1Password

1Password is a privacy-focused password manager developed by AgileBits Inc.


Collection

Is it clear why the service collects the personal data that it does? Yes

10/10

Decided Aug. 27, 2019. This question accounts for 12% of the final score.

This question deals with transparency. Even if the service uses data for reasons that aren't ideal for privacy, provided they list all of those uses, the service can still receive full credit for this question. However, if they are not explicit about their uses (by employing language like "such as"), a lower score is assigned.

Possible Options

No: 0/10
Somewhat: 4/10
Mostly: 7/10
Yes: 10/10
No personal data is collected: 10/10

Citation

"We retain only enough Service Data to operate and maintain the services. These data are never used for any other purpose."



Does the service collect personal data from third parties? No

10/10

Decided Aug. 27, 2019. This question accounts for 12% of the final score.

This includes the use of data brokers and independent verification authorities (such as background check providers).

Possible Options

Yes: 0/10
Only for critical data: 7/10
No: 10/10

Citation

"We do not collect or obtain data from third parties."



Does the policy list the personal data it collects? Yes, generally

7/10

Decided Aug. 27, 2019. This question accounts for 12% of the final score.

All general categories of collected personal data are listed, though not all types of personal data are explicitly mentioned (for example, the list might use a phrase like 'such as' when listing types of personal data).

Possible Options

No: 0/10
Only summarily: 3/10
Yes, generally: 7/10
Yes, exhaustively: 10/10

Citation

"We get some limited data from your use of the 1Password products and services. Such data includes your IP address, and the make and model of your device through which you access or use 1Password products or services."

"It is visible to our staff and includes, but is not limited to, server logs, billing information, client IP addresses, number of vaults and number of items in vaults, company or family name, and email addresses. Service data includes the name you provide us for your profile and any image that you may upload, at your option and discretion, as part of your profile."



Does the service allow the user to control whether personal data is used or collected for non-critical purposes? On an opt-in basis

5/5

Decided Aug. 27, 2019. This question accounts for 6% of the final score.

Non-critical use of personal data is not enabled by default.

Some services allow users to opt out of or opt in to non-critical collection or use of personal data, such as collecting data for personalized advertisements.

Possible Options

No: 0/5
On an opt-out basis, but only for some non-critical data/uses: 1.5/5
On an opt-out basis, for all non-critical data/uses: 3/5
N/A (no data used for non-critical purposes): 5/5
On an opt-in basis: 5/5

Citation

The only non-critical data collected is Diagnostic Data. "This information is sent to us only on a case by case basis, or by users who explicitly opt into our beta software programs or who otherwise explicitly choose to provide diagnostic data to us."



Transparency

Does the policy require users to be notified in case of a data breach? Yes, eventually

5/7

Decided Aug. 27, 2019. This question accounts for 8% of the final score.

Users will be notified in case of a data breach, but within an unspecified amount of time.

Note that all companies operating in the EU are subject to Art. 33 of the GDPR, which requires companies to notify their data protection authority of a data breach within 72 hours of discovering it.

Possible Options

No: 0/7
Yes, eventually: 5/7
Yes, within 72 hours: 7/7
N/A (the service collects so little personal data that notification would not be possible): 7/7

Citation

"In an event of a breach, we recognize our responsibility to our customers and to the public to disclose the nature of the risk and provide a transparent account of the events without undue delay. We follow applicable requirements under the laws, that is, the Canadian data privacy breach notification requirements and the requirements related to data breach notification under the GDPR."



Is the policy's history made available? Yes, with revisions or a change-log

5/5

Decided Sept. 11, 2019. This question accounts for 6% of the final score.

Possible Options

No: 0/5
Only the date it was last modified: 3/5
Yes, with revisions or a change-log: 5/5

Note

Previous versions of the policy are available on 1Password's website.



Will the affected users be notified when the policy is meaningfully changed? Yes

5/5

Decided Aug. 27, 2019. This question accounts for 6% of the final score.

Possible Options

No: 0/5
Yes: 5/5
N/A (no personal data—or contact information—collected): 5/5

Citation

"At our discretion, we may make changes to this Policy and note the date of the last revision. You should check here frequently if you need to know of updates to our Privacy Policy. We maintain the right to send you annoying email informing you of substantive changes. Previous versions will be made available from this page."



Does the policy outline the service's general security practices? Yes, including independent audits

3/3

Decided Sept. 13, 2019. This question accounts for 4% of the final score.

Independent "reviews," "monitoring," etc. also count as independent audits.

Possible Options

No: 0/3
Somewhat: 1/3
Yes: 2/3
Yes, including audits: 2.5/3
N/A (no personal data collected): 3/3
Yes, including independent audits: 3/3

Citation

"We understand and accept our responsibility to protect Service Data and Secure Data. We use strict access control mechanisms, network isolation, and encryption to ensure that Secure and Service Data is only available to authorized personnel. Additionally, Secure Data cannot be decrypted even by those who do have access to it."

Note

PrivacySpy publishes its audits here, and while it does not release the results publicly, it is SOC 2 type 2 certified.



Handling

Does the service allow third-party access to private personal data? Yes, not all parties specified (but only to critical service providers)

7/10

Decided Aug. 27, 2019. This question accounts for 12% of the final score.

This may come in the form of outright data sharing or by using local third-party analytics software (such as Google Analytics, which collects a plethora of user information).

Note that whether the policy allows sharing aggregated user data does not affect this question.

If the personal data is encrypted when it passes through the third-party, it does not count as third-party access (as the data is inaccessible to that party).

If personal data has been made public by, for example, posting it to a blog, it does not count as private personal information (and is therefore not considered by this question).

Possible Options

Yes, not all parties specified: 0/10
Yes, all parties specified (including non-critical service providers such as advertisers): 3/10
Yes, not all parties specified (but only to critical service providers): 7/10
Yes, all parties specified (only to critical service providers): 8/10
No: 10/10

Citation

"Your Secure and Service data are held by third party data processors, who provide us with hosting and other infrastructure services. The locations of these are described above. In many cases (but we cannot promise that this will always be the case) even Service data held by these entities is encrypted with keys held only by us."

"Data needed to process payments is collected by our payment processor, Stripe, Inc., which conforms to the U.S.-E.U. Privacy Shield Framework."



Does the policy allow personally-targeted or behavioral marketing? No

10/10

Decided Aug. 27, 2019. This question accounts for 12% of the final score.

Possible Options

Yes: 0/10
Yes, but you can opt-out: 3.5/10
Yes, but you must opt-in: 7/10
No: 10/10

Citation

"We use your personal data to provide you with services associated with the use of 1Password account and to provide you with a rich customer experience through our customer support. In particular, we use your data to provide 1Password services, which includes updating, securing and troubleshooting, and providing support."



When does the policy allow law enforcement access to personal data? When reasonably requested

3/5

Decided Aug. 27, 2019. This question accounts for 6% of the final score.

Possible Options

Always: 0/5
Not specified: 0/5
When reasonably requested: 3/5
Only when required by a court order or subpoena: 4/5
N/A (no personal data to share): 5/5
Never (special legal jurisdiction): 5/5

Citation

"We will comply with applicable laws and the contracts with our customers to provide Service Data and encrypted Secure Data to law enforcement agencies. If permitted, we will notify you of such a request and whether or not we have complied."



Does the service allow you to permanently delete your personal data? Yes, by contacting someone

3/5

Decided Aug. 27, 2019. This question accounts for 6% of the final score.

Even if there is a reasonable delay before the data is fully deleted (as is common), the data still counts as "permanently deleted" and satisfies the parameters for this question.

Possible Options

No: 0/5
Yes, by contacting someone: 3/5
Yes, using an automated mechanism: 5/5
N/A (no personal information collected): 5/5

Citation

"We want happy customers, not trapped ones. We will not lock you out of your own data. However, we are unable to decrypt your Secure Data; you will need your Master Password and Secret Key to decrypt it."

"You may export your 1Password data at any time you wish during the life of your account. If you discontinue payment, your account will enter a frozen (read-only) state for a period not less than six months during which you may still retrieve and export your data."

"As we are merely custodians of your data, account owners have the right to instruct us to remove data permanently from our systems. To ensure that no one’s data is deleted without their consent, you must first delete your account through an authenticated session. After your account has been deleted, the account owner may contact us and ask for the data to be expunged. Once the request is authenticated, the data will be removed from our active systems within 72 hours."




Warnings

1Password has no warnings published on PrivacySpy. PrivacySpy publishes warnings when it learns a service has announced a data breach or is found misusing user data. If you believe a warning should be published for 1Password, submit one here.


8.6/10


Version Added

Aug. 27, 2019

Ratings Updated

Sept. 15, 2019

Warnings

0

Maintained by

Admins
