Privacy Policy
Last updated: 11 May 2026
The 30-second version
envstore is a zero-knowledge service. Your .env files are encrypted on your machine before they ever reach us. We store ciphertext, public keys, and the metadata required to bill you and operate the service. We never see plaintext secrets, never hold your private keys, and could not decrypt your data even if compelled.
Who's responsible
The data controller (in GDPR terms) is Michael Ketzer, a sole operator based in Germany trading as envstore (full operator address in our Imprint). Reach us at privacy@envstore.xyz.
What we collect
Account data
- Email address: required to sign in and contact you about your account.
- Name and avatar: optional, populated by your OAuth provider (GitHub or Google) if you sign in with one.
- Provider account ID: from GitHub or Google, used to recognise you across sign-ins.
Workspace and project data
- Workspace, project, and environment names and slugs you create
- Membership and role information
- Encrypted env file ciphertext — opaque bytes that only your local private key can read
- Ciphertext metadata: size, SHA-256 checksum, version number, timestamps
Public encryption keys
Your age public recipient (e.g. age1...) is stored so other members can encrypt to you. Private keys never leave your machine.
Authentication tokens
- Browser session cookies (signed JWT) issued by our authentication system
- CLI tokens (stored hashed via SHA-256 — we cannot recover the plaintext)
Operational logs
- Audit log of mutating actions (who did what, when) for security and debugging. Rows record the actor (user or workspace service token), the action, the resource it touched, and the timestamp. We deliberately do not store IP addresses or User-Agent strings on audit-log rows — both are personal data under GDPR, and the audit log doesn't need them to answer its core question.
- For the short-lived CLI device-grant flow (the in-browser confirmation step of envstore login), we briefly store the requesting IP so you can verify "yes, this is my machine" on the approval page. That row is deleted as soon as the device-grant flow completes or expires (≤10 minutes).
Billing data
Billing is handled by our payment processor, Paddle, which acts as the merchant of record. Paddle collects the data required to process payment (name, billing address, card details, tax ID where applicable). We receive only a subscription identifier and status from Paddle — we never see your full card number or CVC. See Paddle's privacy notice for details.
What we do NOT collect
- Plaintext env file contents. Encryption happens locally. Ciphertext that reaches us is bound to your recipient(s)' public keys — we cannot decrypt it.
- Your age private key. It lives on your machine, in your OS keychain by default.
- Payment card details. Paddle handles these.
How we use your data
- To provide the service you signed up for (Art. 6(1)(b) GDPR — contract)
- To bill you for paid workspaces (Art. 6(1)(b) — contract; handled via Paddle)
- To secure the service against abuse — rate limiting, audit logging, security investigations (Art. 6(1)(f) — legitimate interest)
- To send service emails (sign-in codes, invites, billing receipts — Art. 6(1)(b))
We do not use your data for advertising, do not sell it, and do not share it with third parties beyond the processors listed below.
Subprocessors
- Neon (Postgres database hosting)
- Cloudflare R2 (encrypted ciphertext storage)
- Resend (transactional emails — sign-in codes, invites)
- Paddle (billing, merchant of record)
- Vercel (web hosting and CDN — for the dashboard)
- OAuth providers (GitHub, Google) — only if you sign in through them
Data location
Neon and Vercel infrastructure is selected at deployment time. R2 objects are stored in the bucket region the operator configured (the EU jurisdiction is supported for EU-resident customers). Email is sent through Resend, which operates globally.
Retention
- Account data: kept as long as your account is active. Deletion on request removes it within 30 days.
- Environment ciphertext: kept until you delete the project / environment. Soft-deleted resources are hard-deleted by an automated daily sweep after the workspace's configured retention window (default 30 days), including the matching object-storage entries.
- Audit logs: 12 months, then aggregated or deleted. No IP addresses or User-Agent strings are stored on these rows.
- CLI device-grant approval rows: ≤10 minutes (deleted as soon as the flow completes or expires).
- Billing records: retained as long as required by tax law (typically 10 years in the EU).
Your rights (GDPR)
You have the right to:
- Access the data we hold about you
- Correct inaccurate data
- Delete your account and associated data ("right to be forgotten")
- Export your data in a machine-readable format (portability)
- Object to processing based on legitimate interest
- Withdraw consent where processing is based on consent
- Lodge a complaint with your supervisory authority (e.g. the German BfDI or your local DPA)
Email privacy@envstore.xyz to exercise any of these rights. We aim to respond within 30 days.
Cookies
We use only essential cookies — the session cookie that keeps you signed in, and CSRF tokens for form security. We don't run analytics tracking, advertising pixels, or any third-party cookies on our own pages.
Security
- End-to-end encryption with age (X25519 + ChaCha20-Poly1305)
- Transport over HTTPS
- CLI tokens stored as SHA-256 hashes
- Bearer tokens scoped per user, revocable from the dashboard, with a default 90-day TTL
- Rate limiting on authentication endpoints
- Strict response headers including HSTS, X-Frame-Options, Referrer-Policy, and Permissions-Policy
- The source code is open and auditable: github.com/michael-ketzer/envstore.xyz
Found something concerning? See our security policy — email security@envstore.xyz.
Changes to this policy
We'll post material changes at this page and, if the change is significant, email everyone with an active account at least 14 days before it takes effect.
Contact
Privacy questions: privacy@envstore.xyz
Operator details: Imprint