Mobile Connect privacy policy archive

Privacy Policy for Gallagher Mobile Connect iOS and Android

Revision 1.0 - September 2018

1. Introduction and Scope

This Privacy Statement applies to the Gallagher Mobile Connect App, supplied by Gallagher Group Limited, and its supporting Gallagher Cloud Service.

The App allows you to generate and store an access credential on your own device (smartphone or tablet), in response to an invitation from a site that uses a Gallagher Command Centre access control system. Once you have accepted the invitation, the App allows the site to broadcast important security and safety messages to you.

2. How to Reach Us

Please note that our App and our cloud services are processing personal information on behalf of a site that has a Gallagher Command Centre access control system. For questions or complaints about the personal information they hold about you, please contact the site that invited you.

The world headquarters of Gallagher Group is in Hamilton, New Zealand, where we have appointed internal Privacy Officers. To enquire about this Privacy Statement, or if you have any technical questions about how the Gallagher Mobile Connect App works, please contact us via email (privacy@gallagher.com) or by calling +64 7 838 9800. You can also write to Privacy Officer, Gallagher Group Limited, 181 Kahikatea Drive, Hamilton 3206, New Zealand.

3. Personal Information, Collection and Uses

3.1 What is personal information?

Personal Information is information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number or location data.

3.2 How we collect personal information.

Registration will involve your site security staff passing Gallagher your email address and phone number to process (see 3.5.1). We also collect some basic information about your device such as model and operating system, to ensure functional operation of our service (see 3.5.4).

3.3 Marketing agencies

We do not share your personal information with marketing agencies. Your information will not be sold, exchanged, transferred or given to any other company.

3.4 Third-party service providers

When we temporarily provide your personal information to companies that perform services for us, such as Apple or Google Firebase, written data processing agreements require them to protect the information.

3.5 Situations where we process your personal information

3.5.1 Registration of your Mobile Credential ID

Registration will involve the site passing us your email address and phone number for our cloud service to process. We use this information to send you an email and a text message, which the App will use to create your Mobile Credential ID.

We do not store your email address: we send the email message and immediately discard the address.

We store your phone number for the minimum period required to provide the service. As soon as your Mobile Credential is registered, or the registration invite expires we discard the phone number.

The registration process requires the App to communicate with Gallagher Cloud Services.

Credentials are stored only on your device, which means you can delete them. The contact information we hold about you is replaced by tokens, which are meaningless but unique numbers. The tokens are stored both on your device and in the cloud.

3.5.2 Using your device as an access credential

3.5.2.1 Mobile Access

The App communicates with Gallagher Bluetooth® Low Energy or NFC equipped Readers in order to allow you to gain access to areas, or perform actions such as arming/disarming zones or locking/unlocking doors. In order to provide this functionality, you must have a registered Mobile Credential.
When your device communicates with a Reader, it sends your Mobile Credential ID (a random number which cannot be associated to you without Administrative access to the Command Centre server) and then uses the FIDO UAF protocol to securely authenticate your device. More information on FIDO can be found at https://www.fidoalliance.org

3.5.2.2 Location Services

The App may ask for permission to access your device's location. For Android devices, location permissions are required to use Bluetooth® Low Energy scanning in any way. For iOS devices, location permissions are required to enable Background scanning.
Gallagher Mobile Connect does not use your location. It is never stored or transmitted in any way. These location permission requests are only in place because the operating system requires them to enable the above Bluetooth® Low Energy features.

3.5.2.3 Log data and troubleshooting

The App will collect logs to assist in troubleshooting should an error occur. This includes information about your activity, and may contain information about your Command Centre system, including such things as Reader names, statuses and access results (granted/denied/etc). These logs are stored locally on your device and are never sent unless by your explicit request.

3.5.3 Broadcast Notifications and message handling

The App allows your site administrators to send Push Notifications to your device so they can inform you of security/safety related incidents or any other purpose of their choosing.
In order to provide this functionality, you must have a registered Mobile Credential (see above).
When you open the App, it will communicate with Gallagher Cloud Services in order to retrieve any notifications that may have been sent to you. In order for your device to securely authenticate, it sends your Mobile Credential ID and then uses FIDO (see above).
When your site security staff send you a notification, the site name and notification text is stored by Gallagher Cloud Services. Immediately after your device retrieves the notifications, they are deleted. Un-retrieved notifications will be deleted after 7 days.

3.5.4 Telemetry

Whenever Mobile Connect communicates with Gallagher Cloud Services, in order to provide you services and to enable us to improve our products, we send and store the following:

• Mobile Device Operating System (e.g. iOS or Android)
• Operating System Version (e.g. iOS 11.4.1)
• Installed version of the Mobile Connect app (e.g. 11.0.0.74)
• The last time your device connected to Gallagher Cloud Services
• Mobile Credential ID

Although your IP address is sent, we do not store it. We store only the most recent copy of this information in the cloud, and we do not store history of your connections over time.

Gallagher Cloud Services explicitly do not store any other information that would enable Gallagher to associate this information with an individual. As above, your Mobile Credential ID is a random number that cannot be associated to you without Administrative access to your site's individual Command Centre server.

4. Your Privacy Choices

We are processing your personal information on behalf of a site that has a Gallagher Command Centre access control system. If you do not register using our App, or if you delete the App or the credential, then you will not be able to use your device to access their site. To stop receiving notifications from a particular site, or for questions or complaints about your personal information, please contact the site that invited you.

5. Cookies, Web Beacons and Other Technologies.

Wherever possible, we have disabled tracking by Google & Apple in The App.

6. Cross-Border Transfers

We use cloud services from Amazon AWS on computer systems hosted in Australia, for which we rely on Standard Data Protection Clauses (Article 46 GDPR) to confirm the appropriate safeguards.
We also use cloud services from Apple and Google on computer systems hosted worldwide, for which we rely on a variety of legal mechanisms, including contracts and EU-US Privacy Shield.

7. Data Retention

Data retention on Gallagher Cloud Services
Your name	Not collected
Your email address	Deleted following registration of your credential	3.5.1
Your phone number	Deleted following registration of your credential but not retained longer than the number of days, set by the site administrator (default 7 days)	3.5.1
Log data from the reader to the site's Command Centre server	Are stored by your site administrator and are not collected or stored by this App	3.5.2.1
Location	Not collected but is required to be activated on your device for Bluetooth service to work	3.5.2.2
Log data (on device)	Only stored on your device	3.5.2.3
Your Messages	Pass through Gallagher Cloud Services on the way to your device and then deleted, however may be temporarily stored until you activate the Gallagher Mobile Connect App	3.5.3
Telemetry data	We store only the most recent copy of this information in the cloud, and we do not store history of your connections over time	3.5.4
IP address	Although your IP address is sent, we do not store it	3.5.4

 

8. Information Security

Gallagher takes cybersecurity seriously. We intend to protect your personal information and to maintain its accuracy. Gallagher implements reasonable physical administrative and technical safeguards (such as system monitoring and encryption) to help us protect your personal information from unauthorised access, use and disclosure. We restrict access to your personal information to those employees who “need to know” it to provide services to you. In addition, we train our employees about the importance of confidentiality and maintaining the privacy and security of your information. We commit to taking appropriate disciplinary measures to enforce our employees' privacy responsibilities. We also require that our suppliers protect personal information from unauthorised access, use and disclosure.

Data stored on the Gallagher Command Centre server for a site is under control of its Security Administrators, and subject to any security and privacy policies those Administrators apply. It is not accessible by Gallagher or other third parties affiliated with Gallagher.

9. Complaints

In many countries, you have a right to lodge a complaint with the appropriate privacy or data protection authority if you have concerns about how we process your personal information.

We aim to resolve complaints quickly and informally. If you wish to proceed to a formal privacy complaint, we will need you to make your complaint in writing to our Privacy Officers, as above. We will then acknowledge your formal complaint within 10 working days.

If you are not satisfied with the responses from your site or from us you may contact the appropriate national privacy authority.

Note: under GDPR, our nominated contact in Europe is the Regional Manager of Gallagher Security (Europe) Ltd in the UK, whose supervisory authority is the Information Commissioner’s Office (http://www.ico.org.uk).

10. Changes and Updates to this Privacy Statement.

This Statement is effective from 1 October 2018 and supersedes all previous notices or statements regarding our privacy and data protection practices and the terms and conditions that govern the use of Mobile Connect.

The previous version of this Statement is available at Revision 1.0 - September 2018

We recognise that privacy and data protection is an ongoing responsibility, and so we review this Statement regularly and will update it from time to time as we undertake new practices or adopt new policies.

You should check our website frequently to see the current Statement that is in effect and any updates we have made. We reserve the right to amend our Privacy Statement at any time, for any reason, without notice to you, other than posting the updated version on our website.