1Password X for Firefox was designed with a deep respect for your privacy. The data you save is encrypted and inaccessible to us. Anything else is only ever used to provide you with service and support.
We believe strongly that your data is yours and we don’t want to know anything about it. This is one of the fundamental beliefs 1Password was built upon.
Our business relies on trust and reputation. Earning the trust of millions of customers and security professionals over the course of the past decade took more than promises. It took an open security design that enforces privacy through encryption and proven mathematical principles.
Those principles ensure that you and your team are the only ones with the keys to your data. There are no back doors. We know so little about your data that we are proud to say we can’t reset your Master Password, even if you asked us to. This is what we call “Private By Design,” and it’s the basis of everything we do.
Thank you for trusting us with your most important information. We won’t let you down.
1Password X for Firefox and your privacy
EU GDPR Compliant
1Password X for Firefox, hereinafter referred to as 1Password, complies with the requirements of the European Union's General Data Protection Regulation (GDPR). Read our GDPR statement.
Data saved in 1Password
Your passwords, credit cards, notes, and all your other items are protected with strong encryption:
- All your passwords and other saved items are private. The vaults and items you save in 1Password are end-to-end encrypted with keys that only you possess.
- Your Master Password is private. We don't know your Master Password and can't reset it or bypass it to access your data.
- Your metadata is private. Metadata like titles, URLs, tags, and custom icons are also encrypted.
Personally identifiable information
We collect only the information necessary to provide our services and assist you in troubleshooting. We collect information about:
- Your 1Password account: What kind of account you signed up for, who owns that account, and how that account has been paid for.
- Your usage: When you log in, how many vaults you create, how many items are stored in your vaults, and how much storage space you use.
- You: Your IP address, the devices connected to your account, and the name, email address, and profile pictures that you have given to us.
Personally identifiable information is never shared with third parties.
Privacy features in 1Password
Some features in 1Password take additional measures to protect your privacy:
- Watchtower downloads the list of compromised sites to your device before checking if your logins are affected, so no information about your logins is shared with us. Integration with haveibeenpwned.com is provided on an opt-in basis. Learn more about Watchtower.
- Rich icons are downloaded for the logins you have saved in 1Password. Requests are made anonymously, discarded immediately, and not logged anywhere.
At AgileBits, we believe that the less information we know about you, the better. After all, it is impossible to lose, misuse, or abuse information we don't have. To the extent that we have control over your data or data about you, we see ourselves as custodians of that data on your behalf.
We use your data solely to provide you with services in which you enroll. Our business is providing 1Password products and services to you, the customer. We have no desire or interest to use or transfer the limited data we acquire for any other purposes.
As stated in our GDPR statement, the services offered through 1Password.eu and 1Password.ca fully comply with the requirements of the European Union's General Data Protection Regulation (GDPR).
Who We Are
AgileBits is a Canadian company located at Suite 303, 49 Spadina Ave, Toronto, Ontario, M5V 2J1, Canada. AgileBits complies with Canadian privacy laws. The European Union ("EU") recognizes Canada as a destination country with "adequate level of protection" for data privacy of individuals.
Who are You
Unless otherwise noted, we refer to you, the Customer, as an owner or organizer of an individual, family, team, or business account.
Information We Keep and How We Use It
We retain two kinds of user information to deliver our services: Secure Data and Service Data. Both are treated securely with respect for customer privacy and data confidentiality, but there are important technical and usage differences.
Secure Data is data that we are not capable of decrypting under any circumstance. It includes all information stored within vaults in 1Password accounts. This data is encrypted using secure cryptographic keys that exist only in the possession and under the control of our customers. We have no way of accessing or providing decrypted Secure Data, and we never receive copies of unencrypted Secure Data.
Your Secure Data is your property. We claim no rights to it beyond those necessary to deliver services to you. You may add, modify, and delete Secure Data at your discretion. If you do not have a 1Password account, you cannot provide us with Secure Data.
We inevitably acquire Service Data about your usage of 1Password, your account, and your payments through operating our services. We retain only enough Service Data to operate and maintain the services. This data is never used for any other purpose.
Service Data is kept confidential. It is visible to our staff and includes, but is not limited to, server logs, billing information, client IP addresses, number of vaults and number of items in vaults, company or family name, and email addresses. Service data includes the name you provide us for your profile and any image that you may upload as part of your profile.
We retain the right to hold and use Service Data to provide our services, troubleshoot problems, analyze the performance and demands on our services, and to provide our payment processors with the information they need to process payments.
Diagnostic Data (Optional)
Diagnostic Data is a type of Service Data which is not automatically collected or required for operation of our services.
In some cases we solicit diagnostic reports and other troubleshooting, bug, and crash reports from customers to help identify and solve problems with our products and services. This information is sent to us explicitly on a case by case basis, or by users who explicitly opt into our beta software programs or who otherwise explicitly choose to provide diagnostic data to us.
Diagnostic Data may contain sensitive information about your devices and operating environment as well as personally identifying information. Although there may be occasions when we ask for Diagnostic Data to assist you with a problem, you are never obligated to provide it.
Diagnostic data never includes decrypted Secure Data. We will never ask for your Master Password or Secret Key.
Keeping Your Information Safe
We understand and accept our responsibility to protect Service Data and Secure Data. We use strict access control mechanisms, network isolation, and encryption to ensure that Secure and Service Data is only available to authorized personnel. Additionally, Secure Data cannot be decrypted even by those who do have access to it.
Data Processing Agreement (GDPR)
1Password.eu and 1Password.ca fully comply with the GDPR, including the third country data transfer requirements. 1Password.com complies with everything except for third country data transfer requirements.
Data Location and Transfer
- 1Password.eu data is held on servers located within the European Union. Service Data access is restricted to members of our staff residing in either the EU or Canada. The European Union recognizes Canada as a destination country with "adequate level of protection" for data privacy of individuals.
- 1Password.ca data is held on servers located in Canada. Service Data access is restricted to members of our staff residing in Canada. The European Union recognizes Canada as a destination country with "adequate level of protection" for data privacy of individuals.
- 1Password.com data is held on servers located within the United States. Service Data is available to members of our staff irrespective of their location. The transfer of 1Password Service Data to the United States has not yet been shown to comply with Articles 44–50 of the GDPR, and therefore European users of 1Password.com must accept the risk of data transfers to the United States or use 1Password.ca or 1Password.eu.
Customer support system
Our customer support and email services are hosted primarily in the United States.
Any information you choose to send us through email or our customer support system may pass through and be stored on a variety of intermediate services. If you wish, you may encrypt email to us using our PGP public key.
Third-Party Data Processors
Your Secure and Service data are held by third party data processors, who provide us with hosting and other infrastructure services. The locations of these are described above.
In many cases (but we cannot promise that this will always be the case) even Service data held by these entities is encrypted with keys held only by us.
Data needed to process payments is collected by our payment processor, Stripe, Inc., which conforms to a U.S.-E.U. Privacy Shield Framework. See https://stripe.com/privacy-shield-policy
We may use your contact information to communicate with you about Service activity, provide support, and send you other information such as product updates and announcements. You may choose to stop receiving communications from us, except certain important notifications such as billing and account security alerts.
Your Responsibilities for Protecting Your Data
When you create a 1Password account you will receive a Secret Key and create a Master Password. Your Secret Key is generated on your computer and your Master Password is something you create yourself. For your protection, you should create a strong and unique Master Password to ensure that it is not easily guessed.
It is extremely important that you understand that anyone with both your Secret Key and Master Password can access your Secure Data. It is equally important that you keep a copy in a safe place for your own reference, because future access to your Secure Data depends on having access to both your Secret Key and your Master Password. We will never ask you for your Master Password or your full Secret Key, and you should never send either to us.
Due to the nature of our design and the sensitivity of the information you entrust to us (even in encrypted form), it may not be possible for us to help you with certain customer service requests unless you are listed as an account owner and are communicating from your verified email address. In the event that you change your email address, it is very important that you update your email on your 1Password account(s) or you may eventually lose access.
We want happy customers, not trapped ones. We will not lock you out of your own data. However, we are unable to decrypt your Secure Data; you will need your Master Password and Secret Key to decrypt it.
You may export your 1Password data at any time you wish during the life of your account. If you discontinue payment, your account will enter a frozen (read-only) state for a period not less than six months during which you may still retrieve and export your data.
Export is limited to your Secure Data. Vault permissions, the structure of groups of individuals, and other information about the relationship between individuals and data are not guaranteed to be included in export.
Your Right to Know What We Know
You have the right to know what we know about you and to see how that data is handled. You may request a screenshot of what we can see about you in our back office systems. However, to protect customer privacy, such requests must be carefully authenticated beyond demonstrating control of the customer's email address.
Your Right to Have Your Data Erased
As we are merely custodians of your data, account owners have the right to instruct us to remove data permanently from our systems. To ensure that no one's data is deleted without their consent, you must first delete your account through an authenticated session. After your account has been deleted, the account owner may contact us and ask for the data to be expunged. Once the request is authenticated, the data will be removed from our active systems within 72 hours.
Disaster recovery and data availability requirements mean that AgileBits has a legitimate interest in maintaining secure and immutable backups. Erasure requests will leave those backups untouched, and we will only remove data from backups if legally compelled to.
Cookies and Tracking
We do not engage in or support cross-service tracking.
Client applications, including web browsers, will store information about your account to assist with future sign-ins and keep some information available to you when you are not signed in. Users may remove all such information from their devices, but doing so will require that they provide complete information (account details, Master Password, and Secret Key) on subsequent sign-ins.
Consent for Underage Enrollment
Those under the age of 16 may not use the services without the consent or authorization of their parent or legal custodian. Family account organizers and team owners are responsible for that authorization when they add someone under the age of 16 to an account.
We will comply with applicable law with respect to providing Service Data and encrypted Secure Data to law enforcement agencies. If permitted, we will notify you of such a request and whether or not we have complied. Your Secure Data remains encrypted with keys which we do not possess, and so we can only hand over Secure Data in encrypted form.
Some Service Data is made available to family account organizers and team owners. In some limited circumstances we may provide some information to non-owner members of these accounts. Account owners will be informed in these circumstances.
If the confidentiality of customer data is breached, we recognize our responsibility to our customers and to the public to disclose the nature of the risk and provide a transparent account of the events without undue delay. At a bare minimum, we must inform the applicable supervisory authorities as required by law and regulation.
If you have any questions about this Policy, you can contact our support team or write us by mail at:
Suite 303, 49 Spadina Ave
M5V 2J1, Canada
If you have concerns or complaints about this policy or practices with regard to that you do not feel you can resolve through contacting us, you should bring those concerns to your local regulatory authority.
For residents of the European Union, our primary Supervisory Authority is the Berlin Commissioner for Data Protection and Information Freedom.
Berliner Beauftragte für Datenschutz und Informationsfreiheit
10969 Berlin, Germany
Tel.: +49 30 13889-0
Fax: +49 30 2155050
Thanks for reading! <3