Get NIS2-ready with Tresorit. Meet the highest security standards. Learn more

Privacy Policy March 2020

Effective date: 25 March 2020

For Tresorit, security and data privacy are of paramount importance. This Privacy Policy describes our commitment to protect the privacy of individuals in accordance with the

GDPRThe General Data Protection Regulation (GDPR) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union.
.

The main content on the left contains the legally binding full-length version. To help you understand our Privacy Policy better, we collected some helpful notes on the right to sum up the key points of the main content.

Our Data Privacy Commitment

Our mission is to make privacy and security available to people and businesses. That’s why we use end-to-end encryption to protect files and folders you share and store in the cloud.

We encrypt all and every transmission containing personal data using Secure Socket Layer technology (SSL) and apply additional, client-side encryption on the files and directories uploaded and stored in protected storage folders (the Encrypted Content).

We never collect or store your files, encryption keys and passwords in an unencrypted or invertible form. The Encrypted Content and corresponding encryption keys can only be decrypted by you and persons with whom you explicitly share them. However, if you have an account that is part of a Business Subscription with recovery master key, Your Encrypted Content may also be accessed by your

Recovery AdministratorTresorit Business Subscriptions are administered by one person who has an extended set of rights – the Recovery Administrator. They manage the billing and users, and can also put security measures in place to protect confidential company data.
.

According to the best of Tresorit’s knowledge, the current state of the art and the public knowledge of the human race, Tresorit is unable to decrypt the Encrypted Content and accordingly, Tresorit cannot access it. As a result, we cannot use Your Encrypted Content to identify any individual.

However, when using the service, creating and using your user account, you also submit some non-encrypted data, which may include personal data as well.

In a nutshell

Even though we can’t read or access the files and folders you store in Tresorit, we need to process some of your personal data to provide you with services.

Who will process your personal data?

Tresorit services are provided by Tresorit AG (company registration no: CH-300.3.017.920-5; address: Franklinstrasse 27, 8050 Zurich) (Tresorit), a company registered under the laws of Switzerland. If you have a subscription with Tresorit as an individual user, Tresorit will be the controller of your personal data under EU law.
Your data is processed by Tresorit. However, if you are a part of a business subscription, certain data is processed upon the instructions of your organization.
If your account is part of a Business Subscription – in accordance with section 5 of our Terms or you receive a Tresorit link from a user who is part of a Business Subscription, in certain cases, the ultimate decisions regarding your personal data will be made by the relevant organisation. In such case, your company will be considered as a controller and Tresorit will act as a processor, acting upon the instructions of such organisation.

In any case, certain activites of Tresorit are outsourced to third parties (processors), they may also use your personal data when acting on behalf of Tresorit. You can find more details about our sub-processors here.

What kind of personal data do we process?

A) Data that you provide to us

Registration information. When you register for our services, you submit some non-encrypted identification and contact data (such as your e-mail address, name, job title or position, address, phone number). The data that we request at the time of registration is necessary for the provision of our services.
Certain basic information, like your name and email address, is necessary for setting up a Tresorit account.
Billing information. At the time of registration, you also need to provide certain billing information. You might also provide payment information, such as payment card details, which we collect via secure payment processing services. This data is necessary to provide you with Tresorit services.
When you purchase a subscription, you also need to provide payment information, which will be handled by secure processing services.
Account information. When you use our services, you also give us access to certain information (such as the name and the permission history of your
Tresorit FoldersTresorit Folders are secure, encrypted parent folders to your files in the cloud.
) that is necessary for the provision and maintenance of your user account. For the avoidance of any doubt, Tresorit cannot connect such metadata information to Your Encrypted Content or file names as Tresorit has no access to the Encrypted Content or file names.

In order to send and deliver invitations upon your instructions, Tresorit stores and accesses certain personal data (such as the email address, name, Tresor name and its unique URL, storage account and username of the inviter and the invited person). Please note that your email address, first and last name are visible to others when you send them an invitation to, or if you accept an invitation.
Some information about your Tresorit Folders is unencrypted, like its name, size and members. This is needed for features like your activity wall.
Access logs. Content owners may apply certain security settings to protect the content of share links. If you open a Tresorit link where
Detailed access logsDetailed access logs is a security setting on share links. When turned on, content owners can track download attempts by IP address, date and platform.
are enabled, certain information (such as your IP address, approx. location, and the platforms that were used to download the contents of the link) will be logged for your open attempts.

Tresorit users may also require an email verification before you can download the content they shared with you. If you are signed in to Web Access, the email address associated with your account will be used by default for such purposes. Otherwise, the email you use for verification will be logged.

Please note that, the above information will be visible to the sender of the link and other users who have rights to share that specific file or folder. If you have any questions about this, please refer to the policies of the relevant Business Domain.
When sharing content, Tresorit users can enable access logs or request an email verification from those who wish to download their content. In these cases certain information about you will be logged and shared with the content’s owners.
File request information. Before you upload a requested file, you may be asked for your email address for verification purposes . If you are signed in to Web Access, the email address associated with your account will be used by default for such purposes. Otherwise, the email you use for verification will be logged and your email address will be shared with the requester. We will also notify you regarding your successful upload.

Also, for security purposes, certain information (such as your IP address, approx. location, and the platforms that were used to download the contents of the link) will be logged for your upload.

Please note that, the above information will be visible to the requester of the file and other users who have rights to access that specific file or folder. If you have any questions about this, please refer to the policies of the relevant Business Domain.
For verification purposes, certain information, such as your email address, may be shared with the requester of the file.
Other information. You may decide to share further information, including personal data, with us when you contact our Support or Sales Teams, submit forms on our website or otherwise communicate with us. It is solely your decision to share any detailed, non-aggregated logs (which may contain e.g. non-encrypted filenames), your screen or any other data with us during such communications, so our processing of such data will be based on your consent.
Sometimes, when you require assistance from our Sales and Support teams, you may choose to share additional information with us.
Information that we collect about you on our website. When you visit our website, we and our partners may use cookies and other information gathering technologies for a variety of purposes. These technologies may provide us with personal data, information about devices and networks you utilize to access our website, and other information regarding your interactions with our website. For detailed information about the use of cookies in the website, please read and review our Website Cookie Policy and Service Cookie Policy.
We collect data through cookies and similar technologies on our website.
Website statistics. You can visit the Tresorit website, which is separate from the Tresorit app and service, without providing any direct information about yourself.

We store access data without direct personal references, namely the visitor’s browser types, the name of your internet service provider, the website from which you have visited us, the name of the requested file, the Tresorit client version you download, and internet protocol addresses.

Unless you choose to identify yourself, either by responding to a promotional offer, opening an account or filling out a web form, this data does not allow us to draw any conclusions regarding your identity. By storing and analyzing such information, we are able to create in-depth analysis about our service, which is essential for improvement, security and debugging purposes.
We collect data from our website visitors – we can’t identify you directly without your consent.
Logs. As most websites and services provided through the Internet, we gather certain information and store it in log files when you interact with our website or service.

This information includes internet protocol (IP) addresses as well as browser type, operating system, identification numbers associated with your devices, time of access, and error logs.

Analytics. When you download and use our services, we automatically collect information such as the type of device you use, operating system version, your Tresorit client version and the IP addresses associated with you.
We log website visits and application usage statistics to improve our services.

B) Information that we collect from third parties

Other users of our services. Other users of Tresorit services may provide information about you while using our service. For example, we receive personal data about you when somebody sends you an invitation or add you to their contacts. Similarly, your Administrator may provide your contact information when they designate you as a user under your company’s policy.

Our resellers and distributors. From time to time, we engage trusted business partners who help us generate leads, and market, promote and resell our product. We receive information from these partners, such as billing information, contact information, company name and registered address.
We also receive personal data when new users are invited to a business subscription or to a Tresorit Folder.
Other partners. We receive information about you and your activities on our website from third-party partners, such as advertising partners. Upon your consent, such partners provide us with information about your engagement with our website and online advertisements. If you want to learn more, please see our Website Cookie Policy.
We reach out to audiences who might be interested in our product with targeted marketing campaigns.

What is the legal basis for processing? (for EEA users)

If you are an individual in the European Economic Area (EEA), we collect and process information about you only where we have legal bases for doing so under applicable EU laws. This means we collect and use your information only where:

  • It is necessary in order to provide you Tresorit services, including to set up and maintain a Tresorit account for you, to provide customer support and to protect the safety and security of our services;
    Necessary for provision of services
  • It satisfies a legitimate interest (which is not overridden by your data protection interests), such as for research and development, to market and promote our services and to protect our legal rights and interests;
    Legitimate interest
  • You give us consent to do so for a specific purpose;
    Consent
    or
  • It is needed to comply with a legal obligation.
    Legal obligation
We only collect and use your personal data with a lawful basis: with your consent, when it is necessary in order to provide our services, when we need to fulfill a legal obligation or when there’s a legitimate business reason behind.

How do we use your data?

We may process your personal data for several purposes. How we use your personal data depends on your subscription plan, on how you use the Tresorit services, and your preferences you have communicated to us.

Services
Necessary for provision of services
Legitimate interest

  • We will use your personal data, such as Registration and Account Information, for the provision and maintenance of your user account, for authentication purposes, and for providing the Tresorit service to you and to other registered Tresorit users as designated by you.

Billing
Necessary for provision of services
Legitimate interest

  • We will process your Registration and Billing Information for billing purposes, i.e. to complete transactions, and send you related information, including purchase confirmations and invoices.

Communications
Necessary for provision of services
Legitimate interest
Consent

  • We will send you technical notices, updates, security alerts, support and administrative messages. Please be aware that you cannot opt out of receiving certain service messages from us, including necessary security alerts and legal notices.
  • We also send messages about how to use the services. You may change your communication preferences at any time.
  • Push notifications (in-app) may be sent to your device to notify you of new folders being shared or certain events or user actions regarding the user account or the user’s data. To opt out of push notifications, please edit settings at the device level.
  • Our service also enables communications between you and others. In particular, sending and delivering invitations, between you and the person who invites you or whom you invited.
You cannot opt-out of emails which contain necessary information such as security alerts and legal notices.

We will send you emails with tips and tricks on how you can use Tresorit the best. You can change your email preferences anytime.

Developing Services
Legitimate interest

  • We are always looking for ways to make Tresorit services better, faster, smarter, and more secure. We use aggregated web statistics and logs about how people use our services and feedback provided directly to us to troubleshoot and to identify trends, usage, activity patterns and improvement of our services.
  • We also test and analyze certain new features with some users before rolling the feature out to all users.
We collect and analyze usage data from our users – this data is used for the research and development of our services.

Marketing
Legitimate interest
Consent

  • If you are an existing customer of Tresorit, we may use your email address and phone number provided to us to send you marketing communications, such as providing you with information about similar Tresorit products and services, unless you have opted-out.
  • We may also use information about you, including web statistics and logs, to personalize the content and experience you receive on our websites or in our marketing communications, as well as by displaying Tresorit ads on other companies' websites and applications, such as on platforms like Facebook and Google. Where legally required, also seek your consent for sending marketing communications.

Security
Legitimate interest
Legal obligation

  • We use information about you to secure your profile, verify accounts and activity, to monitor suspicious or fraudulent activity and to identify violations of our Terms of Service or Acceptable Use Policy.
Some of your data is used for authentication. This is required to secure your account and to prevent fraud or theft.

Customer Support
Legitimate interest
Consent

  • Occasionally, we connect personal information to information gathered in our log files as necessary to provide better customer experience and to improve our services. In such a case, we would treat the combined information in accordance with this policy.
  • You may opt-out of these statistics or logs at any time by editing settings, but please note that in this case, it might be more difficult to our support team to find the problem when something goes wrong.
Tresorit collects your activity and usage statistics to log files, which is also helpful when you require the assistance of our support team.

Protecting our legitimate business interests and legal rights
Legitimate interest
Legal obligation

  • Where required by law or where we believe it is necessary to protect our legal rights, interests and the interests of others, we use information about you in connection with legal claims, compliance, regulatory, and audit functions, and disclosures in connection with the acquisition, merger or sale of a business.

Aggregate Insights
Legitimate interest

  • We use mobile analytics software to allow us to better understand the functionality of our mobile application on your device. This software may record information such as how often you use the mobile application, the events that occur within the mobile application, aggregated usage, and performance data. While we use your information to produce aggregate insights, such insights do not identify you.
We use your data to generate aggregate user insights that we use to research and develop our product. These insights cannot be used to track your individual actions.

Other purposes

  • We may also process your data for any other purposes for which we obtain your consent where necessary or otherwise in accordance applicable law and this policy.

How do you use your personal data?

Please remember that if you use our Service to share Your Encrypted Content with someone, your personal data might be shared with such third party. For example, your email address, first and last name are visible by the people you send an invitation to, or from whom you accept an invitation. To learn more about our sharing features, we recommend that you visit the Tresorit Knowledge Base. We are not responsible for your use of any otherwise personal data, which you make available to others via invitations, or the activities of other users or other third parties to whom you give or make available your information.

Do we share your personal data with third parties?

We will share your personal data with third parties only in accordance with this policy. We will never sell your personal data to third parties. However, we may need to share some information, including personal data, we obtain from your use of our service in the following circumstances.

1) Complying with legal requirements

Tresorit may transmit personal data if the applicable legal provisions so require, or when such action is necessary to comply with any laws, including to meet national security or law enforcement requirements. We may also need to share personal data for the protection of our rights and interests, to protect your safety or the safety of others or to investigate fraud, in accordance with the applicable laws.
In certain cases, we may need to oblige to national security or law enforcement requirements and provide personal data to authorities.

2) Using third-party service providers

In certain cases we need to share information, including personal data with our third-party service providers. We use third-party service providers for a number of services, including application development, backup, storage, payment processing, analytics and other services. We require our third-party service providers to use the personal data that we share with them solely in connection with the services they provide to us. The current list of our service providers is available here.
As any other business, we may need to share personal data with other service providers that we use in our operation for billing, backup, analytics etc.

3) Content shared by you

Information, including personal data, will be shared with a third-party when you share content using our service with a third party (e.g. through share links and collaborating in Tresorit Folders). You acknowledge that once you shared all or a part of your Encrypted Content by using our service with any person who accepted your invitation, such content goes out of your control and remains accessible to the extent you granted access. Accordingly, we ask you to pay special attention with whom you share your Encrypted Content.
When you are a member of a shared folder, besides its content, your activity will also be visible to other members.

4) Downloading content

When content is shared with you – either by accepting, downloading, assessing a Tresorit link or invitation –, certain information regarding your activity, might also be disclosed to the shared party.

5) Administrators

If your account is part of a Business Subscription – in accordance with section 5 of our Terms – the relevant Administrator may be able to view certain information about your interactions with the relevant Business Subscription. Such information may include your email and activity. If you have any questions about this, please refer to the policies of the relevant Business Domain.

If you register an individual account and the domain of your email address is owned by an organization and was assigned to you as an employee, contractor or member of the organization, we may help your Administrator find your account by sharing some basic information about your account (such as your email address). This helps you join the relevant Business Subscription.

If your account is subject to Advanced Control, your Recovery Administrator may also be able to access your Encrypted Content as set out in section 5 of our Terms. You can always check whether Advanced Control is set up in respect of your account, under the Settings menu.
By accepting Advanced Control, you give your Recovery Administrator permission to have cryptographic access to your files.

6) Business transactions

We may assign or transfer this policy, as well as your account and related information and data, including any personal information, to any person or entity that acquires all or substantially all of our business, stock or assets, or with whom we merge.
Regardless of any changes that might happen in our company, your personal data will be protected the same way as it is right now.

7) Testimonials

From time to time, we may post testimonials on our website that may contain personal data. We obtain your consent to post your name along with your testimonial. If you wish to update or delete your testimonial, you can contact us at support@tresorit.com.

8) Referrals

If you choose to use our referral service to tell a friend about our products and services, we will ask you for your friend’s name and email address. We will automatically send your friend an email inviting him or her to visit our website and will store this information for the purpose of sending this initial email, tracking the success of our referral program and other marketing activities. We will not contact him or her more than once. Your referral may contact us at support@tresorit.com to request that we remove their information from our database.

Where do we transfer your data?

Tresorit AG is a company organized and existing under the laws of Switzerland, having affiliates within the territory of the EEA (Hungary). Switzerland was already granted a data protection adequacy status by the European Commission. The effect of such a decision is that, if you are located in the EEA, transfer of your personal data to Switzerland are practically considered as intra-EU transmission of data.

We primarily store personal data within the EEA. Your personal data stored with us may also be transferred to countries outside of the EU. All such transfers of personal data are and will be made in accordance with applicable laws. You can reach the list of our current sub-processors here.
Your data may be transferred outside of the EEA in accordance with legal and regulatory requirements.

How do we protect your data?

A) Security

We take appropriate technical and organizational measures to protect your personal data against loss or other forms of unlawful processing. Tresorit is ISO 27001:2013 certified.
We protect your data with the highest level of security technology available.

B) Confidentiality

We NEVER collect or store your files, encryption keys and passwords in an unencrypted or invertible form. The Encrypted Content and corresponding encryption keys can only be decrypted by you and persons with whom you explicitly share them. If you have an account that is part of a Business Subscription with recovery master key, Your Encrypted Content also may be accessed by your Recovery Administrator as set out in our Terms.

According to the best of Tresorit’s knowledge, the current state of the art and the public knowledge of the human race, Tresorit is unable to decrypt the Encrypted Content and accordingly, Tresorit cannot access it. As a result, we cannot use Your Encrypted Content to identify any individual.

How long will we retain your information?

A) Your Personal Data

We will retain your personal data as long as it is needed to fulfill the purposes specified above, unless a longer retention period is required or permitted by law (such as tax, accounting or other legal requirements). When we have no ongoing legitimate business need to process your personal data, we will either delete or anonymize it as soon as it is technically possible.

If your personal data is held by us on behalf of your company, we will retain such personal data in accordance with the terms and conditions of our data processing agreement with them, subject to applicable law.

B) Your Encrypted Content

As a registered user, you can access, edit or delete Your Encrypted Content. Once you delete a Tresorit Folder for any reason, Your Encrypted Content will also be automatically deleted within 90 days. For technical and support reasons, we may keep your data for 60 days from the date when you delete a Tresorit Folder. Please note that after this date, Your Encrypted Content will be destroyed in a way that those cannot be restored and will not be available again to anyone, including you.

You understand that once you shared all or a part of Your Encrypted Content by using Our Service with any person who accepted your invitation, such content goes out of your Control and remains accessible by such person to the extent you granted such person access, even if you select to delete or remove Your Encrypted Content. Therefore we ask you to pay special attention to whom you share Your Encrypted Content with.

Your privacy rights

You may ask us to:

  • provide information to you about the personal data that we or our processors maintain about you,
  • correct inaccuracies or amend your personal data,
  • delete your personal data.
You can request this by send an email to support@tresorit.com. We will respond to your request within thirty days. Please note that, we may ask you to verify your identity before complying with the request.

If you are from a country where the GDPR applies, you may have additional rights such as:

  • In certain circumstances, you may have a broader right to erasure of your personal data. For example, if it is no longer necessary in relation to the purposes for which it was originally collected. Please note, however, that we may need to retain certain information for record keeping purposes, to complete transactions or to comply with our legal obligations.
  • You may have the right to request us to stop processing your personal data and/or to stop sending you marketing communications.
  • You may have the right to request that we restrict processing of your personal data in certain circumstances (for example, where you believe that the personal data we hold about you is inaccurate or unlawfully held).
  • In certain circumstances, you may have the right to be provided with your personal data in a structured, machine readable and commonly used format and to request that we transfer the personal data to another data controller without hindrance.
If you would like to exercise such rights, please contact us at support@tresorit.com. We will consider your request in accordance with applicable laws. To protect your privacy and security, we may ask you to verify your identity before complying with the request.

Please note that if your account is part of a Business Subscription, we will not independently respond to your request without your organisations’s prior written consent, except where required by applicable law.

You also have the right to complain to a data protection authority or claim damages before the court. For more information, please contact your local data protection authority. A list of contact details for the EU data protection authorities is available here.
If you want to exercise your data privacy rights, please email us. We may ask for proof of identity.

Withdrawal of consent

In cases where the processing of your personal data is based on your consent, you can withdraw your consent any time by editing settings at device level. In addition, you can also contact us at support@tresorit.com. If you withdraw your consent, we will no longer process your personal data for the relevant purpose. However, please note that such withdrawal of your consent does not affect the lawfulness of our processing activities based on consent before its withdrawal.
You can change your email settings any time under the Profile tab, in My Account.

Changes to this policy

As every high-quality service, our service is constantly improved in effort to keep users satisfied, but these improvements necessarily mean changes. Due to the ongoing changes in the law and the changing nature of technology, data practices are changing from time to time. Thus, we reserve the right to alter or modify this policy when it is necessary.

If there are any material changes to this policy, you will be notified 30 days prior to the change becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices. Your continued use of our website or our services constitutes your agreement to be bound by such changes to this policy. Your only remedy, if you do not accept the terms of this policy, is to discontinue use of our website and services.
This policy may change from time to time. Check back here every now and then to take a look.

Third party controllers

Our webpage or services may, from time to time, contain links to and from the websites or services of third parties. This policy does not extend to these external sites or companies, so please refer directly to their privacy policies.

Any further question?

If you have any questions, please contact us at support@tresorit.com.

We have also appointed a data protection officer, whom you can reach at dpo@tresorit.com. We speak English.

As Tresorit AG is located outside of the EU, we appointed our EU affiliate to represent us in relation to any GDPR-related issues. This does not change the fact that Tresorit AG is the controller who ultimately handles your data. If you wish, you can also contact them directly:

Tresorit Kft.
Köztelek utca 6.
1092 Budapest, Hungary

Updates: Privacy Policy

We want to be as transparent as possible about the changes we make to our Privacy Policy. In this archive you can see the previous versions of the policy.

  • Current version (01/09/2023)

    Key changes:

    • We made amendments to ensure that our Privacy Policy is compliant with the new Swiss Federal Data Protection Act (revFADP) as well as GDPR.
  • 05/09/2022

    Key changes:

    • Due to the introduction of Tresorit eSign we added a section to clarify how we handle data when you are using this feature.
  • 19/08/2022

    Key changes:

    • For the sake of clarity, we have updated the Privacy Policy‘s wording regarding email verification.
  • 15/06/2022

    Key changes:

    • Due to the introduction of email verification with Microsoft and Google accounts, we clarified how we handle your data when using this feature.
  • 26/02/2022

    Key changes:

    • For the sake of clarity, we specified the scope of the Privacy Policy and added links to privacy notices specific to certain Tresorit services.
  • 25/03/2020

    Key changes:

    • Because of the introduction of our "File Request" feature, we are updating the scope of data collected.
  • 09/10/2019
  • 19/02/2019
  • 24/08/2018
  • 25/05/2018
  • 24/10/2017