Effective Date: 10/24/2017
Our mission is to provide a novel approach to secure cloud storage. Tresorit will allow you to share files, and collaborate with your partners, colleagues and friends with cryptographic end-to-end security guarantees. As our objective is to operate such a high-quality service perfectly, we attach great importance to the protection of your Personal Data and your right to self-determination and make every necessary precaution in order to safely handle your Personal Data.
The provisions of this Policy are in conformity with Act CXII of 2011 on the Right of Informational Self-determination and Freedom of Information (hereinafter referred to as: “Data Protection Act”) and EU Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
Tresorit is dedicated to continuous improvement of all parts of the Service, so if you have any question or feedback on this Policy, please let us know by sending an email to firstname.lastname@example.org.
In this Policy, unless it is expressly provided otherwise, or the context otherwise requires, the following terms shall have the meaning set forth below:
“Data Controller” (also ”Tresorit”, “we”, “our”, “us”) means Tresorit Kft., a company organized and validly existing under the laws of Hungary (registered office: H-1092 Budapest, Köztelek u. 6., Hungary, EU, registering authority: Company Court of Budapest-Capital Tribunal; registration number 01-09-969460; VAT Number: HU23520152) and its wholly owned subsidiary, Tresorit AG, a company organized and validly existing under the laws of Switzerland (registered office: CH-8032 Zurich, Minervastrasse 3, Switzerland, registering authority: Commercial Register of the Canton of Appenzell Ausserrhoden, registration number CH-300.3.017.920-5) , which determines the purposes and means of the Data Management, makes the decisions on the Data Management (including the means used) and executes and / or appoints a Data Processor to execute such decisions.
“Data Management” means any operation or set of operations performed by the Data Controller on data, in particular collection, record, organization, storage, alteration, usage, query, transmission, disclosure, alignment, combination, deletion and erasure of data irrespective of the means thereof.
“Data Processing” means the performance of technical tasks related to Data Management regardless of the method, means and place of application.
“Data Processor” means a natural or legal person or organization without legal personality performing Data Processing on the basis of a contract concluded with the Data Controller.
“Data Subject” (also “you”, “your”) means any natural person identified or directly or indirectly identifiable on the basis of Personal Data.
“Data Transmission” means granting access for specified third persons to data.
“Personal Data” means any data which can be associated with the Data Subject, in particular first name, last name, personal identification, one or more physical, physiological, mental, economic, cultural or social characteristics, and any conclusions which can be drawn from the data upon the Data Subject.
Tresorit may collect, record, store, process and transmit your Personal Data and other information only with your consent. By using our services, you give your consent to Tresorit to perform Data Management solely in accordance with this Policy.
We make all the necessary measures to safeguard and protect your Personal Data and other information you provide to us or we may obtain from your usage of our services. We think privacy is a high priority, therefore this Policy primarily focuses on the authenticity and integrity of Data Management, while the implementation of our scheme tries to take the best available technical and organizational measures in order to obviate any kinds of breach.
The security of your personal data is important to us. When you use our services, we encrypt all and every transmission of information using Secure Socket Layer technology (SSL), and we also apply additional, client side encryption on Your Encrypted Content as defined later. We follow generally accepted standards, and we usually go beyond the standards to protect the personal information submitted to us, both during transmission and once we receive it. We NEVER collect or store your files, encryption keys and passwords in an unencrypted or invertible form. Files and some corresponding encryption keys can only be decrypted by the people you explicitly shared with, or in case of a business account with recovery master key, by Your Business Domain Administrator. According to the best of our knowledge, the current state of the art and the public knowledge of the human race, we cannot decrypt Your Encrypted Content. During using the service, you also submit some non-Encrypted Content, like your email address. Although we don’t use client side encryption to those data, the transmission and storage of such data is still highly secured, and access is strictly restricted. Even though we do our best with such data, no method of transmission over the Internet, or method of electronic storage is 100% secure. If you have any questions about security on our site, you can contact us at email@example.com.
The scope of our Data Management includes the followings:
Personal Data and other information you give us: Tresorit account creation process requires giving us certain Personal Data and other contact information. The collected Personal Data may include your e-mail address, first name, last name and a certificate created in relation with such information, and we may also store billing and payment information associated with you. The visibility of your Personal Data is restricted, will be accessible only by us, or in case of a business account, by Your Business Domain Administrator. Your email address, first and last name are visibly by the people you send an invitation to, or from whom you accept an invitation. In case you accept somebody’s invitation, the inviter will be able to access your Personal Data to the same limited extent. You are free to decline any invitation, and if you do so, the inviter will not get access to your Personal Data. Please note that your Personal Data transmitted is encrypted, but stored in non-client-side encrypted format , in order to provide the service, like we need your email address to send you email notices.
Your Encrypted Content: The files and directories you upload and store using our services will be encrypted in such a way that neither we nor any third parties can access its content and its encryption keys or files in a readable form. Our encryption process is designed to provide access to such data up to the extent allowed by you, and nobody else is able to decrypt Your Encrypted Content, except in case of a business account, in which case Your Business Domain Administrator might have a master key to Your Encrypted Content. This Policy does not grant us any right to your files or intellectual property, we and the Data Processor mandated by us perform only Data Procession tasks which are needed for providing the services as explained below. You understand that in order to provide the services Tresorit may perform Data Management such as access, transmit across networks and modify the location of Your Encrypted Content solely in an encrypted form.
Support Request: You may connect with us using our support system at support.tresorit.com or writing an email to firstname.lastname@example.org, or other means. Unless you contributed on our public community site, the visibility of your request is restricted. You understand that those requests are transmitted encrypted, but stored non-encrypted format in order to be able to provide You support.
Communication between our users: As a part of our services, Tresorit delivers invitations, for the purpose of which Tresorit stores and accesses such communication between you and the person who invites you or whom you invited. All Personal Data and other information regarding invitations and referrals (e-mail address, name, tresor name and its unique URL, storage account and username of the inviter / invited person), data entered into our forms and any other communication you send us are subject to our Data Management, therefore these types of Personal Data and other information remain in a non-encrypted form until deleted in accordance with Section 5 below.
As we collect, store, transmit and process various types of Personal Data, such as full name, email address and other information, we feel that it is essential to make clear the purposes for such operations. When you download and use our services, we automatically collect information on the type of device you use, operating system version, and the device identifier (or "UDID"). We do not ask for, access or track any location based information from your mobile device at any time while downloading or using our Mobile Apps or Services. Please note that by creating a Tresorit account and using our services you acknowledge and agree with the following objectives and purposes.
In general, we use the submitted information for functional and improvement reasons, and we do not sell any of the submitted information. It is also important to underline that we want to prevent and take action against any activity that is or may be in breach of the Terms https://tresorit.com/terms-of-use, this Policy or the effective legal provisions. In light of these principles, we detail the purposes of Data Management for the following specific types of data as follows:
Information you give us / Invitation messages: Your e-mail address and your first / last name are used for identification and contact purposes, as they are necessary to create and maintain specific Tresors, as well as keeping up the communication channels among us and our users. The same provision applies to every invitation message sent out, thus we can track our user groups, and improve our service from time to time. When you invite or send a referral to a Third Party, who is not already a Tresorit user, we store the contact details you provided us, like email address, in order to notify such user about your invitation. We might notify an invited user not more than 3 times, and a referred users not more than 1 time, unless you, or another Tresorit user send an invitation or referral again. We don’t sell any Third Party data, and Third Party can choose not to receive more notifications any time, by using the unsubscribe link included in these notifications.
Disclosure on legal order or business purposes
Tresorit may transmit Personal Data if the applicable legal provisions so require, or when such action is necessary to comply with any laws, such as to comply with a subpoena, or similar legal process, authorities’ or court’s orders, for the protection of our rights and interests, to protect your safety or the safety of others or to investigate fraud.
If Tresorit is involved in a merger, acquisition, or sale of all or a portion of its assets, you will be notified via email and/or a prominent notice on our web site of any change in ownership or uses of your personal data, as well as any choices you may have regarding your personal information.
Using third party services
You understand and accept that our website, Software and services may contain or implement applications, APIs, tokens, extensions, etc. that may be necessary for the operations of our services or allow you to interface with, link to and/or import content from various websites and services provided by trustworthy third parties, including but not limited to those of the Data Processor, such as Microsoft Azure or third parties for purposes of fraud prevention or to process payment transactions. These companies are authorized to use your personal information only as necessary to provide these services to us.
Sharing content by You
When you share content using our Service with a third party, including sharing through encrypted links or sharing tresors, by the nature of sharing, some of your profile data and the content you share will be shared with that shared party. When you share content, your activity, relevant metadata of file edits or downloads, might be disclosed to the shared party.For example, when you edit a document, the other members of the tresors will see that you carried out this activity after you have uploaded it. If You are using Tresorit DRM, Your activity metadata may also include information about when you opened a DRM –protected document.
When you have a business account, we may share your account’s usage, your profile data (e.g. Your name and Your email address), and your Non-Encrypted Content. If your Administrator set up a recovery master key, that Administrator may also be able to access your Encrypted Content. You can always check if such recovery master key is set up inside the application, under the Settings menu.
As a registered user, you can view your Personal Data stored by us at any time at the Settings/Account page in the client or you can connect with our support team at email@example.com for further information. You can edit or delete these data from our database if your Personal Data have changed, or if you decide to stop using our Service, without limitations, by using the same Account page or contacting us at firstname.lastname@example.org.
You understand and accept that the deletion of your Tresorit account does not mean the immediate deletion of all of your Personal Data stored by us. We will retain and use your personal data as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. For identification purposes, Tresorit reserves the right to store your e-mail address for 1 year after your user account has been deleted. Same provision applies to the invitations you have sent out, as Tresorit will store such information for at least 90 days, but not more than 1 year after the validity of such invitation has expired. Upon the expiry of the aforementioned deadlines, Tresorit destroys such data in a way that those will not be available again to anyone.
You also understand and accept that your Personal Data necessary for sending and receiving invitations may remain accessible to persons to whom you sent an invitation, or from whom you received and accepted an invitation, even if your Tresorit account is deleted or the invitation you sent or accepted has expired, or you stop sharing your Your Encrypted Content with such persons.
Your email address may also be used for us to send you promotional or marketing emails. Out of respect for your privacy, you may choose to stop receiving these emails by following the unsubscribe instructions included in these emails or you may also contact us at email@example.com. Push notifications may be sent to your device to notify you of new folders being shared. To opt out of push notifications, please edit settings at the device level.
Your Encrypted Content
As a registered user, you can access, edit or delete Your Encrypted Content. Once your Tresorit account is deleted for any reason, your Your Encrypted Content will be automatically deleted as well.
You understand and accept that in line with the functionality of our services, in case you make any change to your Your Encrypted Content, based on your Aggregated User Plan, some previous versions of Your Encrypted Content might remain accessible to you and to the persons with whom you shared such previous versions. You may increase the number of the previous versions of your Your Encrypted Content which remains so accessible by upgrading your Tresorit account. You also understand and accept that previous versions of Your Encrypted Content exceeding this number or Your Encrypted Content which is chosen to be deleted by you or the people you gave appropriate permission, or due to the termination of your Tresorit account, might be restored for some days based on your Aggregated User Plan by the people you shared with the Your Encrypted Content. More than 30 days, but not more than 90 days after the expiry of such deadline Your Encrypted Content will be destroyed in a way that those cannot be restored and will not be available again to anyone, including you.
Please note, as stated and regulated in Terms, we can delete or revoke access to Your Encrypted Content or to your account any time if you are in violation of Terms. We can also delete Your Encrypted Content or your account if you are a free user and you are inactive for more than 120 days, or if you failed to pay, or paid late as stated and regulated in Terms.
You understand that once you shared all or a part of Your Encrypted Content by using Our Service with any person who accepted your invitation, such content goes out of your Control and remains accessible by such person to the extent you granted such person access, even if you select to delete or remove Your Encrypted Content.. Therefore we ask you to pay special attention with whom you share Your Encrypted Content.
It is the Policy of this Company to thoroughly investigate and treat seriously any suspicion of a potential breach of its systems that would allow access to Your Encrypted Content in an unencrypted or otherwise readable form by unauthorized third parties. If such an unlikely event were ever to occur, Tresorit would promptly notify you via the e-mail address provided in the Personal Data.
In the event your Encrypted Content contains Protected Health Information (“PHI”) and is stored by you as a Covered Entity or Business Associate, all as defined under the American Recovery and Reinvestment Act of 2009 (ARRA), including the Health Information Technology for Economic and Clinical Health Act, 42 U.S.C. 17921-17954 (HITECH), and the Health Insurance Portability Act of 1996 (HIPAA), then Tresorit’s handling of such PHI shall comport with the HIPAA and HITECH standards, to the extent Tresorit is a Business Associate and we have executed a HIPAA Business Associate Agreement with you. In the unlikely if not impossible event of a disclosure by Tresorit of the PHI in an unencrypted (or otherwise readable) form to an unauthorized third party, Tresorit shall undertake timely notification to you as a Covered Entity or Business Associate, pursuant to the terms and conditions of the applicable Business Associate Agreement.
Our web site offers publicly accessible blogs or community forums. You should be aware that any information you provide in these areas may be read, collected, and used by others who access them. To request removal of your personal data from our blog or community forum, contact us at firstname.lastname@example.org. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why.
You can log in to our support system using sign-in services such as Facebook Connect, Twitter or an Open ID provider, but such login will not give you access to your Encrypted Content. These services will authenticate your identity and provide you the option to share certain personal information with us such as your name and email address to pre-populate our sign up form. Services like Facebook Connect give you the option to post information about your activities on this web site to your profile page to share with others within your network. We strongly recommend you to use unique password for Your Tresorit Account, which differs from your passwords used elsewhere.
As every high-quality service, Our Service is constantly improved in effort to keep users satisfied, but these improvements necessarily mean changes. Due to the on-going changes in the law and the changing nature of technology, data practices will change from time to time. Thus, Tresorit reserves the right to alter or modify this Policy when it is necessary. If Tresorit makes any material change to this Policy, you as our registered user will receive a 30 day prior written notification in e-mail and these changes will be detailed also on this page in order to ensure that you are fully aware of what information is collected or stored, how it is used and under what circumstances it will be disclosed or transmitted so that you can make your own decision whether or not to continue using our services in light of such changes. Your privacy will not be reduced without your consent. If you are concerned about how your information is collected, stored, used or disclosed, you should periodically check back at this page. If you have any specific concerns not addressed in this Policy, please see Section VIII of this Policy for further contact information.
You are entitled to enquire adjustment or deletion of your stored Personal Data. Furthermore, if you have questions about this Policy or want to know further information or explanation about the data we store about you, please contact us by email at email@example.com, or write to us at:
Reg. number: CH-300.3.017.920-5
Reg. number: 01-09-969460
Köztelek u. 6.
Hungarian National Authority for Data Protection and Freedom of Information registration number: NAIH-71964/2014.