Tresorit – SwissID Sign Bundle Privacy Notice
Last update: 30th November 2022
This notice summarises how we collect and process your personal data in relation to purchase of subscriptions to the “Swiss qualified electronic signature” cloud products and services of SwissSign AG ("SwissID Sign Services"). Any terms used with initial letters shall have the same meaning as in the Terms of Sale, unless defined otherwise.
Also, this notice does not apply to the privacy practices of SwissSign AG and the provision of the SwissID Sign. To learn more about the data processing practices of SwissSign AG, please click here.
Who will process your personal data?
Tresorit AG (company registration no: CH-300.3.017.920-5; address: Franklinstrasse 27, 8050 Zurich) ("Tresorit") is the reseller of subscriptions to the SwissID Sign services. Accordingly, in relation to the purchase of subscriptions to the SwissID Sign Services, Tresorit will act as an independent controller in respect of your personal data specified below.
What kind of personal data do we process?
When you purchase a subscription to the SwissID Sign Services, we need to process some information about you to make the services work. This information may include the following personal data about you.
Registration data: When you sign up for a subscription with us, we process some identification and contact data. Certain basic information, like your name, the name of your organization, and your email address , is necessary for setting up a subscription to the SwissID Sign Services.
Billing information: At the time of the purchase of your subscription, we also collect certain billing information about you. You might also provide payment information, such as payment card details, which we collect via secure payment processing services. This data is necessary for setting up your subscription to the SwissID Sign Services.
Usage data: We process certain limited data to review the applicable usage limits of your subscription (see clause 4.2 of the Terms of Sale), such as the number of Electronic Signatures created within Customer’s Signing Room. Where necessary, we may also process the email address of Users relating to Customer’s Signing Room.
Additional Data Provided by You: You may decide to share further information, including personal data, with us when you contact us, provide feedback to us regarding the SwissID Sign Services or otherwise communicate with us. It is solely your decision to share any other data with us during such communications, so our processing of such data will be based on your consent.
Logs: As most websites and services provided through the Internet, we gather certain information and store it in log files in relation to the subscription flow. This information includes internet protocol (IP) addresses as well as browser type, operating system, identification numbers associated with your devices, time of access, and error logs.
What is the legal basis for processing? (for EEA users)
If you are an individual in the European Economic Area (EEA), we collect and process information about you only where we have legal bases for doing so under applicable EU laws. This means we collect and use your information only where:
- It is necessary in order to provide you the services, to provide customer support and to protect the safety and security of services;
- It satisfies a legitimate interest (which is not overridden by your data protection interests), such as for research and development, and to protect our legal rights and interests;
- You give us consent to do so for a specific purpose; or
- It is needed to comply with a legal obligation.
How do we use your data?
We may process your personal data for several purposes, such as:
Managing subscriptions and payments
We will use your personal data, in particular, to fulfill and execute your purchase of the subscriptions to as well as to collect payments.
Usage limit monitoring purposes
To review the applicable usage limits of your subscription.
We will send you information regarding your subscription to the SwissID Sign Services. Please be aware that you cannot opt out of receiving certain service messages from us, including necessary security alerts and legal notices.
We are always looking for ways to make Tresorit services better, faster, smarter, and more secure. We use aggregated statistics and logs about how people use our services and feedback provided directly to us to troubleshoot and to identify trends, usage, activity patterns and improvement of our services.
We use information about you to secure our services, and to monitor suspicious or fraudulent activity and to identify violations of our Acceptable Use Policy.
Protecting our legitimate business interests and legal rights
Where required by law or where we believe it is necessary to protect our legal rights, interests, and the interests of others, we use information about you in connection with legal claims, compliance, regulatory, and audit functions, and disclosures in connection with the acquisition, merger, or sale of a business.
Providing support (in relation to subscription management)
Occasionally, we connect personal information to information gathered in our log files as necessary to provide better customer experience.
We may also process your data for any other purposes for which we obtain your consent where necessary or otherwise in accordance applicable law and this policy.
Do we share your personal data with third parties?
We will share your personal data with third parties only in accordance with this notice. We will never sell your personal data to third parties. However, we may need to share some information, including personal data, we obtain from your use of our service in the following circumstances.
To ensure that you can use the SwissID Sign Services
Tresorit will share your subscription details which may also include personal data, such as your email address, with SwissSign AG for the provision of the SwissID Sign Services.
Complying with legal requirements
Tresorit may transmit personal data if the applicable legal provisions so require, or when such action is necessary to comply with any laws, including to meet national security or law enforcement requirements. We may also need to share personal data for the protection of our rights and interests, to protect your safety or the safety of others or to investigate fraud, in accordance with the applicable laws.
Using third-party service providers
In certain cases, we need to share information, including personal data with our affiliates and third-party service providers, including for backup, storage, analytics, billing, and communication services.
We may assign or transfer this policy, as well as your account and related information and data, including any personal information, to any person or entity that acquires all or substantially all of our business, stock or assets, or with whom we merge.
Where do we transfer your data?
Tresorit AG is a company organized and existing under the laws of Switzerland, having affiliates within the territory of the EEA (Germany and Hungary). Switzerland was already granted a data protection adequacy status by the European Commission. The effect of such a decision is that, if you are located in the EEA, transfer of your personal data to Switzerland are practically considered as intra-EU transmission of data.
We primarily store personal data within the EEA, in particular, on Microsoft Azure servers in Ireland. Your personal data stored with us may also be transferred to countries outside of the EU. All such transfers of personal data are and will be made in accordance with applicable laws.
How do we protect your data?
We take appropriate technical and organizational measures to protect your personal data against loss or other forms of unlawful processing. Tresorit is ISO 27001:2013 certified.
How long will we retain your information?
We will retain your personal data as long as it is needed to fulfill the purposes specified above, unless a longer retention period is required or permitted by law (such as tax, accounting or other legal requirements). When we have no ongoing legitimate business need to process your personal data, we will either delete or anonymize it as soon as it technically possible.
Your privacy rights
You may ask us:
- to provide information to you about the personal data that we or our processors maintain about you,
- to correct inaccuracies or amend your personal data,
- in certain circumstances, to delete your personal data,
- to restrict processing of your personal data in certain circumstances (for example, where you believe that the personal data we hold about you is inaccurate or unlawfully held),
- in certain circumstances, you may have the right to be provided with your personal data in a structured, machine readable and commonly used format and to request that we transfer the personal data to another data controller without hindrance.
You can request this by send an email to email@example.com. We will respond to your request within thirty days. Please note that we may ask you to verify your identity before complying with the request.
You also have the right to complain to a data protection authority or claim damages before the court. For more information, please contact your local data protection authority. A list of contact details for the EU data protection authorities is available here.
Withdrawal of consent
In cases where the processing of your personal data is based on your consent, you can withdraw your consent any time by contacting us at firstname.lastname@example.org. If you withdraw your consent, we will no longer process your personal data for the relevant purpose. However, please note that such withdrawal of your consent does not affect the lawfulness of our processing activities based on consent before its withdrawal.
Changes to this policy
As every high-quality service, our service is constantly improved in effort to keep users satisfied, but these improvements necessarily mean changes. Due to the ongoing changes in the law and the changing nature of technology, data practices are changing from time to time. Thus, we reserve the right to alter or modify this policy when it is necessary.
Any further question?
If you have any questions, please contact us at email@example.com.
We have also appointed a data protection officer, whom you can reach at firstname.lastname@example.org. We speak English.
As Tresorit AG is located outside of the EU, we appointed our EU affiliate to represent us in relation to any GDPR-related issues. This does not change the fact that Tresorit AG is the controller who ultimately handles your data. If you wish, you can also contact them directly. The details of our EU located affiliate is available here.