Privacy Policy

Privacy Policy (Including EU GDPR provisions)

ePRINTit™ is committed to respecting your privacy through the protection of your personal information. When we collect your personal information, you can be confident that we handle and store it in a secure manner to protect your information from unauthorized access or disclosure. We only collect your personal information for the purposes specified in this Privacy Policy, and we will not sell your personal information to others.

Our postal address is ePRINTit™, 7820 S Quincy Street, Willowbrook IL 60527

We can be reached via e-mail at [email protected] or you can reach us by telephone Toll Free in NA | (877) 494-0443

Nothing in this Privacy Policy, or otherwise, will create, or add to, any right or claim (whether legal, equitable or otherwise) that any individual or person may have at law, or otherwise, against any of the ePRINTit’s™ respective directors, officers, employees, agents or representatives; nor will the existence of this Privacy Policy or its application impose any obligations or liability upon ePRINTit™ Representatives, or add to any such obligation or liability, that ePRINTit™ Representatives do not already otherwise have to any individual or person at law or otherwise.

This Web site Privacy Policy may be updated from time to time so please check back periodically.

External Links Disclaimer: In some cases, we link to other sites created and maintained by other public and/or private sector organizations. We provide these links solely for your information and convenience. When you link to an outside Web site, you are leaving the ePRINTit™ Web site and our information management policies no longer apply.

Your Consent 

BY SUBMITTING PERSONAL INFORMATION TO ePRINTit™ VIA OUR WEB SITE for SUPPORT or a request for MORE INFORMATION, YOU CONSENT TO OUR COLLECTION, USE AND DISCLOSURE OF SUCH PERSONAL INFORMATION FOR THE PURPOSES DESCRIBED IN THIS PRIVACY POLICY AND AS PERMITTED OR REQUIRED BY LAW.

Subject to legal and contractual requirements, if you requested online information from our website, you may opt out of receiving future communications from ePRINTit™ Representatives by opting out or selecting UNSUBSCRIBE in any email marketing you may receive or by calling (877) 494-0443 and asking for assistance on how you may opt out of receiving online communications. Your personal information may be retained in the database to ensure that we honor your privacy requests to opt out of certain communications, for record keeping purposes, for internal research and analysis, and the other purposes described in this Privacy Policy. To be completely removed from all databases, send a request from your registered email address to [email protected] and indicate in your email header line that you wish to have your contact information completely removed. If you provide us with personal information concerning another individual, you represent and warrant that you have all necessary authority and/or have obtained all necessary consents from such individual to enable us to collect, use and disclose such personal information for the purposes set forth in this Privacy Policy.

What information do we collect?

When you browse or download information from the ePRINTit™ Web site, our servers automatically collect limited amounts of standard information for traffic monitoring and statistical purposes. The information is analyzed for operational trends, performance, and for ways to improve our site. ePRINTit™ cannot identify you from this information. Example information includes but is not limited to: Internet Protocol (IP) addresses of the computers being used to access our site; the operating systems and the types and versions of browsers used to access our site; the Internet Service Providers used by visitors to our site; the dates and times users access our site; the pages visited; and the names and sizes of files requested.

In addition to this anonymous information, ePRINTit™ may also collect information that is about an identifiable individual, referred to within as personal information. Personal information includes information that tells us specifically who you are. When viewing our web site, you may be asked to enter your name and e-mail address regarding a request for more information from us or for support. You are providing us with this information willingly so you can be properly supported by our staff.

You can access our Web site home page and browse public pages of our site without disclosing your personal information.

Where we provide the Services under contract with an organization (for example, your employer or school or library), that organization controls the information processed by the ePRINTit SaaS Services. This policy does not apply to the extent we process personal information in the role of a processor on behalf of such organizations.

This policy also explains your choices surrounding how we use information about you, which include how you can object to certain uses of information about you and how you can access and update certain information about you.  If you do not agree with this policy, do not access or use our Services or interact with any other aspect of our business. 

Note: If at any time you receive an email from us promoting our services, we include detailed unsubscribe instructions at the bottom of each e-mail.

Children

The ePRINTit™ Web site is a general audience site which is neither designed nor intended to collect personal information from children who are under the age of 13. In order to ensure compliance with the provisions of the Children’s Online Privacy Protection Act (COPPA), children under the age of 13 should not provide any personal information to this site. We request that parents and guardians supervise their children’s online activities.

Data Collection and Usage – Specific GDPR Privacy Policy

Corporate Accounts:

For corporate accounts using Identity Providers (IDPs) and Single Sign-On (SSO) solutions, ePRINTit does not access users’ personal information or documents.

All documents sent to our solution for processing are automatically destroyed based on the company’s administrative settings, configurable from 0 to 7 days.

During this period, documents remain encrypted and inaccessible to anyone, including ePRINTit staff.

Public Solutions:

For ePRINTit public solutions used in libraries or hotels, we do not collect any personally identifiable information (PII).

Accounts are free, and no private information or mobile app download is required.

Mobile Apps:

For users of our iOS and Android apps connected to a company, the personally identifiable information is controlled by the respective company or organization, not by ePRINTit.

Data Security and Retention

Documents processed through ePRINTit are encrypted and automatically destroyed after the retention period set by the company’s admin. We do not store any client private information, including email addresses.

Payments are processed through PCI-DSS certified payment gateways contracted by the respective company providing our SaaS services. We provide these APIs as a conduit to these certified payment providers. These payment gateways may include those companies that manage wallets for an organization (account balance management), such as CBORD or Atrium. ePRINTit only receives tokens from these services that simply allow or disallow a transaction, and we have no access to account balances or funds.

User Rights

Under GDPR, users have the following rights:

Right to Access: Users can request access to their personal data.

Right to Rectification: Users can request corrections to inaccurate data.

Right to Erasure: Users can request the deletion of their data.

Right to Restrict Processing: Users can request the restriction of their data processing.

Right to Data Portability: Users can request their data in a structured, commonly used format.

Right to Object: Users can object to the processing of their data.

Data Protection Officer

For any questions or concerns regarding this Privacy Policy or data protection practices, please contact our Data Protection Officer at [email protected]. Use the subject line "Privacy Officer Request".

What are “cookies” and does ePRINTit™ use them?

A cookie is a small text file containing a unique identification number that is transferred from a Web site to the hard drive of your computer. This unique number identifies your browser, but not the individual, whenever you visit the ePRINTit™ Web site. These cookies will not let a Web site know any personal information about you, such as your name and address. Since these cookies are only text files, they cannot run on your computer, search your computer for other information or transmit any information to anyone. Cookies are used on many major Web sites. Many browsers are initially set up to accept cookies. If you prefer, you can reset your browser either to notify you when you have received a cookie, or to refuse to accept cookies.

To help serve you better, ePRINTit™ uses two types of cookies: session cookies (temporary) and persistent cookies (longer-term continuing use). Session cookies are used to support forms, registration and shopping cart information. They are used only during your online session and expire when you close your browser. Without session cookies, navigating around our Web site would be less convenient. Persistent cookies are stored on your computer’s hard drive for some length of time. They are usually used if you want us to remember information about your Web preferences (e.g. language preference).

Does ePRINTit™ share the information that is collected?

Your information will only be disclosed when legally required to do so, at the request of governmental authorities conducting an investigation, to verify or enforce compliance with the policies governing our Web site and applicable laws or to protect against misuse or unauthorized use of our Web site.

ePRINTit™ does not sell, rent or lease customer lists generated through the ePRINTit™ Web site to third parties. Documents sent to the ePRINTit™ service are automatically destroyed in a 7-day expiry/destruction cycle in their encrypted form and can never be disclosed. Importantly, neither ePRINTit nor any third party possesses the ability to decrypt user documents.

If Customer orders Services via Reseller, Reseller may have Administrator access to Customer’s Account and Customer’s End User Accounts.  As between ePRINTit™ and Customer, Customer is solely responsible for: (i) any access by Reseller to Customer’s Account or Customer’s End User Accounts; and (ii) defining in the Reseller Agreement any rights or obligations as between Reseller and Customer with respect to the Services. Resellers have no access to Customer documents, stored data, credit/debit card information and are only provided with such information required to monitor their sales and customer service obligations with end user Customers and Partners.

How can you access, edit or delete your information?

In the case of an organization that has contracted our services and is using ePRINTit with a higher-authentication IDP solution, such as an SSO solution connected to a Microsoft account or others, we have no visibility of or access to your account or any information related to you. Any request for removal of this information is handled by your company or organization, and requests should be directed to them.

What kinds of security procedures are in place to protect against the loss, misuse or alteration of your information?

ePRINTit™ has significant security measures in place to attempt to protect against the loss, misuse and alteration of your user data under our control. ePRINTit™ keeps such information in secure facilities, protected from unauthorized access, encrypted at 256bit RSA and using TLS 1.2/3 for encrypted movement of data, and kept only as long as is reasonably required. Only persons who have a need to know your personal information for the purposes described in this Privacy Policy have access to the user data you choose to provide to the provider of the ePRINTit Service (your company or institution). ePRINTit™ has imposed strict rules on ePRINTit™ employees who may have access to the databases in which we manage user personal information or to the cloud servers that host our services. While we cannot guarantee that loss, misuse or alteration of data will not occur, we make reasonable efforts to prevent such occurrences. ePRINTit™ is not liable for any use or disclosure of your personal information that is beyond our reasonable control.

ePRINTit™ takes the security of its Web site and the personal information supplied by customers, resellers and distributors very seriously. Unauthorized actions against the ePRINTit™ Web site will be investigated. ePRINTit™ reserves the right to take legal action against offenders.

ePRINTit™ Cloud Platform: Specific GDPR Privacy Policy

Obligations of ePRINTit™

ePRINTit™ agrees and warrants:

  1. that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the Data Exporter is established) and does not violate the relevant provisions of that State;
  2. that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on ePRINTit™ behalf and in accordance with the applicable data protection law and the Clauses;
  3. that ePRINTit™ will provide sufficient guarantees in respect of the technical and organizational security measures specified in its product specification sheets available at https://eprintit.com/resources/;
  4. that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
  5. that it will ensure compliance with the security measures;
  6. that, if the transfer involves special categories of data, the Data Subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
  7. to make available to the Data Subjects upon request a copy of the Clauses, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
  8. that, in the event of sub-processing, the processing activity is carried out by a Sub-processor providing at least the same level of protection for the personal data and the rights of Data Subject as the Data Importer under the Clauses; and
  9. that it will ensure compliance with Clause (a) to (i).

Obligation after the termination of personal data processing services

  1. The parties agree that on the termination of the provision of data processing services, ePRINTit™ and the Sub-processor shall, at the choice of the Data Subject, return all the personal data transferred and shall destroy all the personal data and certify to the Data Subject that it has done so, unless legislation imposed upon ePRINTit™ and the Sub-processor prevents it from returning or destroying all or part of the personal data transferred. In that case, ePRINTit™ and the Sub-processor warrant that they will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
  2. ePRINTit™ and the Sub-processor warrant that upon request of the Data Subject and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

Processing operations

The personal data transferred will be subject to the following basic processing activities:

  • Scope of Processing. The Clauses reflect the parties’ agreement with respect to the processing and transfer of personal data specified in this Appendix pursuant to the provision of the Services. Personal data may be processed only to comply with Instructions (as defined in the Data Processing and Security Terms).
  • Term of Data Processing. Data processing will be for the period specified. Such period will automatically terminate upon the deletion, by the End User Data Subject or automatically by ePRINTit™ as specified within the client’s Mobile App or Web Portal, of all data as described.
  • Data Deletion. During the term of the Services Agreement, ePRINTit™ will provide its Partners with the ability to delete the Data Subject’s personal data from the Services in accordance with the Services Agreement. After termination or expiry of the Services Agreement, ePRINTit™ will delete the personal data in accordance with its Security Terms.
  • Sub-processors. ePRINTit™ may engage Sub-processors to provide parts of the Services. ePRINTit™ will ensure Sub-processors only access and use personal data to provide the Services and not for any other purpose.

  1. Network Security.
    1. Data Centers.

At ePRINTit, we take security seriously. Our cloud-based solution, hosted with 100% microservices architecture, prioritizes data protection, regulatory compliance, and user trust. We rigorously evaluate our authentication methods to prevent unauthorized access, implement fine-grained access controls, and use encryption in transit and at rest to safeguard sensitive information. Our mobile apps employ strong authentication mechanisms, and all data transmitted between the mobile app and our cloud services is encrypted. Additionally, we assess third-party integrations for security risks and ensure compliance with industry standards and data protection laws.

Infrastructure. ePRINTit™ maintains geographically distributed data centers in Amazon Web Services (AWS) in a micro-services environment. ePRINTit™ stores all production data in physically secure data centers in an encrypted form 256bit SHA2. No sub-processor or third party has access to this data other than what we permit.

Redundancy. Infrastructure systems have been designed to eliminate single points of failure and minimize the impact of anticipated environmental risks. The Services are designed to allow ePRINTit™ to perform certain types of preventative and corrective maintenance without interruption.

Business Continuity. ePRINTit™ replicates data over multiple systems to help protect against accidental destruction or loss. ePRINTit™ has designed and regularly plans and tests its business continuity planning/disaster recovery programs.

    1. Networks and Transmission.

ePRINTit utilizes a 100% microservice architecture built on AWS EC2 and Lambda. This architecture allows us to efficiently manage and secure data transmission and networking. Your data is transmitted over encrypted connections using industry-standard protocols (HTTPS) to ensure confidentiality and integrity. AWS network infrastructure is designed to be highly secure and resilient, with multiple layers of security measures in place. Lambda functions, which execute our microservices, operate within a secure environment provided by AWS, further protecting your data from unauthorized access.

Intrusion Detection. Intrusion detection is intended to provide insight into ongoing attack activities and provide adequate information to respond to incidents. ePRINTit™ intrusion detection involves:

      • tightly controlling the size and make-up of the Data Importer’s attack surface through preventative measures;
      • employing intelligent detection controls at data entry points; and
      • employing technologies that automatically remedy certain dangerous situations.

Incident Response. ePRINTit™ monitors a variety of communication channels for security incidents, and the Data Importer’s security personnel will react promptly to known incidents.

Encryption Technologies. ePRINTit™ uses HTTPS encryption (also referred to as SSL or TLS connection). ePRINTit™ micro-services architecture is supported with 256bit RSA key exchange signed with RSA and ECDSA. These perfect forward secrecy (PFS) methods help protect traffic and minimize the impact of a compromised key, or a cryptographic breakthrough. SHA-2 (Secure Hash Algorithm 2) is a set of cryptographic hash functions designed by the United States National Security Agency (NSA). They are built using the Merkle–Damgård structure, from a one-way compression function itself built using the Davies–Meyer structure from a (classified) specialized block cipher.

SHA-2 includes significant changes from its predecessor, SHA-1. The SHA-2 family consists of six hash functions with digests (hash values) that are 224, 256, 384 or 512 bits: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256.

  1. Access and Site Controls.
    1. Site Controls.

AWS security services like Amazon GuardDuty, Amazon Macie, and AWS Security Hub help identify potential security issues. AWS prioritizes security through encrypted data storage, network security, and continuous monitoring. Data security measures include encryption, isolated backups, and the use of AWS Nitro System for storage confidentiality. For more information on AWS Security operations, please visit: Cloud Security – Amazon Web Services (AWS).

Internal Data Access Processes and Policies – Access Policy. ePRINTit’s™ internal data access processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process personal data. ePRINTit™ designs its systems to: (i) only allow authorized persons to access data they are authorized to access; and (ii) ensure that personal data cannot be read, copied, altered or removed without authorization during processing, use and after recording. The systems are designed to detect any inappropriate access. ePRINTit™ employs a centralized access management system to control personnel access to cloud production micro-services, and only provides access to a limited number of authorized personnel. LDAP, Kerberos and a proprietary system utilizing SSH certificates are designed to provide ePRINTit™ with secure and flexible access mechanisms. These mechanisms are designed to grant only approved access rights to site hosts, logs, data and configuration information. ePRINTit™ requires the use of unique user IDs, strong passwords, two factor authentication and carefully monitored access lists to minimize the potential for unauthorized account use. The granting or modification of access rights is based on: the authorized personnel’s job responsibilities; job duty requirements necessary to perform authorized tasks; and a need to know basis. The granting or modification of access rights must also be in accordance with ePRINTit™ internal data access policies and training. Approvals are managed by workflow tools that maintain audit records of all changes. Access to systems is logged to create an audit trail for accountability. Where passwords are employed for authentication (e.g., login to workstations), password policies that follow at least industry standard practices are implemented. These standards include restrictions on password reuse and sufficient password strength. 

For access to extremely sensitive information (e.g., credit card data), the Certified Payment Gateway (PCI-DSS Certification) Data Importer uses hardware tokens, and neither ePRINTit nor its sub-processors have access to this data. This is audited by payment gateway companies to ensure we have no access to client credit card information.

  1. Data.
    1. Data Storage, Isolation and Logging.

In our 100% microservices architecture, we leverage AWS EC2 and Lambda to ensure robust and scalable operations. For data storage, we utilize Amazon S3 and Amazon RDS, providing secure, durable, and highly available storage solutions. Each microservice operates in isolation, facilitated by AWS IAM roles and security groups, ensuring that services only have access to the resources they need. This isolation enhances security and minimizes the risk of unauthorized access. Logging is handled through Amazon CloudWatch, which aggregates logs from all microservices, enabling real-time monitoring and troubleshooting. This setup ensures that we maintain high standards of data integrity, security, and operational efficiency.

Personnel Security.

ePRINTit™ personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. ePRINTit™ conducts reasonably appropriate background checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations.

Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, ePRINTit™ confidentiality and privacy policies. Personnel are provided with security training. Personnel handling customer data are required to complete additional requirements appropriate to their role (e.g., certifications). ePRINTit™ personnel will not process customer data without authorization.

  1. Sub-processor Security.

Before onboarding Sub-processors, ePRINTit™ conducts an audit of the security and privacy practices of Sub-processors to ensure Sub-processors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. Once ePRINTit™ has assessed the risks presented by the Sub-processor, the Sub-processor is required to enter into appropriate security, confidentiality and privacy contract terms.

  1. ePRINTit™ Cloud Data Protection Team.

ePRINTit™ Cloud Data Protection Team can be contacted at [email protected] (and/or via such other means as ePRINTit™ may provide from time to time). Subject line to include attention Cloud Data Protection.

  1. ePRINTit™ Google Data Use.

ePRINTit™’s use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

* Mandatory requirements of the national legislation applicable to the data importer which do not go beyond what is necessary in a democratic society on the basis of one of the interests listed in Article 13(1) of Directive 95/46/EC, that is, if they constitute a necessary measure to safeguard national security, defense, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others, are not in contradiction with the standard contractual clauses. Some examples of such mandatory requirements which do not go beyond what is necessary in a democratic society are, inter alia, internationally recognized sanctions, tax-reporting requirements or anti-money-laundering reporting requirements.

Update: November 24th, 2024 – We updated our Privacy Policy to the new GDPR compliance statements. We updated our Data Storage paragraph to reflect new methods and security. We updated our cloud services primary vendor to Amazon Web Services (AWS). We updated what personal data we receive because of the higher authentication services we are now able to provide our clients with, restricting our ability to access our client data.