This policy applies to CCleaner products and services. Please note, there may be clauses below that do not apply to your use of our website or services.
1. Our Policy’s Aims
1.3 Personal data refers to any information relating to an identified or identifiable natural person (“data subject”), where this identification can be made directly or indirectly, by means of identifiers such as your name, identification number, email address, phone number, online identifiers such as cookies in some circumstances, your location, your genetic, economic, cultural or social identity or other information that is specific to you.
1.4 We do not mean information that only refers to a business corporation or organization. We also do not mean information that has been "anonymized," either by removing or de-identifying all specific identifiers. Anonymous data is not personal data when the anonymization is irreversible. When we refer to anonymous data, we mean data that cannot be reversed into personal data.
1.5 As a data controller, we commit ourselves to protecting the privacy of our website visitors and users of our products and services with respect to the processing of your personal data.
Where we collect and process your personal data, we will limit the collection and retention to what is adequate, relevant and necessary for our purposes and it will be kept in a form which allows for your identification no longer than necessary for the purpose for which we process your personal data. We refer to this as data minimisation.
1.7 Where we store your personal data for longer periods for statistical purposes, as permitted, we will use appropriate safeguards. Applicable law defines ‘statistical purpose’ as any collection of personal data, where the result of processing is for aggregate data, so the personal data we collect from you is anonymized or pseudonymized. For example, the processing of your personal data may be for the business-related process of counting users, products, sales and various metrics. We also share statistical data that has been anonymized and aggregated geographically and so, cannot be used to identify individuals, with third parties for trend analytics.
1.8 Our policy provides you with the legal bases for the collection of your personal data, lets you know how long personal data is stored and the reasons why, and how in some circumstances, they are necessary to retain. The length of this retention and how you may choose to request that we delete some or all your personal data and the consequences of the deletion are explained in this policy.
1.9 Some of the legal bases we rely on are contractual and service necessity, consent, legitimate interests and compliance with legal obligations. .
1.11 We strive to keep the policy easy to understand and transparent, and so we refrain from technical information overload. If you wish to have further details on how we process your personal data, please contact us.
2. Talk to Us about Your Data
2.1 We try to ensure that the users of our products and services always have an open line of communication with us. You can contact us at any time if you have any questions, queries or requests about your personal data and, if European law applies to the processing of your data, about your right to request access to, modify, remove or export your data, or object to our processing of your data. You have the right to complain to supervisory authorities in your Member State should you feel your privacy has been breached, however we would appreciate it if you reach out to us first before you approach any supervisory authorities or courts. You may submit requests to us at email@example.com. We will action your request within one month of receiving a request from you concerning any one of your rights as a data subject. Should we be inundated with requests or particularly complicated requests, the time limit may be extended to a maximum of another two months. If we fail to meet these deadlines, we would, of course, prefer that you contact us to settle the matter informally.
2.2 We process your personal data where it is lawful and fair for us to do so. The legal bases we rely for processing your personal data are contractual necessity, consent, legitimate interests and compliance with legal obligations.
2.3 There could be instances where you are using our products or services, but we do not have your personal data, even though you have purchased our products or services. These include situations where you purchase our products from our service provider, a reseller, or an app store. Because your relationship in these cases is with that service provider, reseller or an app store, we do not actually have your personal data and will not be able to perform your request to access or delete your information. In such circumstances, please contact your service provider, reseller, or app store where you purchased the products or services, as this person is the primary controller of your personal data.
3.1 Online activities
Any personal data collected from you when you visit our websites or use our products or services
3.2 Phone contacts
Any personal data collected from you when you call us for sales, service, or customer support.
3.3 Offline contacts
Any personal data collected from you at a "live" or in-person event such as a trade show or promotion.
3.4 Reseller information
Any personal data, including contact information such as telephone number and email address, collected from our resellers or sub-resellers.
3.5 Other circumstances
Any personal data collected from you when you contact us by email or by clicking the "report a virus" link on our website or by requesting online service or support, or opening a support ticket, or through our media contact or news subscription services, or other occasions.
4.1 Third Party Sites
Clicking on a thumbnail or profile link on our "Community" pages
Submitting a search query
When you submit a search query via an app like AVG Secure Search or through Avast Secure Browser, you are indicating that you consent to having your search query and history transmitted to third party search providers and to being redirected to third party sites, where the privacy policies of the third parties apply
Third party links
Third party privacy practices
5. Disclosing Your Personal Data to Third Parties
5.1 Disclosure to third parties
We are required to disclose your personal data to unrelated third parties in limited circumstances:
where necessary to satisfy a legitimate government request or order;
in compliance to a legal requirement by a court of law or in the public interest;
in response to a third-party subpoena, if we believe on the advice of our attorneys that we are required to respond;
If we obtain your permission; or
If necessary to defend ourselves or our users (for example, in a lawsuit).
5.2 We are also required in a few limited situations to share our users' personal information with third parties. For example, if you request a specific service or product from us, and if that product or service is administered by a third party working for us, we may share your personal information with the third party to respond to your request. This third party may also transmit back to us any new information obtained from you in connection with providing the service or product.
5.4 We offer third party browsers to new users of certain products, such as our antivirus products. Whether you install the third party browser is in your discretion.
5.5 For certain mobile products, we offer third party ads. While we do not share your personal data with the ad network, data from your device including its IP Address, is used by the ad network to enable the delivery of the ads. If you do not want to view third party ads, you have the choice to change to a paid version of the product. If you are served a third party ad and you click on the ad, your data will be governed by the relevant third party whose ad you clicked on.
5.6 We reserve the right to store and use the information collected by our software. We may publish or share that information with third parties that are not part of the Avast Group, but we will only ever do so after anonymizing the data.
6. International Transfers of Your Personal Data
6.1 We are a global business that provides its products and services all around the world. In order to reach all of our users and provide all of them with our software, we operate on an infrastructure that spans the globe. The servers that are part of this infrastructure may therefore be located in a country different than the one where you live. In some instances, these may be countries outside of the European Economic Area (“EEA”), where the level of protection provided by the laws of these countries may be different than the high standard enshrined in the GDPR. Regardless, we provides the same GDPR-level of protection to all personal data it processes.
At the same time, when we transfer personal data outside of the EEA, we always make sure to put in place appropriate and suitable safeguards, such as standardized contracts approved by the European Commission, which legally bind the receiving party to adhere to a high level of protection, and to ensure that your data remains safe and secure at all times and that your rights are protected.
Situations where we transfer personal data outside of the EEA include provision of our products and services, processing of transactions and your payment details, and the provision of support services.
7. Sharing of Information Among Avast Entities
7.1 Our data collection and management practices do not vary by location. We follow the same “data minimisation” procedure with respect to all personal data in our possession, regardless of the jurisdiction from which it was collected, and regardless of whether the data is transferred from one member of the Avast Group to another.
7.2 We reserve the right to store and use the information collected by our software and to share such information among the Avast Group to improve our current and future products and services, to help us develop new products and services, and to better understand the behaviour of our users.
7.3 Any reference in this policy to “Avast Group” means Avast, its, direct and indirect, parent companies and any company that is, directly or indirectly, controlled by or under common control with Avast or its parent companies.
8. Storage, Retention, and Deletion of Your Personal Data
8.1 Storage of Information
We store information that we collect on our servers or on the servers of our subsidiaries, affiliates, contractors, representatives, contractors, agents, or resellers who are working on our behalf.
The data on our servers can only be accessed from our physical premises, or via an encrypted virtual private network (“VPN”). Access is limited to authorised personnel only, and company networks are password protected, and subject to additional policies and procedures for security.
8.2 Access by our contractors
We or our contractors, subsidiaries, affiliates, representatives, agents, or resellers who are working on our behalf undertake regular maintenance of your personal data. All third parties must agree to observe the privacy of our users, and to protect the confidentiality of their personal information. This means your personal data cannot be shared with others, and there must be no direct marketing by the third parties.
8.3 Retention and Deletion of Your Personal Data
We retain and delete the various types of personal data we collect in compliance with the legal requirement that personal data be kept in a form that permits identification of our data subjects for no longer than is necessary for the purposes for which the personal data is being processed.
We will not keep your personal data in a form that allows you to be identified for longer than reasonably necessary with regards to the purpose for which the information was collected. We will also anonymize and aggregate data to the extent possible.
In general, we strive to delete or obfuscate Internet Protocol (IP) addresses within 60 days when the purpose for which they were collected has been fulfilled. We may retain online identifiers, location data and other personal data for statistical purposes as permitted under applicable law.
We may also amend the personal data we keep in such a way that you cannot be identified, for example, by hashing. We may retain a “key” to the hashing, but we will securely store it separately from the hashed data.
We will only keep your personal data for additional periods following the expiration of the purpose for which we collected it when permitted as compatible for our legitimate interests or required by law, for example tax, contract, secrecy or criminal laws. Otherwise, your personal data will be automatically deleted from our system once the legal basis for the collection and processing has been fulfilled.
If you are an active paid user, we need to retain your personal data for mailing or billing purposes. If you subscribe to a recurring newsletter, we will keep your information to continue to fulfil your subscription request. In the case of Avast Forum, Support Portal, or Avast news and blogs, your account data is kept active until you delete it.
If you participate in a giveaway or promotion that we offer, we will retain your data long enough to administer the promotion, plus any additional time that is permitted or required by law.
For the purpose of licensing products that are registered on a periodic basis, we will keep your personal data on the legal basis of contractual necessity for as long as you are actively using the product and thereafter for legal compliance. Thereafter, your personal data will be deleted.
9. How You Can Request Deletion
For our paid and trial customers of products and services for your personal computer, and some free users with an Avast account, you will be able to log in to our GDPR portal with your email address, which will be verified, to request deletion of your personal data.
For other users of our free products and services, you may request Avast to delete your personal data by submitting a request ticket here. However, please note, if you have not registered your email with Avast before requesting deletion of personal data, we will not respond to you. We will not keep your email address if we do not have an email match in our system of registered users.
In some circumstances and to the extent permitted by law, for example, to provision the service or contract, for compatible use for our legitimate interests, under national tax, contract, criminal, or secrecy laws, we may retain your personal data despite your requests for erasure.
10. Effects of Request – How Long Before Deletion and Consequences of Deletion
10.1 Depending on what you request and how many requests we receive, it is possible for your requests to be actioned from within a day to three months. For example, paid, trial and registered customers may log-in to the GDPR portal to request a change of address and we will give effect to this typically within a couple days.
10.2 If you request the erasure of your data (“right to be forgotten”), we will generally action this within 30 days, which may only include a record in our system that once the legal basis for processing your personal data has been fulfilled, your personal data needs to be promptly deleted.
11. Data Security
11.1 Safeguards for protection of personal information
We maintain administrative, technical, and physical safeguards for the protection of your personal data.
11.2 Administrative safeguards
Access to the personal data of our users is limited to authorized personnel who have a legitimate need to know based on their job descriptions, for example, employees who provide technical support to end users, or who service user accounts. In the case of third-party contractors who process personal information on our behalf, similar requirements are imposed. These third parties are contractually bound by confidentiality clauses, even when they leave. Where an individual employee no longer requires access, that individual's credentials are revoked.
11.3 Technical safeguards
We store your personal information in our database using the protections described above. In addition, we utilize up-to-date firewall protection for an additional layer of security. We use high-quality antivirus and anti-malware software, and regularly update our virus definitions. Third parties who we hire to provide services and who have access to our users' data are required to implement privacy and security practices that we deem adequate.
11.4 Physical safeguards
Access to user information in our database by Internet is not permitted except using an encrypted virtual private network (VPN). Otherwise, access is limited to our physical premises. Physical removal of personal data from our location is forbidden. Third-party contractors who process personal data on our behalf agree to provide reasonable physical safeguards.
We strive to collect no more personal data from you than is required by the purpose for which we collect it. This, in turn, helps reduce the total risk of harm should data loss or a breach in security occur: the less data we collect, the smaller the overall risk.
11.6 Notification in the event of breach
In the unlikely event of a breach in the security of personal data, we will notify all users who are actually or potentially affected.
We may tailor the method of notice depending on the circumstances. Where the only contact information that we have for you is an email address, then the notification will necessarily be by email. We may also elect to give you notice via our in-product messaging system. Where we believe there are affected users for which we have no contact information on file, we may give notice via publication on our company website.
We reserve the right to delay notification if we are asked to do so by law enforcement or other authorities, or if we believe that giving notice immediately will increase the risk of harm to our user body overall.
12. Other Jurisdictions
Residents of the Russian Federations
We collect and process personal data on the territory of the Russian Federation in strict compliance with the applicable laws of the Russian Federation.
We collect and process personal data (including sharing it with third parties) only upon the consent of the respective individuals, unless otherwise is provided for by the laws of the Russian Federation. You will be asked to grant your consent by ticking the respective box / or clicking “I accept” button or through similar mechanism prior to having access to the site, and/or when submitting or sharing the personal data we may request. We collect and use your personal data only in the context of the purposes indicated in the consent to processing of personal data.
We (directly or through third party contractors specifically authorized by us) collect, record, systematize, accumulate, store, actualize (update and amend), extract personal data of the Russian Federation citizens with the use of databases located on the territory of the Russian Federation, except as otherwise permitted by Russian data protection legislation. We may process personal data of Russian citizens using databases located outside of the Russian Federation subject to compliance with Russian data protection legislation.
We undertake all the actions necessary to ensure security of your personal data.
You are legally entitled to receive information related to processing your personal data. To exercise this right, you have to submit a request by e-mail at: firstname.lastname@example.org with the headline “PRIVACY REQUEST” in the message line.
You have the right to revoke the consent at any time by sending us an e-mail at: email@example.com with the headline “PRIVACY REQUEST” in the message line. Once we receive the revocation notice from you we will stop processing and destroy your personal data, except as necessary to provision the contract or service to you. However, please note once you have revoked your consent, we may not be able to provide to you the products and services you request, and may not be able to ensure proper work of our products.
We do not transfer your personal data to the countries that under Russian law are not deemed to provide adequate protection to the individuals’ rights in the area of data privacy.
We do not offer, sell or otherwise make available our products or services that have access to, collect and process (or allow us to do the same) personal data of third parties in the Russian Federation without the consent of such third parties.
If any provisions of this Policy contradict the provisions of this section, the provisions of this section shall prevail.
Your California Privacy Rights
13. Policy Changes
13.3 Where the changes are major, we will notify you by email if you have an Avast account or through posts on our website.
14. Contacting Us
14.1 We are registered as Avast Software s.r.o. and our registered address is Pikrtova 1737/1a, 140 00 Prague 4, Nusle, Postal Code 140 00, Czech Republic.
14.2 Dispute resolution
We make every effort to conduct our business in a fair and responsible manner. In the unlikely event of a disagreement or complaint about the way that your personal data is handled, please contact us.
If you prefer, you can send paper mail to AVAST Software s.r.o., Pikrtova 1737/1a, 140 00 Prague 4, Czech Republic. Be sure to write "Attention: PRIVACY" in the address so we know where to direct your correspondence.
15. Data Protection Officer
15.1 As required under the GDPR, we have a data protection officer (DPO) to monitor our compliance with the GDPR, provide advice where requested and cooperate with supervisory authorities. You can contact our data protection officer via firstname.lastname@example.org.