Privacy Policy
Last updated: June 2025
What This App Does
This app helps you securely store and recover your important secrets (like passwords or private keys) using a technique called "social recovery." Instead of relying on a single backup that could be lost or compromised, you split your secrets into pieces and share them with trusted friends or family members (your "guardians"). If you ever lose access to your account, your guardians can help you recover your secrets.
Your Privacy Matters
We built this app with privacy as our top priority. Here's what makes us different:
- We never see your secrets - All encryption happens on your device before anything reaches our servers
- We can't decrypt your data - Even if we wanted to, we don't have the keys
- Guardians only see encrypted pieces - Your friends can't see your actual secrets, just encrypted fragments
What Information We Collect
Information You Give Us
- Username: A name you choose to identify your account
- Password: We only store an encrypted version - we never see your actual password
- Public Key: A cryptographic key that others use to send you encrypted messages
Information We Generate
- Peer ID: A unique identifier for your account in our system
- Session Data: Information about when you're logged in (for security)
Information About Your Secrets
- Encrypted Secret Pieces: The encrypted fragments of your secrets that get shared with guardians
- Recovery Requests: Records of when you ask guardians to help recover your secrets
- Key Backups: Encrypted copies of your private keys (if you choose to back them up)
Why We Need This Information
We only collect information that's essential for the app to work:
- Creating and managing your account (Legal basis: Contract performance)
- Securely storing your encrypted secret pieces (Legal basis: Contract performance)
- Enabling recovery when you need it (Legal basis: Contract performance)
- Keeping your account secure (Legal basis: Legitimate interest in security)
- Meeting legal requirements (Legal basis: Legal obligation)
How We Protect Your Information
Technical Security
- Encryption: All sensitive data is encrypted using industry-standard methods
- Zero-Knowledge Architecture: Our servers never see your unencrypted secrets
- Secure Communication: All data travels over encrypted connections
- Access Controls: Only authorized systems can access the database
Organizational Security
- Limited Access: Only essential personnel can access our systems
- Security Training: Our team is trained in data protection practices
- Incident Response: We have procedures for handling security issues
Your Rights
Under GDPR, you have several important rights:
Right to Access
You can request a copy of all personal data we have about you. This includes:
- Your account information
- Your encrypted secret shares (metadata only)
- Your recovery request history
- Your key backup information
How to exercise: Contact us at [email] or use the "Download My Data" feature in your account settings.
Right to Correction
If any of your personal information is wrong, you can ask us to fix it.
How to exercise: Update your information in account settings or contact us.
Right to Deletion ("Right to be Forgotten")
You can ask us to delete your personal data. When you delete your account:
- We remove all your personal information
- We delete your encrypted secret shares
- We notify your guardians that you're no longer using the service
- Some information may be kept for legal or security reasons (see "How Long We Keep Your Data")
How to exercise: Use the "Delete Account" feature in your account settings.
Right to Data Portability
You can get your data in a format that's easy to transfer to another service.
How to exercise: Use the "Export Data" feature in your account settings.
Right to Object
You can object to how we process your data, especially for marketing (though we don't do marketing).
Right to Restrict Processing
You can ask us to temporarily stop processing your data while we resolve a dispute.
To exercise any of these rights: Contact us at [email] or use the privacy controls in your account settings.
Sharing Your Information
With Your Guardians
When you choose someone as a guardian, we share encrypted pieces of your secrets with them. They can't see your actual secrets - only encrypted fragments that are useless without other pieces.
With Service Providers
We may use trusted third-party services to help run our app (like cloud hosting). These providers:
- Only receive the minimum data needed to provide their service
- Are contractually required to protect your data
- Cannot use your data for their own purposes
Legal Requirements
We may share information if required by law or to protect against fraud or security threats.
We Never
- Sell your personal data
- Share your data for marketing purposes
- Give anyone access to your unencrypted secrets
How Long We Keep Your Data
| Type of Data | How Long | Why |
|---|---|---|
| Account Information | Until you delete your account | Needed for the service to work |
| Session Data | 24 hours after you log out | Security and performance |
| Encrypted Secret Shares | Until you or the guardian deletes them | Core functionality |
| Recovery Requests | 90 days after completion | Audit trail and security |
| Key Backups | Until you delete them or your account | Your choice to maintain backups |
| Legal/Security Logs | Up to 7 years | Legal requirements and fraud prevention |
Contact Us
Data Controller: PactPass
Email: privacy at pactpass.com
For privacy questions or to exercise your rights, contact us at the email above.
Technical Details (For the Technically Curious)
How Our Zero-Knowledge System Works
- Your device encrypts your secrets before sending anything to our servers
- Our servers only store encrypted pieces that are useless without other pieces
- Guardians receive encrypted shares they can't read without your permission
- Recovery happens by combining shares on your device - we never see the result
Encryption Standards
- Secret Sharing: Shamir's Secret Sharing Scheme
- Encryption: AES-256 with RSA key exchange
- Key Derivation: PBKDF2 with SHA-256
- Communication: TLS 1.3 encryption for all data in transit
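The share-and-recover step described above, as an added illustration of Shamir's Secret Sharing; this is example code, not PactPass's own implementation. It assumes a 127-bit prime field (the app's actual field size is not stated here) and shares a short key-sized secret, which is the usual practice: the secret shared with guardians is a key, and the bulk data is encrypted under that key. Any `threshold` shares reconstruct the value; fewer than that leave it fully undetermined.

```python
import secrets

# Assumption: the app's field size is not stated on the page; a 127-bit Mersenne
# prime is used here for illustration. Secrets must be integers below it.
PRIME = 2**127 - 1

def _eval_poly(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x (mod PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc

def split_secret(secret, threshold, guardians):
    """Return `guardians` shares (x, y); any `threshold` of them recover `secret`."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer below PRIME")
    if not 1 <= threshold <= guardians:
        raise ValueError("threshold must be between 1 and the number of guardians")
    # Constant term is the secret; the other threshold-1 coefficients are uniformly
    # random, so fewer than `threshold` shares are consistent with every secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, guardians + 1)]

def recover_secret(shares):
    """Lagrange-interpolate the shares at x = 0 (mod PRIME) to get the constant term."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("shares must come from distinct guardians")
    result = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        result = (result + yi * num * pow(den, -1, PRIME)) % PRIME
    return result

def split_bytes(secret, threshold, guardians):
    """Share a short byte string (e.g. a key) by encoding it as a field element."""
    if len(secret) > 15:  # 15 bytes always encodes below the 127-bit prime
        raise ValueError("share a key, not a long secret, with this toy field")
    return split_secret(int.from_bytes(secret, "big"), threshold, guardians)

def recover_bytes(shares, length):
    """Reverse of split_bytes: recover the field element and decode it."""
    return recover_secret(shares).to_bytes(length, "big")
```

On a device that follows this model, only `split_bytes` and `recover_bytes` ever run locally; the server and the guardians handle the (x, y) pairs and never the input secret.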
This privacy policy is written in plain English to help you understand your rights. If you need clarification on anything, please don't hesitate to contact us.