Tuesday, May 22, 2018
As a user of Padloc, you entrust us with some of your most sensitive and private data, and we recognise the immense responsibility that comes with this. Padloc is built from the ground up with a focus on security, privacy and transparency, and we employ these principles every step along the way when handling your data. Because Padloc is a security-sensitive service, cryptography and information security are at the very heart of our product, and while these topics can be very hard to grasp for non-technical users, we do our best to describe the most important principles in simple words.
Who We Are
Padloc is maintained and run by MaKleSoft, a German company located at Meisenstr. 5, 91522 Ansbach, Bavaria. MaKleSoft and all of its employees are bound by EU privacy laws and regulations like the General Data Protection Regulation (GDPR).
Information We Collect And How We Use It
While we treat all your data with the same high standard of security, there are different types of data and it is important to understand the distinction between them.
Your secure data is all the information you store within the Padloc app, like passwords, credit card details, secure notes and other sensitive (or non-sensitive) information. By design, this data is readable by you and only you. Your secure data is encrypted locally on your devices using encryption keys derived from your master password, which only you know, and your data is never stored or transmitted in plain text. While we do store your encrypted data on our servers for synchronization or backup purposes, we are never in a position to decrypt this data.
We never store your master password in any way and will never ask you to reveal it to us. Please note that this also means that we won’t be able to help you recover your plain text data in case you lose your password.
Your secure data is your property and you have full control over it. You may read, edit or delete your data at any point without our permission. Accessing your secure data stored on our servers requires authentication via your email address and master password.
Account Meta Data
In order to authenticate you with our servers and to provide some of the essential functionality offered by Padloc, we require some additional information from you. The first and most important piece of information is your email address. Your email address is used to uniquely identify your account and serves as a means of authentication. In addition to your email address, we also ask you for a display name. This information is optional and does not have to be your real name. In addition to your email address and display name, we collect some additional data when you interact with our service:
Device-specific information includes:
- Device UUID¹
- Operating System and OS Version
- Device Manufacturer (if available)
- Device Model (if available)
- Device Name (if available)
- App Version
- Last Access
This information is essential for preventing fraud and for giving you fine-grained control over which devices you want to allow (and continue to allow) access to your account. Information about your device model, operating system and OS version also helps us notify you in case we are made aware of security vulnerabilities specific to your device or operating system.
¹ Your device’s “Universal Unique Identifier” is a unique, random string of characters used to uniquely identify a given device in our systems. This string is generated automatically and is not directly tied to your device’s serial number, MAC address or other immutable identifiers unique to your device. In other words, this is only useful for our internal use and is not considered personally identifiable information.
For our internal use, we track basic usage data like app installs, updates and device activity. Since Padloc is a security-sensitive application that requires constant maintenance and security updates to patch vulnerabilities and maintain its high standard of security, it is essential for us to know which app versions are in circulation and on which kinds of devices. For instance, by knowing which operating systems make up the majority of our user base, we are able to prioritize OS-specific vulnerabilities should they arise. This usage data is completely anonymised and does not contain any personally identifiable information.
Like most internet services, we keep internal logs of all requests sent to our servers. These logs are an essential tool for identifying and blocking malicious traffic and help us detect and prevent break-in attempts. These logs may contain some personally identifiable information like IP addresses. As with all the data that we collect, we treat these log files with the utmost care and restrict access to them to key personnel. Log files are only kept as long as absolutely necessary, after which they are deleted from our servers.
If you choose to purchase a paid subscription, your payment data is processed and stored securely by our payment provider Stripe. In addition to your credit card data, you may choose to provide us with additional billing information like your full name, address and, in case of business customers, your business name and VAT number.
Cookies and Tracking
Where Your Data Is Kept
Your data is held by third-party data processors, who provide us with hosting and other infrastructure services. All of these providers are GDPR-compliant and conform to the U.S.-E.U. Privacy Shield Framework.
Who Has Access To Your Data
Your personal information is stored behind secured networks and is only accessible by a very limited number of persons who have special access rights to such systems and are required to keep the information confidential.
Third Party Disclosure
We do not sell, trade, or otherwise transfer to outside parties your personally identifiable information unless we provide you with advance notice. This does not include website hosting partners and other parties who assist us in operating our website, conducting our business, or servicing you, so long as those parties agree to keep this information confidential.
Deleting Your Data
We are merely custodians of your data and we have no interest in keeping your personal information any longer than you want us to or than is required by law. You can delete your Padloc online account at any time through the settings section within the app or, in case of legacy Padlock 2 accounts, via the Padlock Cloud Legacy Online Dashboard.
German tax law requires us to keep payment transaction records and, in case of business customers, company and VAT information for up to 10 years. This data does not include your credit or debit card information, which is deleted instantly after deleting your Padloc online account.
Disaster recovery and data availability requirements mean that we have a legitimate interest in maintaining secure and immutable backups. Erasure requests will leave those backups untouched, and we will only remove data from backups if legally compelled to. Backups are permanently deleted after 3 months.
We may use your contact information to communicate with you about service activity, provide support, and send you other information such as product updates and announcements. You may choose to stop receiving communications from us, except certain important notifications such as billing and account security alerts.
Contact Person: Martin Kleinschrodt
Postal Address: Augustenstr. 80, 80333 Munich, Germany