We take pride in being a security & privacy service accessible to everyone. So we have a simplified and easy to read version of our policy.
Below we will clarify how your data will be used, and the steps we took to protect it. By using Cryptee, you consent to the terms outlined in this policy.
Hello. We're from Estonia.
The Company is domiciled in Estonia, and thus governed by the laws and regulations of Estonia.
To sign up you will need to provide either a username, or optionally an email address for convenience.
It's just for sign up & important notifications. No spam. We won't sell or give this information to anyone else.
Any emails provided to the Service through sign up, waiting list, optional email verification, or optional notification/recovery email setting in your account, are considered personal data as defined and under protection by the Estonian Personal Data Protection Act and GDPR.
Such data will only be used to log you in, contact you with important notifications about the Service, to send you an invitation link to create your account, to verify your account, or to send you password recovery links if you choose to opt in.
We collect as little user information as possible. Only the absolute bare minimum stuff to still be able to provide a service to you. All your personal data is encrypted, but in order to provide a service, we still need a few bits of other data. Let's begin.
Visiting our website
We have an analytics system. We didn't trust any third party ones. So we built one ourselves instead. It is 100% anonymous, and it's only there just to see how well we're doing with design, improvements, features and page views.
We do not require ANY personal information. You don't even need to use an email. It's only for convenience.
Oh, and, legally we have to record the date and time of your sign up.
To provide you a service, we need access to some basic things in unencrypted format. These are:folder colors folder archive status # of things in each folder or album file byte-sizes after encryption version-IDs of each file / photo EXIF dates of photos storage space used last opened file's ID sort order of folders or albums based on their IDs language direction preference auto-lock timeout preference in minutes spell-checker preference all payment dates all payment amounts payment plan discounts payment type
We do NOT have access to the contents of encrypted photos or documents/files or any specific payment information. More about payments below.
Communications with Cryptee
Your communications, such as support requests, bug reports, or feature requests may be saved to improve our service, knowledge base and FAQ sections.
Error Reporting & Abuse Detection
We have an automatic error collection, abuse detection and reporting system. The error reports are anonymous, but linked to our support system via anonymous user IDs to better help you out. We keep these only for 90 days. Our abuse detection system automatically collects and retains IP addresses and browser user agents for 180 days, but these are deleted once they're no longer relevant.
We rely on another awesome and trusty company called Paddle to process payments, and we use your anonymous user ID to know / track when you paid.
Our policy is to collect as little user information as possible to ensure a completely private and anonymous user experience when using the Service. We also have no technical means to access the contents of your encrypted data, documents or photos.
Service's user data collection is as follows:
Visiting our website
The Service employs an analytics software created specifically by the Company, and not a 3rd party analytics solution to further improve security, privacy and anonymity. Using this solution we may at times track usage metrics, design improvements and track new features' adoption on our pages completely anonymously, without collecting any identifiable pieces of information.
These pieces of information are only collected in each unique session, without storing any trackers on the users' devices longer than each session, without tracking across sessions, with the sole purpose to improve our features, improve user experiences, increase new feature adoption and write better tutorials to guide our users.
We do not require ANY personal information to create an account but you may provide an email address for login and password recovery purposes. Should you choose to provide it, we do associate these information with your account (to be able to provide you the Service). We will also store your account creation time.
To provide you the Service, we have access to the following metadata: folder colors, folder archive statuses, number of documents/files/photos in each folder or album, document & bytesizes after encryption, generation/version identifiers for each document/file/photo (to let you know if a document/file was changed on another device of yours), EXIF dates of photos (to help you sort / find photos based on when they're taken), amount of storage space used, last opened document/file's id#, numerical sort order of files, folders and albums based on their IDs, language direction preference, auto-lock timeout preference in minutes, spell-checker preference, payment activation and deactivation dates, first payment date, all payment amounts, upcoming and past payment dates, subscription plan associated with your account, whether a discount was applied or not, payment time and the type of the payment method used.
We do NOT have access to the contents of encrypted photos or documents/files. We do NOT have access to any specific payment information. More information regarding payments related information is below.
Communicating with the Company
Your communications with the Company, such as support requests, bug reports, or feature requests may be saved by our staff, to improve our service and knowledge base featuring frequently asked questions.
Error Reporting & Abuse Detection
The Company relies on a third party to process payments, so the Company necessarily must share your user identification number with the payment processor to be able to know which account the payment will be applied to. We do not otherwise store any of your payment information.
All payments are processed by Paddle.com Market Ltd, 15 Bermondsey Square, SE1 3UN London, United Kingdom, as merchant of record.
We don't & won't have ads. We will never share your data unless for reasons listed in Data Disclosure below.
We do not have any advertising on our site. Any data that we do have will only be used for providing you the service, and never be shared except under the circumstances described below in Data Disclosure.
When using the collected general data and information listed above, we do not draw any conclusions about the data subject. Rather, this information is needed to (1) deliver the content of the Service correctly, (2) optimize the content of the Service, (3) ensure the long-term viability of our systems and technology, and (4) provide law enforcement authorities with the information necessary for criminal prosecution in case of a cyber-attack. Therefore, we anonymously analyze collected data and information statistically, with the aim of increasing the data protection and data security of the Service, and to ensure an optimal level of protection for the personal data we process.
Your documents, files and photos are always encrypted, and we can't access any of it. We may have backups (also encrypted) occasionally to be safe, but these are kept for up to 90 days.
The contents of your documents/files/photos are ALWAYS stored in encrypted format. Offline backups may be stored periodically, but these will be backups of already encrypted files. We do not possess the ability to access the contents of any user's encrypted documents/files/photos on either the live servers or in the backups. On top all this, all services use a second layer of at rest encryption and HTTPS while in transit.
When you delete your account, every piece of data we have about your account in our possession and control is immediately deleted. There may be some leftovers in backups (which by the way are encrypted with your keys, and inaccessible to us/or anyone else), but those will be deleted after 90 days if there hasn't been a disaster.
When a user account is deleted, all user data, including encrypted contents of documents/files/photos are immediately deleted from production servers. Active accounts will have data retained indefinitely. Deleted data may be retained in our backups for up to 90 days, which exists only for disaster recovery and are encrypted with the users' keys, therefore inaccessible to us/or anyone else.
We will only disclose the limited user data we possess if we receive an enforceable court order.
If someone wants your data, we can only give them the data listed above in the Data Collection section and the fully encrypted data, which we can't decrypt. (and scientifically speaking, nobody should be able to decrypt for the foreseeable million+ years)
If permitted by law, we will always contact you and let you know if we have a way to reach out to you (for example via Email).
We will only disclose the limited user data we possess if we receive an enforceable court order. If a request is made for the encrypted contents of documents/files/photos that we do not possess the ability to decrypt, the fully encrypted data or other user data disclosed above in the data collection section may be turned over. If permitted by law, we will always contact a user first before any data disclosure, given that we have a method to contact the user such as the user's email address.
We are fully committed to EU GDPR.
We can't even access your data. Only you can. That's what GDPR lawyers call magic. Basically your data is as private and as safe as it can be on the internet.
We use a few companies to help us bring you the service such as payments, error reports, or customer service portal etc. These companies are:
Google Cloud Platform, Cloudflare, Sentry IO, Paddle.
CRYPTEE is fully committed to EU GDPR.
Based on Article 25 and Recital 78, the Service fits into the category of "Data protection by design and by default", by allowing only the users themselves to hold decryption keys, and not having access to the users' unencrypted information.
We are transparent and upfront with our users regarding the information we process/store, the purpose, and in which form we store it.
We only transmit user data outside the EU in encrypted form, of which the encryption keys are held by our users and not by us.
Name & Address of the Data Controller
Controller for the purposes of the General Data Protection Regulation (GDPR), other data protection laws applicable in Member states of the European Union and other provisions related to data protection is:
Svartlab OÜ, Estonia. https://svartlab.com - firstname.lastname@example.org
The Service contains information that enables a quick electronic contact to our enterprise, which also includes an e-mail address. If a data subject contacts the controller by e-mail or via a contact form, the personal data transmitted by the data subject are automatically stored. Such personal data transmitted on a voluntary basis by a data subject to the data controller are stored for the purpose of processing or contacting the data subject.
Minimization, Routine Erasure & Blocking of Personal Data
Due to the nature of the Service, we do not possess any personally identifiable data. Other than an email address consensually provided by the data subject to use the Service more conveniently. We process and store the personal data of the data subject only for the period necessary to achieve the purpose of storage, or as far as this is granted by the European legislator or other legislators in laws or regulations to which we (the controller) is subject to. If the storage purpose is not applicable, or if a storage period prescribed by the European legislator or another competent legislator expires, the personal data are routinely blocked or erased in accordance with legal requirements.
Transparency & Data Portability
We transparently show all our users every piece of information we have linked to their accounts, and allow them to easily see, delete, or export their data. Since we do not possess the ability to decrypt our users' encrypted pieces of data, we instead allow our users to export/download these data in the encrypted format we store on our servers.
Cryptee uses multiple providers (sub-processors) to provide the Service to its users. These processors are all committed to GDPR, and are listed below.
Google Cloud Platform
Google Ireland Ltd. - Gordon House, Barrow Street, Dublin 4, Ireland
Cloudflare, Inc. - 101 Townsend St., San Francisco, CA 94107
Functional Software, Inc. - 132 Hawthorne St, San Francisco, CA 94107
Paddle Payments Ltd. - Core B, Block 71, The Plaza, Park West, Dublin 12, Ireland
Estina Ltd. - Paupio st. 46, Vilnius
We don't have any of that stuff.
We do not use any cookies in the Service. (nor any advertising tracking cookies, nor any other form of tracking cookies or user tracking system in general)
Only pieces of identifiers stored on the user's device locally are stored either in indexedDB, localStorage or sessionStorage, employed to authenticate, identify and secure users while using the service.
These locally stored pieces of identifiers are used only to prevent abuse, authenticate and remember the user while the user is actively using the Service and navigating between pages. All locally stored information is flushed clean once the user signs out.
To further improve security, encryption/decryption keys are only stored in memory and flushed once the page is reloaded, even if the user is not signed out. Therefore even if a user is not signed out, their files would be encrypted and inaccessible without re-entering this key after reloading the page or navigating away from it.
We also have a script that regularly deletes all cookies on each page load. This is used as an additional measure to ensure none of our providers can start adding unsolicited cookies in the future.
We might make small changes to this policy some day. If you continue to use the service, we'll assume you're cool with these.
We reserve the right to periodically review and change this policy from time to time. Continued use of the Service will be deemed as acceptance of such changes.
We're based in Estonia.
So that's where all our legal stories will take place.
This Agreement shall be governed in all respects by the substantive laws of Estonia. The exclusive jurisdiction to resolve any controversy, claim or dispute arising out of or relating to the Agreement is the Harju County Court in Tallinn Estonia.