Who can I contact?

Filen Cloud Dienste UG (haftungsbeschränkt)
Breite Str. 27
45657 Recklinghausen
Germany

Phone: +49 02361 8491926
E-mail: support@filen.io

You can also contact our data protection coordinator using these contact details. If you have specific questions about your data, data deletion or your rights, you can contact our data protection coordinator directly via our support panel: https://filen.io/support. If you would like to submit a written request, simply include "Privacy Policy" in the subject line.

We are also GDPR compliant. The company's designated representative in the European Union (in particular for the purposes of Article 27 GDPR) is Filen Cloud Dienste UG (haftungsbeschränkt), Breite Str. 45657 Recklinghausen, Germany.

Important

We secure all data on servers hosted in Germany. No data is stored by us in third countries, except in the cases mentioned below by payment providers (payment).

Your data

When you upload a file, it is already encrypted on your device, so we do not know if it belongs to you or another person, if it refers to a company or other organization, or what it contains. We also create and store encrypted thumbnails of images, videos, and certain other file types. We collect a small amount of metadata about the file type, but it does not reveal anything about the content or information the file contains.

We collect your files because we need them to provide our encrypted cloud storage and collaboration services, which you have contracted for by agreeing to our terms.

All your files remain encrypted at all times while they are on our system. They will never be received, stored or otherwise processed by us in unencrypted form, as decryption will only occur on your device or that of another user to whom you have provided the file/folder links and keys that are created when you grant them access.

We will retain your files for as long as you are subscribed to our Services, but subject to our rights to suspend and terminate as set forth in our Terms of Service. You must keep copies/backups of your files. We do not guarantee that there will be no data loss or that the Services will be error-free.
You should download your files before you stop using our Services.
If you forget your password, you will lose access to all your files unless you have exported a recovery key. (https://drive.filen.io/#/account/security "Export master keys").

If you delete any of your files, it will be made inaccessible, marked for deletion, and removed at the next appropriate file cleanup, subject to retention as expressly permitted in this Policy or our Terms of Use. Upon account deletion, all of your files will be marked for deletion and removed at the next appropriate file cleanup, subject to any retention expressly permitted under this Policy or our Terms of Use.

We may, but are not obligated to, retain your files after your account is suspended or terminated. In particular, we may, but are not obligated to, retain your files if we need to do so for evidentiary purposes in connection with a violation of our Cookie Policy or our Terms of Use, or in light of ongoing or anticipated action by a competent law enforcement agency authorized by law.

What are my rights?

If you have any questions about your data protection rights or would like to exercise any of the following rights, you can contact us at any time:

1. Right of access according to Art. 15 GDPR (for example, if you would like to know what data we are storing about you, you can contact us).
2. Deletion according to Art. 17 GDPR (for example, you can contact us if you want certain data we have stored about you to be deleted)
3. Right of withdrawal according to Art. 7(3) GDPR (e.g. if you want to withdraw a given consent for email notifications, you can contact us).
4. Correction according to Art. 16 GDPR (e.g. in your customer dashboard you can independently correct or change your information at any time. If you need help, for example to change or replace an email address, you can contact us).
5. Restriction of processing according to Art. 18 GDPR (e.g. if you do not want to have your e-mail address deleted, but only use it to send certain e-mails, you can contact us).
6. Objection according to Art. 21 GDPR (e.g. if you do not agree with the analysis procedures mentioned in the privacy policy, please contact us).
7. Pursuant to GDPR Art 77 (1) right to lodge a complaint with a competent supervisory authority (e.g., in the event of a complaint, you can also contact the data protection supervisory authority directly).

Storage period and deletion of data

Unless otherwise specified, we delete data upon your notification or when the data is no longer needed for contractual purposes (no ongoing subscription, except for lifetime options) (e.g. e-mail address upon deletion of a user account). Your data will also be deleted after the legal retention periods have expired, unless, there is a need for further storage for the conclusion or fulfillment of a contract. For legal reasons, we may have to keep certain data longer. You can, of course, request information about stored data at any time.

Data Up and Download

Filen offers the ability to upload and store text files, documents, images, videos and other digital content to or from our servers via AES 256-bit end-to-end encryption. Strict internal privacy processes and security requirements govern and ensure that this digital content is not accessible to anyone (AES 256-bit end-to-end encryption allows only the account owner to see the data, as it is not readable or accessible to us). We never share this (encrypted) content with third parties unless required by applicable German law.

Cookies

Our Internet pages use so-called "cookies". Cookies are small data packets and do not cause any damage to your end device. They are stored either temporarily for the duration of a session (session cookies) or permanently (permanent cookies) on your end device. Session cookies are automatically deleted at the end of your visit. Permanent cookies remain stored on your end device until you delete them yourself or until they are automatically deleted by your web browser.

Cookies have various functions. Many cookies are technically necessary, as certain website functions would not work without them (e.g. not having to log in again after each session restart). Other cookies are used to evaluate user behavior (in our case with Plausible Analytics) or to display advertising, if necessary.

Cookies that are necessary to carry out the electronic communication process, to provide certain functions that you have requested (e.g., as mentioned above, not having to log in again and again on our website https://filen.io/) or to optimize the website (e.g., cookies for measuring the web audience and processing by Plausile Analytics, which is self-hosted in Germany) (necessary cookies) are stored on the basis of Art. 6 (1) lit. f GDPR, unless another legal basis is specified. The website operator has a legitimate interest in storing necessary cookies for the technically error-free and optimized provision of its services. If consent to the storage of cookies and comparable recognition technologies has been requested, the processing will be based solely on this consent (Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG); the consent can be revoked at any time (simply delete the cookies for https://filen.io in the browser settings and reload the page and select your preference again).

You can set your browser so that you are informed about the setting of cookies and allow cookies only in individual cases, exclude the acceptance of cookies for certain cases or in general, as well as activate the automatic deletion of cookies when closing the browser. If cookies are deactivated, the functionality of this website may be limited.

Insofar as cookies are used by third-party companies or for analysis purposes, we will inform you separately about this within the framework of this data protection declaration and, if necessary, request your consent.

Anonymity

If you have not submitted any personal data to Filen (https://filen.io) (e.g. for an optional invoice for purchased subscriptions), it is not possible for anyone to obtain such information. Only by law or by a court order could a conditional revocation of your anonymity be enforced. In such a case, we will have to transfer the payment process for the concerned Filen user account to the legitimate authority authorized by law.

If we become aware of any misuse of our service ((https://filen.io )(Filen) (Filen Cloud Dienste UG)), we will actively contribute to the investigation. (e.g. the distribution of illegal content under German and European law, or protected content that is protected by copyright and we accordingly receive a request from the rightful owner or authority).

Payment

PayPal

We use the online payment service PayPal on our website. The service provider is the American company PayPal Inc. The company PayPal Europe (S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg) is responsible for the European region.

PayPal also processes data from you in the USA, among other places. We would like to point out that according to the opinion of the European Court of Justice, there is currently no adequate level of protection for the transfer of data to the USA. This may be associated with various risks for the legality and security of the data processing.

As a basis for data processing at recipients located in third countries (outside the European Union, Iceland, Liechtenstein, Norway, thus especially in the USA) or a data transfer there, PayPal uses so-called standard contractual clauses (= Art. 46. para. 2 and 3 DSGVO). Standard Contractual Clauses (SCC) are templates provided by the EU Commission and are intended to ensure that your data comply with European data protection standards even if they are transferred to third countries (such as the USA) and stored there. Through these clauses, PayPal undertakes to comply with the European level of data protection when processing your relevant data, even if the data is stored, processed and managed in the USA. These clauses are based on an implementing decision of the EU Commission. You can find the decision and the corresponding standard contractual clauses here, among other places: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de

For more information on the standard contractual clauses and on the data processed through the use of PayPal, please see the privacy policy at https://www.paypal.com webapps/mpp/ua/privacy-full.

Stripe

If you choose a payment method offered via the payment service provider "Stripe", the payment processing will be carried out via Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland, to whom we will pass on your information provided during the ordering process together with the information about your order (name, address, account number, bank code, possibly credit card number, invoice amount, currency and transaction number) in accordance with Art. 6 (1) lit. b GDPR. Your data will only be passed on for the purpose of processing payments with Stripe Payments Europe Ltd. and only to the extent necessary for this purpose. You can find more information on the data protection of "Stripe" at the following Internet address: https://stripe.com/de/privacy#translation.

Stripe acts as a processor in order to be able to complete transactions within the payment networks. Within the scope of the order processing relationship, Stripe acts exclusively according to our instructions and has been contractually obligated within the meaning of Art. 28 GDPR to comply with the provisions of data protection law.

Stripe has implemented compliance measures for international data transfers. These apply to all global activities where Stripe processes personal data of individuals in the EU. These measures are based on the EU Standard Contractual Clauses (SCCs).

For more information on opt-out and redress options against Stripe, please visit: https://stripe.com/privacy-center/legal

Coinbase

We use the payment provider Coinbase on our website. The service provider is the American company Coinbase Inc. The Irish company Coinbase Europe Limited (70 Sir John Rogerson's Quay, Dublin D02 R296, Ireland) is responsible.

Coinbase also processes data from you in the USA, among other places. We would like to point out that according to the opinion of the European Court of Justice, there is currently no adequate level of protection for the transfer of data to the USA. This may be associated with various risks to the lawfulness and security of data processing.

As a basis for data processing with recipients located in third countries (outside the European Union, Iceland, Liechtenstein, Norway, i.e. in particular in the USA) or a data transfer there, Coinbase uses so-called standard contractual clauses (e Art. 46. para. 2 and 3 GDPR). Standard Contractual Clauses (SCC) are templates provided by the EU Commission and are intended to ensure that your data complies with European data protection standards even if it is transferred to third countries (such as the USA) and stored there. Through these clauses, Coinbase undertakes to comply with the European level of data protection when processing your relevant data, even if the data is stored, processed and managed in the US. These clauses are based on an implementing decision of the EU Commission.

You can find the decision and the corresponding standard contractual clauses here, among other places: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de

You can learn more about the standard contractual clauses and the data processed through the use of Coinbase in the Privacy Policy on https://www.coinbase.com/de/legal/user_agreement/ireland_europe.

Plausible analytics

We use the web analytics service "Plausible Analytics" to continuously optimize our offer, both technically and in terms of content. Plausible is a trademark of Plausible Insights OÜ, Västriku tn 2, 50403, Tartu, Estonia, Registration number 14709274, hereinafter referred to as "Plausible". Plausible Insights OÜ is fully compliant with the GDPR.

Plausible takes a particularly privacy-friendly approach to analyzing your visit. Plausible collects the following information, among others, for this purpose: Date and time of your visit, title and URL of the pages visited, incoming links, the country you are in and the user agent of your browser software. Plausible does not use or store "cookies" on your terminal device. All personal data (e.g. your IP address) is stored completely anonymously in the form of a so-called hash. A hash is an encryption of data that is not reversible, i.e. cannot be "decrypted". In this way, we can analyze your visit without storing personal data in a form that would be readable by us, Plausible or third parties.

Plausible Analytics is hosted by ourselves (Filen Cloud Dienste UG) in Germany.

To make transparent what data we collect, you can take a look at the full statistics of this page yourself: https://plausible.io/wemake.de.

You can find more information about the technical implementation here: https://plausible.io/privacy-focused-web-analytics.

You can find more information about data protection at Plausible at https://plausible.io/data-policy.

The legal basis for the processing is Art. 6 para. 1 lit. f) GDPR.

Sentry analytics

We use Sentry, an error management tool, for our website. The service provider is the American company Sentry Inc, San Francisco, 132 Hawthorne St, San Francisco, USA.
Sentry also processes data from you in the USA, among other things. We would like to point out that, according to the ruling of the European Court of Justice, there is currently no adequate level of protection for the transfer of data to the USA. This may be associated with various risks to the lawfulness and security of data processing.

Data processing associated.

As a basis for data processing with recipients in third countries (outside the European Union, Iceland, Liechtenstein, Norway, i.e. in particular the USA) or a data transfer there, Sentry uses so-called standard contractual clauses (= Art. 46 para. 2 and 3 GDPR). Standard Contractual Clauses (SCC) are templates provided by the EU Commission to ensure that your data meets European data protection standards even when transferred and stored in third countries (such as the USA). With these clauses, Sentry commits to comply with the European level of data protection when processing your relevant data, even if the data is stored, processed and managed in the US. These clauses are based on an implementing decision of the EU Commission. The decision and the corresponding standard contractual clauses can be found here, among other places: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de

The data processing addendum corresponding to the standard contractual clauses can be found at https://sentry.io/legal/dpa/.
For more information about the data processed through the use of Sentry, please see the Privacy Policy at https://sentry.io/privacy/.

Disclosure for civil or criminal enforcement purposes

If we deem it necessary or we are required by law in any jurisdiction to do so, we may disclose your files, account information, and usage information to the appropriate authorities, even if those items are encrypted. We reserve the right to assist law enforcement authorities in any investigation, including disclosing information to them or their agents. We also reserve the right to comply with any legal process, including, but not limited to, data breach notification procedures, subpoenas, search warrants, and court orders initiated by law enforcement agencies or other third parties.
We may disclose your files, account information, and usage data to enforce or apply our Terms of Use, Cookie Policy, and this Policy or any other agreement we have with you, or to protect the rights, property, or safety of us or our other users, third parties, or the operation of our Services.

Communication & Messages

We may send invoices, security or service updates, and various other notifications by email to the email address specified in your account. You will be deemed to have received them in accordance with our Terms of Use.
In rare cases, a person may receive an email from us asking them to confirm their new Filen Account email address, but in fact they did not try to create an account at all - someone else started the process and used their email address either maliciously or by mistake. In these cases, we ((Filen)(https://filen.io)) have a volatile/incomplete account that can be used to upload files. Upon request and proof of ownership of the email address, we will delete and or re-enable the account.
Where applicable, some of these communications will contain unsubscribe information so that you can opt out of receiving further emails. We will honor any request to unsubscribe from emails (except those we need to send for billing, security or service updates).

Job posting

Online job applications / publication of job advertisements

We offer you the opportunity to apply to us via our website. For these digital applications, your applicant and application data will be collected and processed electronically by us for the purpose of handling the application process.
The legal basis for this processing is Section 26 (1) sentence 1 BDSG in conjunction with. Art. 88 para. 1 GDPR.
If an employment contract is concluded after the application process, we will store the data you provided during the application in your personnel file for the purpose of the usual organizational and administrative process - this, of course, in compliance with the more extensive legal obligations.
The legal basis for this processing is also Section 26 (1) sentence 1 BDSG in conjunction with. Art. 88 para. 1 GDPR.
If an application is rejected, we automatically delete the data provided to us two months after notification of the rejection. However, the deletion does not take place if the data requires longer storage of up to four months or until the conclusion of legal proceedings due to legal provisions, e.g. due to the obligation to provide evidence according to the AGG.
In this case, the legal basis is Art. 6 Para. 1 lit. f) GDPR and § 24 Para. 1 No. 2 BDSG. Our legitimate interest lies in the legal defense or enforcement.
If you expressly consent to a longer storage of your data, e.g. for your inclusion in a database of applicants or interested parties, the data will be further processed based on your consent. The legal basis is then Art. 6 para. 1 lit. a) GDPR. However, you can of course revoke your consent at any time in accordance with Art. 7 (3) GDPR by declaration to us with effect for the future.

No commercial sale of data

We will never sell your files, account data or usage data. We will not share or otherwise make available your files, account information or usage data to third parties or use your files, account information or usage data for any purpose not expressly permitted by this Policy, our Cookie Policy, Terms of Use or not related to the normal use of our Services.