Privacy Policy

1. Information We Collect

Account Information

When you sign in with Google or Facebook, we collect:

• Your name
• Your email address
• OAuth provider ID

Secret Data

You provide:

• Secret titles and content (encrypted at rest)
• Recipient names and email addresses
• Health check interval preferences (how often you're checked)
• Health check expiration preferences (how long you have to respond)

Usage Data

We automatically collect:

• Health check events and confirmations
• Secret delivery events
• Audit logs of account actions

2. How We Use Your Information

We use your information to:

• Operate the Service and send health check emails
• Deliver secrets to your designated recipients when health checks are missed
• Process payments via Stripe
• Communicate with you about your account
• Improve the Service and fix bugs
• Comply with legal obligations

3. Data Storage and Security

Encryption

All secrets are encrypted at rest using AES-256-GCM encryption - the same standard used by governments and banks. We cannot read your encrypted secrets.

Database

Data is stored in a PostgreSQL database with industry-standard security practices including:

• Encrypted connections (SSL/TLS)
• Regular security updates
• Access controls and authentication
• Regular backups

Infrastructure

Our infrastructure is hosted with reputable providers that maintain SOC 2 compliance.

4. Third-Party Services

We use the following third-party processors:

Stripe (Payment Processing)

Processes subscription payments. We do not store credit card information. See Stripe's Privacy Policy.

SendGrid (Email Delivery)

Sends health check and secret reveal emails. Email content passes through this provider but is deleted after delivery.

Google & Facebook (Authentication)

Used for OAuth login. We do not store your password. These providers have their own privacy policies.

5. Email Recipients

When you designate recipients for your secrets, we will send emails containing your decrypted secrets to those email addresses if you miss a health check. Recipients are not users of our Service and are not subject to our Terms or Privacy Policy.

Important: Choose recipients carefully. Once delivered, we have no control over how they use the information.

6. Data Retention

We retain your data for as long as your account is active. When you delete your account:

• All secrets are permanently deleted immediately
• All recipient information is deleted immediately
• Account data is deleted within 30 days
• Audit logs may be retained for up to 1 year for legal compliance
• Payment records are retained as required by law (typically 7 years)

7. Your Rights (GDPR)

Under the General Data Protection Regulation (GDPR), you have the right to:

• Access: View your data via the dashboard
• Portability: Export your data in machine-readable format
• Rectification: Update incorrect information
• Erasure: Delete your account and all associated data
• Restriction: Limit processing by pausing your subscription
• Object: Opt out by canceling your subscription

To exercise these rights, contact us at [email protected].

8. Data Sharing

We do not sell your data. We share data only:

• With your designated secret recipients (when health checks are missed)
• With service providers (Stripe, SendGrid) as necessary to operate the Service
• When required by law or to protect rights and safety

9. International Data Transfers

Your data may be processed in countries outside your residence, including the United States and European Union. We ensure appropriate safeguards are in place for international transfers. By using the Service, you consent to such transfers.

10. Cookies

We use essential cookies for:

• Authentication and session management
• Security (CSRF protection)
• Remembering your preferences

We do not use tracking or advertising cookies.

11. Children's Privacy

The Service is not intended for users under 18 years of age. We do not knowingly collect information from children. If you believe a child has provided us with personal information, please contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of significant changes via email. The "Last Updated" date at the top indicates when changes were made. Continued use of the Service after changes constitutes acceptance of the updated policy.

13. Contact Us

For privacy questions, to exercise your rights, or to report concerns, contact us at:

Email: [email protected]

We will respond to all requests within 30 days as required by GDPR.