Cryptee | Privacy Policy

PRIVACY POLICY

FOR HUMANS

We take pride in being a security & privacy service accessible to everyone. So we have a simplified and easy to read version of our policy.

Below we will clarify how your data will be used, and the steps we took to protect it. By using Cryptee, you consent to the terms outlined in this policy.

FOR LAWYERS

In the following policy, Cryptee or Crypt.ee refers to the service offered by Svartlab OÜ (the "Company" or "We") through the crypt.ee website (the "Service"). This Privacy Policy explains (i) what information we collect through your access and use of our Service (ii) the use we make of such information; and (iii) the security level we provide for protecting such information. By visiting crypt.ee and using the Services provided here, you consent to the terms outlined in this privacy policy.

LEGAL
FRAMEWORK

hello. we're from estonia.

The Company is domiciled in Estonia, and thus governed by the laws and regulations of Estonia.

To sign up you will need to provide either a username, or optionally an email address for convenience.

It's just for sign up & important notifications. No spam. We won't sell or give this information to anyone else.

Any emails provided to the Service through sign up, waiting list, optional email verification, or optional notification/recovery email setting in your account, are considered personal data as defined and under protection by the Estonian Personal Data Protection Act and GDPR.

Such data will only be used to log you in, contact you with important notifications about the Service, to send you an invitation link to create your account, to verify your account, or to send you password recovery links if you choose to opt in.

DATA
COLLECTION

We collect as little user information as possible. Only the absolute bare minimum stuff to still be able to provide a service to you. All your personal data is encrypted, but in order to provide a service, we still need a few bits of other data. Let's begin.

VISITING OUR WEBSITE

We have an analytics system. We didn't trust any third party ones. So we built one ourselves instead. It is 100% anonymous, and it's only there just to see how well we're doing with design, improvements, features and page views.

ACCOUNT CREATION

We do not require ANY personal information. You don't even need to use an email. It's only for convenience.

Oh, and, legally we have to record the date and time of your sign up.

Account activity

To provide you a service, we need access to some basic things in unencrypted format. These are:

folder colors & archive status
# of things in each folder or album
file byte-sizes & mime-types after encryption
version-IDs of files, photos & videos
EXIF dates of photos
storage space used
all payment amounts & dates
payment type, plan & discounts

If you choose to upload RAW photos (such as DNG, TIFF, 3FR or FFF formats) to provide you the service, we need access to some basic EXIF data in unencrypted format. These are:

camera make & model (i.e. "Leica M11")
camera's lens (i.e. "35mm")
aperture, exposure, white balance & iso

We do NOT have access to the contents of encrypted photos, videos or documents/files or any specific payment information. More about payments below.

Communications with Cryptee

Your communications, such as support requests, bug reports, or feature requests may be saved to improve our service, knowledge base and FAQ sections.

Error Reporting & Abuse Detection

We have an automatic error collection, abuse detection and reporting system. The error reports are anonymous, but linked to our support system via anonymous user IDs to better help you out. We keep these only for 90 days. Our abuse detection system automatically collects and retains IP addresses and browser user agents for 180 days, but these are deleted once they're no longer relevant.

Payment Information

We rely on awesome and trusty companies called Stripe and Paddle to process your payments, and we use your anonymous user ID to know / track when you paid.

Our policy is to collect as little user information as possible to ensure a completely private and anonymous user experience when using the Service. We also have no technical means to access the contents of your encrypted data, documents, photos or videos. Service's user data collection is as follows:

Visiting our website

The Service employs an analytics software created specifically by the Company, and not a 3rd party analytics solution to further improve security, privacy and anonymity. Using this solution we may at times track usage metrics, design improvements and track new features' adoption on our pages completely anonymously, without collecting any identifiable pieces of information. These pieces of information are only collected in each unique session, without storing any trackers on the users' devices longer than each session, without tracking across sessions, with the sole purpose to improve our features, improve user experiences, increase new feature adoption and write better tutorials to guide our users.

Account creation

We do not require ANY personal information to create an account but you may provide an email address for login and password recovery purposes. Should you choose to provide it, we do associate these information with your account (to be able to provide you the Service). We will also store your account creation time.

Account activity

To provide you the Service, we have access to the following metadata: folder colors & archive statuses, number of documents/files/photos/videos in each folder or album, file byte-sizes & mime-types after encryption, generation/version identifiers for each document/file/photo/video (to prevent version conflicts between your devices), EXIF dates of photos (to help you sort / find photos based on when they're taken), amount of storage space used, payment activation and deactivation dates, first payment date, all payment amounts, upcoming and past payment dates, subscription plan associated with your account, whether a discount was applied or not, payment time and the type of the payment method used.

If you choose to upload RAW photos (such as DNG, TIFF, 3FR or FFF formats) to provide you the service, we need access to some basic EXIF data in unencrypted format. These are: Camera Make & Model (i.e. "Leica M11"), Camera's Lens (i.e. "35mm"), Aperture, Exposure, White Balance and ISO.

We do NOT have access to the contents of encrypted photos, videos or documents/files. We do NOT have access to any specific payment information. More information regarding payments related information is below.

Communicating with the Company

Your communications with the Company, such as support requests, bug reports, or feature requests may be saved by our staff, to improve our service and knowledge base featuring frequently asked questions.

Error Reporting & Abuse Detection

Should an error occur while you're using the Service, depending on the error, our automatic error collection and reporting system may collect your unique user ID while reporting the error to our error collection system. (processed via Sentry IO, contact details & privacy policy below) These collected Errors are automatically linked to our support system, and can be used to further clarify / investigate issues. These error reports are only retained for 90 days. We do not, and can't collect any personal / identifiable information with our error collection system. Our system may collect information like : (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches our website (so-called referrers), (4) the sub-websites, (5) the date and time of access to the Internet site, and (6) any other similar data and information that may be used in the event of errors or attacks on our systems. Our abuse detection system automatically collects and retains IP addresses and browser user agents for 180 days, however these are deleted once they are no longer relevant.

Payment Information

The Company relies on third parties to process payments, so the Company necessarily must share your user identification number with the payment processor to be able to know which account the payment will be applied to. We do not otherwise store any of your payment information. Payments of users who subscribed to a paid plan after February 21, 2021 are processed by Stripe.com, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, and the merchant of record is The Company. Payments of users who subscribed to a paid plan before February 21, 2021 are processed by Paddle.com, Market Ltd, 15 Bermondsey Square, SE1 3UN London, United Kingdom, as merchant of record. As the payment process is entirely and independently carried out by Stripe.com or Paddle.com, you submit the relevant payment data, especially your payment details and your email address, directly to Stripe.com or Paddle.com. You can find their Privacy Policy at stripe.com/privacy and paddle.com/legal. In order to comply with credit card processing requirements, the Service includes third-party javascript from Stripe that may contain other tracking. However, this content is only loaded on the payment page. The use of your data by Paddle.com is based on Art. 6 subpara. 1 point b of GDPR. Furthermore, Paddle.com allows the Company to access the following payment data: Your email address, your payment method (e.g. by credit card), but not the payment details itself, in order to obtain an overview over the Service's performance. This use is based on Art. 6 subpara. 1 point of GDPR, while the legitimate interest of Paddle.com is to transparently communicate its sales of the Service to the Company; the legitimate interest of the Service is to know about its revenues generated by Paddle.com. The user, data subject has the possibility to revoke consent for the handling of personal data at any time from Paddle. A revocation shall not have any effect on personal data which must be processed, used or transmitted in accordance with (contractual) payment processing.

DATA
USE

We don't & won't have ads. We will never share your data unless for reasons listed in Data Disclosure below.

We do not have any advertising on our site. Any data that we do have will only be used for providing you the service, and never be shared except under the circumstances described below in Data Disclosure. When using the collected general data and information listed above, we do not draw any conclusions about the data subject. Rather, this information is needed to (1) deliver the content of the Service correctly, (2) optimize the content of the Service, (3) ensure the long-term viability of our systems and technology, and (4) provide law enforcement authorities with the information necessary for criminal prosecution in case of a cyber-attack. Therefore, we anonymously analyze collected data and information statistically, with the aim of increasing the data protection and data security of the Service, and to ensure an optimal level of protection for the personal data we process.

DATA
STORAGE

Your documents, files, photos and videos are always encrypted, and we can't access any of it. We may have backups (also encrypted) occasionally to be safe, but these are kept for up to 90 days.

The contents of your documents/files/photos/videos are ALWAYS stored in encrypted format. Offline backups may be stored periodically, but these will be backups of already encrypted files. We do not possess the ability to access the contents of any user's encrypted documents/files/photos on either the live servers or in the backups. On top all this, all services use a second layer of at rest encryption and HTTPS while in transit.

DATA
RETENTION

When you delete your account, every piece of data we have about your account in our possession and control is immediately deleted. There may be some leftovers in backups (which by the way are encrypted with your keys, and inaccessible to us/or anyone else), but those will be deleted after 90 days if there hasn't been a disaster.

When a user account is deleted, all user data, including encrypted contents of documents/files/photos/videos are immediately deleted from production servers. Active accounts will have data retained indefinitely. Deleted data may be retained in our backups for up to 90 days, which exists only for disaster recovery and are encrypted with the users' keys, therefore inaccessible to us/or anyone else.

DATA
DISCLOSURE

We will only disclose the limited user data we possess if we receive an enforceable court order.

If someone wants your data, we can only give them the data listed above in the Data Collection section and the fully encrypted data, which we can't decrypt. (and scientifically speaking, nobody should be able to decrypt for the foreseeable million+ years)

If permitted by law, we will always contact you and let you know if we have a way to reach out to you (for example via Email).

We will only disclose the limited user data we possess if we receive an enforceable court order. If a request is made for the encrypted contents of documents/files/photos/videos that we do not possess the ability to decrypt, the fully encrypted data or other user data disclosed above in the data collection section may be turned over. If permitted by law, we will always contact a user first before any data disclosure, given that we have a method to contact the user such as the user's email address.

We are fully committed to EU GDPR.

We can't even access your data. Only you can. That's what GDPR lawyers call magic. Basically your data is as private and as safe as it can be on the internet.

We use a few companies to help us bring you the service such as payments or error reports etc. These companies are:

Google Cloud Platform, Cloudflare, Sentry IO, Stripe, and Paddle only if you became a paid user before February 21, 2021.

CRYPTEE is fully committed to EU GDPR.

Based on Article 25 and Recital 78, the Service fits into the category of "Data protection by design and by default", by allowing only the users themselves to hold decryption keys, and not having access to the users' unencrypted information.

We are transparent and upfront with our users regarding the information we process/store, the purpose, and in which form we store it.

We only transmit user data outside the EU in encrypted form, of which the encryption keys are held by our users and not by us.

We do not use cookies. The only identifier stored on the site is stored either in indexedDB, localStorage or sessionStorage, employed to authenticate, identify and secure users while using the service. More information regarding this is below in Cookies & Local Storage section.

Name & Address of the Data Controller

Controller for the purposes of the General Data Protection Regulation (GDPR), other data protection laws applicable in Member states of the European Union and other provisions related to data protection is: Svartlab OÜ, Estonia. https://svartlab.com - info@svartlab.com

Contact Possibility

The Service contains information that enables a quick electronic contact to our enterprise, which also includes an e-mail address. If a data subject contacts the controller by e-mail or via a contact form, the personal data transmitted by the data subject are automatically stored. Such personal data transmitted on a voluntary basis by a data subject to the data controller are stored for the purpose of processing or contacting the data subject.

Minimization, Routine Erasure & Blocking of Personal Data

Due to the nature of the Service, we do not possess any personally identifiable data. Other than an email address consensually provided by the data subject to use the Service more conveniently. We process and store the personal data of the data subject only for the period necessary to achieve the purpose of storage, or as far as this is granted by the European legislator or other legislators in laws or regulations to which we (the controller) is subject to. If the storage purpose is not applicable, or if a storage period prescribed by the European legislator or another competent legislator expires, the personal data are routinely blocked or erased in accordance with legal requirements.

Transparency & Data Portability

We transparently show all our users every piece of information we have linked to their accounts, and allow them to easily see, delete, or export their data. Since we do not possess the ability to decrypt our users' encrypted pieces of data, we instead allow our users to export/download these data in the encrypted format we store on our servers.

Cryptee's Sub-Processors

Cryptee uses multiple providers (sub-processors) to provide the Service to its users. These processors are all committed to GDPR, and are listed below.

Google Cloud Platform
Google Ireland Ltd. - Gordon House, Barrow Street, Dublin 4, Ireland
https://cloud.google.com/security/privacy/

Cloudflare
Cloudflare, Inc. - 101 Townsend St., San Francisco, CA 94107
https://www.cloudflare.com/privacypolicy/

Sentry.IO
Functional Software, Inc. - 132 Hawthorne St, San Francisco, CA 94107
https://sentry.io/privacy/

Stripe.com
Stripe Payments Europe, Ltd. - 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland
https://stripe.com/privacy

and for paid users before February 21, 2021,

Paddle.com
Paddle Payments Ltd. - Core B, Block 71, The Plaza, Park West, Dublin 12, Ireland
https://paddle.com/legal
https://paddle.com/privacy-end-user

COOKIES
TRACKERS
LOCAL STORAGE

We don't have any of that stuff.

We do not use any cookies in the Service. (nor any advertising tracking cookies, nor any other form of tracking cookies or user tracking system in general)

Only pieces of identifiers stored on the user's device locally are stored either in indexedDB, localStorage or sessionStorage, employed to authenticate, identify and secure users while using the service.

These locally stored pieces of identifiers are used only to prevent abuse, authenticate and remember the user while the user is actively using the Service and navigating between pages. All locally stored information is flushed clean once the user signs out.

To further improve security, encryption/decryption keys are only stored in memory and flushed once the page is reloaded, even if the user is not signed out. Therefore even if a user is not signed out, their files would be encrypted and inaccessible without re-entering this key after reloading the page or navigating away from it.

We also have a script that regularly deletes all cookies on each page load. This is used as an additional measure to ensure none of our providers can start adding unsolicited cookies in the future.

MODIFICATIONS
TO
PRIVACY
POLICY

We might make small changes to this policy some day. If you continue to use the service, we'll assume you're cool with these.

We reserve the right to periodically review and change this policy from time to time. Continued use of the Service will be deemed as acceptance of such changes.

APPLICABLE
LAW

We're based in Estonia. So that's where all our legal stories will take place.

This Agreement shall be governed in all respects by the substantive laws of Estonia. The exclusive jurisdiction to resolve any controversy, claim or dispute arising out of or relating to the Agreement is the Harju County Court in Tallinn Estonia.