TeraStashalpha
Back to home

Privacy Policy

Last updated: May 6, 2026

1. Introduction

TeraStash (“we,” “us,” or “our”) operates an end-to-end encrypted file storage platform at terastash.io. This Privacy Policy explains what personal data we collect, why we collect it, and how we use it. Because TeraStash uses a zero-knowledge architecture, we have significantly less access to your data than traditional cloud storage services.

2. Data Controller

TeraStash is the data controller for the personal data described in this policy. You can reach us at [email protected].

3. Data We Collect

3.1 Account Data

When you create an account, we collect your email address, display name, and a securely hashed password. This data is required to authenticate you and provide the service.

3.2 Billing Data

Payments are processed by Paddle (Paddle.com Market Limited), which acts as our merchant of record. Paddle collects and processes your payment information (credit card, etc.) under their own privacy policy. TeraStash never receives or stores your full payment details — we only receive order confirmations, subscription status, and transaction identifiers from Paddle.

3.3 Encrypted File Data

Your files are encrypted on your device before being uploaded. We cannot decrypt your files. All encryption and decryption happens exclusively in your browser using keys that never leave your device. We store only opaque, encrypted blobs in EU data centers.

3.4 File Metadata

File metadata (names, content types, folder structure) is encrypted client-side alongside your files. The only plaintext metadata we store are file identifiers (random GUIDs), file sizes, and timestamps. We cannot see your file names, types, or folder organization.

3.5 Technical Logs

We collect minimal server logs including IP addresses, request timestamps, HTTP methods, and error codes. These logs are retained for 30 days and used solely for security monitoring, abuse prevention, and debugging. We never log file names, content types, decryption keys, vault passwords, or encrypted data bodies.

4. What We Do NOT Collect

  • No analytics or tracking scripts on our marketing website
  • No tracking cookies or third-party advertising trackers
  • No file contents, file names, or content types (all encrypted client-side)
  • No decryption keys or vault passwords

5. Legal Bases for Processing (GDPR Art. 6)

  • Contract performance (Art. 6(1)(b)): Processing your account data and storing your encrypted files is necessary to provide the service you signed up for.
  • Legitimate interest (Art. 6(1)(f)): Collecting technical logs for security monitoring, fraud prevention, and service stability.
  • Legal obligation (Art. 6(1)(c)): Retaining certain data when required by law (e.g., tax records related to billing).

6. Data Storage & Transfer

All encrypted file data is stored in EU data centers. Account data is processed by Cloudflare Workers at edge locations with stored data residing in EU regions. We do not voluntarily transfer personal data outside the EU. Where sub-processors operate globally (e.g., Cloudflare edge computing), appropriate safeguards such as Standard Contractual Clauses (SCCs) are in place.

7. Paddle as Merchant of Record

Paddle (Paddle.com Market Limited) acts as the merchant of record for all payments. When you subscribe or make a purchase, you enter into a transaction with Paddle, who processes your payment under their own privacy policy. TeraStash receives only order confirmations, subscription status, and the data necessary to provision your account.

8. Data Retention

  • Account data: Retained while your account is active and for 30 days after account deletion to allow recovery.
  • Encrypted files: Deleted promptly upon your request or account deletion (after the 30-day grace period). Files removed through automated over-quota enforcement are permanently deleted and are not recoverable.
  • Technical logs: Automatically purged after 30 days.
  • Billing records: Retained as required by applicable tax and accounting laws.

9. Your Rights (GDPR)

If you are in the European Economic Area (EEA), you have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate data.
  • Erasure: Request deletion of your personal data.
  • Portability: Receive your data in a structured, machine-readable format.
  • Restriction: Request that we limit processing of your data.
  • Objection: Object to processing based on legitimate interest.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

Note: Because your files are end-to-end encrypted and we cannot decrypt them, we cannot provide the content of your encrypted files in response to an access request. We can provide all plaintext data we hold (account information, file IDs, sizes, and timestamps).

10. Children’s Privacy

TeraStash is not intended for children under 13 years of age. We do not knowingly collect personal data from children under 13. If you are between 13 and 16 and reside in the EU, you need parental or guardian consent to use the service. If we become aware that we have collected data from a child under 13 without appropriate consent, we will delete that data promptly.

11. Security

We implement strong technical measures to protect your data:

  • End-to-end encryption: Files are encrypted in your browser before upload using AES-GCM. Encryption keys are derived client-side and never transmitted to our servers.
  • Zero-knowledge architecture: Our servers store only opaque encrypted blobs. Even in the event of a server breach, your file contents remain protected.
  • TLS in transit: All connections use TLS 1.3.
  • Secure authentication: Passwords are hashed using industry-standard algorithms. Sessions are managed with secure, HTTP-only cookies.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page and, where appropriate, notify you via email. We encourage you to review this page periodically.

13. Contact

If you have any questions about this Privacy Policy or our data practices, contact us at:

[email protected]