Siccura Privacy Policy
Privacy Policy
Thank you for choosing to be part of our community at Siccura Ltd, doing business as Siccura (“Siccura”, “we”, “us”, or “our”). At Siccura, we prioritise the trust that our users place in us by sharing their personal information. We respect your privacy, and we design our services with your privacy in mind. As part of our commitment to privacy, we’ve established this Privacy Policy to help you understand how we handle your information when you use our services (see the section headed, “What is our Zero-Knowledge policy?”).
In line with our commitment to privacy and security, Siccura’s services are built upon the principles of Zero Knowledge and decentralisation. This architecture ensures that you have complete control over your data and that your privacy is protected to the greatest extent possible.
Our Privacy Policy explains what we collect, how it’s used, and the controls you have over your personal information. It applies to all products, services, and websites offered by Siccura. By using our Services, you accept the terms of this Privacy Policy and our Terms of Use, and you consent to our collection, use, disclosure, and retention of your information as described in this Privacy Policy. If you have not done so already, please also review our Terms of Use. The Terms of Use describe the terms and conditions under which you can use our Services.
Take some time to read through it carefully, as it is important. If there are any terms in this policy that you do not agree with, please discontinue the use of our Sites or Software and our Services. If you have any questions or concerns about our policy or our practices with regard to your personal information, please contact us at support@siccura.com.
Siccura's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.
Please read this privacy policy carefully. It applies to all interactions you have with any of the Siccura Sites and Apps and it will help you make informed decisions about sharing your personal information with us.
Table of Contents:
- What is our Zero-Knowledge Policy?
- Information We Do Not Collect
- Information We Collect
- How We Collect Information
- Why We Collect Information
- How We Use Your Information
- Legal Grounds for Processing Your Information
- Information Sharing and Disclosure
- Data Security
- Cookies and Other Tracking Technologies
- Data Retention
- User Rights and Control over Data
- Information From Minors
- Third-Party Services and Links
- International Data Transfers
- How to delete your account?
- Changes to This Privacy Policy
- Contact Information
1. What is our Zero-Knowledge Policy?
We employ a Zero-Knowledge architecture, which ensures that we don’t have access to your encryption keys, or the content of your communications. This means we can’t read your messages or access your files. Only you and those you choose to share with can access them.
When you use our services, the personal information you provide (such as your mobile number or email address) is encoded at the source on your device using a one-way hash algorithm. This algorithm converts the data into a unique unbreakable code that even we cannot read. There is no point in time when your personal data is visible to the servers or service administrators.
We make your content readable to you alone. Most encryption systems only encrypt your data during transmission. This means that anyone with physical access to the servers on which your data is stored (such as the company’s staff) could have access to it.
The one-way encoding process we use is comprehensive – even with physical access to the servers, third-parties and even Siccura cannot read your data. All they can see are sequentially numbered rows of encoded undecipherable data.
Your message content and data for your third-party service providers (such as Gmail, Outlook, or Google Drive) are never sent to the Siccura servers. If you choose to have a Siccura IM account or a Siccura Cloud account, your content and data will follow the same comprehensive encryption process and will be stored on the Siccura server. In both cases, your device will encrypt the message content and send it to the server. Your third-party service provider and even Siccura will not be able to decrypt and read your content. Only you have the ability to decrypt and read your data. The encryption key required to decrypt the data you share with a contact is sent via a separate channel using a separate Siccura server. This encryption key is also encrypted by your device and only you will be able to decrypt it, even Siccura will not be able to access this data.
All data passing through the client is encrypted by default and plain data (in a readable format) never leaves your device unless you specifically select it. Your private encryption key used to encrypt the data is never shared with anyone, even Siccura does not have it.
You can also sync your contacts with the Siccura servers so that you can connect with your contacts. This contact data also follows our strict Zero Knowledge policy, which means that it is encoded at the source using a one-way hash algorithm. This algorithm converts the data into a unique unbreakable code that even we cannot read. There is no point in time when your contact data is visible to the servers or service administrators.
At registration, you have the option to enter an email address so that we can send you marketing and promotional updates. This information will be encrypted but it will not be converted using a one-way hash algorithm into a unique unbreakable code because we may need to read the data so that we can send you marketing and promotional updates and for password recovery purposes.
Some of the data you provide may need to be decrypted for lawful purposes and for compliance with our legal obligations.
Moreover, our decentralised design means that data isn’t stored in a single location, which reduces the risk of data breaches and enhances your privacy.
2.Information We Do Not Collect:
At Siccura, we prioritise your privacy and have intentionally designed our services to minimise the amount of personal data we collect and store. We follow the principle of data minimisation, collecting only what is necessary for providing and improving our services.
Zero-Knowledge Architecture: Critical to our privacy approach is our Zero-Knowledge architecture. This design ensures that we do not have access to certain types of sensitive data, maintaining a boundary between us and your personal content.
Encryption Keys: Your encryption keys are generated and stored on your device. These keys are never transmitted to us or any third parties, and they remain entirely within your control.
Content of Communications: We do not have access to the content of your communications, including messages, emails, files, or shared content. This data is encrypted and can only be decrypted with your unique encryption keys. Only you and the people you choose to share with can access this content.
Passwords: Your passwords are stored using advanced hash functions. This means we don't know and can't access your password.
Our Zero-Knowledge policy reinforces our commitment to privacy by ensuring that your most sensitive data remains under your control at all times. This design means that even in the unlikely event of a data breach, your sensitive data remains secure and inaccessible.
3.What Information We Collect:
The data we collect depends on how you interact with Siccura, the choices you make, including your privacy settings, and the products and features you use. We categorise this information based on when and why it is collected as follows:
- Information Required for Purchase: To purchase our services, we may need to collect certain personal identification information from you. This information allows us to process your order and provide you with the services you've purchased. It can include:
- Payment information
- Billing address
- Email address
- Name
- Information Required for Using the Services: To create an account and use our services, we may need to collect certain personal identification information and sensitive information from you. This information enables us to set up your account, enable secure login, and personalise your experience. This can include:
- Username
- Encrypted password
- Phone number
- Information Collected During Use Of Services: While using our services, we may collect certain non-identifying and sensitive information. This information helps us understand how our services are being used, track and improve performance, secure our services, and personalise your experience. It can include:
- IP address
- Device ID and Hardware Information
- Browser Type and version
- Operating system Information
- Network information
- Account activity (e.g. Features used, settings changed)
- Sensitive Information: While our Zero-Knowledge architecture prevents us from accessing certain sensitive information, such as your encryption keys and the content of your communications, we may still collect other sensitive information as necessary to provide our services. For example: Account credentials: We collect and store your account credentials, such as your username and password, to enable you to log in and use our services. Your password is stored using advanced hash functions so we can't access it.
- Sensitive Information from Google OAuth Services – GMail and Google Drive: In order for our users to use Siccura Mail and or Siccura Cloud efficiently, users have the option to connect their Email accounts and Cloud accounts, which are hosted on Google with Siccura. At the time of connecting these accounts, we will require users to undertake a Google OAuth consent. During this stage, users will be required to authorise Siccura to access certain pieces of information. The information that we collect from our users are:
- Google Contacts API: Siccura uses the “./auth/contacts.readonly” api as it is essential for the application to function effectively. This permission enables the application to access contact information, specifically email addresses, which is crucial for its encryption functionality. The Siccura application utilises the provided scope to retrieve contact email addresses from the user's account. This information is used to locate the corresponding public keys associated with each contact. These public keys play a pivotal role in the encryption process.
When a user composes and sends an email through the application to one of their contacts, the application employs a dual-key encryption mechanism. The data within the email is encrypted using a data key. This data key is then further encrypted using the recipient contact's public key and the sender's private key.
- GMail API: Siccura uses the "https://mail.google.com/" permission as the application functions as an email client, enabling users to connect various email hosting accounts. Siccura allows users to manage their emails, including reading, organising folders, composing, and sending secure emails. For secure emails received, the application decrypts and displays content.
- Google Drive API for productivity and Drive Syncing at client level: Siccura uses the "/auth/drive" allows Siccura app to securely sync encrypted files on user's Google Drive. Consent is obtained to access Drive for uploading new files, downloading, editing, and re-uploading existing files. This sync functionality ensures auto-updates across user's multiple devices using Siccura application.
- Google Contacts API: Siccura uses the “./auth/contacts.readonly” api as it is essential for the application to function effectively. This permission enables the application to access contact information, specifically email addresses, which is crucial for its encryption functionality. The Siccura application utilises the provided scope to retrieve contact email addresses from the user's account. This information is used to locate the corresponding public keys associated with each contact. These public keys play a pivotal role in the encryption process.
- Information Collected From Third Parties: We may receive information about you from other sources to help us correct or supplement our records, improve the quality or personalisation of our services, and prevent or detect fraud. We may also collect information from third parties if you choose to use third-party integrations or connect your Siccura account with a third-party service.
4.How We Collect Information
We collect information from you in various ways when you use our services. Here is a breakdown of how we gather your data:
Information Provided by the User:
Most of the personal information we collect is provided directly by you. For instance, you give us your name, email, and billing address when you purchase our services; your username and encrypted password when you create an account; and your communications preferences when you update your settings or preferences.
Information Collected Automatically
Some information is collected automatically when you use our services. This includes non-identifying information and certain sensitive information related to your use of the services. Examples of automatically collected data include your IP address, device ID, browser type, and account activity. We may use technologies like cookies, log files, or analytic tools to help us collect this data.
Information Collected Through Audit Trails
In some cases, and particularly when you subscribe to our audit trail feature, we collect data on user activity for auditing purposes. These audit trails log the actions that users perform on data they don't own but have accessed, such as viewing, modifying, or sharing. This allows the owner of the data to track and monitor how their data is being used.
It's important to note that even when a user who has accessed another user's data deletes their account with Siccura, the audit logs pertaining to their activity remain intact for the data owner's audit purposes. This is because these logs are related to the data owner's information, and not the accessing user's personal information.
Information Collected from Third-Party Sources
We may also receive information about you from third parties. This can happen if you choose to use third-party integrations, connect your Siccura account with a third-party service, or when we contract with third parties to improve the quality or personalisation of our services, or to prevent or detect fraud.
Decentralised Data Collection
Owing to the decentralised nature of Siccura, some of the information we collect is gathered locally on your device rather than centrally. This ensures that you maintain full control over your data. For example, your encryption keys are generated and stored on your device and never transmitted to us or any third parties. This local data collection contributes to your privacy and security.
5. Why We Collect Information
We collect your information for various purposes. The data we gather helps us to provide and improve our services, to personalise your experience, and to communicate with you effectively. Here's a more detailed look at why we collect your data:
- To Provide and Maintain Our Services: We need certain information to deliver our services to you and ensure they function as intended. For instance, we require your account credentials to create your account and enable you to log in, and we use your billing information to process your purchases. Some of our unique features, like "Lock Content to Device" or "Watermarking," require specific data (like your device ID) to function correctly.
- To Improve User Experience: We use data about how you use our services to understand and analyse the usage trends and preferences of our users, to improve our services, and to develop new products, services, features, and functionalities. For example, knowing your device type and operating system helps us identify platform-specific limitations and communicate these to you to enhance your experience.
- To Ensure Privacy and Security: We collect certain data to safeguard your privacy and ensure the security of our services. Information such as your device ID helps us implement privacy and security features like content locking and watermarking. Your encryption keys, generated and stored locally on your device due to our decentralised architecture, empower you with exclusive control over your encrypted data.
- To Communicate with You: We use your contact information to send communications, respond to your enquiries, and provide customer support. This includes sending you technical notices, updates, security alerts, and administrative messages.
- To Comply with the Law: In certain cases, we may need to collect your information to comply with legal obligations. This might include responding to legal requests or preventing fraudulent activities.
- To Support Audit Trails: For users who subscribe to our audit trail feature, we collect data on user activity for auditing purposes. This allows the owner of the data to track and monitor how their data is being used, contributing to accountability and transparency in data handling.
6.How We Use Your Information
The information we collect is used to provide, maintain, improve, and secure our services, as well as to communicate effectively with you. Here is a more detailed description of how we use your data:
- To Provide, Maintain, and Improve Our Services: We use your information to deliver our services, perform necessary business operations (like billing), and improve the functionality and user experience of our services. We may use your device ID to ensure the correct functioning of unique features like "Lock Content to Device" and "Watermarking."
- To Support Audit Trails: For users who subscribe to our audit trail feature, we use the collected data to log user activity for auditing purposes. This allows the owner of the data to track and monitor how their data is being used, enhancing accountability and transparency.
- To Ensure Privacy and Security: We use certain data to protect your privacy and ensure the security of our services. Information such as your device ID is crucial for implementing privacy features like content locking and watermarking. Your encryption keys, stored locally on your device, ensure you have control over your encrypted data.
- To Communicate with You: We use your contact information to send communications, respond to your inquiries, and provide customer support. This includes sending technical notices, updates, security alerts, and administrative messages.
- Our Commitment to Zero-Knowledge: Our Zero-Knowledge architecture means that we limit our access to your personal data to what's strictly necessary to provide the service. We don’t use your personal data for anything beyond this, as we can't access the content of your communications or your encryption keys. This commitment ensures that your privacy is respected and protected at all times.
7. Legal Grounds for Processing Your Information
We process your personal data based on certain legal grounds, depending on the nature of the data and the specific context in which we collect it. The legal bases for our processing of your personal data typically fall into one of the following categories:
- Consent: We may process your data if you have given us explicit consent to use your personal information for a specific purpose. For example, we require your consent to use your data to provide you with promotional communications.
- Performance of a Contract: We may process your data when it's necessary for the performance of a contract to which you are a party, or in order to take steps prior to entering into a contract. For instance, we need to process your payment information to fulfill our contract and provide you with the services you purchase.
- Legal Obligations: We may process your data when we're required to by law. For instance, we may need to collect and store your data to comply with legal obligations relating to tax, to respond to legal requests, or prevent fraudulent activities.
- Legitimate Interests: We may process your data when it's necessary for the purposes of the legitimate interests pursued by us or by a third party, provided those interests are not overridden by your interests or fundamental rights and freedom. For example, we may process your data to protect you, us, or others from threats (such as security threats or fraud), comply with laws, enable or administer our business, manage corporate transactions, or understand and improve our relationships with customers.
8. Information Sharing and Disclosure:
At Siccura, we uphold stringent measures to maintain your privacy. We only share your personal data under limited circumstances, as outlined below:
- When and Why We Share Information: The scenarios in which we might share your information include providing our services, complying with legal obligations, protecting the rights and safety of our users and third parties, and in connection with corporate transactions (like a merger or acquisition).
- Third Parties with Whom Information May Be Shared: We may share your data with certain third parties in alignment with our services and operational requirements. These third parties could include service providers and advisors, law enforcement, and potential business partners.
- Access to Your Information: As per our commitment to a Zero-Knowledge policy and our decentralised architecture, the content of your communications and your encryption keys are accessible only to you. However, certain data, such as your contact information and billing details, may be accessed by our team when necessary to provide our services or support. Any request for access to your data is handled strictly, with a strong emphasis on preserving your privacy and maintaining our services' security.
- Audit Trail Information: For users who subscribe to our audit trail feature, the audit logs generated by accessing and manipulating data may be shared with the data owner. This process is conducted in a manner that respects all users' privacy and is compliant with our privacy policy.
- Data for “Data Privacy and Security”: Certain information, such as your device ID, is used to execute functions for data privacy and security. This information is essential for our services' operation but is not visible or accessible to any third party, nor to Siccura.
9.Data Security:
At Siccura, we prioritise your data security and take extensive measures to protect your information against unauthorised access, alteration, disclosure, or destruction. We are dedicated to providing a safe and secure environment for our users.
- Security Measures: We employ a range of security measures including the use of secure networks, encryption, and anonymisation techniques such as data hashing. Our servers and computer environments are safeguarded by robust physical and electronic security measures. Access to your personal data by our team is strictly controlled and limited only to those who require it to perform their job functions.
- Zero-Knowledge and Decentralisation: A core aspect of our commitment to data security is our Zero-Knowledge architecture. This means that the content of your communications and your encryption keys are never visible to us. Only you have access to this sensitive information, which ensures that we can’t use your personal data beyond what is necessary to provide the service.
Furthermore, our services employ a decentralised architecture. This means that some data is stored locally on your device rather than on central servers. This design further minimises the risk of your data being compromised.
- Data Hashing: We use data hashing techniques to ensure the confidentiality of your sensitive information. Hashing is a form of cryptography that transforms data into a unique, fixed length string of text, which is virtually impossible to reverse-engineer. This ensures that even if your data were intercepted in some manner, it would remain unintelligible without the correct hash key.
- Data Breach Notification: Despite our stringent security measures, no method of transmission over the internet or electronic storage is 100% secure. In the unfortunate event of a data breach, we commit to notify you and the relevant authorities, as required by law, promptly. We will also take all reasonable steps to mitigate the effects and to prevent any further data breaches.
10.Cookies and Other Tracking Technologies
At Siccura, we use cookies and similar tracking technologies to enhance your experience on our platform. These technologies allow us to recognise your device and/or browser and can provide us with information about how you use our services.
- What are Cookies? Cookies are small data files that are stored on your device when you visit a website or use an application. They can be used for a variety of purposes, such as remembering your preferences, tracking your usage for statistical analysis, and facilitating certain interactive features of our platform.
- How We Use Cookies and Other Tracking Technologies: We use these technologies for several reasons:
- Essential Cookies: These cookies are necessary for the essential functions of our service, such as authenticating users and preventing fraudulent use.
- Performance and Analytics Cookies: These cookies collect information about how users interact with our services, allowing us to analyse and improve the performance of our platform.
- Functionality Cookies: These cookies allow us to remember choices you've made or information you've provided, such as your username, language preference, or the region you're in. This allows us to tailor our services to you.
- Siccura Specific Cookies: In our built-in browser, certain cookies and tracking features are crucial to control the provision of Audit Trails and for executing Siccura's Privacy and Security functions. Users will not be able to disable such cookies as they form an integral part of our service delivery and are covered under our Terms of Service.
- Third-Party Cookies: We may also use third-party cookies as part of our services. These cookies are managed by the respective sites and are not in our control. They may be used to track your activity across various sites and build up a profile of your interests.
- Controlling Cookies: Most browsers are initially set up to accept cookies. However, you can reset your browser to refuse all cookies or to indicate when a cookie is being sent. Please note, however, some features of our services, particularly those related to the built-in browser, may not function properly if your cookies are disabled.
11. Data Retention
At Siccura, we are committed to retaining your personal information for no longer than necessary in relation to the purpose for which it was originally collected.
- Retention Period
Our retention periods are determined based on the nature of the data and the purposes for which it was provided. Generally, we keep your data for as long as your account is active or as needed to provide you with our services. In some instances, we may retain data for longer periods if required for legitimate business or legal purposes.
- End of Retention Period
Upon the expiry of the data retention period, or when the purpose of data collection is no longer relevant, we undertake to delete or anonymise your personal data in accordance with applicable laws and regulations.
- Account and Software Data Deletion: Users have the right to delete their account, and software data at any time. To delete your account, please follow the instructions provided in our service. Deleting your account will result in the loss of all data and content associated with your account. Be aware that this includes the decryption keys for your secured data, rendering all such data unexecutable and irretrievable. Please also note that data shared with other users will remain accessible to them, as they have already been granted the decryption key and access rights, even after you delete your account. We plan to develop functionality in the future to render all shared data useless in such scenarios, should that be required.
- Decentralised Data Retention: Due to our decentralised architecture, some of the data is stored locally on your device. When you delete your data or account, it removes the information from your device. However, any shared data, or data stored on the devices of other users due to our decentralised nature, may remain accessible to those users or on those devices, unless they also delete it.
- Audit Trail: Please note that, if you have subscribed to our Audit Trail feature, the audit log data associated with other users’ actions on your shared data will be retained, even if those users delete their accounts. This allows us to preserve the integrity of the audit trail for you. In a reverse scenario, if you delete your account, any audit log data related to data shared with you by other users will remain intact for those users than in a centralised system.
12.User Rights and Control Over Data
Siccura recognises and respects your rights regarding your personal data.
- Accessing and Modifying Your Data: You have the right to access the personal information we hold about you. If you wish to access, modify, or correct your personal information, you can do so through your account settings. If you require assistance or have any difficulties, please contact us via our support channels.
- Deleting Your Data: As detailed in our "Data Retention" section, you have the right to delete your account and associated personal data at any time. Please be aware that deleting your account will also render all secured data unexecutable and irretrievable. Any data shared with other users will remain accessible to them, even after you delete your account.
- Consent and Withdrawal of Consent: By using our services, you are consenting to the collection, use, and sharing of your information as described in this Privacy Policy. However, you have the right to withdraw your consent at any time. Please note that the withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
- Opt-Out Options: We respect your right to control your data. As such, we provide you with the choice to opt-out of data collection and sharing, where applicable. However, please note that certain features of the service may not function as intended if you choose to opt-out of data collection. More details on how to opt-out and the implications will be provided in the relevant sections of our service.
13.Information From Minors
Siccura is committed to protecting the privacy of children. Our service is not intended for children under the age of 13, and we do not knowingly collect or solicit personal data from anyone under the age of 13.
If we become aware that we have collected personal data from a child under the age of 13 without verification of parental consent, we will take steps to remove that information from our servers. If you are a parent or guardian and you are aware that your child has provided us with personal data, please contact us so that we can carry out the necessary actions.
In accordance with the U.S. Children's Online Privacy Protection Act ("COPPA") and the EU General Data Protection Regulation ("GDPR"), we will not knowingly collect, use, or disclose personal information from children under the age of 16 without obtaining prior consent from their parents or guardians, unless permitted by applicable laws.
14. Third-Party Services and Links
Our services may contain links to other websites, applications, and services not maintained by Siccura. These links are provided for your convenience and we encourage you to read the privacy policies of these third-party services before providing them with any personal data.
The inclusion of a link on our services does not imply endorsement of the linked site or service by us. We are not responsible for the privacy practices or the content of such sites. Our Privacy Policy does not apply to these third-party websites or services, and we cannot control or take responsibility for their privacy practices and content.
When you leave our services, we encourage you to read the privacy policy of every service you visit. If you decide to access any of the third-party websites linked to our services, you do so entirely at your own risk and subject to the terms and conditions of use and privacy policies for such websites.
15.International Data Transfers
Siccura is a global platform, and your information may be stored and processed in any country where we have operations or where we engage service providers. By using our services, you understand that your information will be transferred to countries outside of your country of residence, which may have data protection rules that are different from those of your country.
Additionally, your information may be transferred to other countries in compliance with legal requirements, such as Standard Contractual Clauses approved by the European Commission. In such cases, Siccura takes measures to ensure that data transfers comply with applicable data protection laws and that your data remains protected to the standards described in this privacy policy.
We comply with international data transfer laws, including the European General Data Protection Regulation (GDPR), and have implemented safeguards to ensure that your personal data is secure. These include the use of encryption technologies and pseudonymisation where appropriate.
16.How to delete your account:
If you are a personal user of any of the Siccura software, you can ask for your account to be deleted by reaching out to support@siccura.com. In the case that you are a business user, only the business administrator can initiate the account deletion process, and they should send the requests to support@siccura.com
17.Changes to This Privacy Policy
Siccura reserves the right to update and change this Privacy Policy from time to time in order to reflect any changes to our practices or for other operational, legal or regulatory reasons. The date of the latest update to the Privacy Policy will be indicated at the top of this page.
When we make significant changes, we will notify you by email or by means of a notice on our services prior to the change becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices.
By continuing to use our services after those changes become effective, you agree to be bound by the revised Privacy Policy. If you do not agree to the new Privacy Policy, you should stop using our services.
18.Contact Information:
If you have questions or comments about this policy, you may email us at support@siccura.com or by post to:
Siccura Ltd
13 Montpelier Avenue
Bexley, Kent
DA5 3AP
United Kingdom
Updated Version - November 2023