SecureShare
by Cyberace
Back
LEGAL

Privacy Policy

Last updated: July 10, 2026

This page is maintained by CYBERACE LTD to answer common privacy questions about SecureShare. It is not a substitute for legal advice.

This Privacy Policy explains how CYBERACE LTD ("we") collects, uses, and protects the data processed through SecureShare, in accordance with Regulation (EU) 2016/679 ("GDPR") and applicable data protection law in the European Union.

§1. Data controller

Controller: CYBERACE LTD.
Contact: legal@cyberace.tech
Web: cyberace.tech

§2. What we process

  • Encrypted payload (ciphertext). Your password is encrypted in your browser (AES-GCM 256-bit) before it leaves your device. We only store the encrypted bytes. The decryption key is placed in the URL fragment (#…) and is never sent to our servers.
  • Secret metadata. Expiration timestamp, one-time flag, and the AES initialisation vector. Deleted when the secret is opened (if one-time) or when it expires.
  • Technical data (IP address, request headers). Processed transiently and solely to prevent abuse and keep the service available.

We do not use tracking cookies, advertising profiles, or analytics that identify you personally.

§3. Purposes and legal basis

  • Provide the sharing service. Performance of the service you request (Art. 6(1)(b) GDPR).
  • Security and abuse prevention. Legitimate interest in protecting the service (Art. 6(1)(f) GDPR).
  • Compliance with legal obligations where applicable (Art. 6(1)(c) GDPR).

We do not make automated decisions or profiling with your data, and we never sell it.

§4. Retention

  • Secrets. Until the expiration you choose (10 minutes, 1 hour, 24 hours, or 7 days) or until the first read for one-time secrets. Then permanently removed.
  • Abuse-prevention data. Very short retention; removed automatically by periodic cleanup jobs.

§5. Recipients and processors

We share only the minimum data required with the following processors, bound by a data processing agreement:

  • Lovable Cloud (Supabase - Europe Region). Database and server-function infrastructure.
  • Cloudflare. Content delivery and service-availability protection.

Some providers may process data outside the European Economic Area. In such cases, transfers are covered by adequacy decisions or Standard Contractual Clauses approved by the European Commission.

§6. Your rights

Under the GDPR you may exercise the rights of access, rectification, erasure, restriction of processing, objection, portability, and withdrawal of consent at any time — without affecting the lawfulness of processing based on consent before its withdrawal.

To exercise them, write to legal@cyberace.tech. You may also lodge a complaint with your national data-protection supervisory authority.

§7. Security

We apply appropriate technical and organisational measures to protect personal data, including:

  • End-to-end encryption in your browser before transmission (AES-GCM 256-bit via WebCrypto).
  • TLS in transit.
  • A zero-knowledge architecture: the server never sees the password in cleartext.
  • Least-privilege access controls and hardened server-side validation.

§8. Changes

We may update this policy to reflect operational or legal changes. The date at the top indicates the most recent revision.

Encrypted in your browser · The server never sees your passwordlegal@cyberace.tech