QNAP Cloud Security, Disclaimer, and Privacy Notice
Security and privacy are top concerns at QNAP. Every time you use any of our QNAP Cloud services, we make it a point to protect your data and ensure uninterrupted service availability. These are core principles embedded into the design of our products, technologies, processes, service expert training, as well as the very fabric of our enterprise.
Security
Through QNAP Cloud services, we deliver secure, resilient services to our customers all over the world. We do this in a number of ways.
Privacy
We understand that when you use our cloud services, you are entrusting us with your most valuable asset—your data. We are committed to keeping your personal data safe.
Cookies
We believe in being clear and open about how we collect and use data related to you. In the spirit of transparency, we would like to provide detailed information about how and when we use cookies for QNAP Cloud.
Services
QNAP Cloud consists of several services, which may collect different types of data for different purposes in different ways under the QNAP Privacy Policy. You may interact with QNAP Cloud services through its websites, mobile apps, software utilities, and QNAP devices. You can always review the specifications of each service and then decide what information you want to share with us.
Technical Information
Security
Privacy
Services
Cookies
Technical Information
Protected Data Transfer
All confidential data transferred between you and QNAP Cloud are authenticated and encrypted. The QNAP Cloud API uses HTTPS (HTTP over TLS), which is adopted as the standard for online transactions and banking. It provides authentication and protection against eavesdropping, tampering, and forgery of messages.
Protected Data Storage
QNAP Cloud data storage is protected by multiple layers of security in world-class data centers. Access to the data is restricted and logged for anomaly detection and auditing. Data is encrypted before being saved to the storage media, while encryption keys are stored and managed on separate media.
Authentication
Your account and device data can only be accessed after you authenticate your QNAP Account (QID). Your QID is further protected by two-factor authentication, which offers an extra layer of security to ensure that you are the only person who can access your account, even if someone guesses your password. In addition, your QID login password will never be stored on any device. Moreover, you can always revoke access rights granted to any device.
Account Activity Logging
The QNAP Cloud server keeps a detailed account log, which makes auditing capabilities possible for your QID. You can monitor your account activity logs to check abnormal account activity. You can receive audit messages through email when important changes occur on your account, such as sign-in attempts with QID using a new device.
Granular Security Control
We offer extensive services for remote access to your device and also provide mechanisms for you to control the services that are set to be made accessible or disabled, according to your network environments and security requirements. The granular control allows you to comply with the principle of least privilege.
World-class Operation
We run QNAP Cloud services on world-class data centers that provide excellent network connectivity and robust facilities. The services are hosted on redundant servers with the scale-out capability. Important data is replicated in real time and periodically backed up. We also deploy continuous service monitoring and log analysis systems, and so, any service degradation can be detected and recovered in a timely fashion.
Principles

Our privacy principles govern the way we design and implement our solutions and procedures to safeguard your privacy.

  • We only collect the data that we need in order to serve you or improve your service experience.
  • We put you in control of your privacy by equipping you with simple privacy options and easy-to-use tools.
  • When you opt out, terminate your service subscription, or delete your data, we will remove your data from our system. In case your data is required for legal purposes, we will keep your data in our system for no longer than six (6) months.
  • We at QNAP believe that your privacy is a fundamental human right. We aim to defend this right to the best of our ability, within the parameters of your local privacy laws.
  • We make sure that we are transparent about our data collection and processing so that you can make informed decisions concerning your data privacy.
Your Rights

You have certain rights with respect to the information that we hold about you, including:

  • The right to request that we erase your personal data where it is no longer necessary for us to retain such data.
  • The right to request that we correct any personal data if you find any part of it inaccurate or outdated.
  • The right to request that we erase your personal data where it is no longer necessary for us to retain such data.
  • The right to withdraw your consent to the processing of your data.
  • The right to restrict our processing of your personal data or to object to our use of your personal data.
  • The right to lodge a complaint regarding our processing of your data, with the competent authority where you reside or in which your data is processed.

Your rights may be restricted in circumstances where we have compelling legitimate grounds for processing your data which override your interests and rights, or if we need to continue processing the data for the establishment, exercise, or defense of legal claims.

Please also be advised that if you exercise your right to erase data, to restrict or object to our processing, or to withdraw your consent, we may not be able to continue providing our services to you if the data necessary for processing is missing.

Your Choices

We design our products and services to offer you flexibility to manage your data. You can choose what data to share, stop sharing, and delete anytime. We only transfer your data to QNAP Cloud when the feature is enabled. Only the data required for that specific feature will be transferred. If the data is stored in QNAP Cloud, you will be able to review and modify the data on your QNAP device, application, or website. If you decide to disable the feature, any of your data on QNAP Cloud related to feature will be deleted.

If you do not agree with the way a specific feature processes your data, you may choose not to use the feature. QNAP Cloud is designed to allow you to utilize most of its features without requiring you to supply all of your data. For example, you may still use your QID to access all the services even without providing a personal profile picture.

If you are not satisfied with the QNAP Cloud service, or if you have any questions, feel free to contact us.

Non-Personal Data
We also collect data in a form that does not, on its own, permit direct association with any specific individual. We may collect your activities on our website, cloud services, software, and hardware. The data is anonymized before being stored in our servers. We then aggregate this data to help us understand which parts of our website, products, and services are of most interest to you, and use those insights to deliver more useful information to you.
What is Cookie?
A cookie is a small file placed onto your device that enables QNAP Cloud features and functions. Cookies play an important role in making your web experience better. Without them, browsing the web would be frustrating.
Cookie Usage

We use cookies on our websites and mobile applications. Any browser used to visit these sites receives cookies from us. We use cookies for the following purposes:

  • Security: We use security cookies to authenticate users, prevent fraudulent use of login credentials, and protect user data from unauthorized parties. We also use cookies to keep track of your trusted computers. This conveniently allows you to skip two-step verification.
  • Preferences: These cookies allow our websites to remember your preferences—such as your region and language—so we can better customize your experience.
  • Performance: We use this type of cookies to understand how visitors use our websites. This data is aggregated and anonymized. Data such as pages visits, loading time, and loading errors help us improve the design and functionality of our websites.
Do Not Track (DNT)
DNT is a concept promoted by regulatory agencies such as the U.S. Federal Trade Commission (FTC). It urges the internet industry to develop and implement mechanisms that allow internet users to control the tracking of their online activities across websites through browser settings. QNAP Cloud does not track customer activity over time and across third-party websites for targeted advertising purposes. Therefore, it does not respond to DNT signals.
Controlling Cookies

Most browsers automatically accept cookies by default. You can modify your browser settings to either reject our cookies or prompt you to accept a cookie. Most browsers also let you review and erase cookies. However, if a browser does not accept cookies or if you reject a cookie, it may also stop you from saving customized settings like login information, and some portions of our websites may not function properly.

Account Center (QID)

Your QID is the account ID you use for everything related to QNAP Cloud. You use it when: registering a QNAP NAS through myQNAPcloud in order to enable remote access service and event notifications, buying a license on the QNAP License Store, and using QNAP mobile apps to connect to your NAS.

When you create a QID in QNAP Account Center or link your QID to your other cloud accounts such as Facebook or Google, we may collect your name, email address, phone number, IP address, and profile photo. We also maintain your account preferences, including language and time zone, and log your account activities for security purposes.

We use your QID to check your identity, grant you access rights, and communicate with you. You and other users with QID can identify each other on QNAP Cloud using your QIDs. Your friends, for example, can create share links on their own QNAP NAS and send you email invites through the email address linked to your QID profile. Since your names and profile pictures are accessible to other users on QNAP Cloud, you can control your list of contacts based on their QIDs.

When you log in to any QNAP product, web interface, or mobile or PC application using your QID, we may collect the basic configurations and IP address of the software or device you used to log in.

You may log in to QNAP Account Center (https://account.qnap.com/) to view your QID profile data.

myQNAPcloud

myQNAPcloud provides the remote connection service to many QNAP products. When you register your device to myQNAPcloud, the basic configurations and remote connection data—such as IP address, port numbers, and URLs—are constantly transferred to and stored in QNAP Cloud. This allows you and your friends to connect to your QNAP device through QNAP software and websites using only your device name or URL. For your privacy, myQNAPcloud also allows you to control who can retrieve this data from your device. myQNAPcloud only provides the connection service and the access to the files or services. Your device still requires you to enter your user name and password.

  • DDNS
  • myQNAPcloud Link
  • Online Document Viewer
  • Supporting Services
If you use your myQNAPcloud DDNS name (device_name.myqnapcloud.com) to connect to your QNAP product, the connection is established directly between your client device and your QNAP product. myQNAPcloud only serves the DNS name query to provide the corresponding WAN IP address of your QNAP product. Normally, your internet service provider’s (ISP’s) DNS server forwards the DNS query, so QNAP Cloud servers do not store your device’s IP address. The servers also use masking to anonymize source IP addresses. You can disable DDNS on the user interface of your QNAP product anytime.
With myQNAPcloud Link, myQNAPcloud provides network address translation-traversal (NAT-T)-based remote connection service. In some network conditions that do not allow direct connection to your QNAP NAS, the data may traverse through our servers. Our servers only log the information connection for security purposes. The traffic data only passes through the servers without leaving any trace of the contents. You can disable myQNAPcloud Link on the user interface of your QNAP product anytime.
File Station and myQNAPcloud allow you to view your Microsoft Office files, like Word and Excel, on browsers. It is supported by the online doc viewer on Microsoft Office 365 or Google Doc website, depending on the service you choose on the user interface. In order to show the contents of your selected file on the browser, the file will be transferred to Microsoft or Google through myQNAPcloud myQNAPcloud Link. If your files contain confidential information, do not use the online doc viewer.
myQNAPcloud servers provide supporting services to QNAP products. It helps identify its WAN IP address and the location derived from the IP address. It also helps count the number of QTS app downloads. Because these supporting services are very simple and are essential to your user experience, we consider them anonymous services, and you do not need to have a QID in order to use them. For these types of services, our servers do not store any data that can be used to identify or locate your QNAP products.
Event Notifications

After registering your NAS to myQNAPcloud, you can enable push notifications for NAS events. When you enable notifications through mobile apps or browsers, your device or browser configuration data will be stored in QNAP Cloud servers. This is done so when there are new events, event data can be routed correctly to your mobile app or browser.

Event data is transferred to our servers and then forwarded to the respective push notification service providers, depending on the platform of the device receiving the notifications. Apple and Safari use the Apple Push Notification Service (APNs). Android, Chrome, and Firefox use Google Firebase Cloud Messaging (FCM). QNAP Cloud servers collect only the connection information, and do not store your event data.

You can go to your QNAP NAS user interface anytime to view and delete the devices that receive event data from QNAP Cloud. If you unregister your NAS from myQNAPcloud, the information for the mobile apps will be also deleted.

QTS Cloud Install

If your NAS with QTS is not initialized or powered up without any usable drives, your NAS will report the issue to QNAP Cloud so you can identify the NAS through Cloud Key or the Cloud Install website (https://install.qnap.com). If your NAS is not yet initialized, we may collect its connection information when it is connected to the internet.

If you connect to the Cloud Install website or your NAS, your browser may be redirected to the NAS user interface. The initial setting will be conducted through the direct connection between your browser and the NAS without the intervention of QNAP Cloud. However, if you are located on a different network, QNAP Cloud servers will need to route the traffic between your browser and the NAS. The servers log only the connection information for security purposes, while the traffic data only passes through the servers without leaving any traces of its contents. You may choose to stop the initial setting and relocate to the network of your NAS.

We advise you to keep your Cloud Key confidential and to not leave your NAS uninitialized for a long time. The connection of an uninitialized NAS to QNAP Cloud servers only lasts 24 hours. After that period, the data is deleted.

IFTTT Integration
You may install IFTTT Agent and grant IFTTT service access to your NAS so it can receive event messages from your NAS. The kinds of events may vary from when the NAS detects new files in a folder, executes actions, or downloads a file from other cloud services to a folder. QNAP Cloud interacts with the IFTTT service for authentication and protocol translation. The traffic between IFTTT and your NAS passes through the myQNAPcloud myQNAPcloud Link servers. The servers only log the connection information for security purposes, while the traffic data only passes through the servers without leaving any traces of the contents. You may disable the connection on the IFTTT website.
Auth Connector

You can connect your QNAP NAS to third-party cloud services in order to access, transfer, or synchronize your data. For example, Notification Center can send event messages to your Gmail account, or Hybrid Backup Sync can continuously synchronize your data between your NAS and your Dropbox account.

If a third-party cloud service requires you to grant access permissions to your QNAP NAS through an OAuth protocol, QNAP Cloud provides the connection service (https://connector.myqnapcloud.com) that facilitates the Oath operations between your NAS and the third-party cloud service. Once the operations are complete, your NAS can directly connect to the third-party cloud service without the intervention of QNAP Cloud. The servers collect only the connection information and do not store the data of the OAuth operations.

Online Payment

When you purchase licenses from the License Store or myQNAPcloud SSL certificates, we may collect your device and billing information, which may include your name, billing address, VAT, and payment method. We use this information to complete transactions, generate receipts, and report taxes, as well as for auditing, fraud prevention, and legal compliance.

We use certified third-party payment services to securely process your payment. Your detailed payment information, such as your credit card number, is not processed by our servers. The payment is processed by ECPay, if you are paying in New Taiwan dollars, and by PayPal, if you are paying in other currencies or with your PayPal account.

By deleting your QID, all your purchased items and payment records will be deleted. However, we will remove your transaction history after the minimum storage period based on our legal obligations.

License Service

When you install a license on a QNAP product, we may collect the hardware identification information of the QNAP product, including the serial number, firmware version, IP address, and MAC address. Your QNAP product will connect to QNAP Cloud servers from time to time to validate the installed licenses, if needed. If you have not installed any licenses on a QNAP product, it does not connect to QNAP Cloud servers.

Some products, such as McAfee antivirus or myQNAPcloud SSL certificates, are offered by third-party providers who require us to report device identification information for their billing and auditing purposes. The shared data is strictly only for aggregated statistics, such as counting the number of activated licenses. None of your QIDs or other device information are shared.

You may view the license information on the user interface of your QNAP product or on the License Store website (https://license.qnap.com). By deleting your QID, all your purchased licenses will become invalid. We will remove your transaction history after the minimum storage period based on our legal obligations.

KoiBot

KoiBot is a product of QNAP and IEI. IEI manufactures the hardware, while QNAP offers the software and the cloud service. The cloud services of KoiBot share certain infrastructure with other products like QID, device registration, and push notifications. You need to have a QID account to use KoiBot. KoiBot is currently only available in certain regions.

  • Voice Commands
  • Video Calls
  • Cloud Album
KoiBot provides voice commands which require speech recognition in QNAP Cloud to understand your queries, and in some cases, to execute commands. KoiBot only sends the recorded audio to QNAP Cloud after you explicitly instruct it to do so, by either using its touch panel and main button, or using wake words. KoiBot processes your wake words without sending your voice commands to QNAP Cloud. KoiBot also provides you with explicit audio and visual cues when it enters listening mode for your voice commands.
When you use KoiBot and KoiTalk for video calls, QNAP Cloud servers will help set up the call and will connect the calling peers to each other. In most cases, the traffic of your call data will be transferred directly between the peers. However, in some network conditions that do not allow direct connections between the peers, the data may traverse through our servers. Because your call data is encrypted before being sent out of the client applications, our servers are unable to decrypt the data. The servers only log the connection information for security purposes.
The photos and videos taken and recorded by KoiBot and KoiTalk are uploaded to your album in QNAP Cloud. All members of your user group will have access to that album. Files are stored for as long as you like. You may delete the files anytime. You can share files in your album to others, but the share link expires after a short period of time.
Communication

You will receive important notifications according to your QID profile settings. These notifications may include messages about system maintenance, security advisories, updates to the terms and policies of QNAP Cloud, your purchases, device registration, and password reset. Since these notifications are critical and not marketing-related, you may not opt out of receiving them.

By default, we communicate with you through email. However, in some cases, where you only provide your phone number, or when you enable two-step verification, we will send you messages through short message service (SMS). You are responsible for providing the correct email address and phone number on your QID profile to receive notifications.

We use Amazon Web Services (AWS) to deliver our email. For system-wide announcements, we may embed a tracker in the email to track if the emails were delivered successfully. For SMS, we use Twilio. The SMS messages are pure text.

If you are communicating with our support staff through Helpdesk (https://helpdesk.qnap.com), you can view its privacy policy on the Helpdesk website.

Data Anonymization

Data anonymization refers to a type of data processing that removes or modifies data to make it very difficult or impossible to identify a person or to associate data to a person. We have adopted this technique because it allows us to retain important data while keeping your privacy safe, and it minimizes the risk of security breach.

We apply different data anonymization techniques based on the sensitivity of the data and how it is used. For example, we may remove email addresses from our access logs while retaining other parts of the logs. This way, logs can still indicate NAS access without revealing who accessed the NAS. We may also modify the IP address in our access logs by masking the last byte. This way, we may still be able to roughly derive the origin location of the user accessing the NAS, but not the user’s identity or device.

Data Analytics

Data analytics is the process of examining datasets in order to draw conclusions about the characteristics of a group of entities instead of a specific entity. It allows us to make more informed decisions like budgeting and prioritizing features. The data generated from the data analytics is aggregated data, and does not contain personal information.

We may conduct data analytics based on the data generated directly or indirectly when you interact with QNAP Cloud. For example, we may derive the ratio of preferred languages in our user community based on the preferred language settings of each QID user. We may also count the number of connections based on the access logs in our servers.

In some cases, we may collect your usage data from QNAP products in order to help us understand how we can improve our products. The collected data may be transferred to QNAP cloud servers periodically. The data does not contain information that can be used to identify you or your device. The data may include your OS version, software settings, or the number of times you accessed a feature. It does not include your hardware serial number, your name, or the content stored in your device. QNAP software will start collecting the data only after receiving your explicit consent. You can stop the collection anytime through the product user interface. Because the collected data is anonymized, it is not considered personal data and cannot be exported or deleted.

QNAP Cloud may utilize third-party services to help us collect and analyze our data. Currently, we utilize Google Analytics to collect usage data for our websites. Some of our mobile apps use Fabric (a Google subsidiary) for analytics and crash report analysis. We follow the guidelines of the service providers to anonymize the collected data. We use Google Cloud to store and process the anonymized analytics data. Although the data is anonymized, we still have set policies governing its protection, retention, and access.

Data Location

It is important for customers to know the geographic location of the data they entrusted to a cloud service, especially for companies who operate in highly regulated industries or in countries with data protection laws.

QNAP is a global business, and we may transfer personal information to countries other than the country in which the data was originally collected. However, when we transfer your personal information to other countries, we will protect that information as described in our Privacy Policy.

QNAP Cloud services are delivered to our customers in different regions. We have servers around the globe that guarantee performance and reliability. The locations of core data servers are in Amazon Web Services (AWS) and Google Cloud Platform data centers in the United States. We also have regional servers in Linode, Digital Ocean, and Google Cloud to serve customers outside China, and in Alibaba Cloud and west.cn to serve customers in China. All the servers are directly managed by the QNAP Cloud operation team in Taiwan.

When you contact our customer service teams to help you utilize our products better or troubleshoot issues, we may share data related to your request with them. Customer service teams processing your request may be located in other countries.

Data Retention

The way your data is retained and deleted depends on the type of data and how it is used. Some of the data is automatically deleted by the predefined policy. Some data, you can delete anytime through your product user interface. We may retain some data for longer periods of time, when necessary. When you delete data, we follow a deletion policy to make sure that your data is safely and completely removed from our servers or retained only in anonymized form.

When you delete your data from our system, we immediately start the process of making it inaccessible to any user and programming interface. However, in order to protect our users and customers from accidental data loss, and to help us recover from potential disasters with minimized data loss, we may need to briefly delay the deletion or maintain a backup for your data. Your data may remain on our systems for up to six (6) months until the backup is deleted.

Sometimes, business and legal requirements oblige us to retain certain data for specific purposes and for an extended period of time, regardless of your deletion. For example, we need to maintain your payment and license data for longer periods of time as required for tax or accounting purposes, and your direct communications with QNAP.

In some cases, rather than provide a way to delete data, we store it for a predetermined period of time. For each type of data, we set retention timeframes based on the reason for its collection. For example, we keep non-anonymized access logs in servers for six (6) months in case we need to extract detailed information from the logs for troubleshooting. The logs are encrypted and are protected using strong access control measures.

As with any deletion process, things like routine maintenance, unexpected downtime, software defects, or data transfer issues, may cause delays in the process and the timeframes defined in this article. We maintain systems designed to detect and remediate such issues.