Privacy & Cookies Policy

Effective date: September 1, 2021

Who are we?

This Privacy & Cookies Policy applies to the website of Stichting Avast (known as Avast Foundation) with its official seat in Amsterdam, the Netherlands and its registered office at Databankweg 26, 3821AL Amersfoort, the Netherlands, registered with the trade register of the Dutch Chamber of Commerce under number registration No. 862110592 (collectively as “we,” “us” or “our”), which is in a position of a controller of personal data with respect to the purposes listed below.

What are the processing purposes?

The main purpose for processing personal data is to help us achieve our mission, which is the empowerment of digital citizens across the globe, by giving them the tools and skills to be safe and free online. 

To achieve our goals, these are the specific purposes for which we process personal data:

  • providing funds to our partners or co-funding programs with partners, including onward granting
  • sending newsletters to our subscribers
  • operating this website
  • ensuring compliance with legal obligations
  • establishing, exercising or defending our legal rights

What are the legal bases for processing?

Data processing within the purposes listed above is based on:

  • contract if you want to become our partner, or our legitimate interests if you want to receive funding within onward granting
  • consent if you subscribe to our newsletter
  • consent if you want to allow us to use cookies when you visit our website
  • our legal obligation if we need to process personal data to ensure compliance
  • our legitimate interests if we want to establish, exercise or defend our legal rights

In cases where the processing is based on your consent, such consent is always voluntary and free and we will not in any way force you to give such consent. Processing will not take place in any case without your consent. You can withdraw your consent at any time and we will immediately stop processing based on it. However, withdrawal of consent does not affect lawfulness of processing before the withdrawal.

In cases where the processing is based on legitimate interests, you have the right to object to such processing on grounds relating to your particular situation. It is our responsibility to assess whether there are sufficient grounds for continuing processing and to inform you about this.

What data and what means do we use when processing personal data?

  • If you are our partner, we process your identification, contact and other data necessary for funding you. Unless otherwise stated, the aforementioned data are necessary for the purposes set forth above and no contractual or other similar relationship can be established with us without providing them. If any data is optional, we will notify you.
  • If you are an onward partner (partner of one of our partners), we process your identification, contact and other data necessary for verifying whether the funding terms have been met.
  • If you are a subscriber to our newsletter, we process your contact details to be able to send you our newsletter.
  • If you are a visitor of our website, we process cookies which are strictly necessary for functionality of our website. If you grant us your consent, we will also process preference, performance and marketing cookies. See all cookies we use in the cookies tables below.

Scope of data processed for the purposes of compliance with our legal obligations and establishing, exercising or defending our legal rights depends on the circumstances of the specific situation. 

How do we handle the data?

We carry out processing manually and automatically using various applications and software, especially those that help us in our activities and without which we would not be able to do it.

We do not engage in any automated individual decision making and profiling.

Whom can we transfer the data to?

We may transfer personal data to the following categories of recipients:

  • service providers, such as professional consultants, cookie providers or software suppliers
  • public authorities if required under applicable law

If we disclose your personal data, we require its recipients to comply with adequate privacy and confidentiality requirements, and security standards.

If we decide to transfer some or all of our activities to another person, then your personal data may be included in such transfer to the extent they relate to the transferred activity. The same would apply if we were required to make such a transfer under applicable law.

Where can the data be processed?

Your personal data may be transferred for processing within the EU and the European Economic Area. In accordance with the law, we may also transfer personal data to countries outside the EU / EEA, but only if the third country or international organization ensures adequate level of protection or if we provide appropriate safeguards that the data will be handled in accordance with the law.

How long do we keep the data?

We process personal data only as long as necessary for each of the purposes:

  • providing funds to our partners - lifetime of the contract or as long as we have a legal obligation to do so
  • sending newsletters to our subscribers - until you unsubscribe
  • operating this website - as long as indicated in the cookies table below
  • ensuring compliance with legal requirements - as long as we have a legal obligation to do so

What are your rights?

You have the right to be informed about the processing of your personal data, to get your inaccurate data rectified, to get your data erased especially in case of unlawful processing or when the purpose of processing ceased to exist, you have the right to restrict the processing, the right to object to the processing based on legitimate interests, including direct marketing, the right of access to data (copy of data), right to data portability and right to file and complaint with supervisory authority - you can find contact details of the supervisory authority in your country of residence here: https://edpb.europa.eu/about-edpb/board/members_en.

If we send commercial communications to you, you can always opt out of such communications through the link provided in our messages or by a direct request to our contact points.

Where requests we receive are manifestly unfounded or excessive, in particular because of their repetitive character, we may either: (a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or (b) refuse to act on the request.

For requests and questions regarding personal data please contact privacy@avast.foundation, or reach us at the address of our seat indicated in the header. 

What security measures do we apply?

To protect your privacy, we have implemented the following measures:

  • User access control management – access limited to authorized persons who know the rules of processing of personal data and are bound by confidentiality (the “principle of least authority”)
  • Separation from other data – separation of personal data from other information, separation of data processed for other purposes, separation of data processed for different subjects
  • Password-setting rules – the introduction and regular change of access passwords to the computer system in which the data are processed, while observing the rules for creating sufficiently strong passwords
  • Minimization of processed data – only the necessary data is processed, data processed only for the necessary time to fulfill the purpose of processing
  • Software updates, Patch management
  • Device security (PC, notebook, mobile phone, etc.) – including appropriate encryption
  • Network security – including matching encryption 
  • Website security – including matching encryption 
  • Backup in a separate location – where the processor operates systems on its devices, it shall be able to provide, in the event of an incident, data recovery from the operational backups without undue delay
  • Testing, audits, evaluating and improving the effectiveness of measures
  • Security of the premises where personal data are located and stored (lock, lockable cabinets, security systems and camera records)
  • Access controls of persons entering the organization’s premises
  • Controls of personnel access to key IT spaces
  • Restricting access to physical documents and archives
  • Data security at the workplace (Clean table and blank screen policy)
  • Training of employees and contractors
  • Internal guidelines, directives or other binding provisions concerning the processing of personal data (information security, information classification, management of security incidents)

Cookies Tables

On this website, we use the following cookies: