Privacy Policy

Effective: 6 May 2019

This Privacy Policy describes our commitment to protect your privacy and personal data.

Definitions

  • Encrypted Content: Your Epi application data, notably Epi lists, and links in those lists.
  • Team: An organisational unit in Epi Teams.
  • IP Address: Internet Protocol address.

Data controllers and data processors

Epi services are provided by Epi Technologies Limited (company number: 11877933; address: 130 Old Street, London, United Kingdom EC1V 9BD) (Epi), a company registered under the laws of the United Kingdom.

Personal: If you have a personal Epi user account, or if you correspond with us individually, we will be your data controller under EU law.

Teams: If your account is part of a Team, or you receive an Epi link from a user who is part of a Team, some decisions about your personal data will be made by the organisation that owns the Team. In these cases, that organisation is your data controller, and Epi is your data processor, acting upon the instructions of that organisation.

We may outsource some of our activities to third parties (data processors), who may also use your personal data when acting on our behalf. You can see our third party processors here.

Our legal basis for processing

We only collect and process personal information where:

  • It is Necessary in order to provide you with services.
  • It satisfies a Legitimate Interest (which is not overridden by your data protection interests).
  • You give us Consent to do so for a specific purpose.
  • We need it to comply with a Legal Obligation.

Data collection

Data that you provide

When you visit our website. Our servers automatically log your IP address, browser information, and page interactions when you visit our website. We and our partners may also use cookies and other information gathering technologies. These technologies may provide us with personal data, information about devices and networks you utilize to access our website, and other information regarding your interactions with our website. For detailed information about the use of cookies on the website, please read and review our Cookie Policy.

When you register. During registration you submit some identification and contact data. This data is necessary for the provision of our services.

When you subscribe to our mailing list. When you subscribe to our mailing list (which you can do in some cases without registering for an Epi account) you submit some identification and contact data.

When you choose a paid plan. When you upgrade to a paid Epi plan, you provide your address, billing, and payment information. Payment information is collected via our payment processor. This data is necessary to provide you with paid Epi services.

When you use your account. During usage of your account, you also give us access to certain information (such as the name and the permission history of your Encrypted Content) that is necessary for the provision and maintenance of your user account. You may also provide additional personal data (such as a photo).

When you invite or are invited by another user. In order to send and deliver invitations, Epi collects some identification and contact data about the invitee.

When you contact us. You may decide to share other data, including personal data, with us when you contact our Support or Sales Teams, submit forms on our website, or otherwise communicate with us. It is solely your decision to share any data with us during such communications (such as log files or screenshots), so our processing of such data will be based on your consent.

When you use Epi apps. When you use Epi apps, we automatically collect some data for telemetry purposes. This includes your IP address and activity within the app.

Data that others provide about you

Other Epi users. Other users may provide information about you when they use our service.

Our advertising partners. With your consent, our third-party advertising partners may give us information about your engagement with online advertisements that we place. If you want to learn more, please see our Cookie Policy.

Data usage

We may process your personal data for several purposes.

Services (Necessary | Legitimate Interest). We will use your personal data, such as registration and account information, for the provision and maintenance of your user account, for authentication purposes, and for providing the Epi service to you and to other registered Epi users.

Announcements (Necessary | Legitimate Interest). We will send you necessary technical notices, legal notices, security alerts, support, and administrative announcements.

Communications (Necessary | Legitimate Interest | Consent). Our service enables communications between you and others, in particular sending and delivering invitations, and sharing of application content.

Billing (Necessary | Legitimate Interest). We will process your registration and billing information for billing purposes, i.e. to complete transactions, and send you related information, including purchase confirmations and invoices.

Development (Legitimate Interest). We may use data that we collect from you to help us understand and improve the quality of our website and services. We may also test new features with some users before rolling the feature out to all users.

Marketing (Legitimate Interest | Consent). With your consent, we may use your email address to send you marketing communications. We may use your personal data to personalize the content and experience you receive on our services or in our marketing communications. We may use your personal data when displaying Epi ads on other companies’ websites and applications.

Security (Legitimate Interest | Legal Obligation). We may use information that we collect from you to monitor suspicious activity on our website or services, or to identify violations of our Terms of Service.

Protecting our legitimate interests and legal rights (Legitimate Interest | Legal Obligation). Where required by law or where we believe it is necessary to protect our legal rights, interests and the interests of others, we may use personal data in connection with legal claims, compliance, regulatory, and audit functions, or disclosures related to the acquisition, merger or sale of a business.

Telemetry (Legitimate Interest). We use in-house telemetry to allow us to better understand the functionality of our apps on your device. This software may record information such as how often you use the apps, events within the apps, and aggregated usage and performance data. We use differential privacy techniques to aggregate these insights, so such insights do not identify you.

Customer Support (Legitimate Interest | Consent). We may use personal data that you send us to resolve your customer support enquiries.

Other purposes (Legitimate Interest | Consent). We may also process your data (in accordance with applicable law) for any other purposes where you give us your consent.

Data sharing

Complying with legal requirements. We may share personal data if the applicable legal provisions so require, or when such action is necessary to comply with any laws, including to meet national security or law enforcement requirements. We may also need to share personal data for the protection of our rights and interests, to protect your safety or the safety of others or to investigate fraud, in accordance with applicable laws.

Third-party service providers. We may share personal data with our third-party providers for certain operations in accordance with this policy. We will never sell your personal data to third parties.

Sharing Epi content. When you share content with others using our service (for example, when you work with a Team), your personal data may be shared with them.

Receiving Epi content. When another Epi user shares content with you, certain aspects of your activity (e.g. your acceptance of the content, or your downloading of it) may be disclosed to the other party.

Team administrators. If your account is part of a Team, the relevant administrator(s) may be able to view certain information about your interactions with that Team. Such information may include your email and activity. If you have any questions about this, please refer to that Team’s policies.

Acquisition or bankruptcy. If we or our assets are acquired, or in the unlikely event that we go out of business or enter bankruptcy, we would include data among the assets transferred to any parties who acquire us. Any parties who acquire us may continue to use your personal information according to this policy.

Testimonials. We may post testimonials on our website that may contain personal data. We obtain your consent to post your name along with your testimonial. If you wish to update or delete your testimonial, you can contact us.

Invitations. If you invite someone to join Epi, we will automatically send them an email inviting them to join our service. We will store the relevant personal information for the purpose of sending this initial email, and tracking the progress of the invitation. We will only contact them once, unless you explicitly re-send an invitation through Epi. Your invitee may contact us to request that we remove their information from our database.

Data transfers

We may transfer your personal data to countries outside of the EU. All such personal data transfers are done in accordance with applicable laws.

Data protection

How we protect your data.

Encryption. We protect your Encrypted Content with client-side end-to-end encryption. We protect data in transit with Transport Layer Security (TLS). We protect data at rest with server-side encryption. The Encrypted Content can only be accessed by you, by people who you explicitly share it with, and by your Team administrators. According to current public knowledge of end-to-end encryption, Epi cannot access the Encrypted Content, and so cannot use it to identify individuals.

Access control. We take appropriate technical measures to ensure that only authorized Epi users can access their respective account and Encrypted Content. We take appropriate technical and organizational measures to ensure that only authorized personnel can access our systems.

Data minimization. We only collect the minimum amount of data necessary. We never collect or store your Epi data, encryption keys, or passwords in an unencrypted form. We use differential privacy techniques to aggregate insights in a non-identifying way.

Backups. We take appropriate technical backup measures to protect your data against accidental loss.

Third party processors. When we transfer your personal data to our third party processors, they will protect it using their own techniques.

Data retention

Your Personal Data

Personal. We will retain your personal data as long as it is needed to fulfill the purposes specified in this policy, unless a longer retention period is required or permitted by law.

Teams. If we hold your personal data on behalf of your organisation, we will retain such personal data in accordance with the terms and conditions of our data processing agreement with them, subject to applicable law.

When we have no ongoing legitimate business need to process your personal data, we will either delete or anonymize it as soon as it is technically possible.

Your Encrypted Content

As a registered user, you can access, edit or delete your Encrypted Content on the service. Once you initiate deletion, your Encrypted Content will also be automatically deleted within 7 days. After this date, your Encrypted Content will be destroyed in an unrecoverable way, and will not be available again to anyone, including you.

When you share all or a part of your Encrypted Content through our service with someone else, such content goes out of your control and remains accessible by that person to the extent you granted them access, even if you delete or remove your Encrypted Content in future. Please pay special attention to whom you share your Encrypted Content with.

Your rights

Right to information. You have the right to request details of the personal information that we hold about you.

Right to access. You have the right to request access to the personal data that we hold about you.

Right to data portability. You have the right to request your personal data in a machine-readable format, and send it to another data controller.

Right to correct. You have the right to request that we correct incorrect, inaccurate or incomplete personal data that we hold about you.

Right to erasure. You have the right to request that we erase your personal data where it is no longer necessary for the purposes for which it was originally collected, or if continued processing of it would be unlawful. (Please note that we may need to retain certain information for record keeping purposes, security purposes, or to comply with legal obligations.)

Right to object. You have the right to request that we stop processing your personal data in certain circumstances.

Right to restrict. You have the right to request the restriction of the processing of your personal data in certain circumstances.

If you would like to exercise your rights, please contact us. We will respond to your request within 30 days. We will consider your request in accordance with applicable laws. If we have grounds to decline your request, we will email you with our reasons for doing so. To protect your privacy and security, we may ask you to verify your identity before complying with the request. You also have the right to contact a regulatory body or data protection authority about your request.

Please note that if your account is part of a Team, we will not independently respond to your request without your organisation’s prior written consent, except where required by applicable law.

Third party content

Our website may embed or link to the websites or services of third parties. This policy does not extend to those third parties, so please refer to their privacy policies.

Policy updates

We reserve the right to update this policy at any time. Please periodically review this policy to see the updates.

Your continued use of our website and services constitutes your agreement to be bound by such updates to this policy. If you do not accept the terms of this policy, your only recourse is to discontinue use of our website and services.