Privacy Policy

Effective date: March 7, 2026

Plain English summary: Zephr cannot read your secrets. Encryption happens in your browser; the server stores only ciphertext. We collect your email address for authentication, usage counts for quota enforcement, and anonymized IP addresses for security logging. We do not sell your data or use tracking cookies.

1. Overview

Zephr is a zero-knowledge secret transport service. Before a secret leaves your device, it is encrypted using AES-GCM-256. The decryption key travels exclusively in the URL fragment (the part after #), which browsers do not transmit to servers per RFC 3986 §3.5. This means Zephr's servers only ever receive ciphertext — we are technically unable to read your secrets.

2. Information we collect

We collect the minimum information necessary to operate the service:

  • Account data: Your email address, used exclusively for passwordless authentication (magic links). We do not use it for marketing without your explicit consent.
  • Usage data: A count of secrets created per calendar month, per user. This is used solely for quota enforcement and resets on the first of each month.
  • API key metadata: The name you assign to an API key, plus its creation timestamp, last-used timestamp, and active status. Raw API key values are shown exactly once at creation and are never stored by Zephr.
  • Billing data: For paid subscribers, a Stripe customer ID, your subscription tier, and billing period end date. Zephr never stores payment card details — those are handled exclusively by Stripe.
  • Request logs: HTTP method, URL path, response status code, and response time. IP addresses are anonymized before logging: IPv4 addresses are truncated to the /24 prefix (last octet removed); IPv6 addresses are truncated to the /48 prefix. Full IP addresses are never stored.

3. Information we do not collect

  • Secret plaintext — encrypted client-side before being uploaded
  • Encryption or decryption keys — these exist only in the URL fragment, which is never transmitted to our servers
  • The identity of secret recipients — we record only a consumed timestamp when a link is used
  • Full IP addresses — only anonymized prefixes appear in logs
  • Browsing behavior, referral sources, or device fingerprints

4. Cookies and sessions

After you authenticate via magic link, we set one session cookie. It is configured as HttpOnly, Secure, and SameSite=Strict. The cookie has a 2-hour expiry. The authentication session stored within it (managed by Stytch) remains valid for 2 hours, after which you will be prompted to sign in again. This cookie is strictly necessary to keep you signed in — it has no analytics or tracking purpose.

We do not use advertising cookies, tracking pixels, or any third-party analytics scripts.

5. Third-party services

We integrate the following third-party services, each of which may receive limited data as described:

  • Stytch — handles passwordless authentication (magic links) and session management. Your email address is shared with Stytch to send the login link. Stytch's privacy policy governs their handling of that data.
  • Stripe — handles billing for paid subscribers. Your email address and subscription details are shared with Stripe. Stripe collects and processes payment card information directly; Zephr never sees card numbers. Stripe's privacy policy governs their data practices.
  • Sentry — optional error monitoring, enabled only when a Sentry DSN is configured. Error events and stack traces may be transmitted to Sentry. Sentry's privacy policy governs that data.
  • Google Fonts — used for typography. When your browser loads any Zephr page, it makes a request to fonts.googleapis.com and fonts.gstatic.com, which may expose your IP address to Google. Google's privacy policy governs that request.

6. Data retention

  • Secrets: Made permanently inaccessible immediately upon first retrieval. The encrypted record is physically removed from storage during the next scheduled cleanup run, which occurs within a 60-minute grace period. Secrets that have passed their expiry time are similarly removed within the same 60-minute grace period. There are no backups and no administrative mechanism to recover a consumed or expired secret.
  • Usage counts: Retained on a per-calendar-month basis.
  • API keys: When you deactivate an API key, it is marked inactive rather than hard-deleted, to preserve an audit trail. The raw key value is never stored.
  • User accounts: Retained until you request deletion. To request deletion of your account and associated data, email contact@zephr.io. We will respond within 30 days.
  • Logs: Retained according to the CloudWatch log retention policy configured for the service infrastructure.

7. Data location

All Zephr servers, databases, and log storage are located in the United States.

8. Your rights

You may request access to the personal data we hold about you, or request its deletion, at any time by emailing contact@zephr.io. We will respond within 30 days. Deleting your account will remove your email, API keys, and usage records; it does not affect secrets already consumed prior to deletion.

9. Children

Zephr is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us at contact@zephr.io and we will delete it promptly.

10. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated to registered users via email at least 14 days before the updated policy takes effect. Continued use of the service after the effective date constitutes acceptance of the revised policy.

11. Contact

Questions about this Privacy Policy? Email us at contact@zephr.io.