Last Updated: April 11, 2026
This Privacy Policy ("Policy") describes how Afina Systems Spółka z ograniczoną odpowiedzialnością (KRS: 0000884244, NIP: 5252852337, REGON: 388239950, VAT ID: PL5252852337), a company organized under the laws of the Republic of Poland, with its registered office at ul. Senatorska 2, 00-075 Warszawa, Poland ("SafeDisk," "Company," "we," "us," "our"), collects, uses, stores, shares, and protects your personal data when you use the SafeDisk software application, web management panel, and associated services (collectively, the "Service").
We are committed to protecting your privacy and processing your personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Polish Act on the Protection of Personal Data, and other applicable data protection legislation.
BY CREATING AN ACCOUNT OR USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY.
1. Data Controller
The data controller for the purposes of the GDPR is:
Afina Systems Spółka z ograniczoną odpowiedzialnością
ul. Senatorska 2, 00-075 Warszawa, Poland
KRS: 0000884244 | NIP: 5252852337 | REGON: 388239950 | VAT ID: PL5252852337
Email: support@safedisk.app
For all privacy-related inquiries, data subject requests, or complaints, please contact us at support@safedisk.app.
2. Data We Collect
We collect only the data necessary to provide, secure, and improve the Service. We organize collected data into the following categories:
2.1 Account Data
Data you provide when creating and managing your account:
| Data | Purpose | Basis |
|---|---|---|
| Email address | Account identification, communication, verification | Contract |
| Name | Display name within the Service | Contract |
| Profile image (optional) | User interface personalization | Consent |
| Language preference | Localization of emails and interface | Contract |
| Account password (Argon2id hash only) | Authentication | Contract |
We never store your account password in plaintext. Passwords are irreversibly hashed using the Argon2id algorithm before storage.
2.2 Encryption and Disk Data
Data generated when you create and use Encrypted Containers:
| Data | Purpose | Basis |
|---|---|---|
| Disk name | User-assigned label for identification | Contract |
| Master Password hash (Argon2id) | Password validation for disk access | Contract |
| Backup Password hash (Argon2id) | Password validation for Double Safe access | Contract |
| Encrypted Disk Encryption Key | Envelope-encrypted key for unlocking Encrypted Containers | Contract |
| Disk size (bytes) | Storage quota enforcement | Contract |
| Disk lock status and timestamps | Security state management | Contract |
| Recovery request status and timestamps | Master Password Recovery process tracking | Contract |
Critical distinction: We store only Argon2id hashes of your Master Password and Backup Password, and only the encrypted form of the Disk Encryption Key. A hash lets us verify that a password you enter is correct; it cannot be reversed to recover the password itself. The Disk Encryption Key is encrypted with your device's RSA-4096 public key and can only be decrypted by the corresponding private key, which is stored exclusively on your device.
We never have access to the files stored within your Encrypted Containers. All file encryption and decryption occurs locally on your device using operating system-native encryption (BitLocker with XTS-AES-256 on Windows; AES-256 encrypted disk images created with hdiutil on macOS). The contents of your Encrypted Containers never leave your device and are never transmitted to our servers.
2.3 Device Data
Data collected when you register a device with the Service:
| Data | Purpose | Basis |
|---|---|---|
| Device name | Device identification in the management interface | Contract |
| Device public key (RSA-4096) | Secure key transport — encrypting Disk Encryption Keys for delivery | Contract |
| Device status (active/blocked) | Access control | Contract |
| Registration and last-used timestamps | Security monitoring and session management | Contract |
Your device's private key is never transmitted to SafeDisk. The RSA-4096 private key is generated and stored exclusively on your device, protected by operating system-level encryption (DPAPI on Windows; Keychain on macOS).
2.4 Subscription and Billing Data
| Data | Purpose | Basis |
|---|---|---|
| Subscription plan and status | Feature access and service provisioning | Contract |
| Trial and billing period dates | Subscription lifecycle management | Contract |
| Stripe Customer ID | Link to payment processor for billing | Contract |
We do not store payment card numbers, bank account details, or other financial payment instruments. All payment processing is handled by Stripe, Inc. When you enter payment information, it is transmitted directly to Stripe and never passes through or is stored on SafeDisk servers. See Section 6 for Stripe's privacy practices.
2.5 Audit Log Data
Every significant action on your account is recorded in an audit log:
| Data | Purpose | Basis |
|---|---|---|
| Event type | Identifying what action occurred | Legitimate interest |
| Event detail (contextual metadata) | Providing context for the event | Legitimate interest |
| IP address | Security monitoring, fraud prevention, geographic context | Legitimate interest |
| User agent (browser/client string) | Security monitoring, session fingerprinting | Legitimate interest |
| Country (derived from IP) | Geographic context for security alerts | Legitimate interest |
| Timestamp | Chronological record of events | Legitimate interest |
Audit logs serve as a security mechanism to help you and (where applicable) your Organization detect unauthorized access, investigate incidents, and comply with regulatory requirements. You can view your personal audit log through the Web Panel (Standard and Business plans).
2.6 Connection and Session Data
| Data | Purpose | Basis |
|---|---|---|
| Active connection records (disk, server instance, heartbeat, IP) | Real-time connection management, concurrent session tracking | Contract |
| Session tokens (httpOnly cookies) | Authentication state management | Contract |
| Session fingerprint (IP + user-agent hash) | Session binding to prevent token theft | Legitimate interest |
Session tokens are stored as HttpOnly, Secure, SameSite=Strict cookies. Access tokens have a 15-minute TTL; refresh tokens have a 7-day TTL.
2.7 Two-Factor Authentication Data
| Data | Purpose | Basis |
|---|---|---|
| TOTP secret (encrypted) | Time-based one-time password generation | Contract |
| Backup codes (Argon2id hashed) | Emergency login bypass | Contract |
| FIDO2/WebAuthn credentials (public key, counter, device type) | Hardware security key authentication | Contract |
TOTP secrets are encrypted before storage. Backup codes are irreversibly hashed using Argon2id. FIDO2/WebAuthn credentials store only cryptographic public keys — no biometric data is collected or processed.
2.8 Organization Data (Business Plan)
If you are part of an Organization:
| Data | Purpose | Basis |
|---|---|---|
| Organization name, slug, logo, domain | Organization identification and branding | Contract |
| Member list with roles and join timestamps | Access control and administration | Contract |
| Group memberships | Policy assignment and organizational structure | Contract |
| Security policies (2FA, password, session rules) | Organizational security enforcement | Contract |
| SSO configuration (Corporation plan) | Single sign-on integration | Contract |
Organization administrators have access to organization-level audit logs and member management data as described in the Terms of Service.
2.9 Trusted Person Data
| Data | Purpose | Basis |
|---|---|---|
| Trusted Person relationships (owner + trusted user) | Emergency access and recovery oversight | Contract |
| Invitation status and timestamps | Relationship lifecycle management | Contract |
Trusted Persons can see that they are designated as a trusted contact and can perform emergency lock and recovery blocking actions. They do not have access to the contents of your Encrypted Containers or your Disk Encryption Keys.
2.10 Legal Consent Records
| Data | Purpose | Basis |
|---|---|---|
| Consent type (Terms of Service / Privacy Policy) | Proof of consent | Legal obligation |
| Document version consented to | Version tracking for re-consent | Legal obligation |
| Timestamp of consent | Temporal proof | Legal obligation |
2.11 Crash Reports (Optional)
The SafeDisk desktop application includes optional crash reporting via Sentry:
| Data | Purpose | Basis |
|---|---|---|
| Crash stack traces and error details | Diagnosing and fixing software defects | Consent |
| Basic system information | Context for debugging | Consent |
Crash reporting is entirely optional and opt-in. You are prompted for consent on the first crash event, and your preference is stored locally. You can change this preference at any time in the application settings. Crash report data is processed by Functional Software, Inc. (Sentry) and hosted in the European Union (Frankfurt, Germany).
3. Data We Do NOT Collect
To be explicit about the boundaries of our data collection:
- File contents: We never access, read, transmit, or store the files within your Encrypted Containers. All encryption and decryption happens locally on your device.
- Plaintext passwords: We never store your account password, Master Password, or Backup Password in plaintext. Only irreversible Argon2id hashes are stored.
- Device private keys: Your RSA-4096 private key never leaves your device.
- Payment card data: All payment information is handled directly by Stripe.
- Usage analytics or behavioral tracking: We do not use any analytics platforms (e.g., Google Analytics, Mixpanel, Segment, Amplitude) or advertising trackers. We do not track your browsing behavior, feature usage patterns, or in-app activity beyond the audit log.
- Advertising identifiers or cross-site tracking: We do not use advertising cookies, pixels, or any form of cross-site tracking.
- Biometric data: We do not collect or process biometric data. FIDO2/WebAuthn hardware security keys use cryptographic key pairs — any biometric authentication (e.g., fingerprint on the key) happens locally on the device and is never transmitted to SafeDisk.
4. How We Use Your Data
We process your personal data for the following purposes:
4.1 Service Provision (Legal Basis: Contract Performance — Art. 6(1)(b) GDPR)
- Creating and managing your account.
- Generating and securely delivering Disk Encryption Keys to your registered devices.
- Validating passwords for disk access.
- Managing your subscription, billing cycle, and feature access.
- Processing the Master Password Recovery flow (14-day waiting period).
- Enabling Trusted Person and Organization features.
- Sending transactional emails: verification codes, password reset links, subscription notifications, recovery alerts, and Trusted Person notifications.
4.2 Security and Fraud Prevention (Legal Basis: Legitimate Interest — Art. 6(1)(f) GDPR)
- Maintaining audit logs to detect and investigate unauthorized access.
- Rate limiting authentication endpoints to prevent brute-force attacks.
- Session fingerprinting (IP + user-agent binding) to detect session hijacking.
- Checking passwords against known breach databases (Have I Been Pwned) during registration.
- Enforcing account lockouts and 2FA challenges on suspicious activity.
Our legitimate interest in these processing activities is the security of our infrastructure and the protection of all Users' accounts and data. We have assessed that these interests are not overridden by your rights and freedoms, particularly given that the data processed is limited to what is necessary for security purposes and the processing directly benefits you by protecting your account.
4.3 Legal Compliance (Legal Basis: Legal Obligation — Art. 6(1)(c) GDPR)
- Maintaining consent records to demonstrate compliance with GDPR.
- Responding to lawful data access or deletion requests.
- Cooperating with law enforcement when required by a valid legal order.
4.4 Optional Crash Reporting (Legal Basis: Consent — Art. 6(1)(a) GDPR)
- Diagnosing and resolving software defects using crash reports, only if you have opted in.
- You may withdraw consent at any time by changing the crash reporting preference in the desktop application settings. Withdrawal of consent does not affect the lawfulness of processing prior to withdrawal.
5. Data We Do NOT Use
- We do not sell your personal data to anyone.
- We do not use your data for advertising, profiling, or targeted marketing.
- We do not make automated decisions or engage in profiling that produces legal or similarly significant effects on you.
- We do not share your data with data brokers.
- We do not use the contents of your Encrypted Containers for any purpose (we do not have access to them).
6. Third-Party Processors
We engage a limited number of third-party processors to operate the Service. Each processor processes only the data necessary for its function:
6.1 Stripe, Inc.
- Purpose: Payment processing and subscription management.
- Data shared: Email address and Stripe Customer ID. Payment card details are entered directly into Stripe's interface and never touch SafeDisk servers.
- Location: United States (with EU data processing commitments).
- Safeguards: Stripe is PCI-DSS Level 1 certified. Data transfers are covered by Standard Contractual Clauses (SCCs).
- Privacy Policy: https://stripe.com/privacy
6.2 Functional Software, Inc. (Sentry)
- Purpose: Optional crash reporting for the desktop application.
- Data shared: Crash stack traces and basic system information, only when you opt in.
- Location: European Union (Frankfurt, Germany).
- Safeguards: Data is hosted within the EU. Processing is based on your explicit consent.
- Privacy Policy: https://sentry.io/privacy/
6.3 DigitalOcean, LLC
- Purpose: Cloud infrastructure hosting (application servers, databases, networking).
- Data shared: All server-side data described in Section 2 is stored on DigitalOcean infrastructure.
- Location: European Union (Frankfurt, Germany — FRA1 datacenter region).
- Safeguards: SOC 2 Type II and ISO 27001 certified. Data transfers are covered by Standard Contractual Clauses (SCCs) and DigitalOcean's Data Processing Agreement.
- Privacy Policy: https://www.digitalocean.com/legal/privacy-policy
We do not share your personal data with any third party beyond those listed above, except where required by applicable law (see Section 10).
7. International Data Transfers
Your personal data is primarily stored and processed within the European Economic Area (EEA).
Where data is transferred outside the EEA (e.g., to Stripe, Inc. in the United States), we ensure that appropriate safeguards are in place as required by Chapter V of the GDPR, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Adequacy decisions where applicable.
You may request a copy of the applicable safeguards by contacting us at support@safedisk.app.
8. Data Retention
We retain your data only as long as necessary for the purposes described in this Policy:
| Data Category | Retention Period |
|---|---|
| Account data | Duration of active account |
| Encryption and disk data | Duration of active account (deleted on disk deletion or account deletion) |
| Device data | Duration of active account |
| Subscription data | Duration of active account |
| Audit logs (Standard plan) | 1 year from event date |
| Audit logs (Business plan) | 2 years from event date |
| Session data | Maximum 30 days (session TTL) |
| Legal consent records | Duration of active account plus 5 years after deletion (to demonstrate compliance) |
| Crash reports (Sentry) | Subject to Sentry's retention policy (typically 90 days) |
8.1 After Subscription Expiry
When your subscription expires:
- Grace Period (7 days): Full data retained; limited service access.
- Blocked Status: Data retained but service access revoked.
- Permanent Deletion (90 days after block): All disk-related data (Disk Encryption Keys, disk metadata, Trusted Person associations, pending commands) is permanently and irrevocably deleted from our servers. Your user account record is preserved to allow re-subscription.
You will receive data deletion warnings at approximately 60 and 83 days after your account is blocked.
8.2 Account Deletion
When you request account deletion:
- All associated data is deleted, including: disks, subscriptions, device registrations, Trusted Person relationships (as owner), active connections, and pending commands.
- Trusted Person relationships where you are the trusted party are updated to "removed" status.
- Account deletion is subject to a 30-day cooling period during which you may cancel the deletion.
- After the cooling period, deletion is permanent and irreversible.
8.3 Organization Member Removal
If you are removed from an Organization, your disk data is deleted according to the Organization's data retention policy:
- Immediately, 30 days, or 90 days after removal, as configured by the Organization administrator.
9. Your Rights Under the GDPR
As a data subject, you have the following rights under the GDPR:
9.1 Right of Access (Art. 15 GDPR)
You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data. You can access most of your data directly through the Web Panel (profile, audit logs, device list, disk list).
9.2 Right to Rectification (Art. 16 GDPR)
You have the right to correct inaccurate personal data. You can update your name and email address through the Web Panel.
9.3 Right to Erasure (Art. 17 GDPR)
You have the right to request deletion of your personal data. You can initiate account deletion through the Web Panel.
Important: Exercising this right will result in permanent loss of access to all your Encrypted Containers, as the Disk Encryption Keys stored on our servers will be deleted. This action cannot be undone. We recommend exporting all data from your Encrypted Containers before requesting deletion.
9.4 Right to Restriction of Processing (Art. 18 GDPR)
You have the right to request restriction of processing in the circumstances specified in Art. 18 GDPR (e.g., when you contest accuracy, when processing is unlawful, or when we no longer need the data but you need it for legal claims).
9.5 Right to Data Portability (Art. 20 GDPR)
You have the right to receive your personal data in a structured, commonly used, machine-readable format. You can export your audit logs in CSV or JSON format through the Web Panel (Standard and Business plans).
For other data categories, contact us at support@safedisk.app and we will provide your data in a machine-readable format within 30 days.
9.6 Right to Object (Art. 21 GDPR)
You have the right to object to processing based on legitimate interest (Section 4.2). Upon receiving an objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
9.7 Right to Withdraw Consent (Art. 7(3) GDPR)
Where processing is based on consent (crash reporting), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
9.8 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority. The lead supervisory authority for SafeDisk is:
Prezes Urzędu Ochrony Danych Osobowych (PUODO)
ul. Stawki 2, 00-193 Warszawa, Poland
https://uodo.gov.pl
If you reside in another EU/EEA member state, you may also lodge a complaint with your local supervisory authority.
9.9 Exercising Your Rights
To exercise any of these rights, contact us at support@safedisk.app. We will respond within 30 days of receiving your request. If the request is complex or we receive a high volume of requests, we may extend this period by up to 60 additional days, in which case we will notify you within the initial 30-day period.
We may request verification of your identity before processing your request to prevent unauthorized access to personal data.
10. Disclosure of Data
We may disclose your personal data only in the following limited circumstances:
10.1 Legal Requirements
We may disclose data when required by applicable law, regulation, legal process, or enforceable governmental request. Where permitted by law, we will notify you of such a request.
10.2 Protection of Rights
We may disclose data when we believe in good faith that disclosure is necessary to protect our rights, your safety, the safety of others, investigate fraud, or respond to a government request.
10.3 With Your Consent
We may share data with third parties when you have given explicit consent.
10.4 What We Cannot Disclose
We cannot provide the contents of your Encrypted Containers to any party, including law enforcement, because we do not have access to them. Encryption and decryption occurs exclusively on your device. We do not possess your Master Password, Backup Password, or unencrypted Disk Encryption Keys.
If we receive a lawful request for the contents of your Encrypted Containers, we can only provide the encrypted Disk Encryption Keys and password hashes stored on our servers; these cannot be used to decrypt your containers without the corresponding device private key and your passwords. We will notify the requesting party of this technical limitation.
11. Security Measures
We implement the following technical and organizational measures to protect your personal data:
11.1 Encryption and Cryptography
- Passwords: Hashed using Argon2id (memory-hard, GPU-resistant algorithm).
- Key transport: RSA-4096 asymmetric encryption for Disk Encryption Key delivery.
- TOTP secrets: Encrypted before database storage.
- Backup codes: Irreversibly hashed using Argon2id.
- Disk encryption: Delegated to operating system-native subsystems (BitLocker XTS-AES-256 on Windows; AES-256 hdiutil on macOS).
11.2 Access Controls
- Authentication: Multi-factor authentication (TOTP via authenticator applications, FIDO2 hardware security keys) available and encouraged.
- Session management: Short-lived access tokens (15 minutes), session fingerprinting, token rotation on refresh.
- Rate limiting: Authentication endpoints are rate-limited to prevent brute-force attacks.
- Password breach checking: Registration passwords are checked against the Have I Been Pwned database.
11.3 Infrastructure Security
- HTTPS only: All data in transit is encrypted with TLS.
- Security headers: Helmet.js enforces HSTS, X-Frame-Options, X-Content-Type-Options, and other protective HTTP headers.
- Cookie security: HttpOnly, Secure, SameSite=Strict cookies for session management.
- Database: Encrypted at rest with provider-level disk encryption; SSL/TLS connections with certificate validation.
11.4 Sensitive Data Handling in Memory
The desktop application employs the following runtime protections:
- Sensitive strings (passwords, recovery keys) are stored in pinned memory arrays and explicitly zeroed using `CryptographicOperations.ZeroMemory()` upon disposal.
- Passwords are passed to system processes via stdin rather than command-line arguments to prevent exposure in process listings.
11.5 Organizational Measures
- Access to production data is restricted to authorized personnel on a need-to-know basis.
- We conduct regular security assessments of our infrastructure and codebase.
12. Cookies and Local Storage
12.1 Essential Cookies
We use the following essential cookies, which are strictly necessary for the Service to function:
| Cookie | Purpose | Duration |
|---|---|---|
| safeDisk_auth.session_token | Authentication session token | 30 days |
| safeDisk_auth.session_data | Cached session data | Configurable (minutes) |
These cookies are classified as "strictly necessary" under the ePrivacy Directive and do not require separate consent.
12.2 No Tracking Cookies
We do not use any tracking, advertising, analytics, or third-party cookies. We do not use cookie-based profiling or cross-site tracking.
12.3 Local Storage (Desktop Application)
The desktop application stores the following data locally on your device:
| Data | Location | Purpose |
|---|---|---|
| Device RSA-4096 private key | DPAPI-encrypted file (Windows) / Keychain (macOS) | Secure key storage |
| Crash reporting preference | preferences.json | Consent record |
| Active mount state | active_mounts.json | Recovery after application restart |
| Application logs | logs/ directory | Local troubleshooting |
All locally stored sensitive data is encrypted using operating system-provided mechanisms.
13. Children's Privacy
The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete that data promptly. If you believe a child under 16 has provided data to us, please contact us at support@safedisk.app.
14. Data Protection Impact Assessment
Given the nature of the Service (encryption of personal data, processing of sensitive security data), we have conducted a Data Protection Impact Assessment (DPIA) in accordance with Art. 35 GDPR. The assessment concluded that the risks to data subjects are adequately mitigated by the technical and organizational measures described in this Policy, particularly the zero-knowledge architecture that prevents SafeDisk from accessing encrypted file contents.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Material changes will be communicated via:
- Email to your registered email address, at least 30 days before the changes take effect.
- A notice in the Web Panel or desktop application.
If a change materially affects how we process your existing data, we will seek your renewed consent where required by law. Your continued use of the Service after the effective date of the updated Policy constitutes acceptance of the changes.
We recommend reviewing this Policy periodically. The "Last Updated" date at the top indicates the most recent revision.
16. Contact Us
For any questions, concerns, or requests related to this Privacy Policy or your personal data:
Afina Systems Spółka z ograniczoną odpowiedzialnością
ul. Senatorska 2, 00-075 Warszawa, Poland
KRS: 0000884244 | NIP: 5252852337 | REGON: 388239950 | VAT ID: PL5252852337
Email: support@safedisk.app
For data protection complaints, you may also contact the Polish Data Protection Authority:
Prezes Urzędu Ochrony Danych Osobowych (PUODO)
ul. Stawki 2, 00-193 Warszawa, Poland
https://uodo.gov.pl
EU Online Dispute Resolution: https://ec.europa.eu/consumers/odr
SafeDisk — Your fortress in the digital world.