Last Updated: May 10, 2019
1. Information We Collect
Information You Provide to Us
Site Content: The actual contents of the files you upload to the Service.
Registration and Billing Data: Names, addresses, phone numbers, email addresses, and sometimes payment information.
Correspondence Data: Information you send to us via email, our contact form, our chat widget, or other means of correspondence.
Information We Automatically Collect When You Use the Site and/or Service
Site Metadata: We collect metadata about your Site Content that is distinct from the actual content itself. Site Metadata includes file and folder names, modification dates, permissions, size information, history notification, usernames, group names, user and group settings, and site-wide settings. Site Metadata does not include passwords used by users to access the Service.
Usage Data: While using the Service, we also collect usage information customarily logged by web and FTP server software, including the date and time of your visit, the originating IP address, the pages and files requested, and other similar types of information.
Device Data: We also collect information from and about the devices you use to access the Site and Service. This includes things like the type of browser and device you use, the web page you visited before coming to our sites, and identifiers associated with your devices.
Cookie and Other Tracking Data (aka “Cookie Data”): Use of the Service and certain Site features require support for cookies, small pieces of data that are stored on your computer’s hard drive and transmitted back to us with each web page request. A cookie simply identifies your browser to the Service or Site by assigning it a unique ID number.
2. How Information is Used
We treat different types of information differently, and have a legitimate use for each type of data. - Site Content is stored securely and may only be accessed by users on who have been given the appropriate permissions to that Site Content by someone with account administrators permissions on the account. We will not access this data for any purpose, except as provided herein. For GDPR purposes, we are processors of Site Content.
Site Metadata is used by our software systems to provide the Service and account administrators have the option of displaying Site Metadata to users on the account. We may use aggregated information about Site Metadata for the purpose of operating and improving the Service. We advise naming your files such that the mere names of files or folders do not reveal confidential information.
Usage Data and Device Data are used to help us understand how the Service and Site are being used; improve the Site and Service; ensure compliance with the Terms of Service; and, detect, investigate, and prevent fraud and abuse.
Correspondence Data is used to communicate with you regarding any questions, comments, or concerns relating to the Site or Service.
Registration and Billing Data is used for billing purposes and to notify you about important service-related notices, include feature updates.
Cookie Data enables us to associate your session with your account, and provide certain features, such as ensuring your selected language and currency options are maintained. Email or newsletters that we send electronically may use techniques such as web beacons or pixel tags to gather email metrics and information to improve the reader’s experience, such as the number of emails that are opened, whether they were forwarded or printed, the type of device from which they were opened, and the locations (e.g. city, state, and county) associated with the applicable IP address. Please note that you do have the option to configure most web browsers to not accept cookies. However, be aware that disabling cookies may keep you from having access to some functions or services on our Site or with our Service. Because there is not yet a consensus of how to interpret web browser-based “Do Not Track” signals other than cookies, we do not currently respond to “Do Not Track” signals that are undefined.
Telephones numbers you provide to us may used to contact you with any troubleshooting or billing issues.
All of the above information may be used to undertake accounting and administrative tasks, or manage legal claims.
3. Sharing of Data with Third Parties
We use Desk.com, a Salesforce service, to manage and track our customers and leads.
Other parties such as advertising partners and analytics companies may also be collecting information about your online activity across various websites over time. The information collected by those third parties may include identifiers that allow those third parties to tailor the ads that they serve to your computer or other device.
If you visit the Site or login to the Service and use OpenID or OAuth (such as Facebook or Google), you may also be sharing and integrating data with third-party social media sites, and we may track aggregate data about the number of visits to this site with an open ID, the number of items “liked” on this site, or items on this site that you choose to share with a third-party social media site.
We have a data processing agreement with any third parties that process personally identifiable information that we control.
4. Our Access to Your Site Content and Metadata
Our front-line employees and contractors, such as customer service agents, do not have any access to your “Site Content”. They do, however, have access to “Site Metadata”. They will only access “Site Metadata” for the purpose of providing customer support upon request.
We use a variety of technical and organizational safeguards to prevent unauthorized access of your data, including: • Wherever possible, browsing sessions to the Service are secured with SSL, to prevent eavesdropping, tampering, and message forgery. If SSL is enabled, you will see a lock icon in your browser. Account administrators may choose whether to disable SSL or require SSL for your connections to the Service. We recommend always using SSL.
• Passwords are stored in a salted, encrypted format.
• (For files uploaded to the Service after October 5, 2011) Files are encrypted-at-rest, with all encryption keys stored in a key-management escrow service operated by Amazon S3.
For additional information about security practices, please check out our Security page.
6. EU-US Privacy Shield Framework
Our Privacy Shield commitment applies to the following types of data collected: “Site Content”, “Site Metadata”, and “Registration and Billing Data”. Under Privacy Shield, you have a right to remove, access, or correct this data. See Paragraph 6 of this Policy to learn how to remove your data. If Files.com transfers personal information received under the Privacy Shield to a third party, the third party's access, use, and disclosure of the personal data must also be in compliance with Files.com's Privacy Shield obligations, and Files.com will remain liable under the Privacy Shield for any failure to do so by the third party unless Files.com proves it is not responsible for the event giving rise to the damage.
Files.com LLC has further committed to refer unresolved privacy complaints under the EU-US Privacy Shield Principles to BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint. Please note that if your complaint is not resolved through these channels, under limited circumstances, a binding arbitration option may be available before a Privacy Shield Panel.
7. Data Retention
You may use the Service to freely delete any of your Site Content, and doing so will remove such content from our active servers immediately. If you have configured backup retention after deletion for your Site Content, backups may remain on our backup servers for the period of time that you or your account administrator has specified as the backup retention period.
All of your Site Content and Site Metadata will be deleted from our active and backup servers within 7 days when you cancel your account.
Because of our efforts to ensure Service availability, we maintain backup copies of all Site Metadata. As a result, residual copies of your Site Metadata may remain on backup media, backup servers, and disk snapshots for up to 30 days after deletion or account cancellation.
Registration and Billing Data, Correspondence Data, Cookie Data, Device Data, and Usage Data will respectively be deleted or anonymized upon termination of the Service (if applicable), and when we have no ongoing legitimate business need to process your information. We take reasonable steps to limit the minimize the volume of data we collect from you and the length of time we retain your data. You have the right to obtain our confirmation of whether we maintain personal information relating to you. Upon request, we will provide you with access to the personal information that we hold about you. You may also may correct, amend, or delete the personal information we hold about you. Your right to access your personal data may be restricted in exceptional circumstances or vary based on where you reside. If we determine that your access should be restricted in a particular instance, we will provide you with an explanation of our determination.
For people residing in the EU, the GDPR provides certain rights. You may decline to share certain information with us, in which case we may not be able to provide some of the features and functionality of the Site and Service. These rights include, in accordance with applicable law, the right to object to or request the restriction of processing of your information, and to request access to, rectification, erasure and portability of your own information. Where we process your information on the basis of your consent, you have the right to withdraw that consent (noting that such withdrawal does not affect the lawfulness of any processing performed prior to the date on which we receive notice of such withdrawal, and does not prevent the processing of your personal information in reliance upon any other available legal bases). Requests should be submitted by contacting us using the contact details below. If you are within the EU and have any unresolved privacy concern that we have not addressed satisfactorily after contacting us, you have the right to contact the appropriate EU Supervisory Authority and lodge a complaint.
The Service and Site are not intended for use by children, especially those under 13. We do not knowingly collect personally identifiable information from children under 18 years of age. If your minor child has provided us with personally identifiable information, you may reach us using the contact information below if you want this information deleted from our records.
9. Other Provisions
Your use of the Service is governed by a Terms of Service, and potentially additional documents (e.g. a BAA or DPA) which will prevail in the event of a conflict with this document, except with respect to EU-US Privacy Shield, GDPR provisions, or other applicable legal requirements.
You agree that by submitting your telephone contact information on this web site and/or registering to receive the Service offered herein, such act constitutes a purchase, an inquiry, and/or an application for the purposes of the Amended Telemarketing Sales Rule (ATSR), 16 CFR ‘310 et seq. and any applicable state and local “do not call” regulations. We retain the right to contact you via telemarketing in accordance with the ATSR and the applicable state regulations.
For additional information about our commitment to GDPR, you visit our site.
10. Note to California Residents
If you live in the State of California, under the California Civil Code, you have the right to request that companies who conduct business in California provide you with a list of all third parties to which the company has disclosed Personal Information during the preceding year for direct marketing purposes.
If you are a California resident and want to request information about how to exercise your third party disclosure choices, you must send a request using the online contact form listed in Section 9 above.
All requests must be labeled “Your California Privacy Rights” on the subject of the actual request. For all requests, please include your name, street address, city, state, and zip code. Please include your zip code for our own recordkeeping. Requests that are improperly labeled or that are missing the required information will not be processed.
11. Contact Us
Our Data Protection Officer may be contacted at email@example.com.
This document was last updated according to the date at the top of this page.