Privacy Policy Cifer Apps

Summary

Cifer is an e-mail app that follows a strict privacy-by-design approach. All communication data remains on the end devices or on the e-mail servers selected by the user.

Requirement Implementation
Confidentiality End-to-end encryption by implementing The Signal Double Ratchet Algorithm. User-friendly end-to-end encryption means that the requirements of the GDPR are already implemented at the technical level, Privacy by Design.
Data minimization No upload of contact lists from your phone.
Data avoidance No Cifer servers, no processing of personal data. All data remains with your e-mail provider.
Legal basis There is no need to obtain consent for address book matching, Art.7 GDPR, as no address book data is transferred. Therefore, no additional legal basis is required.
Data to third parties We only receive the token for the push notification and forward it to the provider of your operating system. If you don't want to receive push notifications, we won't forward a token.
Data from third parties Easy implementation in companies: Cifer does not process personal data on behalf of the controller and therefore does not require any instruction or data processing agreement. Easy connection with the own corporate e-mail server.
DPIA No data protection impact assessment needs to be carried out for Cifer Art.35 GDPR, as no specific additional data is processed beyond the e-mail messenger process. The risk to the rights and freedoms of natural persons is limited to the internal company data processing of the e-mail communication and that of the e-mail providers.
Documentation Inclusion of the measures implemented by Cifer in the record of processing activities may have a positive impact on possible evidence, Art.30 GDPR as well as certification processes, Art.25 (4) GDPR,Art.42 GDPR. The documentation of processing activities related to Messenger communication is omitted and shifts only to the record of processing activities of your e-mail provider, Art.30(2) GDPR.

Detailed data protection information

1. Processing when using the Cifer e-mail messenger

All data is stored locally on your device or with your e-mail provider. Neither we nor Cifer developers have any possibility to access the end user’s data, as all communication and data processing takes place on the end user’s device without Cifer servers being involved. Only for the optional Push Notification (see 1.2) the Push Notification Token is processed by Cifer servers without them having any knowledge about the messages themselves, not even in encrypted form.

1.1 Sign up with your e-mail provider

Cifer communication works through your e-mail account. In order to establish the connection, the app needs the access data. These are only stored locally on your end device:

The legal basis for the processing is Art.6 (1) lit.b GDPR, as you have a usage contract with us by using our services.

Security procedures are in place to protect the confidentiality of the data: Only the bare data needed to fulfil the user request of login are stored, encryption takes place as well as local sandboxing, see 2.3 for further details.

1.2 Heartbeat push notification

Push notifications can be sent to the user’s phone at regular intervals to enable receipt of messages while the Cifer app is not currently active. Current messages can then be retrieved on the end device. The token is only created if the user wants reliable receipt of messages even when the app is not active.

In order to use push notifications, a unique identifier or token (Push Notification Token) is created after the app is downloaded and installed. This token allows Cifer servers to send notifications to the user’s device. The token is generated and provided by the provider. The token is then stored on our systems and sent to the device at regular intervals to cause the app to retrieve new messages from the e-mail provider. Our systems have no knowledge of whether a message arrives or who may have sent a message.

The aforementioned data will only be processed with your consent, in accordance with Art.6 (1) lit.a GDPR.

1.3 Data in the app

The Cifer app works in a data-saving way. All relevant data is stored exclusively on the respective end devices:

- chat histories (text messages, voice messages, media, ...).
- contacts
- settings

Cifer servers have no access to this data, not even in encrypted form, as data processing takes place only on the end devices.

1.4 App permissions

Within the app, you can enter, manage, and edit various information, tasks, and activities. The app also requires the following permissions:

Permission Reason
Internet access This is needed to send the messages to the communication partner.
Camera access This is needed for you to take photos and send them via the app. In addition, the camera access allows you to scan QR codes.
Microphone access (optional) This permission allows you to send voice messages.
Location access (optional) This is needed if you want to share your location with a communication partner.
Background location access (optional) This will be needed if you want to share your location over a certain period of time.
Contact access (optional) This allows you to load and save contacts from your phone book into the app. The contact data is stored locally in the app and not forwarded and stored on Cifer server.
Storage (optional) You can save images and files from the app to your device.

The processing and use of the above permissions are performed to provide the service. The internet access is necessary for the use, therefore the legal basis of the processing is Art.6 (1) lit.a GDPR, as you have a usage contract with us by using our services.

The optional permissions only take place based on your consent according to Art.6 (1) lit.a GDPR and can also be reduced to individual services, e.g. only internet usage to send messages without pictures or location data. Cifer does not receive any access to this data.

2. Platform dependent processing

Certain information is already processed automatically as soon as you use the app. We have listed below which personal data is processed exactly:

When you download the app, certain required information is transmitted to the app store you use ( e.g. Google Play or Apple App Store), in particular the username, the email address, the customer number of your account, the time of the download, payment information as well as the individual device identification number may be processed. The processing of this data is carried out exclusively by the respective app store and is beyond our control.

For the rest, we refer to the data protection policies of the respective app store providers or responsible parties of the operating systems. We do not collect and/or process any other data.

Your personal data will not be transferred to third parties for purposes other than those listed below.

3. Rights of the data subject

As a data subject of a processing of personal data, you have the right to

  1. request information about your personal data processed by us in accordance with Art.15 GDPR. In particular, you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data have been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of your data if it has not been collected by us, as well as the existence of automated decision-making including profiling and, if applicable, meaningful information about its details;
  2. in accordance with Art.16 GDPR of the GDPR, immediately request the correction of inaccurate or incomplete personal data stored by us;
  3. pursuant to Art.17 GDPR of the GDPR, to request the erasure of your personal data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise or defence of legal claims;
  4. pursuant to Art.18 GDPR, to request the restriction of the processing of your personal data, insofar as the accuracy of the data is disputed by you, the processing is unlawful, but you object to its erasure and we no longer require the data, but you need it for the assertion, exercise or defence of legal claims or you have objected to the processing pursuant to Art.21 GDPR;
  5. pursuant to Art.20 GDPR, to receive your personal data that you have provided to us in a structured, common and machine-readable format or to request that it be transferred to another controller;
  6. in accordance with Art.7 (3) GDPR, to revoke your consent given to us at any time. This has the consequence that we may no longer continue the data processing based on this consent in the future; and
  7. complain to a supervisory authority in accordance with Art.77 GDPR of the GDPR. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our registered office for this purpose. The supervisory authority responsible for our place of business is the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg in 70173 Stuttgart.

4. Google User Data

Cifer's use of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements. This section may be helpful for you if you use Cifer in conjunction with your Gmail account.

Permissions. When seeking access to your Google user data, all permission requests are being sent by Cifer App. Your authorized client credentials to access your Gmail account provided to us will be kept confidential. We request access only to the information we need; we will prompt you to refresh the access permissions if we implement new features. Where possible, we will use incremental auth.

Revoking access to Google User Data. You may revoke Cifer's access to your Gmail account by using Gmail settings: My Account -> Security tab -> Third-party apps with account access -> Manage third-party access -> Cifer -> Remove access.

If you decide to do so, we will lose access to your Gmail account in Cifer, and we will no longer be able to show you emails from it. Upon your request (and when you delete your Cifer account), we will delete all data collected from your Gmail account; however, in such a case, we may not be able to provide you with the ability to use Cifer features to work with your Gmail emails.

Types of data requested. We will list the types of data requested on the permission request webpage. If we need more (or less) permissions to run our Service, we will prompt a new permission request for you to review and consent (or reject). Not all Google User Data may contain personal data. Some statistical data will be anonymized.

Request purpose. The purpose for which the App requests your user data is to enable you to use Cifer features when working with your Gmail account emails. We do not use your Google User Data for any other purposes but to provide you with access and the ability to use the Cifer Service.

Disclaimer. We do not use Google User Data to display, sell, or distribute this data to any third party conducting surveillance. Cifer has no hidden features, services, or actions that are not mentioned in this Privacy Policy or the Terms of Service. Cifer takes reasonable and appropriate steps to protect all applications or systems that make use of Google User Data against unauthorized or unlawful access, use, destruction, loss, alteration, or disclosure. Cifer belongs to a Permitted Application Type as mentioned in the Google API Services User Data Policy (namely, an application that enhances the email experience for productivity purposes).

5. Up-to-dateness and modification of this data protection declaration

This data protection declaration is valid as of November 2023. Due to the further development of our website and offers or due to changed legal or official requirements, it may become necessary to revise this data protection declaration from time to time.