Privacy policy

At Facegent, we are committed to protecting and respecting your privacy.

Processing of data

Purpose

The parties' purpose with the processing is to enable the purpose of the Main Agreement to be fulfilled and to allow the Customer's end-users to utilize Facegent's services as a digital access provider.

Categories of Personal Data

Personal identification number
Name (first & last)
Address
Phone number
E-mail
Gender
Picture

Bookings and purchases, visits and training statistics, employment number (for staff) & other information that our customers have chosen to register in the system.

Categories of Registered

Customers, employees and other personal resources & guests.

End customers and other persons registered in the customer's installation.

People we contact in connection with the delivery of our services, for example employees of customers or third parties.

Persons who, in connection with the creation of support matters, sent their personal data themselves. Persons who sent e-mail to or received e-mail from the supplier.

Thinning time

Support matters with contact information are stored as long as a valid Customer Agreement exists and are then deleted within 6 months after its expiration.

Information that falls under the Accounting Act is saved in accordance with current legislation.

Information that is handled in connection with the ordered additional service is deleted no later than 6 months after the service has been delivered.

Thinning of information in the case management system takes place on an ongoing basis.

Anonymisation of persons in the supplier's register takes place when the need for storage no longer exists. Thinning of e-mails and documents takes place when the need for storage no longer exists.

Practical Handling

Data containing personal data must be sent in a way that is sufficiently secure for the purpose. Emails containing personal information are deleted when the purposes are fulfilled. Internal documents are cleaned on an ongoing basis so that only relevant personal data is saved.

Access Control

Access control of connections to customers' installations takes place in three levels:
Level 1 - No direct access to customer installations. Access to support installations is initiated by the customer's users.
Level 2 - Access to customer installations for installation and support.
Level 3 - Access to systems that handle file exchange for banking services, for example for direct debit withdrawals.

Backup

Backups are kept for 14 days and then deleted.

Access Logging

Access to sensitive internal systems is logged.
Access to passwords for logging in to customers' environments is logged.
The staff's logins in the customer's installation of the system are logged.

Authorization and permissions

Access to information and systems takes place according to the "principle of least privilege". The staff's need for access to information and systems is reviewed quarterly.

Encryption 

Work to encrypt all workstations is ongoing. Connection details, username and password are encrypted. File upload of data from customer to supplier takes place via encrypted channels.

Firewalls, separation of environments and antivirus protection

Information stored locally in the supplier's premises is limited to what is necessary. The supplier's premises are alarmed. A firewall with VPN access provides encrypted traffic for external access. Two-factor authentication is used to access internal functions of customers' installations. The vendor's computers are equipped with antivirus software.

Cookie policy