1. Introduction

Ellipticc ("we," "us," "our," or "Company") is an end-to-end encrypted (E2EE), post-quantum cryptography (PQC), zero-knowledge cloud storage service. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services.

Key Privacy Principle: We are designed to have zero knowledge of your file contents, filenames, or encryption keys. All encryption and decryption occur exclusively on your device, and we cannot access or decrypt any of your data, even if legally required.

Please read this Privacy Policy carefully. By accessing and using the Service, you acknowledge that you have read and understand this Privacy Policy.

2. Information We Collect

2.1 Information You Provide Directly

When you create an account, we collect your name and email address. During registration, your password is never sent to or stored by our servers — not even as a hash. Instead, a cryptographic record derived from your password (created using the OPAQUE protocol) is securely stored to allow future authentication without revealing or retaining the actual password. For paid accounts, strictly necessary billing information is collected and processed securely by our third-party payment processor, Stripe. Ellipticc does not store your full credit card number or payment details on our servers.

2.2 User-Generated Content (Zero Knowledge)

You can upload files, documents, folders, and other content to the Service. However, Ellipticc has zero access to your content. Here's why:

All encryption occurs on your device before any data is transmitted to our servers.
Your filenames are encrypted on your device; we never see them in plain text.
Your encryption keys never leave your device — we cannot decrypt your files.
All decryption occurs on your device when you access your files.

2.3 Limited Metadata (Non-Identifying)

We automatically collect only the following non-identifying metadata for technical and operational purposes:

File type: Used to display files correctly in your interface.
File size: Used for storage management and billing calculations.
Timestamps: Used for syncing, version control, and file organization.
Encrypted filename (ciphertext only): Stored to allow you to organize and search your files on your device.

We cannot see the actual filenames or file contents. Even if we wanted to, the encrypted metadata provides no meaningful information about what your files contain.

2.4 Usage Analytics (Anonymized)

We collect anonymized usage data about your interactions with the Service (e.g., how often you access your files, total files uploaded, storage used). This helps us improve performance and reliability. Device information such as device type, operating system, and browser type is collected separately from any identifying information.

2.5 Cookies and Tracking Technologies

We use session cookies for authentication and security purposes only. These cookies do not contain personal information and expire after your session ends. You can disable cookies in your browser settings if you prefer, though this may affect Service functionality.

3. How We Use Your Information

3.1 Service Delivery

We use your information to create and maintain your account, authenticate your access, store and retrieve your encrypted data, enable collaboration features (via encrypted sharing), process transactions, and respond to support requests. We never view the contents of your encrypted files.

3.2 Communication

We may send transactional emails (password resets, confirmations, billing notifications) and respond to your support inquiries. With your consent, we may send promotional content and updates about new features.

3.3 Service Improvement and Analytics

We analyze anonymized usage patterns to improve Service performance, develop new features, troubleshoot technical issues, and understand general usage trends. This analysis never involves accessing your encrypted data or decrypting your files.

3.4 Security and Fraud Prevention

We use your information to detect and prevent fraud, abuse, and unauthorized access to your account, and to enforce our Terms of Service. Security monitoring operates at the system level and does not involve accessing your encrypted content.

4. Data Sharing and Disclosure

4.1 We Do Not Sell Your Data

We do not sell, trade, or rent your personal information or any metadata to third parties. This is a core principle of our zero-knowledge architecture.

4.2 Service Providers

We share limited information with trusted third parties who perform services on our behalf, including payment processors, email providers, analytics services, and hosting providers. These service providers are contractually obligated to maintain the confidentiality of your information and cannot access your encrypted files.

4.3 Legal Requirements and Limitations

While we comply with applicable laws and legal obligations, we are fundamentally limited in what we can provide. We cannot decrypt your files or provide unencrypted data, even if required by law, because we do not have access to your encryption keys. We may disclose encrypted data and account metadata when legally required by court orders or subpoenas, but the encrypted nature of your content provides inherent protection against unauthorized access.

5. Data Security & Post-Quantum Cryptography

5.1 End-to-End Encryption (E2EE)

All your files are encrypted on your device using encryption keys that never leave your device. We store only the encrypted data, making it impossible for us or any unauthorized third party to access your files.

5.2 Post-Quantum Cryptography (PQC)

Ellipticc uses post-quantum cryptographic algorithms aligned with NIST standards, including:

CRYSTALS-Kyber(ML-KEM768): For quantum-resistant key encapsulation and hybrid encryption.
CRYSTALS-Dilithium(ML-DSA65): For quantum-resistant digital signatures and data authentication.
X25519/Ed25519: For modern elliptic-curve cryptography complementing PQC protection.

These algorithms protect your data against both current and future quantum computing threats, ensuring your data remains secure for decades to come.

5.3 Transport Security

We use TLS/SSL encryption for all data in transit between your device and our servers. This protects your data from interception during transmission.

5.4 Key Management

Your encryption keys are derived from your password using secure key derivation functions and are never shared with us, stored on our servers, or transmitted unencrypted. You are responsible for protecting your password.

6. Zero-Knowledge Commitment

Ellipticc operates as a zero-knowledge service, meaning:

We cannot view your files: All content is encrypted on your device before transmission.
We cannot see your filenames: Filenames are encrypted using your device-side encryption keys.
We cannot access your encryption keys: Keys exist only on your device.
We cannot recover your data: If you lose your password or keys, we cannot help you recover your files, as we have no way to decrypt them.
We cannot comply with decryption requests: Even if legally required to provide data, we cannot decrypt it.

This design is intentional and is our core strength. Your privacy and security are maximized because we are technically incapable of accessing your data, regardless of external pressures or compromises.

7. Your Rights and Choices

7.1 Access and Portability

You have the right to access the personal information we hold about you (name, email, billing details) and request a copy of your account metadata in a portable format. You can export your encrypted files at any time through the Service.

7.2 Correction and Deletion

You have the right to correct inaccurate account information and request deletion of your account and associated encrypted data through your account settings or by contacting us. Upon deletion, encrypted data is securely removed from our servers. Please note that in accordance with our Terms of Service, we reserve the right to delete data associated with accounts that remain in a non-payment, over-quota state for an extended period.

7.3 Marketing Communications

You can opt out of promotional emails by clicking the unsubscribe link in any marketing email or adjusting your preferences in your account settings.

7.4 Cookies and Tracking

You can disable cookies in your browser settings. Note that disabling cookies may affect your ability to use certain Service features.

8. Children's Privacy

The Service is not intended for children under 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected information from a child under 13, we will promptly delete such information.

If you are between 13 and 18 years old, you must have parental or guardian consent to use the Service.

9. International Data Transfers

Your encrypted files and account metadata may be transferred, stored, and processed in countries other than your country of residence. By using the Service, you consent to the transfer of your information for the purposes described in this Privacy Policy. Because your data is encrypted, international transfers provide no additional risk to your privacy.

10. Updates to This Privacy Policy

We may update this Privacy Policy at any time. The updated version will be effective upon posting. For material changes that reduce your privacy protections, we will notify you via email. Your continued use following notification constitutes your acceptance of the updated Privacy Policy.

11. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact:

Email: [email protected]

Support Email: [email protected]

Website: ellipticc.com

Thank you for your trust. Your privacy and security are fundamental to our design—not just a policy. We are committed to being the most privacy-respecting cloud storage service available.