Policy as of November 9, 2022
PrivateStorage.io Inc. (“PrivateStorage”, “we”, “us”) is committed to protect your privacy while you use PrivateStorage’s website, products and/or services. We want you to understand what information we collect about you, how we collect it, how that information is used and what choices you have with respect to the information. Below is our Privacy Policy which applies to all the interactions you have with PrivateStorage. However, this Privacy Policy does not apply to any third-party applications or software that integrate with our services through our website, or any other third-party products, services or businesses.
The Data Controller of our website https://private.storage/ and its associated services is PrivateStorage.io Inc., 2009 Mackenzie Way, Suite 100, Cranberry Twp, PA 16066.
The EU representative of PrivateStorage is Least Authority TFA GmbH, Thaerstraße 28a, 10249 Berlin, Germany.
We operate this website in order to provide you with information about our products and services, and to provide you our services.
1. Visits to the Website
You may use our website for purely informational purposes without disclosing your identity. In order to display the website to you, only access data is transmitted to our provider.
The PrivateStorage website is currently hosted on AWS servers which are based in the EU. We do not ask AWS to log anything. Read more about AWS privacy policy here: https://aws.amazon.com/privacy/ and its GDPR compliance here https://aws.amazon.com/compliance/gdpr-center/.
PrivateStorage uses an open-source web analytics program with a strong privacy focus, called Matomo. It informs us about how visitors use our website. PrivateStorage collects anonymous statistical data about the use of its website to optimize its online presence and for marketing and sales purposes. Only the first 2 ‘bytes’ of your IP address are being stored which makes it harder to link your current visit to this website to future visits, and to determine your exact location.
The information Matomo (https://matomo.org/) collects is:
The Matomo software runs exclusively on the server of our website. A storage of the personal data of the users only takes place there. The data will not be passed on to other third parties. Please read Matomo’s full privacy policy under https://matomo.org/privacy-policy/.
You can opt-out of visitor data collection by Matomo by enabling the Do-Not-Track option in your browser. Visit http://donottrack.us/ to learn how.
All access data will be deleted as soon as they are no longer required for the purpose of their processing, at the latest 120 days after the collection.
The legal basis for the processing of the data listed above is provided in Art. 6 para. 1 (f) GDPR. Our legitimate interest is to ensure the functionality, the integrity and security of the website.
You can object to the processing at any time on grounds relating to your particular situation. You can send us your objections via the contact data mentioned at the end of this Privacy Policy.
2. Cookies
We are not using any cookies, including technically necessary cookies. Please be aware that Stripe, our online payment processor, is using cookies. Please read more under “Payments to PrivateStorage” in this policy.
3. Social Media
On our website we do not use social network plug-ins. However, we have a social media presence that can be accessed by clicking on the respective social media logo (e.g., GitHub, LinkedIn, Twitter, YouTube) on our website. No personal data is sent to the social networks before you click on the logos or links which take you to the social network’s website.
We have no influence on the collected data and data procedure of any social network. Further information on the purpose and scope of data collection and processing of the respective network can be found in the data protection declaration of the respective network. There you will also find further information on your rights and settings to protect your privacy, when using social networks. Please note that personal data is processed by social networks not only if you are logged in, but personal data, such as your IP address can also be processed even if you do not have a social media account. We process your data with the utmost care, but assume no liability for the behavior of the operators of the social networks or third parties.
4. Notify Me List
The PrivateStorage website offers the possibility to be notified when we release our product to the general public. To send out the notification email we are planning to use Google's gmail. Please read more about Google's data protection under https://policies.google.com/privacy?hl=en-US. To sign up for the notification, providing us with an email address is sufficient. If you submit your email address, we will use and keep it only to notify you when the product is released. After we send you an email with that notification, we will permanently delete your email address and any communication with you.
The legal basis for this processing is your consent, Art. 6 para. 1 (a) GDPR. If you wish to no longer receive the notification email, you can inform us by emailing us at info@private.storage.
5. Contacting Us
You can contact us via our email address info@private.storage for general questions or hello@private.stroage to provide feedback on the product or privacy@private.storage for questions about this privacy policy.
We delete the collected data that we collect when you contact us, after the processing is no longer necessary, which is usually when we properly addressed the issue or, if applicable, after the expiry of the legally binding storage obligations, or if you object to further processing.
The legal basis for processing these data is your consent (Art. 6 para. 1 (a) GDPR), or - in case of general issues with our system - our legitime interest in the function of our services (Art. 6 para 1 (f) GDPR). You may withdraw your consent given to these data processing at any time. If the data processing is based on our legitime interest in the function of the services, you can object to the processing based on reasons arising from your particular situation.
6. Support Request
You can contact us via our email address support@private.storage or via Signal, an end-to-end encrypted messaging platform (without email address) for support requests. Your personal data transmitted with the email will be stored, but only used for the process of our conversation.
To manage your request, we are using CDR Link (https://digiresilience.org/solutions/link/). To learn more about its privacy policy please read here https://digiresilience.org/about/privacy/.
We will keep your data transmitted to us until 7 days after the closure of the issue. After 7 days, the closed issue and the corresponding email address will be erased from our system unless there are prevailing interests.
The legal basis for processing these data is your consent (Art. 6 para. 1 (a) GDPR), or - in case of general issues with our system - our legitime interest in the function of our services (Art. 6 para 1 (f) GDPR). You may withdraw your consent given to these data processing at any time. If the data processing is based on our legitime interest in the function of the services, you can object to the processing based on reasons arising from your particular situation.
If your inquiry is connected to our services for you, the legal basis for processing your personal data is the performance of a contract, Article 6 para. 1 (b) GDPR.
7. PrivateStorage Services
When using our PrivateStorage services, you do not need to create an account. Instead, files stored are accessed through the use of special codes known as capabilities, not using passwords or email addresses. Thus, when you connect to the PrivateStorage service for the first time, the PrivateStorage desktop application will generate and store locally on your device the cryptographic capability needed to access and recover data stored on our servers. Please create and save this Recovery Key (including a backup) as we will not have access to it for support purposes or any other reason. Thus, we do not have the ability to decrypt and/or read your stored data. We also cannot link any encrypted data stored with us to any individual. Read more about this on the Features Page.
In addition, in normal use of PrivateStorage, we do not log anything about your use of our service. In exceptional circumstances, such as when a potential problem with data integrity is detected, our server may automatically create an "incident log", which can contain information like file size, and your IP address. We use this information to understand and address possible errors in our service. We keep these logs for 30 days and then delete them.
You can render your data inaccessible by following the instructions in our FAQ. We cannot help you do this, because we cannot determine which encrypted data corresponds to which customer. We also do not have customer lists so we also cannot confirm if you are a customer or not.
The legal base for the processing necessary to store your encrypted data is the performance of a contract (Article 6 para. 1 (b) GDPR), or in case of a potential problem, our legitime interest in the functionality of our services (Article 6 para. 1 (f) GDPR).
8. Payments to PrivateStorage
When you buy PrivateStorage storage-time, your payment information gets sent to our payment provider Stripe to process the payment. This information includes payment method information (such as credit or debit card number), purchase amount, date of purchase, your name, billing address, your IP address, operating system, browser, and device. In some cases, Stripe uses your transaction history to authenticate you. In addition, Stripe may collect personal information about you from other sources. Some of the data collected by Stripe is to comply with US and other national “Know Your Customer” laws. For more details, please see Stripe’s Privacy Policy.
Although we do not store this information and do not want to be able to access it, Stripe provides us access to it through their administrative interface. At the moment, Stripe does not offer us a way to disable such access. Instead, we have implemented an internal policy of least privilege access to a limited (less than 3) employees. Additionally, while it may be possible to verify that you submitted payment for our system, it is impossible for us to verify whether you have ever used the system to upload or download any data. If you have uploaded or downloaded any data, it is also impossible for us to associate you with that data.
On our side, we record the voucher number used to generate the payment, the Stripe token, currency, amount, and when a transaction took place (date and time). We use this information for business accounting and administration purposes. We retain this information until the voucher is completely spent and additionally, as long as legally required. We cannot link this information to individuals spending their storage-time.
Since this data processing is necessary for the performance of our service contract, the legal basis is Article 6 para, 1(b) GDPR. Insofar as the processing is also necessary to comply with legal obligations, the legal basis is Article 6 para. 1 (c) GDPR.
We will never sell, rent, or lease your personal data to a third party, but we may share collected information for the purposes described in this Privacy Policy with third parties that help us to provide, improve, promote or support our services, that help with our business operations and assist in the delivery of our services, for example, payment processors, hosting services, content delivery services, etc., in a manner that is consistent with this Privacy Policy. We may also share information with third parties if required to do so by law or if you violate our contractual relationship. Our service providers have a legal obligation to ensure compliance with all data protection rules, and they are often also bound by further contractual provisions on data protection.
We only transfer personal data to third parties if we have a legal permission to do so, in particular if you have given consent to such a transfer, if the transfer is necessary for the provision of our services, if the transfer is required by law in this context, or if we have a necessary legitime interest (see Art. 6 para 1 (a), (b), (c), (f) GDPR).
Here are some examples of digital service providers we use to perform our work. Please note that we might change our third party digital service providers at our discretion any time without notice.
Insofar as the processing is based on Art. 6 para. 1 (f) GDPR, you have the right to object to the processing. You can revoke any consent you may have given at any time. You can send us your objections or revocation of your consent via the contact data mentioned at the end of this Privacy Policy.
We may disclose aggregate, non-identifying information about how our users use PrivateStorage products. For example, we may disclose the total amount of storage-time sold, or the total amount of storage space used.
If all or part of PrivateStorage is sold, merged, or otherwise transferred to another entity, your information may be transferred as part of that transaction. If that happens, PrivateStorage will take reasonable steps to make sure your information continues to be treated consistently with this privacy policy.
PrivateStorage does not provide services directly to children or proactively collect their information. If we discover that a child has provided us with personal information, we will promptly delete such information from our systems.
For additional information on Children’s Online Privacy Protection Act (COPPA) protections, please see the FTC website at: https://www.consumer.ftc.gov/articles/0031-protecting-your-childs-privacy-online
In the case of a personal data breach, we will without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons (Art. 33 GDPR). When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, we will communicate the personal data breach to the data subject without undue delay (Art. 34 GDPR).
However, please note that your personal data stored with us has been encrypted locally on your device before it has been transferred to our servers. So, your personal data cannot be decrypted or read without the Recovery key. Please be aware that you are the only person that has the Recovery key for your stored data. This means that in case third parties receive unauthorized access to our server, they cannot decrypt or read your data without having your Recovery key.
You can request from PrivateStorage at any time
Restriction of the processing of your personal data where one of the following applies:
You can revoke your consent once given to us at any time. As a result, we stop the data processing based on this consent in the future (Art. 7 para. 3 GDPR).
If we process your data pursuant to a legitimate interest or a legitimate interest of a third party (Art. 6 para. 1 (f) GDPR), you can exercise your right to objections in accordance with Art. 21 GDPR. Please direct any such request to privacy@private.storage.
As soon as we receive any request from you, we will process it. Please be aware that it might take some time for the process to be reflected across all our systems.
You have the right to lodge a complaint with the competent data protection supervisory authority (Art. 77 GDPR). The supervisory authority responsible for Berlin, Germany is: Berliner Beauftragte für Datenschutz und Informationsfreiheit, with its address Friedrichstr. 219, 10969 Berlin, Germany, and its phone: 030/138 89-0. Please find its homepage here: http://www.datenschutz-berlin.de.
If you have any questions or complaints about data protection at PrivateStorage, we encourage you to contact us at privacy@leastauthority.com.
The Private.Storage website may contain links to third party websites (companies or organizations other than PrivateStorage). PrivateStorage is not responsible for the privacy policy or the content of the website of any third party. We would strongly recommend carefully reading the privacy statements of third parties’ websites.
The State of California requires us to post specific language related to our privacy policy. By default, PrivateStorage does not share your private information with any third parties aside from the disclosures already made in this privacy policy. However, if you wish to inquire into how PrivateStorage does not share our user's private information with third parties for direct marketing purposes, you may contact: privacy@private.storage.
We are committed to protecting the information that we receive from you. We take appropriate security measures to protect your information against unauthorized access to or unauthorized alteration, disclosure, or destruction of data.
PrivateStorage must comply with all applicable laws and regulations, including, but not limited to those of the European Union, Germany and the USA. For this reason, we may have to collect, process and retain your details for an extended period of time as a legal obligation (see Art. 6 (1) (c), GDPR).
We delete your personal data as soon as they are no longer required for the purposes pursued by the processing and as long as there are no conflicting legal storage obligations.
At PrivateStorage we develop usable products that advance digital security and preserve privacy as a fundamental human right. Since the inception of the company, we have been continuously working to build products and provide services that protect your data and your right to privacy.
PrivateStorage products are designed to have several layers of security.
While the transmission of data across the internet is never fully secure, we must inform you that we cannot guarantee that unauthorized third-parties will never be able to work around our internal security. PrivateStorage is offered to you at your own risk, and you are responsible for taking reasonable measures to secure your Recovery key (such as maintaining the confidentiality and integrity of your key).
If you discover or are informed of a vulnerability in PrivateStorage, we would appreciate any report you submit to our Whitehat Program available at https://private.storage/whitehat-program/.
Consistent with Article 25 of GDPR (“Data protection by design and default”), we believe in security by design and security by default. Our software designs are inspired by end-to-end security and the “principle of least authority” (PoLA), a security best practice requiring system components to only have the privilege necessary to complete their intended function and not more.
We may modify this privacy policy at any time to comply with legal requirements as well as developments within our organization. When we do, we will revise the date at the top of this page. Each visit or interaction with our services will be subject to the new privacy policy. We will record past versions of this policy through an archive on this page. We encourage you to review our privacy policy whenever you use our services to stay informed about our policies. By using our services, you acknowledge and agree that it is your responsibility to review our privacy policy to be aware of modifications.
PrivateStorage values and welcomes questions, concerns, and feedback about our service and this privacy policy. If you have feedback about the privacy policy, please send it to privacy@Private.Storage, any other feedback please send it to info@Private.Storage.