The document explains the personal data we collect, how and where we may use it, how we protect it, who has access to it, with whom we share it, and how you may correct it.
Bitdefender may collect personal information from its users from its Home Solutions in three different ways:
- when you use Bitdefender products it is possible to share with us some technical details, such as data for identifying the device (UUID), the infected URL you reported or an IP addresses. If you use a Bitdefender product that integrates with your email server, some technical data of the infected files could be send to us, including data such as sender, recipient, subject or attachment. In most cases, these technical data may not lead to your direct or indirect identification, but in some very specific cases computer specialists might be able to identify a specific user. Therefore, we treat all such information as personal data and protect it as such.
This information is solely used for the purpose of information and network security by correct and efficient operation of the products and services, according to the technical specifications, and their improvement, including by analyzing the reported security issues. This includes delivering and customizing related services. Also, we may use this information for statistical purposes and improving the quality of our products.
The legal basis for processing these data is performance of a contract to which the data subject is part of.
These data are is being stored for a limited period, depending on its usefulness for the current information security needs. Based on the current speed of technology, we will not need them for over 10 years from the day of the collection.
As a leader in information security services, confidentiality and data protection are of vital importance for us. Access to the collected personal data is restricted only to Bitdefender employees and data processors that need access to this information. All Bitdefender information security policies are ISO 27001 certified.
Bitdefender may use other IT companies to process the collected personal data. These companies are considered data processors and have strict contractual obligations to keep the confidentiality of the processed data and to offer at least the same level of security as Bitdefender. Data processors have the obligation not to allow third parties to process personal data on behalf of Bitdefender and to access, use and/or keep the data secure and confidential.
Bitdefender may host personal data in Romania, Ireland, as well as in European Union or any other jurisdiction which offers adequate level of personal data protection according to European Union standards, including companies that are certified under the US-EU Privacy Shield program.
Due to confidentiality obligations and security requirements the specific information regarding the name and details for each processor used will be provided only to competent authorities.
The following types of data processor are being used:
All our data processors in US are certified in the US-EU Privacy Shield program.
Access to certain sections of Bitdefender websites is protected by a username and password. We recommend not to reveal this password. Bitdefender will never ask for your account's password via any kind of messages or phone calls. We advise not to disclose your password to anyone asking you to do so. If possible, we also recommend to log out of your online services account after each session. We also advice to close the browser window after navigating or using Bitdefender services.
Unfortunately, transferring data over the Internet cannot be 100% secure. Consequently, despite our efforts to protect personal data, Bitdefender cannot assure or guarantee the security of the information transmitted by the user until the information is on our servers. Any information you transmit is done on your own risk.
When you create an account on Bitdefender websites or for one of our services, a confirmation email with your account details will be sent. The confirmation email will be sent to the email you supplied and it may describe the ways in which you can modify or delete the account you created. We advise you to keep this confirmation email since it contains useful information regarding access to our services. Any requested modification will be solved in maximum 15 days from when the written request of the user has been received.
Some Bitdefender products include a parental control option. If you buy such products or activate this option you have the possibility to monitor your children's activity and to restrict access to certain applications, websites or Internet services. This is only possible on supported devices (for example computers or phones) for which you have installed and activated Bitdefender.
The parental control services option settings are managed from the web interface through which you access your Bitdefender account (known as Bitdefender Central). More details regarding the functionalities of this product are available on our dedicated webpage.
Before you can activate the parental control services, Bitdefender will ask certain data for creating a profile – name, age and sex of the person. The name will be used exclusively for device identification purposes and you do not have to give your child's full name. Age and sex are necessary only for determining the default level of online protection offered by this product, which can be also later changed or configured by the account administrator.
Where this Bitdefender parental control product is installed and an active profile is associated with the device, Bitdefender may collect, exclusively for the purpose of providing parental control services, including for display in the parent’s account, detailed information about the use of the device such as: visited websites, search engine keywords, used applications and software, phone contacts, social media monitoring and geo-localization information.
Some Bitdefender parental control products – such as ones that include cyberbullying-prevention features - may check social media text and images in conversations of your children and may collect stored images and videos. We do that only to inform the parents that some activities are suspected to be dangerous, without sharing your children’s conversations with the parents. We employ privacy-enhancing technologies, so that we do not receive full images from the conversations, and we delete or anonymize private text conversations in a maximum of 2 hours after a conversation has ended. In certain jurisdictions, including the United States, we collect data for cyberbullying-prevention research from parental control products with or without an active cyberbullying-prevention subscription; parents may opt out from such data collection in the product control panel. We are constantly researching how to improve our technologies in order to meet the scope of the technology (flag suspicious content), and to reduce any kind of information being sent to us, by including all detection technologies in the device of the user.
The collected information depends on the settings configured by the parent in Bitdefender Central. The only purpose of collecting this data is reporting to you, the parent. We do not use children information for their identification or monitoring Internet access by us.
We do not transmit to third parties the above mentioned information for marketing purposes or any other information which could lead to identifying your children.
When processing this data from your children's device, Bitdefender acts as a technical intermediary. Therefore, the responsibility of a notice to your children regarding the installation of this software and the way the personal data is processed is exclusively up to you. You are the only one who may activate this option and specify which type of personal information you wish to be collected.
The Bitdefender account owner has administration rights for Bitdefender products and services which includes parental control services. As such, he/she has full responsibility in assuring that he/she can undertake the surveillance activity from a legal point of view and that he/she has the right to know the location, to block the content or applications from that device. Therefore, we recommend to activate the parental control service exclusively on your minor children's devices or where you have the legal right to do so, based on the applicable law. We inform you that any illegal monitoring of online behavior or communications may be a crime. We do not recommend activating parental control services on devices used by persons who are over 16 years old, or otherwise in circumstances in which use of the parental control services is illegal.
As described and agreed by the Terms and Conditions for access to Bitdefender Premium Services, these services can’t be performed unless we have access to your devices. Thus depending on the services selected, Bitdefender may choose to provide the Premium Services using the following delivery channels: phone, live chat, email or remote access to your computer. During the delivery of the Services, Bitdefender may, at its sole discretion and without any obligation, capture in different forms (such as, but not limited to: voice recording, video recording, screen recording, written recording, database monitoring) the Services sessions for the purposes mentioned below.
In order to ensure and avoid any liability issues on our interaction with your devices, we must record all interactions for providing the Premium Services between our staff and these devices. We do this specifically to protect you and/or Bitdefender or its staff for any possible mismanagement in relation with your devices or your data. Please note that we may not provide the Services if you don’t accept these recordings.
You will be properly informed whenever we start a recording and it will always stop when we disconnect from your devices.
The purposes of these specific data processing activities (recording the interactions between our staff and your devices) are to prevent liability issues from any contractual party for these services and to ensure services improvement, including quality assessments.
The legal basis for this processing is legitimate interest of our users and of Bitdefender & its staff, based on Art 6 (1) f of GDPR. These data are being stored for a limited period – usually for maximum 12 month from the date of the communications, unless legal proceedings or liability issues are being raised on these communications in which case they will be stored until the end of such proceedings.
When you are using Bitdefender Digital Identity Protection service, whether or not you are using only this service or along with an anti-malware Product, we may collect additional data for the following purposes:
For the Onboarding and Continuous Identity Monitoring within the Bitdefender Digital Identity Protection service we will ask you to provide a name, an e-mail address and a phone number. Bitdefender Digital Identity Protection first searches for personal information in public records to start mapping your digital footprint. The system correlates all pieces of information linked to your identity and checks whether they has been exposed in a data breach, on the public Internet or on the Dark Web and we provide you with information such as e-mails or phone numbers used by you correlated with the data you provided or other information correlated with your identity such as name, gender, date of birth, email addresses, phone numbers, addresses, usernames, jobs, education, URLs, references to public photos.
For detection of Social media impersonation, Bitdefender Digital Identity Protection monitors 25 social media networks to detect if someone has created an account pretending to be you. At the first signs of impersonation, you will receive the link to the suspicious profile and recommended instructions on how to report or remove it from that social media network.
For any breach of your data, Bitdefender Digital Identity Protection will alert you of the findings and will be advised on steps to take to reduce the risks of account take-over and new account fraud. Such findings may be references regarding e-mail, password, address, phone number, SSN, credit cards, travel documents, criminal records and medical records – without displaying the value of such data; we do not store or process this information, only the references to potential data breaches. Bitdefender Digital Identity Protection will show you all the sources where this data is linked to your identity.
In order to interrogate the PIPL database, we use name, e-mail address and phone number. We also send the remediation actions when the user selects an action to remediate and digital footprint data validation. For example, in a breach we will display you the action to change the password for the breached account. Should you click on the respective link/button, we will register only that a change password action was taken and this information is sent to PIPL. This process allows us to adjust the digital footprint we have provided you in the Bitdefender account and make sure we do not send multiple alerts if the situation has been resolved.
We store the received information from PIPL in order to display to you the status of Your information and to be able to properly notify or give you instant alert if a change regarding your Digital footprint has occurred or a data breach in which your are involved. Each time a new information appears, we will display it in the Digital Identity Protection section of your Bitdefender Account.