Privacy Policy for Breeze

Effective Date: 01.01.2025

Last Updated: 25.06.2025

1. Introduction

Welcome to the Breeze platform. We value your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, and protect your personal information when you use our secure digital identity and credential management services.

2. Who We Are

This platform is operated by Sotera AS, provider of the Breeze platform — a secure digital identity and credential management system. For questions regarding this policy, you can contact your Breeze representative.

3. What Data We Collect

When you use our platform, we collect the following types of data:

Identity and Authentication Data:
  • Login credentials (email, encrypted passwords)
  • Multi-factor authentication codes (temporary)
  • National identity information (when using eID services) - stored as hashed values
  • Identity Provider (IdP) information from external authentication services
  • Session identifiers and access tokens
Technical and Security Data:
  • IP address
  • Browser type and version (via User-Agent headers)
  • Device information
  • Session data and authentication timestamps
  • Security audit logs and access control records
Personal and Credential Data:
  • Name, email, and contact details
  • Profile information linked to digital credentials
  • Credential data collections (names, photos, employee numbers, etc.)
  • Digital identity verification data
System and Usage Data:
  • Event logs for system security and audit purposes
  • Error tracking and monitoring data (via self-hosted monitoring systems)
  • Platform usage statistics for security monitoring
4. Cookies and Session Management

Our platform uses cookies and similar technologies solely for essential functionality:

Session Cookies (Required):
  • credToken: JWT authentication token for secure user sessions
  • connect.sid: Session identifier for platform communication
  • signedIn: Basic authentication status indicator
Security Cookies:
  • _GRECAPTCHA: Google reCAPTCHA v2 for spam protection on login forms

We do not use cookies for analytics, marketing, or tracking purposes. All cookies are essential for platform operation and security. You can manage cookie settings through your browser, but disabling them will prevent the platform from functioning properly.

5. How We Use Your Data

We use your personal data exclusively for:

  • Platform Operation: Authenticating users, managing digital credentials, and maintaining secure access
  • Security and Compliance: Monitoring for suspicious activity, maintaining audit logs, and ensuring platform integrity
  • Identity Management: Creating, managing, and verifying digital identity credentials
  • Technical Support: Providing user support and troubleshooting platform issues
  • Legal Compliance: Meeting regulatory requirements and responding to lawful requests
6. Data Sharing and Third Parties

We do not sell your personal data. We may share data with trusted third parties only when necessary:

Infrastructure Providers:
  • Microsoft Azure (platform hosting and storage)
  • Redis (session storage)
Authentication Services:
  • Signicat (for eID verification services)
  • External Identity Providers (when using SSO/SAML authentication)
Legal Requirements:
  • Compliance with legal obligations or lawful requests from authorities
7. Data Security

We implement comprehensive security measures:

  • Encryption: Industry-standard encryption including TLS for data in transit and AES-256 for sensitive data at rest
  • Authentication: Multi-factor authentication (MFA) and role-based access control
  • Audit Logging: Detailed audit trails for all system access and changes
  • Data Protection: Hashed storage of sensitive identifiers (e.g., national identity numbers)
  • Session Security: Secure session management with automatic token expiration
8. Data Retention and Deletion
Active Data:
  • User data is retained while your account is active and for legitimate business purposes
  • Audit logs are maintained for security and compliance requirements
Data Lifecycle Management:
  • Data retention periods are configurable and may vary by organization
  • Typical default settings include deactivation of inactive users after 365 days and deletion of unactivated accounts after 90 days
  • For specific retention periods that apply to your organization, please contact your Breeze vendor or administrator
  • Users can request data deletion subject to legal and security requirements
Anonymization:
  • Personal data can be anonymized when no longer needed for identified purposes
  • Anonymized data retains no personally identifiable information
9. Your Rights

Under applicable data protection laws (such as the GDPR), you have the right to:

  • Access: Request access to the personal data we hold about you
  • Correction: Request correction of inaccurate personal data
  • Deletion: Request deletion of your personal data (subject to legal requirements)
  • Restriction: Object to or restrict certain types of processing
  • Portability: Request transfer of your data in a structured format
  • Withdrawal: Withdraw consent where processing is based on consent

To exercise your rights, please contact your Breeze representative or administrator.

10. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. When we do, the revised policy will be posted with an updated effective date. We recommend reviewing this policy periodically.

11. Contact Information

For questions about this Privacy Policy or how we handle your personal data, please contact your designated Breeze representative or system administrator.