Last updated: 2026-04-21
Who we are
HeronKeep is an independent service that holds encrypted documents in escrow and
releases them if the uploader stops signing in. The operator of HeronKeep is the
controller of any personal data you provide.
Data we collect
- Email address — used as your login and to send account-related email (confirmation, reminders, subscription notices).
- Password — stored only as a PBKDF2 hash; never in plaintext.
- Documents you upload — encrypted in your browser with AES-256-GCM before upload. HeronKeep only ever receives ciphertext; the decryption key is part of an access key shown to you once at upload and never leaves your session. Legacy documents uploaded before this change may still use server-side encryption and will be migrated as they are re-uploaded.
- Account metadata — countdown duration and expiry, subscription state, timestamps for confirmation, reminders and purges.
- Payment metadata (paid tiers only) — a subscription identifier returned by our payment processor; no card details are ever seen by HeronKeep.
HeronKeep does not set advertising or analytics cookies. The only cookies set are
the session cookie after sign-in and, when enabled, a preview-access cookie.
Lawful basis
- Contract (Art. 6(1)(b)) — we process your account and documents to deliver the service you signed up for.
- Legal obligation (Art. 6(1)(c)) — we keep limited records to meet tax, accounting, and data-protection duties.
- Legitimate interest (Art. 6(1)(f)) — we use your email to send operational messages such as reminders and security notices.
Retention
- Active accounts — kept for as long as you use HeronKeep.
- Unconfirmed accounts — deleted within 8 hours of registration if the email is not confirmed.
- Released documents — deleted 30 days after they are released.
- Blocked documents on an expired paid plan — deleted 8 days after the subscription expires if not renewed.
- Deleted accounts — removed from the live database immediately; any encrypted copies in infrastructure backups are rotated out within 30 days.
Sub-processors
We use the following sub-processors to run HeronKeep. Each has its own data-processing
agreement with us.
- Cloudflare, Inc. — application hosting (Workers), database (D1), object storage (R2), transactional email (Email Workers).
- Paddle.com Market Ltd. (paid tiers only) — subscription billing and merchant of record. Paddle receives only the data it needs to process payment; HeronKeep does not see card details.
Your rights
Under the GDPR you have the right to access, rectify, erase, restrict, port, or object
to processing of your personal data, and to lodge a complaint with a supervisory
authority. You can exercise most of these rights directly from your dashboard:
- Access / portability — the "Export data" button returns a JSON copy of your account and document metadata.
- Rectification — change your email address from the "Change email" button.
- Erasure — the "Delete account" button irreversibly removes your account, documents, and encrypted blobs.
For any request we cannot process in-app, write to dpo@heronkeep.com.
Data protection officer
HeronKeep's data protection contact can be reached at dpo@heronkeep.com. This is
also the address to use for GDPR requests, breach disclosures, and privacy complaints.
Changes
We may update this policy from time to time. Material changes will be announced by
email to the address on your account before they take effect.