ExaVault Privacy Policy

Last Updated: 30 June 2022

Thank you for visiting this web site of ExaVault, LLC (“we”, “our”, "ExaVault"). We recognize that your data is very personal and sensitive. This Privacy Policy explains our commitment to protecting your privacy, with regard to your use of ExaVault.com (the “Site”) and the ExaVault asset hosting service (the “Service”).

By using this Service, you accept privacy practices contained in this Privacy Policy. You are encouraged to regularly review this Privacy Policy to make sure you understand how any personal information you provide will be used.

Information We Collect

Information You Provide to Us

• Site Content: The actual contents of the files you upload to the Service.
• Registration and Billing Data: Names, addresses, phone numbers, email addresses, and sometimes payment information.
• Correspondence Data: Information you send to us via email, our contact form, our chat widget, or other means of correspondence.

Information We Automatically Collect When You Use the Site and/or Service

• Site Metadata: We collect metadata about your Site Content that is distinct from the actual content itself. Site Metadata includes file and folder names, modification dates, permissions, size information, history notification, usernames, group names, user and group settings, and site-wide settings. Site Metadata does not include passwords used by users to access the Service.
• Usage Data: While using the Service, we also collect usage information customarily logged by web and FTP server software, including the date and time of your visit, the originating IP address, the pages and files requested, and other similar types of information.
• Device Data: We also collect information from and about the devices you use to access the Site and Service. This includes things like the type of browser and device you use, the web page you visited before coming to our sites, and identifiers associated with your devices.
• Cookie and Other Tracking Data (aka “Cookie Data”): Use of the Service and certain Site features require support for cookies, small pieces of data that are stored on your computer’s hard drive and transmitted back to us with each web page request. A cookie simply identifies your browser to the Service or Site by assigning it a unique ID number.

How Information is Used

We treat different types of information differently, and have a legitimate use for each type of data. - Site Content is stored securely and may only be accessed by users on who have been given the appropriate permissions to that Site Content by someone with account administrators permissions on the account. We will not access this data for any purpose, except as provided herein. For GDPR purposes, we are processors of Site Content.

• Site Metadata is used by our software systems to provide the Service and account administrators have the option of displaying Site Metadata to users on the account. We may use aggregated information about Site Metadata for the purpose of operating and improving the Service. We advise naming your files such that the mere names of files or folders do not reveal confidential information.
• Usage Data and Device Data are used to help us understand how the Service and Site are being used; improve the Site and Service; ensure compliance with the Terms of Service; and, detect, investigate, and prevent fraud and abuse.
• Correspondence Data is used to communicate with you regarding any questions, comments, or concerns relating to the Site or Service.
• Registration and Billing Data is used for billing purposes and to notify you about important service-related notices, include feature updates.
• Cookie Data enables us to associate your session with your account, and provide certain features, such as ensuring your selected language and currency options are maintained. Email or newsletters that we send electronically may use techniques such as web beacons or pixel tags to gather email metrics and information to improve the reader’s experience, such as the number of emails that are opened, whether they were forwarded or printed, the type of device from which they were opened, and the locations (e.g. city, state, and county) associated with the applicable IP address. Please note that you do have the option to configure most web browsers to not accept cookies. However, be aware that disabling cookies may keep you from having access to some functions or services on our Site or with our Service. Because there is not yet a consensus of how to interpret web browser-based “Do Not Track” signals other than cookies, we do not currently respond to “Do Not Track” signals that are undefined.
• E-Mail addresses collected will be used to communicate with you regarding the Service. We communicate such things as announcements of new features, changes to Terms of Use/Privacy Policy, information about pricing changes or systems outages, and other Service-related announcements. You can cancel your participation in any of these email lists at any time by clicking the Unsubscribe link or other unsubscribe option that is included in the respective email. We only send emails to people who have authorized us to contact them, either directly, or through a third party. We do not send unsolicited commercial emails, because we hate spam as much as you do. By submitting your email address, you also agree to allow us to use your email address for custom audience targeting on sites like Facebook, where we display custom advertising to specific people who have opted-in to receive communications from us.
• Telephones numbers you provide to us may used to contact you with any troubleshooting or billing issues.

All of the above information may be used to undertake accounting and administrative tasks, or manage legal claims.

All information may be disclosed when legally required to do so, at the request of governmental authorities conducting an investigation, to verify or enforce compliance with the Terms of Use and policies governing the Service and applicable laws or to protect against misuse or unauthorized use of the Service.

If the ownership of all or substantially all of ExaVault, or individual business units associated with the Service, were to change, your user information may be transferred to the new owner so the service can continue operations. In any such transfer of information, your user information would remain subject to the promises made in this Privacy Policy. In the event of such transaction, we will alert paying customers of such change via e-mail, and provide an opportunity to cancel or change your Service.

Sharing of Data With Third Parties

We use Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses cookies and other methods to help us study usage patterns on the Service. Information generated from your use of the Service will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of preparing reports regarding aggregate use of the Service.

We use Help Scout, a customer support helpdesk service, to manage and track customer requests.

We use other third parties to facilitate our business, such as server hosting, file hosting, customer communication, usage tracking, and payment processing. In connection with these offerings and business operations, our service providers may have access to your information for use for a limited time in connection with these business activities. Where we utilize third parties for the processing or storing of any information, we have ensured that they will fully comply with this Privacy Policy.

Other parties such as advertising partners and analytics companies may also be collecting information about your online activity across various websites over time. The information collected by those third parties may include identifiers that allow those third parties to tailor the ads that they serve to your computer or other device.

If you visit the Site or login to the Service and use OpenID or OAuth (such as Facebook or Google), you may also be sharing and integrating data with third-party social media sites, and we may track aggregate data about the number of visits to this site with an open ID, the number of items “liked” on this site, or items on this site that you choose to share with a third-party social media site.

Third party retargeting networks may also use cookies to display our advertisements to you on other sites. You can opt-put of a third-party vendor’s use of cookies by visiting the Network Advertising Initiative opt-out page, or you may try opting out at the websites of industry groups such as the Digital Advertising Alliance, or if located in the European Union, the European Interactive Digital Advertising Alliance. You may also be able to control advertising cookies provided by publishers, for example Google’s Ad Preference Manager. Note that even if you choose to opt out of receiving targeted advertising, you may still receive advertising, although it should not be tailored to your interests or activities.

If you use the Google Sign-In Integration, then we will use your email address and profile data for purposes of authenticating and signing-in to the Service. If you use the Google Cloud integration, then you are granting us the ability to access, modify, read, and delete your files on Google Cloud for purposes of syncing and transferring them between Google Cloud and the Service.

We have a data processing agreement with any third parties that process personally identifiable information that we control.

Our Access To Your Site Content and Metadata

We have implemented controls designed to prevent our employees and contractors from accessing or using your data except for the limited purposes set forth in this Privacy Policy. We promise not to access your Site Content for any purpose, except as set forth herein or as required by law.

When filing an authenticated support ticket, your Site administrators have the option to grant our customer success engineers temporary access to "Site Content'. Additionally, customer success engineers have access to “Site Metadata”, which they will only access for the purpose of providing support upon request. These customer success engineers are all ExaVault employees (not contractors) located in the United States who have agreed to uphold this Privacy Policy. If they fail to preserve this confidence, they are subject to disciplinary action, including losing their job, and potential criminal prosecution.

We feel compelled to note that due to the nature of the job, our software developers and database and server administrators may have access to your Site Content while logged in directly to our application servers. These people are all employees (not contractors) located in the United States who have agreed to uphold this Privacy Policy and its promise to not access your Site Content. If they fail to preserve this confidence, they are subject to disciplinary action, including losing their job, and potential criminal prosecution. All access to our application servers by our employees is logged.

Security

We use a variety of technical and organizational safeguards to prevent unauthorized access of your data, including:

• Wherever possible, browsing sessions to the Service are secured with SSL, to prevent eavesdropping, tampering, and message forgery. If SSL is enabled, you will see a lock icon in your browser. Account administrators may choose whether to disable SSL or require SSL for your connections to the Service. We recommend always using SSL.
• Passwords are stored in a salted, encrypted format.
  

Data Retention

You may use the Service to freely delete any of your Site Content, and doing so will remove such content from our active servers immediately. If you have configured backup retention after deletion for your Site Content, backups may remain on our backup servers for the period of time that you or your account administrator has specified as the backup retention period.

All of your Site Content and Site Metadata will be deleted from our active and backup servers within 7 days when you cancel your account.

Because of our efforts to ensure Service availability, we maintain backup copies of all Site Metadata. As a result, residual copies of your Site Metadata may remain on backup media, backup servers, and disk snapshots for up to 30 days after deletion or account cancellation.

Registration and Billing Data, Correspondence Data, Cookie Data, Device Data, and Usage Data will respectively be deleted or anonymized upon termination of the Service (if applicable), and when we have no ongoing legitimate business need to process your information. We take reasonable steps to limit the minimize the volume of data we collect from you and the length of time we retain your data. You have the right to obtain our confirmation of whether we maintain personal information relating to you. Upon request, we will provide you with access to the personal information that we hold about you. You may also may correct, amend, or delete the personal information we hold about you. Your right to access your personal data may be restricted in exceptional circumstances or vary based on where you reside. If we determine that your access should be restricted in a particular instance, we will provide you with an explanation of our determination.

For people residing in the EU, the GDPR provides certain rights. You may decline to share certain information with us, in which case we may not be able to provide some of the features and functionality of the Site and Service. These rights include, in accordance with applicable law, the right to object to or request the restriction of processing of your information, and to request access to, rectification, erasure and portability of your own information. Where we process your information on the basis of your consent, you have the right to withdraw that consent (noting that such withdrawal does not affect the lawfulness of any processing performed prior to the date on which we receive notice of such withdrawal, and does not prevent the processing of your personal information in reliance upon any other available legal bases). Requests should be submitted by contacting us using the contact details below. If you are within the EU and have any unresolved privacy concern that we have not addressed satisfactorily after contacting us, you have the right to contact the appropriate EU Supervisory Authority and lodge a complaint.

Minors

The Service and Site are not intended for use by children, especially those under 13. We do not knowingly collect personally identifiable information from children under 18 years of age. If your minor child has provided us with personally identifiable information, you may reach us using the contact information below if you want this information deleted from our records.

California Privacy Notice

If you live in the State of California, under the California Civil Code, you have the right to request that companies who conduct business in California provide you with a list of all third parties to which the company has disclosed Personal Information during the preceding year for direct marketing purposes.

Alternatively, the law provides that if a company has a Privacy Policy that gives either an opt-out (often referred to as “unsubscribe”) or opt-in choice for use of your Personal Information by third parties (such as advertisers or affiliated companies) for marketing purposes, that the company may instead provide you with information on how to exercise your disclosure choice options. This Site qualifies for the alternative option; it has a comprehensive Privacy Policy and provides you with details on how you may either opt-out or opt-in to the use of your Personal Information by third parties for direct marketing purposes. Therefore, we are not required to maintain or disclose a list of the third parties that received your Personal Information for marketing purposes during the preceding year.

If you are a California resident and want to request information about how to exercise your third party disclosure choices, you must send a request using the online contact form listed herein.

All requests must be labeled “Your California Privacy Rights” on the subject of the actual request. For all requests, please include your name, street address, city, state, and zip code. Please include your zip code for our own record-keeping. Requests that are improperly labeled or that are missing the required information will not be processed.

U.S.-EU Data Privacy Shield Framework

ExaVault complies with the EU-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries. ExaVault has certified that it adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. If there is any conflict between the policies in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/

Our Privacy Shield commitment applies to the following types of data collected: “Site Content”, “Site Metadata”, and “Registration and Billing Data”. Under Privacy Shield, you have a right to remove, access, or correct this data. See Paragraph 6 of this Policy to learn how to remove your data. If ExaVault transfers personal information received under the Privacy Shield to a third party, the third party's access, use, and disclosure of the personal data must also be in compliance with ExaVault's Privacy Shield obligations, and ExaVault will remain liable under the Privacy Shield for any failure to do so by the third party unless ExaVault proves it is not responsible for the event giving rise to the damage.

In compliance with the EU-US Privacy Shield Principles, ExaVault commits to resolve complaints about your privacy and our collection or use of your personal information. European Union individuals with inquiries or complaints regarding this Privacy Policy should first contact ExaVault at the address, email, telephone, or website listed below. ExaVault is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). ExaVault may be required to disclose personal information that it handles under the Privacy Shield in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

ExaVault has further committed to refer unresolved privacy complaints under the EU-US Privacy Shield Principles to BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint. Please note that if your complaint is not resolved through these channels, under limited circumstances, a binding arbitration option may be available before a Privacy Shield Panel.

Other Provisions

Your use of the Service is governed by a Terms of Service, and potentially additional documents (e.g. a BAA or DPA) which will prevail in the event of a conflict with this document, except with respect to EU-US Privacy Shield, GDPR provisions, or other applicable legal requirements.

This Privacy Policy does not describe information collection practices on other third party sites, including those linked to or from the Site. We do not control and are not liable for actions of any third parties who we may promote and/or link to from this Site.

We take reasonable steps to ensure that your personally identifiable that we control is limited to that which is reasonably necessary in connection with the purposes set out in this Privacy Policy or as required to provide you services or access to the Site or Service.

You agree that by submitting your telephone contact information on this web site and/or registering to receive the Service offered herein, such act constitutes a purchase, an inquiry, and/or an application for the purposes of the Amended Telemarketing Sales Rule (ATSR), 16 CFR ‘310 et seq. and any applicable state and local “do not call” regulations. We retain the right to contact you via telemarketing in accordance with the ATSR and the applicable state regulations.

For additional information about our commitment to GDPR, you can visit our site.

Contact Us

ExaVault regularly reviews its compliance with this policy. Questions regarding the Privacy Policy or privacy-related requests should be sent by e-mail to us using our online contact form. Alternatively, you may call us at +1(510) 500-0245 or write to us at ExaVault, ATTN: Privacy Policy, 222 S Mill Ave, Suite 800, Tempe, AZ 85281, United States.

Our Data Protection Officer may be contacted at dpo@exavault.com.

Changes to this Privacy Policy

ExaVault reserves the right to change this Privacy Policy at any time by posting a new Privacy Policy at this location and alerting ExaVault paying customers of such change via E-Mail. Any change(s) to this Privacy Policy will take effect within thirty (30) days after such changes have been posted. Your continued use of the Service following such changes will indicate your acceptance of those changes.

This document was last updated according to the date at the top of this page.