ShareGuard File Transfer Privacy Policy

Version 1.0

General

Hygiaso AG ("Hygiaso", "We", "Us", "Our") operates the ShareGuard web service (shareguard.me) and any associated sites and services which link to these terms, collectively the "Application." We own,develop, and operate the Application to provide secure file transfer services to its users ("You", "Yours").

This Privacy Policy describes how the Application collects, manages, uses, and shares Personal Data (PD).Personal Data is defined in the Swiss Federal Data Protection Act (FDPA) and the General DataProtection Regulation (GDPR) as "any information relating to an identified or identifiable person."

The Application is a web-based service with which you, as a private individual (Private User) or as aprofessional on behalf of your organization (Professional User), can transfer or receive data securely,store your data, and determine what you share with other users. We provide a secure data transferservice with end-to-end encryption. To facilitate these transfers, data is encrypted in your browserbefore being uploaded to secure cloud storage, and only decrypted in the recipient's browser.

Hygiaso is committed to protecting the privacy of our users. We strive to strengthen privacy and dataprotection and enable you to exercise your rights to your Personal Data. We minimize processing of yourpersonal data while providing you with the service you have chosen.

We manage personal data in compliance with the Swiss Federal Data Protection Act (FDPA) and theGeneral Data Protection Regulation (GDPR). You can contact us on data protection matters via dpo@shareguard.app.

In short, this is how we process your Personal Data (PD):

• Account and authentication data: We use your account and contact data to authenticate you and communicate with you.

• Subscription data: We track your resource usage within the subscription limits you've chosen.

• Contact information: We use contact data you enter to facilitate secure file transfers and send notifications.

• Encryption keys: Your encryption keys are stored in an encrypted database and are only accessible with your password that you control.

• Usage monitoring: We monitor resource usage to enforce subscription limits and may collect pseudonymous analytics to improve the service.

• Service providers: We use external partners to provide our service (e.g., cloud infrastructure, payment processing). We do not permit our service providers to sell or use your personal data for marketing purposes.

Our system is designed so that we have no means to access the contents of files you transfer. You arefully responsible for what you transfer, the processing of any Personal Data that you may transfer using our services, and your compliance with all applicable laws, including data protection laws.

Scope and Applicability

This Policy applies to the processing of Personal Data with the Application. The Application is currently released in Switzerland, and we require our subscribed users to be based in Switzerland to use the Application.

How We Process Your Personal Data

This is how we process your personal data more specifically, depending on the service we provide for you:

Your Account

As a user, you need an account with an associated email address. We will confirm that you control this email account with a confirmation message. You must use strong authentication (such as a robust password) to protect your account, data, and access.

We use the email address linked to your account to communicate with you regarding essential service information, such as subscription renewals, security notifications, and service updates.

We process this personal data based on legitimate interest and as necessary or legally required to provide our service to you. We are the Controller of your account data, but payment data is controlled by our payment service provider.

Your Subscriptions and Payment

For paid subscriptions, we require you to register payment details with our payment service provider. This data is used to prevent fraud and process subscription payments. Your payment details are not shared with Hygiaso directly, but information about your subscription status (paid, cancelled, etc.) is available to us for support purposes.

Our payment provider may exchange payment data with their partner institutions (e.g., credit card companies) for verification and risk management purposes. They employ appropriate safeguards for any international data transfers through approved data protection frameworks.

We process this personal data based on legitimate interest and as necessary or legally required to provide our service to you. We are the Controller of your subscription data, but our payment service provider controls your payment data.

You can find more details in the privacy policy of our payment provider (https://stripe.com/privacy).

Resource Usage Tracking

We track your resource consumption (transfers, storage, etc.) to ensure compliance with your subscription limits. We may notify you when you approach your subscription limits and will preventusage beyond those limits. You can change or upgrade your subscription at any time according to the terms of service.

We process this data based on legitimate interest and as necessary or legally required to provide our service. We are the Controller of your resource usage data.

Addressing Transfers and Communications

We use the email addresses you provide to address communications and facilitate data transfers between users. This information is used solely to enable the service functionality and is not used formarketing purposes.

We process this personal data based on legitimate interest and as necessary or legally required to provide our service to you.

Anylytics

We may use aggregate or pseudonymous analytics to understand service usage patterns and improve the Application. This data is not linked to your identity and is used solely for service improvement and security purposes. Aggregating analytics involves international transfer of analytics data and you agree to this.

We process this data based on legitimate interest and as necessary or legally required, or consented by you to provide our service to you.

Encryption

We employ multiple layers of encryption to protect your data:

• Transport encryption: All data transmission uses TLS/SSL encryption.

• Storage encryption: All data is stored in encrypted databases and encrypted cloud storage.

• End-to-end encryption: Any files you transfer with our service are encrypted in your browser before transmissionand can only be decrypted by the intended recipient.

• Key management: Each user has unique encryption keys. Your private key is encrypted with yourpassword, which only you know. We store your encrypted keys in our database but cannot accessyour private key without your password.

This architecture ensures that we have no technical means to access the contents of your transferred files. You are responsible for managing your password securely and for the security of data before upload and after download.

We process this personal data based on legitimate interest and as necessary to provide our service to you. We are the Controller of the encrypted keys we store for you, but you control your password.

File Transfer

When you transfer files, the system works as follows:

• Files are encrypted in your browser before upload.

• Encrypted files are stored in secure cloud storage.

• When sharing with another registered user, the encryption system ensures only the intendedrecipient can decrypt the file.

• The recipient must be or sign up as a registered user with their own encryption keys to access shared files.

We associate files with user accounts to enforce storage limits and manage access control. However, wehave no means to access the contents of the encrypted files.

Every user is allocated their personal cloud storage associated with their subscription, and resourceconsumption is tracked individually. Cloud service providers have no access to user accounts but onlysee pseudonymous identifiers. Cloud service providers control any addressing, traffic routing and configuration data they collect.

You are the Controller of any data you transfer and are responsible for ensuring that your use of ourservice complies with applicable laws and regulations.

International Transfer of Data

When you access the service from different locations, personal data may be transferred to your device in that location. If you share files with users who access the service from abroad, data may be transferred across borders.

Our cloud and payment service providers may transfer data internationally as necessary to provide their services. They employ appropriate safeguards such as the EU-US and Swiss-US Data Privacy Framework and Standard Contractual Clauses where required by law.

We process this personal data based on legitimate interest and necessity to provide our service to you, as well as your explicit consent if and when using the service from abroad.

Your Tasks and Processing Responsibility

The Application provides you with functionality to transfer files securely. You are responsible for:

• Ensuring that you correctly specify the recipients of your transfers.

• Complying with all applicable laws when using our service to transfer data.

• Establishing necessary legal bases or justifications before sharing personal data of others.

If you are a Professional User and use our services to transfer personal data of others (such as staff or clients), you are the Controller of that personal data and we process it on your behalf. We provide infrastructure only and have no access to the content of transfers. You remain responsible for complying with applicable data protection laws.

If you receive personal data through our service, you are responsible for processing it lawfully and as agreed with the sender. After downloading data from the Application, you become the sole Controller of that data, subject to your agreements with the sender..

Our Tasks and Processing Responsibility

As the Application provider, we are responsible for:

• Processing your Personal Data as described in this Policy.

• Maintaining necessary records of our data processing activities.

• Notifying you of any data breaches, instructions conflicting with the law and any legitimate disclosure request according to applicable law.

• Supporting you in meeting your data protection obligations.

We are not accountable for incorrect recipient selection or inappropriate data transfers if you instructed them.

Data Retention and Legal Basis

We process your personal data on different legal bases:

• Contract performance: To provide the service you've subscribed to.

• Legitimate interest: To manage accounts, prevent fraud, and improve our service.

• Legal requirements: To comply with legal obligations, such as keeping financial records.

We retain your account and subscription data for as long as you maintain an active account. Commercial records and transaction logs are kept for 10 years as required by Swiss commercial law. Your files remain available according to your subscription terms.

Key Contacts and Roles

Hygiaso AG
Malzgasse 18
4052 Basel, Switzerland
Registered in Basel-Stadt, CHE-340.712.953

You can contact Us on shareguard data protection matters via dpo@shareguard.app.

Cloud Service providers

Microsoft Switzerland Ltd. You can find more information on Microsoft Azure on (https://azure.microsoft.com/en-us/explore/trusted-cloud/privacy)

Cloudflare, Inc. You can find more information on Cloudflare on (https://www.cloudflare.com/privacypolicy/#cloudflare-privacy-policy) and contact Cloudflare for data protection matters via dpo@cloudflare.com

Payment Service provider

Stripe Payments Europe, Ltd. (for EEA / Switzerland). You can contact Stripe for data protection matters via privacy@stripe.com.

Analytics provider

PostHog, Inc. You can find more information on Hostdog on (https://posthog.com/docs/privacy).

Supervisory Authority

Federal Data Protection and Information Commissioner (FDPIC)
Feldweg 1, 3003 Bern, Switzerland
Telephone: +41 58 462 43 95

Your Rights

Under applicable data protection laws, you have the right to:

• Access your personal data

• Rectify inaccurate data

• Request deletion of your data

• Restrict processing

• Data portability

• Object to processing

To exercise these rights, please contact the specified Controller. You can contact us at dpo@shareguard.app.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through the Application. Your continued use of the Application after such notifications constitutes your acceptance of the updated Policy.