Thank you for using Wickr for Business, a suite of secure communications services, which consists of Wickr Plus, Wickr Pro and Wickr Enterprise (“Wickr Business Products”), administered through Wickr’s messaging network and the application downloaded by the user (collectively, the “Service” or "Services"). Wickr Inc.  (“Wickr”, “we”, or “us”) and the Service allow you to encrypt and send messages and place encrypted calls (in Beta) to facilitate collaboration within a secure ephemeral environment. 

This document, the Wickr for Business Privacy Policy (“Privacy Policy”), governs how we handle users’ data both in the Service itself and on our servers. For more information about our data handling practices for Wickr’s consumer product, please click here. There are a few core differences in these two products, so please read their respective privacy policies carefully. 

This Privacy Policy is incorporated into and is subject to the Wickr for Business Terms of Service (“Terms of Service”) and Terms of Use (“Terms of Use”), so please read these documents carefully. Your use of the Services indicates your consent to this Privacy Policy, the Terms of Service and the Terms of Use. If you do not want to be bound by these agreements, you may not use our Services. 

We work very hard to preserve your privacy and security, and we do our best to be as transparent as possible in explaining how we use your data in providing our Services. Please contact us if you have any questions at privacy@wickr.com. 

Our Privacy Practices in Brief 

Wickr has to collect some information about you in order to provide our Services to you, but we work to do so in a limited and secure way, as follows: 

  • Neither Wickr nor the organization with which you are affiliated have access to secure rooms and messages you transmit by using the Service. Your messages are protected with multiple layers of encryption before they are transmitted to our servers, which is intended to make the messages only accessible to the intended recipient(s). If additional users are added to a secure room by you or by another user, then those users will be able to see the messages shared within that room as well. Please note that users can only see the messages transmitted within a secure room from the moment they joined the conversation.
  • Information about you such as your email address and business affiliation will be provided to us by the organization that you are affiliated with for the purposes of creating your account. This information may also be available to other users of the service within your private enterprise network. For information about how the entity or organization that you are affiliated with uses this information, please consult directly with that entity or organization. 
  • You control how long your messages are viewable and how long secure rooms are active before they expire or are manually deleted. The upper limit of messages’ lifespans may vary depending on the Wickr service provided to you by the organization with which you are affiliated.
  • We do not share or sell any data about our customers for third party purposes.

Please review the rest of this Privacy Policy, below, for additional detail about the summary above. 

What Information Does Wickr Collect? 

We are committed to limiting our collection of your information to only what is necessary to provide you with the Services. An administrator for the entity or organization with which you are affiliated (“Administrator”) may provide us with personally identifiable information about you, such as your e-mail address, for purposes such as sending you an e-mail with a link to download the Service. The entity or organization with which you are affiliated with may retain this information for as long as you are affiliated with that organization or entity or as long it uses the Service. We also collect information from users as described in greater detail below: 

Mandatory User-Provided Information: You are required to provide limited information during the registration process to create a Wickr for Business account and to begin using the Service.  

  • Your ID: Your Wickr for Business ID is your e-mail address. Other users of the Service within the network of the entity or organization you are affiliated with will be able to look you up and contact you using your Wickr for Business ID.
  • Your Password: We require you to have a password to use the Service, but we never store your password on our servers and don’t store it in plain text on your device. You will be able to change your password at any time. In case you forget your password, you will be able to restore your access by resetting your account with a new password. You will be asked to verify either your email or phone number, depending on the settings set by the entity or organization with which you are affiliated. Please note that resetting your password will result in losing your existing conversations. For your security, we recommend that you use a long, unique password consisting of a mix of upper and lower-case letters, numbers, and symbols.

Optional User-Provided Information: We provide a few optional features for your convenience, and for the convenience of the entity or organization that you are affiliated with. Some of these features permit you to provide additional personal information at your or your organization's election.

  • Profile Information:  The Service may allow you or your organization to set up your profile, which may include your Wickr for Business ID, name, avatar, or other information entered by your Administrator.
  • Phone Number: If two-factor authentication is enabled by the Administrator, the confirmation code will be sent to your phone number provided to us by the organization with whom you are affiliated for the purposes of verifying your identity. We use a third party service to deliver a confirmation SMS to you, but that party will not receive any information about you other than your phone number, and the SMS message itself will contain no information except a confirmation code.
  • Key Verification: Depending on the settings selected by the Administrator, you may be required to verify your contacts within and/or outside the network with which you are affiliated. You may use video verification to validate the identity of your contacts when establishing connections. You will be asked to record a short ID verification videowhich will be used to validate your identity with your contacts. If the ID video verification you receive from any of your contacts does not appear authentic, you can decline to verify their identity, thus rejecting the connection to protect your network. Your verification video is disguised with multiple rounds of salted, cryptographic hashing before it is transmitted to our servers, which renders it inaccessible to Wickr and the Administrator. If you decide to re-record your ID verification video, your previous video is automatically deleted from our servers.
  • Push Notifications: When setting up your Wickr for Business account, we will ask if you want to receive notifications of new messages, software updates, and other administrative and technological developments. Push notifications are functions of your device’s operating system, so if you enable this feature, your device operating system’s provider will know that you are using the Service, but will not be able to see the content of the messages you transmit using the Service.  
  • File Sharing: The Service will allow you to share files you have on your device. The Service will make encrypted copies of such files when sending them as Wickr messages, which will expire depending on the message expiration settings you select. Depending on the settings of a shared file, it may be downloaded locally on user devices.
  • Contacts: As you join the network with which you are affiliated, you will see all contacts within your network populate your Wickr for Business contact list. Depending on the Wickr service you use and the settings selected by the entity with which you are affiliated, you may be able to add contacts from outside your network to your Wickr for Business account. If you allow the Service to access your device’s contacts, you will be able to see who among your contacts is on Wickr for Business. The Service will send disguised representations of your contacts’ phone numbers and email addresses to our servers, ensuring that our server never comes into contact with raw unaltered contact information from your device.  Upon receipt, our server will check those representations against our database to see whether that contact has an associated Wickr for Business ID. We never store those device contacts on our servers.
  • Customer Service:  Any information provided to us by a user voluntarily when they request customer support or provide feedback (e.g., an email address, the contents of their request) will be used to respond to that individual request, and may be may be logged as part of our effort to improve our customer service, solve any product-related issues or improve our Service.  

Automatically-Collected Information: Wickr collects the following information automatically during your setup and use of the Service: 

  • Device Information: The Service will collect a hashed representation of your mobile device’s hardware ID during registration. The Service will connect that information with your account and tie your account to your device.
  • Aggregate Usage Data: During the operation of the Service, we also collect basic usage statistics, such as the number of messages sent by Wickr users daily, types of messages sent (e.g., voice messages more often than text), and other key performance indicators. We never attempt to, and cannot, identify users associated with any of this information.
  • Crash Logs: For purposes of debugging, error correction, and system continuity, Wickr Apps transmit crash logs to a cloud-based bug reporting platform. The logs do not contain any user personal information and they pertain only to the Wickr Service.

How Is Information Used and Disclosed? 

The limited information that we collect, receive, or have access to is used to provide the Service, to allow you to send and receive messages and files, to respond to your requests, and to improve the Service. It may also be shared under valid legal process and with third party service providers for the limited purposes described below.

Legal Process

Wickr is committed to transparency and to limiting what we disclose in response to legal process.  Please see our full Legal Process Guidelines, but here are the highlights:

When we receive a request for customer data related to the Service, we always attempt to redirect the third party to obtain the requested data from our customer. For valid requests that we are not able to redirect to the customer, we disclose information only when we are legally compelled to do so, and we always make sure that we provide only the data specified in the legal order. We will always notify our customers of any third party requests for their information unless we are legally prohibited from doing so. As soon as legally permissible, we will notify our users of requests for their information. We require a warrant before handing over the contents of communications; however, because of the nature of our technology, the contents of communications will be encrypted and undecipherable if obtained.

 Third Party Service Providers

To improve the Service we engage with various service providers (“Partners”) that may have access to some user information described in this Privacy Policy. Wickr takes all reasonable steps to minimize the information to which our Partners have access. We carefully select each of our Partners based on Wickr’s commitment to user privacy and security. Our security team meticulously vets each prospective partner to ensure its policies and practices are on par with Wickr’s standards.  

Here are the Partners with whom we work to provide the Service: 

  • To accelerate resolution of the most frequent customer inquiries, Wickr’s support is automated in collaboration with Zendesk, a customer support platform. 
  • To maintain high-security, fast and reliable service delivery worldwide, Wickr partners with AWS, a global cloud computing service provider. 
  • To deliver a confirmation SMS as part of Wickr’s two-factor authentication process, we use Twillio, a cloud communications service.
  • To deliver email invitations, we use an email server hosted by Mailgun, an email service provider.
  • To ensure secure, reliable subscription management and payment processing, Wickr partners with Recurly and Braintree.
  • To enable app distribution, we use the official App Stores or private app distribution methods preferred by the organization with which you are affiliated.
  • To host our website, we partner with Squarespace, a content management platform.
  • To manage bug reports, we use Bugsnag, a cloud-based bug reporting platform.

Each of these companies has its own policies for handling user data. Please review the respective privacy policies for ZendeskAWSTwilioMailgunRecurly, Braintree, Bugsnug, and Squarespace for additional detail on their specific practices. 

Data Retention 

Data Retention on Wickrʼs Servers 

Depending on which Wickr-hosted business product you are using, our servers store the encrypted messages that you send and receive for a period of time up to the sender-defined expiration time of the message (but no longer than 30 days for Wickr Pro and 6 days for Wickr Plus) to ensure their reliable delivery to each device associated with your account and the accounts to which you transmit messages.

We retain certain account data (i.e., when a user account was provisioned, when a user registered, and account settings changes). User profile information is stored on our servers for as long as you use the Service, or until account deletion by an Administrator.

Data Retention by Your Entity or Organization

The entity or organization with which you are affiliated with may retain information about you and your use of the Service, such as your profile information, for as long as the entity or organization desires. Please consult the entity or organization with which you are affiliated with for additional detail about its specific data retention policies.

Data Retention on Your Device 

All messages are stored in encrypted form on user devices. Users select a retention policy for their messages by choosing how long a message is viewable before it is deleted (via the expiration time, burn-on read time). The “expiration” time is a length of time before content is destroyed on all devices from the time it is sent (this is the maximum time-to-live). The “burn-on-read” time is a length of time before content is destroyed across all user devices once it has been read by that user (this will never extend the “expiration” time). Your content may be available to you and the recipient(s) locally, on your device(s) until it expires even after we delete it from our servers; however, you will not be able to download pre-existing content to a new device.

In addition, Wickr’s “secure shredder” technology uses forensic deletion techniques to help reduce the risk of deleted messages and temporary data being recovered.

Users for Whom the Service Is Intended

The Service is designed for communication purposes by individuals associated with an entity or organization. The Service is not designed for children under the age of 13. If we learn that we have collected personally identifiable information from a child under 13, we will take appropriate steps to delete such information as soon as possible.   

Users Outside the US 

If you use our Services and reside outside the U.S., your information will be transferred to the U.S. and will be processed and stored there under U.S. privacy standards.  

You are responsible for complying with any laws or regulations in your country that govern use of applications and services like Wickr. 

We Are Serious About Security 

We are concerned about safeguarding the confidentiality of your information. We provide physical, electronic, and procedural safeguards to protect information we process and maintain. For example, within our organization, we limit access to information about you and your use of the Service to authorized employees who need to know that information in order to operate, develop, or improve the Services. As described herein, we take every reasonable step to ensure that message contents are not retrievable by us or anyone else. 

However, we know that no security system can prevent all potential security breaches. Therefore, we have limited the potential implications of such a breach by designing our system so that in the event of a breah, we would have only limited information about you. 

Wickr’s network infrastructure and services are maintained in highly secure, strategically located data centers managed by AWS. Learn more about AWS security policies here

Revisions to the Privacy Policy

We may change this Privacy Policy, which pertains solely to our Wickr for Business Products, from time to time, for any reason. When we do, we will be sure to let you know one way or another by revising the date at the top of the Privacy Policy that’s available on our website and mobile application or we may provide you with additional notice (such as adding a statement to our websites’ home pages or providing you with an in-app notification). Your continued use of the Service following the posting or notice of any changed terms will denote your acceptance of such changes.

Contact Us if You Have Questions 

If you have any questions regarding privacy while using our Services, or have questions about our practices, please contact us via email at privacy@wickr.com.