Posted and effective as of 4 June, 2016
Note that SpiderOak has several different products and services:
- SpiderOak CrossClave, secure collaboration for teams
- SpiderOak One, consumer-focused cloud storage
- SpiderOak Groups, cloud storage for teams
- Enterprise Backup, cloud-based backup for companies
- SpiderOak Semaphor, a team collaboration tool
- SpiderOak Kloak, a private communications network
- SpiderOak Encryptr, a cloud-based password manager
When we collect, store, use, or share information differently among these products, we’ll note that below.
THE INFORMATION WE COLLECT
Account Information. When you create a SpiderOak account, we ask you to choose a username and passphrase. You may use your email address as your username, but it’s not required.
If you select a SpiderOak plan that requires payment, we’ll also ask you for billing information.
Information About Your Use of SpiderOak. We receive some information automatically when you use any SpiderOak product. This includes data about your device, software, and the operating system you use when accessing our service, approximate amount of data stored on our service, your Internet Protocol address, system-generated error messages for your account, and the date and time of each request you make to SpiderOak. Additionally, some of our products have access to your team or group name and the number of members in a team.
HOW WE USE YOUR INFORMATION
We use your personal information to keep SpiderOak running, understand how you use our service, customize your experience, prevent abuse, provide customer support, sell and market our products, and improve SpiderOak. We use your information internally only as necessary to accomplish these goals.
HOW WE DISCLOSE YOUR INFORMATION
We share your personally identifiable information only in the limited circumstances below. SpiderOak never sells your information or shares it with third-party advertisers.
With your permission. We may share your information with your consent, after letting you know what information will be shared and with whom.
In response to the law. We may disclose your information if we believe it is reasonably necessary to comply with a law, regulation, or valid legal process. If we are going to release your information, our policy is to provide you with notice unless we are prohibited from doing so by law or court order (e.g., an order under 18 U.S.C. § 2705(b)). We may disclose your information without giving you prior notice if we believe it’s necessary to prevent imminent and serious bodily harm to a person. Nothing in this policy is intended to limit any legal objections or defenses you might have to demands to compel disclosure of your information, including demands from the government.
With Groups, Enterprise Backup, and Semaphor admins. If you use our Groups, Enterprise Backup, or Semaphor products, your administrator may be able to access and control your account. Refer to your organization’s internal policies for more information.
With other users. When you share files with others through SpiderOak, your username, share id and/or first and last name may be visible to other people.
Aggregate information. We may disclose aggregate, non-identifying information about how our users use SpiderOak products.
WEB TRACKING POLICY
You can disable your SpiderOak account at any time by signing in and canceling it either online or in the application itself. This means your user account will no longer be active on our service, and your data will be automatically deleted in the normal course of business with no further notice to you.
SpiderOak products are designed to have several layers of security.
- We encrypt files that you upload to SpiderOak servers using the AES- 256 algorithm. You control your encryption keys, and SpiderOak does not have access to them.
- We use Secure Sockets Layer (SSL)/Transport Layer Security (TLS) to create a secure tunnel to protect data in transit between SpiderOak apps and servers.
- We don’t store your account passphrase on our servers in any form. Your passphrase is only on your device, and we hash and salt it to help protect it against possible compromise.
- We limit the number of SpiderOak employees who have access to user data through policy and technical access controls.
No transmission over the internet is completely secure, so we can’t absolutely guarantee that unauthorized parties won’t be able to defeat our security measures. You use SpiderOak at your own risk, and are responsible for taking reasonable measures to secure your account (such as choosing a strong, unique passphrase and keeping it secret).
We are always on the lookout for vulnerabilities in SpiderOak. If you discover a vulnerability in our service, we would be grateful for your report and encourage you to let us know immediately. If you give us reasonable time to respond to your report before making any information public, and make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research, we will not pursue any legal action against you or ask law enforcement to investigate your actions.
To report a security vulnerability, please email firstname.lastname@example.org.
CHANGES TO THIS POLICY
We would love to hear from you. SpiderOak welcomes questions, concerns, and feedback about this policy. If you have suggestions for us, let us know at email@example.com.