Privacy Policy

Effective: 2026-05-07 · Last updated: 2026-05-07

DRAFT — final legal review pending. This document describes how Sefaly handles personal data and forms the working policy for the service. It must be reviewed and finalised by qualified privacy counsel before being relied upon.

1. Who we are

Sefaly (“Sefaly”, “we”, “us”) operates a quantum-safe end-to-end encrypted cloud storage service at sefaly.com. The legal entity providing the service and acting as data controller is [CONTROLLER NAME, registered in the United States — TBD]. For privacy questions, requests under applicable law, or complaints, contact privacy@sefaly.com.

2. Personal data we collect

Sefaly is structured so that your file contents are encrypted in your browser before they reach our servers. We never receive or store your plaintext files, and we have no technical means to decrypt them. The categories of personal data we do collect are:

  • Account information. Email address (used as your account identifier and for transactional notices).
  • Authentication material. A cryptographic verifier derived from your password in your browser, plus an encrypted copy of your private key, the salt used for key derivation, and the encryption nonce. The plaintext password and unwrapped private key are never sent to us.
  • Public key. Used to wrap (encrypt) the per-file keys to your account.
  • File metadata. For each file you upload: original filename, MIME type (sanitized), size in bytes, the folder it lives in, and the encryption parameters (algorithm version, KEM type, ciphertext nonce, encapsulated key). The server uses metadata to list and route your files.
  • Encrypted file contents. Stored as opaque ciphertext (AES-256-GCM with per-file keys wrapped via ML-KEM-768).
  • Service data. Subscription tier, total storage used in bytes, account creation timestamp, file/folder timestamps.
  • Billing information. If you subscribe to a paid plan, our payment processor collects payment-method details. We receive a customer/subscription identifier from the processor; we do not see or store your full card number.
  • Session cookie. A single strictly-necessary cookie (sefaly_session) carrying a random session token. Marked HttpOnly + Secure + SameSite=Strict. The server stores only a SHA-256 hash of the token.
  • IP address. Processed transiently for rate-limit enforcement and abuse prevention; not persisted to long-term logs.
  • Service logs. Standard application logs (timestamps, request paths, status codes, error messages). Logs are scoped to short retention windows and do not include file contents or unwrapped keys.

3. How we use personal data

We use the data above strictly to:

  • Provide, maintain, and operate the storage service you signed up for.
  • Authenticate you and route your requests to your encrypted files.
  • Enforce storage quotas, rate limits, and abuse-prevention controls.
  • Process payment for paid plans through our payment processor.
  • Send transactional notices (password-reset notes, security alerts, billing receipts, service announcements).
  • Detect and respond to security incidents, fraud, and violations of our Terms of Service.
  • Comply with legal obligations and respond to lawful requests.

We do not sell personal data. We do not use your data to train AI models. We do not run advertising on the service and do not share data with advertising networks.

4. With whom we share personal data

We share data only with:

  • Hosting and infrastructure providers (Vercel for application hosting; Neon for managed PostgreSQL). They process data on our behalf under written data-processing agreements. They handle ciphertext only; they cannot read your file contents.
  • Payment processor for paid plans (subscription billing identifier and customer reference only — no card numbers).
  • Email delivery provider for transactional emails (your email address and the message body).
  • Law enforcement or government agencies in response to valid legal process. Because file contents are end-to-end encrypted, we cannot produce plaintext file contents in response to any request — we can only produce account metadata and the ciphertext blobs themselves, which cannot be decrypted without your password and private key.

[Final sub-processor list pending — confirm payment processor and email provider before launch and add them by name here.]

5. International users and data transfers

Sefaly is operated from the United States. Our hosting and database providers operate primarily in the United States. If you access the service from outside the United States, you understand that your data will be transferred to and processed in the United States.

For users in the European Economic Area, the United Kingdom, or Switzerland, transfers to the United States are conducted under [Standard Contractual Clauses incorporated into our sub-processors' DPAs — confirm at launch].

6. Lawful basis (EEA / UK users)

For users covered by the EU/UK GDPR, the lawful bases on which we process personal data are:

  • Performance of a contract (Art. 6(1)(b)) — providing the storage service you signed up for, including authentication, file storage, and billing.
  • Legitimate interests (Art. 6(1)(f)) — security, abuse prevention, rate limiting, and operating the service efficiently. We have assessed these interests and balanced them against your rights; you can object at any time by emailing privacy@sefaly.com.
  • Legal obligation (Art. 6(1)(c)) — responding to lawful requests and meeting tax / accounting obligations for billing.

We do not currently rely on consent (Art. 6(1)(a)) for any processing.

7. Your rights

Depending on where you live, you may have the following rights:

  • Right to access. Download a JSON copy of all data we hold about you via Account → Privacy → “Download JSON”.
  • Right to deletion. Permanently delete your account and all associated encrypted files via Account → Security → “Delete account”. Deletion is irreversible.
  • Right to correction. We collect very little personal data beyond email. Contact us if you need a correction.
  • Right to portability. The JSON export above is machine-readable. Because file contents are end-to-end encrypted, only your browser can decrypt them; the existing dashboard download lets you retrieve any file in plaintext.
  • Right to object to processing based on legitimate interests.
  • Right to lodge a complaint with a supervisory authority. EEA users: your local data-protection authority. UK users: the Information Commissioner’s Office. California users: the California Privacy Protection Agency.
  • Right to non-discrimination. California (CPRA) users: we will not discriminate against you for exercising your privacy rights.

8. California privacy rights (CCPA / CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act and California Privacy Rights Act. The categories of personal information described in section 2 cover what we “collect” under these laws. We do not sell or share personal information for cross-context behavioral advertising.

To exercise your California rights (access, deletion, correction, opt-out of sale/sharing — though we do neither), email privacy@sefaly.com with subject line “California privacy request”. We verify requests by confirming control of the email address on file.

9. Children

Sefaly is not directed to children under 13 (or under 16 in the EEA). We do not knowingly collect personal data from children below those ages. If we learn that we have collected such data, we will delete it. If you believe a child has provided us with personal data, contact privacy@sefaly.com.

10. Data retention

We retain account data while your account is active. When you delete your account, we immediately remove your records from primary storage (account row, folders, file metadata, sessions) and queue deletion of the ciphertext blobs. We retain backup copies for up to 30 days before they roll off; deletion requests are honoured against backups within that window, so a deleted account cannot be reconstructed from any backup once 30 days have passed.

Service logs (application logs, error reports, request audit trails) are retained for up to 90 days for security, debugging, and abuse-investigation purposes, then purged.

Used login-challenge nonces are retained for the 5-minute challenge lifetime, then purged. Rate-limit IP keys live in volatile in-memory state and are evicted automatically.

11. Security

We apply industry-standard and, where possible, better-than-standard security practices:

  • End-to-end encryption. File contents are encrypted in your browser with AES-256-GCM. Per-file keys are wrapped to your account using ML-KEM-768 (NIST FIPS 203 post-quantum key encapsulation). The server stores ciphertext only.
  • Server-side hardening. Argon2id for password verifiers, TLS in transit, HttpOnly + Secure + SameSite=Strict session cookies, Content-Security-Policy, CSRF origin/referer validation, replay protection on auth challenges, transaction-isolated quota accounting.
  • Operational controls. Production database access limited to a small set of operators. Application logs are scrubbed of high-cardinality identifiers where practical.
  • Limitations. No system is perfectly secure. Your password and the integrity of your local device are critical to the security of your data — if your device is compromised or your password is weak or reused, the cryptographic guarantees above cannot protect your files. We recommend a strong, unique password and a current operating system.

12. Cookies

We use one cookie: sefaly_session. It is strictly necessary for authentication and is set after you log in. Because it is essential to the service, we do not request consent for it under EU ePrivacy rules — but you can clear it anytime via your browser’s cookie controls (you will be logged out).

We do not use analytics cookies, advertising cookies, or third-party trackers.

13. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you by email or through an in-app banner at least 30 days before the changes take effect, except where urgent changes are required by law. The “Last updated” date at the top of this page reflects the most recent revision.

14. Contact us

For privacy questions, data-subject requests, or complaints: privacy@sefaly.com.

[Postal address of controller entity — TBD]

See also: Terms of Service