GDPR Compliance

Capsule is committed to complying with the General Data Protection Regulation (GDPR) and protecting the privacy rights of individuals in the European Economic Area.

Our Commitment

We designed Capsule with privacy at its core. Our zero-knowledge encryption architecture means we cannot access the content of your documents. We collect only the minimum data necessary to provide our service, and we give you full control over your information.

Data Processing

When you use Capsule, we process the following categories of personal data:

Data Category | Purpose | Retention
Account information | Service delivery | Until account deletion
Usage analytics | Product improvement | 24 months
View/access logs | Analytics for senders | Until capsule deletion
Payment information | Billing | Per legal requirements
Encrypted documents | Core service | Until expiration or deletion

Legal Basis for Processing

We process personal data under the following legal bases as defined by GDPR:

  • Contract performance (Article 6(1)(b)): Processing necessary to provide the Capsule service, including account management, document storage, and sharing functionality.
  • Legitimate interests (Article 6(1)(f)): Processing for security monitoring, fraud prevention, product improvement, and analytics. We balance these interests against your rights and freedoms.
  • Consent (Article 6(1)(a)): Processing for optional marketing communications and non-essential cookies. Consent can be withdrawn at any time.
  • Legal obligation (Article 6(1)(c)): Processing required to comply with applicable laws, such as tax and financial reporting requirements.

Data Subject Rights

Under the GDPR, you have the following rights regarding your personal data:

Right of Access

Request a copy of all personal data we hold about you, including processing purposes and data categories.

Right to Rectification

Request correction of inaccurate personal data or completion of incomplete data.

Right to Erasure

Request deletion of your personal data when it is no longer necessary for the original purpose.

Right to Portability

Receive your data in a structured, machine-readable format and transfer it to another service.

Right to Object

Object to processing based on legitimate interests, including profiling and direct marketing.

Right to Restrict

Request restriction of processing while we verify the accuracy of your data or assess an objection.

To exercise any of these rights, contact our Data Protection Officer at the address below. We will respond to all requests within 30 days.

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected. When a capsule expires or is deleted, the encrypted content is permanently removed from our servers. Account data is retained for the lifetime of the account and deleted within 30 days of account closure.

Some data may be retained longer where required by law (e.g., billing records for tax purposes) or where necessary to resolve disputes or enforce our agreements.

International Data Transfers

Capsule may transfer personal data outside the European Economic Area to provide our services. When we do, we ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Additional technical measures including encryption at rest and in transit

Our zero-knowledge encryption provides an additional safeguard: even if data is transferred internationally, the document content remains encrypted and inaccessible to us and our infrastructure providers.

Sub-Processors

We use a limited number of sub-processors to provide our service. Each sub-processor is bound by Data Processing Agreements that require GDPR-equivalent protections. Our current sub-processors include cloud infrastructure providers, payment processors, and email delivery services. A detailed list is available upon request.

Data Protection Officer

For any GDPR-related inquiries, data subject requests, or to exercise your rights, please contact our Data Protection Officer:

If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority.