We are Readdle LLC ("we") and we provide you services under these Terms of Service. In the Documents Application ("App" or "Documents") you can manage your files.
We understand you care about your privacy and we appreciate the trust you place in us. To justify your trust, we embed the latest data security standards, improve our awareness in privacy matters, and comply with the General Data Protection Regulation and other privacy laws.
This Privacy Notice describes which of your personal data the App collects, how it stores and processes it, and what happens when you use Documents.
We do not collect, track or store any personal data beyond what we need to provide and improve our product and services.
For privacy purposes, we categorize users of the App as User and Client.
User | A person to whom we provide our App on a free basis. |
Client | An individual user to whom we provide our App on a paid basis. |
You own and control the personal data we collect about you. You can choose not to provide certain information or disable and prevent us from collecting, storing, and processing it. Please be aware you will not be able to take advantage of some of Documents’s features in this case.
We are the controller of the personal data for the Users and Clients from the moment of the User’s consent to the Terms of Service.
This means we determine the amount, purpose, and means of personal data processing when you use the App.
For more details about our role as a controller and a processor of personal data, please contact us at dpo@readdle.com. You can also send us a letter.
Name: Readdle LLC (Documents)
Address: Glandore Business Centre, Grand Canal House, 1 Grand Canal Street Upper,
Dublin 4, D04 Y7R5, Ireland.
Email: dpo@readdle.com.
We do our best to keep this part of the document simple. To help you understand, we use tables and charts to make it structured and easy.
Please note: not every piece of data is received and stored by us. Moreover, the data is mainly stored locally on your device, and we see pseudonymised or even anonymised data.
Mainly, we process two categories of data: technical data and the data you give to us. Some of it you see in your interface, some of it is processed on the backend.
Client-Side is the part of the App that is displayed or takes place on the users’ devices.
Backend is an invisible but crucial part of our App, where algorithms operate on the variables and data points.
We can process personal data based on the following legal bases:
As defined, these are the categories of Users:
We collect your personal data according to this Privacy Notice when you use the App. Some of the data we collect automatically, such as the country the App is used in: we get this data based on the IP address or from the AppStore (we receive this information in a generalized form).
Generally, all the data provided to us can either be linked to you or not (i.e., anonymized data).
Technical information from the App. When you use our App, the following data is collected automatically:
All the data you can use through our App that is stored on Google Drive, iCloud, Dropbox, Box, WebDAV, etc. is processed right on the device via SDKs, and we don't have access to these files.
Here is a short list of the data you process:
And here is the data that we have:
Overall function:
When | Data we have and see | Data you see on your device |
First app download | | You can edit such data as: |
Opening the App | | |
Receiving emails with tips | | |
Usage | | |
Settings | | |
Transfer between devices | | |
Upgrade to Documents Plus | | |
Receipt is an electronic document provided by Apple about your payment. It is stored on your device. We receive only hash (electronic value) to verify the transaction.
We use the Amplitude service to gather statistics on the App usage. As a User, you will not see how this service operates. The Amplitude projects (statistics per specific User, later combined into general groups by several criteria) are fully anonymized. This process does not involve personal data that we can access.
We understand that you might wish to know the details about our privacy practices. We grouped our data privacy processes by features. Please click on each feature to read more.
We provide you with the functionality for data transfer. Wi-Fi Transfer is the easiest way to transfer files and photos from a computer to your iPhone or iPad and vice versa. All you need to do is open the App on your phone.
We would like to clarify some important details:
In other words, we are never aware of what exactly you transfer. We only know about the fact of this connection.
Type of data | Type of user | Data description | Backend side | Legal basis | The reasoning |
Provided | User, Client | Any data you may transfer | IP address token | Performance of the contract | Providing a service |
One of the main parts of our services is designed to make your experience with Documents more comfortable and easy. To that end, we let you link accounts from third-party services for integration and synchronization of data.
Type of data | Type of user | Data description | Legal basis | The reasoning |
Provided | User, Client | All cloud data and third-party app data | Performance of the contract | Providing a service |
We can send you short push notifications from the App to inform you about changes or updates. You can allow or disable push notifications in the App Settings on your device.
Type of data | Type of user | Data description | Legal basis | The reasoning |
Collected | User, Client | Push token | Consent | Informing you about the App |
We can use automated individual decision-making to customize your experience with our App and make it more comfortable for you.
Type of data | Type of user | Data description | Legal basis | The reasoning |
Collected | User, Client | Data on your interaction with music | Performance of the contract | Providing a service |
For greater security and anonymity when using the Internet, we have added a VPN. With VPN enabled, your IP address will be changed. This can be random or you can choose a connection server.
Type of data | Type of user | Data description | Legal basis | The reasoning |
Provided | User, Client | Phone settings (for other applications), IP address. | Performance of the contract | Providing a service |
Since this is a significant change for us, we make it a separate functionality of the product. We do not change the set of data that we processed before, but now we also store information that you have a subscription.
Type of data | Type of user | Data description | Backend side | Legal basis | The reasoning |
Provided | Client | We receive only information about the successful payment of the upgrade and extension to Documents Plus | Here we store the receipt hash | Performance of the contract | Performance of the contract; Providing a service |
In order to track and issue invoices on time, we process your receipt. We also keep the history of payments, as this is a legal requirement and we cannot delete this information until the expiration of the filing of the annual accounts.
Type of data | Type of user | Data description | Backend side | Legal basis | The reasoning |
Provided | Client | | Here we store the receipt hash | Legal obligation | Compliance with legal obligation |
Here we describe the data you see in our App.
Type of data | Data description | Legal basis | The reasoning |
Provided | Media files and documents from Google Drive, iCloud, phone memory. | Performance of the contract | Providing a service |
Provided | | Legitimate interest | Instructions for using the App |
Provided | your App settings. | Legitimate interest | Providing a service |
Collected | App usage data | Legitimate interest | Analytics; Statistics |
Collected | History of requests user ID. | Legitimate interest | Customisation of our services; IT support |
Assigned | User ID, open functionality subscription expiration date, availableDevices, APP_token | Performance of the contract | Provision of services |
Please note: we do not knowingly process the data of Users below 16 years of age without a legal representative’s consent. If you are such a User or the User’s legal representative, please inform us by email at dpo@readdle.com.
In general, we store personal data for the following periods of time:
User | Client |
During the performance of the contract and 12 months after last interaction. | During the performance of the contract and 36 months after completion. |
Consent. We process the data based on your consent during the general term unless you withdraw it. After you withdraw your consent, it will take us up to 30 calendar days to erase your data.
Deletion. We will delete your data within 3 months following the request.
We store your personal data either until you delete the account or after a certain period – depending on the data type.
We store your data in the backups of databases. We regularly back up our databases, at least once a day, and store the backups for 1 week.
We use Google Cloud SQL service for the backup purposes. You can learn more about the procedure in their guide here.
We use your personal data on the basis of performance of the contract to provide services and communicate with the Users.
We share your personal data with our contractors in the scope we need to provide services, technical and customer support. Also, we can share your data on the following grounds: consent, compliance with the law, and legitimate interest.
Consent. We share your personal data based on your explicit consent.
Compliance with the law. We will disclose your personal data to third parties to the extent that it is necessary:
Legitimate interest or performance of the contract: We transfer your personal data to third parties on the basis of public offer for processing on our behalf, subject to technical and organizational measures to protect your personal data. We may transfer your data to certain companies, consultants, and contractors hired to provide certain services on our behalf.
VPN Provider. Please see the details in the Privacy Notice.
Convert API. Please see the details in the Terms and Privacy.
We will ask for your consent unless the transfer of data is part of performance of a contract.
The personal data we collect is stored on servers in the USA. The data is stored in the USA by default, but we may need to process your personal data in another country. We also share some data with our service providers in Ukraine.
There is no adequacy decision by the European Commission regarding either the USA or Ukraine. This means that the USA and Ukraine are not deemed to provide an adequate level of protection for your personal data. We use adopted Standard Contractual Clauses based on legislation assessments for data protection during transfer and storage.
You can read more detailed measures to protect your personal data here and in our Data Processing Agreement.
However, if a data transfer is required to perform a contract or to provide you services, we have the right to do so without your consent.
We regularly perform Data Protection Impact Assessments to ensure that we use an appropriate level of technical and organizational measures to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored, or otherwise processed. We follow ISO 27001 Standard to put all security controls in place as a basis.
To be more specific, to protect your personal data we use HTTPS and encryption, divided group and individual access (where appropriate), an alarm system, a corporate VPN, and written, approved internal policies (such as a password policy and a physical access policy).
Moreover, we systematically monitor our technologies’ state of the art and never forget about the backups. All our contractors are under contractual obligations which are compliant with the GDPR requirements.
Here you can find information about the steps we mentioned above:
We ensure that all transmission is secured with HTTPS so that no one else can access your data. Your email and account credentials are stored on secure cloud-based servers using symmetric and asymmetric encryption: private and public keys.
We currently use Hetzner and Google ("Hosting providers"). These Hosting providers have various international security certificates that ensure the safety of your data with them.
App Center. You can read more on the security measures via the link.
Google. You can read more on the security measures via the link.
1. Physical access control: group access and alarm system
We secure access to the premises via ID readers, so only authorized persons have access to them. The ID cards can be blocked individually; access is also logged.
An alarm system is installed on the premises, preventing infiltration by unauthorized persons. The alarm system is linked to a locking mechanism for the doors.
2. System access control: individual access and password policy
Each employee has access to the systems/services only via his/her employee access. The access rights involved are limited to the responsibilities of the respective employee and/or team.
Password policy. We regulate access to our systems via password procedures and the use of SSH keys of at least 4096 bits in length. The SSH keys strengthen the productive systems against attacks that target weak passwords, as password-based access to the relevant systems is disabled.
We have, in addition, a regulation for the creation of passwords. This guarantees higher security also for systems that offer password-based access.
Passwords must meet specific requirements. They must be at least:
Our systems are protected by firewalls that reject all incoming connections by default. Only connection types defined by exception are accepted.
3. Data access control: monitoring and physical access policy.
All servers and services are subject to continuous monitoring. This includes the logging of personal access in the user interface.
Due to the proximity of the employees, a visual inspection is possible at any time.
Locking and/or logging off when leaving work is prescribed and is practiced.
4. Transfer control: contractual obligations and corporate VPN
Before transferring any data, we specify organizational and security requirements in Data Processing and Data Transfer Agreements (if applicable). These agreements are obligatory for every Enterprise and us as the Controller.
Furthermore, the handling of local data storage devices, e.g., USB sticks, is regulated via agreements.
Access to the systems outside the company network is possible only via secure VPN access.
5. Input control: general restriction
Our employees do not work directly at the database level, but instead use applications to access the data.
IT employees access the system via individual access and use a common login.
6. Availability control: backups and division
We ensure the availability of data in several ways. For example, there is a regular backup of the entire system. This can be used if the other availability measures fail.
Critical services are operated redundantly in multiple data centers and controlled by a high-availability system.
Our workstations are also protected with the usual measures. For example, virus scanners are installed and laptops are encrypted.
We would like to specify that we use an MDM solution to protect employee devices with security settings.
7. Separation control: limited access.
To separate data, we use logically separate databases, which prevents unauthorized persons from accidentally reading data.
Access to the data is also restricted because employees use services (applications) that control access.
You, as subjects of personal data, have the following rights:
Right | Description |
Right to access | You can request an explanation of the processing of your personal data. |
Right to rectification | You can change the information if it is inaccurate or incomplete. |
Right to erasure | You can send us a request to delete your personal data from our systems. |
Right to data portability | You can request all the data that you provided to us, as well as request to transfer data to another controller. |
Right to object | You can object to the processing of your data. |
Right to restriction | You may partially or wholly prohibit us from processing your personal data. |
Right to withdraw consent | You can withdraw your consent at any time. |
Right to lodge a complaint | If your request was not satisfied, you can file a complaint to the regulatory body. |
To exercise your rights, write us an email at dpo@readdle.com.
If your request was not satisfied, you can file a complaint with the Data Protection Commission (DPC) regulatory body by post at 21 Fitzwilliam Square, South, Dublin 2, D02 RD28, Ireland or using webforms.
You, as the subject of personal data, have some specific privacy rights. To exercise them, write us an email at dpo@readdle.com.
Your rights vary depending on the laws that apply to you but may include:
Please see more detailed information about your State law in a separate section; you can find it in the navigation on the right of the page.
Virginia’s Consumer Data Protection Act | Consumer Privacy Act and California Privacy Rights Act | Colorado Privacy Act | Nevada Privacy Law | Delaware Online Privacy and Protection Act |
Right to Know whether the controller is processing a customer’s personal data. | Right to Know what personal information is collected and Right to Access personal information. | Right of Access. | Right to Know whether the controller is processing the customer’s personal data. | Right of Access. |
Right to Access personal data processed by the controller. | Right to Know if Personal Information is Sold. | The right to confirm the processing of personal data. | Right to Opt-Out of Sale. | Right to withdraw consent. |
Right to Correct. Right to Delete. Right to Data Portability. Right to Opt-Out of targeted advertising, the sale of personal data, or profiling. | Right to Delete. Subject to certain exceptions. Right to Data Portability. Right to Correct. Right to Opt-Out of Sale. Right to Limit Use and Disclosure of Sensitive Personal Information. | Right to Access. Right to Correction. Right to Deletion. Right to Data Portability. Right to Opt-Out of targeted advertising, the sale of personal data, or profiling via a universal Opt-Out mechanism. | Right to Correct. | Right to Correction. Right for "do not track" request. Right to Opt-Out of Sale. |
What do these rights mean?
Depending on the state and legislative requirements, we have from 30 to 60 days to act on your request, with the right to postpone it for 30 days more.
This Privacy Notice and the relationships falling under its effect are regulated by the GDPR. Existing laws and requirements for the processing of personal data are subject to change. In this case, we will publish a new version of the Privacy Notice in our App. If significant material changes are made that affect your privacy and confidentiality, we will notify you by email or display information in the App and ask for your consent if necessary.