Tresorit – Email Encryption Privacy Notice

Last update: 15th June 2022

This notice summarises how we collect and process your personal data in relation to the provision of Tresorit Email Encryption Services ("EE Services").

This notice does not describe our privacy practices relating to our website, tresorit.com and the Tresorit Services in general. If you are a visitor of tresorit.com and/or a user of the Tresorit Services, please visit the Tresorit Privacy Policy to learn more about the privacy practices that apply to you. Also, this notice does not apply to any third-party applications or software integrated with the Services ("Third-Party Services"), or to the privacy practices of any other third-party products, services or businesses.

Who will process your personal data?

Tresorit services are provided by Tresorit AG (company registration no: CH-300.3.017.920-5; address: Franklinstrasse 27, 8050 Zurich) ("Tresorit"), a company registered under the laws of Switzerland. Accordingly, Tresorit will be the controller of your personal data under EU law.

If your account is part of a Business Subscription (in accordance with section 5 of our Terms of Service), or you receive Encrypted Email Content from a Qualified User who is part of a Business Subscription, in certain cases the ultimate decisions regarding your personal data will be made by the relevant organization. In such a case, your company will be considered a controller and Tresorit will act as a processor, acting upon the instructions of such organization.

What kind of personal data do we process?

When you use the EE Services, we need to process some information about you to make the services work and to evaluate how you use our EE Services. This information may include the following personal data about you.

If you are a Qualified User, i.e. you are a Company Administered User and you meet certain requirements as described in the Documentation

  1. Data provided by you in relation to your Company Administered User Account
    • Name
    • Email address
  2. Data provided by you in relation to the use of the EE Services
    • Date and time of sent and received Encrypted Email Content
    • Sender and addressee email address

If you receive an Encrypted Email and/or respond to an Encrypted Email as a Collaborator

  1. Data collected for security purposes if you open an Encrypted Email
    • Verified email address
    • IP address
    • Approx. location
    • Browser user agent
    • If you use third-party single sign-on (SSO) to authenticate your email address, we will also receive identity data (such as your name) and other authentication information about you
  2. Data collected for security purposes if you respond
    • Date and time of sent and received Encrypted Email Content
    • Sender and addressee email address
    • Your verified email address
    • IP address
    • Approx. location
    • Browser user agent
    • If you use third-party single sign-on (SSO) to authenticate your email address, we will also receive identity data (such as your name) and other authentication information about you

If you receive an Encrypted Email and/or respond to an Encrypted Email as a Collaborator, please note that the above information will be visible to the Qualified User who shared the Encrypted Email Content with you. If you have any questions about this, please refer to the policies of the Qualified User’s organization.

Additional Data Provided by You: You may decide to share further information, including personal data, with us when you contact us, provide feedback to us regarding the EE Services or otherwise communicate with us. It is solely your decision to share any other data with us during such communications, so our processing of such data will be based on your consent.

Logs: Like most websites and services provided through the Internet, we gather certain information and store it in log files when you interact with our website or service. This information includes internet protocol (IP) addresses as well as browser type, operating system, identification numbers associated with your devices, time of access, and error logs.

What is the legal basis for processing? (for EEA users)

If you are an individual in the European Economic Area (EEA), we collect and process information about you only where we have legal bases for doing so under applicable EU laws. This means we collect and use your information only where:

  • It is necessary in order to provide you the EE Services, to provide customer support and to protect the safety and security of services;
  • It satisfies a legitimate interest (which is not overridden by your data protection interests), such as for research and development, and to protect our legal rights and interests;
  • You give us consent to do so for a specific purpose; or
  • It is needed to comply with a legal obligation.

How do we use your data?

We may process your personal data for several purposes, such as:

  1. Operating the Services
    • We will use your personal data, in particular for the provision and maintenance of our EE Services.
  2. Communications
    • We will send you information regarding the EE Services, such as notices about your use of the Service (for example when Encrypted Email Content has been shared with you). Please be aware that you cannot opt out of receiving certain service messages from us, including necessary security alerts and legal notices.
  3. Developing Services
    • We are always looking for ways to make Tresorit services better, faster, smarter, and more secure. We use aggregated statistics and logs about how people use our services and feedback provided directly to us to troubleshoot and to identify trends, usage, activity patterns and improvement of our services.
    • We also test and analyze certain new features with some users before rolling the feature out to all users.
  4. Analytics
    • We use analytics software to allow us to better understand the behaviour of our users to grow our business. This software may record information such as how often you use our EE Services, the events that occur while using the EE Services, aggregated usage, and performance data.
  5. Security
    • We use information about you to secure our EE Services, and to monitor suspicious or fraudulent activity and to identify violations of our Acceptable Use Policy.
  6. Protecting our legitimate business interests and legal rights
    • Where required by law or where we believe it is necessary to protect our legal rights, interests and the interests of others, we use information about you in connection with legal claims, compliance, regulatory, and audit functions, and disclosures in connection with the acquisition, merger or sale of a business.
  7. Providing (technical) support
    • Occasionally, we connect personal information to information gathered in our log files as necessary to provide better customer experience and to improve our services.
  8. Other purposes
    • We may also process your data for any other purposes for which we obtain your consent where necessary or otherwise in accordance with applicable law and this policy.

How do you use your personal data?

Please remember that if you send Encrypted Email Content to someone, you may reveal details about yourself. In particular, your e-mail address is visible to the people you send Encrypted Email Content to.

We are not responsible for your use of any otherwise personal data, which you make available to others via sending Encrypted Email Contents, or the activities of Collaborators to whom you give or make available your information. Where you provide your personal data to us, you agree to provide and maintain complete and accurate information and understand that you are solely responsible for that data.

Do we share your personal data with third parties?

We will share your personal data with third parties only in accordance with this notice. We will never sell your personal data to third parties. However, we may need to share some information, including personal data, we obtain from your use of our service in the following circumstances.

  1. Complying with legal requirements

    Tresorit may transmit personal data if the applicable legal provisions so require, or when such action is necessary to comply with any laws, including to meet national security or law enforcement requirements. We may also need to share personal data for the protection of our rights and interests, to protect your safety or the safety of others or to investigate fraud, in accordance with the applicable laws.

  2. Using third-party service providers

    In certain cases we need to share information, including personal data, with our affiliates and third-party service providers. In particular, we use Microsoft Azure for a number of services, including backup, storage and analytics, and Sendgrid for communication services.

  3. Third-party authentication providers

    If you decide to use SSO to authenticate your email address, we will also need to share certain limited information with such third-party provider. To learn more about the privacy practices of such third-party provider, please read the Privacy Policy of the relevant provider.

  4. Business Transactions

    We may assign or transfer this policy, as well as your account and related information and data, including any personal information, to any person or entity that acquires all or substantially all of our business, stock or assets, or with whom we merge.

Where do we transfer your data?

Tresorit AG is a company organized and existing under the laws of Switzerland, having affiliates within the territory of the EEA (Germany and Hungary). Switzerland has already been granted a data protection adequacy status by the European Commission. The effect of such a decision is that, if you are located in the EEA, transfers of your personal data to Switzerland are practically considered as intra-EU transmission of data.

We primarily store personal data within the EEA, in particular, on Microsoft Azure servers in Ireland. Your personal data stored with us may also be transferred to countries outside of the EU. All such transfers of personal data are and will be made in accordance with applicable laws.

How do we protect your data?

We take appropriate technical and organizational measures to protect your personal data against loss or other forms of unlawful processing. Tresorit is ISO 27001:2013 certified.

How long will we retain your information?

We will retain your personal data as long as it is needed to fulfill the purposes specified above, unless a longer retention period is required or permitted by law (such as tax, accounting or other legal requirements). When we have no ongoing legitimate business need to process your personal data, we will either delete or anonymize it as soon as it is technically possible.

Your privacy rights

You may ask us:

  • to provide information to you about the personal data that we or our processors maintain about you,
  • to correct inaccuracies or amend your personal data,
  • in certain circumstances, to delete your personal data,
  • to restrict processing of your personal data in certain circumstances (for example, where you believe that the personal data we hold about you is inaccurate or unlawfully held),
  • in certain circumstances, you may have the right to be provided with your personal data in a structured, machine readable and commonly used format and to request that we transfer the personal data to another data controller without hindrance.

You can request this by sending an email to support@tresorit.com. We will respond to your request within thirty days. Please note that we may ask you to verify your identity before complying with the request.

You also have the right to complain to a data protection authority or claim damages before the court. For more information, please contact your local data protection authority. A list of contact details for the EU data protection authorities is available here.

Withdrawal of consent

In cases where the processing of your personal data is based on your consent, you can withdraw your consent any time by contacting us at support@tresorit.com. If you withdraw your consent, we will no longer process your personal data for the relevant purpose. However, please note that such withdrawal of your consent does not affect the lawfulness of our processing activities based on consent before its withdrawal.

Changes to this policy

Like every high-quality service, our service is constantly improved in an effort to keep users satisfied, but these improvements necessarily mean changes. Due to the ongoing changes in the law and the changing nature of technology, data practices change from time to time. Thus, we reserve the right to alter or modify this policy when it is necessary.

Any further question?

If you have any questions, please contact us at support@tresorit.com.

We have also appointed a data protection officer, whom you can reach at dpo@tresorit.com. We speak English.

As Tresorit AG is located outside of the EU, we appointed our EU affiliate to represent us in relation to any GDPR-related issues. This does not change the fact that Tresorit AG is the controller who ultimately handles your data. If you wish, you can also contact them directly. The details of our EU-located affiliate are available here.