Legal

Privacy Policy

Last updated: April 2026

The short version

We collect the minimum data necessary to operate the service. Our zero-knowledge architecture means we architecturally cannot access the content of your files — not because of a policy, but because the design makes it technically impossible. What you store is yours.

What we collect

Waitlist

When you join our waitlist, we collect your email address. We use it only to notify you when early access opens. We will never sell, rent, or share it with third parties.

Account information

When you create an account, we collect your email address and a cryptographic verifier derived from your passphrase (using SRP-6a). Your passphrase is never transmitted to our servers.

Usage metadata

We store metadata necessary to operate the service: account creation date, storage usage in bytes, IP addresses for security logging, and timestamps. We do not store filenames, directory structure, file types, or any information about the content of your files.

What we cannot access

  • The content of any file you store
  • Your filenames or directory structure
  • How many files you have
  • What types of files you store
  • Your encryption passphrase (it never leaves your device)

This is not a policy commitment — it is an architectural guarantee. Even if compelled by a court order, we cannot produce the plaintext of your files because we do not have it.

Analytics

We use Plausible Analytics, a privacy-respecting analytics provider that does not use cookies, does not collect personal data, and is fully GDPR compliant by default. We use it to understand aggregate traffic patterns (page views, referral sources). No individual user is tracked.

Cookies

We use only technically necessary cookies (session authentication). We do not use advertising, tracking, or analytics cookies.

Data retention

We retain account data for as long as your account is active. If you delete your account, we delete your account data within 30 days. Encrypted file blobs are deleted immediately upon your request. Server logs are retained for 90 days.

Legal requests

We respond to valid legal process. We can provide metadata (email address, account creation date, storage usage, IP logs). We cannot decrypt your files. We publish an annual transparency report detailing the number and type of legal requests received.

GDPR & your rights

If you are in the European Economic Area, you have the right to access, rectify, port, and erase your data. To exercise these rights, contact us at privacy@blindstorage.com.

Contact

Questions about this policy: privacy@blindstorage.com