Privacy Policy

Last updated: April 16, 2026 · Effective: April 16, 2026

StenVault is built on a zero-knowledge encryption architecture. We cannot access, read, or decrypt your files, filenames, or file contents — even if compelled by law. Your encryption keys never leave your device.

1. Introduction

This Privacy Policy explains how StenVault (“we”, “us”, “our”) collects, uses, stores, and protects your personal data when you use our end-to-end encrypted cloud storage service (“Service”). StenVault is operated from Portugal and is subject to the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and Portuguese data protection law.

This policy also addresses rights under the Brazilian General Data Protection Law (LGPD, Lei 13.709/2018) for users located in Brazil.

This Privacy Policy is a complement to our Terms of Service.

2. Data Controller

The data controller responsible for your personal data is:

StenVault

Operated from Portugal

Contact: privacy@stenvault.com

We do not currently have a formally appointed Data Protection Officer (DPO). For all privacy-related inquiries, please contact us at the email address above. We will appoint a DPO if and when required by applicable law.

3. What We Cannot Access (Zero-Knowledge)

Due to our zero-knowledge encryption architecture, the following data is encrypted on your device before being transmitted to our servers. We do not have the technical means to access:

  • Your files and their contents
  • Your filenames and folder names
  • Your Encryption Password
  • Your encryption keys (Master Key, file keys, folder keys)
  • Trusted Circle Recovery secret shares (held by your trusted contacts, not by us)

All encryption uses AES-256-GCM for file content, Argon2id for key derivation, and hybrid post-quantum cryptography (X25519 + ML-KEM-768) for key exchange. Under no circumstances can we decrypt end-to-end encrypted content and disclose decrypted copies, even if legally compelled.

4. Data We Collect

4.1 Account Data

Data | Purpose | Legal Basis (GDPR)
Email address | Account identification, notifications, billing | Contract performance (Art. 6(1)(b))
Display name | Shown in shares | Contract performance (Art. 6(1)(b))
OPAQUE registration record | Zero-knowledge authentication (password never leaves your device) | Contract performance (Art. 6(1)(b))
Encrypted Master Key blob | Key wrapping — cannot be decrypted without your Encryption Password | Contract performance (Art. 6(1)(b))
Subscription plan & status | Service delivery, feature access | Contract performance (Art. 6(1)(b))

4.2 Billing Data

Payment processing is handled entirely by Stripe. We do not store your full credit card number. We may receive and store:

  • Stripe customer ID
  • Subscription ID and status
  • Stripe payment method ID (no full card data stored by us)
  • Billing country (for VAT calculation)
  • Invoice PDFs archived for 10 years in a dedicated Cloudflare R2 bucket (Portuguese tax law obligation: CIVA Art. 52 and DL 28/2019)

Legal basis: Contract performance (Art. 6(1)(b)) and legal obligation for tax compliance (Art. 6(1)(c)).

4.3 Technical Data

Data | Purpose | Retention
IP address (rate limiting) | Abuse prevention, DDoS mitigation | 24 hours (Redis TTL)
IP address (audit logs) | Security event review (opt-in via Settings → Security → Session History, default OFF) | Up to 180 days when enabled; not stored at all when disabled
User agent string | Device identification, trusted device management | Up to 90 days after last use (trusted devices); same opt-in rule as IP for audit logs
Device metadata | Device approval workflow, session management | Until device is removed or 90 days after last use

Legal basis: Legitimate interest in service security and fraud prevention (Art. 6(1)(f)). We are a micro-enterprise outside the scope of NIS2 mandatory retention, so our audit log retention is chosen to minimise personal data rather than to meet a security floor.

4.4 Analytics

We do not currently run any analytics tooling on the Service. Any aggregate page-view counts derive only from anonymized server access logs and are not tied to individual users.

No consent required as no personal data is processed.

4.5 File Metadata (Encrypted)

We store encrypted blobs containing your files. The following metadata is associated with each file; filenames themselves are encrypted and unreadable by us:

  • File size (needed for quota enforcement)
  • Upload timestamp
  • Encryption version identifier
  • MIME type (encrypted or generic “application/octet-stream”)

4.6 Audit Logs

For security monitoring, we retain audit logs of authentication events, file access, and configuration changes for 180 days, after which they are permanently deleted. These logs contain:

  • User ID, email, action type, and timestamp
  • IP address and user-agent string — captured only if you have enabled Session History in Settings → Security. This option is off by default (GDPR Art. 25, privacy by default). Turning it off also anonymises any entries we have already stored for you.

Legal basis: Art. 6(1)(f) — legitimate interest in service security.

5. Cookies

StenVault uses only essential cookies required for the Service to function:

Cookie | Purpose | Duration
Session token (JWT) | Authentication | Session / configurable expiry
CSRF token | Cross-site request forgery protection | Session

We do not use advertising cookies, tracking cookies, or third-party cookies. No cookie consent banner is required as we only use strictly necessary cookies (ePrivacy Directive Art. 5(3) exemption).

6. Third-Party Data Processors

We use the following third-party services to operate StenVault. Each processor only receives the minimum data necessary for its function:

Processor | Purpose | Data Shared | Location
Stripe | Payment processing | Email, name, payment details | US/EU (GDPR DPA)
Cloudflare (R2) | Encrypted file storage | Encrypted blobs only (unreadable) | EU
Resend | Transactional emails | Email address, display name | US (GDPR DPA)
Railway | Application hosting, database | Application data (DB encrypted at rest) | EU
Upstash | Redis (rate limiting, sessions) | IP hashes, session tokens (ephemeral) | EU

All processors that handle personal data outside the EU do so under Standard Contractual Clauses (SCCs) or equivalent GDPR-compliant transfer mechanisms.

7. Data Retention

The schedule below is the authoritative retention reference. Each row maps to a specific retention job or endpoint in our codebase. Details are also published in our internal Record of Processing Activities (Art. 30 GDPR).

Data | Retention Period | Legal Basis
Account data (email, name, OPAQUE record) | Until account deletion | Art. 6(1)(b)
Encrypted files + filenames | Until deleted by you or account deletion | Art. 6(1)(b)
Trash (soft-deleted files) | Free: 30 days · Pro: 90 days | Art. 6(1)(b)
Version history (Pro only) | Pro: 30 days | Art. 6(1)(b)
Billing records (Stripe invoice PDFs) | 10 years (CIVA Art. 52, DL 28/2019) | Art. 6(1)(c)
IP addresses (rate limiting) | 24 hours (Redis TTL) | Art. 6(1)(f)
IP addresses (audit logs) | Opt-in only (default OFF); up to 180 days when enabled | Art. 6(1)(f)
Audit logs | 180 days, then hard-deleted | Art. 6(1)(f)
Session tokens | Until refresh-token expiry (default 7 days). Inactivity timeout locks the vault but does not delete the session. | Art. 6(1)(b)
Device trust records | Auto-expire 90 days after last use, or when you remove them | Art. 6(1)(f)
Webhook event logs (Stripe idempotency) | 90 days | Art. 6(1)(b)
Inactive Free accounts | Deleted after 12 months of inactivity (with 3 notice emails) | Art. 5(1)(e)
Public Send archives | Anonymous: 24h default, 7 days max. Authenticated: up to 90 days. | Art. 6(1)(b)

8. Your Rights

Under the GDPR (and LGPD for Brazilian users), you have the following rights regarding your personal data:

Right | How to Exercise
Access | Request a copy of your personal data via the self-service export at Settings → Storage → Export Data, or email us.
Rectification | Update your name and email from account settings, or contact us.
Erasure (“Right to be Forgotten”) | Delete your account from Settings. All data is permanently removed.
Data Portability | Export your complete vault as a ZIP archive via Settings → Storage → Export Data. Files are decrypted locally by your browser before being added to the archive. A JSON metadata file (account.json) with your profile and storage information is included.
Restriction of Processing | Contact us to request restricted processing of your data.
Objection | Contact us to object to processing based on legitimate interest.
Withdraw Consent | Where processing is based on consent, withdraw at any time without affecting prior processing.

To exercise any of these rights, contact us at privacy@stenvault.com. We will respond within 30 days as required by GDPR.

Note on encrypted data: Your encrypted files are technically inaccessible to us. “Erasure” of encrypted files means deleting the encrypted blobs from our storage. We cannot provide decrypted copies of your files as we do not possess the decryption keys.

If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority. For Portugal: CNPD (Comissão Nacional de Proteção de Dados).

9. Data Security

We implement the following technical and organizational measures to protect your data:

  • End-to-end encryption: AES-256-GCM for all file content, with keys derived via Argon2id (47 MiB memory cost).
  • Post-quantum cryptography: Hybrid X25519 + ML-KEM-768 key exchange, Ed25519 + ML-DSA-65 signatures.
  • Zero-knowledge authentication: OPAQUE protocol (RFC 9807) — your password is never transmitted to the server.
  • Transport encryption: TLS 1.3 for all connections.
  • Database encryption: PostgreSQL with encryption at rest.
  • Multi-factor authentication: TOTP-based MFA available for all accounts.
  • Rate limiting: IP-based rate limiting for authentication and API endpoints.
  • Anti-fraud: Disposable email blocking, registration velocity limits, Stripe Radar (payment fraud detection).

10. Data Breach Notification

In the event of a personal data breach, we will:

  • Notify the relevant supervisory authority (CNPD) within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
  • Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34).
  • Document the breach, its effects, and remedial actions taken.

Important: Due to our zero-knowledge architecture, even in the event of a server breach, your file contents and filenames remain encrypted and unreadable. An attacker gaining access to our servers would obtain only encrypted blobs that cannot be decrypted without your Encryption Password.

11. International Data Transfers

Your encrypted files are stored in the European Union (Cloudflare R2, EU region). Our primary database is hosted in the EU (Railway, EU region).

Some of our processors (Stripe, Resend) may process limited personal data in the United States. These transfers are protected by:

  • EU-US Data Privacy Framework (where applicable)
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Supplementary technical measures (encryption in transit and at rest)

12. Children's Privacy

StenVault is not directed at children under 13. We do not knowingly collect personal data from children under 13. Users aged 13–16 in the European Union must have parental consent to use the Service.

If we discover that we have collected data from a child under 13 without appropriate consent, we will delete the account and associated data promptly. If you believe a child under 13 has created an account, please contact us at privacy@stenvault.com.

13. Law Enforcement and Disclosure

We may disclose personal data to law enforcement authorities only when:

  • Required by a valid legal order from a court of competent jurisdiction in Portugal or the EU.
  • Necessary to prevent imminent harm to individuals.
  • Required by applicable law.

Under no circumstances can we disclose the content of your encrypted files. We do not possess your encryption keys and cannot decrypt your data. In response to a valid legal order, we can only provide:

  • Account email address and display name
  • Account creation date
  • Subscription plan and billing information
  • IP addresses (rate-limiting counters retained for 24 hours; authentication audit logs retained for up to 180 days only when Session History is enabled — off by default)
  • Encrypted file metadata (sizes, timestamps — filenames are encrypted)

We will notify affected users of any law enforcement request unless legally prohibited from doing so (e.g., by a gag order). We publish a transparency report when applicable.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes:

  • We will notify you by email at least 30 days before changes take effect.
  • We will update the “Last updated” date at the top of this page.
  • We will provide a clear summary of what changed.

Previous versions of this policy will be archived and available upon request.

15. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or your personal data, contact us at:

Email: privacy@stenvault.com

Response time: Within 30 days (GDPR requirement)

For complaints, you may also contact the Portuguese data protection authority:

CNPD — Comissão Nacional de Proteção de Dados

www.cnpd.pt

StenVault · End-to-end encrypted cloud storage · Operated from Portugal