Awareness Platform is an online platform on which we, i5 B.V., offer various services. While doing so, we collect and process personal data. With this privacy statement we would like to inform you of what data we collect, how we do this (directly or indirectly), why we do this (for which goals), based on which legal grounds and how we continue to handle your data when you use the platform.

We collect the personal information that you or your organization provides to us by filling out this information on our platform or by providing it as a file to us.

When you can log in to our platform, you are a user of the platform. We need at least the first and last name and e-mail address of users. Every user automatically gets a unique username assigned by our software. When using our platform, we process the names, user names, e-mail addresses, IP addresses and user activities. When you participate in an e-learning, we also process your progress and the results of tests and examinations.

When your organization carries out a phishing test, the administrator of your organization will provide your name and e-mail address to us. We use this information to send you a phishing e-mail. During the phishing test, we also keep track of the actions you have carried out.

Do you represent an organization? Then we not only collect your name and e-mail address as contact person, but also the name, address and Chamber of Commerce number of the organization you work for, business payment details and any correspondence.

We do not collect and obtain special personal data. We also do not collect data about you from third parties, except for the data provided by your organization.

We use the collected data for three specific goals. Those goals are:
1. the provision of services via our platform
2. the (technical) maintenance and improvement of our platform
3. regular business operations

Below we explain which data we can process for each goal. We do not use personal data to create profiles and we do not use online behavioral advertising (showing personalized advertisements based on information from cookies).

1. Providing services via our platform

When you use our platform, we process your username or e-mail address for providing access to the various services.

When you participate in an e-learning course, we collect information about your progress and test and exam results. The administrators of your organization have access to statistics and reports. Here you can see, for example, which participants have completed the course on which date and time, and what their result was.

If you have been listed by your organization for a phishing test, the administrators of your organization can see on what date and time you performed actions that are part of the phishing test. Think of clicking on a link in a phishing e-mail. We also use your e-mail address and name to inform you about events and updates on the platform, and to advise you on how to use the software optimally. We do not send advertisements to your e-mail address.

2. Maintain and improve our platform

We use the information about your visit to our website to show you the website, to analyze which web pages and components are visited most frequently. With this information we can analyze and improve our website in a privacy-friendly way. We do not place or read any tracking cookies through our website and do not use cookies from others (such as Google's).

3. Regular business operations

We process contact, payment and communication data from (former) customers for our regular business operations. We send invoices, keep accounts and we keep correspondence with (former) customers on our e-mail server and in online workbooks.

Organizations may only process personal data if they have a legal ground for this. The General Data Protection Regulation lists six possible grounds. We use two of these grounds for our various processing operations:

• Agreement: when you use our platform or want to do this, and we necessarily have to process your personal data in order to do this. We also use this basis to give you the necessary information about updates.
• Legal obligation: if we receive a legitimate claim to provide data to a competent authority. We are also legally obliged to keep personal data (long) in our financial administration, on the basis of tax legislation.

We do not provide personal data to third parties, unless we are legally obliged to do so. We do use the services of a number of specialized suppliers in the field of ICT. We have concluded processor agreements with these organizations. The processors may only process personal data in our order and under our supervision, only for goals that we determine and under strict confidentiality. We actively monitor compliance with the security obligations of our processors. Our processors come from the European Union, or have a relevant branch in the EU, which means that they have to comply with the AVG. We therefore do not transmit personal data to countries where your personal data are less well protected. If we cooperate with contractors, temporary employees or partners who are not processors because they are directly under our authority, and it is necessary to exchange personal data, we will conclude a confidentiality agreement.

We do not store the personal data longer than we need it for the goal for which we obtained it. We base this assessment on the type of personal data, the product or service for which we have obtained the data, and what you, as a party involved, can reasonably expect as a retention period. Because we think it is important to be transparent, we explain below how long we keep your personal data and what happens next.

Within our platform, identifying personal data are stored separately from all other information. This concerns your name, e-mail address, username and password. As long as you are a user of our platform, this data is linked to other information such as the progress of e-learning courses or activities that you have carried out during a phishing test.

For the identifying personal data processed in our platform, we use a retention period that is equal to the license. For example, if your organization purchases a 1-year license and the license is not renewed, your identifying personal information such as name, e-mail address and any photo will be deleted after this year. The data that remains in our systems (such as modules and scores followed) are then completely anonymised and can no longer be traced back to you.

Even if you are not a user of our platform, but have been presented by your organization for a phishing test, your personal details will be deleted after the license has ended.

Your organization has one or more administrators who can manage your data in our platform. They can remove your user data from our platform at any time, after which your identifying personal data will immediately be deleted. Pay attention, because after this you will no longer have access to our platform and this action can not be reversed.

In order to guarantee the availability of our platform, we regularly make backups, which we keep for a maximum of one year. If your identifying personal data occurs in backups, these data will be erased at the latest one year after they have been removed from the platform together with the backups. The backups are only available for our technical managers and are only read in the event of an emergency. The backups are not accessible to your organization or others.

We have enabled encryption on the traffic to our website. This will make the data traffic between you and our web server unreadable, so that outsiders do not have access to it. In addition, we of course ensure that we protect your data in all our systems in an appropriate way. We do this with all kinds of technical measures, including physical security of access to our office, but also with organizational measures. For example, with acces control, we ensure that only authorized accounts, such as administrators, have access to users' accounts. In addition, we have already taken the protection of your data into account when developing our platform, by storing identifying personal data separately from other information. All important activities are recorded in log files, so that we can identify and investigate incidents in time. Furthermore, new employees receive a security awareness training. We also encourage our employees to report security incidents immediately, without fear of negative consequences. Finally, we regularly have our platform checked for technical vulnerabilities.

Cookies are small files that are placed on your device by a website. our platform only uses 'functional cookies'. These are cookies that our software needs to function so that we can deliver our services via the web. These cookies are stored for the duration of the session. We do not place analytical cookies or third party cookies, nor do we share cookies with others.

Under the General Data Protection Regulation (AVG) you have the right to view your personal data on request and, if necessary, to have this changed or removed. In addition to the right of access, correction and deletion, you can ask us to limit the processing of personal data and it is possible to object if you do not agree with the processing. Finally, in some cases it is possible to invoke the right of data portability. We do not use automated individual decision making, such as profiling.

Below this privacy statement you will find how you can contact us to use your rights. To verify your identity, we will ask you a number of identifying questions.

In addition, it is possible to file a complaint with the Dutch Data Protection Authority. See: https://autoriteitpersoonsgegevens.nl

We can change our privacy statement. We will make an announcement of this change via e-mail or on our platform. If we want to radically change the goals of the processing, and the processing is based on your consent, we will first ask you for permission for these new goals.

Questions about this privacy statement or reports of (suspected) data breaches can be sent directly to our Data Protection Officer via email to privacy@awarenessplatform.com. Questions about our services can be sent via email to support@awarenessplatform.com. By post we can be reached as follows: Awareness Platform, Lange kleifweg 14, 2288 GK Rijswijk. We can be reached by telephone on the following number: +31 70 711 3400. In case you want to use one or more of your rights, or if you want to report a technical vulnerability or a presumed data leak, you can approach us via these channels.