Cryptobox Privacy Policy
Version 10/20/2021 :
This Privacy Policy describes how your personal data is collected and processed as a result of downloading and using the application (hereafter, the "Application") required to use the Cryptobox solution.
The Application is one of the software components of the Cryptobox platform, managed and hosted by Ercom, and accessed remotely. Cryptobox is therefore a "SaaS" solution in this configuration.
When using the Application and Cryptobox hosted by Ercom, we may be required to know and process some of your personal information. We are committed to respect your privacy and the confidentiality of your personal information. This is why we have drafted this Privacy Policy.
It is important to note that a user entity (hereafter, the "Customer") subscribes to the Cryptobox service, either directly with Ercom or through an authorized third party (hereafter, the "Distributor"), for the benefit of End Users. You may use Cryptobox in a particular setting, for example if the service is provided within a larger packaged offer by an authorized Distributor or operated directly by your employer. However, this Privacy Policy does not apply to personal information that the Customer's account managers (hereafter, the "Account Managers"), who manage Cryptobox user rights and are designated by those individuals, may collect directly from users and process elsewhere.
1. Account Manager data and Cryptobox usage data
Ǫ : What Account Manager data do we possess ?
→ Essential information: first name, last name and e-mail address.
To allow subscriptions to Cryptobox, we need the first name, last name and e-mail address of the Customer’s Account Manager, in order to send him/her a link and a password by e-mail to access the Cryptobox Application.
This information is communicated to us by the Customer who has subscribed to the Cryptobox service. Designed to identify and authenticate Account Managers, this data is kept for the entire duration of the subscription.
Ǫ : What solution and service usage data do we have access to ?
→ Only usage data.
For the purpose of administering the service, we collect the following usage data from the solution (metadata):
- Connection date and time
- Actions: logins (success/failure), user management (in particular adding/deleting / modification of user(s) information), adding/deleting Account Manager(s), modifying user/Account Manager rights, security level management, entity management;
- Connection IP address
In addition, we may access license information (number of users, activation status, start date, end date) that is not personally identifiable, but may be indirectly associated with users of the service
This information is collected automatically on our servers. Designed to understand, manage and improve the use of the Cryptobox solution as well as allow Customers to manage the service, this data is kept for one year after its collection.
2. End user data (you)
Ǫ : What identifying data about you do we possess?
→ Only four first name, last name and e-mail address.
When subscribing to the Cryptobox service, a Customer sends us the first name, last name and e-mail address of each user authorized to access the service, and we invite directly authorized users by e-mail to create their account using the Application.
As such, we send a hypertext link to the e-mail address provided to verify the e-mail address and finalize your registration. In order to use Cryptobox, you must be registered, either through a list sent by Customer while subscribing to the Cryptobox service, or throughout the subscription, you may be invited by an existing Account Manager.
Then, when you first log into the Application, we need to verify that you are authorized to use Cryptobox.
For this, when you register, you provide us with only your first name and last name (we already have your e-mail address that was communicated to us by the Customer or the Account Manager) (hereafter, "Identifying Data"). We do not ask you for any other personal information. This information is mandatory in order to validate your registration.
Your access to Cryptobox may be conditional on your account being validated by an Account Manager.
When you finalize your registration, your first name, last name and e-mail address are communicated to the Account Manager to inform him/her of your registration to Cryptobox and allow him/her to validate your account.
Your personal data is also used when another Cryptobox user designates you as a trustee (hereafter, “Trustee”), i.e. the trusted person through which this user can access his/her account in case he/she has forgotten his/her password.
Ǫ : Can we see the content of your shared documents ?
→ We are not able to access the content of your shared documents.
Files uploaded or downloaded to/from Cryptobox are encrypted end-to-end
from/to your device. They are only accessible to users you have
designated yourself.
The files you store in your collaborative
workspace (hereafter, the "Workspace") are kept for the duration of the
subscription, and for a period of 30 days afterwards to allow you to
recover your files by downloading them. After this period, files are
deleted from our servers. However, if you are using an evaluation
version or trial license of Cryptobox, your documents may be kept for a
shorter duration after the end of the license, if at all! Please check
the terms of your license!
To allow you to use Cryptobox, the Application also requires the following permissions:
- “Read System Memory": Reads system shared memory (adding files to the service)
- “Write to System Memory": Allows you to write to and read from the system's shared memory (downloading files from the service);
- “Read access to contacts": Access to contacts to invite them or share documents with them;
- “Internet access": Access to the device connection status to ensure proper operation of the Application.
Q : Can we access your instant communications ?
→ No, we do not have access to the content of your communications
Your communications (instant messaging using "My Chats") with another user are encrypted end-toend. We do not have access to the content of your communications.
Q : Do bug reports allow us to collect personal information ?
→ Bug reports are not intended to allow collection of personal information.
You can provide us with information about your use of Cryptobox (hereafter, "Bug Reports") by sending us an e-mail containing information about the performance of Cryptobox or other issues.
In this case, we collect your e-mail address and possibly other personal information that you decide to communicate as part of this e-mail. We generally do not wish to possess such information, which is why we invite you to limit as much as possible personal information in your correspondence. Your email address may however be useful for us to be able to respond!
The Application also include features to automatically detect application anomalies. You have the option to manually share this information with us, or choose to automate this feature. The information sent to us is anonymous and relates to the configuration of the device and the Application.
Q : What data do we collect automatically when you use Cryptobox ?
→ Only usage data.
Usage data revealing Cryptobox usage statistics, also known as metadata, are collected by our servers.
Usage data collected :
- The date and time an action occurred (downloading/uploading files, selecting a Trustee, changing the password, etc.);
- Your e-mail address;
- The name of the server on which the action took place;
- Your IP address;
- the list of your Trustees,
- the list of people you have invited,
- the list of Workspaces in which you are a member and the name of the Wokspaces,
- your role in each Workspace,
- The first name, last name and e-mail address of users with whom you communicate:
- In a workspace
- In a conversation
This usage data is not visible in the Application but may be accessible to the Account Manager depending on the subscribed offer .
Q : Does the Application use cookies ?
The Application does not use any cookie.
Q : For what purposes do we collect your personal data ?
→ Only to provide a quality Cryptobox service!
The identifying data collected from you and, where applicable, from the Account Managers and the Customer are required for:
- Manage user identification and authentication;
- Display your first name, last name and e-mail address in the list of users of a collaborative workspace;
- Display your first name, last name and e-mail address to your contacts within Cryptobox, including instant messaging;
- Send e-mail notifications in case you have opted for this feature (e.g. to be notified of scheduled updates or service downtimes);
In addition, usage data (metadata) and any personal information you choose to include in bug reports sent to us are only used for:
- Manage and track Cryptobox usage;
- Display your details (first name, last name and e-mail address) to Cryptobox administrators as part of providing support in response of a bug report;
- Compile statistics to measure adoption and application performance;
- Measure service quality to improve user experience, through a security audit
Q : Where and how is your personal data stored ?
→ In France, complying with very high levels of security.
Your personal data is stored on servers located in France. Your data will never be transferred outside France.
Cryptobox is designed around security and privacy (security & privacy by design).
Cryptobox security is primarily based on robust encryption technology (AES 256-bit). It secures userto-user communications and file sharing between users and external partners, data storage within Cryptobox, and provides Cryptobox with robust protection.
Your personal information is stored on our servers located in France. Their logical access (with end-toend encryption) and physical access (restricted and protected access) is very secure.
Q : Who can access your personal information ?
→ Very few people...
Your identifying data and, where applicable, your Trustee status, are communicated to the Account Manager.
Other personal information resulting from your use of Cryptobox may be accessible to the Account Manager depending on the subscribed offer. For more information on access and use of your usage data by your organization, please contact the relevant services at your organization.
When the Customer does not have access to your usage data, these may be aggregated and anonymised, and provided to the Account Manager and/or the Customer responsible for your account, but these are no longer personal information!
Access to your personal information is restricted to our authorized employees, as well as our vendors bound by very demanding confidentiality agreements. In both cases, only members on a strictly need to know basis can access personal information, and can only use them for the purposes listed above.
We do not commercially exploit your data and guarantee they are not transferred to third parties other than those mentioned above, and only because it is strictly required for your use of Cryptobox.
We may however be required to provide your personal information in case of legal or regulatory obligation, or resulting from a decision of a relevant judicial or administrative authority.
Q : What is the retention period for personal information ?
→ The duration strictly necessary, no more!
We keep your usage data (metadata) and the personal information possibly contained in Bug Reports for a duration of one (1) year after their collection.
Other personal data provided for the creation of the account (specifically, your first name, last name and e-mail address) are kept for the entire duration of your rights to use Cryptobox. Once your rights have come to an end, for any reason (including deletion of your account), we may retain this data for up to one (1) year for billing purposes, facilitating subscription, and to improve user experience.
At the end of the retention periods mentioned above, all your personal information will be deleted from our servers or anonymised.
Termination of your rights to use Cryptobox does not, however, affect the information that other Cryptobox users possess about you (including messages you sent them)
Q : How do you access your personal information ?
→ By contacting us, preferably by e-mail
You have the right to access your personal information to check their accuracy and correct them as necessary. Your personal information may be updated, corrected or modified as appropriate. We will endeavor to fulfill your request as soon as possible, but this right should not be exercised in an exaggerated or abusive manner.
You also have the right to request a copy of your personal information
You also have the right to oppose or limit the processing of your personal information, to withdraw your consent to their processing, as well as request the deletion of your personal information. Note, however, that exercising this right may affect your ability to use Cryptobox.
You can exercise this right in association with your personal information by contacting us by e-mail at: dpo@ercom.fr.
If, after contacting us, you believe the rights regarding your personal information have not been enforced or if you believe their processing does not comply with privacy protection rules, you may file a complaint with a supervisory authority, such as CNIL in France.
Q : Your consent
By using the Application, you agree that we may collect and process the information you provide us in accordance with the provisions of this Privacy Policy.
We may amend this Privacy Policy at any time, in which case we will notify you of such changes through in-app notifications.
By continuing to use the Application after being notified of changes to the Privacy Policy, you agree to such changes.
Q : Contact us
If you have any questions, comments or requests regarding this Privacy Policy, please contact :
Ercom
6 rue Dewoitine, Immeuble Rubis
78140 Vélizy
France
Tel: +33 1 39 46 50 50
E-mail: dpo@ercom.fr
Last modification: 10/20/2021 (Version 4)