Privacy Policy

Effective Date: 10/24/2017

Our mission is to provide a novel approach to secure cloud storage. Tresorit will allow you to share files, and collaborate with your partners, colleagues and friends with cryptographic end-to-end security guarantees. As our objective is to operate such a high-quality service perfectly, we attach great importance to the protection of your Personal Data and your right to self-determination and make every necessary precaution in order to safely handle your Personal Data.

This Privacy Policy (hereinafter referred to as: “Policy”) applies to www.tresorit.com owned and operated by Tresorit Kft, and its wholly owned subsidiary, Tresorit AG (together as ”Tresorit”, “we”, “our”, “us”). This Policy provides our policies and procedures for collecting, storing, using, processing and disclosing your personal information and also forms an integral part of the Terms and Conditions of Use (hereinafter referred to as: “Terms”).

The provisions of this Policy are in conformity with Act CXII of 2011 on the Right of Informational Self-determination and Freedom of Information (hereinafter referred to as: “Data Protection Act”) and EU Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

Tresorit is dedicated to continuous improvement of all parts of the Service, so if you have any question or feedback on this Policy, please let us know by sending an email to support@tresorit.com.

  • Terms and interpretation

    In this Policy, unless it is expressly provided otherwise, or the context otherwise requires, the following terms shall have the meaning set forth below:

    Data Controller” (also ”Tresorit”, “we”, “our”, “us”) means Tresorit Kft., a company organized and validly existing under the laws of Hungary (registered office: H-1095 Budapest, Lechner Ödön alley 6., Hungary, EU, registering authority: Company Court of Budapest-Capital Tribunal; registration number 01-09-969460; VAT Number: HU23520152) and its wholly owned subsidiary, Tresorit AG, a company organized and validly existing under the laws of Switzerland (registered office: CH-9052 Niederteufen AR, Büelstrasse 7, Switzerland, registering authority: Commercial Register of the Canton of Appenzell Ausserrhoden, registration number CH-300.3.017.920-5) , which determines the purposes and means of the Data Management, makes the decisions on the Data Management (including the means used) and executes and / or appoints a Data Processor to execute such decisions.

    Data Management” means any operation or set of operations performed by the Data Controller on data, in particular collection, record, organization, storage, alteration, usage, query, transmission, disclosure, alignment, combination, deletion and erasure of data irrespective of the means thereof.

    Data Processing” means the performance of technical tasks related to Data Management regardless of the method, means and place of application.

    Data Processor” means a natural or legal person or organization without legal personality performing Data Processing on the basis of a contract concluded with the Data Controller.

    Data Subject” (also “you”, “your”) means any natural person identified or directly or indirectly identifiable on the basis of Personal Data.

    Data Transmission” means granting access for specified third persons to data.

    Personal Data” means any data which can be associated with the Data Subject, in particular first name, last name, personal identification, one or more physical, physiological, mental, economic, cultural or social characteristics, and any conclusions which can be drawn from the data upon the Data Subject.

  • Scope of Data Management

    Tresorit may collect, record, store, process and transmit your Personal Data and other information only with your consent. By using our services, you give your consent to Tresorit to perform Data Management solely in accordance with this Policy.

    We make all the necessary measures to safeguard and protect your Personal Data and other information you provide to us or we may obtain from your usage of our services. We think privacy is a high priority, therefore this Policy primarily focuses on the authenticity and integrity of Data Management, while the implementation of our scheme tries to take the best available technical and organizational measures in order to obviate any kinds of breach.

    The security of your personal data is important to us. When you use our services, we encrypt all and every transmission of information using Secure Socket Layer technology (SSL), and we also apply additional, client side encryption on Your Encrypted Content as defined later. We follow generally accepted standards, and we usually go beyond the standards to protect the personal information submitted to us, both during transmission and once we receive it. We NEVER collect or store your files, encryption keys and passwords in an unencrypted or invertible form. Files and some corresponding encryption keys can only be decrypted by the people you explicitly shared with, or in case of a business account with recovery master key, by Your Business Domain Administrator. According to the best of our knowledge, the current state of the art and the public knowledge of the human race, we cannot decrypt Your Encrypted Content. During using the service, you also submit some non-Encrypted Content, like your email address. Although we don’t use client side encryption to those data, the transmission and storage of such data is still highly secured, and access is strictly restricted. Even though we do our best with such data, no method of transmission over the Internet, or method of electronic storage is 100% secure. If you have any questions about security on our site, you can contact us at support@tresorit.com.

    The scope of our Data Management includes the followings:

    Personal Data and other information you give us: Tresorit account creation process requires giving us certain Personal Data and other contact information. The collected Personal Data may include your e-mail address, first name, last name and a certificate created in relation with such information, and we may also store billing and payment information associated with you. The visibility of your Personal Data is restricted, will be accessible only by us, or in case of a business account, by Your Business Domain Administrator. Your email address, first and last name are visibly by the people you send an invitation to, or from whom you accept an invitation. In case you accept somebody’s invitation, the inviter will be able to access your Personal Data to the same limited extent. You are free to decline any invitation, and if you do so, the inviter will not get access to your Personal Data. Please note that your Personal Data transmitted is encrypted, but stored in non-client-side encrypted format , in order to provide the service, like we need your email address to send you email notices.

    Your Encrypted Content: The files and directories you upload and store using our services will be encrypted in such a way that neither we nor any third parties can access its content and its encryption keys or files in a readable form. Our encryption process is designed to provide access to such data up to the extent allowed by you, and nobody else is able to decrypt Your Encrypted Content, except in case of a business account, in which case Your Business Domain Administrator might have a master key to Your Encrypted Content. This Policy does not grant us any right to your files or intellectual property, we and the Data Processor mandated by us perform only Data Procession tasks which are needed for providing the services as explained below. You understand that in order to provide the services Tresorit may perform Data Management such as access, transmit across networks and modify the location of Your Encrypted Content solely in an encrypted form.

    Support Request: You may connect with us using our support system at support.tresorit.com or writing an email to support@tresorit.com, or other means. Unless you contributed on our public community site, the visibility of your request is restricted. You understand that those requests are transmitted encrypted, but stored non-encrypted format in order to be able to provide You support.

    Monitoring / Website / Cookies: Improving our services is really important for us, therefore we collect information for monitoring and debugging purposes. Please note that these types of information are collected automatically as a result of your use of the services or through the use of our website and web analytics services as described below. Such information may include your internet protocol address, your unique software ID, aggregated an anonymized error statistics, the type of browser you use, the site you visit immediately prior to visiting our website etc., but we never collect unencrypted or invertible passwords, encryption keys or files, and Tresorit Application does not monitor your activities of other applications on your device, except the file changes in folders you explicitly choose to sync. When you are using our services or visiting our website, your activities and information regarding these activities are also logged, while the website might use cookies and other tracking technologies in order to collect information for improvement purposes. Cookies are small text files that are placed on your computer by websites that you visit. These text files can be read by these websites and help to identify you when you return to a website. Cookies can be “persistent” or “session” cookies. Persistent cookies remain on your computer, when you have gone offline, while session cookies are deleted, as soon as you close your web browser. You are free to decline these cookies by applying the appropriate browser settings but please note that by doing so, you may experience interference during the use of our website only. You can decline to provide us error statistics in the client, but please note that in this case, it might be more difficult to our support team to find the problem when something goes wrong. The use of cookies by our partners, affiliates, tracking utility company, service providers is not covered by our privacy statement. We do not have access or control over these cookies. Our partners, affiliates, tracking utility company, service providers use session ID cookies to make it easier for you to navigate our site.

    Communication between our users: As a part of our services, Tresorit delivers invitations, for the purpose of which Tresorit stores and accesses such communication between you and the person who invites you or whom you invited. All Personal Data and other information regarding invitations and referrals (e-mail address, name, tresor name and its unique URL, storage account and username of the inviter / invited person), data entered into our forms and any other communication you send us are subject to our Data Management, therefore these types of Personal Data and other information remain in a non-encrypted form until deleted in accordance with Section 5 below.

  • Purpose of Data Management

    As we collect, store, transmit and process various types of Personal Data, such as full name, email address and other information, we feel that it is essential to make clear the purposes for such operations. When you download and use our services, we automatically collect information on the type of device you use, operating system version, and the device identifier (or "UDID"). We do not ask for, access or track any location based information from your mobile device at any time while downloading or using our Mobile Apps or Services. Please note that by creating a Tresorit account and using our services you acknowledge and agree with the following objectives and purposes.

    In general, we use the submitted information for functional and improvement reasons, and we do not sell any of the submitted information. It is also important to underline that we want to prevent and take action against any activity that is or may be in breach of the Terms https://tresorit.com/terms-of-use, this Policy or the effective legal provisions. In light of these principles, we detail the purposes of Data Management for the following specific types of data as follows:

    Information you give us / Invitation messages: Your e-mail address and your first / last name are used for identification and contact purposes, as they are necessary to create and maintain specific Tresors, as well as keeping up the communication channels among us and our users. The same provision applies to every invitation message sent out, thus we can track our user groups, and improve our service from time to time. When you invite or send a referral to a Third Party, who is not already a Tresorit user, we store the contact details you provided us, like email address, in order to notify such user about your invitation. We might notify an invited user not more than 3 times, and a referred users not more than 1 time, unless you, or another Tresorit user send an invitation or referral again. We don’t sell any Third Party data, and Third Party can choose not to receive more notifications any time, by using the unsubscribe link included in these notifications.

    Monitoring / Website / Log Data: There are mainly statistical reasons behind the storage of such information regarding the visitors of our website, their browser types, the Tresorit client version, internet protocol addresses, aggregated error logs or unique software IDs, the unique file IDs and encrypted filenames you uploaded or downloaded. By storing and analyzing such information, we will be able to create in-depth analysis about our service, which is essential for improvement, security and debugging purposes. Please note that any data stored or collected for statistical purposes will not be disclosed to any third parties, other than included in this policy our in our Terms of Use.

  • Disclosure to third parties

    We will share your personal information with third parties only in the ways that are described in this privacy policy. We do not sell your personal data to third parties. While we cannot access Your Encrypted Content in a readable, clear text format, you understand that we may need to share some of your Personal Data or other information we obtain from your use of Our Service in the following circumstances:

    Disclosure on legal order or business purposes

    Tresorit may transmit Personal Data if the applicable legal provisions so require, or when such action is necessary to comply with any laws, such as to comply with a subpoena, or similar legal process, authorities’ or court’s orders, for the protection of our rights and interests, to protect your safety or the safety of others or to investigate fraud.

    If Tresorit is involved in a merger, acquisition, or sale of all or a portion of its assets, you will be notified via email and/or a prominent notice on our web site of any change in ownership or uses of your personal data, as well as any choices you may have regarding your personal information.

    Using third party services

    You understand and accept that our website, Software and services may contain or implement applications, APIs, tokens, extensions, etc. that may be necessary for the operations of our services or allow you to interface with, link to and/or import content from various websites and services provided by trustworthy third parties, including but not limited to those of the Data Processor, such as Microsoft Azure or third parties for purposes of fraud prevention or to process payment transactions. These companies are authorized to use your personal information only as necessary to provide these services to us.

    Sharing content by You

    When you share content using our Service with a third party, including sharing through encrypted links or sharing tresors, by the nature of sharing, some of your profile data and the content you share will be shared with that shared party. When you share content, your activity, relevant metadata of file edits or downloads, might be disclosed to the shared party.For example, when you edit a document, the other members of the tresors will see that you carried out this activity after you have uploaded it. If You are using Tresorit DRM, Your activity metadata may also include information about when you opened a DRM –protected document.

    Business Administrator

    When you have a business account, we may share your account’s usage, your profile data (e.g. Your name and Your email address), and your Non-Encrypted Content. If your Administrator set up a recovery master key, that Administrator may also be able to access your Encrypted Content. You can always check if such recovery master key is set up inside the application, under the Settings menu.

  • Amendment, deletion and destroying of data

    Personal Data

    As a registered user, you can view your Personal Data stored by us at any time at the Settings/Account page in the client or you can connect with our support team at support@tresorit.com for further information. You can edit or delete these data from our database if your Personal Data have changed, or if you decide to stop using our Service, without limitations, by using the same Account page or contacting us at support@tresorit.com.

    You understand and accept that the deletion of your Tresorit account does not mean the immediate deletion of all of your Personal Data stored by us. We will retain and use your personal data as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. For identification purposes, Tresorit reserves the right to store your e-mail address for 1 year after your user account has been deleted. Same provision applies to the invitations you have sent out, as Tresorit will store such information for at least 90 days, but not more than 1 year after the validity of such invitation has expired. Upon the expiry of the aforementioned deadlines, Tresorit destroys such data in a way that those will not be available again to anyone.

    You also understand and accept that your Personal Data necessary for sending and receiving invitations may remain accessible to persons to whom you sent an invitation, or from whom you received and accepted an invitation, even if your Tresorit account is deleted or the invitation you sent or accepted has expired, or you stop sharing your Your Encrypted Content with such persons.

    Your email address may also be used for us to send you promotional or marketing emails. Out of respect for your privacy, you may choose to stop receiving these emails by following the unsubscribe instructions included in these emails or you may also contact us at support@tresorit.com. Push notifications may be sent to your device to notify you of new folders being shared. To opt out of push notifications, please edit settings at the device level.

    Your Encrypted Content

    As a registered user, you can access, edit or delete Your Encrypted Content. Once your Tresorit account is deleted for any reason, your Your Encrypted Content will be automatically deleted as well.

    You understand and accept that in line with the functionality of our services, in case you make any change to your Your Encrypted Content, based on your Aggregated User Plan, some previous versions of Your Encrypted Content might remain accessible to you and to the persons with whom you shared such previous versions. You may increase the number of the previous versions of your Your Encrypted Content which remains so accessible by upgrading your Tresorit account. You also understand and accept that previous versions of Your Encrypted Content exceeding this number or Your Encrypted Content which is chosen to be deleted by you or the people you gave appropriate permission, or due to the termination of your Tresorit account, might be restored for some days based on your Aggregated User Plan by the people you shared with the Your Encrypted Content. More than 30 days, but not more than 90 days after the expiry of such deadline Your Encrypted Content will be destroyed in a way that those cannot be restored and will not be available again to anyone, including you.

    Please note, as stated and regulated in Terms, we can delete or revoke access to Your Encrypted Content or to your account any time if you are in violation of Terms. We can also delete Your Encrypted Content or your account if you are a free user and you are inactive for more than 120 days, or if you failed to pay, or paid late as stated and regulated in Terms.

    You understand that once you shared all or a part of Your Encrypted Content by using Our Service with any person who accepted your invitation, such content goes out of your Control and remains accessible by such person to the extent you granted such person access, even if you select to delete or remove Your Encrypted Content.. Therefore we ask you to pay special attention with whom you share Your Encrypted Content.

  • Procedures in the event of a breach of security involving PHI held for a Tresorit Business Customer with a valid Business Associate Agreement.

    It is the Policy of this Company to thoroughly investigate and treat seriously any suspicion of a potential breach of its systems that would allow access to Your Encrypted Content in an unencrypted or otherwise readable form by unauthorized third parties. If such an unlikely event were ever to occur, Tresorit would promptly notify you via the e-mail address provided in the Personal Data.

    In the event your Encrypted Content contains Protected Health Information (“PHI”) and is stored by you as a Covered Entity or Business Associate, all as defined under the American Recovery and Reinvestment Act of 2009 (ARRA), including the Health Information Technology for Economic and Clinical Health Act, 42 U.S.C. 17921-17954 (HITECH), and the Health Insurance Portability Act of 1996 (HIPAA), then Tresorit’s handling of such PHI shall comport with the HIPAA and HITECH standards, to the extent Tresorit is a Business Associate and we have executed a HIPAA Business Associate Agreement with you. In the unlikely if not impossible event of a disclosure by Tresorit of the PHI in an unencrypted (or otherwise readable) form to an unauthorized third party, Tresorit shall undertake timely notification to you as a Covered Entity or Business Associate, pursuant to the terms and conditions of the applicable Business Associate Agreement.

  • Additional Information

    Our site includes links to other web sites whose privacy practices may differ from those of Tresorit. If you submit personal data to any of those sites, your information is governed by their privacy policies. We encourage you to carefully read the privacy policy of any web site you visit.

    Our web site offers publicly accessible blogs or community forums. You should be aware that any information you provide in these areas may be read, collected, and used by others who access them. To request removal of your personal data from our blog or community forum, contact us at support@tresorit.com. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why.

    You can log in to our support system using sign-in services such as Facebook Connect, Twitter or an Open ID provider, but such login will not give you access to your Encrypted Content. These services will authenticate your identity and provide you the option to share certain personal information with us such as your name and email address to pre-populate our sign up form. Services like Facebook Connect give you the option to post information about your activities on this web site to your profile page to share with others within your network. We strongly recommend you to use unique password for Your Tresorit Account, which differs from your passwords used elsewhere.

  • Changes to this Policy

    As every high-quality service, Our Service is constantly improved in effort to keep users satisfied, but these improvements necessarily mean changes. Due to the on-going changes in the law and the changing nature of technology, data practices will change from time to time. Thus, Tresorit reserves the right to alter or modify this Policy when it is necessary. If Tresorit makes any material change to this Policy, you as our registered user will receive a 30 day prior written notification in e-mail and these changes will be detailed also on this page in order to ensure that you are fully aware of what information is collected or stored, how it is used and under what circumstances it will be disclosed or transmitted so that you can make your own decision whether or not to continue using our services in light of such changes. Your privacy will not be reduced without your consent. If you are concerned about how your information is collected, stored, used or disclosed, you should periodically check back at this page. If you have any specific concerns not addressed in this Policy, please see Section VIII of this Policy for further contact information.

  • Further information and contact options

    You are entitled to enquire adjustment or deletion of your stored Personal Data. Furthermore, if you have questions about this Policy or want to know further information or explanation about the data we store about you, please contact us by email at support@tresorit.com, or write to us at:

    Tresorit AG

    Reg. number: CH-300.3.017.920-5

    Büelstrasse 7

    CH-9052 Niederteufen AR

    Switzerland

    Or to

    Tresorit Kft.

    Reg. number: 01-09-969460

    Lechner Ödön alley 6.

    H-1095 Budapest

    Hungary, EU

    Hungarian National Authority for Data Protection and Freedom of Information registration number: NAIH-71964/2014.