Introduction

Chiff BV processes some personally identifiable information to be able to provide the services of Chiff BV, and/or because you provided the information directly to Chiff BV, for instance by filling out the contact form on the website. Chiff BV processes the following personally identifiable information about you:

• Username
• Email address
• IP-address
• Website on which User has an account
• Biometrical data

Chiff is designed with privacy and data security as a foundation. In this privacy policy you can find what information we need from you, why we need it and how we ensure its confidentiality.

Company information

Chiff BV has been founded to develop Chiff. Chiff allows you to log into any website using your phone, making logging in safer and simpler. We leverage the biometric authentication mechanisms (fingerprint and / or facial recognition) on your phone, so you don’t have to remember a single password anymore. Your fingerprint and / or the scan of your face are stored on your phone or tablet. You can set this accordingly. When logging in with fingerprint and / or face recognition, Chiff asks if it matches. The device only says “yes” or “no” to the app. The app does not store information about your fingerprint and / or the scan of your face. Your passwords are only stored locally on your phone, which becomes a factor in the login process. If you have any questions regarding Chiff’s privacy policy, you can contact us at:

Chiff BV
Langegracht 70
2312NV Leiden
The Netherlands
privacy [you know it] chiff dot app

Purpose data collection

Chiff has several purposes why your data is needed:

• Email marketing: If you subscribe to our mailing list, we use your email address to keep you informed about Chiff’s progress and development. Each email contains a link where you can unsubscribe from the mailing list.
• Mobile application: If you download the Chiff app, an application on your phone, you will be presented a seed consisting of twelve random words, a so called ‘paper backup’. You can find the paper backup at any time in your phone under 'Settings'. This seed is unique for each person and serves as the key to encrypt all your personal data. Since the seed never leaves your phone and passwords are only stored locally, your data is inaccessible to us. To make sure you can restore your accounts if you would lose your phone, Chiff needs to store some data remotely which will be used to generate the correct passwords. Before that data is sent to our server, it is encrypted on your phone with a cryptographic key derived from your seed. This ensures that we cannot read this data. Since we do not have the technical ability to decrypt your information, we are unable to hand over your data to third parties in an unencrypted form.

Data recipients

There are some third parties Keyn BV transfers personally identifiable information to:

• Mailchimp: Chiff BV uses Mailchimp as a service for email marketing. Therefore, Mailchimp processes your email address and optionally (if you have provided it), your name. Learn more about Mailchimp's privacy practices here.
• Apple: Apple processes push notifications that are sent to your Apple device. All content with personally identifiable information that is sent to your device is encrypted with the session keys, so it cannot be read by Apple. Learn more about Apple's privacy practices here.
• Google: Google processes push notifications that are sent to your Android device. All content with personally identifiable information that is sent to your device is encrypted with the session keys, so it cannot be read by Google. In addition, this website uses Google Analytics to collect statistics about visitors to this website. Learn more about Google's privacy practices here.
• Amazon: Chiff BV uses Amazon Web Services for its serverless backend infrastructure. Amazon processes your IP-address if requests are made to the backend. All communication between the browser extension and the mobile application is handled by Amazon. Furthermore, your backup data is stored with Amazon, but encrypted with a key that is derived from your seed, so it cannot be read by Amazon. Learn more about Amazon's privacy practices here.
• GitHub: Chiff BV uses GitHub to host the website chiff.app. This means that GitHub may process your IP-address whenever you visit the website. Learn more about GitHub's privacy policy.

User’s rights

Following the GDPR legislation, users have the right to access, change or delete personal identifiable information. Your backup data can be deleted by navigating to Settings -> Privacy -> Delete data in the Chiff app. This will delete all data locally and on the server. If you have any additional needs for accessing, changing or deleting your data, please send us an email to privacy [you know it] chiff dot app. We will respond as soon as possible, but always within four weeks, to answer your request. If you have a complaint about the way your data is processed, you can object via Autoriteit Persoonsgegevens.

Security

For Chiff BV information security is of major importance. Chiff BV takes technical and organizational measures to prevent abuse, loss or unlawful processing of personal data. In addition to standard measures such as using TLS for connections to the server, the website of Chiff BV uses TLS to encrypt communication for the website and backend. Additionally, the backup data stored on the server is encrypted. As a result, it is not possible for Chiff to view or share this data with third parties in an unencrypted state. If you are interested in the details of Chiff’s security, please read Bas's blog post.