International Data Transfers and GDPR Statement as of December 20, 2021.
To learn more about how Openpath proactively protects against system vulnerabilities, read our security statement.
Visitor Data, which includes:
Account Data, which includes:
Administrator refers to an individual administrator of the Openpath System authorized by the Customer, which may, in the discretion of the Customer, include Customer’s employees, agents, and contractors. Customer is an end user of the Openpath System. Partner refers to an authorized Openpath reseller or technology partner from whom a Customer obtains access and use to the Openpath System or related third-party services.
Openpath only collects the personal information necessary to enable us to respond to your requests for our products and services. When you use our Website, complete forms, schedule a demo, respond to a survey, complete a partner application, contact us or otherwise interact with our business, we usually collect personal information such as your name, email address, postal address, company name, phone number and any other information you choose to optionally provide that will enable us to respond as requested to you.
You can opt out of providing personal information by not entering it to the Website or otherwise not providing it if asked.
When you use our Website, we automatically collect certain computer information by the interaction of your mobile phone or web browser with our Website. Such information is typically considered Non Personal Information. We also collect the following:
We automatically receive information from your web browser or mobile action. This information includes the name of the website from which you entered our Website, if any, as well as the name of the website to which you’re headed when you leave our website. This information also includes the IP address of your computer/proxy server that you use to access the Internet, your Internet Website provider name, web browser type, type of mobile action, and computer operating system. Openpath may sometimes use IP addresses to analyze trends, administer the site, track user movement, and to gather broad demographic information for aggregate use. The IP addresses collected are not linked to PII unless a user specifically provides us that information during a session, such as by completing an inquiry form.
We use the information we receive from you as follows:
We do not sell, rent, or otherwise provide your Personally Identifiable Information to third parties for marketing purposes. We may provide your Personally Identifiable Information to affiliates that provide services to us with regards to our Website (i.e. payment processors, Website hosting companies, etc.); such affiliates will only receive information necessary to provide the respective services and will be bound by confidentiality agreements limiting the use of such information.
We retain the right to collect and use any Non Personal Information collected from your use of our Website and aggregate such data for internal analytics that improve our Website and Service as well as for use or resale to others. At no time is your Personally Identifiable Information included in such data aggregations.
We may be legally required to disclose your Personally Identifiable Information, if such disclosure is (a) required by subpoena, law, or other legal process; (b) necessary to assist law enforcement officials or government enforcement agencies; (c) necessary to investigate violations of or otherwise enforce our Legal Terms; (d) necessary to protect us from legal action or claims from third parties including you and/or other Members; and/or (e) necessary to protect the legal rights, personal/real property, or personal safety of Openpath Security Inc, our Users, employees, and affiliates.
We may occasionally request information from users via voluntary surveys. Information requested may include contact and demographic information. Survey data may be used to monitor or improve the use and satisfaction of our web site, products, or services. Openpath will retain ownership to all data provided via these surveys.
Openpath collects and processes all Account Data strictly on behalf of Customers and Partners in accordance with Openpath’s contractual agreements with them and/or as defined in the Terms and Conditions and/or as required or permitted by law.
Customers and Partners are responsible for ensuring that Account Data is obtained and processed in accordance with all applicable laws. Since Account Data is managed by the Customer, the Customer is responsible for providing appropriate notice and choice regarding Openpath’s processing of Account Data on behalf of the Customer. If an individual has any questions or concerns related to Openpath’s handling of Account Data pertaining to them, they may contact our Privacy Officer via firstname.lastname@example.org and we will work with the applicable Customer to address the concern.
From Customers, Openpath collects the personal information that is needed to properly manage Openpath’s business relationship. Customers will receive login credentials to manage their Openpath System accounts.
Openpath provides the Openpath System to Customers via its Partner channel. Partners selected by the Customer handle the initial setup and configuration of the Customer’s Openpath account.
Customers are responsible for verifying that all individuals who are designated as Administrators are authorized by the Customer for the levels of access granted. In general, Openpath recommends that the Customer designate an employee of the Customer to be the Super Admin. If the Customer chooses to permit an individual who is not an employee of the Customer (such as, for example, an employee of a Partner to have any administrative rights or other access or privileges to the Customer’s account or Account Data), the Customer is responsible for monitoring the third party’s access to and use of the account and Account Data. Openpath is not responsible for any unauthorized use or misuse of the Customer’s account access, account privileges or Account Data by anyone using access provided by the Customer.
Certain Openpath employees also will have access to Account Data, solely in connection with the provisioning of the Openpath System and to respond to specific Customer and Partner requests for technical support. Openpath will access Account Data only for the purposes of providing the Openpath System, preventing or addressing service or technical problems, in accordance with the provisions of any separate written agreement between Openpath and Customer (such as, for example, the Openpath Terms and Conditions applicable to the Openpath System (as applicable, the “Terms and Conditions”)), or as may be required by law.
Openpath collects the following types of Account Data:
Information provided by Customers: The Openpath System provides the capability for Customers to store basic personal information such as an individual’s name, credential number, email address and photograph. This information is used to correlate security events to the correct individual, as well as to enable notifications and mobile application functionality. The Customer is solely responsible for determining if storage of this data is appropriate in the context of applicable laws and regulations.
Information generated from events: The Openpath System is used by the Customer to collect activity and event data. For example, the Customer can use the Openpath System to record that an access card was used at a particular door at a certain time. Through correlation with the information a Customer provides, Openpath may be able to tie an access event to a particular individual’s credential.
Log Information: The Openpath System records the actions of Administrators, as well as the status and the settings of various devices that have been configured to operate with the Openpath System. Log information may be used by the Customer to review the activity of Administrators.
Mobile Application: Openpath provides a mobile application which can be used with the Openpath System. The Openpath Mobile App is a form of digital credential used to authorize physical access to a building. Openpath collects information about the location of the device and its proximity to certain available Openpath readers within Bluetooth range of the Openpath Mobile App to simplify authorization to open the proper lock or door. In order to provide these services, Openpath collects various types of device, WiFi access point data and Bluetooth data. In order to use the services of the Openpath mobile applications, various features such as location services, WiFi, and Bluetooth communication will need to be enabled on the mobile device.
Location Data: In order for some features to work reliably, the Openpath Mobile App requires Location Services always enabled. We don't ever collect your physical location or GPS information, and do not share or sell your data to third parties. The app doesn't actually use your physical location, but rather Bluetooth Low Energy (BLE), which iOS and Android consider as part of their Location Services.
On iOS devices: The Openpath app also uses Motion Services in order to detect if a phone is in motion – if it is stationary, the Openpath background service will shut down in order to conserve battery. If the app detects the phone is moving, the Openpath service will resume in order to communicate with any nearby Openpath readers.
Logging data: Openpath does not log the geolocation or GPS of your phone. We temporarily log motion data on iOS devices and can only receive that data if you Send Feedback via the app for troubleshooting purposes.
If you'd rather not enable these features, you can still unlock entries on iOS devices by using Touch to Unlock with the Openpath app open and Bluetooth turned on. On Android devices, Touch to Unlock won't work if Location Services is turned off regardless if the app is open or not, but you can still use the app to unlock entries by tapping on the lock icons next to the entries.
Enable event notifications and Openpath Mobile App functionality.
Contact the Customer to inform it of product and service enhancements that Openpath thinks may be of interest to it.
Provide important service notices regarding the Openpath System and related devices. While Customers use Openpath System services, it will not be possible to opt out of communications regarding Openpath System service notices.
Ask the Customer to participate in surveys that help Openpath better understand the Customer’s needs in order to improve Openpath products and services.
Openpath also shares data with relevant third-party service providers when explicitly authorized by Administrators in the relevant Openpath System account; for example, to enable integrations with Video Management Systems, Alarm Systems, or Directory Services such as Active Directory.
In the context of GDPR, individuals residing in the European Economic Area with data stored in the Openpath System or using Openpath applications are considered “Data Subjects.” Customers (and in some cases Partners) are considered “Data Controllers.” Openpath is a “Data Processor.”
In Openpath’s role as a Data Processor, Openpath is the responsible custodian of the Data Subject’s data, performing this role on behalf of the Data Controller. The Data Controller is completely responsible to determine what data is captured, stored and processed within the Openpath System. Openpath does not share, sell, rent, or trade personally identifiable information with third parties unless directed by a Data Controller.
Within Openpath’s service model, most Data Subjects will have limited direct interaction with the Openpath System applications that capture and store their data. This interaction by Data Subjects will primarily be via the Openpath Mobile App. Most Data Subjects will be employees, visitors, or contractors of the Data Controller. Data is captured based on their relationship with the Data Controller. The Data Controller is responsible for gaining necessary consent from the Data Subject regarding the data to be stored. In cases where a Data Subject requests Account Data to be deleted from the Openpath System, Openpath will refer such request to the Data Controller for adjudication.
The GDPR includes provisions that grant Data Subjects portability rights in their personal data. Openpath will coordinate with Data Controllers and, as applicable Data Subjects, when requested to delete, anonymize or port data. Openpath provides for portability and is continually working to enhance its data export capabilities.
Openpath will continue to monitor the GDPR and evolve Openpath’s systems and processes to ensure continued compliance.
Those residing within the European Economic Area may request to access, correct, or limit the use of their personal information within the Openpath System by submitting a request to their Openpath Administrator. Individuals may have the right to complain to a data protection authority in the country where they live, where they work or where they feel their rights were infringed if they have concerns about their rights.
Openpath maintains a comprehensive, written information security program that contains industry standard, administrative, technical, and physical safeguards designed to prevent unauthorized access to Account Data.
Openpath may be required to disclose an individual’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.
Openpath stores all Visitor Data and Account Data in the continental United States. To facilitate Customers’ global operations, Openpath transfers information to the United States and provides access to that information to Customers around the world.
Openpath retains Visitor Data in accordance with our data retention policies and practices. The length of time we keep your information depends upon a number of factors, including the type of information. In general, we retain personal information for as long as we have an ongoing business need to retain it. Following that period, we will delete it.
If Openpath becomes aware of any improper access, unauthorized use or disclosure of Account Data (a “Data Breach”), Openpath will analyze the facts of the Data Breach in the context of applicable laws, regulations, policies and contractual obligations to determine the appropriate notification process. Openpath will conduct notifications in a timely manner after becoming aware of a Data Breach and take reasonable steps to minimize harm and mitigate further risks to Visitor Data and Account Data.
Openpath works with a select number of third-party service providers to perform database monitoring and other technical operations, assist with the transmission of data, and provide data storage services. These third parties may access, process, or store personal data in the course of providing their services. Openpath maintains contracts with these third parties restricting their access, use and disclosure of personal data in compliance with our privacy obligations. Openpath may be liable if they fail to meet those obligations, unless we prove that we are not responsible for the event giving rise to the damage.
The Website is hosted in the U.S. If you are a consumer accessing the Website from Asia, or any other region with laws or regulations governing personal data collection, use and disclosure that differ from U.S. laws, your continued use of the Website, which is governed by U.S. law and these terms, indicates your consent to transfer of your information to the U.S.
Because protecting the privacy of young children is especially important, we do not knowingly collect or maintain information from or about persons under 13 years of age. No part of our Website is structured to attract anyone under 13. If you are under 13, do not use or access the Website at any time or in any manner. If we learn that personal information of persons under 13 has been collected on the Website without verified parental consent, we will take appropriate steps to delete this information.
Section 1798.83 of the California Civil Code requires select businesses to disclose policies relating to the sharing of certain categories of customers' personal information with third parties. These businesses are required to accept requests for disclosures of these policies from customers but are only required to honor one request per calendar year. Businesses have thirty (30) days to respond to each inquiry to the designated address. Each inquiring customer will receive an explanation of the categories of customer information shared and the names and addresses of any third-party businesses. In limited circumstances, customers' failure to submit requests in the manner specified will not require a response from the business.
If you are a California resident, you may request such information from us by sending a letter to the address listed below. In your letter, please provide your name, address and email address, as well as a request that we provide such information to you, by using the following or similar language, “I request that Openpath provides its third-party information sharing disclosures required by section 1798.83 of the California Civil Code.”
If you have questions regarding this Privacy Statement or if you need to request access to or update, change or removal of personal information that we control, you can do so by contacting:
Openpath Privacy Officer
Openpath Security Inc
13428 Maxella Ave, #866
Marina Del Rey, CA 90292