We care about the security of your data and the protection of your privacy, so please read this policy carefully together with our Terms of Service. If you do not agree with the following terms, please do not access or use our Services or Website.
Table of contents
- Who we are
- How this Policy applies
- Who is the Data Controller and Processor
- How we protect your personal data
- Which personal information we collect
- Legal grounds for use of your information
- Who we share your personal information with
- Where do we transfer your data
- How long will we retain your information
- Which rights of control and choice you have
- Policy changes
- Contact us
Who we are
Cubbit Srl, (collectively “Cubbit”, “we” or “us“, “our“) is an italian headquartered startup limited company (registered office in Via della Zecca 1, 40121 Bologna, VAT no. 03562001200) aiming to create the first collaborative and sustainable cloud storage service.
How this Policy applies
Who is the Data Controller and Processor
If you have a Cubbit account as an individual person, for those to whom the GDPR applies, Cubbit is the “data controller” for processing of personal information as described below. In other cases, if you are a legal person (i.e. company or organisation), you will be considered as “data controller” and Cubbit will be a "data processor," acting on instructions given from the data controller.
With regard to the processing of files uploaded to our distributed cloud network by users, however, Cubbit is always to be considered the “data processor” and the user (person or company or organization) owning the Cubbit account is the data controller, until account termination.
You can find a legal definition of “data controller” and “data processor” according to the EU legislation at the following link here.
How we protect your personal data
Thanks to an AES-256 key encryption system, the data you have chosen to store on our network is safe and secure.
Once encrypted, every single file is divided into 24 chunks, which are processed into 36 redundancy chunks. Of the 36 chunks, only 24 are needed to recover the original encrypted file. These chunks are then distributed globally and stored on the network using a peer-to-peer connection between the hosting cells and the user.
Only you, or eventually someone with whom you decided to share your account user-name and password, have the keys to decrypt and to access the encrypted content of your file.
We do not collect users passwords so we can’t have access to the files you stored in your account and therefore we are not even able to recover your password, but we allow users to reset the old password by correctly typing a secret code or sentence set at the creation of the account allowing them to create a new password.
However, even if we cannot access the content of files and folders uploaded to the cloud, we may still need to process some of your personal information to provide you with our service.
Which personal information we collect
We collect information that you provide to us directly or indirectly, from third parties and by automated means, when you interact with us
- Data you provide to us
- Registration and billing information you provide by purchasing a Cubbit Cell or supporting our crowdfunding campaign. When you place an order, you are asked to provide some contact data and billing information by completing our survey such as name, shipping address, country/city of residence, VAT number, SDI code for Italian citizens only, phone number, email and product preferences.
- Account information you provide by downloading and installing the Cubbit client software and creating your personal account, such as the name and email that is necessary for the provision and maintenance of your user account. However, Cubbit is unable to link such metadata information to the encrypted content or file names within the storage space, as CUBBIT DOES NOT HAVE ACCESS TO YOUR PASSWORD OR TO THE ENCRYPTED CONTENT OR FILE NAMES LOCATED IN YOUR ACCOUNT.
- Additional information that you decide to share with us, including your personal data, when you contact our Swarm Support Team, submit forms on our website or otherwise communicate with us. The processing of such data, including detailed, non-aggregated logs (which may contain, for example, unencrypted file names), your device screen, or any other data, is necessary for the performance of the service or in order to take steps prior to entering into a contract under Article 6 1. (b) GDPR.
- Information that we collect from third parties
- Our seller. Personal information about you that the Indiegogo or Kickstarter crowdfunding platform shares with us as campaign owners.
- Information that we collect automatically
When you use our service we may automatically collect certain information about and from your Cubbit Cell. This may include information about the software version, operating system, Internet protocol address, and the date and time of each request made to Cubbit. When you connect to the network, we may also receive information about the external drives connected, number and size of files transferred/stored.
This information allows us to better meet user needs, diagnose service issues, provide more effective customer support, inform you about operating systems that we no longer support and ensure the continued functionality of our products.
Legal grounds for use of your information for European Economic Area residents
If you are an individual (both a website visitor or a Cubbit user) located in the European Economic Area (“EEA”), we collect and process your personal information as described above only on the following legal basis: 1) Consent - we will normally collect your personal information only where we have your consent to do so; 2) Performance of contractual obligations - when it is necessary in order to provide our services; 3) Legal obligations - when we need to fulfill a legal obligation arising from European law, regulation or legislation; 4) Legitimate interest - when there’s a legitimate business reason behind; 5) Public interest - when it is necessary to pursue legitimate interests of the controller or of a third party, as long as interests or fundamental rights and freedoms of the data subject requiring the protection of personal data, in particular where the data subject is a minor, prevail.
For example, but not limited to:
- the processing of data relating to the management of the relationship with users is based on the fulfilment of a contract between you and Cubbit (for example, when you place a purchase order, create an account), or on our legitimate interest (stability, sustainability and security of the network);
- the processing of data related to the sending of commercial communications, is based on your specific consent;
- when you send us a request relating to our service, or for the management of requests for assistance, in order to identify any server problems or other IT or network issues the processing of your data will be based on the performance of the contract;
If you have any questions or need further information regarding the legal basis on which we collect and use your personal information, please contact us using the contact details provided on our Help Page.
From time to time, Cubbit will communicate with you via email. There are two types of email you may receive:
- Service Emails
These are service related emails such as technical notices, updates, security alerts, support and administrative messages. You cannot opt out of receiving these messages, including necessary security alerts and legal notices, Push notifications (in-app) may be also sent to your device to notify you of Cubbit Cell disconnection or malfunctions as well as certain events or user actions regarding the user account or the user’s data, as they are part of the service which Cubbit provides to you.
- Marketing Emails
These will include Cubbit news, promotions and similar. Subscribing to this newsletter is optional and at any time you can subscribe or unsubscribe using the link contained in each email.
Who we share your personal information with
Your personal data will be processed by our team and will never be sold to third parties. However, we may also need to share certain information, including personal data, with third parties, who, in accordance with this policy, will be required to follow, in any case, the specific instructions we provide to them to ensure the security and confidentiality of your data.
- Complying with legal requirements
Cubbit may disclose your personal data if the applicable legal provisions so require, or when such action is necessary to comply with any laws, including to meet national security or law enforcement requirements. We may also need to share personal data for the protection of our rights and interests, to protect your safety or the safety of others or to investigate fraud and abuses, in accordance with the applicable laws.
In some cases, it may be necessary to comply with national security or law enforcement requirements, provide personal data to authorities: (a) if required by law or regulation, a court order or other judicial authorization, (b) in response to legitimate requests from public authorities, including to meet national security and law enforcement requirements; (c) in connection with the sale, transfer, merger, bankruptcy, restructuring or other reorganization of a business; (d) to protect or defend our rights, interests or property or that of a third party; (e) to investigate any unlawful act in connection with our products and services; and (f) to protect the vital interests of an individual.
However, we are not able to disclose the content of the data in your account to the authorities as we do not have access to your password and therefore we are not able to decrypt the files stored within it.
- Using third-party service providers
Users are aware that we may need to share certain information, including personal data, with our third party service providers that we use for development, backup, archiving, analysis and other services. In such cases, we require our third party service providers, as data processors, who also may have their registered office outside the EEA, to use the personal information we share with them only in connection with the services they provide to us, by signing Data Processing Agreements.
Your personal data is stored and processed by us primarily within the EEA territory.
However, we shall use the services offered by third parties, e.g. service companies, in particular in the development of marketing strategies, with technical companies (e.g. manufacturer and supplier of electronic components) or logistics companies (e.g. couriers) that may be based outside the EEA.
For this purpose it may therefore be necessary to transfer certain personal data to these Third Parties, who in such cases act as data controllers on our behalf. Such transfer and processing by third party companies, if based outside the EEA, takes place on the basis of an Adequacy Decision by the European Commission or by signing Standard Contractual Clauses adopted by the Commission.
Your encrypted personal and non-personal data will be split in several chunks and distributed over the peer-to-peer network and stored globally.
How long will we retain your information
- Your Personal Data
Your personal data will be kept only for the time necessary for the purposes described in this document, after which they will be kept only to comply with legal obligations (tax, accounting or other legal requirements).
When there is no legitimate need to process your personal data, we will delete or anonymize them, according to technical possibilities.
- Your stored Encrypted Content
For reasons of stability and technical sustainability of the network, the user's account only remains active as long as the Cubbit Cell stays connected to a working internet router.
IF THE CUBBIT CELL IS DISCONNECTED, FOR ANY REASON, YOU WILL RECEIVE WITHIN 36 HOURS ONE OR MORE NOTIFICATIONS FROM OUR SWARM SUPPORT TEAM BUT YOUR FILES WILL CONTINUE TO BE ACCESSIBLE TO YOU FOR A LIMITED PERIOD OF 30 DAYS FROM THE DATE OF THE FIRST WARNING.
AT THE END OF THE 30 DAY PERIOD, WITHOUT THE CUBBIT CELL BEING RECONNECTED TO THE NETWORK AND WITHOUT THE USER HAVING CONTACTED THE SWARM SUPPORT TEAM, OPENING A TICKET, AND PROVIDING ADEQUATE REASONS, ALL YOU FILES STORED ON THE CUBBIT NETWORK WILL BE DELETED AND WILL NO LONGER BE ACCESSIBLE TO THE USER.
Your right of control and choice
The data subject has the right to obtain the following from the data controller:
- confirmation whether or not his personal data is being processed and, if so, to obtain access to them (right of access);
- the rectification of inaccurate personal data, or the integration of incomplete personal data (right of rectification);
- the deletion of the data, if one of the reasons provided for in Article 17 of the Regulation applies (right of deletion);
- to limit the processing of one's own personal data, in the presence of one of the reasons provided for in art. 18 of the Regulation (right of limitation);
- to receive personal data provided in a structured format, in common use and readable by automatic device, and to transmit them to another data controller (right to portability).
Any data subject has the right to withdraw his or her consent to the processing of his or her personal data (where such consent has been previously given), at any time, without prejudice to the lawfulness of the processing based on the consent given before the withdrawal.
In accordance with applicable law, if you wish to exercise such rights, please write to firstname.lastname@example.org. We may ask you to verify your identity.
We also remind you that pursuant to Art. 77 GDPR you have the right to lodge a complaint to the National Authority for the Protection of Personal Data (please find a list of the Data Protection Authorities here) or bring an action to the court if you consider that your rights have been infringed as a result of the processing of your personal data pursuant to Art. 79 GDPR.
However, in order to find a quick and friendly resolution of any issues related to the processing of personal data, please get in touch with us first and we will do our best to solve your issue.
We will inform you if such changes are made and, where required by applicable law, you will be asked for your consent.
The notice may be sent by email to the address you provided to us during registration, posting the notice of such changes on our site and on our application, in accordance with applicable law.