Updated: April 28th, 2021
- At Ciphr, our mission is to empower people to protect and optimize their digital privacy. We create applications that allow people to communicate freely without compromising their privacy.
- We do not have access to any of your communications. Our end-to-end encrypted infrastructure ensures that any communication passing through our network remains private, only you and your contacts have access.
- We do not associate personal information such as email address or phone number to Ciphr accounts and will not collect any information without your consent.
- We believe in transparency and want you to know how we handle the limited personal information we may collect. This data is collected in order to provide our secure communication services (Services) or to allow you to interact with our website located at https://ciphr.io/ (Website).
1. Security FOR COMMUNICATION DATA
Ciphr takes its commitment to protect the security and privacy of your personal information seriously. Our security measures aim to maintain data accuracy and to protect your personal information from losses, theft or unauthorized access, disclosure, copying, misuse or modification.
Keeping your information safe: We care about the security of your information and employ safeguards designed to preserve the integrity and security of all information transmitted through our Services. Our algorithmic process ensures that all communication data sent through our Services is end-to-end encrypted to ensure that your encoded communication is delivered to the recipient securely. Only the recipient has access to a unique decryption key to transform the coded information into a readable text.
The integrity of your communication is assured during its transit because Ciphr uses:
- end-to-end encryption protocols that verify integrity, i.e. protect against modification by an attacker.
- transport layer security with pinned certificates, such that it would be very challenging for a man-in-the-middle to inject malicious certificates into the device’s trust store and/or decrypt traffic or modify any data in transit.
Ciphr’s security measures also include:
- ensuring server authentication and data encryption using Secure Sockets Layer technology (SSL) when Services are accessed via the Internet;
- maintaining a strict control of the residual data retained on Ciphr’s servers;
- limiting access to the actual data transmitted to only you and its intended recipient; and
- locating Ciphr’s platform and servers in various data centers and deploying them at random. Ciphr may use, among other things, content delivery networks and proxies to mitigate threats.
To increase the privacy of your data, please keep in mind that:
- the information (including documents and attachments) you send to your contacts may remain on their device(s) even after you deleted it from your own device(s), depending on the parameters selected for such transmission or whether, for example, the recipient(s) took a photo or otherwise recorded it;
- when sending or receiving any information, you should validate the identity and trustworthiness of the recipients; and
- you should take security measures to ensure that the confidentiality of the information you send or receive is preserved after the transmission.
2. PAYLOAD SECURITY
Our Services retain as little data as possible for as little time as possible. The communication data transmitted on the servers (Payload) using our Services is end-to-end encrypted before its transmission to Ciphr servers and relayed to the recipient’s device, such that Ciphr cannot have access to your conversations through our communication services. The Payload is automatically deleted as soon as it is successfully delivered to the recipient. In the event the Payload cannot be immediately delivered, it is only temporarily stored on Ciphr’s servers until the sooner of its successful delivery to the recipient or 14 days, after which it is automatically purged.
Temporary payload storage and transfer: Your encrypted communication information may be stored temporarily in any country in which Ciphr’s or its service providers’ servers are hosted, for the purposes of facilitating and securely completing your communication through the Services. Please note that we may transfer information to a country and jurisdiction that does not have the same data protection laws as your jurisdiction, including any country in which Ciphr or its affiliates or service providers maintain servers or facilities.
Security protocols: Your encrypted communications can only be decrypted with a private encryption key, which is only held by your intended recipient(s). In the unlikely event that personal information under our control is compromised as a result of a breach of security, we will take reasonable steps to investigate the situation and, where appropriate, notify those individuals whose information may have been compromised and take other appropriate steps, in accordance with any applicable law.
3. AUTOMATICALLY COLLECTED INFORMATION
Automatic collection of limited information is required to ensure the reliability of access to the Service. When you download, access, or use the Services, we may automatically collect the following information depending on your Ciphr version:
Ciphr Lite (App Platforms)
- Last login
- Device model
- App version
- Operating system version
Accessing Ciphr through our mobile device management (MDM) deployment provides you with additional security measures such as a virtual private network (VPN) and strict information technology (IT) policies to increase data protection. This requires additional information to facilitate access to the Services:
- Crash logs
- Device model
- Network state
- SIM#, IMEI#, IMSI#
- Mobile network information
Ciphr’s applications leverage an on-premise crash reporting system in order to gather application performance and crash data, which does not contain any personal information. Additionally, Ciphr’s applications allow you to trigger a reporting feature which contains application stack traces and information regarding events that occurred prior to and after a crash. Such a report also contains a plain text comments string allowing you to report comments related to the issue.
If any bug or error occurs, we may collect diagnostic information about your device. We use this additional information to enhance the security controls around the access to the Services and to resolve the bugs and errors that may exist. Diagnostic information includes:
- Last login
- Device model
- App version
- Operating system version
- Time zone
- Battery level
- Free memory
- Screen resolution
4. USER-PROVIDED INFORMATION FOR ACCESS TO SERVICES
We do not associate personal information such as email address or phone number to Ciphr accounts. No user information is required for account creation and Services access. Should we have access to any personal information about you from third-party sources, such as online application stores and platforms, we will not correlate such information with any account you create to use and access the Services.
Ciphr account information: To provide you with access to the Service and to facilitate communication between Ciphr contacts, Ciphr stores your randomly generated Ciphr Identification Number (CID), Alias information, and/or Ciphr Mail email address. Since we do not collect personal information for account creation, Ciphr Identification Number (CID), Alias information, and/or Ciphr Mail email address is not associated with any personally identifiable information. Ciphr will also request your password for entry to the application. We do not store passwords on our servers.
Payment information: Only if and when purchasing any fee-based feature of the Services, you may provide payment information to us or a third-party payment provider. We do not store your payment information.
5. USER-PROVIDED INFORMATION FOR COMMUNICATING WITH CIPHR
Data storage and transfer: Any information which you submitted for the purposes of communicating with Ciphr may be stored in any country in which Ciphr’s or its service providers’ servers are hosted. Please note that we may transfer information to a country and jurisdiction that does not have the same data protection laws as your jurisdiction, including any country in which Ciphr or its affiliates or service providers maintain servers or facilities.
Retention of your information. We will only retain voluntarily submitted personal information for as long as necessary to fulfil the purposes for which we received it, for the purposes of our legitimate business interests and for satisfying any legal requirement.
6. INFORMATION PROVIDED BY OUR Ciphr reseller PARTNERS
Our reseller partners (Ciphr Reseller Partners) may share Ciphr account details like Ciphr ID (CID), Ciphr Mail email address, or subscription details, with us so that we can deliver support services, update, upgrade or otherwise improve the Services, or to develop new services. Ciphr Reseller Partners are not required to disclose personally identifiable information with us unless otherwise required by applicable law. Please note that our Ciphr Reseller Partners are required to comply with applicable privacy and data collection laws.
Privacy policies of third-party partners: We also engage with certain third-party partners, who share our profound dedication to the protection of privacy, to help us improving our Services. We use an email marketing platform on the Website to create and manage mailing lists, newsletters and automated marketing campaigns. We also use an open source, self-hosted web analytics application that tracks online visits to websites and displays reports.
Our Website may collect information only in connection with your browsing activity, as opposed to your use of our Services. We may collect for internal evaluation of the performance of our Services information about your device, browsing actions, and patterns such as: (i) usage details (including but not limited to traffic data, and the resources you access and use through our Website); and (ii) device information (including IP address, operating system and browser type).
8. LIMITING COLLECTION OF ALL USER DATA
9. DO WE DISCLOSE YOUR DATA TO THIRD PARTIES?
We do not sell any data and we do not disclose your personal information to any third parties, unless required to provide you with the Services or by applicable law.
If you obtained our Services through any of our Ciphr Reseller Partners, please note that we may disclose limited information to the extent necessary with our Ciphr Reseller Partners that facilitate the provision of the Services (e.g. by providing assistance with respect to the maintenance and development of our Services).
10. TERMINATION OF YOUR ACCOUNT
11. law enforcement
Our Services must be used solely for lawful purposes, in full compliance with applicable laws. While Ciphr is committed to protecting your privacy and security, we may be required by applicable law to disclose personal information to law enforcement authorities. However, we will only release the information requested by law enforcement authorities when compelled to do so by court order, warrant, subpoena or other legal authority issued by a court or competent authority, in compliance with applicable laws.
12. miNimum age
We recognize the importance of protecting the privacy and safety of children. The Services are not intended for minors, who should not use the Services.
13. YOUR DATA RIGHTS
We are committed to respecting the highest standards on data protection and privacy and, as such, this section applies to all users of our Services around the world, and not only to users in the European Union.
Data Controller: Ciphr is the data controller for the processing of your Personal Information (as defined in the European Union General Data Protection Regulation (GDPR)).
Your Rights. You have the following rights in relation to your Personal Information, under certain circumstances:
- Right of access: If you ask us, we will confirm whether we are in possession of Personal Information about you and, if so, provide you with a copy of that Personal Information along with certain other details. If you require additional copies, we may need to charge a reasonable fee.
- Right to rectification: If your Personal Information is inaccurate or incomplete, you are entitled to ask that we correct or complete it. If we shared your Personal Information with others, we will tell them about the correction where possible. If you ask us, and where possible and lawful to do so, we will also tell you with whom we shared your Personal Information so you can contact them directly.
- Right to erasure: You may ask us to delete or remove your Personal Information, such as where you withdraw your consent. If we shared your data with others, we will tell them about the erasure where possible. If you ask us, and where possible and lawful to do so, we will also tell you with whom we shared your Personal Information with so you can contact them directly.
- Right to restrict processing: You may ask us to restrict or ‘block’ the processing of your Personal Information in certain circumstances, such as where you contest the accuracy of the data or object to us processing it (please read below for information on your right to object). We will tell you before we lift any restriction on processing. If we shared your Personal Information with others, we will tell them about the restriction where possible. If you ask us, and where possible and lawful to do so, we will also tell you with whom we shared your personal information so you can contact them directly.
- Right to data portability: You have the right to obtain your Personal Information from us that you consented to give us or that was provided to us as necessary in connection with our contract with you, and that is processed by automated means. We will give you your Personal Information in a structured, commonly used and machine-readable format. You may reuse it elsewhere.
- Right to object: You may ask us at any time to stop processing your Personal Information, and we will do so:
- If we are relying on a legitimate interest to process your Personal Information -- unless we demonstrate compelling legitimate grounds for the processing or we need to process your data in order to establish, exercise, or defend legal claims; and
- If we are processing your Personal Information for direct marketing. We may keep minimum information about you in a suppression list in order to ensure your choices are respected in the future and to comply with data protection laws (such processing is necessary for our and your legitimate interest in pursuing the purposes described above).
- Right to withdraw consent: If we rely on your consent to process your Personal Information, you have the right to withdraw that consent at any time. Withdrawal of consent will not affect any processing of your data before we received notice that you wished to withdraw consent.
- Right to lodge a complaint with the data protection authority: If you have a concern about our privacy practices, including the way we handled your Personal Information, you can report it to the data protection authority of the country in which you are located.
Please see the “Contacting Ciphr” section below for information on how to exercise your rights.
14. AccessING, correcting and updating PERSONAL information
Requests for access to, or for necessary corrections, additions or deletions of, personal information in accordance with applicable laws may be made by contacting Ciphr by email at firstname.lastname@example.org. We will respond to your request as quickly as possible and will need to verify your identity before providing you with access to the personal information we hold about you. In some cases, we may be unable to accommodate your request if we are unable to verify your identity, if we are prohibited by law, if disclosure would result in the disclosure of the personal information of others, or if the request is unreasonable or impractical. If we are unable to process your request for these or any other reasons, we will provide you with an explanation of the reason for denial, and you will be permitted to request a review.
15. notifications AND WITHDRAWING OF CONSENT
Ciphr may communicate with you to inform you about changes, important information with regard to the Services, information we believe may interest you, or with your consent. Ciphr will generally use the same means of communication you chose to contact Ciphr or the preferred means specified by you. You can always unsubscribe from any promotional e-mails.
If you are a registered user of our messaging service, you may receive notifications in the notifications section within the applications. With your consent, we may send push notifications or alerts to your mobile device even when you are not logged in. At any time, you can manage your push notification preferences or deactivate these notifications at any time by turning off the notifications settings in the device settings of your mobile device.
17. Contacting CIPHR