Privacy Policy

Last updated: April 29, 2026

1. Introduction

4EverFile ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our document management platform ("Service").

Our Service is built on a zero-knowledge architecture — we are structurally unable to access the contents of your encrypted documents. This policy describes what data we do collect and how we handle it.

2. Information We Collect

2.1 Account Information

When you register, we collect:

  • Email address — used for authentication, notifications, and account recovery
  • Full name — displayed in your profile and on certificates
  • Password — stored using bcrypt one-way hashing (we cannot read your password)

2.2 Document Metadata

When you upload documents, we store:

  • File name, size, type, and upload timestamp
  • SHA-256 cryptographic hash of the file contents
  • Organization and folder associations
  • Blockchain transaction identifiers (after anchoring)

Important: We do not read, analyze, or access the content of your documents. Documents are encrypted client-side before storage using your unique cryptographic keys.

2.3 Usage Data

We automatically collect:

  • IP address (used for rate limiting and security only)
  • Browser type and version
  • Pages visited and timestamps
  • Error logs and performance metrics

2.4 Payment Information

Payment processing is handled entirely by our third-party payment processor. We do not store credit card numbers, CVVs, or full bank account details on our servers. We receive only a payment confirmation token and transaction reference.

3. How We Use Your Information

We use collected information exclusively to:

  • Provide the Service — authenticate your identity, manage your documents, and process anchoring requests
  • Security — detect and prevent unauthorized access, abuse, and fraud
  • Communication — send transactional emails (password resets, approval requests, anchoring confirmations)
  • Improvement — analyze aggregated, anonymized usage patterns to improve platform performance
  • Legal compliance — respond to lawful requests from government authorities

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

4. Zero-Knowledge Architecture

4EverFile employs a zero-knowledge design for document security:

  • Each user receives a unique RSA-4096 key pair upon registration
  • Document encryption occurs before data reaches our servers
  • We never possess the decryption keys for your documents
  • Even if our systems were compromised, your document contents remain encrypted and inaccessible

This architecture means we are structurally unable to access, read, or analyze the content of your encrypted documents — by design, not just policy.

5. Blockchain and Permanent Storage

5.1 Blockchain Anchoring

When you anchor a document, we record only the SHA-256 hash (not the document itself) on a public distributed ledger. This hash is:

  • Publicly visible on the blockchain
  • Permanently stored and cannot be deleted
  • Not linked to your personal identity on the public ledger

5.2 Permanent Storage

Documents uploaded to the Permanent Vault are stored on a decentralized storage network. Once stored permanently:

  • The document becomes publicly accessible
  • Neither we nor you can delete it from the network
  • You are responsible for ensuring content suitability before permanent storage

6. Data Sharing and Disclosure

We share your information only in the following circumstances:

  • Service Providers — infrastructure partners who help us operate the platform (hosting, email delivery, payment processing), bound by contractual confidentiality obligations
  • Legal Requirements — when required by law, subpoena, court order, or government regulation
  • Safety — to protect the rights, property, or safety of 4EverFile, our users, or the public
  • Business Transfers — in connection with a merger, acquisition, or sale of assets, with prior notice

We will never sell your personal data to advertisers or data brokers.

7. Data Security

We implement enterprise-grade security measures including:

  • TLS 1.2/1.3 encryption for all data in transit
  • AES-256 encryption for data at rest
  • bcrypt password hashing with salt
  • Strict Content Security Policy (CSP) headers
  • Rate limiting on all API endpoints
  • 9-step file upload validation (magic bytes, extension whitelist, ZIP bomb detection, SVG XSS scanning)
  • Non-root Docker containers with resource isolation
  • Automated database backups with 7-day retention

8. Data Retention

  • Active accounts: Data is retained for the duration of your account
  • Deleted accounts: Personal data is purged within 30 days of account deletion
  • Blockchain records: On-chain transaction hashes are permanent and cannot be deleted
  • Permanent storage: Documents in the Permanent Vault are retained indefinitely by the storage network
  • Server logs: IP-based access logs are retained for 90 days for security purposes

9. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access — request a copy of the personal data we hold about you
  • Correction — request correction of inaccurate personal data
  • Deletion — request deletion of your personal data (subject to blockchain immutability)
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing of your personal data

To exercise any of these rights, contact us at privacy@4everfile.com.

10. Cookies

We use a single, essential authentication cookie:

  • access_token — HttpOnly, Secure, SameSite=Strict cookie for session authentication. This cookie contains a JWT token and expires after 24 hours.

We do not use tracking cookies, advertising pixels, or third-party analytics scripts.

11. Children's Privacy

The Service is not intended for users under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 18, we will delete that data promptly.

12. International Data Transfers

Your information may be stored and processed in data centers located in the United States. By using the Service, you consent to the transfer of your information to jurisdictions that may have different data protection laws than your home country.

13. Changes to This Policy

We may update this Privacy Policy periodically. We will notify registered users of material changes via email. Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.

14. Contact Us

For privacy-related inquiries, contact:

4EverFile — Privacy Team
Email: privacy@4everfile.com