TRUST CENTER

Privacy Policy

Last updated September 25, 2025

ITC Privacy

Your information security is paramount to us.

ITC Systems manages and maintains your institution’s privilege credentialing system as a third-party Data Processor. As such, the main responsibility for data privacy compliance lies with your institution as the Data Controller. Therefore, your institution’s privacy statement governs the use of your personal information (instead of ours). Your institution determines what information we collect through our products and services and how it is used, and we process your information according to your institution’s instructions and the terms of our contracts with your institution. Please refer to your institution’s privacy statement.

Information we collect

Our products and services integrate with your institution’s systems. This provides us with your information to set up and maintain your profile and account that enables us to provide the product or service. This includes information in the following data categories:

  • Account information: The exact data elements will depend on the product, but often we receive your name, phone number, email address, institutional ID, account credentials, and emergency contact when we initially set up the products and services for your institution. We will receive regularly updated information to keep your account information accurate and up to date.
  • Palm Biometrics: ITC Systems offers a palm vein biometric solution (AVRO Palm) that replaces or is associated with an existing physical credential. AVRO Palm is designed to be anonymous in that your palm biometric is associated only with the access card credential used at the time of enrollment and, when used, scans your palm and outputs only the associated credential number registered at the time of enrollment. The AVRO Palm database is independent, does not contain any personally identifiable information (PII), and does not share data with or interface to any other systems. AVRO Palm does not analyze your biometric data for secondary purposes or share any data external to the service. Retained biometric data is revoked either on a set calendar date or on a real-time revocation request from the credential issuer as defined by them.
  • Credentials: Our products and services often integrate with your institution’s systems and rely on the credentials your institution uses. Where this is not the case, we will collect passwords, password hints, and similar security information that we use for authentication and account access.
  • Payment data: We collect data necessary to process your payments within our system, usage of our services including purchases on your institution’s credential, plans, attendance, and events. We collect payment history for your reference and make it available to you. We do not store any credit card details.
  • Support: When you or your institution contacts us for support, we may collect limited information about you that you or a representative of your institution provides to us. We use this information only to assist with client support cases on behalf of your institution. When you contact us, your phone conversations or chat sessions with our client support teams may be monitored and recorded for training and quality purposes.

Indirectly from you

We collect information on how you use our products and services. Depending on which product or service you use, this may include the following data categories:

  • Location and events data: For some of our products and services, such as access cards and attendance, we will collect information about which premises and events you have visited and attended on behalf of your institution, as well as the time and date of such visits.
  • Android – Please be aware that if your device’s operating system version is Android 6.0 or higher, in order to be able to use the app for opening doors or other AVRO Mobile access control equipment using Bluetooth technology, Android requires location permissions to be activated. Nevertheless, ITC Systems (AVRO Mobile) will not access or otherwise process any information relating to your location in these cases.
  • iOS – Please be aware that if your device’s operating system version is iOS 13 or later, in order to be able to use the app for opening doors or other AVRO Mobile access control equipment using Bluetooth technology, iOS requires location permissions to be activated. Nevertheless, ITC Systems (AVRO Mobile) will not access or otherwise process any information relating to your location in these cases.
  • Device and usage: We collect device and usage information when you access and use our products and services, including information that your browser or mobile app sends when you are using it. This data may include your unique device identifier, IP address, your browser type and configuration, the date and time of your use of the product or service, language preferences, and cookie data.

How we use this information

On behalf of your institution, we use your information under the instruction of your institution, which is the data controller. We use the information in accordance with our agreement with your institution to operate, maintain, and provide the features and functionality of the products and services. Your institution determines how your information is used.

Secure Handling of Customer Data Agreement

(“CUSTOMER”) requires ITC Systems Inc (“ITC”) to review, accept, and integrate the following requirements (“Agreement”) as part of any contract, agreement, or Service Level Agreement (“SLA”) that involves the storage, transmission, processing, or collection of CUSTOMER data, or access to CUSTOMER data, by ITC. This Agreement is intended to ensure that CUSTOMER’s security and compliance requirements are outlined and followed by the ITC.

  1. Security Controls
    1.1. Network Security: ITC agrees at all times to maintain network security that – at a minimum – includes: network firewall provisioning, intrusion detection, and third-party penetration testing. Furthermore, ITC agrees to maintain network security that conforms to the current standards set forth and maintained by the National Institute of Standards and Technology or other generally recognized comparable standard (e.g., ISO/IEC 27001, ISA 62443, COBIT 5, CCS CSC, SANS, PCI-DSS, etc.).
    1.2. Risk Assessments: Both ITC and Institution agree to conduct a formal penetration test at least once a year of the ITC Systems’ netZcore Avro solution (Azure side and Institution side). Such test will be coordinated with ITC and Institution, to be done as a solution test. A penetration test is here defined as “the process of using approved, qualified personnel to conduct real-world attacks against a system so as to identify and correct security weaknesses before they are discovered and exploited by others.”
    1.3. Security Auditing: ITC agrees to have an independent, industry-recognized third-party security audit that conforms to the current standards set forth and maintained by the National Institute of Standards and Technology or other generally recognized comparable standard (e.g., ISO/IEC 27001, ISA 62443, COBIT 5, CCS CSC, SANS, PCI-DSS, etc.) performed at least once a year. The audit results and ITC’s plan for addressing or resolving of the audit results shall be shared with the Institution within 90 days of ITC’s receipt of the audit results.
    1.4. Business Continuity Plan: Should a plan be required, ITC agrees to work with CUSTOMER to develop detailed recovery procedures and manual workarounds in the event of a disaster. The plans should include emergency and contingency plans for the facilities in which ITC information systems that process CUSTOMER data are located. ITC’s redundant storage and its procedures for recovering data shall serve to reconstruct CUSTOMER Data in its original or last-replicated state from before the time it was lost or destroyed.
    1.5. Cybersecurity Insurance: ITC agrees to maintain, at all times during the term of this Agreement, a comprehensive program of risk mitigation and cyber liability insurance. CUSTOMER shall have the right to request copies of such certificates of insurance and/or other evidence of the adequacy of the above insurance coverage from ITC.
  2. Data Protection
    2.1. Data Security: ITC shall develop, implement, maintain and use appropriate administrative, technical and physical security measures based on the latest industry security standards and best practices and in accordance with all applicable law, to preserve the confidentiality, integrity and availability of all electronically maintained or transmitted CUSTOMER Data received from, or on behalf of Institution or its students.
    2.2. Data Encryption: ITC agrees to encrypt all CUSTOMER data, either in transit or at rest. This includes any backup data as part of its backup and recovery processes. ITC agrees that any and all transmission or exchange of data with CUSTOMER and/or any other parties expressly designated by CUSTOMER – solely in accordance with Section 3.4 below – and/or any other transaction ITC engages in that involves CUSTOMER data – shall take place via secure means, e.g. TLS protocol via HTTPS or SFTPS.
    2.3. Data Storage: ITC has a policy that includes the following:
      1. Any and all CUSTOMER data will be stored, processed, and maintained solely on designated target servers within Canada.
      2. No CUSTOMER data at any time will be processed on or transferred to any portable or laptop computing device or any portable storage medium, except as stated explicitly with a valid business reason in the agreement between CUSTOMER and ITC, or as an exception made on a case-by-case basis as specifically agreed to in writing, in advance, by an authorized agent of CUSTOMER.
      3. ITC agrees that any portable or laptop computing devices as part of such agreed-upon exception will employ full-disk encryption as agreed in 2.2 above.
    2.4. Data Separation: ITC agrees that CUSTOMER data will be separated, either through physical or logical means, from other tenants in ITC’s infrastructure.
    2.5. Audit Trail: ITC must log access and use of systems containing CUSTOMER Data, registering the access ID, time, authorization granted or denied, and relevant activity.
  3. Data Stewardship
    3.1. Data Ownership: ITC acknowledges that all CUSTOMER Data shared with ITC, or made accessible to ITC’s systems or personnel, remains the sole property of CUSTOMER as defined by existing CUSTOMER regulation and/or CUSTOMER policy. Sole property ownership by CUSTOMER shall mean that CUSTOMER retains at all times all physical as well as the sole intellectual property ownership of the CUSTOMER Data.
    3.2. Data Use: ITC agrees that any and all data exchanged shall be used expressly and solely for the purposes enumerated in the agreement between CUSTOMER and ITC. Data shall not be distributed, repurposed or shared across other applications, environments, or business units of ITC.
    3.3. Data Location: ITC agrees that no CUSTOMER Data will be outsourced or housed outside the country of origin without prior CUSTOMER authorization.
    3.4. Data Redistribution: ITC agrees that no CUSTOMER data of any kind shall be transmitted, exchanged or otherwise passed to other ITCs, subcontractors, or other interested third parties except on a case-by-case basis as specifically agreed to in writing in advance by an authorized agent of CUSTOMER. ITC agrees that all such CUSTOMER pre-approved ITCs, subcontractors, or other interested third parties used by ITC will be contractually held to standards no less rigorous than those outlined in this Agreement.
    3.5. Legal Requests: If required by law or a court of competent jurisdiction or an administrative body to disclose CUSTOMER Data, ITC will notify CUSTOMER in writing within two (2) days prior to any such disclosure in order to give CUSTOMER an opportunity to oppose any such disclosure.
    3.6. End of Agreement Data Handling: ITC agrees that within 60 days of the termination of the agreement between CUSTOMER and ITC, or the termination of the pertinent records retention period, whichever is later (hereafter referred to as “data retention period”), CUSTOMER can reclaim any needed CUSTOMER data in a mutually agreed upon format. At the end of the data retention period, ITC will erase, destroy, and render unreadable all CUSTOMER data according to the standards enumerated in DOD 5220.22 or NIST 800-88 and certify in writing that these actions have been completed.
    3.7. Data Breach: In the event of a breach of any of ITC’s security obligations, unauthorized access to, disclosure, or loss of CUSTOMER Data or other event requiring notification under applicable law (“Notification Event”), ITC agrees to:
      1. Notify CUSTOMER within twenty-four (24) hours of the discovery of the breach by providing notice via email to CUSTOMER’s Security Incident Response Team (email address to be supplied by CUSTOMER).
      2. Comply with all applicable provincial laws such that a requirement to notify affected individuals.
      3. Assume responsibility for informing all such individuals in accordance with applicable law.
      4. Indemnify, hold harmless and defend CUSTOMER, CUSTOMER’s officers, agents and employees from and against any claims, damages, or other harm related to such Notification Event, up to the limit of Cyber Liability Insurance held by ITC.
  4. Compliance
    4.1. Data Classification Addendum: ITC agrees to abide by all legal and regulatory compliance requirements that apply due to the nature of the CUSTOMER data being shared (FERPA, HIPAA, PCI, GDPR, etc.).
    4.2. FERPA Regulations: If ITC is provided access to any student data defined by the Family Educational Rights and Privacy Act (“FERPA”) as non-directory information (such as personally identifiable information (PII) or educational records), or directory information, ITC acknowledges that it will comply with the regulations outlined in FERPA for the handling of such information to the extent such regulations apply to ITC. ITC will not disclose or use any student information, except to the extent necessary to carry out its obligations under its agreement with CUSTOMER and as permitted by FERPA.
    4.3. PCI Compliance: In cases where ITC is identified as a PCI third party service provider (TPSP), CUSTOMER requires that the ITC at all times shall maintain compliance with the most current Payment Card Industry Data Security Standard (PCI DSS). ITC may also agree to CUSTOMER’s PCI Addendum.
    4.4. HIPAA Compliance: If ITC is provided potential access to any data defined as Protected Health Information (PHI) under HIPAA and the ITC meets the definition of a business associate under HIPAA, the ITC is required to enter into a Business Associates Agreement with CUSTOMER. If ITC is provided access to data defined as Protected Health Information (PHI) under HIPAA but the ITC is not considered a business associate under HIPAA, then ITC must implement HIPAA-compliant security safeguards consistent with the NIST Cybersecurity Framework.
    4.5. GDPR Compliance: If the transfer of personal data to the ITC is required and is subject to the GDPR, ITC is required to abide by CUSTOMER’s Data Protection Addendum, as well as the GDPR requirements applicable to ITC.

AVRO Mobile Privacy

ITC Systems manages and maintains your institution’s privilege credentialing system as a third-party Data Processor. As such, the main responsibility for data privacy compliance lies with your institution as the Data Controller. Therefore, your institution’s privacy statement governs the use of your personal information (instead of ours). Your institution determines what information we collect through our products and services and how it is used, and we process your information according to your institution’s instructions and the terms of our contracts with your institution.

Information we collect

Our products and services integrate with your institution’s systems. This provides us with your information to set up and maintain your profile and account that enables us to provide the product or service. This includes information in the following data categories:

  • Palm Biometrics: ITC Systems offers a palm vein biometric solution (AVRO Palm) that replaces or is associated with an existing physical credential. AVRO Palm is designed to be anonymous in that your palm biometric is associated only with the access card credential used at the time of enrollment and, when used, scans your palm and outputs only the associated credential number registered at the time of enrollment. The AVRO Palm database is independent, does not contain any personally identifiable information (PII), and does not share data with or interface to any other systems. AVRO Palm does not analyze your biometric data for secondary purposes or share any data external to the service. Retained biometric data is revoked either on a set calendar date or on a real-time revocation request from the credential issuer as defined by them.
  • Credentials: Our products and services often integrate with your institution’s systems and rely on the credentials your institution uses. Where this is not the case, we will collect passwords, password hints, and similar security information that we use for authentication and account access.
  • Payment data: We collect data necessary to process your payments within our system, usage of our services including purchases on your institution’s credential, plans, attendance, and events. We collect payment history for your reference and make it available to you. We do not store any credit card details.
  • Support: When you or your institution contacts us for support, we may collect limited information about you that you or a representative of your institution provides to us. We use this information only to assist with client support cases on behalf of your institution. When you contact us, your phone conversations or chat sessions with our client support teams may be monitored and recorded for training and quality purposes.

Indirectly from you

We collect information on how you use our products and services. Depending on which product or service you use, this may include the following data categories:

  • Location and events data: For some of our products and services, such as access cards and attendance, we will collect information about which premises and events you have visited and attended on behalf of your institution, as well as the time and date of such visits. Additionally, we may collect precise geolocation data when you use the mobile apps for some of our products. You will be asked if you want to enable location data before we collect such information from your device.
  • Device and usage: We collect device and usage information when you access and use our products and services, including information that your browser or the mobile app sends when you are using it. This data may include your unique device identifier, Internet Protocol address, your browser type and configuration, the date and time of your use of the product or service, language preferences, and cookie data.

How we use this information

On behalf of your institution, we use your information under the instruction of your institution, which is the data controller. We use the information in accordance with our agreement with your institution to operate, maintain, and provide the features and functionality of the products and services. Your institution determines how your information is used.

Email-to-PRINT Privacy

What is Email-to-PRINT?

Email-to-PRINT is an application that monitors emails sent for printing. It is part of GoPrint, a Cloud Printing solution provided by ITC Systems.

Your information security is paramount to us.

ITC Systems processes an email-box dedicated for Email-to-PRINT provisioned by an institution. As such, the main responsibility for data privacy compliance lies with your institution as the Data Controller.

Information we collect

Email-to-PRINT integrates with GoPrint. You provide us your public institutional email login information to enable our application functionalities. The information we collect is the following:

  • Account information: When using a third-party authenticator (e.g., Microsoft, Google), you authorize us to obtain account information, such as email address and the username, from the third-party platform.
  • Credentials: We will collect an email and its password, and the shared mailbox name that we use for monitoring the institutional email inbox folder. When using a third-party authenticator, you authorize us to obtain your credential information, such as email address and authorization tokens that allow the application to read, send, and delete messages from the public email account you granted access to.
  • Email address: Your institution determines that the only information that ITC Systems needs from patrons, students, and employees is the email address of the sender which will act as the print name to release the print job at the release station.

How we use this information

The Email-to-PRINT application only monitors the mailbox that it was granted access to; this application does not monitor patrons’, students’, or employees’ accounts.

  • Processing public email messages: On behalf of your institution, Email-to-PRINT uses your public email credentials to connect with your institution’s email account, reads the messages, processes the attachments and email body, and sends them to the printer.
  • Send messages: After Email-to-PRINT processes the messages, the application replies to the sender with the print job information.
  • Delete messages: When the option “Delete email after process” is enabled, we will delete the processed message from the public email inbox.

Data retention

The application will retain your institution’s email credential information as long as you have the email configuration set up in Email-to-PRINT.

The patrons’, students’, and employees’ email addresses are saved as the print name to release the print job at the release station. We do not use their email addresses for any other purpose.

Google API Services User Data Policy

Email-to-PRINT’s use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.