Confirmed, Inc. (also “Confirmed”, “the company”, “we”, and “us”) collects the minimum data possible to ensure your data and privacy are protected.
Confirmed complies with the European Union’s General Data Protection Regulation (GDPR) for all users, regardless of location. In addition, we collect the minimum personal information required to provide the Confirmed service.
We do not sell or provide data to advertising services, and there are zero third party frameworks for marketing or re-marketing purposes. This includes any direct or indirect advertising frameworks by Facebook, Twitter, and Google, including Crashlytics, Fabric, Google Analytics, Facebook SDK, Firebase, and Twitter SDK.
INFORMATION WE COLLECT
Information From Website Browsers
If you are just browsing the Confirmed website, we do not store or log your IP address or use a cookie to track you.
Personal Information From Users With Accounts
If you create an account, we require some basic information at the time of account creation.
For all users, we record the creation date of the account and the active subscription plan for the account. While using the Confirmed service, we record the total amount of bandwidth consumed in the last thirty days. No website data or traffic is stored related to this metric. This bandwidth data is used only to throttle very high-bandwidth users and provide a fair distribution of resources to all users.
For mobile users, we require an App Store or Google Play receipt, which contains no personally identifying information. The sole purpose of this data is to validate that the account has an active subscription for the Confirmed service.
For desktop users, we require a valid credit card that is processed and stored by Stripe, Inc., a PCI-compliant payment processor. We do not store your credit card number on our servers, nor can we access it. Stripe will also store metadata related to your financial transaction that we can access, such as zip code and country of origin, primarily to validate the authenticity of the transaction and pay applicable local taxes (i.e., Value Added Tax in the European Union).
If you participate in our voluntary referral program, the Confirmed service will record each account that signed up with your referral code in your account data. This is solely to attribute active subscribers to your account and provide the applicable discount to your subscription plan. Please keep in mind that if you refer someone (or you were referred by someone), the referrer will receive an e-mail upon the referred user signing up for a trial as well as upon becoming a paid subscriber. The referrer always will be able to see whether you have an active subscription because it affects the pricing of his or her account.
We do not log or track any usage of our website, except for error messages on our server (such as accessing a page that does not exist). For these cases, we log the error (i.e., the URL attempted) and the time that it happened, but no personally identifying information such as a user’s IP address.
If an Acceptable Use provision is violated, the incident event is logged, which includes the specific abuse of service. THIS IS SPECIFICALLY USED FOR PREVENTING MALICIOUS USERS OR BOTS FROM ABUSING OTHER USERS, WEBSITES, AND OUR SERVICE. The rules are very specific and limited - we use industry standard "Emerging Threats" (https://doc.emergingthreats.net) to detect abusive behavior. Incidents are then given a temporary identifier, which cannot be used to identify the account without alerting the account holder first. All temporary identifiers reset upon reboot of the servers, or rotation of the servers. No other data is logged.
To associate the UIN with your account, we must perform a command that will automatically notify you that we have performed this mapping if you have provided us an e-mail address.
All rule violations and UINs are removed upon performing system and security updates for our servers. We estimate such updates every two to four weeks.
Openly Operated Principles
Data transmitted by the Confirmed service is encrypted using SSH, HTTPS, and SSL/TLS. The limited data we collect on our servers is encrypted with a key that we cannot access without automatically sending the user an alert that we are accessing this data. By being an Openly Operated product, our architecture is open source and available for public audit to prove that we cannot access any personal data.
In the event of a data breach that affects your personal information, we will act promptly to mitigate the impact of the breach and notify any affected users without undue delay.
Confirmed may be legally required to disclose information to law enforcement in response to a valid subpoena, court order, warrant, or similar government order, or when we believe in good faith that disclosure is reasonably necessary to protect our property or rights, or those of third parties or the public at large.
In complying with court orders and similar legal processes, Confirmed strives for transparency and protection of user data. We will notify users of any disclosure of their information, unless we are prohibited by law or court order from doing so, or in rare, exigent circumstances.
Right to Erasure
Confirmed will retain your personal information for as long as your account is active or as needed to provide you services.
If you would like to delete your personal information, you may do so in your user profile. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements, but barring legal requirements, we will delete your full profile (within reason) within 90 days of your request.