CopyClap
Sign InGet Started
Back

Privacy Policy

Last updated: May 2026

1. Introduction

CopyClap ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and safeguard your information when you use our encrypted file storage service (the "Service"). By using the Service, you agree to the practices described in this policy.

2. Information We Collect

Account Information. When you register, we collect your email address and name. We use this solely for authentication, account management, and essential service communications.

File Metadata. We store metadata associated with your files, such as filenames, file sizes, MIME types, folder structures, and share link configurations. We do not store your vault password or encryption keys, and we cannot access the contents of your encrypted files.

Usage Data and Logs. Our servers automatically log certain information for security and operational purposes, including your IP address, request timestamps, user agent strings, and error reports. These logs are retained for a limited period to prevent abuse, enforce rate limits, investigate security incidents, and maintain service integrity.

Cookies and Local Storage. We use essential cookies and browser local storage to maintain your authenticated session and store client-side application preferences. We do not use cookies for advertising, profiling, or third-party tracking.

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service;
  • Authenticate your identity and manage your account;
  • Enforce storage quotas, rate limits, and tier-based feature access;
  • Detect, prevent, and respond to security incidents, abuse, or fraud;
  • Communicate with you about your account, service changes, or security alerts;
  • Comply with applicable legal obligations.

4. Legal Basis for Processing

If you are located in the European Economic Area (EEA) or United Kingdom, our legal basis for processing your personal data depends on the context:

  • Performance of a contract — processing necessary to provide the Service to you;
  • Legitimate interests — security, fraud prevention, abuse detection, and service improvement;
  • Legal obligation — compliance with laws, regulations, or valid legal requests;
  • Consent — where you have explicitly consented (e.g., optional communications).

5. Cookies and Similar Technologies

We use strictly necessary cookies to manage your authentication session. These cookies are essential for the Service to function and cannot be disabled. We do not employ analytics cookies, advertising cookies, or third-party tracking scripts. You may configure your browser to refuse cookies, but doing so may prevent you from using certain features of the Service.

6. Data Sharing and Third Parties

We do not sell, rent, or trade your personal information. We share limited data only with trusted infrastructure providers necessary to operate the Service:

  • Backblaze B2 — encrypted file content and metadata are stored on Backblaze B2 cloud storage. Backblaze processes this data under our instructions and does not have access to decryption keys.
  • Cloudflare — we use Cloudflare for DDoS mitigation, CDN delivery of static assets, and DNS resolution. Cloudflare may process IP addresses and TLS metadata as part of their service.
  • Plunk — we use Plunk to send transactional emails (e.g., verification, password reset) and, if you contact us by email, to receive and process inbound messages. Plunk processes your email address and message content solely for email delivery and support handling on our behalf.

We may also disclose information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of our users or the public.

7. Public Share Links

When you create a public share link, the file or folder name, size, and MIME type may be accessible to anyone with the link. The actual file contents remain encrypted and can only be decrypted by recipients who possess the corresponding decryption key (which is either embedded in the link or provided separately by you). You are responsible for controlling distribution of your share links.

8. Data Retention

Active Files. We retain your files and account data for as long as your account remains active or as needed to provide the Service.

Trash. Files moved to trash are permanently deleted after 30 days. During this period, you may restore them from the trash.

Over-Limit Storage. If your Pro subscription lapses and your stored data exceeds the free tier limit, you have a 60-day grace period to download or delete excess files before they may be subject to removal.

Content Moderation. If content is removed by our moderation team for violations of our Terms of Service, associated metadata may be retained for audit and legal compliance purposes.

Server Logs. Security and access logs are retained for a limited period (typically 90 days) and then automatically purged.

9. Data Security

Your files are encrypted with AES-256-GCM in your browser before upload. The server never sees your plaintext data, vault password, or unencrypted encryption keys. We implement industry-standard security measures for our infrastructure, including TLS encryption for data in transit, access controls, and regular security monitoring. However, no method of electronic storage or transmission is 100% secure, and we cannot guarantee absolute security.

10. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you;
  • Correction — request that we correct inaccurate or incomplete data;
  • Deletion — request deletion of your personal data and account;
  • Portability — request export of your data in a machine-readable format;
  • Restriction — request that we limit processing of your data;
  • Objection — object to processing based on legitimate interests;
  • Withdraw Consent — withdraw consent where processing is based on consent.

To exercise these rights, please contact us using the information below. We will respond within the timeframe required by applicable law.

11. Children's Privacy

The Service is not intended for individuals under the age of 13 (or the minimum age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If we learn that we have collected personal data from a child without verifiable parental consent, we will delete that information as quickly as possible.

12. International Data Transfers

Your data, including encrypted file content and metadata, may be transferred to and stored on servers located outside your country of residence, including in the United States and the European Union. By using the Service, you consent to such transfers. We ensure that any international transfers are subject to appropriate safeguards in accordance with applicable data protection laws.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Service features. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date. Your continued use of the Service after such changes constitutes acceptance of the updated policy.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us .