Privacy Policy

1. Data Controller

Stormkey
Responsible person: Mike Wicki
Stadtstrasse 15
CH-6204 Sempach
Switzerland
Email: contact@stormkey.app

2. Principles of Processing

Stormkey processes personal data in accordance with the Swiss Federal Act on Data Protection and, where applicable, the GDPR. We process personal data only where necessary for operating the service, security, support, billing, abuse prevention, and communication.

Plaintext file contents and derived file-encryption keys are not stored on our servers. Encryption and decryption take place in the user's browser; separate sharing secrets may be processed temporarily for the selected flow.

3. Data We Process

3.1 Encryption and File Data

• Files and file-encryption passwords are processed client-side for encryption.
• Encrypted file objects and separate sharing secrets such as password links may be processed or stored temporarily for the selected sharing flow.
• Weather snapshots such as temperature, pressure, wind, location, and time are processed as contextual data.

3.2 Account, Usage, and Contact Data

• Email address, account creation time, plan status, and authentication data.
• Usage counters, technical events, and security logs without plaintext file contents or derived file-encryption keys.
• Contact form contents if a user sends a request.

3.3 Payment, Email, and Consent Data

• Payments are processed by Stripe; card data is not stored by Stormkey.
• For service, security, support, billing, and optional product emails, we process email address and delivery metadata.
• For marketing consent, we store status, timestamp, source, language, and consent version.

4. Purposes and Legal Bases

• Providing the service, account management, and support.
• Security, abuse prevention, system stability, and error analysis.
• Billing and compliance with statutory retention obligations.
• Marketing communication only with separate consent.

4a. Abuse Reports and Illegal Use

Reports of illegal content, CSAM concerns, malware, fraud, extortion, IP infringement, or other misuse can be submitted through the contact form with the subject Security / abuse or by email to contact@stormkey.app.

Where possible, a report should include the affected Stormkey link or account email, a short description, the alleged legal violation, contact details, and relevant evidence. Urgent security, CSAM, malware, fraud, and extortion reports are prioritized.

Stormkey reviews reports on a risk-based basis. It does not actively monitor all encrypted content.

5. Service Providers and Disclosure

Stormkey shares personal data only where required to operate the service, where legally required, or with consent. Current service providers may include Render, Neon Postgres, Cloudflare R2, Resend, Stripe, Open-Meteo, and Google Fonts.

6. International Transfers

If data is transferred outside Switzerland or the EEA, we rely on appropriate safeguards such as standard contractual clauses or recognized adequacy decisions.

7. Retention

• Account data: for the contract term and afterwards according to statutory obligations.
• Technical logs: time-limited and purpose-bound.
• Marketing data: until consent is withdrawn.
• Payment and accounting data: according to statutory retention obligations.

8. Data Subject Rights

Data subjects may request access, rectification, erasure, restriction, portability, objection, and withdrawal of consent where legally available. Requests should be sent to contact@stormkey.app. A complaint may also be lodged with the competent supervisory authority; in Switzerland, this is the FDPIC.

9. Cookies, Local Storage, and Tracking

Stormkey uses technically necessary cookies and local browser storage for session, language, and display preferences. Google Analytics 4 is loaded only after active consent; without consent, no analytics tracking takes place.

10. Security and Updates

Stormkey protects data through TLS, access controls, technical security measures, and a client-side encryption approach. This privacy policy may be updated; the published version in force applies.