Privacy Policy

Last updated: 8/5/2025

This Privacy Policy describes how Zettler.host (“Zettler”, “we”, “us”) collects, uses, and protects information in connection with our zero‑trust, end‑to‑end encrypted file hosting service.

1. What we collect

  • Account data: email address, name, team and billing details, authentication metadata (e.g., sign‑in timestamps), and preferences.
  • Service telemetry: strictly necessary technical logs (e.g., request IDs, error traces, performance metrics) for reliability and security. We do not sell or use this for cross‑site advertising.
  • Encrypted content: when E2EE is enabled, files are encrypted in your browser and we store only ciphertext, file size, format, and routing metadata. We cannot access plaintext or per‑file keys.
  • Optional integrations: SSO identities, API usage, and webhooks metadata when you enable related features.

2. How we use information

  • Provide, secure, and improve the Service (including detecting abuse and ensuring availability).
  • Communicate about updates, invites, billing, and support.
  • Comply with law and enforce our Terms.

3. End‑to‑end encryption and keys

  • Files are encrypted client‑side with per‑file keys (e.g., AES‑GCM). Keys are wrapped by account keys and optional link passwords.
  • We do not possess plaintext keys unless you explicitly enable an escrow or recovery feature (e.g., enterprise HSM‑backed recovery).
  • If you opt into features requiring server‑side processing (e.g., malware scanning, thumbnails, content transformations), we will disclose the scope and ensure appropriate safeguards.

4. Data residency and transfers

You may choose hosting region(s) such as US/EU. We may process limited account data in other regions (e.g., for support) subject to appropriate safeguards, including standard contractual clauses where applicable.

5. Sharing

  • Vendors: We use service providers for infrastructure, billing, and support. They only receive the minimum necessary data.
  • Legal: We may disclose data if required by law, regulation, or legal process. For E2EE content, we can only provide encrypted data and available metadata.
  • Mergers: If involved in a merger or acquisition, we will notify you and continue to protect your data.

6. Retention

We retain account data for as long as your account is active and as needed to provide the Service. You can delete files and most related metadata via the dashboard or API. Backups are purged on a rolling schedule.

7. Your rights

Subject to local law (e.g., GDPR/CCPA), you may request access, correction, deletion, or portability of your personal data, and object to or restrict certain processing. Contact privacy@zettler.host.

8. Security

We implement technical and organizational measures including encryption in transit and at rest, E2EE for files when enabled, access controls, and regular testing. No system is perfectly secure; you should use strong authentication and manage keys carefully.

9. Children

The Service is not directed to children under 16. If you believe a child has provided personal data, contact us and we will take appropriate action.

10. International users

By using the Service, you acknowledge that your personal data may be processed in jurisdictions that may have different data protection laws than your country, subject to the safeguards described above.

11. Changes

We may update this Policy. If changes are material, we will provide reasonable notice (e.g., in‑app or email). Your continued use of the Service after the effective date constitutes acceptance.

12. Contact

Questions about privacy? Contact us at privacy@zettler.host.