Privacy Policy
Your privacy and data security are our top priorities.
Our Commitment to Privacy
PoofKey is built on the principle of zero-knowledge architecture. This means we cannot access, read, or store your sensitive data in any readable format. This privacy policy explains our commitment to protecting your privacy across all our services.
Data We Collect
Encrypted Secrets
We store your secrets in encrypted form using AES-256-GCM authenticated encryption. We cannot decrypt or access the content of your secrets.
Account Information (Premium Users)
For registered users, we collect:
- Email address (for account creation and login)
- Password hash (encrypted, never stored in plain text)
- Account creation date and subscription status
- API keys (for programmatic access)
Payment Information
For premium subscriptions, we work with Stripe for payment processing:
- Payment method information is handled securely by Stripe
- We only receive confirmation of successful payments
- We do not store credit card numbers or payment details
- Stripe's privacy policy applies to payment data
Technical Information
We collect minimal technical information such as IP addresses for security purposes and basic usage analytics.
User Registration and Authentication
When you create an account with PoofKey:
- Email Verification: We verify your email address to ensure account security
- Password Security: Passwords are hashed using industry-standard bcrypt
- Session Management: We use secure session tokens for authentication
- Account Recovery: Password reset functionality is available via email
- Two-Factor Authentication: Available for enhanced security (coming soon)
Payment Processing and Billing
For premium subscriptions, we use Stripe as our payment processor:
- Secure Processing: All payments are processed through Stripe's secure infrastructure
- PCI Compliance: Stripe maintains PCI DSS Level 1 compliance
- Data Minimization: We only receive payment confirmation, not payment details
- Subscription Management: We store subscription status and expiration dates
- Billing History: Basic billing information is stored for account management
Stripe's Role: Stripe processes your payment information according to their privacy policy. We recommend reviewing Stripe's Privacy Policy for details about how they handle your payment data.
How We Protect Your Data
- End-to-End Encryption: All secrets are encrypted with AES-256-GCM before transmission and storage
- Zero-Knowledge: We cannot access your decrypted data
- Auto-Destruction: Secrets are automatically deleted after viewing or expiration
- Time Limits: All secrets have configurable expiration times
- Secure Infrastructure: Data is stored on encrypted, secure servers
- Password Security: User passwords are hashed using bcrypt
- HTTPS Encryption: All data transmission is encrypted
Data Sharing
We do not sell or rent your data to third parties, and we do not share it with them, except:
- Payment Processing: Payment information is shared with Stripe for processing
- Legal Requirements: We may be required to provide technical information (not secret content) in response to valid legal requests
- Service Providers: We may use trusted third-party services for hosting and infrastructure (with appropriate data protection agreements)
Analytics and Logging
We collect minimal analytics to improve our service:
- Number of secrets created (not content)
- Basic performance metrics
- Error rates and system health
- General usage patterns
- Account creation and subscription metrics (aggregated)
We do not log or track the content of secrets or correlate secrets with specific users.
Cookies and Tracking
We use cookies for:
- Session management and authentication
- Security features and CSRF protection
- User experience improvements
- Basic analytics (non-personalized)
We do not use tracking cookies or third-party advertising cookies.
Your Rights
You have the following rights regarding your data:
- Access: You can access your account information through your dashboard
- Correction: You can update your account information at any time
- Deletion: You can delete your account and all associated data
- Portability: You can export your account data
- Secrets: Your secrets are automatically deleted after use or expiration
International Data Transfers
Our service may be accessed from anywhere in the world. We implement appropriate safeguards to protect your data regardless of where it is processed or stored. For users in the European Union, we comply with GDPR requirements.
Contact Us
If you have questions about this privacy policy or our data practices, please contact us at contact@auglab.ai or refer to our Security page for more information.
Changes to This Policy
We may update this privacy policy from time to time. When we do, we will update the "Last updated" date at the top of this page and notify registered users of significant changes via email.