Effective date: January, 24th 2023
Copyright 2023, Cubbit S.r.l.

This Data Protection Policy ("Policy") explains how personal data we collect are processed and your rights in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR").

The Policy applies to our geo-distributed cloud storage products and services (the "Services"), to cubbit.io and our other websites (the "Websites"), and to other interactions (e.g., support requests, surveys, events, contests, etc.), unless otherwise specified.

Who we are

Cubbit S.r.l., a company registered under the laws of Italy having its registered office in Bologna, via della Zecca 1, Tax ID no. 03562001200, company registration no.: BO-528970 ("Cubbit"), is the provider of the following Services:

  • Sync and share, which allows users to store and share encrypted files and folders via the Cubbit geo-distributed cloud storage network.
  • Cubbit DS3, which allows storage and management of encrypted data as objects via the Cubbit geo-distributed cloud storage network.

Under the GDPR, Cubbit is generally the data controller of the personal data described in this Policy. If your Cubbit account is managed by a legal entity (i.e., a company or organization), or if you have received a Cubbit link from a business user, that business user is the data controller, and Cubbit acts as a data controller on their behalf.

What data Cubbit collects

We collect personal data, depending on the context and the way you interact with Cubbit and the choices you make, including your privacy settings.

a. Information provided directly by you

Files. Our Services are designed to store data. When you use our Services and upload your files, Cubbit stores, processes, and transmits those files to the geo-distributed cloud.

Account Data. Personal information provided when setting up the Cubbit account, such as: name, email address, and password, the latter only for Cubbit DS3 accounts. 

Contact Information. Data that allows Cubbit to be able to communicate with you, such as your phone number or email address.

Billing and payment information. Personal information required for handling a purchase, billing, shipping, such as bank or payment card details. These may be collected and processed by secure services provided by third parties and integrated with the Websites.

Other Information. You may also share some information about yourself, which may contain personal data, with us voluntarily when you contact our technical support or sales department directly, submit an application, fill out a form, post a message on the Websites or social media forums, take part in surveys, or visit our office. Personal data collected both online and offline in connection with recruitment activities are processed in accordance with our policy.  

b. Information we collect when you use our services

Log. We collect certain information and store it in log files when you interact with our Websites and Services. This information may include your Internet Protocol (IP) address, browser type, Internet Service Provider (ISP), ID number associated with your device, access time, and error and failure logs.

Usage Data. Based on your use of the Services, we may collect information related to your interactions with and use of the Services, such as processor and memory usage, storage capacity and computational system metrics, and metadata, including file extension, file size, upload and modification date.

Sharing data. When you share a file or send or receive an invitation to collaborate on a folder, according to the instructions provided, we may access and store certain unencrypted data such as: the user ID (not the name assigned by the user), the folder ID and its unique URL address, the email address of the invited person when that person is not yet registered to our services, type of permission granted, as well as any personal information contained in the text of the message accompanying the invitation (optional). The user's username and email address will be visible to the invited person upon receipt of the invitation.

Cubbit Cell Data. We collect certain information from the Cubbit Cell when it is connected to the Services, which may contain personal information, such as the device identifier, the date it was first accessed, and the associated IP address, from which the approximate geographic location can be derived. We may also receive information about the external drive that may be connected to the Cubbit Cell, the amount of storage space used, bandwidth upload and download speeds, and other metrics about the device and network connection.

Information collected by cookies and similar technologies. We and our third-party vendors use cookies and other similar technologies to collect information when you interact with the Websites and Services. Cookies are small data files that, when stored on your device, allow our web server to recognize you. Information collected by cookies may include, for example, but not limited to, your IP address, operating system, browser type, language, pages visited, time spent, links clicked, referring and exit page. This data is anonymized and does not allow us to identify you personally. Other technologies, such as pixel tags, are electronic images that may be used in our Services or in email messages to understand your interactions with the Websites and our social media accounts or to receive confirmation that an email from us has been opened. For more information, please read our Cookie Policy.

c. Information we collect from third parties

Resellers and distributors. We enter into agreements with business partners to promote, market and resell our products and services. Our business partners may provide us with personal information, such as billing and/or customer contact information.

Employers, colleagues, friends or other users. We may collect and process personal information about representatives or employees of our customers, suppliers, investors. We may also receive your contact information from a friend as part of a referral program. Other users of the Services may provide us with information about you. For example, we receive personal information (email address) when someone invites you to sign up for the Services or when an Account Administrator designates you as a guest user.

Publicly Available Sources. We may collect some personal information available from public records and other information provided in public forums, including information made publicly available on social networks.

Other Third Parties. We may collect information about you from third-party service and content providers integrated with the Websites and Services, or from our advertising and social media network partners. Your interactions with social media features are governed by the data protection policies of the companies providing those services.

Why Cubbit uses your data

Cubbit may use the categories of personal data listed above for the following purposes:

Providing the Services. We use your personal information to set up and maintain your account, enable you to access and use the Websites and Services, enter into, manage and fulfill our service contract with you or your employer, provide, manage, process a purchase order, expiration or termination of the Services.

Research and development. We use your personal information to make sure the Services work properly. Cubbit may also collect anonymized aggregate statistical data to understand how users use the Services and to develop and improve features.

Protect and secure Cubbit, users and others. We use your personal information to diagnose, repair, and track service and quality problems, investigate and prevent security incidents, meet legal requirements, or where we believe it is necessary to protect our interests and the interests of others. We may use information about you in connection with legal action, compliance, and for conducting audits.

Service Communications. We use your personal information to send you email communications or in-app notifications related to the Services, such as: technical alerts, security alerts, administrative alerts, and notifications of available software updates. These types of communications are an integrated part of the Services and you cannot opt out from receiving them. We may use your personal information to respond to support requests, questions, or any complaints.

Marketing. If you are already our customer, or are using our Services, we may process your personal data to send you marketing communications to provide you with information about Cubbit's products and services. In other cases, with your consent, we may send you communications, including periodic communications ("newsletters"), regarding promotions, updates, and events about our Services, using the contact information you have provided to us. You may opt out of receiving Cubbit's marketing communications at any time by clicking on the link in the email you receive or by contacting us at: privacy@cubbit.io With your consent we process your personal information when you take part in surveys, become our testimonial, submit comments, provide feedback, take part in dissemination events, or contests, or other online and offline communication and marketing activities. We may use information about you collected through cookies or other similar technologies to show you ads on other companies' websites and applications, such as on search engines or social networking platforms, and to determine the effectiveness of our communication activities. To disable its use for marketing purposes, click here.

Other purposes if we obtain your consent. We may use your personal information for any other purpose for which you have given us consent.

Legal basis for data processing

In accordance with the GDPR, we collect and process your personal data, as described above, only if a legal ground for processing personal data exists, i.e., if at least one of the following conditions is met:

  • is necessary to provide the Services reliably and securely
  • there are legitimate commercial interests, when these do not outweigh your interest in data protection or your fundamental rights and freedoms, such as research, development, direct marketing of the Services and to protect Cubbit's rights and interests
  • fulfillment of a legal obligation arising from laws, regulations or standards, or
  • in all other cases where you have given your consent for specific processing.

Who we share your data with

Your personal information will never be shared with parties outside Cubbit, except in the following cases.

Content shared by you. Service features allow you to share personal information and your files with other people.

Administrators. If you are using the Services as part of a company or organization, or otherwise your account is linked to that of an administrator account, the administrator may be able to control your account and files.

Third-party service providers. We may share your personal data with our service providers, who act on our behalf, such as providers of IT services, operating systems and platforms, marketing services, data analytics, email distribution, lending institutions, and other services. We may share your personal data with external professionals and consultants, such as lawyers, accountants, auditors, etc., whom we use to carry out specific activities. These individuals act as data controllers or as data processors, appointed by special agreement on the processing of personal data. The list of (sub-)controllers is available upon request by contacting us through the following address privacy@cubbit.io

Third-party applications. Cubbit DS3 allows third-party services to access some account information and content, via Cubbit APIs. The use of your personal information by these third-party service providers is governed by their terms of service and data protection policies.

Complying with legal requirements. We may disclose your personal data if required by applicable law in force, or when such action is necessary to comply with any law or regulation or order from a public authority. We may also need to share personal information to protect our rights and interests, to protect your safety or the safety of others, or to investigate fraud and abuse, in accordance with applicable laws.

Public. We may post your user experiences and feedback along with your name and other identifying information on the Websites or social media, with your consent. The Websites may also offer publicly accessible comment sections and forums. You should be aware that any information you post may be read, collected, and used by others who access it.

Corporate transactions. In the event of a reorganization, merger, acquisition, or sale of all or some of our assets, your information may be shared under the agreement with that entity. Regardless of changes that may occur in our company, users of our Services will be promptly informed using the contact information we hold, of any agreement and options available to you regarding the processing of personal data.

How we protect your data

Information Security. We take appropriate technical and organizational measures to protect personal information from loss or other forms of unlawful processing. Our Services have received ISO/IEC 27001:2013 compliance certification, with extension to ISO/IEC 27017:2015 and ISO/IEC 27018:2019 audits.

Content Confidentiality. Our Services are designed to prevent unauthorized access to user-stored content. Each uploaded file is encrypted (AES256), sharded and each shard replicated and stored in nodes (i.e. Cubbit Cells), which contribute to the Cubbit geo-distributed storage network. All data transmissions are protected using Transport Layer Security (TLS) cryptographic protocol.
You are responsible for maintaining the confidentiality of your Cubbit account login credentials, API keys, and all activities that occur within your account. Cubbit is not responsible for any loss or damage resulting from your failure to maintain the confidentiality or loss of login credentials and API keys, including the inability to retrieve or decrypt data stored within your account for Services implementing the zero knowledge cryptographic protocol.

Where we transfer your data

We may transmit, process and store your personal data outside the country where you are located. When transferring your personal data from the European Economic Area to third countries, we rely on the legal tools provided by applicable European legislation, including the Adequacy Decisions, Binding Corporate Rules, and Standard Contractual Clauses adopted by the European Commission (914/2021/EU), identifying if necessary additional technical, contractual and organizational measures to protect the personal data transferred.

How long we retain your data

We retain your personal information for as long as necessary to fulfill the purposes described in this Policy and to comply with applicable regulations and practices. After these time periods have elapsed, your personal data will be deleted or anonymized, if technically possible.

Your rights

You can ask us to provide you with information regarding the personal data we or our data processors are using, request correction or deletion of that data.

In accordance with the GDPR, data subjects have the right to:

  • Access. Ask for confirmation that your personal information is being processed and, if so, obtain access to it.
  • Portability. Receive copies of your personal information in a structured, commonly used, device-readable format and to transmit it to another data controller.
  • Rectification. Correct your inaccurate personal data or supplement incomplete personal data.
  • Opposition. Ask to stop processing your personal data and opt out of receiving marketing communications.
  • Limitation. Limit the processing of your personal information in certain cases.
  • Deletion. Request deletion of your personal data, such as when the processing is no longer necessary in relation to the purpose(s) for which it was collected, you have withdrawn consent and there is no other legal basis for the processing to be in place, you have objected to the processing and there is no overriding legitimate reason for the processing, the processing is unlawful, or deletion is required to comply with a legal obligation.
  • Withdrawal of consent. Where consent is required to carry out a particular processing, you have the right to revoke your consent and/or withdraw it at any time without any adverse consequences to you as a result. Withdrawal does not affect the lawfulness of any processing of your personal data that has taken place up to that point.
  • Complaint. You also have the right to file a complaint with the Supervisory Authority of the state where you are resident or bring a judicial review if you believe that your rights have been violated as a result of the processing of your personal data.

If you wish to exercise any of the rights listed above, please contact us at privacy@cubbit.io. We will respond to you within 30 days. Please note, before we comply with your request we may need to verify your identity.

Changes

If necessary to comply with the ongoing evolution and improvement of our Services and regulatory changes, we reserve the right to periodically update and modify this Policy. If such changes materially affect your rights, we will notify you using the information you provide, prior to their entry into force. In any case, we encourage you to consult this page to check for changes in our data protection practices.

Contacts

If you have any questions regarding this Policy or our data protection practices, please contact us at: privacy@cubbit.io or

Cubbit S.r.l. ℅ Copernico Rizzoli

Attn.: Privacy Team and DPO
Via Altabella 17
Bologna - 40125 (Italy)

Updates

Here you can browse the archive of previous versions of this Privacy Policy