privacy and data policy

tl;dr

at ente, we collect and store only the bare minimum amount of information necessary to fulfill our role as a personal data storage provider.
all of your files and the metadata related to those files are stored encrypted, and only you hold the decryption keys.
we collect no app usage metrics.
crash reports (if any) are anonymized.
you can view the complete list of information we collect here.
if you think we could collect lesser information while retaining the quality of our service, please write to [email protected].


now for the long version...

Introduction

  1. This Policy governs our processing of your "personal data" (as defined in the European Union’s General Data Protection Regulation EU2016/679 (“GDPR”)) and the way in which we deal with other data that is not personal information. The term “processing” is used as defined in the GDPR. It includes collection, storage, and all of the ways we use, and allow you to use, personal information, when we provide our services. You are the data controller under the GDPR of the personal information you provide to us as part of your Account Data (see below). Drizzle Technologies Private Limited (CIN U72900KA2020PTC133651) ("ente", "we", "us" or "our") of Flat 301, Purvi Pride Apartments, Varthur, Bangalore, Karnataka, India, 560087 is the data controller under the GDPR of all other personal information.

  2. This Policy is divided into five sections to make it easier for you to see which provisions apply to different types of data. Words and phrases which are defined in our Terms of Service (“ToS”) have the same meanings when they are used in this Policy.

  3. The sections of this Policy are:

3.1 This Introduction section.

3.2 The “Your Files” section. This covers the actual encrypted files that you upload, access and share using our services.

3.3 The “Account Data” section. This covers the metadata that is collected and generated by our systems when you use our services, and the information that you provide to us when you register and communicate with us.

3.4 The “Website Usage Data” section. This covers the data that is collected and generated by our systems when anyone browses our website.

3.5 The “General Terms” section, which applies to all our services and all types of data.

  1. The GDPR provides rights to European users, but, as a leading privacy company, we make the GDPR protections and rights available to all our users globally in respect of their personal data wherever you may live.

Your Files

  1. This is the section of this Policy that covers the actual encrypted files that you upload, access and share using our services (“Your Files”). The following specific terms apply:

5.1 When you upload a file, it is already encrypted at your device, so we do not know whether it is personal to you or someone else, relates to a business or some other organisation, or what it contains. We also generate and store encrypted previews of images, videos and certain other types of file.

5.2 All Your Files remain encrypted at all times while they are on our system. They are never received, stored or otherwise dealt with by us in unencrypted form because any decryption takes place only on your device or that of another user to whom you have provided the file/album/folder/collection keys or links that are created when you give them access.

5.3 We collect Your Files because that is necessary for us to provide our end-to-end encrypted cloud storage and collaboration services that you contract for when you agree to our ToS.

5.4 Although Your Files are not personal information within our system because you have encrypted them, you should know that we store Your Files and make them available from servers in secure facilities in Europe or in countries that the European Commission has determined to have an adequate level of protection under Article 45 of the GDPR, depending where you are based.

5.5 We keep Your Files while you are subscribed to our services but this is subject to our suspension and termination rights set out in our ToS. You should download Your Files prior to termination of services.

5.6 If you forget your password you will lose access to all Your Files.

5.7 When you delete one of Your Files it will be made inaccessible, marked for deletion and removed when the next appropriate file purging process is run, subject to any retention specifically allowed under this Policy or our ToS. After account termination, all Your Files will be marked for deletion and removed when the next appropriate file purging process is run, subject to any retention specifically allowed under this Policy or our ToS.

5.9 We may, but shall not be obliged to, keep Your Files after your account has been suspended or terminated. In particular, we may, but shall not be obliged to, keep Your Files where we consider it necessary for evidential purposes relating to a breach of our ToS or with respect to current or anticipated action by any competent enforcement authority or other third party. With respect to release of Your Files to competent enforcement authorities and third parties, see our Takedown Guidance Policy.

5.10 See also the General Terms section of this Policy which applies to all types of data, including Your Files.

Account Data

  1. This section covers account information you give us, and metadata that we generate in relation to Your Files, and your account. The following specific terms apply:

6.1 When you sign up for particular services on our website you will need to give us the details required in our registration form and will need to keep that information up to date.

6.2 When you use our services, the following information is retained in their unencrypted form:

  • Your email address to serve as a medium of communication and as an identifier for your account.
  • Your name and avatar (both optional) for notifying other users when you invite/share files with them.
  • Amount of storage consumed by your encrypted data (files and thumbnails).
  • Deletion status of your files to remove deleted files from clients who might have already downloaded them.
  • Owner, sharee relationships within folders/albums/collections to control access permissions.
  • Payment invoices provided to us by our third-party Payment Processors for verifying the validity of your subscription plan.
  • Details of referrers and people your have referred, together with the storage balance accrued, for the purposes of ente's referral programme.
  • The email addresses you choose to share an album with.
  • Your public key.
  • IP address and port information used for API calls to ensure account security, to detect data centers closest to you, and to mitigate possible DDoS attacks.
  • Browser type and operating system of the devices from which you have logged in to ente to ensure account security.
  • Timestamps when our database rows were modified as a result of an API call from your account.
  • Takedowns and account suspension history.
  • Our communications with you.

6.3 From time to time we may need to communicate with each other directly. We will use the email address you have verified in your account. You can communicate with us using the appropriate address on our contacts page. Examples of direct communications include invoices, copyright or other enforcement emails, notifications under our Takedown Guidance Policy, system update information, data breach notifications, notification of major changes to our ToS or this Policy.

6.4 Access to your account and files is by way of nominated email address and password. It is your responsibility to keep these safe and secure as ente stores the email address but does not store the password. If you forget your password you will lose access to all your data.

6.5 We will collect, store, use and otherwise process Account Data so that we can provide the services you have contracted to obtain from us under our ToS. We also have a legitimate interest in processing Account Data so that we can maintain and improve our systems and services and communicate with you as referenced in this Policy.

6.6 We retain Account Data as long as your account is active. After account suspension or termination we may, but shall not be obliged to, retain all Account Data if enforcement action is likely or commenced under our ToS or Takedown Guidance Policy or for 1 month, whichever is longer. Where there is no enforcement action likely or commenced and the 1 month period has expired, Account Data that identifies you will be anonymized, but where you are a contact of, have had a data shared with you by another ente user, those details will continue to be retained to allow services to continue for those other users. See also the General Terms of this Policy with regard to retention.

6.7 You can request to download your Account Data by reaching out to you [email protected] from your registered email address. You can also request correction of Account Data if it is considered incorrect, in accordance with the GDPR. The information will be provided or updated promptly, and at least within one month, without charge unless the request is manifestly unfounded or excessive. Corrections will be promptly considered and actioned if appropriate.

6.8 If we have disclosed the Account Data to any third party (such as a compliance authority), we will inform them of any correction where possible and will also inform the individuals about the third parties to whom the data has been disclosed where lawful and appropriate.

6.9 See also the General Terms section of this Policy which applies to all types of data, including Account Data.

Website Usage Data

  1. This is the section of this Policy that covers activity on our website (“Website Usage Data”). The following specific terms apply:

7.1 We use a privacy focussed third-party analytics service to monitor the metrics of our website. You can read their privacy policy here: https://simpleanalytics.com/privacy

7.2 See also the General Terms section of this Policy which applies to all types of data, including Website Usage Data.

Crash Logs

  1. In case our mobile or web application encounters an error, an anonymized crash report is sent to our self hosted instance of Sentry to help us detect and fix issues that may crop up. These reports help our applications stay healthy and are purged every 60 days. These reports are not connected to your account.

Server Logs

  1. All API calls to our server from your account are logged for security reasons and also to aid in debugging. These logs are purged every 60 days.

General Terms

  1. This is the section of this Policy that covers all types of data.

Basis of processing and dealing with data

  1. As noted above, we process your personal information because we have contracted with you to do so under our ToS, this Policy, and our Takedown Guidance Policy. We cannot provide our services without that data. Other data that is not personal information is also dealt with by us in accordance with our ToS, this Policy, and our x.

Giving access to other users

  1. You must ensure that anyone who has access to any of Your Files or your Account Data complies with our ToS, this Policy, and our Takedown Guidance Policy. You are responsible for their compliance.

Your own security practices are critical

  1. We strongly urge you to use best practices for ensuring the safety of your systems and devices (e.g. via unique passwords, security upgrades, firewall protection, anti-virus software, securing devices). ente will never send an email asking for your password, so do not be fooled by any such email since it will not be from us. We cannot guarantee the security of computers or devices nor of transmission from and to your device over the Internet and thus cannot guarantee there will be no unauthorised access. Also, if you lose or otherwise allow access to your password or encryption keys, you will lose the security of all your data. If you forget your password you will lose access to all your data. Using the same password for ente as you have used at other sites can lead to others accessing and taking control of your ente account if one of those other sites is breached or hacked.

Disclosure for civil or criminal enforcement

  1. If we think it is necessary or we have to by law in any jurisdiction, then we are entitled to give Your Files, any Account Data and any Website Usage Data to competent authorities. We reserve the right to assist any law enforcement agency with investigations, including disclosure of information to them or their agents. We also reserve the right to comply with any legal processes, including but not limited to subpoenas, search warrants and court orders initiated by enforcement authorities or other third parties. We may disclose Your Files, any Account Data and any Website Usage Data to enforce or apply our ToS or any other agreement we have with you, or to protect the rights, property, or safety of us or our other users, third parties or the operation of our services. For more detail on disclosure to competent enforcement authorities and other third parties, see our Takedown Guidance Policy.

Third-party services

  1. We use the following third-party services to deliver specific services to you.

15.1. Payment Processors

We use third-party services to process your payments. We will not store or collect your payment card details. That information is provided directly to our third-party payment processors whose use of your personal information is governed by their Privacy Policy. These payment processors adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council that help ensure the secure handling of payment information.

The Privacy Policies of the payment processors we work with can be accessed below:

15.2. Support Chat

We use Crisp to power our support chat interface. The data that is pushed to them is obfuscated and does not include a customer's personal information. You can find their privacy policy here: https://crisp.chat/privacy.

15.3. Feedback Collection

We use FeatureMonkey to collect feedback from users and to decide what features we should be working on. The data that is pushed to them is obfuscated and does not include a customer's personal information (like name or email). You can find their privacy policy here: https://www.featuremonkey.com/privacy.

15.4. Website Analytics

We use a privacy focused third-party analytics service to monitor the metrics of our website. You can read their privacy policy here: https://simpleanalytics.com/privacy

15.5. Backend Analytics

We use Amplitude for analyzing API access patterns. The data that is pushed to them is obfuscated and does not include a customer's personal information. You can read their privacy policy here: https://amplitude.com/privacy.

15.6. Transactional Emails

We use Zoho for sending out emails like login tokens, billing reminders, notification when an album is shared with you, etc. You can read their privacy policy here: https://zoho.com/privacy.

No Ads

  1. We will never serve you ads. Neither will we use your data for ad targeting or other commercial purposes.

No commercial sale of data

  1. We will never sell Your Files, any Account Data or any Website Usage Data. We will not disclose or otherwise provide Your Files, any Account Data or any Website Usage Data to a third party, or make any other use of Your Files, any Account Data or any Website Usage Data, for any purpose which is not specifically allowed under this Policy, our ToS or our Takedown Guidance Policy or is not incidental to the normal use of our services.

Data security

  1. Data security is very important to ente, whether that is your personal information or any other data. That is why we publish our client-side browser and mobile app software and why we have provided information in this Policy on collection and storage of all data whether or not it is personal information.

Communications

  1. We may send invoices, security or service updates and various other notices by email to the email address listed in your account or using any of our messaging systems. They will be deemed to be received in accordance with our ToS.

  2. If appropriate, some of those notices will contain unsubscribe information so you can opt out of further receipt. We will abide by any email unsubscription request (other than those we need to send for invoicing, security or service updates and other service provider purposes).

Children's Privacy

  1. Our service does not address anyone under the age of 18 ("Children"). We do not knowingly collect personally identifiable information from anyone under the age of 18. If you are a parent or a guardian and you are aware that your Child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from children without verification of parental consent, we will take steps to remove that information from our servers.

Law

  1. Subject to the rights that those in the European Union have under the GDPR, this Policy and its interpretation and operation are governed solely by Indian law. Subject to the rights that those in the European Union have under the GDPR, you, us and all users, submit to the exclusive jurisdiction of the Indian arbitral tribunals and courts as further described in our ToS and you agree not to raise any jurisdictional issue if we need to enforce an arbitral award or judgment in India or another country.

Contact and complaints

  1. Questions and comments regarding this Policy are welcomed and should be addressed to the Privacy Officer at [email protected] For a comprehensive list of contact details for Drizzle Technologies Private Limited, and each of our related or affiliated entities and payment processors, together with details of how to contact our privacy officer and data protection officer, see our contacts page.

  2. If you are in Europe or otherwise have the right to lodge a complaint with a supervisory authority, you can find contact details for our European Representative and European supervisory authority on our contacts page.

Changes to our Policy

  1. We may make changes to this Policy in the future. Any breaking changes will be notified to all users.



Last updated 24 November 2020, effective 24 November 2020.

If you have a concern about any of these terms, please write to us at  [email protected].