1 – Presentation
We intend to consolidate the relationship of trust and proximity that we have with all these stakeholders through the provision of simple and transparent information about the purpose, means and legal basis for the processing of Personal Data.
This policy is drafted and implemented in compliance with the European Union General Data Protection Regulation no. 2016/679 (hereinafter GDPR), in force since April 2016 and of mandatory implementation since 25 May 2018.
2 – Our Commitment
Security, transparency and privacy are key values for our company and are reflected in the DNA of our product; they are present in the processing we do of your Personal Data, whether it is at the level of collection, registration, organization, structuring, conservation, adaptation or alteration, recovery, consultation, use, disclosure by transmission / dissemination or availability, comparison or interconnection, limitation, deletion or destruction.
We want you to feel confident that your Personal Information is safe with us, as we will always be committed to protecting your privacy, and we take our responsibilities for the protection of your Personal Information very seriously.
3 – Who are we and how can you contact us?
We are 3NCRYPT3D Messaging Services, Lda and our address is:
Lake Towers – Edifício D
Rua Daciano Baptista Marques, 245 – 2º
4400-617 Vila Nova de Gaia, Portugal
If you have any questions about how we use your Data or if you wish to exercise any of your rights as a Data Subject described later in this document, you may also contact us at firstname.lastname@example.org.
We understand that the quantity and quality of the Data we hold does not justify the existence of a Data Protection Officer as we have opted for minimal collection of Personal Data.
4 – What is Personal Data?
5 – Personal Data:
- In what way/under what circumstances do we collect them or access them?
- What data do we collect or access?
- To what end do we do it?
- What is the legal basis for data collection?
- For how long do we keep your Data?
The answers to these questions are stated below, in the presented order:
As a visitor to our site
In order to function properly, our website needs to install so-called cookies on your device. These are small text files, associated with the browser through which you have accessed it, which store information that allows us to optimize your browsing experience.
Cookies on our website do not run any program, do not transmit viruses or collect information to identify the user; they only store generic and anonymous information related to the user’s browsing preferences and also allow for traffic analysis, research and remarketing.
This will help us to improve our sites and provide you with a better service and online experience. Being located on your device, cookies may be deleted at any time by you, and how you can do so will depend on the device and browser you are using.
As an interested person about our service
We consider you interested in our service when:
- You subscribe to our newsletter on our website or a landing page associated with it;
- If you register for events, training or activities that we may promote or take part in;
- You make a support request to us through the support centre.
In order for any of the above to be possible, we need to collect, separately or cumulatively, the following Data:
- Your name;
- Your e-mail address;
- Your telephone number (optional).
For the purpose of confirming your registration, your record will be saved together with the date and time of registration.
The purpose of collecting this data to allow us to respond to your questions or, if applicable, do direct marketing by communicating our news to you through our newsletter or other means that we may deem convenient. The lawfulness for this processing is obtained through your express consent, in a duly informed manner, via double opt-in.
This Data will be stored indefinitely until, on your own initiative, you choose to withdraw your consent for us to communicate with you. You can do this through the unsubscribe link at the end of each newsletter or via email to email@example.com.
If you contact us through a form our website or through the contacts available, as a potential customer or in any other quality
If you contact us for clarification of any doubt, we will place this contact within the contractual or pre-contractual framework. In order to be able to provide an answer and follow-up on that requests, we will need to access some of your Personal Data, including name, e-mail and, if applicable, phone.
If you contact us normally via social networks, and unless you indicate otherwise, the communication will always be maintained on the contact platform chosen by you (eg: Facebook, linkedIn …). If your contact is understood as an explicit request for information or support, that contact will automatically be forwarded to our Helpdesk platform mentioned in point 8 of this Policy, below.
If your contact raises a support ticket on our Helpdesk platform, the Privacy and Cookie policies of the platform in question will apply, as listed in Section 8 of this Policy. Naturally, you can exercise all your rights within the scope of the management of your data by contacting us through the means provided in Point 3 of this Policy.
This Data will be stored for a maximum of two years after the last contact.
As our client
- Direct client – if you purchased your 3NCRYPT3D service subscription on our site;
- Through our partners – your subscription is made on our site but through an access code or link that was provided to you by one of our partners, duly identified by all parties involved.
In both cases mentioned, the data we need and the purposes for use are:
Provided by you:
- First and Last Name – identifies you in email messages sent to you. These messages are related to the use, maintenance, configuration and security of your account on our service. This is also the name that will appear as the sender of the automated messages that your recipients will receive from us;
- Username – identifies you on our system and allows you to login to the service. Ultimately, it is the e-mail address you will provide when you create your account and cannot be changed for technical and security reasons;
- User e-mail – allows the proper operation of our service, through the sending of login requests (heartbeat), as well as all necessary communications related to the use, maintenance, configuration and security of your account. Additionally, and assuming that you may be interested in the updates and news about our service, it may be used to send you targeted informational email messages;
- “Hashed” value of your email address – In the event that a user lets the trial period expire without subscribing our service their account will be deactivated, and kept in that state for 60 days. After that period it is deleted. However, we will indefinitely store a “Hashed” value of the user’s email address. This procedure is necessary to prevent the same user from creating successive demo accounts, making abusive use of our systems without subscribing to the service. The algorithm we use to create the “Hashed” value of the email address is SHA256 and, since the “Hashing” process is unidirectional, it is impossible for us to infer the original email address from the “Hashed” value we keep. This way, the user’s email address is protected from any authorised or unauthorised use.
- Recipient’s (Contact’s) name – necessary to identify the recipients of your messages in the e-mails they will receive, as set by you, allowing them to confirm that the message is in fact addressed to them;
- Recipients’ e-mail addresses – necessary for our service to be able to fulfil its purpose, which is the delivery of messages to the people you select. Depending on the circumstances set by you, we will send your messages to the recipients. The responsibility for the content of your messages is yours alone. We reiterate that we do not have any way to access your messages, which are encrypted by an encryption key that only you possess. As such, in this context, we do not consider them Personal Data.
- VAT Number and/or postal address – required for billing purposes, if the customer requires an invoice to be valid for tax purposes.
Data observable by us / meta-data:
All the data described below is intended to measure performance, provision of the service, protection against external attacks, confidentiality of your messages, and your account’s protection.
This data is collected, processed and maintained automatically by our service and will only be manually accessed in case of unavoidable need by our technical staff, to provide user support, for example. This data is:
- Application code;
- Unique identifier of the authorized devices;
- Operating system, and version, of the authorized devices;
- Date and time of logins to the service;
- IP addresses from which the login were made;
- Browser type and version;
- Hostname (device name);
- Account status;
- Subscription type;
- Subscription history;
- Partner affiliation, if applicable;
- Created Contacts;
- Number of saved messages and respective recipients;
- Delivered messages, their recipients and the date and time of delivery;
- Messages delivered for the purpose of confirmation of death, their recipients, date and time of delivery and the answer provided by the recipients.
All Data listed in this section is associated with your account and stored, fully encrypted, on our database servers. These data are treated for the purposes of compliance with the contractual relationship and are the minimum necessary to provide our service with the strictest safety standards.
With this context in mind, we remind you that sending of e-mail messages and notifications is an integral part of our service and, as such, you cannot unsubscribe from them as it would prevent us from providing our service to you, rendering contractual relationship unfeasible. The only exception to this is the sending of newsletters. We will send you newsletters based on our legitimate interest; because we want you to make the most of your 3NCRYPT3D subscription, we understand that cancelling it would be inconvenient to you. However you may cancel the subscription to our newsletter via the link at the bottom of the message. You can also ask us to unsubscribe you by the means listed above.
As our Customer, with the exception mentioned in the next paragraph, we will only keep your account data for as long as your subscription is active plus a 60-day grace period, in case you wish to reactivate your subscription without losing the information previously saved. After this time, all the data in your account will be deleted by an automated routine.
If you actively and definitively decide to delete your account, you can do so in your account’s control panel at https://account.3ncrypt3d.com. In this case, all your personal information as well as contacts, messages and files will be deleted immediately, after you complete the 3 levels of validation: account login, PIN code validation, and clicking a link sent to your registered email address.
Due to the sensitive nature of the service we provide, and in our legitimate interest, we will keep historical metadata of the activities that have taken place in your account for 24 months following its expiry, cancellation or deletion, in order to resolve any disputes that may arise from the use of our service. These metadata are:
- Unique identifier of the authorized devices;
- Operating system, and version, of the authorized devices;
- Date and time of logins to the service;
- Meta-information on delivered messages, their recipients and the date and time of delivery;
- Meta-information on Messages delivered for the purpose of confirmation of death, their recipients, date and time of delivery and the answer provided by the recipients.
- Email Address Hash
Please note that in these cases the account contents – messages and files – has already been deleted, we only save meta-data about the events in your account. Where applicable, your tax data we retain will be kept for the legal periods set out in Portuguese law. We also remind you that, in order to be our Client, all we need from you is a name and an e-mail address; if confidentiality is an essential factor for you, you can create a name and an e-mail address that are not identifiable. It is essential, however, that:
- You have an e-mail address associated with an account in any of the App Stores where we host our application, in order to download the application;
- That the recipients of your messages can identify you by the information you provide.
In this particular context, we stress that your recipients’ email addresses have to be real ones, to ensure we can deliver your messages. Reinforcing what is stated in our Terms and Conditions (https://account.3ncrypt3d.com/Login/Terms), we remind you that 3NCRYPT3D will never use the data of your contacts for any purpose other than the one listed here and that only you, as our customer, will be responsible for the way they are used, namely through the contents of the messages that you send to them. We also inform you that if, as our Customer, you contact us by any other means than those specifically provided to you, the data privacy provisions of the previous item will apply.
Being our potential Client, an employee of one of our Partners, potential Partners, Subcontractors or others:
In this context, the data to be collected will be those considered normal in the context of business relations and will be collected in the following cases:
- Exchange of contacts in public or private events where we are present (exchange of business cards or data contained in them);
- In a face-to-face or online trading environment;
- External consulting.
In this context, the Personal Data concerned are normally the following (all or in part):
- Phone number;
- Social network data (linkedin, facebook, instagram).
The purpose for processing of the above data is allowing us to make the necessary contacts to pursue a business relation that can be of interest and favourable to all parties involved; the basis for its processing is contractual or pre-contractual execution. These Data will be kept for as long as the pre-negotiation and/or the contract lasts, and will be kept for an indefinite period of time with a view on potential resumption. The data holders may exercise the rights referred to, below, as they see fit.
Being our employee or prospective employee:
In this situation the legally required data will be requested directly to the employee, who will actively provide it in a way that allows signing and management of their employment relationship. The basis for collecting this data contractual execution. The Data will be retained for the duration of the contractual relationship, plus the legally allowed time for either party to exercise its rights and/or obligations, up to a maximum of 12 years.
If the company explicitly needs to recruit new employees or receives unsolicited job applications from candidates, all data retained will be the one that the interested parties agree to send. This data are necessary for the purpose of evaluation of the application, in order to allow us to take all contractual or pre-contractual steps. This data shall only be retained for a maximum period of six months unless an actual work relationship takes place. In the latter case, the retention period will be extended as legally required in the context of labour contracts, under the Portuguese labour laws.
6 – As our Client, what other Data do you provide and to which we do not have access?
As a User of our service you may save Data that, regardless of whether it is personal or not, is very relevant, sensitive and confidential to you. 3NCRYPT3D was created precisely for this purpose.
This point serves to clarify that the information you save in your messages is inaccessible to us, as it is encrypted by an encryption key that is yours alone and stays under your sole control. For more information on this, please read our Frequently Asked Questions here: https://3ncrypt3d.freshdesk.com
7 – Where do we store your data and how does it get there?
All the Data that we collect from our users, as part of our service, is stored in the European Union, in the Netherlands, where the Microsoft Azure data centre that we’ve chosen is located; this data centre is protected under the highest security standards. This service provider has no way of accessing your data since, in addition to the technical encapsulation of cloud computing solutions, your messages are stored on a database with Transparent Data Encryption and additional end-to-end encryption; the transfer of your data from your device to our servers is made with double or triple encryption, depending on whether it is data from your contacts or messages and attachments, respectively.
SSL/TLS 2048 bit encryption is used to access your account via web browser at https://account.3ncrypt3d.com. Not being able to guarantee the absolute security of using the internet communication protocols via browser, we use the highest security standards available at the date of this document, and do everything we consider reasonable in order to allow the provision of a confidential, complete and available service.
The remaining Personal Data that we process is stored in outsourced services that we use, as presented below in this policy.
In the future, for reasons of performance, availability and reliability of our service, we may set up partial or full copies of our database on servers located in other countries, always within Microsoft’s Azure computing infrastructure and subject to the same security measures and within the applicable legal framework.
8 – About Personal Data we share with third parties:
- The rule
- Which third-party companies do we work with?
- What Personal Data do we disclose?
- Why do they need Personal Data?
- What is their commitment to your Data?
As a rule, we do not share your Personal Information with third parties. However, in order to provide you with our service and all information that you explicitly expressed to want from us, we use some external services that collect some of your data.
Depending on how your Personal Data reaches us – i.e. under what circumstances it is obtained – we may use different third-party services. We ensure that all of them have been carefully selected, based on their effectiveness and also the respect they show in relation to the management of the Personal Data they have access to; all of them have declared compliance with the GDPR.
If you would like more information on this subject, you can contact us in the ways described in point 3 of this document.
- From the standpoint of business management and in case of need for protection and defense:
- Against any illegal acts committed by customers or visitors;
- Our services, rights and property;
- The safety of our staff, agents, clients and others;
- Attacks that may put us at risk of non-compliance with our Policies and Terms and Conditions as accepted by you when you subscribe to our service.
The verification of any of the above mentioned situations may imply the transmission to the competent authorities of all the necessary information available to us with a view to its resolution by legal means.
- In compliance with official requests by the authorities, whenever related to legal proceedings, in which cases the customers involved will be notified by us if we are not legally restricted by investigation or judicial secrecy;
- When or if, for any reason, a business management decision involves the transfer of ownership or rights of all or part of our operations or other assets. These decisions may include, for example, mergers, business interests held in third parties, business interests held by third parties, financing transactions, acquisitions or divestitures. These events, if applicable, will always be communicated to our customers, as well as any change in the Terms and Conditions that may result from them;
- To comply with legal requirements, namely those relating to tax and social security processing, for employment relationships.
In any of these situations, we will have limited control over how Personal Data is treated and protected.
- From the service provision standpoint
In order to make our service and/or information about it available to you – including newsletters – we use other external service providers which we share some of your Information with, as listed below:
- Sendgrid – This is the service we use to send transactional and automated e-mail messages that are an integral part of the 3NCRYPT3D operation. This includes the e-mail messages that our service sends you, namely for monitoring the application installation and configuration, Heartbeat warnings, security configuration, operation and maintenance of your account as well as the email messages sent to your recipients, in conditions specified by you. As such, for reasons of contractual execution, Sendgrid will have access to your name and e-mail address – as our Customer – and the names and email addresses of your recipients. Sendgrid’s commitment of compliance with GDPR can be found at this link: https://sendgrid.com/policies/privacy/services-privacy-policy/
- Paddle – Paddle.com Market Limited (hereinafter “Paddle”), is the partner we selected to take care of selling and managing our customers’ subscriptions and payments. This partner is located in the UK at the following address: (Paddle.com Market Limited – 15 Briery Close, Great Oakley, Corby, Northamptonshire – NN18 8JG, United Kingdom).
By subscribing to 3NCRYPT3D, our Customer will be redirected to this service. All payments will be made directly to Paddle and any invoices and receipts will be issued by Paddle.
As such, we, 3NCRYPT3D, will not ask you – our Customer – billing data (name, address, VAT number and means of payment); Paddle will do it. Paddle can send you periodic email messages related to the management of your subscription and will manage any problems that may arise from the means of payment that you, as a customer, may choose. Paddle’s commitment to comply with data protection regulation can be found at this link: https://paddle.com/privacy-buyers/. Paddle’s Terms and Conditions can be found at this link: https://paddle.com/legal-buyers/
- Paypal – Paypal is another payment service and subscription management that we can use under specific circumstances, namely for Portuguese customers. In these cases the Client will be directed to Paypal’s checkout screen to provide payment details. In this case, the invoice/receipt of the payment will be issued by us, 3NCRYPT3D, even if we may use PayPal’s platform to send it. The data collected by Paypal service are limited to those necessary for contractual and legal compliance. Paypal’s commitment to comply with data protection regulation can be found at this link: https://www.paypal.com/us/webapps/mpp/ua/privacy-full
- Cloudflare – To protect us from mass attacks by hackers with the intent to disrupt the service (DDoS attacks), we use a partner that specialises in nullifying or mitigating its impact and acts as a filter between the visitors/users of our sites and our servers. Although it does not record personal or personally identifiable information, it does record the IP addresses from which the accesses or attacks originate. We will only access this data for forensic analysis if we determine that we need to take legal action; otherwise, we do not have to be aware of that data. Cloudflare’s commitment to comply with data protection regulation can be found at this link: https://www.cloudflare.com/privacypolicy
- Instapage – This is the service we use to collect and store the data from the forms available on our landing pages. After confirmed consent from you, this data will be automatically sent to the Mailchimp email marketing tool. Instapage’s commitment to comply with data protection regulation can be found at this link: https://instapage.com/gdpr
- Mailchimp – It is an email marketing tool with which we only share the names and emails of our customers and people that have shown interest in our service. Mailchimp’s commitment to comply with data protection regulation can be found at this link: https://mailchimp.com/legal
- Zapier – Tool we use to integrate online services and applications, namely between Google Sheets and Mailchimp. Zapier’s commitment to comply with data protection regulation can be found at this link: https://zapier.com/help/gdpr/
- Arsys – This is our email service provider. We use it to send and receive e-mails as part of contractual or pre-contractual relations; here, we host all the e-mail addresses of 3NCRYPT3D and our email contacts – internal, external or partners / potential partners, customers or others, and also people who, through our website, ask us any questions; answers provided by email will be processes by this service. Arsys’ commitment to comply with data protection regulation can be found at this link: https://www.arsys.es/legal?dhtml=politica-proteccion-datos
- Bitrix, Airtable, Slack and Google Docs – These are distinct tools for CRM, backoffice and internal management, which may contain Personal Data of internal or external employees or Partners / potential Partners, Customers, Subcontractors or others. The commitment from each of these partners to comply with the GDPR can be found in the below links:
Google Docs: https://cloud.google.com/security/gdpr/
- Freshdesk – As our potential customer, or de facto customer, you may have questions or doubts about our services. All questions, commercial or technical, will be managed through our support centre platform, which is a service provided by Freshdesk. This platform allows us to give you the best possible support and management of support tickets. Your help requests, clarification or others can be made via email, telephone, social networks, or through contact forms and chat available in our applications and websites. When you contact us by any of these means you implicitly accept that we use the contact details you provide to respond to your requests. Fresdesk’s commitment to comply with data protection regulation can be found at this link: https://www.freshworks.com/privacy/
We want you to know that we have been very careful in choosing all the services that make it possible to provide our service as we always looked for those that guarantee us maximum functionality, quality, reliability and transparency with regard to your Personal Data.
9 – Attribution of Responsibilities
In relation to the Personal Data collected and processed by us within the scope of our service, we assume ourselves as the Data Controller, to the extent that we define its purposes and means of processing. By using companies such as the ones described in the previous point, we are contracting services that are provided as a full service (as is), limited to the available offer, and that presupposes the processing of Personal Data by third parties; as such, the purposes and means of processing are defined by these partner services. From us there’s only:
- The need to hire them;
- The acceptance of the service they provide;
- Verification that they are fully committed to compliance with the GDPR, as legally required.
Thus, it is our understanding that these companies, when providing services that involve the processing of data, are responsible for the data and we cannot be liable for data incidents that may occur on their side.
10 – How we protect your Personal Data
We have a variety of information security means comprised of encryption, administrative, technical, physical and procedural measures, which aim to protect your Personal Data and prevent it from unlawful use, unauthorized access and disclosure, loss, improper or unadverted changes, or its unauthorized destruction.
In the scope of information security we assume the same commitment to the continuous improvement that guides us in our daily activities. Among others, we highlight the following measures:
- Restricted internal access to your Personal Data only to the people who need it for the purposes we have set out above;
- Confidentiality agreements with our employees;
- Storage and transfer of Personal Data in the most secure manner possible;
- Implementation of mechanisms that guarantee the integrity and quality of your Personal Data;
- Monitoring of the information systems, with the aim of preventing, detecting and preventing the improper use of your Personal Data;
- Redundancy of equipment for storage, processing and communication of Personal Data, to avoid loss of availability.
11 – Rights of Data Holders and how to exercise these rights
The Holder of Personal Data has, in accordance with the GDPR and in the circumstances set forth therein, rights in relation to his/her Personal Data. They are listed below and, in some circumstances, due to the characteristics of our service, are explained with appropriate safeguards:
- Access to your Personal Data, in what form and on what grounds they are processed by us or third-party contracted services;
- Deletion – also as far as Customers and their accounts are concerned, the deletion of the account during the validity of the subscription period can only be done by the account holder in the option available for this purpose, without prejudice to the exceptions listed in our Terms and Conditions. This is a measure of security and defense of the Personal Data and the accounts of our Customers. In the remaining situations described in point 5, this right may be exercised without any restriction;
- Limitation – provided, when requested, in the periods of time in which we correct and/or clarify your questions regarding the way we treat your Data;
- Opposition – if applicable, in accordance with the GDPR;
- Portability – this right presupposes that the Personal Data we have at our disposal can be read on another platform; the regulation itself prescribes that data should be provided in a “structured, current use and automatic reading” format. However, again with regard to the Customer account, we may only provide, on request, the Data provided, which is: Customer’s name, registration email address (login) and recipients’ emails; everything else – especially messages, which here are not considered Personal Data, as previously explained – can only be provided as a set of encrypted data, whose reading on another platform is impossible due to the private key encryption that is possessed by the customer alone; this limitation arises from our main security factor: inviolable encryption within the existing computing standards on this date;
As Holder of your data, you may also withdraw, at any time, any consent you have previously given us for their use, with the exception of those data necessary for the provision of our service;
The exercise of these rights does not apply when your Personal Data is used to safeguard the public interest, particularly in cases of detection and prevention of illegal activities or when subject to professional secrecy;
If you wish to exercise any of these rights or if you have any questions on this subject, please contact us via the means referred to in point 3 of this policy.
Complaint – If you feel dissatisfied with the way we treat your Personal Data or with our response to your possible questions on this subject, you can submit a complaint to:
CNPD: National Data Protection Commission (CNPD):
Address: Rua de São Bento, 148 – 3º – 1200-821 Lisboa, Portugal
Phone: +351 213 928 400
12 – Additional information
Despite being a fully automated messaging service, 3NCRYPT3D does not make automated decisions based on the Personal Data it handles as data Controller. Human intervention, whether in the provision of service or in business management, only occurs in the following situations:
- If a problem occurs during your registration or when using the application;
- If you initiate a technical support request through any of the channels at your disposal;
- If it is detected that in any way the Terms and Conditions of the service are being violated;
- If access is requested by the legal authorities within the framework of legal proceedings or other legal provisions;
- In our legitimate interest to protect our rights and property, the safety of our staff and our agents, customers and others, and to enforce compliance with our Policies and Terms and Conditions explicitly accepted by you when subscribing to our service or in the absence of opposition to them when updated;
- If you register for events, training or activities that we may promote or take part in;
- If you contact us through a form on our website or through the contacts means available online, as a potential customer or in other quality;
- Being our potential Client or an employee of one of our Partners, potential Partners, Subcontractors or others;
- Being our employee or prospective employee.
We do not knowingly transfer data to companies or services that, for territorial reasons or due to non-application of the data protection established rules, are outside the scope of the GDPR. The understanding of this policy and its specifics can be enhanced by reading the Terms and Conditions and the documentation available on our support centre, which we strongly encourage you to do before subscribing to our service.