Privacy Policy
Last updated:
Ciphek, Inc. (“Ciphek”, “we”, “us”) operates a zero-knowledge encrypted media storage service at ciphek.com. This policy explains what data we collect, why, how long we keep it, and the rights you have over it under GDPR, the UK GDPR, and the California Consumer Privacy Act (CCPA) as amended by the CPRA.
The most important thing to understand about Ciphek’s privacy posture is that we cannot decrypt your media. Your master password derives your encryption keys in your browser; those keys never leave your device. We see ciphertext, byte counts, and the metadata listed in the table below. Nothing more.
What we can and cannot see
Ciphek’s data access boundary is technical, not policy-based. The table below states what the architecture allows and denies.
| What | Can Ciphek see it? | Why |
|---|---|---|
| Media content (video, photo, thumbnail, filename, tags, search index) | CANNOT SEE | Encrypted client-side with a key derived from your master password. The server stores opaque ciphertext and byte counts. |
| Account data (email hash, IP address, signup date, quota bytes consumed, payment metadata, encrypted TOTP secret) | CAN SEE | Required for authentication, billing, and abuse prevention. The TOTP secret is encrypted at rest with a server-side key; the server decrypts it only to verify a code at sign-in. Ciphek staff could technically decrypt it; they do not. |
| Master password and encryption keys | NEVER STORED | Derived in your browser by Argon2id and held only in your session memory. We never receive them. There is no recovery path if you lose the password and the recovery mnemonic. |
What data we collect
Account data
- Email address, stored as an Argon2id-hashed identifier for login lookup.
- Encrypted TOTP secret (encrypted at rest with a server-side key).
- Account creation timestamp and last sign-in timestamp.
- IP address of recent sign-ins, kept for 30 days for abuse prevention.
Encrypted vault content
- Opaque encrypted blobs: video chunks, photos, and thumbnails encrypted client-side before upload.
- Encrypted metadata blobs: filenames, tags, and search index, all encrypted client-side before storage.
- Per-file ciphertext byte counts, used for quota accounting.
Billing data
- Pro tier subscribers: Stripe customer ID, subscription state, and billing email passed to Stripe. Ciphek does not store card numbers; Stripe handles them directly.
- NOWPayments crypto subscribers: invoice IDs and on-chain settlement state.
Lawful basis (GDPR Article 13)
GDPR Article 13 requires that we identify the legal basis for each processing activity at the time we collect personal data. The table below maps each activity to its Article 6(1) basis and the applicable retention period.
| Processing activity | Lawful basis | Retention period |
|---|---|---|
| Account creation and authentication | Contract — Art. 6(1)(b) | Until account deletion |
| Encrypted blob storage and retrieval | Contract — Art. 6(1)(b) | Until user deletes the file or account |
| TOTP two-factor authentication | Legitimate interest — Art. 6(1)(f), security | Until 2FA is disabled or account deletion |
| Payment processing (Stripe / NOWPayments) | Contract — Art. 6(1)(b) and legal obligation — Art. 6(1)(c) for tax records | 7 years (US tax retention); subscription state until cancellation |
| Abuse and rate-limit logging (IP, request counts) | Legitimate interest — Art. 6(1)(f), fraud and abuse prevention | 30 days |
| Transactional email delivery (verification, billing) | Contract — Art. 6(1)(b) | Delivery logs retained 30 days by Resend |
| Service health and error logging | Legitimate interest — Art. 6(1)(f), service operation | 14 days |
Subprocessors (GDPR Article 28)
Ciphek processes the data above through the subprocessors below. Each is bound by a Data Processing Agreement that requires GDPR-equivalent protections. Cross-border transfers from the EU to the United States are governed by Standard Contractual Clauses except where noted.
| Vendor | Purpose | Data Processed | Region | Transfer Mechanism |
|---|---|---|---|---|
| Cloudflare R2 | Encrypted blob storage (video chunks, photos, thumbnails) | Ciphertext only — opaque encrypted bytes plus byte length | Global edge (data plane); account region: United States | Standard Contractual Clauses (EU → US) |
| Neon | PostgreSQL database for encrypted metadata, account records | Email hash, encrypted metadata blobs, encrypted TOTP secret, quota counters, billing references | United States (us-east-2) | Standard Contractual Clauses (EU → US) |
| Stripe | Card payment processing and subscription billing | Card details (handled directly by Stripe — never seen by Ciphek), billing email, subscription state | United States; EU data routed to Stripe's Irish entity | Standard Contractual Clauses + Stripe DPA |
| NOWPayments† | Cryptocurrency payment processing (BTC and other coins) | On-chain payment metadata, invoice identifiers, settlement status | European Economic Area (Estonia) | DPA pending verification — disclosed pre-checkout |
| Resend | Transactional email delivery (verification, password reset, billing receipts) | Email address, message subject, message body, delivery status | United States | Standard Contractual Clauses (EU → US) |
| Vercel | Frontend application hosting and edge runtime | Request metadata (IP, user agent, path), no plaintext media | Global edge; primary region United States | Standard Contractual Clauses + Vercel DPA |
| Fly.io | API server hosting (Hono on Bun) | Request metadata, encrypted blobs in transit, no plaintext media | Multi-region; primary iad (Ashburn, US) | Standard Contractual Clauses + Fly.io DPA |
- † NOWPayments: the Data Processing Agreement is pending verification. This is disclosed to you before checkout.
Ciphek does not sell personal information as defined by the CCPA. We do not share personal information with third parties for cross-context behavioral advertising.
California rights (CCPA / CPRA 2026)
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, gives you the rights below. Most of these rights are also available to non-California users under GDPR.
- Right to know what personal information we hold about you and how it is used.
- Right to delete your personal information. Account deletion erases your encrypted vault, encrypted metadata, and account record; encrypted backups expire from R2 within 30 days.
- Right to correct inaccurate personal information.
- Right to opt out of the sale or sharing of personal information. Ciphek does not sell or share personal information, so there is nothing to opt out of, but the right is preserved on principle.
- Right to non-discrimination for exercising any of these rights. Ciphek does not offer financial incentives in exchange for personal information.
To exercise these rights, send a verifiable consumer request from the email address associated with your account to privacy@ciphek.com. We respond within 45 days. We may extend the window once by 45 days for complex requests, with notice.
Data retention and deletion
Per-activity retention periods are listed in the Lawful Basis table above. This section describes what happens when you request deletion.
Account deletion (vault → settings → delete account) erases your account record, encrypted vault, encrypted metadata, and encrypted TOTP secret. Encrypted blobs are removed from Cloudflare R2 within 30 days; backup snapshots expire on the same schedule. Billing records required for tax compliance (invoices, refund history) are retained for 7 years per US Internal Revenue Service regulations and may not be deleted on request.
Contact and complaints
Privacy questions, GDPR/CCPA requests, and breach notifications go to privacy@ciphek.com. The data controller for the purposes of GDPR is Ciphek, Inc. (a Delaware corporation), with its principal place of business in Delaware, USA.
If you are in the EU or UK and believe Ciphek has violated your privacy rights, you may lodge a complaint with your local supervisory authority. We prefer to resolve issues directly first — please contact us before escalating.