1. Who We Are
SecLink is operated by DataFort (datafort.cloud), based in India. DataFort is the Data Fiduciary under the Digital Personal Data Protection Act, 2023 (DPDP Act) for all data processed through SecLink. For any privacy-related queries, contact us at privacy@datafort.cloud.
2. What Data We Collect and Why
We collect the absolute minimum required to operate the Service securely:
- Encrypted secret blob: The AES-256-GCM encrypted content of your secret. We store this to deliver it to the recipient. We cannot decrypt it — we do not hold the key. This is deleted automatically on expiry.
- Initialization Vector (IV): A random value required for AES-256-GCM decryption by the recipient's browser. Stored alongside the encrypted blob and deleted with it.
- Expiry metadata: The expiry type you selected (Single View, 1 Hour, 24 Hours, 7 Days). Required to schedule automatic deletion.
- Hashed IP address: When a secret is created or accessed, we apply a one-way cryptographic hash to your IP address. The original IP cannot be recovered. This is used solely for abuse prevention and rate limiting — not for identifying you.
- Timestamp and device type: Stored in access logs for abuse investigation. Purged after 90 days.
- Passcode hash: If you set a passcode, we store an irreversible hash of it to verify the recipient's entry. The passcode itself is never stored.
3. What We Never Collect
- The plaintext content of your secret — it never leaves your device unencrypted.
- The decryption key — it exists only in the link fragment (
#key) and is never transmitted to our servers. - Your name, email address, or any account information.
- Cookies — we use
localStorageonly for your theme preference and one-time Terms acceptance. No tracking cookies are set. - Payment or billing information — SecLink is currently free and collects no financial data.
4. Legal Basis for Processing
Under the DPDP Act, 2023 and the Information Technology (SPDI) Rules, 2011, we process data on the following basis:
- Contract performance: Processing your encrypted blob and metadata is necessary to deliver the Service you requested.
- Legitimate interest: Processing hashed IP addresses for abuse prevention and rate limiting is necessary to protect the integrity of the Service and other users.
5. Where Your Data Is Stored
All data processed by SecLink is stored on servers located in India. We do not transfer personal data outside India except where required by law or with your explicit consent.
6. Third-Party Processors
We do not sell your data. We use the following infrastructure provider to operate SecLink:
- Upstash (Redis): Used to store encrypted blobs and access logs. Upstash processes data under their own privacy policy. We have selected India-region storage where available.
No analytics services, advertising platforms, or tracking SDKs are used on SecLink.
7. Data Retention
- Encrypted secrets: Automatically and permanently deleted based on the expiry you chose at creation. Cannot be recovered after deletion.
- Access logs (hashed IP, timestamp, device type): Automatically purged after 90 days.
- localStorage entries (theme, terms acceptance): Stored only in your browser. You can clear them at any time via your browser settings.
8. Your Rights Under DPDP Act, 2023
As a Data Principal under the DPDP Act, you have the following rights:
- Right to information: You may request details about what data we hold related to you.
- Right to correction: You may request correction of inaccurate data.
- Right to erasure: You may request deletion of your data. For encrypted secrets, the fastest way is to open the link yourself (which permanently destroys it) or contact us with the Link ID.
- Right to grievance redressal: You may raise a complaint with our Grievance Officer (see Section 10).
Because SecLink is zero-knowledge and requires no account, we cannot identify which data belongs to you without the specific Link ID. Please include it in any request.
9. Children's Privacy
SecLink is not intended for users under the age of 18. We do not knowingly collect data from anyone under 18. If you believe a minor has used this Service, contact us at privacy@datafort.cloud and we will take appropriate action.
10. Grievance Officer
In accordance with the DPDP Act, 2023 and IT Rules, 2021, DataFort has appointed a Grievance Officer:
- Name: Nilesh Pathare
- Email: grievance@datafort.cloud
- Response time: Acknowledged within 24 hours, resolved within 15 days.
11. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page will always reflect the most recent version. Continued use of SecLink after changes are posted constitutes acceptance of the revised policy.
12. Contact
Privacy queries: privacy@datafort.cloud
Abuse reports: abuse@datafort.cloud
General: hello@datafort.cloud