1. Data Controller
The data controller responsible for your personal data is:
If you have any questions or concerns about how your data is processed, please contact us at hello@cloud-enclave.com.
2. What Data We Collect
2.1 When You Visit Our Website (cloud-enclave.com)
Our landing page is a fully static website. We do not use analytics tools, tracking pixels, or advertising cookies. No personal data is collected directly by us. However, the following indirect processing occurs:
- Google Fonts: Our website loads the Inter typeface from Google's servers (fonts.googleapis.com). When your browser makes this request, your IP address is transmitted to Google. This is a technical necessity for font delivery. See Google's Privacy Policy.
2.2 When You Create an Account and Use the App (app.cloud-enclave.com)
When you register and use our application, we collect and store the following data:
| Category | Data | Purpose |
|---|---|---|
| Account | Username, password hash (bcrypt, never plaintext), account creation date | Authentication and account management |
| Session | Encrypted session identifier stored in a cookie | Keeping you logged in securely |
| Cloud Storage Connection | Google Drive account email address, encrypted OAuth access and refresh tokens | Connecting your cloud storage to the service |
| File Metadata | File name, MIME type, file size, encrypted file key and initialisation vectors, Google Drive file ID | Organising and accessing your encrypted files |
| Security | Failed login attempt count, account lock timestamp, per-session login challenges | Protecting your account from brute-force attacks |
| Billing | User ID, subscription plan name (e.g. "free", "enclave") | Managing access to features |
| Server Logs | User ID, username, IP address (via Cloudflare), operation name, timestamps, error details | Debugging, security monitoring, rate limiting |
| Feedback (optional) | Your written feedback message, email address (only if you choose to provide it) | Improving the service |
Zero-knowledge architecture: Your files are encrypted in your browser using AES-256-GCM before they are sent anywhere. We never have access to your file contents or your encryption key. File metadata (name, size, type) is stored to allow you to browse and manage your files within our app.
3. Legal Basis for Processing
We process your personal data under the following legal bases as defined in Article 6 of the GDPR:
| Processing Activity | Legal Basis |
|---|---|
| Account creation and authentication | Contract performance (Art. 6(1)(b) GDPR) — necessary to provide the service |
| Session management (essential cookie) | Contract performance (Art. 6(1)(b) GDPR) — technically required for login |
| Google Drive connection and file metadata | Contract performance (Art. 6(1)(b) GDPR) — necessary core feature |
| Security logging, rate limiting, brute-force protection | Legitimate interest (Art. 6(1)(f) GDPR) — protecting users and platform integrity |
| Google Fonts loading on landing page | Legitimate interest (Art. 6(1)(f) GDPR) — correctly rendering the website |
| Billing and plan management | Contract performance (Art. 6(1)(b) GDPR) |
| Feedback email (if voluntarily provided) | Consent (Art. 6(1)(a) GDPR) — you choose whether to include your email |
4. Third-Party Services
We use the following third-party services that may process your personal data:
Google LLC
Google Fonts (landing page), Google Drive OAuth (app)
- Google Fonts: Your IP address is sent to Google when loading web fonts on our landing page.
- Google Drive OAuth: We request access to your Google Drive (limited to files created by Cloud Enclave) and your email address to identify your connection.
Cloudflare, Inc.
CDN, DDoS protection, Turnstile CAPTCHA
- All traffic to our services passes through Cloudflare, which processes IP addresses and request metadata to protect against attacks.
- Cloudflare Turnstile is used on authentication endpoints to detect automated bot traffic. It is a privacy-preserving CAPTCHA that does not use cookies or track users across sites.
We do not use advertising networks, social media trackers, or behavioural analytics tools.
6. International Data Transfers
Google LLC and Cloudflare, Inc. are headquartered in the United States. When we use their services, your personal data may be transferred to and processed in the United States or other countries outside the European Economic Area (EEA).
These transfers are carried out subject to appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission under Article 46 GDPR. Both Google and Cloudflare are certified under the EU–U.S. Data Privacy Framework.
No other international transfers of personal data take place.
7. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data (username, password hash) | Until you delete your account, or upon our reasonable judgment that the account is permanently inactive |
| Google Drive connection and tokens | Until you disconnect the integration or delete your account |
| File metadata | Until you delete the file or your account |
| Session data | Until sign-out or session expiry (short-lived, Redis-backed) |
| Server logs | Retained for a reasonable period necessary for security and debugging purposes |
| Feedback messages | For as long as necessary to review and act on the feedback |
After account deletion, your data is removed from our systems. Note that your actual files reside in your own Google Drive — deleting your Cloud Enclave account does not delete files from your cloud storage provider.
8. Your Rights
Under the GDPR, you have the following rights regarding your personal data. To exercise any of these rights, contact us at hello@cloud-enclave.com.
Right of Access
Request a copy of the personal data we hold about you (Art. 15 GDPR).
Right to Rectification
Ask us to correct inaccurate or incomplete data (Art. 16 GDPR).
Right to Erasure
Request deletion of your personal data ("right to be forgotten") (Art. 17 GDPR).
Right to Data Portability
Receive your data in a structured, machine-readable format (Art. 20 GDPR).
Right to Restriction
Ask us to restrict processing of your data in certain circumstances (Art. 18 GDPR).
Right to Object
Object to processing based on legitimate interest (Art. 21 GDPR). We will cease unless compelling grounds exist.
Right to withdraw consent: Where processing is based on consent (e.g. providing your email with feedback), you may withdraw consent at any time by contacting us. Withdrawal does not affect the lawfulness of processing before withdrawal.
Right to Lodge a Complaint
If you believe your personal data is being processed unlawfully, you have the right to lodge a complaint with the Polish supervisory authority:
President of the Personal Data Protection Office (UODO)
Urząd Ochrony Danych Osobowych
ul. Stawki 2, 00-193 Warsaw, Poland
Email: kancelaria@uodo.gov.pl
Website: uodo.gov.pl
9. Minors
Cloud Enclave is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us and we will delete it promptly.
10. Contact & Updates
For any privacy-related questions or requests, please contact us at: hello@cloud-enclave.com.
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. We encourage you to review this policy periodically. Continued use of the service after changes are posted constitutes your acceptance of the revised policy.