TL;DR: We do our best to respect your privacy!

Website Privacy Policy

This website, "www.passbolt.com" and any subdomains such as "help.passbolt.com", or "cloud.passbolt.com" (collectively referred to as the "Site" or "Website") is owned and operated by Passbolt SA ("we", "us" or "Passbolt"). By using and accessing our Site, you ("you", or the "User") agree to the terms of our Privacy Policy.

This Privacy Policy is effective with respect to any data that we’ve collected, or collect, about and/or from you on the Website.

Definitions

We define as Personal Information (or "your information") in the following manner: Any information that you provide to us about yourself while using the service that could help someone else identify you as an individual entity. This may include information such as your name, phone number, location, IP address, system locale and preferences, picture, public key information, etc.

We define the following subdomains of the Website "cloud.passbolt.com" and "demo.passbolt.com" as “Cloud Site”. We define the following subdomain community.passbolt.com as "Forum" or "Community Forum".

We define as "Products" any downloadable or electronically available Software products owned by Passbolt, such as Passbolt browser extension.

Collected Personal Information

Here is a summary of the Personal Information we collect for each service. Where possible we do our best to provide services in an optional fashion, so that the purpose for which you are providing information is clear. We refrain from any subsequent processing of your data that is incompatible with that purpose. For example you may use the Cloud Site and not sign up to the Community Forum or you may use Passbolt Community Edition and not sign up to the newsletter, etc.

Analytics

We may collect information about your usage of the Site, such as which page you visited, how long you stayed on the Site, etc. This information is required for us to know which content is most important for our users and generally improve the user experience on the Site. In this context we use a setting to remove the last octet of your IP address prior to its storage, to anonymize this data.

It is possible for you to opt-out of this analytics tracking by enabling your browser's "Do Not Track" preference. We do not collect analytics data in the Community Edition software product. We do not collect analytics data on the Cloud Site.

Newsletter

When you sign up to the newsletter we collect your name, email and IP address as part of the newsletter signup process. This information is required to be able to get in touch with you and for security purposes such as spam and abuse detection.

Cloud Site

On the Cloud Site we may collect personal information such as your name, email, profile picture, your IP address, which groups you belong to, credentials to other systems, and information about your usage.

The Cloud Site is organized by workspaces in the form of cloud.passbolt.com/workspace. Authorized Users on a given workspace are capable of viewing other users' pictures, email addresses and names. This is needed to provide collaboration functionalities such as sharing credentials and organizing users by groups.

Community Forum data

On the Community Forum we collect personal information such as your email and IP address, the kind of browser or computer you use, number of links you click within the site, state or country from which you accessed the site, the date and time of your visit, the name of your Internet service provider, the web page you linked to our site from, pages you viewed on the forum. This information is needed to enhance your experience as well as allow automated moderation and spam prevention.

Customer and support data

By starting a free trial, or contacting sales or support directly using a contact form, via email or online chat, we collect personal information such as your name, email, the organization you are affiliated with, and the kind of product you use or are interested in. This information is required to provide you with the service and respond to support or sales inquiries.

Payment and billing data

We collect personal information such as your email, name, address, VAT information, preferred payment channel, etc. when you purchase a subscription or service with Passbolt SA.

We do not have direct access to your credit card or debit card information. This information is collected in a secure iframe and processed securely directly by the third party payment processing services involved such as our payment gateway and your bank.

Surveys

We may collect personal information about you and your usage of passbolt as part of voluntary surveys you participate in. Surveys may request personal information such as your name, email, phone number, organization name, etc.

Cookies and Tracking

Cookies

A cookie is information stored on your computer by a website you visit. This Site uses cookies for two purposes:

  • Sessions, e.g. to provide you with the functionality that keeps you logged in or to make sure your preferences are carried forward.
  • For analytics (see next section). We do not use cookies to track you on third party sites.

Analytics

We use Matomo to collect information about your usage of the Site.

We use Hubspot to collect information about the user journey of visitors contacting us using our various contact forms.

These services may store cookies to identify which page you visited, how long you stayed on the Site, etc. Consent is requested for such cookies via a "cookie banner". You can remove consent at any moment by deleting such cookies from your cache in your browser settings or enabling the "Do Not Track" flag in your browser settings.

Cloud Site application session

The Cloud Site uses cookies to be able to tell if you are logged in or if an authentication is required.

CDN / Security session cookie

The Site uses cookies to be able to protect the site against malicious actors.

Community Forum session cookie

The Community Forum uses cookies to be able to tell if you are logged in or not, as well as to allow you to personalize your user experience.

Payment and billing session cookie

We use cookies in order to be able to secure and process your purchase order as part of the payment and billing process.

Social buttons

To protect you from third party tracking, we do not include any third party javascript application such as “facebook like” buttons on this Site.

Our use of your personal information

We may use your personal information only for one or more of the following purposes:

To give you access to the Products or Service. For example, if you register to the Cloud Site we may send you a link by email to activate your account. For example if you subscribe to Passbolt Pro Edition we will send you an email with instructions on how to get started.

To notify you about any activity within the Service. For example if you are using the Cloud Site and if another user shares a password with you, we may send you an email notification.

To provide you with support. For example, if you leave your personal information by email or the Forum, we may contact you back to help you solve your issues or answer your questions.

To promote our services. For example, if we think you might benefit from using another Product or Service we offer, or if we think information about a change in the current Service is relevant for you, we may contact you to tell you about it.

To bill and collect money owed to us. This includes communications with regards to invoices, receipts, payment statuses and processing issues.

Disclosure of personal information

We may disclose your Personal Information for one or more of the following purposes:

To provide you with the Service. For example, if you register on the Cloud Site other people in the same workspace will be able to see the email address and name you used to register and will be able to share information with you.

To meet legal requirements. In the event we are to comply with court orders and valid subpoenas or to defend a court, arbitration, or similar proceeding.

To provide information to representatives and advisors. These include engineers, attorneys and accountants, who help us comply with legal, accounting, or security requirements.

To transfer your information in the case of a sale, merger, consolidation, or acquisition. Any acquirer will be subject to our obligations under this privacy policy, including your rights to edit and delete your personal data. We will notify you of the change either by sending you an email or posting a notice on our Website, so that you can opt-out if you wish to do so.

3rd Party Access

We will not sell, rent or loan any personal information to any third party. The following third parties may have access to your personal data under certain conditions.

Governments

Our company is registered in the Grand Duchy of Luxembourg. We are therefore subject to Luxembourg and European legislative texts on data protection and privacy.

Our organization relies on services (such as hosting, customer help desk and newsletters) provided by companies registered in the USA. They are obliged to provide access to notices pursuant to judicial, regulatory or other governmental orders or requests valid in the USA.

Hosting provider

We primarily use Google Cloud Platform to host our websites. The Cloud Site data is hosted in Belgium and Germany.

See GCP Data Processing and Security Terms.

CDN provider

We use Cloudflare to provide caching of our website for performance as well as an application firewall for security purposes.

See Cloudflare DPA.

Captcha

We use Google Cloud reCAPTCHA Enterprise (with remoteip unset) to protect signup forms against spam and other types of automated abuse.

See Google Cloud DPA.

Transactional emails

We use AWS SES to send transactional emails.

See Amazon Web Service (AWS) Privacy Notice and GDPR compliance center.

Newsletter provider

We use Hubspot to send newsletters.

See Hubspot privacy policy and DPA.

Survey provider

We use SurveySparrow for our surveys.

See SurveySparrow privacy policy and DPA.

Help desk provider

We use Hubspot to provide support by email.

See Hubspot privacy policy and DPA.

Analytics provider

We use Plausible to measure visits. Plausible does not use cookies and does not collect any personal data. See their privacy policy.

We also use Matomo for more advanced analytics. Matomo is an open source analytics solution that is privacy friendly.

Unless you provide your consent, Matomo is configured by default on our website to anonymize your IP address and not to collect data for advertising or remarketing purposes.

See Matomo's privacy policy and their data processing agreement (DPA).

Forum provider

We use Discourse to run the community forum. By signing up to the forum (optional) you agree to the Discourse privacy policy.

See Discourse privacy policy.

Customer Relationship Management & Helpdesk

We use Slack and Hubspot to manage chat conversations, sales inquiries, contact forms and surveys.

See Hubspot privacy policy and DPA. See Slack GDPR compliance framework and DPA.

Subscription and payment gateway providers

We use Chargebee, Stripe and Chartmogul to manage subscriptions and process payments.

See Stripe, Chargebee EU-GDPR compliance frameworks. See Chartmogul privacy policy and GDPR compliance info.

Invoices and billing history provider

We use Zoho Books to provide you with invoices, receipts and billing history.

See Zoho privacy policy.

Deleting, editing and accessing your personal information

You can stop receiving our promotional emails by following the unsubscribe instructions included in every email.

You can stop receiving Cloud notification emails by deleting your account. To delete your account you can contact an administrator of your workspace, or if you are the last administrator, by sending us an email at: [email protected].

You can stop receiving emails and/or delete your account from the Community Forum by logging in and going on your profile settings page.

We can also edit/delete/get access to any personal information that we hold within 60 days of any request you make by contacting us: [email protected].

Right to be forgotten

We are committed to deleting personal information when the retention of data concerning you is no longer justified and we have no legitimate reason (e.g. legal obligations at the accounting level) that justifies the retention of your data. For example terminated customer accounts, or newsletter subscriptions that are inactive, will be deleted after 48 months.

Data portability

We fully support your rights for data portability. In that respect you can export your data from the Cloud Site and use this information in one of the supported 3rd party products. You can also export your data from the paid version to the free version of the software, or from the cloud version to the self-hosted software product.

Information security

Due to the nature of the service we work hard to prevent unauthorized access to or unauthorized alteration, disclosure or destruction of information we hold. In particular:

  • We encrypt access to all of our services using SSL. We ensure encryption of communication not only between you and our servers but also internally between parts of our application.
  • The passwords you store in the passbolt product are end-to-end encrypted, using state of the art peer-reviewed cryptographic libraries.
  • Where possible we offer and use strong authentication mechanisms, including for example second factor authentication and anti-phishing mechanisms.
  • We organize regular code reviews and security audits. We also run a bug bounty program. We have a transparent process to report vulnerabilities that are reported to us or incidents on the services.
  • We regularly review our information collection, storage and processing practices, to guard against unauthorized access to systems. We use intrusion detection systems to monitor our network.
  • We restrict access to personal information to employees, contractors and agents who need to know that information in order to process it for us, and who are subject to strict contractual confidentiality obligations.
  • We make sure all of our service providers implement industry standards and compliance instruments such as ISO27001, PCI-DSS, SOC 2.

Date of Last Update

This privacy policy was last updated on 16th of January 2024.

Last update (Minor): precision that reCAPTCHA is actually Google Cloud reCAPTCHA enterprise.

Last update (Minor): add Germany to the list of countries where Cloud Site data are hosted.
