Guardian MDM Privacy Policy

Introduction

Guardian MDM (Yeoley Limited) (“Company”, “we”, or “us”) provides a Software-as-a-Service (SaaS) Mobile Device Management (MDM) and Enterprise Mobility Management (EMM) solution. We are committed to protecting your privacy and handling personal data in a transparent and secure manner. This Privacy Policy describes how we collect, use, share, and protect personal data in connection with the Guardian MDM service, and outlines your rights. We adhere to applicable data protection laws, including the EU General Data Protection Regulation (GDPR). (Please note we are currently reviewing our practices for compliance with the California Consumer Privacy Act (CCPA); while we strive to respect the rights of California consumers, full CCPA compliance is not yet guaranteed as our review is ongoing.) This policy is incorporated into our Terms of Service and applies to all users of our services and website. By using Guardian MDM, you acknowledge that you have read and understood this Privacy Policy.

Data Collection

Personal Data We Collect: We collect various types of information to provide and improve our services. This includes:

  • Account and Identity Data: Information you provide when creating an account, purchasing a subscription, or contacting us. For example, we may collect your name, work email address, phone number, job title, company/organization name, billing address, and other contact details. We also collect login credentials and authentication information for the service. If you communicate with us (e.g. for support), we will collect the content of those communications.
  • Device and Technical Data: Information about the mobile devices and systems you enroll in Guardian MDM. This includes device identifiers (such as IMEI, serial number, UDID), device name, model and manufacturer, operating system and version, and technical identifiers associated with the device. We collect device status details and telemetry such as IP address, hardware identifiers (e.g. SIM card ICCID and phone number), battery level/health, storage usage, and device settings or configuration (e.g. whether GPS/location services are enabled). We also collect an inventory of installed applications and their usage permissions on managed devices, as well as security information (e.g. if the device has a passcode, encryption status, pending OS updates, etc.). This data allows us to monitor and manage the devices in accordance with your organization’s policies.
  • Location Data: Guardian MDM does not track device location by default. However, if your organization enables a location-tracking feature and the end-user grants permission, we may collect and store geolocation information for managed devices. Location data (such as GPS coordinates or approximate location) is collected only when authorized and typically only for company-owned devices (BYOD personal devices are not subject to location tracking by our service). Even when enabled, location data collection may be periodic or limited (e.g. storing the last known locations up to a certain number of points). Location information is used for legitimate business purposes like locating lost devices or optimizing fleet deployment, as configured by your organization.
  • Usage and Analytics Data: We automatically collect certain information about how the Guardian MDM service and website are accessed and used. This may include log data such as IP addresses, browser type, device type, pages or features accessed, session duration, and other technical information. On the admin management console and our website, we and our analytics partners may use cookies or similar technologies to gather usage statistics (for example, capturing page visit durations or click-stream data). Within the Guardian MDM platform, we may log administrative actions (e.g. policy changes, device commands issued) and device event logs (such as device check-ins, compliance status) for security and auditing.
  • Customer-Provided Content: In the course of using our service, you or your organization may input, upload, or generate personal data within Guardian MDM. For example, an administrator might upload a list of company contacts to distribute to devices, configure Wi-Fi passwords, or assign a device to a specific employee by name. Any such Customer Data that you submit to our platform (which could include names, phone numbers, email addresses, files or other information related to your end-users) remains under your ownership and control. We process this data only on behalf of and under the instructions of the customer (your organization) as a Data Processor, and it is used strictly to provide the MDM services (e.g. syncing a contacts list to managed devices or applying a configuration profile). We do not access or use customer-provided content for any independent purpose except as necessary to carry out the service or as required by law.
  • No Collection of Sensitive Data or Children’s Data: We do not intentionally collect any special categories of personal data (such as race, religion, health, biometric data, etc.) or any information about children under 16 years old. Our services are business-oriented and not directed to minors. If you believe a child’s personal data has been provided to us improperly, please contact us so we can delete it.

Data Usage

We use the collected data to operate, maintain, and improve our services in a lawful and transparent way. The purposes for which Guardian MDM processes personal data include:

  • Providing the MDM/EMM Service: We use personal and device data to deliver the features of our platform and fulfill our contractual obligations. This includes using device information and configurations to enforce security policies on devices, deploy applications or updates, back up device settings, and allow administrators to monitor device status. User account data (like your email and credentials) is used to authenticate you and enable your access to the service. In short, we process data as necessary to manage and secure your organization’s devices and mobile assets as per your instructions.
  • Service Administration and Operations: We process data to manage customer accounts, provide customer support, and communicate with you about the service. For example, we may use your email address to send service notifications, alerts, updates about changes to policies or terms, and respond to inquiries or support tickets. If you submit a support request, our support team may access relevant account or device data to troubleshoot and resolve your issue.
  • Improvement and Development of the Service: We analyze usage and performance data (often in aggregate or anonymized form) to understand how our product is used and to enhance the platform’s functionality and user experience. This can involve analyzing which features are most utilized, the effectiveness of security policies, or device compliance trends. By monitoring these patterns, we can optimize our services, fix bugs, anticipate customer needs, and develop new features or integrations that benefit our users. For example, we may evaluate device check-in data or feature usage statistics to guide our software updates and roadmap.
  • Security and Fraud Prevention: We use personal and device data to protect the integrity and security of the MDM service, our customers, and their data. This includes monitoring for suspicious or unauthorized activities, enforcing security measures, and preventing misuse. For instance, we may use account and log-in information to detect fraudulent access or multiple failed login attempts. Device telemetry (like security settings or jailbreak/root status) may be used to alert administrators to potential security risks. We also maintain audit logs of administrative actions in the system to investigate any improper behavior. These processing activities are necessary for our legitimate interests in keeping the service and user data secure.
  • Legal Compliance and Protection: Where required, we will use personal data to comply with applicable laws, regulations, legal processes or enforceable governmental requests. For example, we may retain and disclose certain information if we are compelled by law enforcement or regulatory authorities (in accordance with lawful process) or to establish or exercise our legal rights. Additionally, we may process data as needed to enforce our agreements or to protect our rights or the rights of our customers (for instance, to investigate and prevent spam, abuse, or security incidents).
  • Marketing and Communication (Limited): We do not sell your data to third parties for marketing. We may, however, use your contact information to send administrative or transactional communications (service updates, billing reminders, etc.) and, if you are an account administrator or have opted in, to send occasional product news, offers or newsletters. You can opt out of non-essential communications at any time. Any marketing emails we send will include an unsubscribe option. (Note: We do not engage in behavioral advertising based on device data or end-user information collected via the MDM service.)

We will only use personal data for the purposes for which we collected it, and in accordance with a valid legal basis (e.g. to perform our contract with you, with your consent, or for our legitimate interests balanced with your rights, or to comply with a legal obligation). We do not undertake any fully automated decision-making (including profiling) that has legal or similarly significant effects on individuals.

Data Sharing

We treat your personal data as confidential and do not sell it. We may share or disclose data only in the following circumstances:

  • Service Providers (Sub-Processors): We employ trusted third-party companies to perform certain business-related functions on our behalf – for example, cloud infrastructure providers, data center/hosting services, analytics services, customer support tools, email delivery services, and payment processors. These third-party data processors may need to access or handle personal data in order to provide their services to us (such as storing data on cloud servers or processing an online payment). In all cases, we disclose to them only the information necessary for them to perform their specific duties. They are contractually bound to keep personal data confidential and to use it solely for providing services to Guardian MDM, in line with this Privacy Policy and applicable law. We require all our service providers to maintain appropriate data protection and security measures. (See also the section below on Third-Party Services for more details on key providers.)
  • Within our Corporate Group: If Guardian MDM is part of a group of related companies, we may share data with our parent company, subsidiaries, or affiliates as needed to operate and improve the service (for example, for centralized administration or customer support). Any such entities will follow privacy protections similar to those described here.
  • Business Transfers: In the event of a potential or actual merger, acquisition, sale of company assets, investment, bankruptcy, or other corporate transaction, personal data held by Guardian MDM may be among the assets transferred to a new owner or successor entity. We would ensure the continuing confidentiality of any personal data in such an event and provide notice before any personal data becomes subject to a different privacy policy. Corporate Restructuring and Succession: Please be advised that the Guardian MDM service is currently operated by Yeoley Limited. It is anticipated that upon completion of the current development phase, the service and its associated assets will be assigned to a dedicated successor entity that will operate as Guardian MDM (“Successor Entity”). In the event of this corporate restructuring, all personal data collected and processed by Yeoley Limited in connection with the Guardian MDM service will be transferred to the Successor Entity as part of the business transfer. The Successor Entity will be contractually bound to this Privacy Policy and will continue to protect your data in accordance with its terms.
  • Legal Obligations and Safety: We may disclose personal data if required to do so by law or in response to valid legal process (such as a subpoena, court order, or search warrant). We may also disclose data if we believe in good faith that it is necessary to (i) comply with a legal obligation, (ii) protect and defend the rights, property, or safety of Guardian MDM, our customers, or others, (iii) investigate or assist in preventing any violation of law or our terms of service, or (iv) respond to an emergency that we believe in good faith requires us to disclose information to assist in preventing serious harm.

Except as outlined above, we do not share personal information with third parties unless you have requested or consented to such sharing. Importantly, any third parties with whom we share data must handle it with the same level of care and protection we commit to. We do not allow our processors to use your data for their own purposes – they can only process it for specified purposes and in accordance with our instructions and applicable data protection law.

International Transfers

Guardian MDM is a global service. The personal data we collect may be transferred to and stored on servers located in countries different from your own, including servers outside the European Economic Area (EEA). In particular, if you are an EU/UK user, be aware that your personal data might be processed in the United States or other jurisdictions where some of our third-party service providers operate or where our company’s servers are hosted. Regardless of where data is processed, we safeguard your information in accordance with this Privacy Policy. Data transfers from the EU/UK: When we transfer personal data from the EEA or the United Kingdom to a country that is not deemed to have “adequate” data protection by EU/UK authorities, we rely on appropriate legal transfer mechanisms to ensure your data remains protected. These may include the European Commission’s Standard Contractual Clauses (SCCs) or other approved safeguards, along with supplementary technical and organizational measures as needed. We will ensure that any recipient of the data (such as our U.S.-based cloud providers) is contractually obligated to provide an adequate level of protection for your personal information comparable to the protections under EU/UK law. You can contact us for more information about the safeguards we have in place for international data transfers. By using our services, you understand that your personal data may be transferred to our facilities and those third parties with whom we share it as described.

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. In general, this means:

  • Customer Account Data: Information related to your Guardian MDM account (such as account owner’s contact info, billing records, subscription details) is kept for the duration of your subscription or contract with us. If you terminate your account, we will delete or anonymize your personal data within a reasonable period after account closure, once it is no longer needed for the original purpose. Some basic contact or transactional information may be retained for a certain time after termination (usually not more than a few years) in archived backups or as required for legitimate business purposes such as resolving disputes, enforcing agreements, or complying with legal obligations (for example, financial/tax laws may require us to keep invoicing records for a set number of years).
  • Device and Operational Data: Data collected from enrolled devices (device details, logs, etc.) is retained as long as the device remains under management and the customer account is active. If a device is unenrolled or wiped, we will delete or anonymize the associated device data in our systems within a reasonable timeframe. Similarly, if your organization stops using Guardian MDM entirely, device-specific data will be purged following account closure (often after a short grace period). We may retain aggregated, non-identifiable telemetry for internal analysis.
  • Customer-Provided Content: Any content or personal data that you (the customer) have provided or managed via our service (such as contact lists, files, or configuration information) can be deleted by you at any time via the admin console. If not deleted earlier, such data will be deleted as part of account termination procedures. We do not keep it beyond what is needed to provide the service, except as required for legal compliance or backups.
  • Web Analytics Data: Data collected via cookies and analytics tools on our website is typically retained as per our Cookie Policy or the third-party analytics provider’s retention settings (often aggregated or anonymized after a certain period).

When we have no ongoing legitimate need to use your personal data, we will either delete it or anonymize it (so it can no longer be associated with you) in our systems, or if deletion/anonymization is not feasible (for example, because the data is stored in secure backups), we will securely store the data and isolate it from further use until deletion is possible. We continuously review our data retention practices to ensure we are not keeping data longer than necessary.

Security Measures

Guardian MDM takes the security of your data very seriously. We have implemented a variety of technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption: We use encryption to protect data in transit and at rest. Communications between your devices, our admin console, and our servers are secured via industry-standard encryption protocols (e.g., TLS/SSL). Sensitive data stored in our databases is encrypted at rest. This ensures that personal data is indecipherable to unauthorized parties.
  • Access Controls: We restrict access to personal data to authorized personnel who need it to operate our service or assist you. Our employees and contractors are bound by confidentiality obligations. Administrative access to systems is logged and tightly controlled. Multi-factor authentication and least-privilege principles are used where applicable to prevent unauthorized access.
  • Network & Infrastructure Security: Our servers are hosted in secure facilities with robust physical security and network security (firewalls, intrusion detection systems, etc.). We maintain up-to-date security software and practices to protect against malware and other threats. Regular vulnerability assessments and penetration testing are performed on our platform. We also isolate customer data and use safeguards to prevent co-mingling of data.
  • Monitoring and Auditing: We continuously monitor the Guardian MDM service for potential security vulnerabilities or anomalies. Activity logs are kept for critical operations, aiding in detecting and investigating unusual behavior. We also employ automated tools to alert on suspicious patterns (e.g., multiple failed logins or unusual data access).
  • Organizational Policies: Our staff are trained on privacy and security best practices. We have incident response plans in place to handle any security breaches or cyber incidents swiftly and effectively. In the unlikely event of a data breach involving your personal data, we will notify affected customers and the relevant supervisory authorities as required by law. In particular, if a security incident qualifies as a personal data breach under GDPR, we will inform you and/or the authorities within 72 hours of becoming aware of it, whenever feasible (unless the breach is unlikely to result in any risk to your rights).

Please note that while we strive to protect your information, no method of transmission over the internet or electronic storage is 100% secure. Therefore, we cannot guarantee absolute security. However, we regularly review and update our security measures to follow best practices and to address new threats. You also play a role in security: we encourage you to use a strong password for your account and to keep your account credentials confidential.

Rights of Data Subjects

If you are located in a jurisdiction with data protection laws (such as the GDPR in the European Union/UK), you have certain rights regarding your personal data. Subject to applicable law and any relevant exemptions, these rights may include the following:

  • Right to Access: You have the right to request confirmation of whether we are processing personal data about you, and to obtain a copy of the personal data we hold about you. This allows you to check what information we have and to verify that we are processing it lawfully.
  • Right to Rectification: If any of your personal data held by Guardian MDM is inaccurate or incomplete, you have the right to request correction or completion of it. We will promptly update our records and inform any third parties, if applicable, of the change.
  • Right to Erasure: You have the right to request deletion of your personal data in certain circumstances (also known as the “right to be forgotten”). For example, you can request erasure if the data is no longer necessary for the purposes it was collected, you have withdrawn consent (where the processing was based on consent), or you object to processing and we have no overriding legitimate grounds. Please note we may not be able to delete data that we are required to keep by law or that is necessary for defending legal claims, but we will inform you if such an exception applies.
  • Right to Restrict Processing: You have the right to ask us to suspend or limit the processing of your personal data in certain scenarios – for instance, if you contest the accuracy of the data, or you want us to preserve data while you establish, exercise or defend a legal claim.
  • Right to Data Portability: In situations where processing is based on your consent or the performance of a contract and carried out by automated means, you have the right to receive the personal data you have provided to us in a structured, commonly used, machine-readable format, and to have that data transmitted to another controller where technically feasible.
  • Right to Object: You have the right to object to our processing of your personal data when such processing is based on our legitimate interests (or those of a third party) and you feel it impacts your fundamental rights and freedoms. You also have the right to object at any time if your personal data is processed for direct marketing purposes (we currently do not process data for direct marketing without consent, but this is a legal right you have).
  • Right to Withdraw Consent: If we rely on your consent to process any personal data, you have the right to withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal. If you withdraw consent for a particular feature (such as location tracking), that feature will be disabled and we will stop processing your data for that purpose.
  • Right to Complaint: If you have concerns about our data practices, you have the right to lodge a complaint with a supervisory data protection authority. For example, EU/EEA individuals can contact their national Data Protection Authority, and UK individuals can contact the Information Commissioner’s Office (ICO). We encourage you to contact us first, so we can address your concerns directly.

To exercise any of your rights, please contact us using the information in the Contact section below. We may need to verify your identity before fulfilling certain requests (this is to protect your privacy and security). We will respond to your request within the timeframe required by law (generally within one month for GDPR-related requests) and will let you know if we need additional information from you. Please note that some rights may be limited where we have an overriding legitimate interest or legal obligation to continue processing your data. We will explain the rationale in our response if we cannot fully comply with your request.

Use of Third-Party Services

Guardian MDM relies on a number of external services and integrations to deliver our solution’s functionality. We believe in being transparent about which third-party services we use and how they handle data. Key third-party services we utilize include:

  • Cloud Hosting and Infrastructure: We use reputable cloud service providers to host our application, databases, and backups. For example, our servers and data storage may be hosted on Amazon Web Services (AWS) or similar cloud platforms. These cloud providers store and process data on our behalf in secure data centers. We choose providers that offer robust security and privacy assurances. Some data may also be processed via Google Cloud Platform, especially for certain features (e.g., Android device services). All cloud hosting vendors are bound by our data processing agreements and by strict security standards; they will not access your personal data except as needed to maintain and support the service.
  • Analytics Tools: We utilize third-party analytics services to collect non-identifying information about how users interact with our website and platform, so we can improve performance and user experience. For instance, our website uses Google Analytics (a web analytics service provided by Google) to gather traffic statistics and usage data. Google Analytics may set cookies in your browser and collect your IP address and browsing information (page views, clicks, etc.), which is transmitted to Google’s servers (potentially in the USA) to generate aggregated reports for us. Importantly, this information does not include personal details like your name or account data – it is used for statistical analysis of website usage. We have configured Google Analytics to anonymize IP addresses where applicable. You can opt out of Google Analytics by installing the Google Analytics opt-out browser add-on, or by adjusting cookie settings. Aside from web analytics, Guardian MDM’s product may also include its own internal analytics or diagnostics tools to monitor system performance; these do not use personal data beyond what is described in Data Collection. We do not use any third-party advertising networks on our platform.
  • Push Notification and Messaging Services: To facilitate real-time device management commands and notifications, Guardian MDM makes use of push notification services provided by device operating system vendors. Specifically, for Android devices we use Google Firebase Cloud Messaging (FCM) (or the relevant Android Enterprise notification service). These services deliver instant notifications/commands from our server to the managed devices over a secure channel. No sensitive personal content is transmitted via these push services – they are generally limited to device tokens and instructions to wake the device or sync with our servers. For example, FCM may carry a wake-up signal telling an Android device to fetch its management instructions (the actual device policies or data are then retrieved directly from our server by the device). We share only necessary device identifiers or tokens with Google to enable these notifications. Such third-party messaging services act as independent data controllers for the limited metadata they handle (e.g., device push tokens). Google will process that data according to its own privacy policies. We ensure that we do not include personal user information in the push payload beyond what the service requires.
  • Other Third-Party Services: Guardian MDM may use additional third-party platforms to support functionality, such as:
    • Email and Communication Tools: We may use an email service provider (for example, SendGrid or similar) to send account invitations, password reset emails, and support communications. These providers would handle your email address and the content of the communication.
    • Support Ticketing System: If we utilize a customer support software (for instance, Zendesk, Freshdesk, or similar) to manage support inquiries, basic contact data (name, email) and any info you provide in a support ticket will pass through that system. Such providers are under contract to maintain confidentiality and security of your data similar to us.
    • Payment Processor: If you make payments to us (for subscriptions), we rely on a PCI-DSS-compliant third-party payment processor (e.g., Stripe) to handle your payment card information. We do not store full payment card details on our own servers. The payment processor will process your payment data securely, and only limited information (like a payment reference or last 4 digits of your card) is retained by us for record-keeping.

We maintain a list of our key sub-processors (critical third-party data processors) which is available upon request (and may be provided in an Annex or on our website). Whenever we add or change a core sub-processor that handles personal data, we will notify our enterprise customers as required by our Data Processing Agreement. Rest assured that all third-party services we engage are vetted for strong privacy and security practices, and we execute appropriate contracts (including Data Protection Addendums) to ensure your data is safeguarded. These providers cannot use your information for their own purposes; they only process it for the specific purposes we dictate, consistent with this Policy. If you have questions about whether a particular third-party service is used with your data, or want to see our up-to-date sub-processor list, please contact us.

Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us. We have appointed a team responsible for privacy compliance (which may include a Data Protection Officer or Privacy Manager) who can assist with your inquiries and requests. You can reach us by email at [email protected]. You may also write to us at:

Guardian MDM Privacy Team
(Yeoley Limited)
Coppice House, Technical Centre, Halesfield 7, Telford TF7 4NA
United Kingdom

We will respond to privacy-related inquiries as soon as possible, and no later than any timeframes required by law. If you are an EU or UK resident and feel that we have not adequately addressed your concerns, you have the right to contact your local Data Protection Authority (such as the UK ICO or an EU supervisory authority) about our personal data handling. We encourage you to contact us first so we can try to resolve your issue. Thank you for trusting Guardian MDM with your organization’s mobile device management needs. We value your privacy and will continue to update our practices and this policy to meet our obligations and your expectations. Any changes to this Privacy Policy will be communicated by posting the updated policy on our website and/or through other communication channels.