Privacy Policy
Effective date: 01 September 2023
Note: new policy soon takes place, see here
For Tresorit, security and data privacy are of paramount importance. This Privacy Policy describes our commitment to protect the privacy of individuals in accordance with Swiss data protection laws and the
The main content on the left contains the legally binding full-length version. To help you understand our Privacy Policy better, we collected some helpful notes on the right to sum up the key points of the main content.
This Privacy Policy applies to our Services and websites, unless specified otherwise.
If you use the Tresorit Email Encryption Services or Tresorit Send, please visit the privacy notice which summarises our data processing practices in relation to that specific service.
Our Data Privacy Commitment
Our mission is to make privacy and security available to people and businesses. That’s why we use end-to-end encryption to protect files and folders you share and store in the cloud.
We encrypt all and every transmission containing personal data using Secure Socket Layer technology (SSL) and apply additional, client-side encryption on the files and directories uploaded and stored in protected storage folders (the Encrypted Content).
We never collect or store your files, encryption keys and passwords in an unencrypted or invertible form. The Encrypted Content and corresponding encryption keys can only be decrypted by you and persons with whom you explicitly share them. However, if you have an account that is part of a Business Subscription with recovery master key, Your Encrypted Content may also be accessed by your
According to the best of Tresorit’s knowledge, the current state of the art and the public knowledge of the human race, Tresorit is unable to decrypt the Encrypted Content and accordingly, Tresorit cannot access it. As a result, we cannot use Your Encrypted Content to identify any individual.
However, when using the service, creating and using your user account, you also submit some non-encrypted data, which may include personal data as well.
In a nutshell
Even though we can’t read or access the files and folders you store in Tresorit, we need to process some of your personal data to provide you with services.
Who will process your personal data?
What kind of personal data do we process?
What is the legal basis for processing?
How do we use your data?
How do you use your personal data?
Do we share your personal data with third parties?
Where do we transfer your data?
How do we protect your data?
How long will we retain your information?
Any further question?
Who will process your personal data?
In any case, certain activites of Tresorit are outsourced to third parties (processors), they may also use your personal data when acting on behalf of Tresorit. You can find more details about our sub-processors here.
What kind of personal data do we process?
A) Data that you provide to us
In order to send and deliver invitations upon your instructions, Tresorit stores and accesses certain personal data (such as the email address, name, Tresor name and its unique URL, storage account and username of the inviter and the invited person). Please note that your email address, first and last name are visible to others when you send them an invitation to, or if you accept an invitation.
Tresorit users may also require an email verification before you can download the content they shared with you. If you are signed in to Web Access, the email address associated with your account will be used by default for such purposes. Otherwise, the email you use for verification will be logged.
Please note that, the above information will be visible to the sender of the link and other users who have rights to share that specific file or folder. If you have any questions about this, please refer to the policies of the relevant organisation.
Also, for security purposes, certain information (such as your IP address, approx. location, and the platforms that were used to download the contents of the link) will be logged for your upload.
Please note that, the above information will be visible to the requester of the file and other users who have rights to access that specific file or folder. If you have any questions about this, please refer to the policies of the relevant organisation
Other information. You may decide to share further information, including personal data, with us when you contact our Support or Sales Teams, submit forms on our website or otherwise communicate with us. It is solely your decision to share any detailed, non-aggregated logs (which may contain e.g. non-encrypted filenames), your screen or any other data with us during such communications, so our processing of such data will be based on your consent.
Such information is requested for verification purposes and accordingly, this information will be visible to the initiator of the electronic signature process and other users who have rights to access that specific file or folder. Also, once the signing process is completed, a digital certificate is included in the electronically signed file. Anyone in possession of the electronically signed file may view information above based on the digital certificate at any time. If you have any questions about this, please refer to the policies of the relevant organisation.
We store access data without direct personal references, namely the visitor’s browser types, the name of your internet service provider, the website from which you have visited us, the name of the requested file, the Tresorit client version you download, and internet protocol addresses.
Unless you choose to identify yourself, either by responding to a promotional offer, opening an account or filling out a web form, this data does not allow us to draw any conclusions regarding your identity. By storing and analyzing such information, we are able to create in-depth analysis about our service, which is essential for improvement, security and debugging purposes.
This information includes internet protocol (IP) addresses as well as browser type, operating system, identification numbers associated with your devices, time of access, and error logs. We log website visits and application usage statistics to improve our services.
Analytics. When you download and use our services, we automatically collect information such as the type of device you use, operating system version, your Tresorit client version and the IP addresses associated with you.
B) Information that we collect from third parties
Our resellers and distributors. From time to time, we engage trusted business partners who help us generate leads, and market, promote and resell our product. We receive information from these partners, such as billing information, contact information, company name and registered address.
What is the legal basis for processing? (for EEA users)
- It is necessary in order to provide you Tresorit services, including to set up and maintain a Tresorit account for you, to provide customer support and to protect the safety and security of our services; Necessary for provision of services
- It satisfies a legitimate interest (which is not overridden by your data protection interests), such as for research and development, to market and promote our services and to protect our legal rights and interests; Legitimate interest
- You give us consent to do so for a specific purpose; Consentor
- It is needed to comply with a legal obligation. Legal obligation
How do we use your data?
Services Necessary for provision of servicesLegitimate interest
- We will use your personal data, such as Registration and Account Information, for the provision and maintenance of your user account, for authentication purposes, and for providing the Tresorit service to you and to other registered Tresorit users as designated by you.
Billing Necessary for provision of servicesLegitimate interest
- We will process your Registration and Billing Information for billing purposes, i.e. to complete transactions, and send you related information, including purchase confirmations and invoices.
Communications Necessary for provision of servicesLegitimate interestConsent
- We will send you technical notices, updates, security alerts, support and administrative messages. Please be aware that you cannot opt out of receiving certain service messages from us, including necessary security alerts and legal notices.
- We also send messages about how to use the services. You may change your communication preferences at any time.
- Push notifications (in-app) may be sent to your device to notify you of new folders being shared or certain events or user actions regarding the user account or the user’s data. To opt out of push notifications, please edit settings at the device level.
- Our service also enables communications between you and others. In particular, sending and delivering invitations, between you and the person who invites you or whom you invited.
We will send you emails with tips and tricks on how you can use Tresorit the best. You can change your email preferences anytime.
Developing Services Legitimate interest
- We are always looking for ways to make Tresorit services better, faster, smarter, and more secure. We use aggregated web statistics and logs about how people use our services and feedback provided directly to us to troubleshoot and to identify trends, usage, activity patterns and improvement of our services.
- We also test and analyze certain new features with some users before rolling the feature out to all users.
Marketing Legitimate interestConsent
- If you are an existing customer of Tresorit, we may use your email address and phone number provided to us to send you marketing communications, such as providing you with information about similar Tresorit products and services, unless you have opted-out.
- We may also use information about you, including web statistics and logs, to personalize the content and experience you receive on our websites or in our marketing communications, as well as by displaying Tresorit ads on other companies' websites and applications, such as on platforms like Facebook and Google. Where legally required, also seek your consent for sending marketing communications.
Security Legitimate interestLegal obligation
- We use information about you to secure your profile, verify accounts and activity, to monitor suspicious or fraudulent activity and to identify violations of our Terms of Service or Acceptable Use Policy.
Customer Support Legitimate interestConsent
- Occasionally, we connect personal information to information gathered in our log files as necessary to provide better customer experience and to improve our services. In such a case, we would treat the combined information in accordance with this policy.
- You may opt-out of these statistics or logs at any time by editing settings, but please note that in this case, it might be more difficult to our support team to find the problem when something goes wrong.
Protecting our legitimate business interests and legal rights Legitimate interestLegal obligation
- Where required by law or where we believe it is necessary to protect our legal rights, interests and the interests of others, we use information about you in connection with legal claims, compliance, regulatory, and audit functions, and disclosures in connection with the acquisition, merger or sale of a business.
Aggregate Insights Legitimate interest
- We use mobile analytics software to allow us to better understand the functionality of our mobile application on your device. This software may record information such as how often you use the mobile application, the events that occur within the mobile application, aggregated usage, and performance data. While we use your information to produce aggregate insights, such insights do not identify you.
Other purposes
- We may also process your data for any other purposes for which we obtain your consent where necessary or otherwise in accordance applicable law and this policy.
How do you use your personal data?
Do we share your personal data with third parties?
1) Complying with legal requirements
2) Using third-party service providers
3) Content shared by you
4) Downloading content
5) Administrators
If you register an individual account and the domain of your email address is owned by an organization and was assigned to you as an employee, contractor or member of the organization, we may help your Administrator find your account by sharing some basic information about your account (such as your email address). This helps you join the relevant Business Subscription.
If your account is subject to Advanced Control, your Recovery Administrator may also be able to access your Encrypted Content as set out in section 5 of our Terms. You can always check whether Advanced Control is set up in respect of your account, under the Settings menu.
6) Business transactions
7) Testimonials
Where do we transfer your data?
We primarily store personal data within the EEA or Switzerland. Your personal data stored with us may also be transferred to countries outside of the EU or Switzerland. All such transfers of personal data are and will be made in accordance with applicable laws. You can reach the list of our current sub-processors here.
How do we protect your data?
A) Security
B) Confidentiality
According to the best of Tresorit’s knowledge, the current state of the art and the public knowledge of the human race, Tresorit is unable to decrypt the Encrypted Content and accordingly, Tresorit cannot access it. As a result, we cannot use Your Encrypted Content to identify any individual.
How long will we retain your information?
A) Your Personal Data
If your personal data is held by us on behalf of your company, we will retain such personal data in accordance with the terms and conditions of our data processing agreement with them, subject to applicable law.
B) Your Encrypted Content
You understand that once you shared all or a part of Your Encrypted Content by using Our Service with any person who accepted your invitation, such content goes out of your Control and remains accessible by such person to the extent you granted such person access, even if you select to delete or remove Your Encrypted Content. Therefore we ask you to pay special attention to whom you share Your Encrypted Content with.
Your data protection rights
- You have the right to have your data deleted. In certain circumstances, you may have a broader right to erasure of your personal data. For example, if it is no longer necessary in relation to the purposes for which it was originally collected. Please note, however, that we may need to retain certain information for record keeping purposes, to complete transactions or to comply with our legal obligations.
- You may have the right to request us to stop processing your personal data and/or to stop sending you marketing communications.
- You may have the right to request that we restrict processing of your personal data in certain circumstances (for example, where you believe that the personal data we hold about you is inaccurate or unlawfully held). You also have the right to have incorrect data corrected. If the accuracy of the data cannot be definitively established, the data may be marked with a note of dispute/denial notice.
- In certain circumstances, you may have the right to be provided with your personal data in a structured, machine readable and commonly used format and to request that we transfer the personal data to another data controller without hindrance.
Please note that if your account is part of a Business Subscription, we will not independently respond to your request without your organisations’s prior written consent, except where required by applicable law.
You also have the right to complain to a data protection authority or claim damages before the court. For more information, please contact your local data protection authority. In Switzerland, the competent supervisory authority for data protection is the Federal Data Protection and Information Commissioner. A list of contact details for the EU data protection authorities is available here.
Withdrawal of consent
Changes to this policy
If there are any material changes to this policy, you will be notified 30 days prior to the change becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices. Your continued use of our website or our services constitutes your acknowledgement of such changes to this policy.
Third party controllers
Any further question?
We have also appointed a data protection officer, whom you can reach at dpo@tresorit.com. We speak English.
As Tresorit AG is located outside of the EU, we appointed our EU affiliate to represent us in relation to any GDPR-related issues. This does not change the fact that Tresorit AG is the controller who ultimately handles your data. If you wish, you can also contact them directly:
Tresorit Kft.
Köztelek utca 6.
1092 Budapest, Hungary
Updates: Privacy Policy
We want to be as transparent as possible about the changes we make to our Privacy Policy. In this archive you can see the previous versions of the policy.
- Current version (01/09/2023)
Key changes:
- We made amendments to ensure that our Privacy Policy is compliant with the new Swiss Federal Data Protection Act (revFADP) as well as GDPR.
- 05/09/2022
Key changes:
- Due to the introduction of Tresorit eSign we added a section to clarify how we handle data when you are using this feature.
- 19/08/2022
Key changes:
- For the sake of clarity, we have updated the Privacy Policy‘s wording regarding email verification.
- 15/06/2022
Key changes:
- Due to the introduction of email verification with Microsoft and Google accounts, we clarified how we handle your data when using this feature.
- 26/02/2022
Key changes:
- For the sake of clarity, we specified the scope of the Privacy Policy and added links to privacy notices specific to certain Tresorit services.
- 25/03/2020
Key changes:
- Because of the introduction of our "File Request" feature, we are updating the scope of data collected.
- 09/10/2019
- 19/02/2019
- 24/08/2018
- 25/05/2018
- 24/10/2017