Privacy Policy
Our Commitment: Secret is built with privacy by design. We never store, log, or access your document content. Your data remains completely private.
1. Information We Collect
1.1 Data We DO NOT Collect
- We never store or log the content of your PDF documents
- We never store or log any data you send to our API
- We never cache your document content
1.2 Technical Data We Collect
- Anonymized website statistics (using Plausible Analytics)
- API usage statistics (number of requests, response times, credits used)
- Error logs (without your document content)
- Your templates and settings
- Authentication tokens and API keys
- Billing and subscription information
2. How We Process Your Data
Zero-Knowledge Processing: Your documents are processed in real time and immediately discarded after PDF generation. We have no ability to access or retrieve your document content after processing.
- Document processing occurs in isolated, ephemeral containers
- All processing memory is cleared after each request
- No persistent storage of document content
3. Data Sharing and Disclosure
We never share, sell, or disclose your document content to third parties. Since we don't store your content, we have nothing to share.
Limited Sharing of Non-Content Data
- Payment processing through secure payment providers
- Analytics for service improvement (anonymized usage patterns only)
- Legal compliance when required by law (limited to non-content data)
4. GDPR & HIPAA Compliance
GDPR Compliance
- Right to access: We provide transparency about data processing
- Right to deletion: Your data is automatically deleted after processing
- Right to portability: You retain full control of your data
- Data minimization: We only process data necessary for service delivery
HIPAA Compliance
- No storage of Protected Health Information (PHI)
- Secure transmission protocols
5. Security Measures
- TLS 1.3 encryption for all data transmission
- Isolated processing environments
- Multi-factor authentication for administrative access
- Regular security training for all team members
- Incident response and breach notification procedures
6. Hosting and Third-Party Services
Hosting Infrastructure
- API Infrastructure: Microsoft Azure - Enterprise-grade security, GDPR & HIPAA compliant infrastructure
- Website Hosting: GitHub Pages - Fast, reliable static site hosting with SSL encryption
Third-Party Services
We use minimal third-party services, all carefully vetted for security and privacy:
- Payment Processing: Industry-standard payment processor (Stripe) with no payment data stored by us
- Analytics: Privacy-focused analytics (Plausible.io) with no personal data tracking
7. Your Rights
- Request information about data processing
- Request deletion of your account and associated data
- Withdraw consent for marketing communications
- Request data portability for account information
- Lodge complaints with supervisory authorities
8. Data Retention
- Document Content: Immediately deleted after processing (never stored)
- API Logs: Kept for 30 days maximum (without document content)
- Account Data: Retained while account is active, deleted within 30 days of account closure
- Billing Records: Retained as required by law (typically 7 years)
9. International Data Transfers
While we process data globally for performance, we ensure all transfers comply with applicable data protection laws through appropriate safeguards such as Standard Contractual Clauses and adequacy decisions.
10. Changes to This Policy
We may update this privacy policy to reflect changes in our practices or legal requirements. We will notify users of material changes through our website or email notifications. Continued use of our service constitutes acceptance of the updated policy.
11. Contact Information
Data Controller: The49 Ltd
Contact: For privacy-related questions, please contact us at [email protected]
Effective Date: November 2025