and services that 2FAS currently provides or may provide in the future.
    9. Site means all webpages and 2FAS Mobile Application screens associated with the Services provided by 2FAS.
    10. Terms of Service means the document that you agreed to be bound to when you downloaded 2FAS’s Mobile Application, created an Account, and/or signed up for 2FAS API, 2FAS Plugin, or 2FAS Vault Services. The most recent version of the Terms of Service can be found here.
  6. Information Collected. As part of our commitment to your privacy, we work to reduce the amount of Personal Information that we collect and store about our Users. However, you recognize that in order to provide the 2FAS Services, we must collect and store certain Personal Information about you. By using the 2FAS Services and agreeing to this Privacy Policy, you grant us consent to use and store such Personal Information about you. In accordance with the terms and conditions of our Terms of Service, we collect and store the following Personal Information about our Users:
    1. Device ID (including brand, model, unique ID, operating system info, and storage state)
    2. Email address (for Users of 2FAS API, 2FAS Plugin, and 2FAS Vault Services)
    3. Phone number, if provided by you
    4. Cookies and analytics
  7. Collection Purpose. We collect Personal Information about you for a variety of reasons.
    1. Unless you use 2FAS’s API, 2FAS Plugin, or 2FAS Vault Services or visit our website, we do not collect any Personal Information.
    2. For Users that use 2FAS’s API, 2FAS Plugin, or 2FAS Vault Service, we collect the limited Personal Information listed above in order to provide the 2FAS API, 2FAS Plugin, and 2FAS Vault Services to you. In order to create a 2FAS API, 2FAS Plugin, or 2FAS Vault Account, you must provide us with an email address. In order for you to use 2FAS Services and receive TOTP tokens, we must have access to your Device ID. In order to receive push notifications from the 2FAS Mobile Application, you must provide us with your Device ID. In order to receive SMS or Phone Calls for authentication purposes, you must create a 2FAS API Account and provide us with your mobile telephone number. In order to use the 2FAS Vault Service, you must provide us with your email address.
    3. We collect Personal Information to detect and prevent fraud and security breaches.
    4. We collect Personal Information to improve the 2FAS Services and provide customer support. This may include detecting technical issues, maintaining Services, improving Services through the use of analytics, and conducting research and reviewing analytics to improve current Services and develop new Services.
    5. We collect Personal Information to comply with applicable laws and assert and defend claims brought against us.
    6. We do not use your Personal Information for purposes that are not in the spirit of the original collection purpose. If we begin to use your Personal Information for additional reasons, we will modify this Privacy Policy and notify you accordingly.
  8. How we use the Personal Information that we collect about you. We only use the Personal Information you provide for the reasons listed above. We do not and will never sell, trade, or otherwise transfer your Personal Information to an unrelated third party for marketing, advertising, or other uses. We do share your Personal Information with third parties in order to provide the 2FAS Services, including but not limited to include login credentialing, 2FAS Mobile Application push notifications, payment processors, email processing, and SMS and Phone Call notifications for TOTP authentication, and security and fraud prevention. You can read more about the Personal Information that we share with third parties in Section 13.
  9. Cookies, Analytics, Etc.
    1. In addition to Personal Information, we collect information about your visit to our Site and use of our Services. This data may be entered voluntarily or collected passively. We use this information to operate, provide, and improve our Services and monitor for fraud and security breaches. You can change the settings on your computer, tablet, or mobile Device to disable certain passive tracking data.
    2. Cookies. Our Site uses cookies to track the pages that you visit and the links that you click. A cookie is a very small text document, which often includes an anonymous unique identifier. When you visit a website on your computer, tablet, or smart phone, that site’s computer asks your computer for permission to store this file in a part of your hard drive specifically designated for cookies. Each website can send its own cookie to your browser if your browser’s preferences allow it, however, to protect your privacy, your browser only permits a website to access the cookies it has already sent to you, not the cookies sent to you by other sites. Information is compiled in an aggregate manner and used for marketing and analytics purposes.
    3. Analytics. Analytics allow us to understand how and why Users use our Services, Site, and the 2FAS Mobile Application. Understanding how and why allows us to tailor and improve our Services to better serve our Users’ needs.
    4. What analytics we use. We use Google Analytics, Cloudflare, and Facebook Pixel to understand our Users’ how and why. You can read more about Google Analytics here (https://policies.google.com/technologies/partner-sites), Cloudflare here (https://support.cloudflare.com/hc/en-us/articles/205177068-How-does-Cloudflare-work-), and Facebook Pixel here (https://www.facebook.com/business/learn/lessons/overview-of-how-facebook-pixels-work, https://www.facebook.com/policies/cookies/, https://www.facebook.com/about/privacy/, https://www.facebook.com/about/basics, https://www.facebook.com/legal/terms/businesstools).
    5. Social Media – 2FAS is currently active on Facebook and Twitter. If you visit our pages or use the “share” buttons on Facebook and Twitter, these features may collect your IP address, track which of our Site pages you visit, and set a cookie which enables the feature to work properly. You can opt out of your information being gathered by disabling cookies on your browser.
    6. How to opt-out on your end. If you do not want cookies, analytics, or pixels to be collected about you, please disable cookies on your web and mobile browsers. In addition, follow the instructions given on Facebook’s Cookies and Privacy page for how to disable Facebook Pixels from tracking your activity on Facebook.
  10. Opt-Out.
    1. Right to opt-out of sale of your Personal Information. We do not and will never sell, trade, or otherwise transfer your Personal Information to an unrelated third party for marketing, advertising, or other uses.
  11. Deletion. You have the right to request that we delete the Personal Information we have gathered on you. However, if any of the Personal Information is required in order to provide you with 2FAS Services, then you will not be able to access your Account or 2FAS Services if we delete your Personal Information. Please read the Section 7 above to learn about what Personal Information is required for us to provide you the 2FAS Services.
  12. Children’s Privacy. 2FAS is committed to the privacy and security of Personal Information relating to children. For this reason, the Services provided by us are not to be used by anyone under the age of 16. If we discover that you are under the age of 16, we reserve the right to cancel your Account and remove your access to all Services. By agreeing to this Privacy Policy and using the Services, you represent that you are over the age of 16.
  13. Sharing Information with Third Parties. We do not and will never sell, trade, or otherwise transfer your Personal Information to an unrelated third party for marketing, advertising, or other uses. Unrelated third parties do not include those that assist us in performing the 2FAS Services (including but not limited to include login credentialing, 2FAS Mobile Application push notifications, payment processors, email processing, and SMS and Phone Call notifications for TOTP authentication, and security and fraud prevention). We may release your Personal Information when it is appropriate to comply with the law, enforce this Privacy Policy, assert and defend claims brought against us, or protect its or others’ rights, property, or safety.
  14. Links to Other Websites. 2FAS’s Site and the 2FAS Mobile Application may contain links to other websites which are of interest to our Users. In addition, the 2FAS API is available on third party websites. These third party websites have separate and independent privacy policies. 2FAS has no responsibility or liability for the content or activities of the websites accessible via the links and it is your responsibility to review and comply with any applicable privacy policy. 2FAS is not responsible for and does not endorse any third party website.
  15. Contact Us. You may contact us via email at [email protected] with the subject line “Privacy Policy” and a description of your question, issue, or deletion request in the body of the email.
  16. Notice. Notices under this Privacy Policy may be posted to our Site and sent via email to Users who have provided us with an email address.
California Consumer Privacy Act Compliance Supplement
  1. Application. Who does the CCPA applies to?
    1. The California Consumer Privacy Act of 2018 (“CCPA”) only applies to residents of California. A “resident” is natural person who resides in California.
  2. Definitions.
    1. Account means your access to the 2FAS API, 2FAS Plugin, and/or 2FAS Vault Services. When you create an Account, you will be asked to provide your email address. You must use true, accurate, current, and complete information to create and maintain your Account.
    2. Device means the mobile device (phone, tablet, and the like) that you use to register your 2FAS Account.
    3. Master Password means the set of words randomly generated which allows you to access the backup solution provided by 2FAS Vault. The Master Password is only generated one time, you must write down the set of words given to you in order to use it to login to your 2FAS Vault Account.
    4. 2FAS Mobile Application means the 2FAS mobile application that allows Users to generate TOTP tokens for any website or other application that supports TOTP two-factor authentication tokens.
    5. Personal Information means information that identifies or can be reasonably linked to you or someone in your household. This includes, but is not limited to: name, social security number, email address, home address, geolocation, biometric data, internet browsing history, and records of Services purchased from us.
    6. PIN means the Personal Identification Number you can set in order to open the 2FAS Mobile Application on your Device. The PIN can be 4 or 6 digits long.
    7. Privacy Policy means 2FAS’s privacy policy document, which includes GDPR specific provisions and the California specific provisions of this supplement.
    8. 2FAS Services or Services means all products and services that 2FAS currently provides or may provide in the future.
    9. Site means all webpages and 2FAS Mobile Application screens associated with the Services provided by 2FAS.
    10. Terms of Service means the document that you agreed to be bound to when you created an Account and signed up for Services. The most recent version of the Terms of Service can be found here
  3. Notice at Collection. We are providing you this Notice at Collection in compliance with the CCPA. You must read and accept this Notice at Collection prior to submitting any Personal Information to us as part of creating your Account and signing up for the 2FAS Services.
  4. Right to Know. As a California resident, you have the Right to Know certain information regarding the Personal Information that we gather about you. We will respond to your Right to Know request within forty-five (45) calendar days. If we are unable to process your request within forty-five (45) calendar days, then we will inform you that we have extended the deadline for an additional forty-five (45) days. As part of our process for answering your Right to Know request, we will need to ask you additional information in order to verify that you are actually the person you claim to be. We will only use this requested information as part of our verification process and not for any other reason.
    1. We collect the following Personal Information:
      1. Categories of Personal Information collected
        1. Device ID
        2. Contact Information (for Users of 2FAS API, 2FAS Plugin, and 2FAS Vault Services)
        3. Account Information (for Users of 2FAS API, 2FAS Plugin, and 2FAS Vault Services)
      2. Specific pieces of Personal Information collected
        1. Device ID
          1. Brand
          2. Model
          3. Unique ID
          4. Operating system info
          5. Storage state
          6. IP address (for Users of 2FAS API, 2FAS Plugin, and 2FAS Vault Services)
        2. Contact Information (for Users of 2FAS API, 2FAS Plugin, and 2FAS Vault Services)
          1. Email address
          2. Phone number, if provided by you to receive SMS and Phone Call notifications
        3. Account Information (for Users of 2FAS API, 2FAS Plugin, and Vault Services)
          1. Email address
      3. Categories of sources from which we collect your Personal Information
        1. You provide us your Contact Information upon sign up for 2FAS API, 2FAS Plugin, and/or 2FAS Vault Services.
        2. You provide us with your Account Information upon sign up for 2FAS API, 2FAS Plugin, and/or 2FAS Vault Services.
        3. Once you download the 2FAS Mobile Application and begin to use the 2FAS Services, the 2FAS Mobile Application will record your Device ID.
      4. Purpose for which we collect your Personal Information
        1. We collect the Personal Information listed above in order to provide Services to you. In order to create a 2FAS API, 2FAS Plugin, or 2FAS Vault Account, you must provide us with an email address. In order for you to use 2FAS Services and receive TOTP tokens, we must have access to your Device ID. In order to receive push notifications from the 2FAS Mobile Application, you must provide us access to your Device ID. In order to receive SMS or Phone Calls for authentication purposes, you must create an 2FAS API account and provide us with your mobile telephone number. In order to use the 2FAS Vault Service, you must provide us with your email address.
      5. Categories of third parties with whom we share your Personal Information
        1. We may share your Personal Information with third parties in order to provide 2FAS Services, including sending emails, sending SMS, making Phone Calls, allowing you to login to the 2FAS Mobile Application, sending emails, protecting against security threats and vulnerabilities, and processing payment for SMS and Phone Call notifications. These third parties include login credentialing, 2FAS Mobile Application push notifications, payment processors, email processing, and SMS and Phone Call notifications for TOTP authentication.
      6. Categories of Personal Information that we share, sell, or disclose to third parties
        1. We do not and will never sell, trade, or otherwise transfer your Personal Information to an unrelated third party for marketing, advertising, or other uses.
        2. Unrelated third parties do not include those that assist us in performing our Services (including but not limited to include login credentialing, 2FAS Mobile Application push notifications, payment processors, email processing, SMS and Phone Call notifications for TOTP authentication, and security and fraud prevention).
        3. We may release your Personal Information when it is appropriate to comply with the law, enforce this Privacy Policy, or protect ours or others’ rights, property, or safety.
    2. Procedure for requesting your Personal Information:
      1. You may contact us via email at [email protected] with the subject line “CCPA Right to Know” and a description of the Personal Information that you are requesting in the body of the email.
    3. We may refuse to disclose your Personal Information if:
      1. We cannot verify your request.
      2. Your request is manifestly unfounded or excessive.
      3. If we have already provided you with the requested Personal Information more than two times in the prior 12-month period.
      4. You request that we disclose Personal Information that is your social security number, financial account number, account password, Master Password, or PIN. This information cannot be disclosed in a Request to Know under the CCPA, in addition, 2FAS does not collect any of this information from Users.
  5. Right to Delete. As a California resident, you have the Right to Delete certain Personal Information that we gather about you. We will respond to your Right to Delete request within forty-five (45) calendar days. If we are unable to process your request within forty-five (45) calendar days, then we will inform you that we have extended the deadline for an additional forty-five (45) days. As part of our process for answering your Right to Delete request, we will need to ask you additional information in order to verify that you are actually the person you claim to be. We will only use this requested information as part of our verification process and not for any other reason.
    1. Procedure to request your Personal Information be deleted:
      1. You may contact us via email at [email protected] with the subject line “CCPA Right to Delete” and a description of the Personal Information that you are requesting in the body of the email.
    2. In some cases, we may not be able to delete the Personal Information that you request and still provide you Services under the Terms of Service. For example, in order to create a 2FAS API, 2FAS Plugin, or 2FAS Vault Account, you must provide us with an email address. In order for you to use 2FAS Services and receive TOTP tokens, we must have access to your Device ID. In order to receive push notifications from the 2FAS Mobile Application, you must provide us access to your Device ID. In order to receive SMS or Phone Calls for authentication purposes, you must create a 2FAS API Account and provide us with your mobile telephone number. In order to use the 2FAS Vault Service, you must provide us with your email address.
  6. Right to Opt-Out. As a California resident, you have the Right to “Opt-Out” from a business’s practice of selling your Personal Information. 2FAS has the policy of not selling, trading, or otherwise transferring your Personal Information to an unrelated third party for marketing, advertising, or other uses. If our policy changes in the future, we will notify you prior to selling, trading, or otherwise transferring your Personal Information to an unrelated third party for marketing, advertising, or other uses and obtain your consent for such practices. At such a time, this Privacy Policy will be updated to outline the procedure for opting out of such sale, trade, or transfer.
  7. Right to Non-Discrimination. We will not discriminate against you based on your exercise of your rights under the CCPA. However, if we are unable to process your CCPA request and continue to provide you 2FAS Service under the Terms of Service, then you may no longer be able to receive 2FAS Service under the Terms of Service.
  8. No Sale. 2FAS has not sold California residents’ Personal Information over the past 12-month time frame and do not intend to do so. This includes the Personal Information of children under the age of sixteen (16).
  9. Data Breaches. In accordance with California Civ. Code s. 1798.82(a), we will notify you if your unencrypted Personal Information was, or we have reason to believe has been, acquired by an unauthorized person. In addition, we will notify you if your encrypted Personal Information was, or we have reason to believe has been, acquired by an unauthorized person and the encryption key was, or we have reason to believe has been, acquired by an unauthorized person and we have reason to believe that the encryption key could be used to make your Personal Information readable or usable. Such notification may be posted to our Site and sent via email to Users who have provided us with an email address. It will be titled “Notice of Data Breach”, and it will include:
    1. What Happened
    2. What Personal Information was Involved
    3. What We Are Doing
    4. What You Can Do
    5. Where to go For More Information
  10. Contact Us.
    1. You may contact us via email at [email protected] with the subject line “CCPA Privacy Policy” and a description of your question, issue, or deletion request in the body of the email.
  11. Notice. Notices under this Privacy Policy may be posted to our Site and sent via email to Users who have provided us with an email address.
General Data Protection Regulation of the European Union Compliance Supplement
  1. Application. Who does the GDPR applies to?
    1. The General Data Protection Regulations of the European Union (“GDPR”) applies to residents and citizens of countries in the European Union. A “resident” is natural person who resides in a European Union Country.
  2. Definitions.
    1. Account means your access to the 2FAS API, 2FAS Plugin, and/or 2FAS Vault Services. When you create an Account, you will be asked to provide your email address. You must use true, accurate, current, and complete information to create and maintain your Account.
    2. Device means the mobile device (phone, tablet, and the like) that you use to register your 2FAS Account.
    3. Master Password the set of words randomly generated which allows you to access the backup solution provided by 2FAS Vault. The Master Password is only generated one time, you must write down the set of words given to you in order to use it to login to your 2FAS Vault Account.
    4. Mobile Application means the 2FAS mobile application that allows Users to generate TOTP tokens for any website or other application that supports TOTP two-factor authentication tokens.
    5. Personal Data means information that relates to a living, identifiable person such a name, email address, IP address, physical features, political affiliation, etc. or a combination of information that when put together can be used to identify the person.
    6. PIN means the Personal Identification Number you can set in order to open the 2FAS Mobile Application on your Device. The PIN can be 4 or 6 digits long.
    7. Privacy Policy means 2FAS’s privacy policy document, which includes California specific provisions and the GDPR specific provisions of this supplement.
    8. 2FAS Services or Services means all products and services that 2FAS currently provides or may provide in the future.
    9. Site means all webpages and the 2FAS Mobile Application screens associated with the Services provided by 2FAS.
    10. Terms of Service means the document that you agreed to be bound to when you created an Account and signed up for 2FAS Services. The most recent version of the Terms of Service can be found here
  3. Who We Are.
    1. Two Factor Authentication Service, Inc. (“2FAS”) provides TOTP tokens for Users to use as secondary login authentication on any website that supports two-factor authentication. We are a registered Delaware corporation, with a registered office at 16192 Coastal Highway, Lewes, DE 19958 and a mailing address at 340 S. Lemon Avenue #2130, Walnut, CA 91789. You can contact us via email at [email protected] with the subject line “GDPR.”
  4. What Personal Data We Collect. 2FAS takes the security of your Personal Data seriously. To that end, we minimize the Personal Data that we collect about you and are transparent in how it is processed and used. 2FAS collects minimal to no Personal Data for Users who only download and use the 2FAS Mobile Application. For 2FAS API, 2FAS Plugin, and 2FAS Vault Users, 2FAS collects your Personal Data in order to manage your Account and provide Service to you according to the Terms of Service. You recognize and agree that in order for 2FAS to provide you 2FAS Service under the Terms of Service, you must grant us consent to use and process the Personal Data that we request at sign-up. Processing the requested Personal Data is necessary for us to perform Services under the Terms of Service. The requested Personal Information includes:
    1. Device ID
      1. Brand
      2. Model
      3. Unique ID
      4. Operating system info
      5. Storage state
      6. IP address (for Users of 2FAS API, 2FAS Plugin, and 2FAS Vault Services)
    2. Contact Information
      1. Email address for Users of 2FAS API, 2FAS Plugin, and 2FAS Vault Services
      2. Phone number, for Users of 2FAS API and 2FAS Plugin Services and only if provided by you to receive SMS and Phone Call notifications
    3. Account Information
      1. Email address (for Users of 2FAS API, 2FAS Plugin, and 2FAS Vault Services)
    4. Security Analytics
      1. Cloudflare Analytics. We use security analytics provided by Cloudflare to detect and prevent security attacks.
      If you fail to provide such Personal Data or request that we delete such Personal Data, we will be unable to provide you 2FAS Service under the Terms of Service and your access to the 2FAS Service will be cancelled pursuant to the Terms of Service. In addition, we may in the future email you with special offers on other products or 2FAS Services that we think may be of value to you. If you have agreed to receive marketing emails, you may always opt out in the future by clicking the “Unsubscribe” button at the bottom of a marketing email to be removed from our direct marketing list.
    5. Analytic Data. In addition to the Personal Data that is required to provide 2FAS Services, we collect cookies, Google Analytics, and Facebook Pixels for the legitimate interest of improving and providing the 2FAS Services. We retain and analyze this information to evaluate how you, and other Users, move around our Site and the 2FAS Mobile Applications. This helps us to understand how our Site and the 2FAS Mobile Applications are used so that we can continually provide improved Services.
  5. How we use your Personal Data. We use your Personal Data for the following reasons:
    1. To administer your Account and provide 2FAS Services to you.
    2. To verify your identity when you login to use the Services.
    3. To personalize the advertisements that you see on our Site and the 2FAS Mobile Application.
    4. To personalize the advertisements that you see on other websites.
    5. To improve the Services and conduct market research on potential new Services.
    6. To inform you about products, Services, and promotional offers that you might find interesting, if you have opted into these types of communications.
    7. To send you emails, SMS notifications, or Phone Call notifications about login attempts and issues with your Account.
  6. How We Collect Your Personal Data. You provide us with Personal Data directly when you register for an Account. In addition, we collect and process data when you view or use our Site via your web browser’s cookies.
  7. Who receives the Personal Data. The Personal Data that you provide will be shared with our third party providers when sharing such information is necessary for the third parties to provide portions of the 2FAS Services to you. These third party providers include those that assist us in performing the 2FAS Services (including but not limited to include login credentialing, 2FAS Mobile Application push notifications, payment processors, email processing, and SMS and Phone Call notifications for TOTP authentication, and security and fraud prevention). In addition, we will release your Personal Data when it is required to comply with the law, enforce this Privacy Policy, or protect ours or others’ rights, property, or safety.
  8. No Sale. We do not and will never sell, trade, or otherwise transfer your Personal Information to an unrelated third party for marketing, advertising, or other uses.
  9. Who can access the Personal Data. Your Personal Data can only be accessed by 2FAS employees, contractors, and third parties who have a legitimate interest in processing the Personal Data.
  10. How We Store Your Personal Data. We store your Personal Data on a secure Amazon Web Services cloud located In the United States. All Personal Data is encrypted using industry standard encryption methods. We will update this GDPR Supplement if we change the location of your Personal Data.
  11. How Long We Store Your Personal Data. We will store your Personal Data as long as you have an active Account and use the 2FAS Services. After you cancel your Services and delete your Account, we will delete all your Personal Data within 7 days. However, we will maintain all records of payment and invoices for the period of time required by applicable governmental and regulatory bodies.
  12. Data transfer outside of the EU. We may transfer and store your Personal Data in countries other than the country in which the Personal Data was originally collected. These countries may be outside of the European Economic Area (“EEA”). These countries may not have the same data protection laws as the country in which you reside or provide the Personal Data. If your Personal Data is transferred, we will protect your Personal Data as described in this Privacy Policy and comply with applicable legal requirements for transferring Personal Data outside of the EEA. If you reside in the EEA, we will only transfer your Personal Data if:
    1. The country to which the Personal Data is being transferred to has been granted a European Commission adequacy decision;
    2. The recipient of the Personal Data is located in the US and has certified to the US-EU Privacy Shield Framework or its successor frameworks; OR
    3. We have put in place appropriate safeguards for the transfer.
  13. Children under 16. Pursuant to Article 8 of GDPR, children under the age of 16 are not allowed to give us consent to use and process their Personal Data. Therefore, if you are under the age of 16, you cannot consent to this Privacy Policy or the Terms of Service. If we discover that you are under the age of 16, your consent will be revoked and your license to use the 2FAS Service under the Terms of Service will be cancelled effective immediately.
  14. GDPR Rights.
    1. Pursuant to Article 15 of GDPR, you have the right to obtain from 2FAS confirmation as to whether your Personal Data is being processed. If we are processing your Personal Data, you have the right to know the purposes of the processing, the categories of your Personal Data being processed, who the recipients of your Personal Data, and how long we believe your Personal Data will be stored for. We will respond to your request within thirty (30) calendar days. We will provide this information to you in a machine-readable format. We may charge you a small fee to provide this information.
    2. Pursuant to Article 16 of GDPR, you have the right to request that we correct any of your Personal Data that is incorrect or incomplete. We will endeavor to correct and/or complete your Personal Data within thirty (30) calendar days of your request.
    3. Pursuant to Article 17 of GDPR, you have the right to request that we erase your Personal Data when the Personal Data is no longer necessary for the purpose for which it was collected and processed, there is no legal grounds for processing, there is no overriding legitimate interest for us to process your Personal Data, your Personal Data has been unlawfully processed, or we have been compelled to comply with a legal obligation from a country in the European Union or Member States. We will respond to your request within thirty (30) calendar days.
    4. Pursuant to Article 18 of GDPR, you have the right to require us to restrict processing your Personal Data when you are contesting the accuracy of your Personal Data, the processing is unlawful, we no longer need your Personal Data but are storing it for the establishment, exercise, or defense of legal claims, or you are exercising your right to object to processing under Article 21 of the GDPR.
  15. Complaints. If you are not satisfied with how we have handled your Personal Data, please contact us at [email protected] with the subject line “GDPR Complaint” and a summary of your issue(s) in the body of the email. You also have the right to lodge a complaint with the supervisory authority of the EU/EEA country in which you reside or are a citizen of.
  16. Changes. We reserve the right, in our sole discretion, to change, modify, add, or remove portions of this Privacy Policy GDPR Supplement any time, without prior notice to you. All revisions will be posted on this page. Please check the Effective Date of the Privacy Policy for the most recent version. Please review this Privacy Policy for changes. Your continued use of the pages associated with this website constitutes your acceptance of any changes. Notwithstanding the foregoing, we will endeavor to notify those Users who have provided us with an email address via email when a new version of this Privacy Policy goes into effect.