Privacy Policy
Effective 9 May 2026.
Cyaxios (“we”) operates tn-proto.org and the TN Cloud Vault (the “Service”). This policy describes what we collect, how we use it, and the rights you have over your data. We collect as little as we can.
1. What We Collect
| Category | Examples | Source |
|---|---|---|
| Account info | Name, email, optional company | You, at sign-up |
| Authentication | OAuth subject identifier (Google), passphrase or passkey credential metadata | You, at sign-up; your identity provider on sign-in |
| Encrypted material | Encrypted keystore bundles, attested log envelopes, signing metadata | Your SDK at runtime. Always ciphertext on the wire. |
| Operational metadata | Account creation timestamp, last-active timestamp, tier, share-link audit log, email-send log (recipient hashed) | The Service itself |
| Technical / usage | IP address, user agent, page URL, basic event analytics | Your browser and our analytics provider (PostHog) |
We do not sell personal information. We do not run advertising. We do not embed third-party tracking pixels.
2. What We Cannot See
By design, the Service does not have access to:
- Your master keys in plaintext.
- Your log entries or plaintext fields. The vault stores attested ciphertext only.
- Your passphrase. Authentication-time secrets stay on your device.
The full architectural commitment is in our Terms of Service, Section 3.
3. How We Use What We Collect
- Operating the Service. Authenticating you, routing your encrypted backups, syncing attestations, dispatching transactional email (sign-in invites, retention warnings).
- Security and abuse prevention. Rate-limiting, detecting and blocking misuse, retaining logs sufficient to investigate incidents.
- Improving the product. Aggregate, non-identifying analytics that tell us which pages and features are used. We use PostHog with first-party storage; no third-party advertising cookies are set by us.
- Legal compliance. Responding to lawful requests, enforcing our Terms, and protecting our rights and the rights of others.
4. Third-Party Processors
We use the following processors to deliver the Service. Each handles only the data necessary to perform their function:
- Cloudflare (provides edge serving, DNS resolution, and email routing). Receives request metadata and the encrypted material in transit.
- Google (provides optional OAuth sign-in). Receives the standard OAuth handshake data.
- MongoDB Atlas (provides secure database hosting). Holds account records and encrypted blobs.
- PostHog (provides product analytics tools). Receives pageview and click events.
- Stripe (provides secure payment processing). Receives the data necessary to charge a subscription. We do not store card details ourselves.
5. Cookies and Local Storage
We use first-party cookies and browser storage to keep you signed in, to remember your preferences, and to attribute analytics events to a stable anonymous identifier. We do not set third-party advertising cookies. You may disable cookies in your browser; some parts of the Service will not function correctly without them.
6. Data Retention
Retention follows the inactivity policy in our Terms of Service, Section 6:
- Free tier: 6 months of inactivity triggers a 14-day warning, then soft delete, then hard delete after a 30-day grace.
- Paid tiers: 2 years on the same cadence.
- Unclaimed initial uploads: 24-hour TTL.
- Logs and analytics: retained for up to 13 months, then deleted or aggregated.
You can delete your account at any time by signing in and using the “Delete account” control, or by submitting a request through the form below.
7. Your Rights
7.1. GDPR (European Economic Area, UK)
If you are in the EEA or UK, the General Data Protection Regulation (and the UK GDPR) gives you the following rights with respect to your personal data:
- Right of access. A copy of the personal data we hold about you.
- Right to rectification. Correction of inaccurate or incomplete data.
- Right to erasure (“right to be forgotten”). Deletion of your data, subject to limited exceptions for compliance and legitimate interest.
- Right to restrict processing. Pause processing while a dispute is resolved.
- Right to data portability. A machine-readable copy of the data you provided.
- Right to object to processing based on legitimate interest.
- Right to lodge a complaint with your supervisory authority. We’d appreciate the chance to address concerns first.
The legal bases on which we process personal data are: contract performance (operating the Service for you), legitimate interest (security, abuse prevention, product improvement), consent (where you explicitly opt in), and legal obligation (where applicable).
7.2. CCPA / CPRA (California)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, disclose, and the categories of recipients.
- Delete personal information we have collected from you, subject to permitted exceptions.
- Correct inaccurate personal information.
- Limit the use of sensitive personal information (we do not collect sensitive personal information beyond what is described above).
- Opt out of “sale” or “sharing” of personal information. We do not sell or share personal information for cross-context behavioral advertising. There is nothing to opt out of, but the right exists if our practices ever change.
- Non-discrimination. We will not discriminate against you for exercising any of these rights.
7.3. How to Exercise Your Rights
Submit a request through our data-rights form. We aim to respond within 30 days. We may need to verify your identity by asking you to authenticate from a registered email or device. We do not charge fees for routine requests.
8. International Transfers
The Service operates from infrastructure located in the United States. By using the Service from outside the United States, you consent to the transfer of your data to and storage in the United States and to processing by our processors (Section 4) wherever they operate. For EEA / UK transfers we rely on Standard Contractual Clauses where applicable.
9. Security
We use encryption in transit and at rest, role-based access controls, audit logs, and the architectural protections described in our Terms. No system is perfect. If we become aware of a breach affecting your data, we will notify you in accordance with applicable law.
10. Children
The Service is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us and we will delete it.
11. Changes
We may update this policy. The Effective Date at the top of this page reflects the most recent change. Material changes will be notified by a banner in the Service or by email to your registered address.
12. Contact
Privacy questions: [email protected]. Data-rights requests: /legal/data-request.