Last Revised: February 7, 2014 (view archived versions)
The TRUSTe program review covers our collection, use and disclosure of information we collect through our website, www.personal.com, our mobile applications, platform, and the Personal Service and does not cover any information that may be collected through downloadable software you may encounter through the use of the Personal Service. The use of information collected through the Personal Service shall be limited to the purpose of providing the requested service to Owners.
“Personal information” uniquely identifies a visitor or Owner or otherwise contains personally identifiable information provided by or obtained from visitors or Owners. “Non-personal information” does not, by itself, identify a visitor or Owner as a specific individual. Rather, non-personal information provides technical data, such as an IP address and browser information that may provide information about your computer or your interaction with Personal.
Personal only collects non-personal information from visitors, including how you got to Personal, so visitors can remain generally anonymous to Personal.
To register, you must provide a username and email address. You use your username to log in. We may also collect certain non-personal information, such as an IP address or whether an Owner registers through the web or our native mobile app.
We may use this information to: deliver, administer and improve the Personal Service; provide customer service; improve and personalize your experience; better understand your needs and interests; fulfill requests you make; deliver special announcements and updates about the Personal Service; and contact you about any of the above as well as any changes to or notifications regarding your account. You may choose to stop receiving our newsletter or marketing emails by following the included “unsubscribe” instructions or you can contact us at privacy [at] personal [dot] com. You can also manage receipt of these emails and those regarding Data sharing and imports within your account on mobile (see “Settings”) or web (see “Account”).
We collect country-specific information derived from your IP address. We only use this information at an aggregate, generalized level. Other than that, we don’t ask you for, access or track any location-based information from your mobile device at any time while using the Personal Service or native mobile apps without your express permission.
Personal may collect non-personal information during your visit to the website or mobile site through our automatic data collection tools, which may include the use of “cookies” and other commonly used technologies.
Our web pages contain electronic images known as web beacons (sometimes called single-pixel gifs) and are used along with cookies to compile aggregated statistics to analyze how our site is used and may be used in some of our emails to let us know which emails and links have been opened by recipients. This allows us to gauge the effectiveness of our customer communications and marketing campaigns.
We or our service providers may use local shared objects, also known as Flash cookies, on public areas of the site, such as the blog, to store your preferences, display content based upon what you view on our site to personalize your visit, or collect and store usage information (not your Data from your Data Vault) to help us improve the Personal Service. Flash cookies are different from browser cookies because of the amount of, type of, and how data is stored. Cookie management tools provided by your browser will not remove Flash cookies. To learn how to manage privacy and storage settings for Flash cookies click here.
Yes. No one under 13 is allowed to register for the Personal Service. If we become aware that a person under 13 has registered, we will delete the account in accordance with the law.
Personal is globally available, but your use is subject to U.S. law. All visitors and Owners, including without limitation individuals in the European Union, acknowledge and hereby unambiguously consent to the collection and processing of such information in and transfer of it to the United States. You may not use the Personal Service if you do not agree to such transfer to, collection, and processing of your personal information in the United States.
If we post such testimonials, we will obtain your consent beforehand. If you change your mind later, you can contact us at privacy [at] personal [dot] com to request removal.
Yes. We’ll ask you for the person’s email address for the sole purpose of sending an invitation.
You do, just as our Owner Data Agreement says. Personal doesn’t collect or use your Data for any purpose other than to enable you to store, manage and choose how to use it through the Personal Service. And, you can always update your account information or permanently delete your account through your account setting options.
You do. We will never sell your Data, and we will only grant access to it with your explicit request. And we won’t otherwise grant any third party access to it except in limited circumstances, such as to comply with our legal obligations, resolve disputes, and enforce our agreements.
You may receive access to the Personal Service through a partner, such as a company or an organization. In some cases, you will already be a customer or member of that partner. In others, using Personal will help you register for that partner’s site.
While you (and never Personal) will always be able to choose whether to share Data from your Data Vault with a partner, please be aware that you may have a separate data relationship with the partner by virtue of being an existing customer or member of that organization. This could mean, for example, that the partner may already have information about you in their database or Data you share may be added to their systems. With respect to that information, you will be subject to the partner’s own data and privacy policies, and the partner may retain a copy of your Data in their database even if you choose to stop the partner’s ongoing access to it in your Data Vault.
In addition, we may share with partners aggregate level data about general usage of the Personal Service, including for co-branded products and services, such as registrations, logins, sharing, amount and general categories of Data created or imported, form-filling (such as numbers and categories of forms submitted and abandoned and commonly used data fields across categories), and other activities on our platform, as well as performance of joint marketing campaigns.
Personal provides APIs that allow third parties to request your Data from you. To ensure delivery only to parties with whom you’ve chosen to share it, Personal maintains permissions for your Data in the platform. Personal also uses third-party APIs to help you import your information from other sites into your Data Vault. This action is always initiated by you. At the point you initiate, you are authenticating against the third-party service so they know where you are and you know they’re exporting the Data you requested.
Other than sharing with our trusted service providers, we will only be in a position to disclose Data from your Data Vault in the following limited circumstances relating to abuse or misuse of the Personal Service or legal process. Even so, because we can’t access your sensitive Data (including any of your files), all of which is encrypted, we wouldn’t be able to share it under any circumstances.
(1) If Personal believes you’ve misused or abused the Personal Service or the Data of any Owner or visitor, or attempted to interfere with or harm the Personal Service, we will investigate and cooperate with appropriate law enforcement, including, if necessary or appropriate, by disclosing your name, registration information or IP address and any other relevant information, to protect our rights or property, or those of our visitors, Owners, partners, and others. We will cooperate fully with any legal process or criminal investigation into the misuse or abuse of the Personal Service.
(2) We may disclose as required by law to comply with a subpoena or similar legal process or government request, or when we believe in good faith that disclosure is legally required or otherwise necessary to protect our rights and property, or the rights, property or safety of our visitors, Owners or others.
Where your personal information has been requested by any governmental entity or other third party pursuant to subpoena or similar legal process, we will notify you as quickly as practicable before providing any such information, unless we are legally prohibited from doing so or we believe in good faith that disclosure is or may be necessary to protect life, avoid serious physical injury or property loss or damage, or to prevent or investigate an ongoing crime.
Where we disclose Data from your Data Vault under the above circumstances, we would only be able to produce limited information. Your sensitive Data (including all files) are encrypted, and, because we don’t store your password, we could only produce encrypted (and thus unreadable) material. Your non-sensitive Data is not encrypted, and we would be able to produce it. In addition, we would be able to disclose certain usage information about your account, such as logins and sharing history.
If Personal is involved in a merger, acquisition, sale, reorganization or liquidation or other disposition of all or a substantial portion of its assets, you will be notified via email and/or a prominent notice on our website of any change in ownership and choices you can make about your personal information. You can always choose to export and delete your Data from the Personal Service.
Personal applies filters to our entire platform to ensure your Data is never recorded in our logs, including our crash logs. This means that, after you’ve decided to delete your Data, it will be eliminated following the first backup rotation.
Personal will retain your account information and Data on your behalf as long as needed to provide you with the Personal Service and comply as necessary with our legal obligations, resolve disputes, and enforce our agreements.
In addition to privacy, security is built into your Data Vault and our platform, and we’re constantly working to improve it. It starts with the fact that we don’t store your password to your Data Vault. Only you know it, which means only you can unlock it and your encrypted Data (specifically, your sensitive Data and all your files). For extra protection, your password is hashed using bcrypt with salting and stretching.
Your sensitive Data and all your files are encrypted at rest using 256-bit AES encryption and RSA 2048 asymmetric key encryption - the same algorithms relied on by the U.S. military, the U.S. government, and banks.
We use Secure Socket Layer encryption using secure cookies with HTTPS to protect all your Data (whether sensitive or non-sensitive and all your files) in transit to our servers, meaning from browser to server, such as when you access your information or grant access to it to others. All pages and APIs involving the exchange of passwords or Data are safeguarded this way. We also enable forward secrecy in most browsers for additional protection. Please note that Personal can’t guarantee your ISP is not tracking your visits to Personal and other sites.
Your Data Vault is housed in a secure data center, which has 24/7 physical and biometric protections, firewalls, intrusion detection systems, and an array of other technological safeguards, and holds a number of certifications, including SSAE16 Type II SOC 1, SOC 2 and SOC 3 Reports, is Safe Harbor certified, and is PCI compliant.
Nevertheless, no method of transmission over the Internet or electronic storage is 100% secure. Therefore, we can’t guarantee absolute security. If we discover a security incident that compromises your sensitive personal information, we will let you know about it, in accordance with applicable law. Please notify us immediately of any suspected or unauthorized use of your password or account or any other such incident at firstname.lastname@example.org.
If you forget your password and need to reset it, your sensitive data will be deleted. This is done for your protection. Non-sensitive data that isn’t encrypted will be unaffected.
We support the principle behind the California “Shine the Light” law, CA Civil Code § 1798.83, which gives consumers the right to know about certain personal information shared with third parties. We will never do that without your express permission. Moreso, you always choose the Data, if any, you’d like to share, so our platform actually gives you more protection and control than the law requires.
We welcome your questions and feedback and will work to improve our practices based on useful input we receive. Please contact us at privacy [at] personal [dot] com or via mail at:
Attn: Legal Department
1010 Wisconsin Ave., N.W.
Washington, DC 20007
PLEASE DO NOT SEND ANY SENSITIVE INFORMATION TO US VIA UNENCRYPTED EMAIL. Also, please note that we’ll need to verify and authenticate any emailed requests for access or changes to your personal or account information.