Policy · v1.0

Metadata Policy

Encryption protects file content. Metadata is everything around it — sizes, timestamps, IDs. We minimize what we collect, encrypt what we can, and tell you exactly what remains.

Operating principle

We collect the minimum metadata needed to operate the service safely (deliver files, enforce quotas, detect abuse, comply with legal obligations). When a field can be encrypted client-side without breaking that, we encrypt it. When it must remain in the clear for the system to function, we keep it as opaque as possible.

The full list

File content
The bytes you upload
encrypted
Until you delete · 30-day trash
File name
Display in your vault
encrypted
Until you delete
File size (ciphertext)
Quota enforcement, bandwidth accounting
operational
Until you delete
Owner ID
Access control via RLS
operational
Account lifetime
Parent folder ID
Vault structure
operational
Until you delete
Sealed key envelope
Lets you (and only you) unwrap the file key
encrypted
With the file
Ciphertext SHA-256 hash
Verify integrity before decryption
operational
With the file
Mailbox subject
Search and display
encrypted
Until you delete
Mailbox blind-index tags
HMAC-based encrypted search
minimized
With the message
Email address
Login and account contact
operational
Account lifetime
Argon2id parameters
Reproducing master-key derivation
operational
Account lifetime
Account creation timestamp
Billing and lifecycle
operational
Account lifetime
Session creation timestamp + IP country (no IP)
Geo-anomaly detection on new sessions
minimized
365 days
Failed-login counters
Brute-force protection
minimized
30 days
Audit log entries
Security event trail (append-only)
operational
Account lifetime, immutable
Abuse-report metadata
Triage of reported shares
minimized
180 days
Anonymous share-view IP hash
Per-share rate limiting only
minimized
24 hours
CSP violation reports
Detect tampering with delivered frontend
operational
90 days

What we never store

  • Your password, in any form.
  • Your master key or any unwrapped file key.
  • Plaintext file content.
  • Decrypted file names, ever.
  • Anonymous-viewer IP addresses (only short-lived SHA-256 hashes for rate limiting).
  • Behavioral telemetry on what you store, view, or share.

Retention defaults

Operational logs
90 days, then purged.
Audit logs
Account lifetime, append-only — required for security event reconstruction.
Trash & versions
30 days from soft-delete, then hard purged.
Account deletion
30-day grace period, then irreversible cryptographic erasure.
Share view records
Per-share counters only, no per-viewer history.
Failed-login attempts
Auto-expire after 30 days.

We update this page whenever we change what we collect. See the security changelog for diffs.

Encrypted on your device · upload in 1 click
Upload