Privacy Notice

PrivateStorage Privacy Notice

As of February 1, 2023

The previous privacy notice, dated November 9, 2022, is available here .

PrivateStorage.io Inc. (“PrivateStorage”, “we”, “us”) is committed to protect your privacy while you use PrivateStorage’s website, products and/or services. We want you to understand what information we collect about you, how we collect it, how that information is used, who we share data with, and what choices you have as a data subject. This Privacy Notice applies to our uses of your data; however, it does not apply to any third-party applications or software that integrate with our services through our website, or any other third-party products, services or businesses’ additional use of your data.

I. Data Controller and EU Representative

Data Controller: PrivateStorage.io Inc., 2009 Mackenzie Way, Suite 100, Cranberry Twp, PA 16066.

Our EU Representative: Least Authority TFA GmbH, Thaerstraße 28a, 10249 Berlin, Germany. privacy@leastauthority.com

II. The Data We Collect, Why We Collect it, Our Legal Basis for Doing So, and How Long It’s Kept

We operate this website in order to provide you with information about our products and services, and to take payments for those services.

1. If You Visit the Website

You may use our website for purely informational purposes without disclosing your identity. In order to display the website to you, some non-personal details about your device may be shared with us.

The Private.Storage website is currently hosted on AWS servers which are based in the EU.

PrivateStorage uses an open-source web analytics program with a strong privacy focus, called Matomo. It informs us about how visitors use our website. PrivateStorage collects anonymous statistical data about the use of its website to optimize its online presence and for marketing and sales purposes. Only the first 2 ‘bytes’ of your IP address are being stored which makes it harder to link your current visit to this website to future visits, and to determine your exact location.You can opt-out of visitor data collection by Matomo by enabling the Do-Not-Track option in your browser. Visit http://donottrack.us/ to learn how.

The videos posted on our website run on our servers. Thus, when watching these videos, we do not collect any personal data.

Our legal basis for the processing of the data listed above is based on our legitimate interests in ensuring the functionality, integrity, and security of the website.

2. If you Use PrivateStorage

Initial Use of PrivateStorage: When using PrivateStorage you do not need to create an account (e.g., email address/password). Instead, files stored with PrivateStorage are accessed through the use of special codes known as capabilities, not using passwords or email addresses. Thus, when you connect to the PrivateStorage service for the first time, the PrivateStorage desktop application will generate and store locally on your device the cryptographic capability needed to access and recover data stored on our servers. It’s important to create and save this Recovery Key (including a backup) as we will not have access to it for support purposes or any other reason. Accordingly, we do not have the ability to decrypt and/or read your stored data. We also cannot link any encrypted data stored with us to any individual. Read more about this on the Features Page.

To the extent that any verifying information you may provide to us can be used to identify you, we rely on our legitimate interests and our contract with you to process this information.

Ongoing Use of PrivateStorage: During normal use of PrivateStorage, we do not log anything about your use of our service. In exceptional circumstances, such as when a potential problem with data integrity is detected, our server may automatically create an incident log, which may contain non-personal information about your machine or the file size, and personal information such as your IP address. We use this information to diagnose and resolve possible errors in our service, the application, or our servers. We keep these logs for 29 days and then delete them. We rely on our contract with you to collect identifying IP address information for troubleshooting and service reliability purposes.

You can render your data inaccessible by following the instructions in our FAQ. We cannot help you do this because we cannot determine which encrypted data corresponds to which customer. Since we do not have customer lists, we also cannot confirm if you are a customer or not.

3. If You Buy Storage-Time

When you buy PrivateStorage storage-time, your payment information gets sent to our payment provider Stripe for processing. This information includes payment details (such as your name, address and credit or debit card details), the purchase amount, date of purchase and your IP address. Stripe collects this information to facilitate the purchase, and keeps this information to fulfill its legal obligations.

In some cases, Stripe uses your transaction history to authenticate you. In addition, Stripe may collect personal information about you from other sources. You should refer to Stripe’s Privacy Policy for more details about their collection, processing and retention processes.

Importantly, PrivateStorage does not store this information. However, Stripe provides us access to it through their administrative interface. At the moment, Stripe does not offer us a way to disable such access. Thus, we have implemented an internal policy of least privilege access, and restricted it only to a limited set of (less than 3) PrivateStorage team members.

Additionally, while it may be possible to verify that you submitted payment for our system, it is impossible for us to verify whether you have ever used the system to upload or download any data, or for us to associate you with any data.

On our side, we record the voucher number used to generate the payment, the Stripe token, currency, amount, and when a transaction took place (date and time). We use this information for business accounting and administration purposes. We retain this information until the voucher is completely spent and, additionally, as long as legally required. We cannot link this information to individuals spending their storage-time.

We process this data in order to fulfill our service contract with you and to comply with legal obligations.

4. If You Make a Support Request

If you contact us via our email address support@private.storage, or via Signal ( +1 724 200 8340 (Signal).
) for support requests, we will collect and process your email address and/or phone number, as well as your name and other details you provide to us. Any details you provide to us will be managed in our ticketing system, CDR: Link and stored on their hosting provider Greenhost. You can read CDR´s privacy policy here and Greenhost´s here.

We will keep data you share with us for 7 days after the closure of the issue. After 7 days, the closed issue, contact information, and other information you shared with us, will be erased from our system unless there are prevailing interests (for example, if there is a legal dispute).

If your inquiry is connected to the services we provide you, our lawful basis for processing data is the performance of a contract. Otherwise, our legal basis for processing these data is your consent. You may withdraw your consent at any time.

5. If You Contact Us for Other Reason

You can contact us via our email address info@private.storage for general questions or hello@private.storage to provide feedback on the product or privacy@private.storage for questions about this Privacy Notice.

We delete the data collected after the processing is no longer necessary, which is usually when we properly addressed the issue or, if applicable, after the expiry of the legally binding storage obligations, or if you object to further processing.

If your inquiry is connected to the services we provide you, our lawful basis for processing data is the performance of a contract. Otherwise, our legal basis for processing these data is your consent or - in case of general issues with our system - our legitime interest in the function of our services. You may withdraw your consent given to these data processing at any time.

6. If You Follow us on Social Media

We have a (limited) social media presence that can be accessed by clicking on the respective social media logo (e.g., GitLab, GitHub, LinkedIn, Twitter, Mastadon) on our website. If you choose to follow us on LinkedIn, Twitter, or Github, these sites may collect your personal information. We have no influence on the collected data and data procedure of any social network. If you choose to engage with us on these platforms, you should consult the privacy notices of the respective network.

7. If PrivateStorage is Sold or Acquired

If all or part of PrivateStorage is sold, merged, or otherwise transferred to another entity, your information may be transferred as part of that transaction. If that happens, PrivateStorage will take reasonable steps to make sure your information continues to be treated consistently with this Privacy Notice.

III. Transfer to Third Parties and Recipients Outside the EU

We will never sell, rent, or lease your personal data to a third party, but we do rely on sub-processors (or under the CCPA, “service providers”) to process data for the purposes we describe in Section II. Our sub-processors have a legal obligation to ensure compliance with all data protection laws, and they are also bound by further contractual provisions with us.

Some of the sub-processors process personal data outside of the EEA.

A current list of our digital sub-processors can be found in the table below:

Sub-Processors

Processor Purpose of Processing Details on Data Processed Location of Processing Legal Basis for Processing Agreement in Place?
CDRlink Handling customer support requests (Hosted) Email address, phone number, other details provided by customer. United States Consent / Contract Yes
Greenhost Cloud storage/ hosting CDRlink data The Netherlands Consent / Contract Yes
Stripe Payment processing Payment details – name, address, bank/credit card information, Stripe Token United States Contract Yes

Please note that we might change our third party digital service providers at our discretion any time without notice.

IV. Your Rights as a Data Subject

1. A Note on Data Subject Rights and PrivateStorage

Because our application is designed to be privacy-preserving and to collect the least amount of information necessary, we may not be able to fulfill all rights in all situations. For example, if you use PrivateStorage, we have no way of identifying if data about you is present in a file or folder on our system because the files are encrypted and sharded, and we do not have access to the keys to decrypt the data. We also have no way to force a data erasure request, or rectify encrypted data stored by another user. If you wish to access, delete, rectify, or export data you control as a user, the best approach is to do so directly within the PrivateStorage application itself. If you believe that someone else is storing data about you and wish to exercise these rights, you should make the request directly to that user.

2. Data Subject Rights and Support Requests

If you submit a request to us for support, or otherwise contact us via email/Signal, we can fulfill data subject requests if the data is still stored on our systems. Under the GDPR, we have one month to respond to your request.

3. Withdrawing Consent, Objecting to Further Processing and Automated Decision-Making

To the extent that we rely on your consent, you always have the right to withdraw that consent for further processing. To the extent that we rely on our legitimate interests, you have the right to object to this processing purpose, and we will cease processing, unless we can demonstrate that we have compelling legitimate grounds for further processing.

We do not engage in automated decision making.

4. Filing a Complaint

You have the right to lodge a complaint with the competent data protection supervisory authority. Our EU Representative is based in Berlin, Germany, and therefore, the supervisory authority responsible for PrivateStorage is the Berliner Beauftragte für Datenschutz und Informationsfreiheit.

Address: Alt-Moabit 59-61
10555 Berlin

Phone: +49 30 13889-0

Website: http://www.datenschutz-berlin.de

If you have any questions or complaints about this Privacy Notice or our data protection practices generally, we encourage you to contact us or our EU Representative at privacy@leastauthority.com.

V. Children's Privacy

PrivateStorage does not target nor provide services directly to children or proactively collect their information.

VI. Privacy Rights in California

The State of California requires us to post specific language related to our Privacy Notice. By default, PrivateStorage does not engage in the sale or sharing of your personal information with any third parties, aside from the service providers we have identified in this Privacy Notice.

VII. Securing Your Data

At PrivateStorage we develop usable products that advance digital security and preserve privacy as a fundamental human right.

PrivateStorage is designed to have several layers of security. We also take appropriate security measures to protect your information against unauthorized access, alteration, disclosure, or destruction. Primarily we do this by:

More details about how PrivateStorage works and how we secure your data can be found in the FAQ. If you discover or are informed of a vulnerability in PrivateStorage or this website, please submit a report to our Whitehat Program.

VIII. Cookies

If you visit our website and buy storage-time, Stripe adds the following cookies for purposes of fraud prevention and detection. These are considered strictly necessary, as payments cannot occur without the cookies being in place:

Cookie ID First Party / Third Party Expiration Category Purpose
__stripe_sid Third Party Session Strictly Necessary Fraud Prevention / Detection
__stripe_mid Third Party 1 year Strictly Necessary Fraud Prevention / Detection
m Third Party (Stripe) 2 years Strictly Necessary Fraud Prevention / Detection

IX. Changes to this Privacy Notice

We may modify this Privacy Notice at any time to comply with legal requirements as well as developments within our organization. When we do, we will revise the date at the top of this page. We will record past versions of this notice through an archive on this page. We encourage you to review our Privacy Notice whenever you use our services to stay informed.

X. Contact Information

You can contact us via our email address info@private.storage for general questions, hello@private.storage to provide feedback on the product, or privacy@private.storage for questions about this Privacy Notice or exercising your data subject rights.