← Back to home
Legal

Privacy Policy

Effective date: April 19, 2026  ·  Last updated: April 19, 2026
In plain language: We operate a zero-knowledge storage service. The contents of the files you upload, and their names, are encrypted on your device before they reach our servers — we cannot read them. This policy explains the limited personal data we do handle (such as email, billing and operational logs) and the rights you have over it.

1. Who we are

The data controller responsible for your personal data is [Company Name], registered in [Jurisdiction] at [Registered Address] ("WooCloud", "we"). You can reach our privacy team at privacy@woocloud.net.

2. What data we collect

We collect and process the following categories of personal data:

CategoryExamples
Account dataEmail address, hashed password verifier, public portion of your encryption key material, account creation timestamp.
Billing dataPlan, subscription status, billing history, last-four digits and expiry of the card (full card data is held by our payment processor, not by us).
Encrypted contentCiphertext blobs representing your files and file names. We cannot decrypt these.
Operational metadataStorage used, number of objects, upload/download byte counts, client type and version, approximate timestamps of sync events.
Technical logsIP address, request headers, error traces, rate-limit signals. Retained short-term for security and debugging (see Section 7).
Support dataMessages you send us, attachments you voluntarily share, and metadata of that correspondence.

We do not intentionally collect special-category personal data (such as health, political opinions or biometric data). You should not send such data through support channels in unencrypted form.

3. How and why we use it

  • Providing the Service — authenticating you, storing and synchronising your encrypted content, enforcing storage quotas.
  • Billing — issuing invoices, collecting subscription payments, preventing fraudulent transactions.
  • Security — detecting and mitigating abuse, brute-force attempts, credential-stuffing and denial-of-service attacks.
  • Support — responding to your enquiries and troubleshooting incidents you report.
  • Product improvement — understanding aggregate, non-identifying usage patterns to improve reliability and performance.
  • Compliance — meeting our legal, tax and accounting obligations.

We do not sell your personal data, and we do not use Your Content or account data to train machine-learning models.

Where the EU General Data Protection Regulation or the UK GDPR applies, we rely on the following legal bases:

  • Performance of a contract — for account creation, delivering the Service and billing.
  • Legitimate interests — for securing the Service, preventing abuse, and improving reliability, balanced against your rights.
  • Legal obligation — for retaining billing records and responding to valid legal process.
  • Consent — for optional communications such as product newsletters, which you can withdraw at any time.

5. Sharing and processors

We share personal data only with the following categories of recipients, under written data-processing agreements and only to the extent necessary:

  • Infrastructure providers — hosting, bandwidth and object storage vendors that operate the servers that hold your encrypted content.
  • Payment processor — to process card payments. We do not receive or store full card numbers.
  • Transactional email provider — to send account confirmations, security alerts and billing receipts.
  • Error-monitoring provider — to capture crash traces from our servers and clients (configured to scrub personal identifiers where technically possible).
  • Professional advisers — our accountants, auditors and lawyers, where necessary.
  • Authorities — where required by a binding legal order. Because of end-to-end encryption, we can only produce the limited account and operational data described in Section 2 — not the contents of your files.

6. International transfers

Some of our providers may process personal data outside your country of residence. Where personal data is transferred out of the EEA or UK, we rely on recognised safeguards such as Standard Contractual Clauses and, where applicable, supplementary technical and organisational measures.

7. Retention

  • Account data: for as long as your account is active and then up to 90 days after closure, to support recovery and fraud prevention.
  • Encrypted content: until you delete it or your account is closed. On closure we delete encrypted objects within 30 days unless a longer period is legally required.
  • Billing records: for the period required by applicable tax and accounting law (typically 7 years).
  • Technical logs: up to 30 days in rolling caches; aggregated, non-identifying statistics may be retained longer.
  • Support correspondence: up to 24 months after the ticket is closed.

8. Security measures

We protect personal data through a combination of technical and organisational measures:

  • End-to-end encryption of content and file names using industry-standard algorithms;
  • TLS for all network traffic between clients and our infrastructure;
  • Encryption of databases and backups at rest;
  • Least-privilege access controls and audit logging on internal systems;
  • Hardware-backed multi-factor authentication for staff with production access;
  • Regular independent security reviews and a public responsible-disclosure programme.

No system is perfectly secure. If we become aware of a personal-data breach likely to result in a risk to your rights, we will notify you and the relevant supervisory authority within the timeframes required by applicable law.

9. Your rights

Subject to applicable law, you have the right to:

  • Access the personal data we hold about you;
  • Rectify inaccurate personal data;
  • Erase personal data (note that due to E2EE we cannot selectively erase the readable contents of your files — only you can);
  • Restrict or object to certain processing;
  • Portability — receive a machine-readable export of the data you provided to us;
  • Withdraw consent where processing is based on consent;
  • Lodge a complaint with a supervisory authority in your place of residence, work, or alleged infringement.

You can exercise most rights directly from your account settings or by emailing privacy@woocloud.net. We will respond within the timeframes required by applicable law.

10. Children

The Service is not directed at children under the age of 16 (or the age of digital consent in your jurisdiction, whichever is higher). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

11. Changes to this policy

We may update this Privacy Policy to reflect changes to the Service or to legal requirements. We will post the revised version on this page and update the "Last updated" date. If the changes are material, we will provide prominent notice, for example by email or an in-app banner, before they take effect.

12. Contact and complaints

For any privacy-related question, request or complaint, contact us at privacy@woocloud.net or by post to [Company Name], [Registered Address].

If you are in the EEA or UK and we have appointed a representative or Data Protection Officer, their contact details will be published here.