1. Data controller
Redder Labs is the controller for the processing of data in the Noctcom service. For any privacy matter or to exercise your rights: [email protected].
2. The zero-knowledge principle
Your files are encrypted on your device with keys derived from your password, which never leaves it. What reaches our servers is ciphertext that we cannot decrypt: neither the content, nor the file names, nor the metadata. It is not a promise of "not looking": it is a technical impossibility, verifiable in the open source code (AGPL-3.0).
3. What data we process
We process the bare minimum necessary for the service to function:
- Hash of the email address (BLAKE2b). We do not store your email in plaintext. When we need to send you an email (verification, access code, recovery), your client sends us the email solely for that delivery and it is transmitted to our email provider; it is not stored in our database.
- Username that you choose (it may be a pseudonym).
- Encrypted content: file blobs, names and metadata, all end-to-end encrypted. To us they are opaque bytes.
- Technical security data: session and access-attempt logs with the hashed IP address (not in plaintext), to prevent abuse and brute force.
- Device information (e.g. the browser), stored encrypted so that you recognise your sessions.
- Error reports: in the event of an application failure, the technical error is logged (stack trace, browser) so that it can be fixed; this may include the IP address of the request. It does not include your content.
We do not create advertising profiles, we do not sell data, and we do not use tracking cookies (see the Cookie Policy).
4. Purposes and legal bases
- Providing the service (account, storage, synchronisation): performance of the contract (Art. 6(1)(b) GDPR).
- Security and abuse prevention (IP hashes, rate limits, logs): legitimate interest (Art. 6(1)(f)).
- Error correction (technical reports): legitimate interest (Art. 6(1)(f)), minimising data.
- Service communications (verification, codes, notices): performance of the contract.
5. Processors and international transfers
To operate, we use providers that act as data processors. They handle only encrypted data or the minimum necessary:
- Render — application hosting.
- Neon — database (encrypted metadata and hashes).
- Backblaze B2 — storage of the encrypted blobs.
- Resend — email delivery (receives your email only to deliver the message).
- Google / Firebase — push notifications (if you enable them).
- GlitchTip — application error logging.
- Cloudflare — distribution network and protection against attacks.
Some providers may process data outside the European Economic Area (e.g. the USA). In such cases, the transfers are covered by the safeguards provided for under the GDPR (standard contractual clauses or applicable adequacy frameworks). Given the zero-knowledge design, what these providers store is, for the most part, encrypted and unreadable to them.
6. How long we keep the data
- Account and encrypted content: for as long as your account exists. When you delete it, they are removed.
- Access-attempt logs: automatically purged after 30 days.
- Sessions: until they expire or are revoked.
- Backups: retained for a limited window and rotated; the content remains encrypted.
7. Your rights (GDPR)
You may exercise the following rights at any time:
- Access and rectification.
- Erasure: you can delete your account and data from the settings.
- Portability: export your entire vault whenever you wish.
- Objection and restriction of processing.
To exercise them, write to us at [email protected]. You also have the right to lodge a complaint with the competent supervisory authority (in Spain, the Spanish Data Protection Agency).
Note: due to zero-knowledge encryption, we cannot access the content of your account to handle a request about specific files; you retain that access with your keys.
8. Minors
Noctcom is not directed at children under 14 years of age. If you believe that a minor has provided us with data without the appropriate consent, contact us and we will resolve it.
9. Changes to this policy
We may update this policy. Substantial changes will be communicated through the available channels. The "last revised" date above indicates the version in force.