Privacy Policy
Last updated: January 15, 2026
This Privacy Policy explains how SpeedVault, Inc. ("SpeedVault," "we," "us," or "our") collects, uses, and protects your personal information when you use our cloud storage services, website, and related applications (collectively, the "Service").
1. Information We Collect
We collect information you provide directly to us:
- Account Information: When you register, we collect your name, email address, and password. Your password is hashed and salted using bcrypt before storage and is never stored in plaintext.
- Billing Information: If you subscribe to a paid plan, payment processing is handled by Stripe, Inc. We do not store full credit card numbers or bank details on our servers. Stripe receives your payment information directly, and its handling of that information is governed by Stripe's own Privacy Policy.
- Profile Information: You may optionally provide a profile photo, organization name, and preferred display name.
- File Metadata: We collect file names, sizes, types, and modification timestamps to provide the Service. In accordance with our zero-knowledge architecture, we do not read, access, or decrypt the content of your files (see Section 3).
- Communications: If you contact our support team, we retain copies of your correspondence, including any information you voluntarily provide.
We also automatically collect certain technical information when you use the Service:
- Usage Data: Pages visited, features used, upload/download volume, session duration, and referring URLs.
- Device Information: IP address, browser type and version, operating system, device identifiers, and screen resolution.
- Log Data: Server access logs including timestamps, requested resources, HTTP status codes, and error reports.
2. How We Use Your Information
We use the information we collect solely for the following purposes:
- To provide, maintain, and improve the SpeedVault Service, including file synchronization, sharing, and version history.
- To process payments, send invoices, and manage subscriptions through our payment processor Stripe.
- To send service-related communications, including account verification, security alerts, and billing notifications.
- To respond to your support requests, technical inquiries, and feedback.
- To monitor and analyze usage trends, diagnose technical issues, and improve Service performance and reliability.
- To detect, prevent, and address fraudulent, unauthorized, or illegal activity.
- To comply with legal obligations and enforce our Terms of Service.
We do not use the content of your stored files for any purpose, including advertising, training machine learning models, data mining, or analytics. Your file content remains encrypted and inaccessible to us by design.
3. Zero-Knowledge Architecture
SpeedVault is built on a zero-knowledge architecture. This means:
- Client-Side Encryption: Files are encrypted on your device using AES-256-GCM before transmission. Encryption keys are derived from your password using PBKDF2 with a minimum of 600,000 iterations.
- Server Blindness: We store only encrypted ciphertext. Without access to your encryption keys, we are physically incapable of decrypting or reading your file contents.
- Key Separation: File encryption keys are never transmitted to our servers. Public key cryptography (X25519) is used for shared files, allowing recipients to decrypt only files explicitly shared with them.
- Metadata Protection: File names and folder structures are encrypted client-side before storage. We can see the size and type of files for operational purposes but cannot read their names or contents.
Because of this architecture, we cannot recover your password or files if you lose your credentials. We strongly recommend enabling account recovery options and maintaining offline backups of critical data.
5. Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Service. Specific retention periods are:
- Account Information: Retained until your account is deleted. You may request account deletion at any time from your account settings.
- File Data: Encrypted files are retained for the duration of your subscription plus 30 days after account deletion, after which they are irrecoverably purged from all storage systems and backups.
- Version History: File versions are retained for 30 days (Free and Pro) or 90 days (Team) from the date of modification, after which older versions are permanently deleted.
- Log Data: Server access logs are retained for 90 days. Aggregated, anonymized analytics data may be retained indefinitely.
- Backup Copies: Encrypted backups are rotated every 24 hours and retained for a maximum of 30 days.
6. Security Measures
We implement a comprehensive set of security measures to protect your data:
- Encryption in Transit: All data transmitted between your devices and our servers uses TLS 1.3 with strong cipher suites. HTTP Strict Transport Security (HSTS) is enforced.
- Encryption at Rest: Encrypted file data is stored in AWS S3 with server-side encryption using AWS KMS, layered on top of our client-side encryption.
- Access Controls: Production access is restricted to authorized engineering personnel via short-lived credentials and multi-factor authentication. All access is logged and audited.
- Vulnerability Management: We conduct regular penetration testing (quarterly), automated vulnerability scanning (weekly), and dependency audits (continuous).
- Security Certifications: We maintain SOC 2 Type II compliance and are GDPR-compliant. Our encryption architecture has been reviewed by independent third-party security firms.
7. Your Rights (GDPR / CCPA)
Depending on your jurisdiction, you have the following rights regarding your personal information:
For all users:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your account and associated personal data.
- Portability: Request export of your data in a machine-readable format (JSON).
For EEA/UK users (GDPR):
- Restriction: Request restriction of processing under certain circumstances.
- Objection: Object to processing based on legitimate interests or for direct marketing.
- Withdrawal of Consent: Withdraw consent at any time where processing is based on consent.
For California residents (CCPA):
- Right to Know: Request disclosure of categories and specific pieces of personal information collected.
- Right to Opt Out: Opt out of the sale of personal information. Note: SpeedVault does not sell personal information.
- Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise any of these rights, contact our privacy team. We will respond within 30 days. Verification of identity may be required to process your request.
9. Children's Privacy
SpeedVault is not directed at individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that a child under 16 has provided us with personal information, we will take steps to delete such information and terminate the associated account.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately so we can take appropriate action.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. When we make material changes:
- We will post the updated policy on this page and update the "Last updated" date at the top.
- For material changes (changes that affect your rights or how we handle your data), we will notify you via email to the address associated with your account at least 14 days before the changes take effect.
- Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
We encourage you to review this Privacy Policy periodically. If you do not agree with any changes, you may close your account before the changes take effect.
11. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: Contact us via our Help Center
- Data Protection Officer: Available via Help Center
- Mail: SpeedVault, Inc., 1209 N Orange Street, Wilmington, DE 19801, United States
- Response Time: We aim to respond to all privacy inquiries within 5 business days.
If you are located in the EEA or UK, you also have the right to lodge a complaint with your local data protection supervisory authority.