Privacy Policy

Last updated: June 27, 2025

Our Privacy Commitment

At Cryopost, privacy isn't just a policy—it's the foundation of our service. We believe that your messages should remain private, even from us. This Privacy Policy explains how we collect, use, and protect your information while providing our secure message delivery service.

1. Information We Collect

Account Information

When you create an account, we collect:

  • Email address (for account creation and notifications)
  • Authentication tokens from third-party providers (Google, etc.)
  • Account preferences and settings

Message Metadata

We store minimal metadata necessary for service operation:

  • Delivery timestamps and schedules
  • Recipient email addresses (encrypted)
  • Message status (pending, delivered, etc.)
  • Check-in timestamps for dead-man switch functionality

Technical Information

  • IP addresses (for security and fraud prevention)
  • Browser and device information
  • Usage analytics (aggregated and anonymized)

2. What We DON'T Collect

🔒 Your Message Content: All messages are encrypted client-side before reaching our servers. We cannot and do not access the content of your messages.

  • The actual content of your encrypted messages
  • Your encryption keys (these never leave your browser)
  • Detailed browsing patterns or personal behavior tracking
  • Sensitive personal information beyond what's necessary for service operation

3. How We Use Your Information

We use the information we collect solely to provide and improve our service:

  • Deliver encrypted messages according to your specified conditions
  • Send notifications about message delivery and account status
  • Maintain the security and integrity of our service
  • Provide customer support when requested
  • Comply with legal obligations and prevent fraud
  • Improve our service through anonymized usage analytics

4. Data Security

Security is at the core of everything we do:

  • Client-side Encryption: Messages are encrypted in your browser using AES-GCM
  • Timelock Encryption: Uses drand beacons for cryptographically guaranteed time-based unlocking
  • Zero-Knowledge Architecture: We cannot decrypt your messages even if we wanted to
  • Secure Transmission: All data is transmitted over encrypted HTTPS connections
  • Access Controls: Strict access controls and monitoring for all systems
  • Regular Security Audits: Ongoing security assessments and improvements

5. Data Sharing and Disclosure

We do not sell, trade, or otherwise transfer your personal information to third parties, except:

  • Service Providers: Trusted partners who help operate our service (email delivery, hosting)
  • Legal Requirements: When required by law or to protect our rights and safety
  • Business Transfers: In the event of a merger or sale (with user notification)

Note: Even in these cases, encrypted message content remains protected and inaccessible.

6. Data Retention

We retain your information only as long as necessary:

  • Encrypted Messages: Stored until delivery and then deleted
  • Account Data: Retained while your account is active
  • Delivery Logs: Kept for security and audit purposes (90 days)
  • Backup Data: Automatically purged according to our backup retention policy

7. Your Rights

You have the following rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Update or correct inaccurate information
  • Deletion: Request deletion of your account and associated data
  • Portability: Request your data in a portable format
  • Opt-out: Unsubscribe from non-essential communications

8. Cookies and Tracking

We use minimal cookies and tracking:

  • Essential Cookies: Required for login and service functionality
  • Analytics: Anonymized usage statistics to improve our service
  • No Third-party Tracking: We don't use advertising or social media trackers

🛡️ Privacy-First Analytics: We use strictly anonymised, cookie-free analytics (Plausible) that stores only hashed, non-identifiable IDs. We never share or sell your data, and no third-party ad pixels run inside the app.

9. International Users

Cryopost operates globally and complies with applicable privacy laws including GDPR, CCPA, and other regional privacy regulations. Data may be processed in different jurisdictions, but always with appropriate safeguards in place.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through email notifications or prominent notices on our service. Your continued use of Cryopost after such changes constitutes acceptance of the updated policy.

11. Contact Us

If you have any questions about this Privacy Policy or our privacy practices, please contact us:

  • Through our contact form on the website
  • By visiting our Terms of Service page for additional information

We're committed to addressing your privacy concerns and will respond to your inquiry promptly.