CifraGuard is built so that we know as little about you and your files as technically possible. This Privacy Policy explains what data we process, why we process it, who may process it on our behalf, and how long it is kept.

CifraGuard is operated by Marek Zarzycki under the project/portfolio name NubeCode.

NubeCode is a project name and is not a separate legal entity.

For GDPR purposes, Marek Zarzycki is the data controller for personal data processed by CifraGuard, unless stated otherwise.

Privacy contact: use the contact form and select the “Privacy Question” topic.

1. Your Files

Files are encrypted with AES-256-GCM in your browser before upload. We never receive or store the unencrypted contents of your files.

The encrypted file is held on our application server only for the time needed to request email delivery and is deleted from our application server immediately afterwards.

Email delivery providers and mail servers may temporarily process or retain email content, encrypted attachments, addresses, and delivery metadata according to their own systems, settings, and legal obligations.

Decryption keys are generated in your browser and are not stored on our application server. The key passes through our server and our email delivery provider, Mailgun, once in transit, solely so it can be emailed to the address you choose.

If the decryption key is lost, we cannot recover it because we do not keep a copy.

Decryption happens entirely in the recipient's browser. Nothing is uploaded to CifraGuard during decryption.

2. Data We Process

Email addresses

When you use CifraGuard to send a file, you provide two email addresses:

• the address that receives the encrypted file;
• the address that receives the decryption key.

These addresses are used by CifraGuard to request email delivery of the encrypted file and the decryption key.

We do not add these addresses to mailing lists. We do not sell them. We do not share them for marketing.

We do not store the full email addresses in our application logs. Our logs record only the email domain, such as gmail.com, outlook.com, or a company domain.

Our email delivery provider, Mailgun, and recipient mail servers may process the full email addresses as part of normal email delivery.

IP addresses

We process your IP address to:

• enforce rate limits;
• protect the service from abuse;
• reduce spam, automated misuse, and attacks;
• investigate technical or security issues.

The current rate limits are:

• 2 file transfers per hour per IP address;
• 1 contact message per hour.

Where we control the application logs, we minimise or sanitise IP addresses where possible. Some infrastructure providers, such as Cloudflare or the hosting provider, may process full IP addresses for security and delivery. Rate-limit records expire automatically after the one-hour rate-limit window.

Usage analytics

We keep privacy-safe, aggregated statistics to understand service load and improve the service.

These may include:

• approximate number of transfers per day;
• approximate number of contact messages per day;
• coarse country-level usage;
• general technical error counts.

We avoid storing statistics that are intended to identify individual users, recipients, files, or transfers.

Aggregated statistics may be kept indefinitely, provided they do not identify individual users or files.

File metadata

To process a transfer, CifraGuard may temporarily process technical file information such as:

• file size;
• file type or MIME type;
• original file name;
• encrypted attachment name;
• transfer status.

This information is used only to provide the service, enforce limits, troubleshoot issues, and protect the service from abuse.

Original file names are not stored in our application logs. File size, file extension, and transfer status may appear in application logs and aggregated statistics kept for security, troubleshooting, and service reliability.

Contact form

If you contact us through the contact form, we process the information you provide, such as:

• your name;
• your email address;
• your message;
• the topic you selected;
• basic technical metadata needed for security and abuse prevention.

We use this information solely to respond to your inquiry and handle any follow-up.

Contact messages are delivered to us by email and are not stored in a database.

You may also receive an automatic confirmation email.

Our application logs record only your email domain, not your full email address. The notification we receive contains a short hash of your IP address rather than the IP address itself.

Contact messages are not used for marketing.

3. Legal Bases

Where GDPR applies, we rely on the following legal bases.

Providing the service

We process the data needed to provide the file-transfer service you requested. Where GDPR applies, this processing is based on Article 6(1)(b) GDPR: processing necessary to provide the service requested by you.

Security, abuse prevention, rate limiting, and service reliability

We process limited technical data, including IP addresses and logs, based on Article 6(1)(f) GDPR: our legitimate interest in keeping CifraGuard secure, reliable, and protected against abuse.

Contact form messages

We process contact form messages so we can respond to your request. Where GDPR applies, this processing is based on Article 6(1)(b) GDPR where the message relates to the service you requested, or Article 6(1)(f) GDPR where we rely on our legitimate interest in responding to inquiries, handling abuse reports, and protecting the service.

Legal compliance

Where necessary, we may process or retain information to comply with applicable legal obligations, respond to lawful requests, or protect legal rights.

4. Cookies and Local Storage

We do not use tracking or profiling cookies.

Your light/dark theme preference may be stored in your browser's local storage. This preference stays on your device and is not sent to CifraGuard.

A session cookie may be used only for the password-protected admin area. The admin area is not part of the public file-transfer service.

We do not currently display advertising or use advertising cookies. If this changes, we will update this Privacy Policy and request consent where required.

CifraGuard does not use personal data for profiling or automated decision-making that produces legal or similarly significant effects.

5. Third-Party Services

CifraGuard may rely on third-party providers to operate the service.

Mailgun

Mailgun delivers the encrypted file email and the decryption key email on our behalf.

Mailgun may process:

• sender and recipient email addresses;
• encrypted attachments;
• email content;
• delivery metadata;
• bounce, rejection, and delivery-status information;
• technical logs required for email delivery and abuse prevention.

Mailgun processes this data as part of normal email delivery.

Cloudflare

Cloudflare may sit in front of CifraGuard for DDoS protection, security, performance, and content delivery.

Cloudflare may process connection metadata such as:

• IP address;
• browser and device metadata;
• request headers;
• security events;
• approximate location derived from network information.

Cloudflare processes this information as a network and security intermediary.

jsDelivr CDN

jsDelivr CDN may serve Bootstrap CSS/JS framework files used by the website.

When your browser requests these files, jsDelivr may receive technical request information such as your IP address, browser metadata, and requested file path.

Hosting provider

CifraGuard is hosted on server infrastructure provided by a hosting provider.

The hosting provider may process technical data necessary to run the service, including server logs, connection metadata, and security-related information.

6. Data Retention Summary

We keep data only for as long as needed for the purposes described in this Privacy Policy.

Current retention approach:

• Unencrypted files: never received or stored by CifraGuard.
• Encrypted files: deleted from our application server immediately after the delivery request is completed.
• Decryption keys: not stored on our application server.
• Rate-limit records: expire automatically after the one-hour rate-limit window.
• Application logs: kept only as long as needed for security, troubleshooting, abuse prevention, and service reliability.
• Full email addresses in application logs: not stored; only email domains are logged where needed.
• Contact messages: kept only as long as needed to respond to your inquiry and handle any follow-up, unless a longer period is needed for security, abuse prevention, or legal reasons.
• Aggregated statistics: may be kept indefinitely, provided they do not identify individual users or files.
• Third-party provider logs: retained according to the systems, settings, policies, and legal obligations of the relevant third-party providers.

7. Your Rights

Depending on where you live, including under the GDPR in the European Union, you may have rights regarding your personal data.

These may include the right to:

• access personal data we hold about you;
• correct inaccurate personal data;
• request deletion of personal data;
• object to certain processing;
• restrict certain processing;
• request a copy of your personal data;
• withdraw consent where processing is based on consent;
• lodge a complaint with a data protection authority.

Because CifraGuard is designed to store very little personal data, there may be little or no personal data available for us to access, correct, or delete.

If you have a privacy request, contact us via the contact page and select the "Privacy Question" topic.

We may need to verify your request before responding, especially if the request relates to email addresses, contact messages, abuse reports, or security logs.

8. Security

All traffic to CifraGuard is protected with HTTPS.

Files are encrypted in the browser using AES-256-GCM authenticated encryption before upload.

Decryption happens in the recipient's browser.

Executable file types are blocked from direct upload.

The service applies rate limiting, security headers, and abuse-prevention controls.

However, no system is perfectly secure. Email delivery itself is not end-to-end encrypted by CifraGuard. Email providers, mail servers, spam filters, and recipient inboxes may process or store emails according to their own systems and policies.

Treat decryption keys like passwords. Share them only with the intended recipient and use separate email addresses or channels for the encrypted file and the decryption key where possible.

9. Children

CifraGuard is not intended for children.

Do not use CifraGuard if you are not old enough to use online services lawfully in your country without parental or guardian permission.

10. International Transfers

Some third-party providers used by CifraGuard may process data outside your country of residence, including outside the European Economic Area.

Where required, such transfers should be protected by appropriate safeguards used by the relevant third-party provider, such as standard contractual clauses or equivalent transfer mechanisms.

11. Abuse, Security, and Legal Requests

We may process limited technical data to detect, prevent, or respond to abuse, spam, malware, attacks, unlawful activity, or security incidents.

Where legally required, we may preserve or disclose information in response to lawful requests from competent authorities.

We will not voluntarily inspect encrypted file contents because we do not have access to the unencrypted contents.

12. Changes to This Policy

We may update this Privacy Policy from time to time.

The date at the top of this page shows when the policy was last updated.

If we make material changes, we may highlight them on the CifraGuard website where appropriate.

Continued use of CifraGuard after changes take effect means you understand the updated Privacy Policy.

13. Contact

For privacy-related questions, requests, or concerns, please use the contact form and select the "Privacy Question" topic.

For abuse reports, please use the contact form and select the appropriate abuse or security-related topic, if available.