Privacy Notice

August 7, 2018

This Privacy Notice describes how TunnelBear Inc. ("TunnelBear"), the company behind RememBear, handles your Personal Data when you use our RememBear services ("Services").

By using our Services and/or registering for an account, you are accepting the terms of this Privacy Notice and our Terms of Use which are integrated here by reference.

TunnelBear is a global company. Although our physical servers are located in many different countries around the world, TunnelBear does not store Personal Data outside of Canada's physical borders. By using our services, you authorize TunnelBear to use your information according to Canada's laws, regardless of which country you are located in.

If you have any questions or comments about this Privacy Notice, please contact us at: privacy (at) tunnelbear.com.

 Personal Data Collection and Use

As a provider of online privacy and security services, we ultimately strive to collect the minimal amount of information required to operate our service. This often means difficult trade-offs between the information we collect and the performance of our Service.

We believe in an open dialogue because this Privacy Notice is an evolving document. We welcome your thoughts and feedback on how we're doing.

  1. What is Personal Data?
  2. "Personal Data" means any information relating to an identified or identifiable natural person ("Individual") and includes information about you that you provide while using our Services. If we use or store Personal Data with information that is non-personal, we will consider the combination as Personal Data.

    The Personal Data we collect includes your Account Data, certain credit card or payment information and, in some circumstances may include Operational Data, as described below. We may also collect Personal Data you provide to us if you communicate with us, for example, to request support or information.

    We collect, use and disclose your Personal Data as necessary in order to provide you with the Services and for the other purposes identified below.

  3. Your RememBear Data
  4. RememBear was carefully engineered so that you and only you can access the information stored in RememBear. All items, such as passwords, credit cards, notes and any other types of data, stored by you in RememBear are end-to-end encrypted. No RememBear staff, including our support team and engineers, can view or access the information you store in RememBear.

    Your encrypted RememBear data will be stored on our servers in Canada so that you can sync between devices. Even though your data will be stored on our servers, it will only be accessible by you when you unlock it with your Master Password.

    TunnelBear does not own the data in your RememBear, this is your information and you can add to it, delete it and modify it anytime you choose.

  5. Account Data
  6. When you create or update your RememBear user account, we collect and store the following "Account Data". The Account Data is listed below in its entirety:

    Account Data
    What do we use it for?
    Email address

    Signing up for, providing support for and using your RememBear account.

    General communications, purchase receipts and occasional product news.

    Email confirmed
    Confirmation that your email address is valid.

  7. Operational Data
  8. TunnelBear also collects and stores "Operational Data" required to operate our Services. This is data that we collect and store when you connect to our Services. Operational Data is listed below in its entirety:

    Operational Data
    What do we use it for?
    OS Version

    e.g. iOS 7

    User support, troubleshooting and product planning
    RememBear App Version

    e.g. PC version 2.1.1

    User support and troubleshooting
    Feature activation

    e.g. Used RememBear extension

    Customer satisfaction, support and product planning
    Achievements

    e.g. Added a credit card

    Customer satisfaction, support and product planning
    Total number of items in RememBear

    e.g. 120 total items (no associated details)

    Customer satisfaction, support and product planning

  9. Personal and Financial Data Collected at Payment
  10. Making a purchase with a credit card on any of the Services will result in Personal Data being exchanged with payment processors.

    Credit Card Transactions

    TunnelBear processes credit card payment information securely through Stripe, a third party payment processor, whose use of your Personal Data is governed by their privacy notice. Stripe may store Personal Data associated with your financial transactions outside of Canada's borders, in which case such information will be subject to the laws of the jurisdiction in which it is held.

    When you pay with credit card, RememBear collects and stores the following information:

    Payment Data
    What do we use it for?
    Cardholder last name

    e.g. Smith

    For use in credit card fraud prevention
    Date of card use

    e.g. 2014/01/01

    For use in credit card fraud prevention
    Last four Numbers of Credit Card

    e.g. 5555

    For use in credit card fraud prevention

    TunnelBear does not store, but can securely login and view, the following information through our third party payment processor, Stripe:

    Payment Data
    What do we use it for?
    Card billing address
    For use in credit card fraud prevention
    Card expiry
    For use in credit card fraud prevention
    Last four Numbers of Credit Card
    For use in credit card fraud prevention
    Session information

    e.g. Device type, operating system, IP address at time of payment

    For use in credit card fraud prevention

    TunnelBear never stores your complete credit card number or your location at time of payment. To keep your payment information secure, we adopt all available security and multi-factor authentication measures available from our payment processors.

    TunnelBear operates exclusively with PCI compliant payment processors. Only our payment processors have the ability to collect, use and access your full credit card information and other financial information. They can use this information solely for the purpose of charging and invoicing you for our (paid) Services.

  11. Other Data TunnelBear Just does NOT Collect or have Access to:
  12. TunnelBear explicitly does NOT collect, store or log the following data:

    • IP addresses visiting our website
    • Your IP address when you use RememBear

    TunnelBear explicitly cannot access the following data:

    • Any passwords or credit cards you choose to store in your RememBear

  13. Cookies and Persistent Trackers
  14. Cookie Details
    Why do we store it?
    Cookie name: RB_ACCOUNT_MGMT
    Service: RememBear Authentication
    Cookie expiry: 30 days
    The account cookie is the authentication token for RememBear.com. It allows you to use your account without having to continuously login.
    Cookie name: RB_SESSION
    Service: RememBear website customization
    Cookie expiry: 30 days
    We send information to our website from our database and store it in this cookie. We use this information to customize the look of your RememBear account.
    For example, if we know you're logged in, the menu will change at the top of RememBear.com
    Cookie name: SERVERID
    Service: RememBear website load balancing
    Cookie expiry: 1 year
    Once you visit RememBear.com, we set this cookie to direct your traffic to the right place. While this cookie is active, it means you'll always visit the same server.
    Cookie name: _ga
    Service: Google Analytics – IP anonymization enabled
    Cookie expiry: 2 years
    To make our website better, we use Google Analytics (GA) to see how many people are visiting it. We have set GA to use the minimum available retention period and not store IP addresses.
    Cookie name: _gaid
    Service: Google Analytics – IP anonymization enabled
    Cookie expiry: 24 hours
    To make our website better, we use Google Analytics (GA) to see how many people are visiting it. We have set GA to use the minimum available retention period and not store IP addresses.
    Cookie name: _gat
    Service: Google Analytics – IP anonymization enabled
    Cookie expiry: 1 minute
    Google Analytics uses this cookie to limit the number of requests that we can make to their service in a given time period.
    Cookie name: _cfuid
    Service: DDoS protection - Cloudflare ID
    Cookie expiry: 1 year
    RememBear uses Cloudflare to protect our service from DDoS attacks. Cloudflare uses _cfuid in your browser so that once they have checked to see if you're a bot, they won't have to check again while you use our website.
    Cookie name: _stripe_mid
    Service: Payment provider - Stripe user
    Cookie expiry: 1 year
    RememBear uses Stripe to process credit card payments on our website. Stripe uses this cookie to help prevent fraud on RememBear.com.
    Cookie name: _stripe_sid
    Service: Payment provider - Stripe session
    Cookie expiry: 24 hours
    RememBear uses Stripe to process credit card payments on our website. Stripe uses this cookie to help prevent fraud on RememBear.com.

  15. Disclosure of Personal Information to Third Parties
  16. Except as described below or as required or permitted by law, TunnelBear will NOT disclose your Personal Data to any other third parties under any circumstance.

    Tunnelbear may disclose your Personal Data to third party service providers (e.g., payment processors as described above) to the extent necessary in order to provide you with the Services; in such case, we use contractual or other means to ensure that there is a comparable level of protection for any Personal Data that is processed for us by third parties.

    In the event TunnelBear is served with a valid subpoena, warrant or other legal document and applicable law requires TunnelBear to comply, the extent of disclosure is limited to the Personal Data listed within this Privacy Notice.

    As noted above, TunnelBear utilizes PCI-compliant third-party payment processors to collect your credit card and other billing information.

    If our organization structure changes (i.e., we undergo a restructuring or are acquired), we may need to migrate your Personal Data to a third party related to a business transaction, but, we will ensure that such a third party has entered into an agreement under which the use of your Personal Data is only related to purposes necessary for the transaction.

    TunnelBear does NOT store users originating IP addresses when connected to our Services and thus cannot identify users when provided IP addresses. Additionally, we cannot disclose information about the passwords, credit cards or other data our users store in their RememBear, as TunnelBear does NOT have access to this information.

     Commitment to Personal Data Principles

    Any Personal Data you provide to TunnelBear will be administered according to the following principles:

  1. Accountability
  2. TunnelBear is responsible for the Personal Data under our control and has designated one or more individuals to oversee Tunnelbear's privacy compliance. Should you have any questions, concerns or complaints about how your Personal Data is handled or questions about our Privacy Notice, feel free to contact us at privacy (at) tunnelbear.com.

  3. Consent and Legitimate Interest
  4. When you sign up for our Service and provide us Personal Data, you allow us to process that information in accordance with this Privacy Notice. We rely on legitimate interest for marketing, research, and fraud prevention. We will obtain your consent where required by law.

    You have the right to ask us not to contact you. To exercise your choices or ask questions about your Personal Data, please contact us by visiting our privacy center.

  5. Limiting Collection
  6. We take great care to not collect Personal Data indiscriminately and limit collection to the minimum necessary information required to operate our Services. By limiting the collection of Personal Data, we help to protect the privacy and security of your Personal Data.

  7. Limiting Use, Disclosure, and Retention
  8. We will not use or disclose your Personal Data for any purpose that you have not consented to. TunnelBear will NOT sell or trade Personal Data for commercial purposes.

    We store your Personal Data only as long as is necessary for the purposes for which it is collected to provide our Services, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce our agreements, and comply with applicable laws. We erase or destroy the records containing Personal Data when they are no longer required; this will be done in ways that will protect your continued privacy.

  9. Accuracy
  10. It is your responsibility to inform TunnelBear of any relevant changes in your Personal Data by updating your account information.

  11. Safeguards
  12. TunnelBear uses strong safeguards to protect the privacy of all our records, including your Personal Data. We implement physical, business and technical security measures that are designed to prevent and protect against loss or theft as well as unauthorized access, disclosure, copying, use or modification to or of your Personal Data.

    Only TunnelBear's employees or Service providers with a business need to know or whose duties require access to Personal Data, are granted access to our customers' Personal Data. All such employees are required as a condition of employment to respect the confidentiality of our customers' Personal Data. No staff will ever be able to access, view or modify your RememBear data. We use contractual or other means to ensure that there is a comparable level of protection for any Personal Data that is processed for us by third parties.

    Your RememBear data is secured by a Master Password that you select. YOU ARE RESPONSIBLE FOR PROTECTING YOUR MASTER PASSWORD. If you forget your Master Password, TunnelBear can reset your account, but in doing so the backup of your RememBear data on our servers will be deleted.

  13. Openness and Transparency
  14. So that you can be confident that we are handling your Personal Data appropriately, we take extraordinary measures to document our policies and provide openness and transparency around the Personal Data we collect, why we collect it and how we use, disclose and otherwise handle it. To find out more information about our policies and practices with respect to the management of your Personal Data, contact us at: privacy (at) tunnelbear.com.

  15. Individual Access
  16. If at any time you have a question about our records containing your Personal Data, we will do our best to answer it. You have the right to be told about the kind of Personal Data we maintain and how it is used. Upon request, we will provide you with information regarding the existence, use and disclosure of your Personal Data.

    You can request access to your Personal Data, or challenge its accuracy and completeness and request amendments, as appropriate, by contacting us at: privacy (at) tunnelbear.com.

  17. Users in the European Union
  18. If you are visiting from the European Union, please note that by providing your Personal Data, you consent to any transfer of your Personal Data to Canada and processing of your Personal Data globally in accordance with this Privacy Notice.

    Rights of Access, Rectification, Erasure, and Restriction

    You have the right to inquire as to whether TunnelBear is Processing Personal Data about you, request access to Personal Data, and ask that we correct, amend or delete your Personal Data where it is inaccurate.

    Visit RememBear's privacy center to request access to, receive (port), seek rectification, or request erasure of Personal Data held about you by TunnelBear.

    To protect your privacy, TunnelBear will verify your identity when you login to your account with a username and password, before granting access to or making any changes to your Personal Data.

    TunnelBear makes good faith efforts to provide Individuals with the ability to delete their Personal Data, however there may be circumstances in which TunnelBear is unable to delete all your Personal Data. An example of this exception could be deleting your data from database backups, where the difficulty of deleting your Personal Data likely exceeds the risk to your privacy.

    If TunnelBear determines that your Personal Data cannot be deleted in any particular instance, we will provide you with an explanation of why that determination has been made and a contact point for any further inquiries.

  19. Addressing Comments and Concerns
  20. We believe in an open dialogue, and understand that this Privacy Notice is an evolving document. We welcome your thoughts and feedback on how we're doing. If you have any questions, concerns or complaints about this Privacy Notice or our privacy procedures, please contact us at privacy (at) tunnelbear.com.

    If your privacy concerns or complaints are not addressed to your satisfaction by TunnelBear you may contact the Office of the Privacy Commissioner of Canada for further guidance at:

    30 Victoria Street
    Gatineau, Quebec K1A 1H3
    Toll-free: 1-800-282-1376
    Phone: (819) 994-5444
    TTY: (819) 994-6591
    www.priv.gc.ca

  21. Changes to Our Privacy Notice
  22. We may need to change our Privacy Notice from time-to-time and all updates will be posted online at RememBear.com. Your continued use of our Services after the effective date of such changes constitutes your acceptance of such changes. We will post an effective date at the top of the page for your convenience. We welcome your thoughts and feedback.