TL;DR: We do our best to respect your privacy!
Website Privacy Policy
This website, "www.passbolt.com" and any subdomains such as “community.passbolt.com”, "cloud.passbolt.com" (collectively referred to as the "Site" or "Website") is owned and operated by Passbolt SA ("we", "us" or "Passbolt"). By using and accessing our Site, you ("you", or the "User") agree to the terms of our Privacy Policy.
This Privacy Policy is effective with respect to any data that we’ve collected, or collect, about and/or from you on the Website.
Definitions
We define Personal Identifiable Information (or “PII” or "Personal information") in the following manner: any information that you provide to us about yourself while using the service that could help someone else identify you as an individual entity. This may include information such as your name, identification number, phone number, location, IP address, system locale and preferences, picture, public key information, etc.
We define the following subdomain of the Website, "cloud.passbolt.com", as "Cloud Site". We define the following subdomain, "community.passbolt.com", as "Forum" or "Community Forum".
We define as "Products" any downloadable or electronically available Software products owned by Passbolt, such as Passbolt browser extension.
Collected Personal Information
Here is a summary of the Personal Information we collect for the different services we provide.
Where possible, we do our best to provide services in an optional fashion (opt-in), so that the consent and purpose for which you are providing information are both clear. We refrain from any subsequent processing of your data that is incompatible with that original purpose.
For example, you may use the Cloud Site and not sign up to the Community Forum, or you may use Passbolt Community Edition and not sign up to the newsletter, etc.
Security data
Purpose: security. Type: required.
When you visit the Site, we collect information about your usage such as which page you visited on the Site, including the referrer, IP address, device and browser characteristics (User Agent), and timestamp. This information is required for security purposes such as spam and abuse detection and prevention.
Analytics & Advertising data
Purpose: statistics and marketing. Type: opt-in.
We do not collect analytics and advertising data in the Products or on the Cloud Site.
We may collect information about your usage of the other parts of the Site, such as which page you visited on the Site, how long you stayed on the Site, which advertisement you clicked to come to the Site, etc. This information is required for us to know which content is most important for our users, improve the user experience on the Site and measure advertisement performance. In this context, we pseudonymize this data, for example by truncating or hashing IP addresses.
It is possible for you to opt-in and opt-out of this analytics and advertising tracking by refusing consent in the consent collection banner (“Cookie Banner”) presented to you when you visit the Site.
Newsletter data
Purpose: marketing. Type: opt-in.
When you sign up to the newsletter we collect your name, email, company name as part of the newsletter signup process. This information is required to be able to get in touch with you and send you updates about the products and services.
Cloud Site data
Purpose: necessary for the service. Type: opt-in.
On the Cloud Site we may collect personal information such as your name, email, profile picture, your IP address, which groups you belong to, credentials to other systems, and information about your usage. This information is required to provide you with access to the service.
The Cloud Site is organised by workspaces in the form of cloud.passbolt.com/workspace. Authorised Users on a given workspace are capable of viewing other users' pictures, email addresses and names. This is needed to provide collaboration functionalities such as sharing credentials and organising users by groups.
Please consult Passbolt Cloud Data Protection Agreement (DPA) for more information.
Community Forum
Purpose: necessary for the service. Type: opt-in.
On the Community Forum we collect personal information such as your email and IP address, the kind of browser or computer you use, number of links you click within the site, state or country from which you accessed the site, the date and time of your visit, the name of your Internet service provider, the web page you linked to our site from, pages you viewed on the forum. This information is needed to enhance your experience as well as allow automated moderation and spam prevention.
Customer and support
Purpose: necessary for the service. Type: opt-in.
By filling out any form on the Site, such as the one used to start a free trial, join a webinar, schedule a demo call, or to contact sales or support, or when you directly contact us via email, we collect personal information such as your name, email, the organisation you are affiliated with, and the kind of product you use or are interested in. This information is required to provide you with the service and respond to support or sales inquiries.
Payment and billing
Purpose: necessary for the service. Type: opt-in.
We collect personal information such as your email, name, address, VAT information, preferred payment channel, company name and address, etc. when you purchase a subscription or service with Passbolt SA.
We do not have direct access to your credit card or debit card information. This information is collected in a secure iframe and processed securely directly by the third party payment processing services involved such as our payment gateway and your bank.
Surveys
Purpose: statistics and marketing. Type: opt-in.
We may collect personal information about you and your usage of passbolt as part of voluntary surveys you participate in. Surveys may request personal information such as your name, email, phone number, organisation name, etc.
Cookies and Pixels
A cookie is information stored on your computer by a website you visit. This Site uses cookies for multiple purposes:
- For security, to identify if you are a human or not and reduce spam.
- For sessions, e.g. to provide you with the functionality that keeps you logged in or to make sure your preferences are carried forward.
- For analytics (see next section). We do not use cookies to track you on third party sites.
- For advertising, to know which ad brought you to the site and measure their performance, and see if you are returning to the site.
A tracking pixel is a tiny, invisible image embedded in emails or web pages to collect data on user behavior, such as opens, clicks, and interactions, for analytics and marketing purposes.
Necessary
Essential cookies are necessary for the Site to function. They help maintain security, manage logins, and protect the Site from malicious activity. You cannot opt-out of these cookies as they are necessary for the security of the site or to provide you access to the service.
Provider: Google ReCAPTCHA Enterprise
- These cookies (rc::a and rc::c) are used to distinguish between humans and bots when you are visiting a page with a form.
Provider: Cloudflare Cookies
- This cookie (__cf_bm) is used to distinguish between humans and bots.
- This cookie (_cfuivd) is part of the services provided by Cloudflare, including load-balancing, delivery of website content and serving DNS connections for website operators.
Provider: Hubspot
- Used to distinguish between humans and bots. This cookie (__cf_bm) is set by HubSpot's CDN provider (Cloudflare) and is a necessary cookie for bot protection.
Provider: Cookiebot
- CookieConsent cookie stores the user's consent state for the current domain.
- A pixel (1.gif) is used to count the number of sessions to a given website for service delivery optimization.
Provider: Passbolt Cloud
- Passbolt cloud service uses cookies for session management (passbolt_session and passbolt_mfa) and security (csrfToken).
Preferences (Optional)
Preferences cookies retain user settings to personalise the Site, such as currency and language preferences.
Provider: Passbolt
- Saves the visitor’s currency preference.
Statistics (Optional)
Analytics cookies provide insights into user interactions, helping improve functionality and user experience.
Provider: Hubspot
- The cookies (__hssc) and (__hssrc) are used, respectively, to identify whether the cookie data needs to be updated in the visitor's browser and to recognise the visitor's browser upon re-entry to the website.
- The cookies (hubspotuk) and (__htsc) set a unique ID for the session. This allows the website to obtain data on visitor behaviour for statistical purposes.
Provider: Matomo
- The cookie (_pk_id#) collects statistics on the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been read.
- The cookie (_pk_ses#) is used to track page requests from the visitor during the session.
Marketing (Optional)
Marketing cookies track visitors for conversion tracking, retargeting and to deliver relevant content, especially for embedded media such as videos.
Provider: Hubspot
- This pixel (_ptq.gif) sends data to the marketing platform Hubspot about the visitor's device and behaviour. It tracks the visitor across devices and marketing channels.
Provider: Google
- This pixel (pagead/1p-user-list/#) tracks if the user has shown interest in specific products or events across multiple websites and detects how the user navigates between sites. This is used for measurement of advertisement efforts and facilitates payment of referral-fees between websites.
- This cookie (_gcl_au) is used by Google AdSense for experimenting with advertisement efficiency across websites using their services.
- These cookies (_ga_#) and (_ga) are used to send data to Google Analytics about the visitor's device and behavior. They track the visitor across devices and marketing channels.
Provider: LinkedIn
- The Browser Identifier cookie (bcookie) is used to uniquely identify devices accessing LinkedIn to detect abuse on the platform.
- This cookie (li_gc) stores consent of guests regarding the use of cookies for non-essential purposes.
- This cookie (lidc) is used to facilitate data center selection.
- The LinkedIn Insight Tag pixel measures ad conversions, retargets visitors, and gains insights into ad performance on LinkedIn. LinkedIn may collect information such as truncated or hashed IP addresses, device and browser characteristics (User Agent), referrer, and timestamps.
- This cookie (AnalyticsSyncHistory) is used to store information about the time a sync took place with the lms_analytics cookie.
- This cookie (UserMatchHistory) tracks visitor interactions for LinkedIn ad analytics and retargeting.
- This cookie (li_sugr) is used to store a user ID in a hashed or truncated form outside Designated Countries, facilitating LinkedIn advertising.
- These cookies (lms_ads, lms_analytics) are used to identify LinkedIn Members outside of LinkedIn for advertising and analytics purposes.
Our use of your personal information
We may use your personal information only for one or more of the following purposes:
To give you access to the Products or Service. For example, if you register to the Cloud Site, we may send you a link by email to activate your account. For example, if you subscribe to Passbolt Pro Edition, we will send you an email with instructions on how to get started.
To notify you about any activity within the Service. For example if you are using the Cloud Site and if another user shares a password with you, we may send you an email notification.
To provide you with support. For example, if you leave your personal information by email or the Forum, we may contact you back to help you solve your issues or answer your questions.
To promote our services. For example, if we think you might benefit from using another Product or Service we offer, or if we think information about a change in the current Service is relevant for you, we may contact you to tell you about it.
To bill and collect money owed to us. This includes communications with regards to invoices, receipts, payment statuses and processing issues.
Disclosure of personal information
We may disclose your Personal Information for one or more of the following purposes:
To provide you with the Service. For example, if you register on the Cloud Site other people in the same workspace will be able to see the email address and name you used to register and will be able to share information with you.
To meet legal requirements. In the event we are to comply with court orders and valid subpoenas or to defend a court, arbitration, or similar proceeding.
To provide information to representatives and advisors. These include engineers, attorneys and accountants, who help us comply with legal, accounting, or security requirements.
To transfer your information in the case of a sale, merger, consolidation, or acquisition. Any acquirer will be subject to our obligations under this privacy policy, including your rights to edit and delete your personal data. We will notify you of the change either by sending you an email or posting a notice on our Website, so that you can opt out if you wish to do so.
3rd Party Access
We will not sell, rent or loan any personal information to any third party. The following third parties may have access to your personal data under certain conditions.
Governments
Our company is registered in the Grand Duchy of Luxembourg. We are therefore subject to Luxembourg and European legislative texts on data protection and privacy.
Our organisation relies on services (such as hosting, customer help desk and newsletters) provided by companies registered in the USA. They are obliged to provide access to notices pursuant to judicial, regulatory or other governmental orders or requests valid in the USA.
Hosting provider
We primarily use Google Cloud Platform to host our websites. The Cloud Site data is hosted in Belgium and Germany.
See GCP Data Processing and Security Terms.
CDN provider
We use Cloudflare to provide caching of our website for performance as well as an application firewall for security purposes.
See Cloudflare DPA.
Captcha
We use Google Cloud reCAPTCHA Enterprise (with remoteip unset) to protect signup forms against spam and other types of automated abuse.
See Google Cloud DPA.
Transactional emails
We use AWS SES to send transactional emails.
See Amazon Web Service (AWS) Privacy Notice and GDPR compliance center.
Newsletter provider
We use Hubspot to send newsletters.
See Hubspot privacy policy and DPA.
Survey provider
We use SurveySparrow for our surveys.
See SurveySparrow privacy policy and DPA.
Help desk provider
We use Hubspot and Slack to manage support conversations, sales inquiries, contact forms and satisfaction surveys.
See Hubspot privacy policy and DPA.
See Slack GDPR compliance framework and DPA.
Analytics providers
Provider: Plausible
We use Plausible to measure visits. Plausible does not use cookies and does not collect any personal data. See their privacy policy.
Provider: Matomo
We also use Matomo for more advanced analytics. Matomo is an open source analytics solution that is privacy friendly.
Unless you provide your consent, Matomo is configured by default on our website to anonymize your IP address and not to collect data for advertising or remarketing purposes.
See Matomo's privacy policy and their data processing agreement (DPA).
Provider: Google Analytics
We also use Google Analytics for more advanced analytics.
Unless you provide your consent, Google Analytics is configured by default on our website to deny all forms of consent. When consent is not granted, cookieless pings are sent to Google Analytics for future measurement. Cookieless pings, as part of regular HTTP/browser communication, may include the following information: user agent, screen resolution, IP address. Note that Google Analytics 4 does not store or log IP addresses.
See Google Analytics privacy policy and their data processing terms (DPA).
Advertisement providers
We use Google Ads and LinkedIn to advertise the Site and the Products.
Unless you withdraw consent via the cookie banner, advertisement providers track visits or actions on the Site following ad interactions, also known as "Conversion tracking" and "Retargeting". This includes reading and writing cookies related to advertising, collecting truncated or hashed IP addresses, and capturing the full URL of pages visited, including ad-click information in URL parameters (e.g., GCLID/DCLID).
Advertisement providers also collect data on website visits for retargeting purposes. Unless you withdraw consent via the cookie banner, advertisement providers track URL, referrer, IP address fragments, device and browser characteristics (User Agent), and timestamp.
See Google Ads Support and LinkedIn Insight documentation for more details.
See Google Ads privacy policy and DPA.
See LinkedIn Ads privacy policy and DPA.
Forum provider
We use Discourse to run the community forum. By signing up to the forum (optional) you agree to the Discourse privacy policy.
See Discourse privacy policy.
Subscription and payment gateway providers
We use Chargebee, Stripe and Chartmogul to manage subscriptions and process payments.
See Stripe, Chargebee EU-GDPR compliance frameworks.
See Chartmogul privacy policy and GDPR compliance info.
Invoices and billing history provider
We use Zoho Books to manage invoices, receipts and billing history.
See Zoho privacy policy.
Deleting, editing and accessing your personal information
You can stop receiving our promotional emails by following the unsubscribe instructions included in every marketing email.
You can stop receiving Cloud notification emails by deleting your account or updating your organisation notification preferences. To delete your account or update the preferences you can contact an administrator of your workspace, or if you are the last administrator, by sending us an email at: [email protected].
You can stop receiving emails and/or delete your account from the Community Forum by logging in and going on your profile settings page.
We can also edit/delete/get access to any personal information that we hold within 60 days of any request you make by contacting us: [email protected].
Right to be forgotten
We are committed to deleting personal information when the retention of data concerning you is no longer justified and we have no legitimate reason (e.g. legal obligations at the accounting level) that justifies the retention of your data. For example, terminated cloud account data will be purged from backups after 60 days.
Data portability
We fully support your rights for data portability. In that respect you can export your data from the Cloud Site and use this information in one of the supported 3rd party products. You can also export your data from the paid version to the free version of the software, or from the cloud version to the self-hosted software product.
Information security
Due to the nature of the service we work hard to prevent unauthorised access to or unauthorised alteration, disclosure or destruction of information we hold. In particular:
- We encrypt access to all of our services using SSL. We ensure encryption of communication not only between you and our servers but also internally between parts of our application.
- The passwords you store in passbolt products are end-to-end encrypted, using state of the art peer-reviewed cryptographic libraries.
- Where possible we offer and use strong authentication mechanisms, including for example second factor authentication and anti-phishing mechanisms.
- We organise regular code reviews and security audits. We also run a bug bounty program. We have a transparent process to report vulnerabilities that are reported to us or incidents on the services.
- We regularly review our information collection, storage and processing practices, to guard against unauthorised access to systems. We use intrusion detection systems to monitor our network.
- We restrict access to personal information to employees, contractors and agents who need to know that information in order to process it for us, and who are subject to strict contractual confidentiality obligations.
- We make sure all of our service providers implement industry standards and compliance instruments such as ISO27001, PCI-DSS, SOC 2.
Date of Last Update
This privacy policy was last updated on 27th of January 2025.
Last update: Cookies and Tracking update, Advertisement provider information.