Documents Privacy Policy

  1. Definition of "User"
  2. Controller details
  3. Personal Data we process
  4. Personal Data in Documents
  5. Analytics
  6. Docstransfer
  7. Logging in through third-party accounts.
  8. Push notifications
  9. Automated individual decision-making
  10. Turning on the VPN
  11. Upgrade and extension to Documents Plus
  12. Invoice history
  13. App usage
  14. Age limitation:
  15. Term of Storage
  16. General
  17. Backup storage:
  18. Data sharing with third parties
  19. Details:
  20. Data transfer outside the European Economic Area
  21. Security measures
  22. HTTPS and encryption
  23. Security measures (detailed explanation):
  24. Privacy rights
  25. EU privacy rights
  26. The USA citizens’ privacy rights.
  27. Privacy Notice Update

We are Readdle LLC ("we") and we provide you services under these Terms of Service. In the Documents Application ("App" or "Documents") you can manage your files.

We understand you care about your privacy and we appreciate the trust you place in us. To justify your trust, we embed the latest data security standards, improve our awareness in privacy matters, and comply with the General Data Protection Regulation and other privacy laws.

This Privacy Notice describes which of your personal data the App collects, how it stores and processes it, and what happens when you use Documents.

We do not collect, track or store any personal data over what we need to provide and improve our product and services.

Definition of "User"

For privacy purposes, we categorize users of the App as follows: User and Client.

User is a person to whom we provide our App on a free basis.
Client is our user, an individual, to whom we provide our App on a paid basis.

You own and control the personal data we collect about you. You can choose not to provide certain information or disable and prevent us from collecting, storing, and processing it. Please be aware that in this case you will not be able to take advantage of some of Documents' features.

Controller details

We are the controller of the personal data for the Users and Clients from the moment of the User’s consent to the Terms of Service.

This means we determine the amount, purpose, and means of personal data processing when you use the App.

For more details about our role as a controller and a processor of personal data, please contact us at dpo@readdle.com. You can also send us a letter.

Name: Readdle LLC (Documents)
Address: Glandore Business Centre, Grand Canal House, 1 Grand Canal Street Upper,
Dublin 4, D04 Y7R5, Ireland.
Email: dpo@readdle.com.

Personal Data we process

We do our best to keep this part of the document simple. To help you understand, we use tables and charts to make it structured and easy.

Please note: we do not receive and store every piece of data. Moreover, the data is mainly stored locally on your device, and we see pseudonymised or even anonymised data.

Mainly, we process two categories of data: technical and the one you give to us. Some of it you see in your interface, some of it is processed on the backend.

Client-Side is the part of the App that is displayed or takes place on the users’ devices.

Backend is an invisible crucial part of our App, where algorithms operate on the variables and data points.

We can process personal data based on the following legal bases:

  • performance of the contract — for processing that is strictly necessary for service provision as written in Terms of Service, technical and customer support;
  • legitimate interest — for processing that is reasonable for the user and required for the development of the service;
  • consent — for additional processing for specific purposes

Personal Data in Documents

As defined, these are the categories of Users:

  1. User
  2. Client

We collect your personal data according to this Privacy Notice when you use the App. Some of the data we collect automatically, such as the country the App is used in: we get this data based on the IP address or from the AppStore (we receive this information in a generalized form).

Generally, all the data provided to us can either be linked to you or not (i.e., anonymized data).

Technical information from the App. When you use our App, the following data is collected automatically:

All the data you can use through our App that is stored on Google Drive, iCloud, Dropbox, Box, WebDAV, etc. is processed right on the device via SDKs, and we don't have access to these files.

Here is a short list of the data you process:

  • email, payment data (receipt and receipt hash), media files and documents from Google Drive, iCloud, phone memory; phone settings (for other applications); history of data subject requests.

And here is the data that we have:

  • payment data, user_ID

Overall function:

  • Logging in through third-party accounts. When you connect "Documents" to other accounts, the App accesses all personal data stored in that account: cloud data and third-party app data.
    This may include: media files, documents, history and application interaction results. This is achieved thanks to AppToken;
  • Automated individual decision-making.
  • DocsTransfer
| When | Data we have and see | Data you see on your device |
|---|---|---|
| First app download | email; login; Documents Plus expiration date | You can edit such data as: email; login; type of license/account; Documents Plus expiration date (Active Until); type of configuration |
| Opening the App | IP address; user id; token | email; login; type of license/account; Documents Plus expiration date (Active Until) |
| Receiving emails with tips | email | email |
| Usage | IP address; token | media files and documents from Google Drive, iCloud, phone memory; history of data subject requests |
| Settings | phone settings | phone settings |
| Transfer between devices | IP address; token | any data you may transfer |
| Upgrade to Document Plus | user id; App Store account data; receipt hash | email; payment data; receipt |

Receipt is an electronic document provided by Apple about your payment. It is stored on your device. We receive only the hash (electronic value) to verify the transaction.

Analytics

We use the Amplitude service to gather statistics on the App usage. As a User, you will not see how this service operates. The Amplitude projects (statistics per specific User, afterwards combined into general groups by several criteria) are fully anonymized. This process does not involve personal data that we can access.

We understand that you might wish to know the details about our privacy practices. We grouped our data privacy processes by features. Please click on each feature to read more.

Docstransfer

We provide you with the functionality for data transfer. Wi-Fi Transfer is the easiest way to transfer files and photos from a computer to your iPhone or iPad and vice versa. All you need to do is open the App on your phone.

We would like to clarify some important details:

  1. At the moment of connection, our server sees the IP address of the device from which it is connected. We store it during the connection and then delete it.
  2. All user data is transmitted exclusively over the local network and never gets to our or any other server.
  3. In other words, in any case we are not aware of what exactly you transfer. We only know the fact of this connection.
  4. Within the local network, user data is transmitted without encryption.
  5. Auxiliary control commands are transmitted between the device and the browser.

| Type of data | Type of user | Data description | Backend side | Legal basis | The reasoning |
|---|---|---|---|---|---|
| Provided | User, Client | Any data you may transfer | IP address, token | Performance of the contract | Providing a service |

Logging in through third-party accounts.

One of the main parts of our services is designed to make your experience with Documents more comfortable and easy. So we provide you the possibility to link accounts from 3rd-party services for integration and synchronization of data.

| Type of data | Type of user | Data description | Legal basis | The reasoning |
|---|---|---|---|---|
| Provided | User, Client | All cloud data and third-party app data | Performance of the contract | Providing a service |

Push notifications

We can send you small notifications to inform you about changes or updates via pushes from the App. You can allow or disable push notifications in the App Settings on your device.

| Type of data | Type of user | Data description | Legal basis | The reasoning |
|---|---|---|---|---|
| Collected | User, Client | push token | Consent | Informing you about the App |

Automated individual decision-making

We can use automated individual decision-making to customize your experience with our App and make you more comfortable.

| Type of data | Type of user | Data description | Legal basis | The reasoning |
|---|---|---|---|---|
| Collected | User, Client | Data on your interaction with music | Performance of the contract | Providing a service |

Turning on the VPN

For greater security and anonymity when using the Internet, we have added a VPN. With VPN enabled, your IP address will be changed. This can be random or you can choose a connection server.

| Type of data | Type of user | Data description | Legal basis | The reasoning |
|---|---|---|---|---|
| Provided | User, Client | phone settings (for other applications), IP address. | Performance of the contract | Providing a service |

Upgrade and extension to Documents Plus

Since this is a significant change for us, we make it a separate functionality of the product. We do not change the set of data that we processed before, but now we also store information that you have a subscription.

| Type of data | Type of user | Data description | Backend side | Legal basis | The reasoning |
|---|---|---|---|---|---|
| Provided | Client | We receive only information about the successful payment of the upgrade and extension to Documents Plus | Here we store the receipt hash | Performance of the contract | Performance of the contract; Providing a service |

Invoice history

In order to track and issue invoices on time, we process your receipt. We also keep the history of payments, as this is a legal requirement and we cannot delete this information until the expiration of the filing of the annual accounts.

| Type of data | Type of user | Data description | Backend side | Legal basis | The reasoning |
|---|---|---|---|---|---|
| Provided | Client | Data on previously purchased Document Plus; Receipt | Here we store the receipt hash | Legal obligation | Compliance with legal obligation |

App usage

Here we describe the data you see in our App.

| Type of data | Data description | Legal basis | The reasoning |
|---|---|---|---|
| Provided | media files and documents from Google Drive, iCloud, phone memory. | Performance of the contract | Providing a service |
| Provided | email | Legitimate interest | Instructions for use of the App |
| Provided | your App settings. | Legitimate interest | Providing a service |
| Collected | App usage data | Legitimate interest | Analytics; Statistics |
| Collected | History of requests user ID. | Legitimate interest | Customisation of our services; IT support |
| Assigned | User ID, open functionality subscription expiration date, availableDevices, APP_token | Performance of the contract | Provision of services |

Age limitation:

Please pay attention. We do not knowingly process the data from Users below 16 years of age without a legal representative’s consent. If you are such a User or the User’s legal representative, please inform us by email at dpo@readdle.com.

Term of Storage

General

In general, we store personal data for the following periods of time:

| User | Client |
|---|---|
| During the performance of the contract and 12 months after last interaction. | During the performance of the contract and 36 months after completion. |

Consent. We process the data based on your consent during the general term unless you withdraw it. After you withdraw your consent, it will take us up to 30 calendar days to erase your data.

Deletion. We will delete your data within 3 months following the request.

We store your personal data either until you delete the account or after a certain period – depending on the data type.

Backup storage:

We store your data in the backups of databases. We regularly back up our databases, at least once a day, and store the backups for 1 week.

We use Google Cloud SQL service for the backup purposes. You can learn more about the procedure in their guide here.

Data sharing with third parties

We use your personal data on the basis of performance of the contract to provide services and communicate with the Users.

We share your personal data with our contractors in the scope we need to provide services, technical and customer support. Also, we can share your data on the following grounds: consent, compliance with the law, and legitimate interest.

Details:

Consent. We share your personal data based on your explicit consent.

Compliance with the law. We will disclose your personal data to third parties to the extent that it is necessary:

  • to comply with a government request, court order, or applicable law;
  • to prevent unlawful use of our App or violation of the Terms of Service and our policies;
  • to protect against claims of third parties;
  • to help prevent or investigate fraud.

Legitimate interest or performance of the contract: We transfer your personal data to third parties on the basis of public offer for processing on our behalf, subject to technical and organizational measures to protect your personal data. We may transfer your data to certain companies, consultants, and contractors hired to provide certain services on our behalf.

VPN Provider. Please see the details in the Privacy Notice.

Convert API. Please see the details in the Terms and Privacy.

We will ask for your consent unless the transfer of data is part of performance of a contract.

Data transfer outside the European Economic Area

The personal data we collect is stored on servers in the USA. The data is stored in the USA by default, but we may need to process your personal data in another country. We also share some data with our service providers in Ukraine.

There is no adequacy decision by the European Commission regarding either the US or Ukraine. This means that the USA and Ukraine are not deemed to provide an adequate level of protection for your personal data. We use adopted Standard Contractual Clauses based on legislation assessments for data protection during transfer and storage.

You can read more detailed measures to protect your personal data here and in our Data Processing Agreement.

However, if a data transfer is required to perform a contract or to provide you services, we have the right to do so without your consent.

Security measures

We regularly perform Data Protection Impact Assessments to ensure that we use an appropriate level of technical and organizational measures to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored, or otherwise processed. We follow ISO 27001 Standard to put all security controls in place as a basis.

To be more specific, to protect your personal data we use HTTPS and encryption, divided group and individual access (where appropriate), alarm system, corporate VPN, written approved internal policies (like password policy and physical access policy).

Moreover, we systematically monitor our technologies’ state of the art and never forget about the backups. All our contractors are under contractual obligations which are compliant with the GDPR requirements.

Here you can find information about the steps we mentioned above:

HTTPS and encryption

We ensure that all transmission is secured with HTTPS so that no one else can access your data. Your email and account credentials are stored on secure cloud-based servers using symmetric and asymmetric encryption: private and public keys.

We currently use Hetzner and Google ("Hosting providers"). These Hosting providers have various international security certificates that ensure the safety of your data with them.

App Center. You can read more on the security measures via the link.

Google. You can read more on the security measures via the link.

Security measures (detailed explanation):

1. Physical access control: group access and alarm system

We secure access to the premises via ID readers, so only authorized persons have access to them. The ID cards can be blocked individually; access is also logged.

An alarm system is installed on the premises, preventing infiltration by unauthorized persons. The alarm system is linked to a locking mechanism for the doors.

2. System access control: individual access and password policy

Each employee has access to the systems/services only via his/her employee access. The access rights involved are limited to the responsibilities of the respective employee and/or team.

Password policy. We regulate access to our systems via password procedures and the use of SSH keys of at least 4096 bits in length. The SSH keys strengthen the productive systems against attacks that target weak passwords, as password-based access to the relevant systems is disabled.

We have, in addition, a regulation for the creation of passwords. This guarantees higher security also for systems that offer password-based access.

Passwords must meet specific requirements. Each password must be at least 12 characters long and contain at least:

  • 1 letter in upper-case
  • 1 letter in lower-case
  • 1 number
  • 1 non-alphanumeric character

Our systems are protected by firewalls that reject all incoming connections by default. Only connection types defined by exception are accepted.

3. Data access control: monitoring and physical access policy.

All servers and services are subject to continuous monitoring. This includes the logging of personal access in the user interface.

Due to the proximity of the employees, a visual inspection is possible at any time.

Locking and/or logging off when leaving work is prescribed and is practiced.

4. Transfer control: contractual obligations and corporate VPN

Before transferring any data, we specify organizational and security requirements in Data Processing and Data Transfer Agreements (if applicable). These agreements are obligatory for every Enterprise and us as the Controller.

Furthermore, the handling of local data storage devices, e.g., USB sticks, is regulated via agreements.

Access to the systems outside the company network is possible only via secure VPN access.

5. Input control: general restriction

Our employees do not work directly at the database level, but instead use applications to access the data.

IT employees access the system via individual access and use a common login.

6. Availability control: backups and division

We ensure the availability of data in several ways. For example, there is a regular backup of the entire system. This can be used if the other availability measures fail.

Critical services are operated redundantly in multiple data centers and controlled by a high-availability system.

Our workstations are also protected with the usual measures. For example, virus scanners are installed, laptops are encrypted.

We would like to specify that we use an MDM solution to protect employee devices with security settings.

7. Separation control: limited access.

We use logically separate databases to separate data and prevent unauthorized persons from accidentally reading it.

Access to the data is also restricted because employees use services (applications) that control access.

Privacy rights

EU privacy rights

You, as subjects of personal data, have the following rights:

| Right | Description |
|---|---|
| Right to access | You can request an explanation of the processing of your personal data. |
| Right to rectification | You can change the information if it is inaccurate or incomplete. |
| Right to erasure | You can send us a request to delete your personal data from our systems. |
| Right to data portability | You can request all the data that you provided to us, as well as request to transfer data to another controller. |
| Right to object | You can object to the processing of your data. |
| Right to restriction | You may partially or wholly prohibit us from processing your personal data. |
| Right to withdraw consent | You can withdraw your consent at any time. |
| Right to lodge a complaint | If your request was not satisfied, you can file a complaint to the regulatory body. |

To exercise your rights, write us an email at dpo@readdle.com.

If your request was not satisfied, you can file a complaint to the Data Protection Commission (DPC) regulatory body by post at 21 Fitzwilliam Square, South, Dublin 2, D02 RD28, Ireland or using webforms.

The USA citizens’ privacy rights.

You, as the subject of personal data, have some specific privacy rights. To exercise them, write us an email at dpo@readdle.com.

Your rights vary depending on the laws that apply to you but may include:

  • The right to be informed about the personal data we collect and/or process about you;
  • The right to learn the source of personal data about you we process;
  • The right to access, modify, and correct personal data about you;
  • The right to know with whom we have shared your personal data, for what purposes, and what personal data has been shared (including whether personal data was disclosed to third parties for their direct marketing purposes);
  • The right to withdraw your consent, where the processing of personal data is based on your consent; and
  • The right to lodge a complaint with a supervisory authority located in the jurisdiction of your habitual residence, place of work, or where an alleged violation of law occurred.

Please see more detailed information about your State law in a separate section; you can find it in the navigation on the right of the page.

Virginia’s Consumer Data Protection Act Consumer Privacy Act and California Privacy Rights Act Colorado Privacy Act Nevada Privacy Law Delaware Online Privacy and Protection Act
Right to Know whether the controller is processing a customer’s personal data. Right to Know what personal information is collected and Right to Access personal information. Right of Access. Right to Know whether the controller is processing the customer’s personal data. Right of Access.
Right to Access personal data processed by the controller. Right to Know if Personal Information is Sold. The right to confirm the processing of personal data. Right to Opt-Out of Sale. Right to withdraw consent.
Right to Correct.
Right to Delete.
Right to Data Portability.
Right to Opt-Out of targeted advertising, the sale of personal data, or profiling.
Right to Delete. Subject to certain exceptions.
Right to Data Portability.
Right to Correct.
Right to Opt-Out of Sale.
Right to Limit Use and Disclosure of Sensitive Personal Information.
Right to Access.
Right to Correction.
Right to Deletion.
Right to Data Portability.
Right to Opt-Out of targeted advertising, the sale of personal data, or profiling via a universal Opt-Out mechanism.
Right to Correct. Right to Correction.
Right for "do not track" request
Right to Opt-Out of Sale.

What do these rights mean?

  1. The right to access information. You can request an explanation of the processing of your personal data: what data exactly we process and how.
  2. The right to withdraw consent. After you once give us any consent, you can withdraw it at any time without any consequences for you.
  3. The right to portability. You can request all the data you provided to us and request to transfer data to another controller in a machine-readable format.
  4. The right to file complaints. If your request was not satisfied, you can file a complaint to the regulatory body. But please first contact us, and we will do our best to help you.
  5. Right to delete (Right to Deletion). You can send us a request to delete your personal data from our systems.

Depending on the state and legislative requirements, we have from 30 to 60 days to fulfil your request, with the right to postpone it for 30 days more.

Privacy Notice Update

This Privacy Notice and the relationships falling under its effect are regulated by the GDPR. Existing laws and requirements for the processing of personal data are subject to change. In this case, we will publish a new version of the Privacy Notice in our App. If significant material changes are made that affect your privacy and confidentiality, we will notify you by email or display information in the App and ask for your consent if necessary.
