Privacy and data policy

Introduction

This Policy governs our processing of your personal information and the way in which we deal with other data that is not personal information. “Personal information” is the English term for “personal data” as defined in the European Union’s General Data Protection Regulation EU2016/679 (“GDPR”).

The term “processing” is used as defined in the GDPR. It includes collection, storage, and all of the ways we use, and allow you to use, personal information, when we provide our services. You are the data controller under the GDPR of the personal information you provide to us as part of your Account Data (see below).

This privacy policy explains the personal data that Secrecy collects and processes, how it processes data and for what purposes it is collected and processed. This privacy policy further describes our commitment to preserving the privacy and security of your personal data. This policy applies to the interactions that Secrecy has with you through your use of Secrecy products and services.

Legal framework

The Company Anonymize (883 096 646 R.C.S. Paris) is domiciled in France at the following address : 35 Rue BERGER - 75001 PARIS

All data storage infrastructure is also located solely within France, and thus governed by the laws and regulations of France.

Secrecy (“we”, “us” or “our”) is the data controller under the GDPR of all other personal information

General overview

This Policy is divided into several sections to see which provisions apply to different types of data.The GDPR provides rights to European users, but, as a leading privacy company, we make the GDPR protections and rights available to all our users globally in respect of their personal data wherever you may live

Which law is this Policy related to?

Subject to the rights that those in the European Union have under the GDPR, this Policy and its interpretation and operation are governed solely by the French law.

Secrecy is subject to the same rights that those in the European Union have under the GDPR.

Which supervisory authority can you contact?

If you have concerns or complaints about this policy or practices with regard to that you do not feel you can resolve through contacting us, you should bring those concerns to your local regulatory authority.

For residents of the European Union, our primary Supervisory Authority is the Berlin Commissioner for Data Protection and Information Freedom.

In France, you can, at any time, file a complaint with the competent supervisory authority called CNIL (www.cnil.fr).

In general, to exercise your rights, please send your request. Regarding requests relating to your personal data which would reach us by mail, we ask you to indicate your e-mail address, last name, first name, postal address and to attach a copy of a document justifying your identity (national identity card by example).

We will send you a response within one (1) month of the date of receipt of your request. This period may be extended by two (2) additional months given the complexity and number of requests.

How does “Secrecy Cloud” work?

This is the section of this Policy that covers the actual encrypted files that you upload, access, store and share using our services (“Secrecy cloud”). The following specific terms apply:

When you upload a file, it is already encrypted, so we do not know whether it is personal to you or someone else, relates to a business or some other organization, or what it contains. We gather a small amount of metadata about the type of file, but that does not disclose the content or information that the file contains.

All Your Files remain encrypted at all times while they are on our Secrecy Cloud. They are never received, stored or otherwise dealt with by us in unencrypted form because any decryption takes place only on your device or that of another user to whom you have provided the file/folder links and keys that are created when you give them access. Your Files are therefore not personal data under the GDPR since they are never held by Secrecy in a form that is information about an identified or identifiable natural person.

We collect Your Files because that is necessary for us to provide our end-to-end encrypted cloud storage and collaboration services that you contract for.Although Your Files are not personal information within our system because you have encrypted them, you should know that we store your data and make them available from servers that are owned and controlled by us, in secure facilities in Europe or in countries that the European Commission has determined to have an adequate level of protection under Article 45 of the GDPR, depending where you are based. None of Your Files are stored in, or made available from, the United States of America.

We keep your Secrecy Cloud while you are subscribed to our services but subject to our suspension and termination rights. You must maintain copies of Your Files. We do not make any guarantees that there will be no loss of data or the services will be bug free.

You should download your files prior to termination of services including where the administrator of a business account, within which you have used the services, terminates that business account. If you forget your password you will lose access to all the files contained in our Secrecy Cloud unless you have exported a Recovery Key.

When you delete one of your files, it will be made inaccessible, marked for deletion and removed when the next appropriate file purging process is run, subject to any retention.

What do we need to create an account?

This is the section of this Policy that covers account information you give us, and metadata that we generate in relation to our services. The following specific terms apply

When you sign up for particular services on our website or application, you may need to give us the details required in our registration form and will need to keep that information up to date. No payment account is expected for the Beta version of the application.

You do not need to give us any information other than an email address to use a free Secrecy account, but the volume of files that you can store and some other functionality is limited with such accounts. Functionalities is limited with such an account.

When you use our services, our systems retain the following metadata in unencrypted form :

  • Browser type and operating system of the devices from which you have logged in to Safe by Secrecy; IP address and port information for logins, API usage, file uploads, folder creations and link exports;
  • The country that we expect you are accessing our services from (inferred by matching your IP address to a public IP address database); File sizes, versioning order, timestamps and parent-child file relationships; Deletion timestamps;
  • The email address of anyone you have specifically made a contact using Safe by Secrecy’s systems.
  • The email address of anyone you have specifically made a contact using Safe by Secrecy’s systems.
  • Takedowns and account suspensions;
  • Our potential communications with you;
  • Your personal account settings, including any avatar picture.

From time to time we may need to communicate with each other directly. We will use the email address you have included in the settings information in your account.

If you forget your password, you will lose access to all your data unless you have exported a Recovery Key.

We will collect, store, use and otherwise process Account Data so that we can provide the services you have contracted to obtain from us. We also have a legitimate interest in processing Account Data so that we can maintain and improve our systems and services and communicate with you as referenced in this Policy.

We retain Account Data as long as your account is active. After account suspension or termination including where the administrator of a business account, within which you have used the services, terminates that business account, we may, but shall not be obliged to, retain all Account Data if enforcement action is likely or commenced.

Users sometimes request that an account be reactivated so we keep Account Data for 6 months for that purpose. Where there is no enforcement action likely or commenced and the 6 month period has expired, Account Data that identifies you will be anonymized, but where you are a contact of, have had a folder shared with you by, those details will continue to be retained to allow services to continue for those other users.

Any requests for access to, or correction of, Account Data that is not available to you when you are logged into your account, or if you cannot log in to your account, should be made to technical@secrecy.tech specifying the information in question. The information will be provided promptly, and at least within 6 months, without charge unless the request is manifestly unfounded or excessive. Corrections will be promptly considered and actioned if appropriate.

In order to pursue our legitimate interest of preventing the creation of accounts by spam bots or human spammers, Secrecy uses a variety of human verification methods. You may be asked to verify using either reCaptcha, Email, or SMS. IP addresses, email addresses, and phone numbers provided are saved temporarily in order to send you a verification code and to determine if you are a spammer.

If Secrecy has disclosed the Account Data to any third party only as a compliance authority), it will inform them of any correction where possible and will also inform the individuals about the third parties to whom the data has been disclosed where lawful and appropriate.

How do we use your data on the website?

This is the section of this Policy that covers activity on our application. The following specific terms apply:

We may collect statistics about visits to our website to measure the number of visitors to different parts of the website, to assess user access patterns, to make the website load faster and otherwise to operate the website. We may use cookies or other similar technology for these purposes. It is necessary for us to do this so that we can accelerate login and loading of the encryption functionality of our website that you contract so that we can improve the functionality of our website and to provide offers of additional services.

By using our website, apps or our services, you specifically consent to our use of cookies and such other technology to collect data

Where the website has stored your login session, you can delete or disable that information from browser localStorage, but this will result in longer load times and/or the need to re-enter your account credentials every time you open the website.

We may

  • Analyse and use the website usage data for marketing or statistical purposes as well as to improve the way we do business with our users;
  • Serve advertisements or use third-party advertising companies to serve advertisements on the website and on third party sites, as well as to assist us in analysing our marketing and other business efforts.

We and these advertisers may use cookies or other similar technology to collect information about your visits to the website and other sites in order to provide targeted advertisements to you.

We collect and keep Website Usage Data with your consent to provide services and support related to the website and our services, for market and product research and to be able to give users promotional material and special offers on our services.

Data access rights -how to exercise your rights?

Access and restrictions

You have the right to request access to your Data, namely: the reasons why we hold your personal data (email for instance) the categories of data we hold; our use of your personal data; who has access to your personal data (and their location); where your personal data may be transferred;how long we keep your personal data;if you did not provide us with your personal data directly, how we obtained it; your rights under applicable laws and the ability to restrict processing;the possibility of lodging a complaint with the competent supervisory authority; whether we use your personal data for any automatic decision-making and how we do it. You have the right to request the rectification of your Data. You have the right to request the limitation of the processing of your Data.

It is important to note that this right only applies if (i) you dispute the accuracy of your Data for the period allowing us to verify the accuracy of the latter, (ii) you consider that we are unlawfully processing your Data and that you require a limitation of their use rather than an erasure, (iii) we no longer need your Data with regard to the purposes referred to in paragraph 3 but that these are still necessary for the recognition, the exercise or the defense of your rights in court, (iv) in the event of exercise of your right of opposition during the period of verification relating to whether the legitimate reasons which we are pursuing prevail over yours.

Deletion of data

You have the right to request the deletion of your Data. In case you send a request to delete your Data, no data may be kept in the form of archiving, except for the time necessary to meet its legal, accounting and tax obligations. You have the right to request to exercise your right to object to processing carried out for the purposes of commercial prospecting.

Post-mortem requests

You have the right to formulate specific and general post-mortem guidelines regarding the retention, erasure and communication of your Data. In the absence of any instructions, your heirs can contact our administrator in order to (i) access the Data processing and / or (ii) to close your Account on the Platform and / or oppose the further processing of your Data. In any case, you have the possibility to tell us, at any time, that you do not wish, in the event of death, that your Data be communicated to a third party.

Do we use mobile analytics software?

We may use analytics software or develop it internally to send crash information to our developers so that we can fix bugs rapidly.

Some platforms may also collect aggregate, anonymous statistics like which type of devices and operating systems that are most commonly used, the total number of installs, total number of uninstalls, and the total number of active users.

None of the software on our website will ever access or track any location-based information from your device at any time. Any personal data acquired during this process is anonymized.

How do we store your Data?

All servers used in connection with the provisioning of the services (Secrecy Send and Secrecy Cloud) are located in OVH and wholly owned and operated by the Company.

Only employees of the Company have physical or other access to the servers. Data is ALWAYS stored in encrypted format on our servers. Offline backups may be stored periodically, but these are also encrypted. We do not possess the ability to access any user encrypted message content on either the production servers or in the backups.

What is our Data Retention policy?

When an account is closed, data is immediately deleted from production servers.Deleted emails are also permanently deleted from production servers.

What are your responsibilities for protecting your data?

You must ensure that anyone to whom you give access to any of our services or your Account Data complies with this Policy. You are responsible for their compliance

We strongly urge you to use best practices for ensuring the safety of your systems and devices (e.g. via unique passwords, security upgrades, firewall protection, anti-virus so_ware, securing devices).

Secrecy will never send an email asking for your password or suggesting that you click a link to login to your account, so do not be fooled by any such email since it will not be from us. We cannot guarantee the security of computers or devices nor of transmission from and to your device over the Internet and thus cannot guarantee there will be no unauthorized access.

Also, if you lose or otherwise allow access to your password or encryption keys, you will lose the security of all your data. If you forget your password you will lose access to all your data unless you have exported a Recovery Key.

Using the same password for Secrecy as you have used at other sites can lead to others accessing and taking control of your Secrecy account if one of those other sites is breached or hacked.

What is our role regarding the disclosure for civil or criminal enforcement?

If we think it is necessary or we have to by law in any jurisdiction, then we are entitled to give your files, your messages and Account Data and any website Usage Data to competent authorities.

We reserve the right to assist any law enforcement agency with investigations, including disclosure of information to them or their agents.

We also reserve the right to comply with any legal processes, including but not limited to subpoenas, search warrants and court orders initiated by enforcement authorities or other third parties.

We may disclose your data to enforce or apply any other agreement we have with you, or to protect the rights, property, or safety of us or our other users, third parties or the operation of our services.

What is the policy regarding our related or affiliated entities, payment processors and resellers?

You have a contract with Secrecy but our services (including personal information processing) may be provided by our related or affiliated entities, payment processors and resellers, in other jurisdictions, subject to applicable laws.

You authorize Secrecy and each of those related or affiliated entities to collect, store, share and otherwise process your data among themselves, as necessary to provide the services, subject to applicable laws. This will only be applied in an entity of a country of the European Union, or a country whose level of compliance has been approved by the European Commission. If the transfer is performed to a third party entity, the company undertakes to have these standards subscribed to this entity.

You authorise Secrecy and each of those related or affiliated entities, payment processors and resellers to collect, store, share and otherwise process.

You authorise Secrecy and each of those related or affiliated entities, payment processors and resellers to collect, store, share and otherwise process.

We will never sell Your Files, Your Messages, any Account Data or any Website Usage Data.

We will not disclose or otherwise Your Files, Your Messages, any Account Data or any Website Usage Data to a third party.

Can we contact you?

We may send invoices, security or service updates and various other notices by email to the email address listed in your account.

If appropriate, some of those notices will contain unsubscribe information so you can opt out of further receipt.

We will abide by any email unsubscription request (other than those we need to send for invoicing, security or service updates and other service provider purposes)

We will abide by any email unsubscription request (other than those we need to send for invoicing, security or service updates and other service provider purposes)

Security measures

We undertake to implement the appropriate technical and organizational measures in order to guarantee a level of security adapted to the risk incurred for the rights and freedoms. These measures are defined to take into account the state of knowledge, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks identified.

Changes to our policy

We may make changes to this Policy in the future. Any changes will be applied on a realtime basis. The notification will be applied as follows : Either by a pop-up on connection which requires acceptance of the new terms of the contract; either by email detailing the new version, or only of the modified article(s).