Privacy Policy
Last updated: 21-06-2026
Contents
- 1. Our Commitment to Privacy
- 2. Legal Framework
- 3. Data Controller
- 4. Data We Collect
- 5. Data We Do Not Collect
- 6. IP Address Policy
- 7. Cookies & Local Storage
- 8. Encryption & Security Measures
- 9. Data Storage & Retention
- 10. Legal Bases for Processing
- 11. Third-Party Services & Data Processors
- 12. International Data Transfers
- 13. Open Source & Transparency
- 14. Data Disclosure & Law Enforcement
- 15. Children's Privacy
- 16. Automated Decision-Making
- 17. Data Breach Notification
- 18. Your Rights Under GDPR & FADP
- 19. Social Media & External Links
- 20. Changes to This Policy
- 21. Contact Us
1. Our Commitment to Privacy
Ciphera is built on the principle that privacy is a fundamental right, not a feature. Your account is protected by zero-knowledge encryption: your password and account vault are encrypted on your device under keys we never hold, so we cannot read that data even if compelled to. For services where zero-knowledge encryption does not apply — such as our privacy-first analytics, support, and billing — we minimize what we collect by design. We collect the absolute minimum data necessary to operate our services, we never sell or share your data with advertisers, and we give you full control over your information.
This policy explains in detail what data we collect, why we collect it, how we protect it, and what rights you have. It should be read alongside our Terms of Service, which governs your use of our services. We encourage you to read both in full.
2. Legal Framework
Ciphera is operated by Ciphera B.V., a company incorporated under Belgian law (KBO/BCE: 1013.721.660), with registered offices at De Kleetlaan 2, 1831 Diegem, Belgium. Our operations are governed by:
- Belgian law — as our entity is incorporated in Belgium
- EU General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679, as we process data of individuals in the European Economic Area
- Swiss Federal Act on Data Protection (FADP) — as our data infrastructure is located in Switzerland
- ePrivacy Directive — Directive 2002/58/EC, as applicable to our electronic communications
Where these frameworks differ, we apply the standard that provides the strongest protection for your data. Belgian courts in Brussels hold exclusive jurisdiction for any disputes arising from this policy.
3. Data Controller
The data controller for all Ciphera services is:
Ciphera B.V.
KBO/BCE: 1013.721.660
De Kleetlaan 2
1831 Diegem, Belgium
Email: privacy@ciphera.net
Phone: +32 78 48 07 10
For privacy-specific inquiries, contact us at privacy@ciphera.net. For security concerns, contact security@ciphera.net.
Given the nature and scale of our current operations, a Data Protection Officer (DPO) has not been appointed under GDPR Article 37. All privacy inquiries are handled directly by our team at privacy@ciphera.net.
4. Data We Collect
We apply data minimization as a core design principle. Below is an exhaustive breakdown of every category of data we collect, organized by service.
4.1. Website (ciphera.net)
When you visit our website, we collect:
- Analytics data — Page views, referrer sources, UTM parameters, device type, browser, operating system, and country-level geographic data. Collected via our own Pulse analytics platform, which uses no cookies, no fingerprinting, and no personal identifiers. Data is aggregated and cannot be traced to individual visitors.
- Contact form submissions — Name, email address, subject, and message content, submitted voluntarily through our contact page.
- Newsletter subscriptions — Email address only, submitted voluntarily with explicit consent.
Legal basis: Legitimate interest (analytics), consent (contact form, newsletter).
4.2. Ciphera ID (Identity Provider)
When you create a Ciphera account, we collect:
- Email address — Used for account identification, verification, and security notifications. Your email is never stored on our servers in readable form: it is kept only inside your client-encrypted account vault, which we cannot decrypt. To sign you in, we match your account using a blind index — an irreversible keyed hash derived from your email on your device and hashed again on our servers — so we can find your account without ever holding your address.
- Display name — Chosen by you, used for display and identification purposes. Like your email, it is stored only inside your client-encrypted account vault and never held on our servers in readable form.
- Password — Your password never leaves your device. We use OPAQUE (RFC 9807), a password-authenticated key exchange: your password is strengthened on your device using Argon2id and proven to our servers without ever being sent. We store only an opaque credential record that cannot be reversed into your password — no password, no password hash, and no password-equivalent verifier. We cannot see, recover, or reset your password.
- Session metadata — Login timestamps, device type, and browser information for active session management.
- Account verification data — CAPTCHA responses during registration, processed by our privacy-first Ciphera Captcha service (not Google reCAPTCHA or any third-party provider).
Legal basis: Contract performance (account management), legitimate interest (security).
4.3. Ciphera Pulse (Privacy-First Analytics)
Pulse is our self-hosted analytics platform, designed as a privacy-first alternative to Google Analytics. For websites using Pulse, we collect:
- Page views — Aggregated page view counts per URL, not tied to individual visitors.
- Unique visitor estimates — Calculated using a privacy-safe hashing method that rotates daily. No persistent identifiers are stored.
- Referrer sources — The website or search engine that directed visitors to the site.
- UTM parameters — Campaign tracking parameters from URLs (utm_source, utm_medium, etc.).
- Technical metadata — Device type (mobile, desktop, tablet), browser name, and operating system. Derived from the User-Agent string, which is not stored.
- Country-level location — Determined from the IP address, which is then immediately discarded. We do not store IP addresses.
Pulse does not use cookies, does not use browser fingerprinting, does not track users across websites, and does not collect personally identifiable information by default. Custom event properties are defined by the website owner, who is responsible for ensuring they do not contain personal data. Pulse is designed to operate without cookies or persistent identifiers, so it does not set a cookie consent banner.
When website owners use Pulse on their websites, Ciphera B.V. acts as a data processor under GDPR Article 28. A Data Processing Agreement (DPA) is available upon request at privacy@ciphera.net.
Legal basis: Legitimate interest (anonymous website analytics).
4.4. Ciphera Captcha (Bot Protection)
Our CAPTCHA service protects Ciphera services from automated abuse. We collect:
- Challenge responses — Your interaction with the CAPTCHA challenge, used solely to verify you are human.
- Verification tokens — Short-lived tokens that confirm successful CAPTCHA completion, automatically expired after use.
- Behavioral insights — Mouse movement patterns, keystroke timing, scroll behavior, and touch input, collected solely to distinguish automated traffic from human visitors. This data is processed in-memory only, is never written to persistent storage, is automatically discarded within 15 minutes, and is not linked to user accounts.
Unlike third-party CAPTCHA services, Ciphera Captcha does not track users across pages or websites, does not set persistent cookies, and does not share data with advertising networks.
Legal basis: Legitimate interest (abuse prevention, service security).
4.5. Ciphera Relay (Email Infrastructure)
Relay handles transactional emails (account verification, security notifications, password resets) for Ciphera services. We collect:
- Recipient email addresses — Required to deliver transactional emails.
- Delivery metadata — Delivery status, bounce information, and timestamps for operational monitoring.
Relay does not send marketing emails, does not track email opens via tracking pixels, and does not share recipient data with third parties. Email content is transmitted over encrypted connections (TLS).
Legal basis: Contract performance (transactional communications).
5. Data We Do Not Collect
We believe it is equally important to state what we do not do:
- We do not use tracking cookies of any kind
- We do not use browser fingerprinting or cross-site device tracking
- We do not engage in cross-site tracking or retargeting
- We do not sell, trade, rent, or share your personal data with third parties for advertising or marketing purposes
- We do not use third-party analytics services (Google Analytics, Meta Pixel, etc.)
- We do not serve advertisements of any kind
- We do not build user profiles or behavioral profiles
- We do not use tracking pixels in emails
- We do not collect location data beyond country-level (and that is derived, not stored)
- We do not use any social media tracking widgets or embedded content that tracks visitors
6. IP Address Policy
IP addresses are inherently part of internet communications and are temporarily processed by our servers during request handling. Our policy regarding IP addresses is:
- No IP address storage — We do not store raw IP addresses in any database. All IP addresses are cryptographically hashed using HMAC-SHA256 before any persistence: for events tied to a signed-in account the hash is salted with a user-specific value, and for pre-authentication events (such as failed logins) it uses a server-side key. The original IP address is irreversibly discarded and cannot be recovered — not by us, not by anyone.
- Temporary processing — IP addresses may be temporarily held in server memory during active connections for rate limiting and abuse prevention. They are not written to persistent storage in their original form.
- Pulse analytics — IP addresses are used solely to derive country-level location data, then immediately discarded. The IP address itself is never stored.
- Security audit logs — Security events (logins, password changes, 2FA changes) are logged with a cryptographic hash of the IP address, not the IP itself. This allows detection of patterns (e.g., same device logging in repeatedly) without storing personally identifiable information. Audit logs are retained for up to 180 days, then permanently deleted.
- Server logs — Operational server logs that may contain IP addresses are access-controlled and retained only as long as necessary for security and operational purposes.
7. Cookies & Local Storage
The Ciphera marketing site (ciphera.net) sets no cookies or browser storage of its own. Our authenticated applications — Ciphera ID (id.ciphera.net) and Ciphera Pulse — use the minimum browser storage needed to keep you signed in, remember your interface preferences, and run features you ask for:
| Name | Type | Purpose | Duration |
|---|---|---|---|
| Authentication | |||
| access_token | HTTP-only cookie | Keeps you signed in | 15 minutes |
| refresh_token | HTTP-only cookie | Renews your session without re-entering your password | 30 days |
| csrf_token | Cookie (app-readable) | Protects against cross-site request forgery | 30 days |
| ciphera_pii | Cookie (across ciphera.net) | Carries your decrypted name and email between Ciphera apps after login, so they display without our servers storing them | Cleared on logout |
| Your profile | |||
| user | Local / session storage | Holds your decrypted name and email so the app can display them (your account on our servers holds neither) | Until logout / tab close |
| Interface & login | |||
| Sidebar, dashboard & dismissed-prompt settings | Local storage | Remember your layout and which prompts you have dismissed | Persistent |
| oauth_state, oauth_code_verifier | Local storage | Secure the login redirect (PKCE) | Cleared after login |
| Analytics (on websites that use Pulse) | |||
| pulse_ignore | Local storage | Lets a site owner exclude their own visits | Until turned off |
| ciphera_last_pv | Session storage | Prevents counting a page refresh twice | Tab session |
| Support chat | |||
| cw_* | Local storage | Keeps your support-chat session and recent messages while you use our help widget | Persistent |
We do not use advertising cookies or cross-site tracking cookies, and we do not share your data with advertisers. Because we use only storage that is strictly necessary to provide the services you request, no cookie consent banner is required under Article 5(3) of the ePrivacy Directive.
8. Encryption & Security Measures
Security is foundational to everything we build. Our technical measures include:
Client-Side Encryption
- Algorithm: AES-256-GCM (authenticated encryption)
- Key generation: Encryption keys are generated in your browser using the Web Crypto API and are never transmitted to our servers
- Zero-knowledge architecture: Our servers store only encrypted data. We have no technical capability to decrypt, read, or access the content of your files
Password Security
- Zero-knowledge authentication (OPAQUE): We use the OPAQUE protocol (RFC 9807), an asymmetric password-authenticated key exchange. Your password is stretched on your device with Argon2id and is never transmitted to our servers. Signing in proves knowledge of your password cryptographically, without sending it.
- What we store: Only an OPAQUE credential record that cannot be reversed into your password. We hold no password, no password hash, and no password-equivalent verifier.
- No password reset: Because we never hold your password, we cannot reset it. Account recovery requires the 24-word recovery phrase shown to you when you created your account. If you lose both your password and your recovery phrase, your account data cannot be recovered — by us or anyone else.
Account Data Encryption
- Stored in your vault, not on our servers: Your email address and display name are never stored on our servers in readable form. They live only inside your account vault, which is encrypted on your device under a key we never hold. Two-factor authentication secrets, which our servers need in order to verify your codes, are encrypted at rest using AES-256-GCM.
- Blind-index lookups: To find your account at sign-in, we use a blind index — an irreversible keyed hash of your email, computed on your device and hashed again on our servers. Your email is never stored in readable form.
- What a database breach would expose: Only encrypted vaults, keyed hashes, and your OPAQUE credential record — no plaintext email or display name, no password, and nothing that can be reversed into them.
Transport Security
- TLS encryption: All connections to our services are encrypted in transit using TLS
- HSTS: HTTP Strict Transport Security is enforced with a minimum 1-year max-age
- Security headers: X-Content-Type-Options, X-Frame-Options (DENY), Referrer-Policy (strict-origin-when-cross-origin), and Content Security Policy are enforced on all pages
Infrastructure Security
- Backups are encrypted at rest using AES-256 server-side encryption together with client-side encryption; your account data and files are protected by client-side encryption, so they remain unreadable to us regardless of the underlying storage
- Access to production systems requires multi-factor authentication
- We follow the principle of least privilege for all internal access
- Regular security reviews and dependency audits are performed
9. Data Storage & Retention
Storage Location
All primary data is stored on servers located in Switzerland, subject to the Swiss Federal Act on Data Protection (FADP). Switzerland has been recognized by the European Commission as providing an adequate level of data protection (adequacy decision under GDPR Article 45).
Retention Periods
We retain data only as long as necessary for the purpose it was collected:
| Data Type | Retention Period | Basis |
|---|---|---|
| Account data | While the account is active; deleted immediately and irreversibly on a verified deletion request | Contract |
| Session data | Until logout or 30 days (refresh token expiry) | Contract |
| Analytics data (Pulse) | Aggregated indefinitely (no personal data) | Legitimate interest |
| Contact form messages | Not stored — forwarded to our team inbox | Consent |
| Newsletter subscriptions | Until unsubscribe | Consent |
| Security audit logs (hashed IPs only) | Up to 180 days, then permanently deleted | Legitimate interest |
| Server logs | Retained only as long as necessary for security and operational purposes | Legitimate interest |
| CAPTCHA verification tokens | Expired immediately after use | Legitimate interest |
| Email delivery metadata (Relay) | 30 days | Contract |
10. Legal Bases for Processing
Under GDPR Article 6, we process personal data on the following legal bases:
- Contract performance (Article 6(1)(b)): Processing necessary to provide the services you requested — account management, session management, and transactional emails.
- Legitimate interest (Article 6(1)(f)): Processing necessary for our legitimate interests, where those interests are not overridden by your rights — anonymous website analytics, abuse prevention, rate limiting, and service security. We conduct balancing tests for each legitimate interest processing activity.
- Consent (Article 6(1)(a)): Processing based on your freely given, specific, informed consent — newsletter subscriptions, contact form submissions, and optional communications. You may withdraw consent at any time.
- Legal obligation (Article 6(1)(c)): Processing necessary to comply with legal requirements — responding to valid law enforcement requests (see Section 14).
11. Third-Party Services & Data Processors
We minimize our reliance on third-party services. The services we use, and the data they may process, are listed below:
| Service | Purpose | Data Processed | Location |
|---|---|---|---|
| Exoscale | Compute and object storage | Encrypted data at rest | Switzerland |
| Bunny | CDN, DNS, DDoS protection, edge routing | IP addresses (transient) | Global (edge network) |
| GitHub | Source code hosting | Source code | United States |
| Mollie | Payment processing | Billing and subscription data | Netherlands |
All third-party processors are bound by Data Processing Agreements (DPAs) and are contractually required to process data only for the specified purpose. A complete list of sub-processor identities, including specific company names and registered addresses, is available upon request at privacy@ciphera.net. We do not use:
- Google Analytics, Google Tag Manager, or any Google tracking service
- Meta Pixel, Facebook SDK, or any Meta tracking service
- Third-party CAPTCHA services (we use our own Ciphera Captcha)
- Third-party email tracking services
- Advertising networks of any kind
- Customer data platforms (CDPs) or data brokers
12. International Data Transfers
Your data is primarily stored in Switzerland, which benefits from an EU adequacy decision. In limited cases, data may be processed in other jurisdictions:
- CDN/DNS services — Your requests may be routed through global edge servers for performance and DDoS protection. Only transient connection data (IP addresses) passes through these servers.
- GitHub — Public source code hosted in the United States. No personal user data is stored on GitHub.
Where personal data is transferred outside the EEA or Switzerland, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission under GDPR Article 46(2)(c), or transfers to countries with an adequacy decision under GDPR Article 45.
13. Open Source & Transparency
We believe transparency is essential to trust. The following are open source, allowing independent verification of our privacy claims:
- Pulse — Our privacy-first analytics platform is open source (AGPL-3.0), enabling independent audit of our analytics approach.
- This website — The source code for this website is publicly available.
Our open-source repositories are available at github.com/ciphera-net.
14. Data Disclosure & Law Enforcement
We will only disclose user data if legally compelled to do so by a valid and binding request from competent Belgian or Swiss authorities, in full compliance with applicable law.
Our disclosure policy:
- Challenge first: We will challenge any request that we believe is overbroad, legally insufficient, or not in the public interest.
- Minimum disclosure: If legally required to comply, we will disclose only the minimum data necessary to satisfy the specific request.
- Encrypted data limitation: Due to our zero-knowledge architecture, we cannot decrypt or provide access to the contents of encrypted files, even under legal compulsion. We can only provide metadata and encrypted data.
- User notification: Where legally permitted, we will notify affected users of data requests.
- No voluntary disclosure: We do not voluntarily share user data with any government, intelligence agency, or law enforcement body.
We do not comply with requests from foreign authorities unless they are processed through appropriate international legal assistance channels recognized by Belgian or Swiss law.
15. Children's Privacy
Our services are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@ciphera.net and we will promptly delete the data.
16. Automated Decision-Making
We do not engage in automated decision-making or profiling that produces legal effects or similarly significantly affects you, as defined under GDPR Article 22. Our automated systems are limited to:
- Rate limiting — Automated throttling of excessive requests to protect service availability.
- CAPTCHA challenges — Automated bot detection during registration and certain interactions.
- File expiration — Automated deletion of files after user-configured expiration periods.
None of these automated processes result in decisions that produce legal effects or significantly affect any individual.
17. Data Breach Notification
In the event of a personal data breach, we will:
- Notify the Belgian Data Protection Authority (Autorité de protection des données / Gegevensbeschermingsautoriteit) within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
- Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34.
- Document the breach, its effects, and the remedial actions taken.
Due to our zero-knowledge architecture, a breach of our servers would not expose the content of encrypted files, as we do not possess the decryption keys.
18. Your Rights Under GDPR & FADP
Under the EU General Data Protection Regulation and the Swiss Federal Act on Data Protection, you have the following rights regarding your personal data:
- Right of Access (Article 15): You have the right to obtain confirmation of whether we process your personal data, and to receive a copy of that data in a commonly used, machine-readable format.
- Right to Rectification (Article 16): You have the right to request correction of inaccurate personal data and completion of incomplete data.
- Right to Erasure (Article 17): You have the right to request deletion of your personal data. Account data is deleted immediately and irreversibly upon a verified request; because our authentication is zero-knowledge, deletion cannot be undone and your encrypted account data cannot be recovered afterwards.
- Right to Restriction of Processing (Article 18): You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of data.
- Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
- Right to Object (Article 21): You have the right to object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
- Right to Withdraw Consent (Article 7(3)): Where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing conducted before withdrawal.
- Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority. The relevant authority for Ciphera is the Belgian Data Protection Authority (Autorité de protection des données / Gegevensbeschermingsautoriteit), Rue de la Presse 35, 1000 Brussels, Belgium — www.dataprotectionauthority.be.
To exercise any of these rights, contact us at privacy@ciphera.net. We will respond to verified requests within 30 days, as required by law. We may ask you to verify your identity before processing your request.
19. Social Media & External Links
Our website and blog may contain links to external websites, including our GitHub repositories and social media profiles. We do not embed social media tracking widgets on our website. When you follow a link to an external site, you leave our services, and the external site's privacy policy governs your interaction with that site. We are not responsible for the privacy practices of external websites.
20. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our services, legal requirements, or best practices. When we make changes:
- The “Last updated” date at the top of this page will be revised.
- For material changes that affect your rights, we will provide prominent notice (such as a banner on our website or an email notification to account holders).
- Previous versions of this policy will be archived and available upon request.
We encourage you to review this policy periodically. Your continued use of our services after changes are posted constitutes acceptance of the updated policy. The English version of this policy prevails in case of any discrepancy with translations.
21. Contact Us
If you have any questions about this privacy policy, our data practices, or wish to exercise your rights, you can reach us through:
- Privacy inquiries: privacy@ciphera.net
- Security concerns: security@ciphera.net
- General inquiries: hello@ciphera.net
- Phone: +32 78 48 07 10
- Address: Ciphera, De Kleetlaan 2, 1831 Diegem, Belgium
We aim to respond to all inquiries within 5 business days, and to formal data rights requests within 30 days.