Legal

Privacy Policy

How we protect your privacy with zero-knowledge architecture and GDPR-first design.

Last updated: October 10, 2025

Zero-Knowledge Architecture

We mathematically cannot access your encrypted data—even if compelled by law or subpoena.

GDPR Compliant

Full compliance with EU GDPR, CCPA, and global privacy regulations. Data residency guarantees included.

No Third-Party Tracking

No Google Analytics, Facebook pixels, or advertising trackers. Your usage data stays private.

Quick Navigation

→ What We Collect → How We Use Data → Zero-Knowledge Guarantee → Your Privacy Rights → Data Retention → Security Measures → Cookie Policy → Third-Party Services → Contact Us

Introduction

NebulaProof, Inc. ("Nebula", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our encrypted backup API service.

Key Principle: Our zero-knowledge architecture means we cannot access your encrypted data—even if we wanted to. All encryption happens client-side with keys we never possess.

What Information We Collect

Important Distinction

We collect metadata about your service usage (account info, API logs, billing). We cannot and do not collect your encrypted file contents—they're encrypted with your keys before transmission.

1. Account Information (We Collect)

• Email address (for authentication and service communications)
• Full name and company name (optional, for billing)
• Password hash (PBKDF2 with 100,000+ iterations—we never store plaintext passwords)
• Payment information (processed by Stripe—we never see full card numbers)
• Cloud provider credentials (AWS/Azure/GCP access keys for BYOC deployments)

2. Usage Metadata (We Collect)

• API request logs (endpoints called, timestamps, response codes)
• File metadata: filename, size, upload timestamp, geographic region
• Storage pool configuration and shard distribution patterns
• Proof generation events and verification results
• Error logs and performance metrics (for system reliability)

3. Encrypted File Contents (We CANNOT Access)

Zero-Knowledge Guarantee: Your files are encrypted with AES-256-GCM using keys derived from your password via PBKDF2. We never receive your encryption keys. Even with physical access to our servers or a valid subpoena, we cannot decrypt your data.

Technical Details: Encryption happens in your browser/SDK before transmission. We only store encrypted shards (Reed-Solomon encoded ciphertext). The master encryption key never leaves your device.

4. Analytics & Diagnostics (Minimal Collection)

• Browser type and version (for compatibility testing)
• IP address (for rate limiting and abuse prevention—anonymized after 30 days)
• Session duration and feature usage (to improve UX)
• Error reports and crash logs (for debugging)

No Third-Party Trackers: We do not use Google Analytics, Facebook pixels, or advertising trackers. All analytics are processed in-house.

How We Use Your Information

Service Delivery & Operations

• Authenticate your identity and manage your account
• Process backup uploads and orchestrate shard distribution
• Generate cryptographic proofs (upload, deletion, residency, verification)
• Monitor storage node health and trigger failover when needed
• Provide customer support and respond to your inquiries

Compliance & Legal Obligations

• Generate GDPR deletion certificates (Article 17 compliance)
• Produce geographic residency attestations (GDPR Articles 44-49)
• Maintain audit logs for SOC 2, HIPAA, and ISO 27001 certifications
• Respond to valid legal requests (we can only provide metadata, not encrypted data)

Product Improvement

• Analyze usage patterns to improve performance and reliability
• Identify and fix bugs based on error reports
• Develop new features based on aggregate usage data
• Conduct A/B testing for UI/UX improvements (with opt-out available)

Communications

• Send service notifications (storage quota warnings, proof generation alerts)
• Deliver security advisories and critical updates
• Send monthly billing statements and payment receipts
• Share product announcements and technical blog posts (opt-in only)

Zero-Knowledge Architecture

The Mathematical Guarantee: We Cannot Access Your Data

How It Works

1.
Client-Side Encryption: Your browser/SDK generates a master encryption key from your password using PBKDF2 (100,000+ iterations). This key never leaves your device.
2.
Pre-Upload Encryption: Files are encrypted with AES-256-GCM (authenticated encryption) before transmission. We only receive ciphertext—unreadable data without your key.
3.
Erasure Coding: Encrypted data is sharded using Reed-Solomon (6+4) and distributed across multiple cloud providers. Even if we wanted to access a file, we'd need both your encryption key AND all the shards.
4.
No Key Escrow: We do not implement key escrow, backdoors, or "master keys." If you lose your password, we cannot recover your data—this is a feature, not a bug.

Legal Implications

Subpoenas and Court Orders: If we receive a valid legal request for your data, we can only provide metadata (account info, upload timestamps, file sizes). We cannotprovide encrypted file contents because we lack the decryption keys. This has been tested in court (see: United States v. Apple Inc., similar encryption debate).

Third-Party Audit Verification

Our zero-knowledge architecture has been independently audited by Cure53 (security audit, March 2025) and Trail of Bits (cryptography review, January 2025). Full audit reports available atnebulaproof.com/compliance.

Your Privacy Rights

Under GDPR (EU), CCPA (California), and other privacy laws, you have the following rights:

Right to Access

Request a copy of all personal data we hold about you (account info, API logs, metadata).

Right to Rectification

Correct inaccurate personal information in your account settings.

Right to Erasure

Delete your account and all associated data. Generates GDPR deletion certificate within 72 hours.

Right to Object

Opt out of marketing emails, analytics, or data processing (note: may limit service functionality).

Right to Portability

Export your encrypted backups in a machine-readable format (JSON metadata + raw shards).

Right to Restrict Processing

Temporarily suspend data processing while we investigate a complaint or accuracy dispute.

How to Exercise Your Rights

Email privacy@nebulaproof.com with your request. We'll respond within 30 days (GDPR requirement) or 45 days (CCPA). Identity verification required for security.

Data Retention & Deletion

Account Data

• Active accounts: Retained while account is active
• After deletion request: 30-day grace period, then permanent deletion
• Backup logs: Retained for 90 days, then archived for 7 years (SOC 2 requirement)
• Billing records: Retained for 7 years (tax/accounting requirements)

Encrypted Backup Data

• User-initiated deletion: All shards deleted within 24 hours, GDPR certificate generated
• Account closure: All backups deleted after 30-day grace period
• Legal holds: Deletion suspended if account is subject to litigation hold (we notify you)
• BYOC deployments: Data in YOUR cloud accounts—you control retention policies

Analytics & Logs

• IP addresses: Anonymized after 30 days (last octet replaced with .0)
• API request logs: Retained for 90 days, then aggregated (no PII)
• Error logs: Retained for 1 year for debugging, then deleted
• Usage analytics: Aggregated and anonymized—never contains PII

Security Measures

Encryption Standards

• AES-256-GCM for data encryption
• TLS 1.3 for data in transit
• PBKDF2 (100,000+ iterations) for key derivation
• RSA-4096 for proof signatures

Infrastructure Security

• SOC 2 Type II certified infrastructure
• ISO 27001 information security management
• Kubernetes with network policies & RBAC
• DDoS protection (Cloudflare)

Access Controls

• MFA required for all employee accounts
• Principle of least privilege (POLP)
• Zero standing access to production
• All access logged and audited

Monitoring & Response

• 24/7 security monitoring (SIEM)
• Automated intrusion detection
• Incident response plan (tested quarterly)
• Breach notification within 72 hours (GDPR)

Security Audits & Certifications

Our security posture is independently verified by third-party auditors:

• SOC 2 Type II: Annual audit by Deloitte (latest: September 2025)
• ISO 27001: Certified by BSI (expires: June 2026)
• Penetration testing: Cure53 (March 2025), Trail of Bits (January 2025)
• Bug bounty: HackerOne program with $500-$25,000 rewards

Cookie Policy

We use minimal cookies to provide essential functionality. We do not use advertising or tracking cookies.

Essential Cookies (Required)

• Session cookie: Maintains your login session (expires after 15 minutes of inactivity)
• CSRF token: Protects against cross-site request forgery attacks
• Preference cookie: Remembers dark mode and language settings

Optional Cookies (Opt-In)

• Analytics cookie: Tracks feature usage to improve UX (first-party only, no Google Analytics)
• Performance cookie: Monitors page load times and API latency

What We Don't Use

• ❌ Google Analytics or third-party analytics trackers
• ❌ Facebook Pixel or social media tracking
• ❌ Advertising cookies or retargeting pixels
• ❌ Cross-site tracking or fingerprinting

Third-Party Services

We use the following third-party services to operate NebulaProof. Each has been vetted for GDPR compliance and data security.

Stripe (Payment Processing)

Purpose: Process credit card payments and manage subscriptions

Data shared: Email, name, billing address (Stripe never shares full card numbers with us)
Privacy policy: stripe.com/privacy

AWS / Azure / GCP (Cloud Infrastructure)

Purpose: Host storage nodes (BYOC deployments) and infrastructure

Data shared: Encrypted backup shards (we control encryption keys in BYOC mode)
Data residency: You choose regions (e.g., eu-west-1 for GDPR compliance)

Postmark (Transactional Emails)

Purpose: Send account notifications, password resets, and security alerts

Data shared: Email address, first name
Privacy policy: postmarkapp.com/privacy-policy

Sentry (Error Monitoring)

Purpose: Monitor application errors and crashes

Data shared: Error stack traces, browser info (we scrub PII before sending)
Privacy policy: sentry.io/privacy

Data Processing Agreements: We have signed GDPR-compliant Data Processing Agreements (DPAs) with all third-party vendors. Copies available upon request to privacy@nebulaproof.com.

International Data Transfers

NebulaProof is headquartered in Delaware, USA. If you're located in the EU, your data may be transferred to the United States for processing.

GDPR Compliance for EU Users

• Standard Contractual Clauses (SCCs): We use EU-approved SCCs for data transfers (Article 46)
• Data residency option: Professional/Enterprise tiers can restrict all storage to EU regions
• Zero-knowledge encryption: Even if data is transferred, it remains encrypted and unreadable
• Schrems II compliance: Our legal team monitors EU-US data transfer regulations

Children's Privacy

NebulaProof is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@nebulaproof.com, and we will delete it within 30 days.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will:

• Email you at least 30 days before the changes take effect
• Display a prominent notice in the dashboard
• Update the "Last Updated" date at the top of this page
• Archive previous versions (available upon request via privacy@nebulaproof.com)

Continued use of NebulaProof after the effective date constitutes acceptance of the updated Privacy Policy. If you disagree with the changes, you may close your account.

Contact Us

If you have questions about this Privacy Policy or want to exercise your privacy rights, please contact us:

Privacy Team

privacy@nebulaproof.com

Postal Mail:
NebulaProof, Inc.
Attn: Privacy Officer
1234 Encryption Way, Suite 500
Wilmington, DE 19801
United States

EU Representative (GDPR Article 27)

gdpr-rep@nebulaproof.com

EU Data Protection Officer
NebulaProof EU Representative
123 Avenue de la Compliance
75001 Paris, France

Response Times

• General inquiries: 3 business days
• Data access/deletion requests: 30 days (GDPR/CCPA requirement)
• Security incidents: 24 hours

Right to Lodge a Complaint

If you're located in the EU and believe we've violated GDPR, you have the right to lodge a complaint with your local data protection authority:

• EU Data Protection Authorities: Find your local DPA
• UK (post-Brexit): Information Commissioner's Office (ICO)
• California (CCPA): California Attorney General

Privacy-First Backup Infrastructure

Zero-knowledge encryption means we can't access your data—even if we wanted to.

Legal

Privacy Policy

How we protect your privacy with zero-knowledge architecture and GDPR-first design.

Last updated: October 10, 2025

Zero-Knowledge Architecture

We mathematically cannot access your encrypted data—even if compelled by law or subpoena.

GDPR Compliant

Full compliance with EU GDPR, CCPA, and global privacy regulations. Data residency guarantees included.

No Third-Party Tracking

No Google Analytics, Facebook pixels, or advertising trackers. Your usage data stays private.

Quick Navigation

→ What We Collect → How We Use Data → Zero-Knowledge Guarantee → Your Privacy Rights → Data Retention → Security Measures → Cookie Policy → Third-Party Services → Contact Us

Introduction

Key Principle: Our zero-knowledge architecture means we cannot access your encrypted data—even if we wanted to. All encryption happens client-side with keys we never possess.

What Information We Collect

Important Distinction

1. Account Information (We Collect)

• Email address (for authentication and service communications)
• Full name and company name (optional, for billing)
• Password hash (PBKDF2 with 100,000+ iterations—we never store plaintext passwords)
• Payment information (processed by Stripe—we never see full card numbers)
• Cloud provider credentials (AWS/Azure/GCP access keys for BYOC deployments)

2. Usage Metadata (We Collect)

• API request logs (endpoints called, timestamps, response codes)
• File metadata: filename, size, upload timestamp, geographic region
• Storage pool configuration and shard distribution patterns
• Proof generation events and verification results
• Error logs and performance metrics (for system reliability)

3. Encrypted File Contents (We CANNOT Access)

4. Analytics & Diagnostics (Minimal Collection)

• Browser type and version (for compatibility testing)
• IP address (for rate limiting and abuse prevention—anonymized after 30 days)
• Session duration and feature usage (to improve UX)
• Error reports and crash logs (for debugging)

No Third-Party Trackers: We do not use Google Analytics, Facebook pixels, or advertising trackers. All analytics are processed in-house.

How We Use Your Information

Service Delivery & Operations

• Authenticate your identity and manage your account
• Process backup uploads and orchestrate shard distribution
• Generate cryptographic proofs (upload, deletion, residency, verification)
• Monitor storage node health and trigger failover when needed
• Provide customer support and respond to your inquiries

Compliance & Legal Obligations

• Generate GDPR deletion certificates (Article 17 compliance)
• Produce geographic residency attestations (GDPR Articles 44-49)
• Maintain audit logs for SOC 2, HIPAA, and ISO 27001 certifications
• Respond to valid legal requests (we can only provide metadata, not encrypted data)

Product Improvement

• Analyze usage patterns to improve performance and reliability
• Identify and fix bugs based on error reports
• Develop new features based on aggregate usage data
• Conduct A/B testing for UI/UX improvements (with opt-out available)

Communications

• Send service notifications (storage quota warnings, proof generation alerts)
• Deliver security advisories and critical updates
• Send monthly billing statements and payment receipts
• Share product announcements and technical blog posts (opt-in only)

Zero-Knowledge Architecture

The Mathematical Guarantee: We Cannot Access Your Data

How It Works

1.
Client-Side Encryption: Your browser/SDK generates a master encryption key from your password using PBKDF2 (100,000+ iterations). This key never leaves your device.
2.
Pre-Upload Encryption: Files are encrypted with AES-256-GCM (authenticated encryption) before transmission. We only receive ciphertext—unreadable data without your key.
3.
Erasure Coding: Encrypted data is sharded using Reed-Solomon (6+4) and distributed across multiple cloud providers. Even if we wanted to access a file, we'd need both your encryption key AND all the shards.
4.
No Key Escrow: We do not implement key escrow, backdoors, or "master keys." If you lose your password, we cannot recover your data—this is a feature, not a bug.

Legal Implications

Third-Party Audit Verification

Your Privacy Rights

Under GDPR (EU), CCPA (California), and other privacy laws, you have the following rights:

Right to Access

Request a copy of all personal data we hold about you (account info, API logs, metadata).

Right to Rectification

Correct inaccurate personal information in your account settings.

Right to Erasure

Delete your account and all associated data. Generates GDPR deletion certificate within 72 hours.

Right to Object

Opt out of marketing emails, analytics, or data processing (note: may limit service functionality).

Right to Portability

Export your encrypted backups in a machine-readable format (JSON metadata + raw shards).

Right to Restrict Processing

Temporarily suspend data processing while we investigate a complaint or accuracy dispute.

How to Exercise Your Rights

Email privacy@nebulaproof.com with your request. We'll respond within 30 days (GDPR requirement) or 45 days (CCPA). Identity verification required for security.

Data Retention & Deletion

Account Data

• Active accounts: Retained while account is active
• After deletion request: 30-day grace period, then permanent deletion
• Backup logs: Retained for 90 days, then archived for 7 years (SOC 2 requirement)
• Billing records: Retained for 7 years (tax/accounting requirements)

Encrypted Backup Data

• User-initiated deletion: All shards deleted within 24 hours, GDPR certificate generated
• Account closure: All backups deleted after 30-day grace period
• Legal holds: Deletion suspended if account is subject to litigation hold (we notify you)
• BYOC deployments: Data in YOUR cloud accounts—you control retention policies

Analytics & Logs

• IP addresses: Anonymized after 30 days (last octet replaced with .0)
• API request logs: Retained for 90 days, then aggregated (no PII)
• Error logs: Retained for 1 year for debugging, then deleted
• Usage analytics: Aggregated and anonymized—never contains PII

Security Measures

Encryption Standards

• AES-256-GCM for data encryption
• TLS 1.3 for data in transit
• PBKDF2 (100,000+ iterations) for key derivation
• RSA-4096 for proof signatures

Infrastructure Security

• SOC 2 Type II certified infrastructure
• ISO 27001 information security management
• Kubernetes with network policies & RBAC
• DDoS protection (Cloudflare)

Access Controls

• MFA required for all employee accounts
• Principle of least privilege (POLP)
• Zero standing access to production
• All access logged and audited

Monitoring & Response

• 24/7 security monitoring (SIEM)
• Automated intrusion detection
• Incident response plan (tested quarterly)
• Breach notification within 72 hours (GDPR)

Security Audits & Certifications

Our security posture is independently verified by third-party auditors:

• SOC 2 Type II: Annual audit by Deloitte (latest: September 2025)
• ISO 27001: Certified by BSI (expires: June 2026)
• Penetration testing: Cure53 (March 2025), Trail of Bits (January 2025)
• Bug bounty: HackerOne program with $500-$25,000 rewards

Cookie Policy

We use minimal cookies to provide essential functionality. We do not use advertising or tracking cookies.

Essential Cookies (Required)

• Session cookie: Maintains your login session (expires after 15 minutes of inactivity)
• CSRF token: Protects against cross-site request forgery attacks
• Preference cookie: Remembers dark mode and language settings

Optional Cookies (Opt-In)

• Analytics cookie: Tracks feature usage to improve UX (first-party only, no Google Analytics)
• Performance cookie: Monitors page load times and API latency

What We Don't Use

• ❌ Google Analytics or third-party analytics trackers
• ❌ Facebook Pixel or social media tracking
• ❌ Advertising cookies or retargeting pixels
• ❌ Cross-site tracking or fingerprinting

Third-Party Services

We use the following third-party services to operate NebulaProof. Each has been vetted for GDPR compliance and data security.

Stripe (Payment Processing)

Purpose: Process credit card payments and manage subscriptions

Data shared: Email, name, billing address (Stripe never shares full card numbers with us)
Privacy policy: stripe.com/privacy

AWS / Azure / GCP (Cloud Infrastructure)

Purpose: Host storage nodes (BYOC deployments) and infrastructure

Data shared: Encrypted backup shards (we control encryption keys in BYOC mode)
Data residency: You choose regions (e.g., eu-west-1 for GDPR compliance)

Postmark (Transactional Emails)

Purpose: Send account notifications, password resets, and security alerts

Data shared: Email address, first name
Privacy policy: postmarkapp.com/privacy-policy

Sentry (Error Monitoring)

Purpose: Monitor application errors and crashes

Data shared: Error stack traces, browser info (we scrub PII before sending)
Privacy policy: sentry.io/privacy

Data Processing Agreements: We have signed GDPR-compliant Data Processing Agreements (DPAs) with all third-party vendors. Copies available upon request to privacy@nebulaproof.com.

International Data Transfers

NebulaProof is headquartered in Delaware, USA. If you're located in the EU, your data may be transferred to the United States for processing.

GDPR Compliance for EU Users

• Standard Contractual Clauses (SCCs): We use EU-approved SCCs for data transfers (Article 46)
• Data residency option: Professional/Enterprise tiers can restrict all storage to EU regions
• Zero-knowledge encryption: Even if data is transferred, it remains encrypted and unreadable
• Schrems II compliance: Our legal team monitors EU-US data transfer regulations

Children's Privacy

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will:

• Email you at least 30 days before the changes take effect
• Display a prominent notice in the dashboard
• Update the "Last Updated" date at the top of this page
• Archive previous versions (available upon request via privacy@nebulaproof.com)

Continued use of NebulaProof after the effective date constitutes acceptance of the updated Privacy Policy. If you disagree with the changes, you may close your account.

Contact Us

If you have questions about this Privacy Policy or want to exercise your privacy rights, please contact us:

Privacy Team

privacy@nebulaproof.com

Postal Mail:
NebulaProof, Inc.
Attn: Privacy Officer
1234 Encryption Way, Suite 500
Wilmington, DE 19801
United States

EU Representative (GDPR Article 27)

gdpr-rep@nebulaproof.com

EU Data Protection Officer
NebulaProof EU Representative
123 Avenue de la Compliance
75001 Paris, France

Response Times

• General inquiries: 3 business days
• Data access/deletion requests: 30 days (GDPR/CCPA requirement)
• Security incidents: 24 hours

Right to Lodge a Complaint

If you're located in the EU and believe we've violated GDPR, you have the right to lodge a complaint with your local data protection authority:

• EU Data Protection Authorities: Find your local DPA
• UK (post-Brexit): Information Commissioner's Office (ICO)
• California (CCPA): California Attorney General

Privacy-First Backup Infrastructure

Zero-knowledge encryption means we can't access your data—even if we wanted to.

NebulaProof - Cryptographic Proof Storage Platform