Clean.io is serious about privacy, especially yours

Last updated March 31st, 2020

If you are a company or business we provide services to (or the site visitors, customers, or end users of such companies or businesses), then this privacy policy applies to you. Please note that this privacy policy does not address our privacy practices with respect to our Clean.io website and marketing activities. Please visit our Clean.io Website Privacy Policy for more information related to how we handle information collected from our website visitors or individuals who have a direct relationship with us.

  1. INTRODUCTION

Clean.io, Inc. (“Clean.io”, “us” or “we”) provides technology and services that enable our clients and customers (“Clients”) to detect and block malicious software code in order to protect Internet users that are visiting or using their sites, properties or applications (“Users/User”). This privacy policy (“Policy”) explains how information is collected, used, and disclosed when we provide our products and services to our Clients.  For purposes of this Policy, “User(s)” do not include Authorized Users that are the employees and agents of our Clients who are accessing the Services on behalf of our Clients.

  2. OVERVIEW OF THE CLEAN.IO SERVICES

Clean.io offers an application programming interface, scripts and services for use on web pages and applications that, collectively, help in detecting and blocking malicious software code (including, without limitation, malicious code or technology that may be: (i) injected into web pages and/or mobile applications through advertising, compromised browser extensions, WiFi networks and/or websites, (ii) resident on the User’s local machine, (iii) injected into web pages and/or mobile applications through the websites Users visit, or (iv) injected into web pages and/or mobile applications through navigation redirects and other similar activities) as well as related services, data, analytics, code, SDKs and technology (collectively, the “Clean.io Services” or the “Service(s)”). Our Clients use the Service in order to attempt to protect their Users from the unwanted and/or harmful effects of such malicious software code.

In order to use and receive the Services, each Client must first enter into a written Clean.io Platform Agreement or other similar services agreement addressing the particular Services being performed by Clean.io (the “Principal Agreement”). Such Principal Agreement may address aspects of our privacy obligations with our Clients and how Clean.io will retain, use, disclose and otherwise process personal information in connection with such Services.  However, unless the Principal Agreement expressly states that this Policy shall not apply, this Policy shall apply to and supplement the Principal Agreement and shall govern how we collect and use data that may be obtained through the provision of Services to Clients.

  3. INFORMATION COLLECTED VIA THE CLEAN.IO SERVICES

3.1       Services Related Data.  When a User visits a web page, mobile application or other similar property that is receiving our Service, certain information is collected about such page, application or property, the related User and User’s device and the malicious ad, code or technology that is related to such page, application or property. Collected information consists of: the User’s country or other general geographic area, browser type, operating system, date and time of User visit, user agent string, URLs of pages viewed by the User, whether the User encountered malicious advertising, technique used by the malicious ad to inject itself into the page, time elapsed since the page load until malicious JavaScript execution attempt, Internet Service Provider (ISP), number of ad impressions shown on the page, duration of the entire page view and “session depth”, JavaScript and certain HTML content of the impacted page (which in some cases may include site content written on the screen, including comments), device pixel ratio (as a number from 1 to 4, generally: e.g. 1 on old PCs, 4 on super retina screens), and ad dimensions for the applicable ad (e.g. 300×250).    

Please note that we may use a User’s IP address for purposes of collecting information regarding a User’s Internet Service Provider and general geographic location (e.g., country or zip code).  However, we do not store the User’s IP address and do not use it in any manner to identify any individual. Also, while we do collect the user agent string of Users, we do not combine it with any other personal information and do not use it to identify any individual.

3.2       Custom Data Points.  Clients may also elect to pass custom data points or special markers to Clean.io in connection with Services, such as a client identifier or ad source identifier. The type of custom information shared via our Service is ultimately determined by our Clients with the exception of any client identifiers assigned by us.

3.3       Authorized User Data.   In order for a Client’s employees and  authorized agents (the “Authorized Users”) to access and use the Services on the Client’s behalf, those Authorized Users will first need to be provisioned access credentials via clean.io’s access and login procedures in effect from time to time.  Clean.io currently uses Auth0 to facilitate access to the Services.  Additionally, we may require an Authorized User’s name and email address in order to communicate with Authorized Users with respect to Customer’s and the Authorized User’s use of the Services.  Certain of the information that we collect from Authorized Users (e.g. name and email) is considered “Personal Data” or “Personal Information” (each as defined below) under the terms of applicable privacy laws and is therefore subject to the terms of our Data Processing Addendum.

3.4       Personal Data. Except as set forth in Section 3.3 with respect only to Authorized Users, we do not intentionally collect, and the Services are not intended to collect, any “Personal Data” or “Personal Information” (each as defined below) about Users and we ask our Clients not to provide any such Personal Data to us.  For example, we do NOT collect identifiers such as contact information, government IDs, cookies, names, email addresses and other similar information from Users.  In the event that we agree for a specific engagement to collect or process personal information on behalf of a Client in that Client’s Principal Agreement or another written agreement with such Client or we receive or otherwise access such personal information despite our efforts not to collect or receive such information, the terms of our Data Processing Addendum shall apply in those limited circumstances.

  4. COLLECTION METHODS

Clean.io generally collects information related to the Services via the deployment of a script on Client websites or in connection with use of our software development kit (“SDK”) on mobile and other applications.   Also, Clients sometimes directly send malicious ads to Clean.io for separate analysis or pre-scanning, and Clean.io may collect information from those ads.  In addition, Clients may send us other types of information directly from time to time.  We require Clients to have obtained from their Users the right for us to collect all information contemplated by this Policy via their terms of services, terms of use or other similar agreement and their applicable privacy policies.   

  5. CLEAN.IO’S USE OF COLLECTED INFORMATION

We use the information we collect or receive as follows:

5.1       Providing Our Services.  Clean.io primarily uses the information we collect to provide the Services. In providing the Service, the information collected helps us determine whether and how malicious 3rd-party code is being delivered to a User’s runtime environment on their device. The information also helps us offer related services designed to improve the User’s experience, such as: improving our ability to detect and defeat malware or undesirable User experiences (e.g. video advertisements that automatically play with audio enabled, advertising creatives that deliver to a User’s device with excessive data payloads, etc.) and blocking malware that causes our Clients, our Client’s partners and/or our Client’s Users economic damage. Clean.io may also use the information collected to enable a Client to block specific advertisers and creatives from rendering an impression on a web page or inside a mobile application.  We use registration information collected from your Authorized Users in order to facilitate their access and use of the Services.

5.2       Sharing With Our Clients.  We may share the information we collect with our Clients and the Client’s partners (upon their request or direction), and our Client and their Client partners may use the information for a variety of purposes, including to improve the User’s experience on a web page or inside a mobile application. 

5.3       Improving Our Services.  We may use the information we collect to improve our Service.

5.4       Business Use of Aggregated or Anonymous Data. As permitted by applicable law, we may also use the information collected on an anonymized and/or aggregated basis for the purpose of performing industry tracking and analysis and developing and sharing reports related thereto and for our other business purposes.  We may share (on an anonymized and/or aggregated basis) information we collect with researchers and experts working in the digital security industry and also with advertising exchanges (both supply side and demand side).

5.5       Legal Actions.  We may also share any information we store or collect in response to a legal process, or when necessary to protect our Services or our Client’s services and offerings, or if otherwise required or recommended by applicable law.  We may also share the information with law enforcement on a proactive basis if the information relates to potential illegal or fraudulent activities.

5.6       Bankruptcy and Acquisitions.  In the event that the ownership of Clean.io or an affiliate or their assets changes as a result of a merger, acquisition, sale of assets, change of control or in the unlikely event of a bankruptcy, the information we have collected may be transferred to another company. If we believe a transfer results in a material change in the use of the information we’ve collected or received about our Users, we will provide notice and choices consistent with applicable law.

  6. OUR DATA RETENTION POLICY

Clean.io removes data within five years after our last encounter with a User.  After data is removed, Clean.io reserves the right to store and use all anonymized and aggregated data indefinitely.

  7. OUR POLICY REGARDING CHILDREN

We do not knowingly collect data from anyone under the age of 13. In the event that we learn that we have collected data from a child under age 13, we will take reasonable steps to delete that information as quickly as possible. If you believe that we might have any information from or about a child under the age of 13, please contact us at [email protected].

  8. CALIFORNIA CONSUMER PRIVACY ACT – CCPA

California has adopted the California Consumer Privacy Act of 2018 (“CCPA”).   The CCPA relates to how businesses collect, use, and disclose “Personal Information” relating to California residents.  The phrase “Personal Information” is defined by the CCPA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”  Personal Information of a Consumer (as defined by CCPA) includes things such as: identifiers (such as contact information, government IDs, cookies, etc.), information protected against security breaches (such as a Consumer’s name and financial account, driver’s license, social security number, user name and password, health/medical information), protected classification information (like race, gender, ethnicity, etc.), commercial information, Internet/electronic activity, precise geolocation, audio/video data, professional or employment related information, education information, biometrics, and inferences from the foregoing.

We do not intentionally collect any “Personal Information” (as defined under the CCPA) about Users via the Services (although we do collect Personal Information from Authorized Users as set forth in Section 3.3 above).  We ask our Clients not to provide any such Personal Information about Users to us. If, notwithstanding the foregoing, Client and Clean.io expressly agree in the Principal Agreement that Clean.io will collect or receive Personal Information regarding a User that is subject to CCPA, or we actually receive or collect such Personal Information despite our intention not to collect or receive such information, then the terms of the Clean.io  Data Processing Addendum (“DPA”) shall apply to our collection, use and processing of such Personal Information.  As noted in Section 3.3, the information we collect from Authorized Users during the course of their registration with the Services may be “Personal Information” under the CCPA. The terms of the DPA also apply to all such Authorized User Personal Information.   For clarity, the DPA shall apply to our relationships with our Clients and sets forth certain rights and obligations between us and our Clients related to the information of their Users – our Client would be considered the owner and controller (a “Business” under CCPA) of the Personal Information of its Users and we will act as a “Service Provider” under CCPA.  If you are a User or Authorized User, you should also contact our Clients with whom you shared your information to learn about their privacy policies and to exercise your privacy rights.

  9. GENERAL DATA PROTECTION REGULATION – GDPR

Users that are residents of the European Economic Area have certain rights under the European Union’s General Data Protection Regulation (“GDPR”).  Those Users are referred to as “Data Subjects” by the GDPR and the GDPR applies to “Personal Data” of those Users.  “Personal Data” is defined as information relating to an identified or identifiable Data Subject (as defined by GDPR). 

Except with regard to Authorized Users as set forth in Section 3.3, we do not intentionally collect any “Personal Data” about Users via the Services.  We ask our Clients not to provide any such Personal Data to us.  If, notwithstanding the foregoing, Client and Clean.io expressly agree in the Principal Agreement that Clean.io will collect or receive  Personal Data regarding a User that is subject to GDPR, or we have Personal Data in our possession despite our intention not to collect or receive such information, then the terms of this Clean.io Data Processing Addendum shall apply.  As noted in Section 3.3, the personal information we collect from Authorized Users during the course of their registration with the Services may be “Personal Data” under GDPR. The terms of the DPA also apply to all such Authorized User Personal Data.   For clarity, the DPA shall apply to our relationships with our Clients and sets forth certain rights and obligations between us and our Clients related to the information of their Users – our Client would be considered the owner and controller of the Personal Information of its Users and Authorized Users (a “Data Controller” under GDPR)  and we will act as a “Data Processor” under GDPR.  If you are a User or Authorized User, you should also contact our Clients with whom you shared your information to learn about their privacy policies and to exercise your privacy rights.

  10. SUBPROCESSORS

Clean.io may from time to time use certain subcontractors (i.e., subprocessors) in connection with providing the Services (“Subprocessors”). See our Subprocessor List for more information regarding the specific Subprocessors we use.  The Clean.io Data Processing Addendum also provides additional information regarding the Subprocessors we use.

  11. DATA SECURITY MEASURES

Clean.io implements industry standard practices on information security management to safeguard information we collect via the Services. Our information security systems apply to people, processes and information technology systems on a risk management basis.

Because no method of transmission over the Internet, or method of electronic storage, is 100% secure, Clean.io cannot guarantee that unauthorized parties will not gain access to information or data processed by the Services.  Clean.io will promptly notify a Client of any data breach or security incident impacting information or data collected from Client or its Users in any material respect. To the extent permitted by applicable law, Clean.io expressly excludes any liability arising from any unauthorized access to personal or sensitive information. 

  12. INTERNATIONAL DATA TRANSFERS

All information we have is stored on servers located in the United States. In the process of providing our Services, we may transfer information across borders from your country or jurisdiction into the United States. With the exception of data transfers from the EU and Switzerland, by providing Clean.io with your information, you hereby consent to the transfer of information to the U.S.  Transfers of “Personal Data” from the EU and Switzerland to the US will be subject to the terms of the applicable Client’s Principal Agreement and/or the Clean.io  Data Processing Addendum.  

  13. LIMITATION OF LIABILITY

Clean.io’s aggregate liability to its Clients arising from or related to this Privacy Policy is subject to the applicable terms and conditions of the Client’s respective Principal Agreement.

  14. MODIFICATION OF PRIVACY POLICY; NOTICE OF CHANGES

Clean.io reserves the right to change this Policy at any time and for any reason, subject to any requirements of applicable law. Such changes, modifications, additions or deletions shall be effective immediately upon notice thereof, which may be given by means including, but not limited to, posting the revised Policy on our website. By continuing to use our Services after any changes or modifications are made to this Policy, you accept the updated Policy and agree to abide by and be bound by the updated Policy.

  15. QUESTIONS & CHANGES TO THIS PRIVACY POLICY

We may change this Policy at any time. We will post all changes to this Policy on this page and will indicate at the top of the page the modified policy’s Last Updated date. If you have any questions or suggestions regarding this Policy, please contact us at: [email protected]