We take pride in being a security & privacy service accessible to everyone. So we have a simplified and easy to read version of our policy.
Below we will clarify how your data will be used, and the steps we took to protect it. By using Cryptee, you consent to the terms outlined in this policy.
hello. we're from estonia.
The Company is domiciled in Estonia, and thus governed by the laws and regulations of Estonia.
To sign up you will need to provide either a username, or optionally an email address for convenience.
It's just for sign up & important notifications. No spam. We won't sell or give this information to anyone else.
Any emails provided to the Service through sign up, waiting list, optional email verification, or optional notification/recovery email setting in your account, are considered personal data as defined and under protection by the Estonian Personal Data Protection Act and GDPR.
Such data will only be used to log you in, contact you with important notifications about the Service, to send you an invitation link to create your account, to verify your account, or to send you password recovery links if you choose to opt in.
We collect as little user information as possible. Only the absolute bare minimum stuff to still be able to provide a service to you. All your personal data is encrypted, but in order to provide a service, we still need a few bits of other data. Let's begin.
VISITING OUR WEBSITE
We have an analytics system. We didn't trust any third party ones. So we built one ourselves instead. It is 100% anonymous, and it's only there just to see how well we're doing with design, improvements, features and page views.
We do not require ANY personal information. You don't even need to use an email. It's only for convenience.
Oh, and, legally we have to record the date and time of your sign up.
To provide you a service, we need access to some basic things in unencrypted format. These are:
We do NOT have access to the contents of encrypted photos or documents/files or any specific payment information. More about payments below.
Communications with Cryptee
Your communications, such as support requests, bug reports, or feature requests may be saved to improve our service, knowledge base and FAQ sections.
Error Reporting & Abuse Detection
We have an automatic error collection, abuse detection and reporting system. The error reports are anonymous, but linked to our support system via anonymous user IDs to better help you out. We keep these only for 90 days. Our abuse detection system automatically collects and retains IP addresses and browser user agents for 180 days, but these are deleted once they're no longer relevant.
We rely on awesome and trusty companies called Stripe and Paddle to process your payments, and we use your anonymous user ID to know / track when you paid.
We don't & won't have ads. We will never share your data unless for reasons listed in Data Disclosure below.
We do not have any advertising on our site. Any data that we do have will only be used for providing you the service, and never be shared except under the circumstances described below in Data Disclosure. When using the collected general data and information listed above, we do not draw any conclusions about the data subject. Rather, this information is needed to (1) deliver the content of the Service correctly, (2) optimize the content of the Service, (3) ensure the long-term viability of our systems and technology, and (4) provide law enforcement authorities with the information necessary for criminal prosecution in case of a cyber-attack. Therefore, we anonymously analyze collected data and information statistically, with the aim of increasing the data protection and data security of the Service, and to ensure an optimal level of protection for the personal data we process.
Your documents, files and photos are always encrypted, and we can't access any of it. We may have backups (also encrypted) occasionally to be safe, but these are kept for up to 90 days.
The contents of your documents/files/photos are ALWAYS stored in encrypted format. Offline backups may be stored periodically, but these will be backups of already encrypted files. We do not possess the ability to access the contents of any user's encrypted documents/files/photos on either the live servers or in the backups. On top all this, all services use a second layer of at rest encryption and HTTPS while in transit.
When you delete your account, every piece of data we have about your account in our possession and control is immediately deleted. There may be some leftovers in backups (which by the way are encrypted with your keys, and inaccessible to us/or anyone else), but those will be deleted after 90 days if there hasn't been a disaster.
When a user account is deleted, all user data, including encrypted contents of documents/files/photos are immediately deleted from production servers. Active accounts will have data retained indefinitely. Deleted data may be retained in our backups for up to 90 days, which exists only for disaster recovery and are encrypted with the users' keys, therefore inaccessible to us/or anyone else.
We will only disclose the limited user data we possess if we receive an enforceable court order.
If someone wants your data, we can only give them the data listed above in the Data Collection section and the fully encrypted data, which we can't decrypt. (and scientifically speaking, nobody should be able to decrypt for the foreseeable million+ years)
If permitted by law, we will always contact you and let you know if we have a way to reach out to you (for example via Email).
We will only disclose the limited user data we possess if we receive an enforceable court order. If a request is made for the encrypted contents of documents/files/photos that we do not possess the ability to decrypt, the fully encrypted data or other user data disclosed above in the data collection section may be turned over. If permitted by law, we will always contact a user first before any data disclosure, given that we have a method to contact the user such as the user's email address.
We are fully committed to EU GDPR.
We can't even access your data. Only you can. That's what GDPR lawyers call magic. Basically your data is as private and as safe as it can be on the internet.
We use a few companies to help us bring you the service such as payments or error reports etc. These companies are:
Google Cloud Platform, Cloudflare, Sentry IO, Stripe, and Paddle only if you became a paid user before February 21, 2021.
CRYPTEE is fully committed to EU GDPR.
Based on Article 25 and Recital 78, the Service fits into the category of "Data protection by design and by default", by allowing only the users themselves to hold decryption keys, and not having access to the users' unencrypted information.
We are transparent and upfront with our users regarding the information we process/store, the purpose, and in which form we store it.
We only transmit user data outside the EU in encrypted form, of which the encryption keys are held by our users and not by us.
Name & Address of the Data Controller
Controller for the purposes of the General Data Protection Regulation (GDPR), other data protection laws applicable in Member states of the European Union and other provisions related to data protection is: Svartlab OÜ, Estonia. https://svartlab.com - firstname.lastname@example.org
The Service contains information that enables a quick electronic contact to our enterprise, which also includes an e-mail address. If a data subject contacts the controller by e-mail or via a contact form, the personal data transmitted by the data subject are automatically stored. Such personal data transmitted on a voluntary basis by a data subject to the data controller are stored for the purpose of processing or contacting the data subject.
Minimization, Routine Erasure & Blocking of Personal Data
Due to the nature of the Service, we do not possess any personally identifiable data. Other than an email address consensually provided by the data subject to use the Service more conveniently. We process and store the personal data of the data subject only for the period necessary to achieve the purpose of storage, or as far as this is granted by the European legislator or other legislators in laws or regulations to which we (the controller) is subject to. If the storage purpose is not applicable, or if a storage period prescribed by the European legislator or another competent legislator expires, the personal data are routinely blocked or erased in accordance with legal requirements.
Transparency & Data Portability
We transparently show all our users every piece of information we have linked to their accounts, and allow them to easily see, delete, or export their data. Since we do not possess the ability to decrypt our users' encrypted pieces of data, we instead allow our users to export/download these data in the encrypted format we store on our servers.
Cryptee uses multiple providers (sub-processors) to provide the Service to its users. These processors are all committed to GDPR, and are listed below.
Google Cloud Platform
Google Ireland Ltd. - Gordon House, Barrow Street, Dublin 4, Ireland
Cloudflare, Inc. - 101 Townsend St., San Francisco, CA 94107
Functional Software, Inc. - 132 Hawthorne St, San Francisco, CA 94107
Stripe Payments Europe, Ltd. - 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland
and for paid users before February 21, 2021,
Paddle Payments Ltd. - Core B, Block 71, The Plaza, Park West, Dublin 12, Ireland
We don't have any of that stuff.
We do not use any cookies in the Service. (nor any advertising tracking cookies, nor any other form of tracking cookies or user tracking system in general)
Only pieces of identifiers stored on the user's device locally are stored either in indexedDB, localStorage or sessionStorage, employed to authenticate, identify and secure users while using the service.
These locally stored pieces of identifiers are used only to prevent abuse, authenticate and remember the user while the user is actively using the Service and navigating between pages. All locally stored information is flushed clean once the user signs out.
To further improve security, encryption/decryption keys are only stored in memory and flushed once the page is reloaded, even if the user is not signed out. Therefore even if a user is not signed out, their files would be encrypted and inaccessible without re-entering this key after reloading the page or navigating away from it.
We also have a script that regularly deletes all cookies on each page load. This is used as an additional measure to ensure none of our providers can start adding unsolicited cookies in the future.
We might make small changes to this policy some day. If you continue to use the service, we'll assume you're cool with these.
We reserve the right to periodically review and change this policy from time to time. Continued use of the Service will be deemed as acceptance of such changes.
We're based in Estonia. So that's where all our legal stories will take place.
This Agreement shall be governed in all respects by the substantive laws of Estonia. The exclusive jurisdiction to resolve any controversy, claim or dispute arising out of or relating to the Agreement is the Harju County Court in Tallinn Estonia.