Privacy
Everything you'd like to know about your data and how it is being used
All devices that have either the XFA Web Extension, XFA Desktop Application or the XFA Mobile App installed will send their device status to the XFA servers, identified by a unique device ID.
The device status includes the checks as seen in the interface and varies from device to device, but may include information such as OS version, disk encryption status, available updates, ...
Only when a user accepts an invitation by an organization will this device ID be linked to the email address on which they were invited.
Organization administrators that use the XFA Dashboard will also have to submit basic details of their organization alongside creating an account with username & password.
When an organization administrator connects "Discovery" with their Microsoft or Google account, XFA will collect device information from sources such as registered devices, sign-in logs, and active sessions along with some user metadata such as groups in the respective organizational account. This device data will be linked to the company email address of the user, similar to the information collected from the device.
Currently all applications send the device status regardless if a user is added to an organization. This information is used for general user statistics & optimization of the XFA ecosystem.
The device status is locally available by the user at any time. When a user is a added to an organization, the device status will also be available to the administrators of that organization, identified by the email address on which they were invited.
Organizational data are used for billing purposes.
At no point will any device information of either a user or organization be shared without prior permission.
Billing information and administrative details (invoices, contact information, ...) will be kept as long as required, as instructed by the law of Belgium (which is the operating country of XFA BV).
Individual device information will remain in the system unless requested to be deleted with the device ID and corresponding token. This information guarantees we can support devices that are offline for a long time & maintain accurate statistics. Organizational statistics will be deleted when the account has been deleted.
The origin of all website visits (e.g. Social Media, Google Search) is anonymously tracked to optimize our marketing efforts. Additionally, we track both the page views and duration of a website visit when consent is provided through the marketing banner (shown when first visiting our site). When a user provides their name or email address on our website (for commercial or marketing purposes), this information will be linked.
We might also collect emails for marketing purposes at (online) events (e.g. Conferences, LinkedIn Live). Marketing or commercial communication based on legitimate interest might also include tracking (e.g. tracking pixel, tracked links) to minimize spam and optimize the content of the communication.
We do not share this information with any third parties unless specified otherwise (e.g. co-organizers of events, product partnershups, ...) events). You can opt-out at any time with the 'unsubscribe' link at the bottom of the email or by contacting us at [email protected]
XFA has been founded by privacy-aware security professionals & built from the ground up with privacy and security by design in mind. Modern development & infrastructure practices have been adopted such as the principle of least privilege, encryption (both at rest and in transit) and a layered security model. These practices guarantee that the highest level of availability, confidentiality & integrity is kept at all times.
Development of XFA is based in Belgium and data is stored on Amazon Web Services (AWS) in the Ireland region. At no point will we move any data without prior disclosure of planning so.
Any questions or requests can be sent to [email protected]
More information can be found in our terms and conditions