We adhere to a minimal collection policy to only collect what we absolutely need to deliver the service, and do not share data with others.
Data collection and use
On our external website (the SecureAppbox AB home page) we analyze visitor statistics that are not related to SecureAppbox accounts/users, such as what pages are most visited in order to improve usability and contents. These statistics do not track anything related to SecureAppbox accounts/users.
When you register as a user you are requested to provide us with personal data such as name, email address and phone number. This data is used purely to deliver the service to you, it is never shared with an external party. We may contact you in relation to delivering the service.
We temporarily log connection data for security analytics including the IP address to be able to for example detect an attacker causing many failed login attempts. These security connection logs are only available to the security team at SecureAppbox AB and are never shared.
Message metadata (i.e. meta data here is that user A sent a message to user B) is only available until the sender/receiver has deleted the message. Deleting the message also deletes the meta data. This meta data is only used to serve the correct message to the correct user and is never shared with anyone.
All data relating to the Service is stored encrypted on Amazon AWS servers in the EU. Messages are, if not separately agreed to, stored by default in Sweden. Organization accounts can select to change the storage location for where the encrypted messages are stored (please see the FAQ for information about regional storage). Messages are encrypted by SecureAppbox using strong symmetric AES encryption before storage (please see the FAQ for more details about encryption).
Messages are encrypted and not available to anyone except the sender and recipient. When a message is sent the recipient may, depending on his account settings, receive an email notification in his standard email about the message in SecureAppbox which may include the message subject. You can change your account settings so your notifications do not include the message subject or name of the sender; to avoid exposing it in normal unsecure email systems.
Disclosure and security
SecureAppbox AB will not lease, sell, or share personal data about you with other people or non-affiliated companies, but only deliver products or services you have required, except under the following circumstances, (i) SecureAppbox AB will share personal data if this is requested by a court of law or if it is necessary in order to respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims. (ii) SecureAppbox AB will share data in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of SecureAppbox AB Terms of Service (TOS), or as otherwise required by law. SecureAppbox AB limits access to your personal data to SecureAppbox AB employees or contractors under secrecy agreement and will use personal data only to provide the services to you or in order to do their jobs.
The general data protection regulation (GDPR), data controller and personal data assistant
In order to protect your personal data against unauthorized access, modification or destruction we store your personal data securely. Personal data here only relates to data such as your email address, name or phone number you submit when you sign up, and not the contents of messages or message attachments which are not available to SecureAppbox AB. We may for these purposes use another entity in order to fulfill our duties towards you as the controller of personal data. The entity we use is our personal data assistant. We have assured that the personal data assistant has in place the technical and organizational means to ensure security of your personal data. We will enter into a written agreement with the personal data assistant to ensure that all personnel follow the agreement and our instructions and that they at all times are informed of the GDPR. The personal data assistant may not process your personal data for any other purpose than to fulfill its duties according to this agreement. If you, an authority or a third party requests data from the personal data assistant regarding your personal data, such request shall be immediately forwarded to us. The personal data assistant may not surrender personal data or other information without our clear consent, unless required by mandatory law. Neither we nor the personal data assistant can access the content in messages you send, the data that may be surrendered is personal data such as name, email address and phone number and meta data.
Your rights to access and modify personal data
Your information is available to you in your account where you can see the data we have stored about you. You may also request information on any registered personally identifiable information about you.
Your information is available to you in your account where you can see the data we have stored about you and make corrections yourself. You may also contact us if you want to correct any entered or collected information about you.
Delete your account
You can at any time, without notice request a deletion of your account by, while logged in to your SecureMailbox account for identification purposes, sending a message to firstname.lastname@example.org with the request. Organizations are able to delete their own employee accounts themselves.
If this policy is updated SecureAppbox AB will send you a notification about the change. You can also at any time review the latest version at the SecureAppbox AB web site (https://www.securemailbox.com).
If you have any questions around the collection of personally identifiable information, you are welcome to contact us.
Customer Service, SecureAppbox AB, Engelbrektsgatan 7, 11432 Stockholm, Sweden or email@example.com.