1. Who we are
DeepSecret ("DeepSecret", "we", "us", "our") provides an identity-to-identity end-to-end encrypted secret exchange platform delivered as a CLI and supporting web services available at deepsecret.io. This Privacy Policy applies to the DeepSecret service, website, and CLI (collectively, the "Service").
2. Scope of this policy
This policy covers personal data we collect from end users and account administrators when they sign in to DeepSecret, configure organizations, exchange secrets, or visit our website. It does not cover the plaintext content of secrets you exchange — that content is end-to-end encrypted and we cannot read it.
Zero-access by design. Secrets are encrypted on the sender's device using HPKE (RFC 9180) with a hybrid X25519MLKEM768 KEM and AES-256-GCM AEAD, addressed to recipients' public keys. Ciphertext is uploaded to a storage bucket you control. DeepSecret never holds the plaintext of your secrets, and never holds a private key capable of decrypting them.
3. Information we collect
3.1 Account information
- Identity profile from your Google account (see Section 4): your email address, full name, Google account ID, and (if available) profile picture URL.
- Organization metadata: organization name, verified domain, role assignments, and group membership for actors you add.
- Public cryptographic keys generated by your CLI on first sign-in: an Ed25519 signing key and an ML-DSA-65 signing key, plus your X25519 and ML-KEM-768 KEM public keys. Private keys never leave your device.
3.2 Operational data
- Storage configuration for your bring-your-own bucket: the endpoint URL, region, bucket name, and access credentials you provide. Credentials are encrypted at rest.
- Secret metadata: a per-secret identifier, sender, recipients, TTL, IP-lock policy (CIDR list), creation timestamp, and source (sender or organization policy). Metadata is required to route ciphertext and enforce policy. The plaintext content of secrets is not collected.
- Audit log entries: actor, target, action, source IP address, and status of each operation against the API. Used for security review and to satisfy enterprise audit requirements.
- Rate-limiting state: short-lived per-actor counters in Redis.
- API keys issued for CI/CD usage. Stored as one-way hashes; the secret value is shown once at creation and cannot be retrieved later.
3.3 Website & technical data
- Standard server logs (IP address, user agent, request path, timestamp) generated when you access the website or API.
- We do not use third-party advertising trackers and do not sell personal data.
4. Google account data
DeepSecret uses Google Sign-In (Google OAuth 2.0 / OpenID Connect) as our sole authentication method. When you sign in, we request the following scopes:
- openid — to verify your identity.
- email — to identify your account and route invitations and verification.
- profile — your name and profile picture, displayed in-product so collaborators can recognize you.
We do not request access to Gmail, Google Drive, Google Calendar, Contacts, or any other Google user content. We receive only the basic profile fields above.
5. How we use information
- Authenticate you and bind your CLI to your account.
- Show you and your collaborators which actors are participating in an organization or exchange.
- Route encrypted ciphertext to its intended recipients via your storage bucket.
- Enforce per-secret and organization-wide policies (TTL, IP lock, role-based access).
- Maintain an audit trail and protect the Service from abuse.
- Bill organizations on paid plans (per-actor count).
- Send transactional service emails (verification, invitations, security notices). We do not send marketing email without separate consent.
Legal bases under GDPR where applicable: (a) performance of a contract; (b) legitimate interests in operating, securing, and improving the Service; (c) compliance with legal obligations; and (d) consent, where required.
6. Google API Services User Data Policy — Limited Use
DeepSecret's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, data obtained via Google APIs (your openid, email, and profile scopes) is used only to provide and improve user-facing features of DeepSecret — namely authentication and identity display. We do not:
- Use Google user data to serve advertising.
- Allow humans to read this data, except: (i) with your explicit consent for specific messages; (ii) for security purposes such as investigating abuse; (iii) to comply with applicable law; or (iv) where the data has been aggregated and anonymized for internal operations.
- Transfer Google user data to third parties except as necessary to provide or improve user-facing features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
- Use Google user data to train, improve, or develop generalized or non-personalized AI/ML models.
7. Sharing & disclosure
We share personal data only in these cases:
- Within your organization. Other actors in your DeepSecret organization can see your name, email, role, and public keys.
- Service providers (sub-processors). Vetted vendors that help us operate the Service: cloud hosting (compute and database), email delivery for transactional mail, payment processing for paid plans, and error/observability tooling. Each is bound by contract to confidentiality and data-protection terms equivalent to ours.
- Legal compliance. If required by law, court order, or to protect rights, property, or safety.
- Business transfers. In connection with a merger, acquisition, or sale of assets, with notice to affected users and continued protection of personal data.
We do not sell personal data, and we do not share it for cross-context behavioral advertising.
8. Storage & security
- Ciphertext lives in your bucket. The encrypted payload of every secret is uploaded directly to the S3-compatible bucket you configure (AWS S3, Cloudflare R2, DigitalOcean Spaces, MinIO, or any S3-compatible endpoint). DeepSecret does not retain a copy of your ciphertext.
- Account data is stored in encrypted databases in Tier-1 cloud regions. Bucket credentials are encrypted at rest with envelope encryption.
- Transport security: TLS 1.2+ for all API and web traffic.
- Access controls: least-privilege, MFA-enforced administrative access, and audited employee access to production systems.
- Cryptographic design follows current standards: HPKE per RFC 9180, dual signatures (Ed25519 per RFC 8032 and ML-DSA-65 per FIPS 204), and HKDF-SHA-256 key schedule.
No system is perfectly secure. If we become aware of a breach affecting your personal data, we will notify you and the appropriate authorities as required by law.
9. Retention & deletion
- Account data is retained while your account is active.
- Secret metadata is retained until the secret expires (per its TTL) or is explicitly revoked, plus a short window for audit purposes.
- Audit logs are retained for up to 24 months, then deleted or anonymized.
- Server logs are retained for up to 30 days, then rotated.
- Account deletion. You can request deletion of your account at any time by emailing privacy@deepsecret.io. Within 30 days of a verified request, we will delete or irreversibly anonymize your personal data, subject to limited retention required by law (for example, billing records). Ciphertext stored in your own bucket is not affected by account deletion — you control that bucket.
10. Your rights
Depending on where you live, you may have the right to: access the personal data we hold about you; correct inaccurate data; delete your data; restrict or object to certain processing; receive a portable copy of your data; and withdraw consent where processing is based on consent. To exercise any of these rights, email privacy@deepsecret.io. You may also revoke DeepSecret's access to your Google account at any time at myaccount.google.com/permissions.
If you are in the EEA, UK, or Switzerland, you have the right to lodge a complaint with your local data-protection authority. If you are a California resident, you may exercise the rights described in the CCPA/CPRA via the same contact channel.
11. International data transfers
Your data may be processed in countries other than the country in which you reside. Where required, we use appropriate safeguards (such as the European Commission's Standard Contractual Clauses) for international transfers.
12. Children's privacy
DeepSecret is not intended for children under the age of 16, and we do not knowingly collect personal data from children. If you believe a child has provided us personal data, please contact us so we can delete it.
13. Changes to this policy
We may update this Privacy Policy as our practices evolve. Material changes will be communicated via email to account administrators or by a prominent notice on the website. The "Last updated" date at the top of this page indicates when it was last revised.
14. Contact us
For privacy questions, requests, or to exercise your rights, contact us at:
- Email: privacy@deepsecret.io
- General: hello@deepsecret.io