Last Updated: 31 October, 2022
Qustodio processes two types of personal data in relation to the Services: (1) your account and contact data, for which we are responsible (as Data Controller, as defined under the EU’s General Data Protection Regulation (GDPR), or as a business, as defined under the California Consumer Privacy Act (CCPA)); and (2) your User Data, collected from your monitored devices associated to your User Accounts (“Monitored Devices”), for which you are responsible (as Data Controller as defined under GDPR), while Qustodio acts as data processor as defined under GDPR or as a service provider as defined under CCPA.
- Your account and contact data are used for managing our relationship with you, including activation, support, invoicing, and upselling. This is described in Section A of the policy.
- Your User and Monitored Devices information is processed on your behalf, for providing the parental control and monitoring services through the control panel. This is described in Section B of the policy.
You are sole responsible for the configuration and use of the parental control panel and the processing of personal data associated with your account which includes, among others, collecting, storing, and analysing personal data from Users’ Monitored Devices. The Qustodio Services automatically deploys the configuration and the instructions given by you and you are solely responsible for the configuration of this control panel. You can change those configurations and provide instructions to limit and/or erase any data collected within the control panel.
We Comply With The Children’s Online Privacy Protection Act of 1998 (COPPA)
COPPA and its rules require us to inform parents and legal guardians (“parents”) about our practices for collecting, using, and disclosing personal information from children under the age of 13 (“children”). It also requires us to obtain verifiable consent from a child’s parent, or confirm that the child’s teacher has obtained verifiable consent from such child’s parent, for certain collection, use, and disclosure of the child’s personal information.
Read more about COPPA at the FTC’s COPPA page. This regulation is designed to protect the privacy of your children. In order for a child under the age of 13 located in the United States to use the Qustodio Services, his/her parent or teacher must approve the registration.
A. DATA PROCESSED BY QUSTODIO AS DATA CONTROLLER
Please note that this Section does NOT regulate the processing of user data from the Monitored Devices (“User Data”) by Qustodio in its capacity as Processor, which is regulated by Section B attached.
- Data Controller
The Data Controller is Qustodio Technologies SL, Roger de Flor 193, bajos, 08013, Barcelona, Spain. You can contact to our Data Protection Officer to send any suggestions, queries, doubts or complaints about personal data, or to access your personal data by writing to: firstname.lastname@example.org.
- Data collection by the Company through the Services
Data Collection. Qustodio will collect and process as data controller the following personal data through the Services:
- Registration Data. On registering for Services, we will collect the following personal data about you: name, surname, email address and telephone. This data is mandatory and if it is not provided, your account cannot be created.
- Information about your computer. Due to the communications standards on the internet, when you visit our platform we automatically receive the URL of the site from which you came and the site to which you are going when you leave the site. We also receive the internet protocol (“IP”) address of your computer and the type of web browser you are using. We use this information to analyse overall trends and to help improve the Services. This information is not shared with third parties without your permission.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
Information We Collect
To comply with the CCPA, a business must describe the categories of personal information it has collected about consumers during the past twelve (12) months. Accordingly, this section applies to visitors, users, and others accessing the Qustodio Services who reside in the State of California.
We collect information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household, or device (“personal information“). Personal information does not include:
- Publicly available information from government records.
- Deidentified or aggregated consumer information.
Please refer to Appendix I for more detail on the categories of personal information we have collected from consumers within the last twelve (12) months.
We obtain the categories of personal information listed in the previous section from the following categories of sources:
- Directly from you. For example, from forms you complete or features of the Qustodio Services you interact with.
- Indirectly from you. For example, from observing your actions within the Qustodio Services.
Purposes for Processing. The personal data we collect about you are used for performing our contract and communications with you, for managing your Qustodio Account and for providing our Services to you (as described in the Terms). The data we collect are also used to measure and improve the Services and its functionality and to provide customer service, send email notifications and (if you gave your consent) newsletters, or communications, in general, about the Services, products and novelties, and product offers or promotions offered by us. We will use your data also for granting compliance with the Terms, the applicable laws, and other legal obligation we are subject to.
Legal Basis for processing. Below are the lawful bases that we rely on to process your data:
- Preparation and performance of Contract: processing your data is necessary for the performance of our contract with you, or to take steps at your request before entering into such a contract.
- Legitimate Interest: we have a legitimate interest to process your Registration Data for our business, in conducting and managing our business to give you the best service/product and the best and most secure experience. We consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interest and we do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
- Comply with a legal or regulatory obligation: we may process your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.
Generally, we do not rely on consent as a legal basis for processing your Account Data other than in relation to sending own marketing communications to you via email or text message. However, for transparency and clarity, we ask you to provide this consent, which is given by you on registering your account. You have the right to withdraw consent at any time by contacting us at email@example.com. This will not affect the processing of your Registration Data for service provision until you cancel your account.
Service Optimisation. We may process data on an aggregated non-identifiable basis for establishing user general attributes and profiles and share such anonymous information with third-party service providers to improve or promote our Services. We also use your data in a non-identifying and aggregated manner (i.e., dissociated data) to better design our website, software, and services.
Disclosure. We treat your personal data with strict confidentiality in accordance with applicable law. However, we disclose any information about you or your use of our Services: (i) in order to comply with the legal obligations we are subject to, (ii) in order to correctly deliver our Services or perform other obligations in accordance to the Terms, (iii) in the event of a sale or change of control of the Company for the purpose of appropriate due diligence actions; or (iv) to our service providers that provide us a service in relation to the data.
We require all third parties to respect the security of your personal data and to process it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process it data for specific purposes and in accordance with our instructions.
Qustodio in case you are monitoring Monitored Devices running iOS. Upon installation of Qustodio Software for Monitored Devices with iOS operating system, due to the technical configuration of the system, all data transmitted to and from the Device is channeled through our servers, in such a way we are visible to a third party such as your Internet access provider and the owner of the IP address from which communications originate. Although we are NOT an Internet access provider, due to this configuration we may receive notifications (each a “Notification”) from third parties regarding the User’s online behaviour, including but not limited to downloading and/or viewing online content, posting online content, opening online accounts, and/or using third party applications and programs. If we receive such a Notice stating your User engages in any activity that is or may be illegal or violate the rights of third parties, or if we believe (in our reasonable judgment) that any activity by your Users is or may be detrimental to the provision of the Services, we will notify you. We reserve the right to (and will, if we are obliged to by court or applicable law or to protect our interests and business, and in particular, but without limitation, if we receive a Notice from a third party or if user activity on a device is or may, in our opinion, be detrimental to the provision of the Services): (a) suspend or block access to your Device(s) to the Internet or to certain websites/internet services; and (b) provide any party providing the Notification to us or a Court or public authority with your name and contact details and/or (c) terminate your Account.
For iOS devices, after installing the MDM profile, Qustodio will have access to all the traffic of the device. This information (coming from the device) only goes to Qustodio servers and is not shared with any third party. The specific information collected through MDM is:
- Domain names, user agent and operating system version; in order to categorize websites and applications visited by the device, and thus make the filtering established by the parent. It is also used to report activity to the parent.
- the URL address in the web search engines; to report the search to the parents.
Data Retention. We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including (a) the performance of the contract with registered users and (b) for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. Generally speaking, we will retain your personal data for the period of your subscription (in active format) and 5 years thereafter (blocked), for legal and/or administrative purposes.
Anonymised Data for Statistical Purposes. For the purpose of improving our Services and providing sector/segment reports, we may anonymise your Registration Data and certain User Data and store and process this data on an anonymous basis, even after your Account has been closed, indefinitely. The principal purpose is to analyse on an aggregated non-identifiable basis how our Services are used, measuring their effectiveness, and providing general customer service. We may also provide this data (or parts of it) on a fully anonymous aggregate basis to third party business partners, including for conducting academic research and surveys or commercial analytics, and to publish periodic sector or segmented information and reports about behaviour patterns and tendencies.
- International Transfers of Data
We use third party technological services for the provision of our Qustodio Services, whose providers may process your personal data as sub-processors. These entities may be in jurisdictions that generally do not provide adequate safeguards in relation to the processing of personal data. For all entities outside the Economic European Area, we have entered contracts with such entities that do include such safeguards, including the EC model clauses:
- PayPal, Inc. provides us the billing service “Braintree”. You can find more information here https://www.braintreepayments.com/en-es/legal
For more information about our service providers that carry out international data transfers, please contact firstname.lastname@example.org.
- Data Security
We have adopted technical and organizational measures to preserve and protect your personal information from unauthorized use or access and from being altered, lost or misused, taking into account the technologic state of art, the features of the information stored and the risks to which the information is exposed. In case of a security breach, we will take the appropriate measure and will notify you electronically in a timely manner.
- Data Subject’s Rights
In accordance with the applicable data protection law, you have the right to:
- Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights.
- Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Request the transfer of your personal data to you or to a third party (known as “data portability”). We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will notify you if this is the case.
- File a complaint to the supervisory authority. You have the right to file a complaint to the Agencia Española de Protección de Datos (AEPD), in Calle Jorge Juan,6, 28001 Madrid (www.aepd.es) if you consider that we are violating the data protection and privacy applicable laws. Before contacting with the AEPD, please do not hesitate to contact with us at email@example.com, we will be happy to discuss our data protection practices with you and clarify any doubts you may have.
To exercise your rights, please contact us at firstname.lastname@example.org or sending a letter at Qustodio Technologies SL, Roger de Flor 193, bajos, 08013, Barcelona, Spain.
If you contact us to exercise your rights, we may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
- Exercising Your Rights to Know or Delete
To exercise your rights to know or delete described above, please submit a request by either:
- Emailing us at email@example.com; or
- Submitting a support request within the Qustodio Services.
Only you, or someone legally authorized to act on your behalf, may make a request to know or delete related to your personal information. To designate an authorized agent, please submit a request by emailing us at firstname.lastname@example.org.
You may also make a request to know or delete on behalf of your child by emailing us at email@example.com.
You may only submit a request to know twice within a 12-month period. Your request to know or delete must:
- Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative, which may include, but is not limited to:
- (a) contact information associated with the account;
- (b) the user profile name;
- (c) the name of one or more Monitored Devices;
- (d) technical information (e.g., model ID, serial number, IMEI code, operating system, etc.); or
- (e) any other piece of personal information we determine in our sole discretion to be sufficient for verifying your identity to a reasonable degree of certainty.
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.
You do not need to create an account with us to submit a request to know or delete. However, we do consider requests made through your password protected account sufficiently verified when the request relates to personal information associated with that specific account.
We will only use personal information provided in the request to verify the requestor’s identity or authority to make it.
- Response Timing and Format
We endeavor to substantively respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to another 45 days), we will inform you of the reason and extension period in writing.
If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.
Any disclosures we provide will only cover the 12-month period preceding our receipt of your request. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
We will not discriminate against you for exercising any of the rights described above, and we will not:
- Deny you goods or services.
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
- Provide you a different level or quality of goods or services.
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
- Commercial Communications.
As a user of Qustodio’s Services you will receive electronic commercial communications in accordance with applicable law, including alerts, notices, newsletters, offers and promotions, related to Qustodio’s Services. If you do not wish to receive such information you can expressly opt out by our commercial communications by clicking “unsubscribe” in one of our emails or by sending a notification to firstname.lastname@example.org.
B. QUSTODIO PROCESSING USER DATA AS DATA PROCESSOR/SERVICE PROVIDER
When registering and creating an Account, Qustodio starts collecting data from the Devices associated to the Account, which may include personal data relating to you, to the Users of the Devices or to third parties (“User Data”, including information about your Devices, websites and apps that your Users use, contacts, connections, payments, messages and other communications, posted and received content, etc.). Furthermore, in the event of any promotional or other campaign, Qustodio may process the contact information (name and email address) of a potential new client or user of our Services you provide us with. This section B applies to the processing of these data, as well.
We, as data processor under the GDPR and service provider under the CCPA, process User Data under instruction from you (our customer, the “Client”), acting as data controller. This means that you are in control of this data: you determine which data is collected and how it is used for your parental control purposes. Without prejudice to the issue that such data is in most cases processed within a domestic context, we are providing a commercial service to you and therefore our processing of the User Data on your behalf is governed by the terms of this Section B.
- Object and Term.
The purpose of this Section B is to regulate the processing of the User Data indicated above. The term of validity of this Section B is established by virtue of your subscription with Qustodio.
- Warranty and Indemnity.
You, as the person responsible for User Data that we process on your behalf as data processor for the provision of the Services, represent and warrant to us that you have all the appropriate informed consents from each and every data subject whose personal data are submitted to us in the course of the provision of the Services or collected and transmitted to us by the Qustodio Software. You agree to indemnify and keep us harmless from all claims, damages and losses we may suffer relating to or arising out of the processing of User Data and other third-party personal data submitted to our systems during the course of use and provision of the Services. Furthermore, you warrant that you have the consent, or the appropriate legal basis, of the new potential user for sending us this contact information, should you provide us with any data during a promotional campaign.
- Your use of User Data.
As Data Controller, you warrant that you have the appropriate authority to collect and process the User Data and any other data you provide us with acting as Data Controller, and you will not submit to the Services any personal data relating to any individual over 13 that has not authorized such processing. Through the Services, you may also access a copy of the User Data collected by us on your behalf. You will protect the confidentiality of any accessible User Data and prevent access by or disclosure to any unauthorized third person.
- Service Configuration and Data Processing Instructions.
We store the User Data until you close your Account. After that period of time, we disassociate the personal data from the individual it refers to and use such disassociated data for internal research and analysis purposes.
- Data Removal.
During your subscription, we generally retain your User Data on an identifiable basis for 12-month periods, for providing our annual behaviour report. In addition, through the Platform control panel, you may delete all historical data saved at any time. This data will no longer be accessible and will be fully removed from our systems on the next back-up, except as indicated below. If you wish to remove all the User Data in your Qustodio Account, please, uninstall Qustodio of your devices, and send an email (as set out below), with a digital copy of your ID or other identification document to prove your identity requiring the deletion of all the data we have about you and your Users. Once your identity confirmed, we will immediately remove all Data from our active systems and back-ups within fifteen (15) days from confirmation of identity.
- Rights and Responsibilities of Qustodio as Data Processor.
As established in the applicable laws and regulations, Qustodio shall:
a) Process User Data only on the basis of documented instructions from you, including transfers of User Data to a third country or international organization, unless otherwise required to do so under Union law or applicable Member State law. In such case, Qustodio will inform you of that legal requirement prior to the processing, unless otherwise prohibited by such law or in the public interest.
b) Ensure that the persons authorised to process User Data have undertaken to respect confidentiality or are subject to an obligation of confidentiality of a statutory nature.
c) Take all appropriate technical and organisational measures to ensure a level of safety appropriate to the risk of processing.
d) Respect the conditions for having recourse to another data processor, as established in the current legislation on protection of personal data.
e) Assist the data controller taking into account the nature of the processing, through appropriate technical and organisational measures, whenever possible, so that it can comply with its obligation to respond to requests for the exercise of the rights of the data subjects, in this case, the Users.
f) Assist you in ensuring that you comply with your privacy obligations, if any, taking into account the nature of the processing and the information that is available to Qustodio.
g) At your choice, either destroy or return all personal data once the processing services have been completed and destroy any existing copies unless the retention of personal data is required under Union or applicable Member State law.
h) Make available to you all information necessary to demonstrate compliance with the obligations established herein.
i) Process the User Data placed at the disposal of Qustodio in a way that ensures that the personnel in charge follows Your instructions.
j) Ensure that the DPO is involved in an adequate and timely manner in all matters relating to the protection of User Data.
k) Adhere to a Code of Conduct that is approved by the European Commission or other competent authority, if applicable.
l) Keep a record of processing activities in the case of processing personal data that may pose a risk to the rights and freedoms of the data subject and / or in a non-occasional manner, or which involves the processing of special categories of data and / or data relating to convictions and infractions.
- Data Subjects’ Exercise of their Rights.
If the Data Subjects (Users) address a request or exercise any of the rights established in the General Data Protection Regulation, you and / or Qustodio must provide the information requested and perform any required actions, without delay and, at the latest, within one month from receiving the request, which may be extended for a further two months if necessary, taking into account the complexity of the application and the number of applications.
Similarly, in the event that you and / or Qustodio do/es not proceed with the request of the User, he/she/they shall inform the latter without delay, and no later than one month after receipt of the request, shall provide the User with the reasons why he/she/they has/have not acted and inform the User of his/her/their right to file a complaint before a competent authority and to file a judicial appeal. The response to the User’s request shall be made in the same format as that used by the person concerned, unless he/she/they requests that it be done otherwise.
Qustodio may subcontract its obligations and/or give access to User Data to third party service providers, if it is necessary for the proper provision of the Services. For this purpose, you hereby expressly authorises Qustodio to subcontract the entities indicated in Appendix 1. Qustodio ensures a contract exists with each third-party subcontractor, which is sufficient to require the subcontractor to process User Data in accordance with the applicable data protection laws and the Client’s instructions.
- International Transfer of Data.
International transfers of User Data about users located in the EU may only be performed if the requirements of national and/or European laws and regulations that regulate them are met. User Data about users located outside the EU may be transferred to our servers located in Spain. Qustodio uses third-party technological services for the provision of Services, and these entities may be in jurisdictions that generally do not provide adequate safeguards in relation to the processing of personal data.
For all entities outside the Economic European Area, we have entered contracts with such entities that do include such safeguards, including the EC model clauses (see Section A.3 above and Appendix 1 below for a list of these entities). For more information, please contact email@example.com.
- Security Breach of the Personal Data.
Insofar as there exists an instruction from a competent supervisory authority, a development of a national legislation or a delegated act, in the event of a security breach of the personal data, Qustodio shall notify you and the competent supervisory authority of such breach without undue delay, and if possible, no later than seventy-two (72) hours after it happened.
- Termination, Resolution & Expiration.
In the event of termination, resolution or expiration of the contractual relationship for the provision of services hereunder between you and Qustodio, the latter shall not keep the User Data unless otherwise legally required or advisable to do so. Otherwise, upon termination, resolution or expiration, or when no longer legally required to keep the data, Qustodio shall destroy or return to the Client all personal data and any copies of it, as well as any support or other document containing any personal data. This is without prejudice to the right of Qustodio to continue process User Data where such data is being processed by Qustodio or for the defense of its legal interests.
Details of Processing
For CCPA compliance purposes, Qustodio has collected the following types of personal data/information from the consumers described below within the past twelve months. Under the GDPR, the data indicated below are data that Qustodio processes as data processor.
Categories of Data Subjects/consumers
Users of the devices which are monitored by Qustodio. Third parties who interact with the users of such devices.
Type of personal data/personal information
a) Identifiers such as real name, alias or account name, unique personal identifier, online identifier, IP address, email address.
(b) Information about the Monitored Devices usage, depending on the functionalities configured by the Account Owner in the dashboard, such as the URL of the visited websites on the supported web browsers, each website usage time and number of visits, each application usage time, the Monitored Devices usage times, and the Monitored Device location information. All data collected by such devices, including identification and contact data, Internet browsing and content viewing data, behavioural data.
(c) technical information about the Monitored Device, such as the model ID.
For iOS devices, after installing the MDM profile, Qustodio will have access to all the traffic of the device. This information (coming from the device) only goes to Qustodio servers and is not shared with any third party. The specific information collected through MDM is:
List of third parties accessing the User Data
- Amazon Inc. provides Qustodio the service of data hosting outside the European Economic Area (USA).
- ZenDesk Inc. provides Qustodio with support services outside the European Economic Area (USA).
The third parties indicated in section A.3 for the provision of their services.