Zum Hauptinhalt springen

AgileBits Privacy Policy

Much more than just a policy – 1Password is Private by Design.

Last updated: January 2, 2024

This Privacy Policy applies to the websites owned and operated (“Website”) by AgileBits Inc., doing business as 1Password (1Password, We, Us, or Our). This Privacy Policy describes how 1Password collects and uses the personal data collected through the Website (including, but not limited to, www.1Password.com, www.1Password.eu and www.1Password.ca) and Services located behind the logins of 1Password applications. It also describes individual rights regarding the use of, access to, and how to update, correct, or remove personal information. The use of information collected through Our Services shall be limited to the purpose of providing the Service for which 1Password is engaged.

If you have questions or complaints regarding this Privacy Policy or Our practices, please contact Us via email at [email protected].

Your privacy is important to us and we respect each individual’s right to privacy. This privacy policy explains the personal data that 1Password collects and processes, how it processes data and for what purposes it is collected and processed. This Privacy Policy further describes our commitment to preserving the privacy and security of your personal data. We will collect and use information through Our Website only in the ways disclosed in this Privacy Policy. We have created this Privacy Policy to let you know what information we collect when you visit Our Site, why we collect it, and how it is used. By using this website, you consent to the data practices prescribed in this Privacy Policy.

Who We Are and Our Commitment to Privacy

1Password is a Canadian company located at 4711 Yonge St, 10th Floor, Toronto, Ontario, M2N 6K8, Canada. At 1Password, we believe that the less information we know about you, the better. After all, it is impossible to lose, misuse, or abuse information we don’t have. To the extent that we have control over your data or data about you, we see ourselves as custodians of that data on your behalf.

We use your data solely to provide you with Services in which you enroll and to provide you an enhanced user experience when you visit our Website. Our business is providing 1Password products and Services to you, the customer. We have no desire or interest to use or transfer the limited data we acquire for any other purposes.

Who are You

Unless otherwise noted, we refer you, the Customer, as an owner or organizer of an individual, family, team, or business account.

If you represent an organization, such as a business or educational institution, that utilizes 1Password products or services through Enterprise accounts or if you are an end user of 1Password product or a 1Password account provided by your organization, please see the 1Password Enterprise Accounts section of this privacy statement to learn how we process your data.

Non-Owners

If you are a non-owner member of a team, business, or family account, your use of 1Password may be subject to your organization’s privacy policy or practices, if any. Non-owner members of an account transfer some of the rights described here to the account owners.

Information Collected Through the 1Password Services

We collect some data from you, in order to provide you with our 1Password products and Services, in addition to your use of our Website. You provide some data directly, such as when you create a 1Password account, when you register for a 1Password event or a webinar, or contact us for support. Such data is limited to your email address only. We get some limited data from your use of the 1Password products and services. Such data includes your IP address, and the make and model of your device through which you access or use 1Password products or services.

We use your personal data to provide you with services associated with the use of 1Password account and to provide you with a rich customer experience through our customer support. In particular, we use your data to provide 1Password services, which includes updating, securing and troubleshooting, and providing support.

The following is a more detailed description of the types of 1Password account user data:

We process two kinds of user data to deliver our services: (i) Secure Data and (ii) Service Data. Both are treated securely with respect for customer privacy and data confidentiality, but there are important technical and usage differences.

(i) Secure Data

Secure Data are the data that we are not capable of decrypting under any circumstance. It includes all information stored within vaults in 1Password accounts. These data are encrypted using secure cryptographic keys that exist only in the possession and under the control of our customers. We have no way of accessing or providing decrypted Secure Data, and we never receive copies of unencrypted Secure Data.

Your Secure Data is your property. We claim no rights to it beyond those necessary to deliver services to you. You may add, modify, and delete Secure Data at your discretion. If you do not have a 1Password account, you cannot provide us with Secure Data.

(ii) Service Data

We inevitably acquire Service Data about your usage of 1Password, your account, and your payments through operating our services. We retain only enough Service Data to operate and maintain the services. These data are never used for any other purpose.

Service Data are kept confidential. It is visible to our staff and includes, but is not limited to, server logs, billing information, client IP addresses, number of vaults and number of items in vaults, company or family name, and email addresses. Service data includes the name you provide us for your profile and any image that you may upload, at your option and discretion, as part of your profile.

As long as you are using our services, we retain the right to hold and use Service Data to provide our services, troubleshoot problems, analyze the performance and demands on our services, and to provide our payment processors with the information they need to process payments.

(iii) Diagnostic Data (Optional)

Diagnostic Data are a category of Service Data which are not automatically collected or required for operation of our services.

In some cases we seek diagnostic reports and other troubleshooting, bug, and crash reports from customers to help identify and solve problems with our products and services. This information is sent to us only on a case by case basis, or by users who explicitly opt into our beta software programs or who otherwise explicitly choose to provide diagnostic data to us.

Diagnostic Data may contain sensitive information about your devices and operating environment as well as personally identifying information. Although there may be occasions when we ask for Diagnostic Data to assist you with a problem, you are never obligated to provide it.

Diagnostic data never includes decrypted Secure Data. We will never ask for your Account Password or Secret Key.

Keeping Your Information Safe

We understand and accept our responsibility to protect Service Data and Secure Data. We use strict access control mechanisms, network isolation, and encryption to ensure that Secure and Service Data is only available to authorized personnel. Additionally, Secure Data cannot be decrypted even by those who do have access to it.

Information Collected from Your Use of Our Website

In a few areas on Our Website, We ask you to provide personal information that will enable Us to enhance your site visit, to assist you with technical support issues or to follow up with you after your visit. It is completely optional for you to participate. For example, We request information from you when you:

  • Subscribe to a newsletter

  • Participate in promotional offers

  • 1Password uses your information for specific purposes. Your information may be used to:

  • Send you requested information about 1Password

  • Provide support

  • Market 1Password products or Services to you

  • Provide you with access to 1Password Services

Personal information you provide will be kept confidential and used to support your customer relationship with Our company.

All email communication with you will be on an Opt-In basis. This is solely at your discretion. Occasionally, We will send you e-mail communications with information, which may be useful to you, including information about Our products and Services or about offerings from affiliates or business partners. When you first provide Us with your e-mail address, you will be given the option of not receiving any such e-mail communications. We will include instructions in Our e-mail messages on how to unsubscribe if you later decide you do not want to receive any future e-mail communications. At any time, you can easily opt-out of receiving further marketing from 1Password by contacting Us at the address below and requesting to have your name removed from Our lists.

Information Sharing and Disclosure to Third Parties

Agents or contractors of 1Password may have access to your personal information for the purpose of performing services on behalf of 1Password. All such agents or contractors who have access to your personal information have Data Processing and Confidentiality obligations to keep the information confidential and not use it for any other purpose than to carry out the services they are performing for 1Password.

Unless We tell you otherwise, or unless otherwise stated in this Privacy Policy or required by law, We do NOT sell or rent your personal information to any third parties. However, We might share your personal information with Our service providers, such as Our hosting services providers. If you choose to participate in a survey, a focus group etc., we may also share de-identified data with Our customers.

Information collected from you is only used to complete and support your purchases from 1Password and use of the Site and to comply with any requirements of law. 1Password may disclose personal information if required to do so by law or in the good faith belief that such action is necessary to: (1) conform to the edicts of the law or comply with legal process served on 1Password or this Site; (2) protect and defend the rights or property of 1Password; or (3) act in urgent circumstances to protect the personal safety of users of 1Password, its web sites or the public. We may collect and possibly share your information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of Our terms and conditions posted on Our Websites, or as otherwise required by law.

If 1Password is involved in a merger, acquisition, or sale of all or a portion of its assets, you will be notified via email and/or a prominent notice on Our Web site of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information. We may also disclose your personal information to any other third-party with your prior consent.

Compliance with the laws

AgileBits fully complies with applicable data protection laws. If you are affiliated to an organization who provides you with 1Password account through its Enterprise level account then there may be additional requirements for us to meet, based on the contracts with the organization. For further information, please read below the section 1Password Product or Account provided by your Organization.

Data Location

1Password.eu data are held on servers located within the European Union. Secure Data originating in the European Union remains within the European Union.

Customer support system

Our customer support and email services are hosted primarily in the United States. Any information you choose send us through email or our customer support system may pass through and be stored on a variety of intermediate services. If you wish, you may encrypt email to us using our PGP public key.

Third-Party Data Processors

Your Secure and Service data are held by third-party data processors, who provide us with hosting and other infrastructure services. The locations of these are described above. In many cases (but we cannot promise that this will always be the case) even Service data held by these entities is encrypted with keys held only by us.

Data needed to process payments is collected by our payment processor, Stripe, Inc., which conforms to the U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce (collectively, the “DPF”). See https://stripe.com/legal/data-privacy-framework.

Contacting You

We may use your contact information, that is, the contact email address provided by you, to communicate with you about Service activity, provide support, and send you other information such as product updates and announcements. You may choose to stop receiving communications from us, except certain important notifications such as billing and account security alerts.

Your Responsibilities for Protecting Your Data

When you create a 1Password account you will receive a Secret Key and will be prompted to create a Account Password. Your Secret Key is generated on your computer and your Account Password is something you create yourself. For your protection, you should create a strong and unique Account Password to ensure that it is not easily guessed.

It is extremely important that you understand that anyone with both your Secret Key and Account Password can access your Secure Data. It is equally important that you keep a copy in a safe place for your own reference, because future access to your Secure Data depends on having access to both your Secret Key and your Account Password. We will never ask you for your Account Password or your full Secret Key, and you should never send it to us or anyone.

Due to the nature of our design and the sensitivity of the information you entrust to us (even in encrypted form), it may not be possible for us to help you with certain customer service requests unless you are listed as an account owner and are communicating from your verified email address. In the event that you change your email address, it is very important that you update your email on your 1Password account(s) or you may eventually lose access.

Data Protection Principles that We Practice

(i) Data Portability

We want happy customers, not trapped ones. We will not lock you out of your own data. However, we are unable to decrypt your Secure Data; you will need your Account Password and Secret Key to decrypt it.

You may export your 1Password data at any time you wish during the life of your account. If you discontinue payment, your account will enter a frozen (read-only) state for a period not less than six months during which you may still retrieve and export your data.

Export is limited to your Secure Data. Vault permissions, the structure of groups of individuals, and other information about the relationship between individuals and data is not guaranteed to be included in export.

(ii) Your Right to Know to What We Know

You have the right to know what we know about you and to see how that data is handled. You may request a screenshot of what we can see about you in our back office systems. However, to protect customer privacy, such requests must be carefully authenticated beyond demonstrating control of the customer’s email address.

(iii) Your Right to Have Your Data Erased

As we are merely custodians of your data, account owners have the right to instruct us to remove data permanently from our systems. To ensure that no one’s data is deleted without their consent, you must first delete your account through an authenticated session. After your account has been deleted, the account owner may contact us and ask for the data to be expunged. Once the request is authenticated, the data will be removed from our active systems within 72 hours.

Disaster recovery and data availability requirements mean that AgileBits has a legitimate interest in maintaining secure and immutable backups. Backups are kept for 35 days. Erasure requests will leave those backups untouched, and we will only remove data from backups if legally compelled to.

(iv) Your right to access and control your personal data

You can control your personal data and exercise your data protection rights by contacting AgileBits at [email protected].

In addition, you can add, remove, edit, change any data that are in the 1Password vault. If you are an affiliate of an organization which provides you with the access to 1Password account and services, there may be certain restrictions to the above, based on your affiliate organization’s privacy or other similar policies. For further details, please review below the section under 1Password Product or Account provided by your Organization.

Chat Bots

We use chat bots or automated communication tools to facilitate your communications with us across our Services. These tools may collect and record the contents of any communications you send through them. They may also collect analytics information, such as device and usage information. We may disclose this information to our relevant service providers for the purpose of providing these tools, improving our customer support and internal marketing purposes.

Cookies and Other Tracking Devices

We do not use third-party trackers in our web application (my.1password.com), or our client applications for macOS, Windows, Linux, Android or iOS. However, we set and use cookies (small text files placed on your device) and other tracking devices on our own domains and subdomains to store settings that assist with identifying your account for sign-in. For the purposes of this section, we will call both cookies and other tracking devices “cookies.” We also use third-party packages and trackers for our public pages that may set cookies on your computer. These cookies collect identifiable information that allows us to better understand our audience and serve more relevant advertisements to visitors once they leave the 1Password website. We also use these cookies to understand broad and anonymous user behavior when you visit the 1password.com websites. Such user behavior includes time spent by a visitor on the website, most visited webpage, etc.

What Types of Cookies Do We Use and Why?

The following information lists the different types of cookies implemented on 1Password.com websites, examples of who serves those cookies, and links to the privacy notices of those cookie servers. Because the specific cookies we use may vary over time, as well as differ by the specific page you are browsing, the information below is illustrative only.

Essential Cookies

Purpose: These cookies are essential for the website to function properly. They enable basic website functionality, such as account permissions and security.

Who Serves these Cookies: 1Password, Transcend, Google, Unleash

Functional Cookies

Purpose: Functional cookies are used to support and enhance website functionality. Information collected through functional cookies may be available to third parties.

Who Serves these Cookies : 1Password

Analytics Cookies

Purpose: Analytics cookies help us understand how visitors interact with our website, enabling us to improve user experience and optimize our content. Information collected through analytics cookies may be available to third parties.

Who Serves these Cookies: Google, Trade Desk

Marketing Cookies

Purpose: We use marketing cookies to personalize your experience, show you targeted ads, and analyze the effectiveness of our marketing campaigns. Information collected through marketing cookies may be available to third parties.

Who Serves these Cookies: Google, Trade Desk

We do not use cookies in a manner that discloses to third parties that a specific person viewed specific video materials. However, we may use embedded video content that provides you access to content hosted on third party websites. The hosts of such embedded videos may place cookies on your device when you view their content. Any cookies or other information collected through such embedded videos are subject to the terms of the provider’s privacy policy.

How Long Do Cookies Stay on My Device?

Some cookies operate from the time you visit the 1Password websites until the end of that particular browsing session. These cookies, which are called “session cookies,” expire and are automatically deleted when you close your Internet browser. Some cookies will stay on your device between browsing sessions and will not expire or automatically delete when you close your Internet browser. These cookies are called “persistent cookies” and the length of time they will remain on your device will vary from cookie to cookie. Persistent cookies are used for a number of purposes, such as storing your preferences so that they are available for your next visit and to keep a more accurate account of how often you visit the Website, how your use of the Services may change over time, and the effectiveness of advertising efforts.

Managing Cookies

You may disable cookies in your browser at any time. Please note that disabling all cookies may result in performance issues on our website. Client applications, including web browsers, will store information about your account to assist with future sign-ins and keep some information available to you when you are not signed in. Users may remove all such information from their devices, but doing so will require that they provide complete information (account details, Account Password, and Secret Key) on subsequent sign-ins. We also provide you with the ability to opt-out of non-essential cookies through the tools available in the footer of our webpage.

Consent for Underage Enrollment

Those under the age of 16 may not use the services without the consent or authorization of their parent or legal custodian. Family account organizers and team owners are responsible for that authorization when they add someone under the age of 16 to an account.

Disclosure

We will comply with applicable laws and the contracts with our customers to provide Service Data and encrypted Secure Data to law enforcement agencies. If permitted, we will notify you of such a request and whether or not we have complied. Your Secure Data remains encrypted with keys which we do not possess, and so we can only hand over Secure Data in encrypted form.

Some Service Data is made available to family account organizers and team owners. In some limited circumstances we may provide some information to non-owner members of these accounts. Account owners will be informed in these circumstances.

Breach Notification

In an event of a breach, we recognize our responsibility to our customers and to the public to disclose the nature of the risk and provide a transparent account of the events without undue delay. We follow applicable requirements under the laws, that is, the Canadian data privacy breach notification requirements and the requirements related to data breach notification under the GDPR.

1Password Product or Account provided by your Organization

When we offer 1Password products and services to you through your organization, we continue to adhere to applicable data protection laws, in addition to any requirements under the contracts with your organization, to ensure that your data are located, and if applicable, appropriately transferred.

If you use a 1Password product or 1Password account to access our products and services, and such 1Password product or 1Password account was provided by the organization that you are affiliated with, that organization is the controller or the administrator of your 1Password product or 1Password account. Your organization can access and process your data associated with your 1Password product or account. If your organization provides you with access to 1Password product or 1Password account, your use of the product or account is subject to your organisation’s policies, if any. You should direct your privacy inquiries, including any requests to exercise your data protection rights, to your organization’s administrator. We are not responsible for the privacy or security practices of your organization, which may differ from those set out in this privacy policy.

If you lose access to the organization that you are affiliated with (for example, if you change your employment), you may lose access to 1Password product or 1Password account and the content or data associated with such product or account.

Updates to our Privacy Policy

At our discretion, we may make changes to this Policy and note the date of the last revision. You should check here frequently if you need to know of updates to our Privacy Policy. We maintain the right to send you an email informing you of substantive changes. Previous versions will be made available from this page.

Kontaktieren Sie uns

If you have any questions about this Policy, you can contact us at [email protected] or write us by mail at:

Privacy Office

4711 Yonge St, 10th Floor,

Toronto, Ontario,

M2N 6K8

Kanada

Supervisory Authority

If you have concerns or complaints about this policy or practices with regard to that you do not feel you can resolve through contacting us, you should bring those concerns to your local regulatory authority.

Glossary

AgileBits, we, our, Service Provider

AgileBits Inc., a Canadian company located at 4711 Yonge St, 10th Floor, Toronto, Ontario, M2N 6K8, Canada. Owners and operators of 1Password. As Data Processors, we include AgileBits' employees and subcontractors appointed by AgileBits.

Data Processor

Data Processor as defined by the GDPR. We and the subprocessors (hosting services, payment processors) we appoint are the Data Processors.

Account Password

A user secret that, along with the user’s Secret Key, is necessary to decrypt Secure Data.

AgileBits staff, staff

Our Directors, employees, and subcontractors

GDPR

European Union’s General Data Protection Regulation

Decrypt

Decryption transforms encrypted data back to its original form. It cannot be performed without the appropriate cryptographic key.

Encrypt, Encryption

Encryption transforms usable data into a form that conceals all information contained in the original data. This data transformation uses a cryptographic key.

Owner, Organizer

Business and Family accounts, which allow for multiple members, will have Owners or Organizers. Owners and Organizers have some rights over the data belonging to members of the Business or Family.

Personal Data

As defined under applicable data protection laws.

Secret Key

A user secret typically stored on the user’s device that is necessary, along with the user’s Account Password to decrypt Secure Data.

Subprozessor

Anyone other than us who we have appointed to process customer data. Subprocessors can see no more data than we can see. Examples include our data hosting providers and payment processors.

Supervisory Authority

A local regulator under the GDPR which has the job of seeing that we protect your data properly.

Secure Data

Data encrypted with keys derived from the user’s Account Password and Secret Key. This data cannot be decrypted by AgileBits.

Service Data

Data about a user account, which is available to AgileBits.

You, Data Subject

You are the Data Subject as defined in the GDPR. In general, we are addressing “you” as the Owner or Organizer of an Individual, Family, Team, or Business account.

Change log

2024-01-02:

  • We have added a section explaining the use of Chatbots and have amended the section on Cookies and Tracking

2023-11-1:

  • We have updated various communication channels for questions and data subject access right requests

  • We have updated specific references to GDPR and Canadian privacy laws, with applicable data protection laws.

  • We have updated the references to US Privacy Shield to the “DPF.”

  • We have removed an outdated Supervisory Authority.

2023-06-22:

  • We have amended the “Data Location and Transfer” section to remove an unnecessary restriction on Service Data access.

2021-12-07:

  • We have added language regarding our use of third-party trackers on our web pages only (no in-app tracking)

2021-10-21:

  • We have added language clarifying the use of your 1Password websites' visits related data.

2021-04-15:

  • We changed our office address.

2019-07-03:

  • Added clarifying language related to GDPR.

2018-10-26:

  • We changed our office address.

2018-05-11:

  • List GDPR Supervisory Authority

  • Typographical error corrected. No change in meaning.

  • More explicitly include data processing agreement (GDPR)

  • Status of AgileBits contractors and employees wrt to data processing (GDPR)

  • More GDPR terms in the glossary.

  • Open with a statement of purpose of this document

  • Business accounts

  • Explicitly discuss philosophy that customer has rights to their own data (spirit of GDPR)

  • Right of Erasure (GDPR)

  • Right to Access (GDPR)

  • Breach notification (GDPR)

2017-09-07:

  • We clarified how we help you keep your data when we part ways.

  • We also expanded on how your Secure Data is handled on our end.

Archived versions