At Shibolet, we strongly believe in an internet where privacy is the default. This Shibolet Privacy Policy (“Policy”) outlines the personal information that Shibolet, Ltd. (“Shibolet”, “we", the “Company”, “us”, or “our”) gathers, how we use that personal information, and the options you have to access, correct, or delete such personal information.
Our overriding policy is to collect as little user information (personal data included) as possible to ensure a private user experience when using the Services.
Data collection is limited to the following:
2.1 Account creation: When you register for an account, we collect contact and billing information. Depending on subscription level, this contact information may include your Customer name, the email address(es) of your account administrator(s), telephone number, and addresses necessary to process payment and delivery of Services. In addition, when you use the Services, we collect information about how you configure your account and the Services (e.g., firewall settings for the domains you administer). We refer to all of this information collectively as “Customer Account Information” for the purposes of this Policy. Customer Account Information is required to enable your access to your account and Services. By providing us with any personal information, you represent that you are the owner of such personal information or otherwise have the requisite consent to provide it to us.
In order to pursue our legitimate interest of preventing the creation of accounts by spam bots or human spammers, we use a variety of human verification methods. Verification may also be requested for some sensitive operations besides account creation in order to protect against brute-force attacks. You may be asked to verify using either Captcha, email, or SMS. IP addresses, email addresses, and phone numbers provided are saved temporarily in order to send you a verification code and for anti-spam purposes. The period of temporary data retention is determined by our legitimate interests of protecting the service from spam, and also by any applicable legal requirements we must comply with. If this data is saved permanently, it is always saved as a cryptographic hash, which ensures that the raw values cannot be deciphered by us.
2.2 Account activity: The processing activities carried out by Shibolet for the operation of our different Services may vary depending on the Service. These activities are described in the specific Services Privacy Policies. We may use the data mentioned above and below to detect abusive and fraudulent use of our services, and take appropriate measures. The legal basis of this processing is our legitimate interest to protect our service against non-compliant or fraudulent activities.
2.3 IP logging: By default, we do not keep permanent IP logs in relation with your Account. However, IP logs may be kept temporarily to combat abuse and fraud, and your IP address may be retained permanently if you are engaged in activities that breach our Terms of Service (e.g. spamming, DDoS attacks against our infrastructure, brute force attacks).
2.4 Communicating with Shibolet: Your communications with us, such as support requests, bug reports, or feature requests may be saved by our staff. The legal basis for processing is our legitimate interest to troubleshoot more efficiently and improve the quality of our Services. The information you provide when you contact our support team is processed for analytics purposes (such as to obtain aggregate statistics), but we do not do any targeted advertising or any profiling.
2.5 Communications from Shibolet: We mainly use your email address for account-related questions, communication, and recovery. By signing up to our Service, you agree to receive communications from us, which may include promotional emails. You can stop receiving emails from us by following the unsubscribe instructions included in every email we send. Alternatively, you can login to the Shibolet dashboard and adjust your email preferences under the ‘Account’ tab.
2.6 Payment information: We rely on Stripe to process payments. Strictly necessary information is shared with Stripe for credit card transactions in order for the payment to be successful and associated with your account. Stripe does not have access to your email or your Shibolet account information. We rely on third parties to process credit card transactions and must therefore share payment information with them. We do not retain full credit card details, we only save your name and the last 4 digits of the credit card number. Anonymous cash or Bitcoin payments and donations are accepted. We may use your account data for payment-related matters, including but not limited to sending you emails, invoices, receipts, notices of delinquency, and alerts to update payment information. The legal basis of these processing activities is the necessity to the execution of the contract to provide the Services. In order to respect the principle of data minimisation, we reserve our right to remove payment information from our systems that is no longer valid, without notice.
To provide the Services, we rely on different data processors, which process different categories of data. Processors never store data outside of the scope of their specific purpose. Notably, they do not store data in relation with the general day-to-day use of your Account and Services, which is exclusively processed by the Company. Processors are as follow:
Stripe, Inc.
We will only disclose the limited user data we possess if we are legally obligated to do so by a binding request coming from the competent Swiss authorities. We may comply with electronically delivered notices only when they are delivered in full compliance with the requirements of Swiss law. Our general policy is to challenge requests whenever possible and where there are doubts as to the validity of the request or if there is a public interest in doing so. In such situations, we will not comply with the request until all legal or other remedies have been exhausted. Under Swiss law, subjects of judicial procedures have to be notified of such procedures, although such notification has to come from the authorities and not from the Company.
Within the limits of applicable law, the Company reserves the right to review and change this Privacy Policy at any time. As long as you are using the Services, you are responsible for regularly reviewing this Privacy Policy. Continued use of the Services after such changes are performed shall constitute your consent to it.