Last Updated November 21, 2023
The Services enable those seeking to store data (“Customers”) with those providing space for decentralized cloud storage (“Node Operators”) (the “Storage Services”). Customers’ data is stored on third-party devices that have installed an open source, distributed storage software (“Software”). Data submitted by Customers to the Services for storage with Node Operators (“Storage Materials”) is encrypted, which prevents Storj and Node Operators from accessing the content of the Storage Materials.
Storj acts as a service provider/processor of Storage Materials on behalf of its Customers. Individuals whose data may be included in Storage Materials ultimately are subject to the privacy policies and practices of the Customer utilizing Storj for Storage Services. Accordingly, for the purposes of the European Union (“EU”) General Data Protection Regulation (“GDPR”), Customers act as the data controller with respect to the processing of the Storage Materials. Storj is not responsible for the privacy practices of Customers. Storj acts as the data controller and not a processor/service provider when, for example, Customers, Node Operators, and other Site visitors provide Storj with information, such as contact, account, and registration information.
- Collection of Information
- Use of Information
- Legal Bases for Use of Information
- Sharing of Information
- Cookies and Online Analytics
- Aggregate/De-Identified Information
- International Customers
- Additional Information for California Residents
- Additional Information for Nevada Residents
- Data Retention
- How We Protect Your Data and Our Services
- Third-Party Links and Features
- Children's Privacy
- Contact Information
1. Collection of Information
Information You Provide to Us
We collect information you provide directly to us. For example, we collect information you provide when you create an account, subscribe to our updates, respond to a survey, fill out a form, post on a forum, request customer support, or communicate with us. Types of information we may collect include, but are not limited to, telemetry data, your digital wallet address, email address, username and password, survey responses, and any other information you choose to provide.
If you are a Customer or otherwise use our Storage Services, a third-party service provider may collect your payment method information for use in connection with your payments for storage.
If you are a Storage Node Operator, we may require you to submit a tax form in connection with your receipt of payments from us. The tax form may require you to provide certain information, including your name, business name, address, and tax identification number (e.g., SSN or EIN). We will use this tax form information solely to submit relevant tax filings.
Information We Collect Automatically
When you use our Services, we may collect automatically information from your devices. For example, we may collect:
- Log Information: We collect log information when you use our Services, including access times, pages viewed, IP address, and the web page that referred you to our website.
- Device Information: We collect information about the computer or mobile device you use to access our Services, including the hardware model, operating system and version, your web browser, and device identifiers (including a network ID used to communicate with other nodes on the network).
- Location information: We collect and process general information about the location of the device from which you are accessing the Service (e.g., approximate geographic location inferred from an IP address).
- Telemetry Information: If you use the Software, we may collect the amount of free and used storage space on your device, bandwidth upload and download speeds, and other statistics about your device and network connection.
- Performance Information: If you are a Customer, we may collect the amount of data transferred via our Services, the contract associated with the transferred data, and a log of the outcome (success or failure) of audits performed on your node.
- Usage Information: If you use our Storage Services, we may collect metadata about your usage and the file shards that are distributed via the Storage Services (including shard size, number of shards, and frequency of access), and we may record instances in which you have used your private key to authenticate communications.
Information Collected by Cookies and Other Tracking Technologies via Our Services: We and our service providers use various technologies to collect information when you interact with our websites and mobile apps, including cookies and web beacons. Cookies are small data files that are stored on your device when you visit a website, which enable us to collect information about your device identifiers, web browsers used to access the Services, pages or features viewed, time spent on pages, mobile app performance and links clicked. Web beacons (or pixel tags) are electronic images that may be used in our web services or emails to help deliver cookies, count website visits, understand usage and determine the effectiveness of our email marketing campaigns. (Please see “5. Cookies and Online Analytics” below).
2. Use of Information
We may use information about you for various purposes, including to:
- Provide, maintain, deliver, and improve our Services;
- Develop new products and services;
- Personalize your experience;
- Respond to your requests for information;
- Send you technical notices as well as support and administrative messages;
- Subject to applicable legal obligations, communicate with you about products, services, promotions, events, and other news and information we think will be of interest to you;
- Monitor and analyze trends, usage, and activities in connection with our Services;
- Detect, investigate, and prevent suspected fraudulent transactions and other illegal activities, and protect the rights and property of Storj and others;
- Investigate good-faith, alleged violations of our Agreements;
- Secure our Services and Customers;
- Link or combine information we collect from or about you;
- Carry out any other purpose for which the information was collected; and,
- Fulfill other purposes with your consent or at your direction.
3. Legal Bases for Use of Information
If you are located in the European Economic Area (“EEA”), please note that the legal bases under the GDPR for using the information we collect through your use of the Services are as follows:
- Where use of your information is necessary to perform our obligations under a contract with you (for example, to comply with the Agreements which you accept by using the Services);
- Where use of your information is necessary for our legitimate interests or the legitimate interests of others (for example, to provide security for our Services; operate our Services; prevent fraud; analyze use of and improve our Services; and for similar purposes);
- Where use of your information is necessary to comply with a legal obligation; and,
- Where we have your consent to process data in a certain way.
4. Sharing of Information
- With service providers that perform work for us so that they can perform such work;
- When you use interactive areas of our Services, like our blog or other online forums, certain information you choose to share may be displayed publicly, such as your username, actions you take, and any content you post;
- In response to a request for information if we believe disclosure is in accordance with, or required by, an applicable law, regulation, or legal process;
- If we believe your actions are inconsistent with our Agreements or policies, or to protect the rights, property, and safety of Storj or others;
- In connection with, or during negotiations of, any merger, sale of Company assets, financing or acquisition of all or a portion of our business by another company;
- Between and among Storj and any current and future parents, affiliates, subsidiaries and other companies under common control and ownership; or,
- With your consent or at your direction.
Notice About Use of our Public Forums and Features
Certain features of our Services make it possible for you to share comments publicly with others, such as through our public forums, blogs, and message boards. You should be aware that any information you provide or post in these ways may be read, collected, and used by others who access them. We encourage you to be cautious about the information you submit (e.g., choose a username that does not disclose your personal identity). Whenever you post something publicly, it may be impossible to remove all instances of the posted information, for example, if someone has taken a screenshot of your posting.
Social Sharing Features
Our Services may offer social sharing features and other integrated tools. Your use of such features enables the sharing of information with your contacts or the public, depending on the settings you establish with the entity that provides the social sharing feature. For more information about the purpose and scope of data collection and processing in connection with social sharing features, please visit the privacy policies of the entities that provide these features.
5. Cookies and Online Analytics
We use first and third-party analytics tools to process the use of our site and products. If a person is accessing our site from an IP address outside the US, first- and third-party session cookies are applied only when a customer clicks to accept them. Visitors accessing our site from IP addresses within the US will be presented with the opportunity to opt out of having first- and third-party session cookies applied. Session cookies on our site provide for better business analysis and helpful insights for how the site is performing.
In addition, we use industry standard methods to understand website referral sources, visits per page, and page-to-page referrals on our site. Data collected using these methods is aggregated and is not attributed to individual site visitors.
When a website visitor accepts a session cookie, we place our cookie in the browsing session to gain a better understanding as to how visitors navigate through our site. When a user who accepts a session cookie creates an account, we then gain insights around product behavior in association to the referral source of this customer, enabling insights for marketing initiatives that will help grow our business.
Third-party tools are in use in our documentation to understand what pages are being used the most. We also use third-party email marketing tools for non-essential emails. These have analytics functionality that provide insights as to when emails are opened and what links are accessed. We do not sell or share this information with anyone else. The types of tracking and analytics tools we and our service providers use for these purposes are:
- “Local shared objects,” or “flash cookies,” may be stored on your computer or device using a media player or other software. Local shared objects operate much like cookies, but cannot be managed in the same way. Depending on how local shared objects are enabled on your computer or device, you may be able to manage them using software settings. For information on managing flash cookies, for example, click here.
- A “pixel tag” (also known as a “clear GIF” or “web beacon”) is a tiny image – typically just one pixel – that can be placed on a web page or in our electronic communications to you in order to help us measure the effectiveness of our content by, for example, counting the number of individuals who visit us online or verifying whether you’ve opened one of our emails or seen one of our web pages.
Do Not Track. Do Not Track (“DNT”) is a privacy preference that Customers can set in certain web browsers. We are committed to providing you with meaningful choices about the information collected on our website for online advertising and analytics purposes, and that is why we provide the variety of opt-out mechanisms listed above. However, we do not currently recognize or respond to browser-initiated DNT signals. Learn more about Do Not Track.
6. Aggregate/De-Identified Information
We may aggregate and/or de-identify information collected through the Services so that such information can no longer be linked to you or your device (“Aggregate/De-Identified Information”). We may use Aggregate/De-Identified Information for any purpose, including without limitation for research and marketing purposes, and may also share such data with third parties, including advertisers, promotional partners, and sponsors, at our discretion.
7. Your Choices and Rights
Account information. We encourage you to periodically review and update your settings and profile information by logging into your account.
Telemetry Information. Users of the Software can opt out of our collection of Telemetry Information. Please refer to the settings area of the Software to opt out of this collection.
8. International Customers
Personal Data Transfers Outside of the EEA
Storj may transfer some of your personal information outside of the EEA. Storj may transmit some of your personal information to a country where the data protection laws may not provide a level of protection equivalent to the laws in your jurisdiction, including the United States. As required by applicable law, Storj will provide an adequate level of protection for your personal data using various means, including, where appropriate:
- relying on a formal decision by the European Commission that a certain country ensures an adequate level of protection for personal data (a full list of such decisions may be accessed online here).
- entering into appropriate data transfer agreements based on language approved by the European Commission, such as the Standard Contractual Clauses (2010/87/EC and/or 2004/915/EC), which are available upon request at email@example.com (please note that this email address does not process requests related to “Data Subject Rights” below);
- implementing appropriate physical, technical, and organizational security measures to protect personal information against accidental or unlawful destruction, accidental loss or alteration, unauthorized disclosure or access, and against unlawful forms of processing; and,
- taking other measures to provide an adequate level of data protection in accordance with applicable law.
Any onward transfer is subject to appropriate onward transfer requirements as required by applicable law.
Data Subject Rights
If you are an EEA resident, you may have a right to request from Storj access to and rectification or erasure of your personal data or restriction of processing concerning you, as well as the right to data portability under the GDPR. You also have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data by us, and we can be required to no longer process your personal data. In general, you have the right to object to our processing of your personal data for direct marketing purposes. If you have a right to object and you exercise this right, your personal data will no longer be processed for such purposes by us. You can exercise such rights by accessing the information in your account or by filling out the GDPR Data Subject Rights Webform.
Please also note that Storage Materials are encrypted, which prevents Storj and Node Operators from accessing the information. Those who wish to access or delete any personal information within Storage Materials must direct their queries to the relevant Customer.
If you have provided consent for cookies that are not strictly necessary, direct marketing emails or other data processing, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing or other activity based on consent before you withdraw it. You have the right to lodge a complaint with a supervisory authority.
9. Additional Information for California Residents
The California Consumer Privacy Act (“CCPA”) applies to certain companies based on thresholds set in the law. The CCPA applies to companies that meet at least one of the following: minimum annual gross revenue of $25M; collects the personal information of at least 50,000 “consumers” (as defined under the law), households, or devices; or, derives at least 50% of its revenue from the sale of consumers’ personal information. None of these currently apply to Storj. Companies that are subject to the CCPA, however, must provide California residents with some additional information regarding the collection, use, and sharing of “personal information” as defined in the CCPA. Although Storj currently is not subject to the CCPA, we voluntarily are providing certain additional information below for informational purposes only:
How We Source, Use, and Disclose Information for Business Purposes
The following chart describes the categories of personal information we collect, the sources of such personal information, and how we use and share such information for business purposes.
Your California Privacy Rights
If the CCPA were applicable to Storj, the CCPA would require us to provide certain information to California residents upon request. Specifically, the CCPA would allow California residents to request us to:
- Inform them about the categories of personal information we collect or disclose about them; the categories of sources of such information; the business or commercial purpose for collecting their personal information; and, the categories of third parties with whom we share/disclose personal information.
- Provide access to and/or a copy of certain personal information we hold about them.
- Delete certain personal information we have about them.
- Provide them with information about the financial incentives that we offer to them, if any.
The CCPA exempts certain information from some requests including, for example, a company may need certain information to provide the requested services or to comply with a legal obligation. In some circumstances if the consumer still asks for their information to be deleted, they may no longer be able to access or use the services offered. Notwithstanding, the CCPA protects a person making a request under the law to be free from discrimination for exercising their rights.
Companies subject to the CCPA should take reasonable steps to verify the consumer’s identity before responding to a request, including by asking for verification information to match at least two verification points with information already on file. If the consumer can’t be verified this way, a company has the right, but not the obligation, to request additional information from the consumer. The CCPA also permits consumers to designate an authorized agent to submit certain requests on their behalf. The authorized agent must have signed, written permission to make such requests or a power of attorney, and may be subject to additional verification before the authorized agent’s request is processed.
As noted above, Storage Materials are encrypted, which prevents Storj and Node Operators from accessing the encrypted data. If the CCPA applies, any person who wishes to access or delete personal information within Storage Materials must send their queries to the relevant Customer.
California “Shine the Light” Disclosure
The California “Shine the Light” law gives residents of California the right under certain circumstances to opt out of the sharing of certain categories of personal information (as defined in the Shine the Light law) with third parties for their direct marketing purposes. Storj’s policy and practice is to never share personal information with third parties for their direct marketing purposes. Accordingly, there is no need for Storj consumers to opt out.
10. Additional Information for Nevada Residents
Under Nevada law, certain Nevada residents may opt out of the “sale” of “covered information” (as those terms are defined under Nevada law) where the sale allows the person buying it to license or sell such information to additional persons. “Covered information” includes first and last name, address, email address, phone number, social security number, or an identifier that allows a specific person to be contacted either physically or online.
Storj does not sell consumer information as defined under Nevada law. Notwithstanding, if you are a Nevada resident who has purchased or leased goods or services from us, Nevada law permits you to submit a request to opt out of the sale of your covered information. To do so, you may email your request to firstname.lastname@example.org. Please note we will take reasonable steps to verify your identity and the authenticity of the request.
11. Data Retention
Storj keeps personal data as long as required to provide the Services you requested and as needed to comply with applicable laws and compliance practices.
12. How We Protect Your Data and Our Services
We take measures to protect your information against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, and access. However, no method of transmission over the internet, and no means of electronic or physical storage, is absolutely secure. By using our Services, you acknowledge and accept that we cannot guarantee the security of your information and that use of our Services is at your own risk.
When you sign up for an account, you may be required to establish a username and password. If you create an account with us, you are responsible for maintaining the confidentiality of your account password and for any activity that occurs under your account. We are not responsible for any loss or damage arising from your failure to maintain the confidentiality of your password.
13. Third-Party Links and Features
The Services may contain links to third-party services, and you may also integrate our Services with third-party services. Our provision of such links does not signify our endorsement of such other websites, services, locations, or contents. If you choose to use these third-party services or features, you may disclose your information not just to those third parties but also to their users and customers and the public more generally, depending on how their services function. Storj is not responsible for the content or practices of such third-party services. The collection, use, and disclosure of your information will be subject to the privacy policies of the third-party services. We urge you to read the privacy and security policies of third parties.
14. Children's Privacy
The Services are not intended for children under 13 years of age and we do not knowingly collect, maintain, or use personal information from children under 13 years of age. We will take reasonable steps to delete personal information (as defined by the United States Children’s Online Privacy Protection Act) as soon as reasonably possible if we learn that we have inadvertently collected it from children under the age of 13 without parental consent.
If you learn that your child has provided us with personal information without your consent, you may alert us at email@example.com. If we learn that we have collected any personal information from children under 13, we will take steps promptly to delete such information and terminate the child’s account.
16. Contact Information