Privacy Policy

Privacy at a Glance

General Notes

The following information provides a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to identify you personally. Detailed information on data protection can be found in our privacy policy listed below.

Data Collection on This Website

Who is responsible for data collection on this website?

Data processing on this website is carried out by the website operator. You can find the operator's contact details in the section "Information on the Data Controller" in this privacy policy.

How do we collect your data?

Your data is collected partly because you provide it to us. This may, for example, include data that you enter into a contact form.

Other data is collected automatically or with your consent when you visit the website by our IT systems. This is mainly technical data (e.g. internet browser, operating system or time of page request). The collection of this data takes place automatically as soon as you enter this website.

What do we use your data for?

Some of the data is collected in order to ensure error-free provision of the website and to protect it against abuse.

What rights do you have regarding your data?

You have the right to obtain information free of charge at any time about the origin, recipient and purpose of your stored personal data. You also have the right to request the correction or deletion of this data. If you have given consent to data processing, you can revoke this consent at any time for the future. You also have the right to request the restriction of the processing of your personal data under certain circumstances. Furthermore, you have the right to lodge a complaint with the competent supervisory authority.

Data Controller

The data controller responsible for the processing of personal data on this website is:

Erseni Ltd
Archiepiskopou Makariou III, 59
MOUYIAS TOWER, 3rd floor, Flat/Office 301
6017 Larnaca
Cyprus
Email: hello@erseni.com

The data controller is the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data.

Hosting

We operate our website on our own servers, hosted by the following infrastructure provider:

Hetzner Online GmbH

Infrastructure provider: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen

We have full control over the servers and the data stored on them. The infrastructure provider only supplies the hardware and the network connection.

When you visit our website, information is automatically saved on our servers in server log files, which your browser transmits to us.

Details on the infrastructure provider's privacy policy: https://www.hetzner.com/legal/privacy-policy/

A data processing agreement pursuant to Art. 28 GDPR exists with the infrastructure provider.

The use of the server infrastructure is based on Art. 6 (1) (f) GDPR. We have a legitimate interest in a reliable and secure provision of our website.

Server Log Files

Our web server automatically saves information in so-called server log files, which your browser automatically transmits to us. These are:

  • Browser type and version
  • Operating system used
  • Referrer URL
  • Hostname of the accessing computer
  • Time of the server request
  • IP address (stored for a maximum of 14 days for abuse prevention on the basis of Art. 6 (1) (f) GDPR)

This data is not merged with other data sources.

Server log files are stored for a maximum of 14 days and then automatically deleted, unless a specific security incident requires longer retention.

The collection of this data is based on Art. 6 (1) (f) GDPR. We have a legitimate interest in the technically error-free presentation and optimisation of our website – for this purpose, the server log files must be collected.

SSL/TLS Encryption

This website uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or enquiries you send to us as the site operator. You can recognise an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line.

If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

Cookies

Our website exclusively uses technically necessary cookies (in particular a session cookie and a CSRF protection cookie). These cookies are required for the operation of the website and enable basic functions.

Session Cookie

The session cookie is automatically deleted when you close your browser. It is used exclusively to maintain your session and does not contain any personal data.

The storage of this cookie is based on Art. 6 (1) (f) GDPR and § 25 (2) (2) TDDDG. We have a legitimate interest in the technically error-free provision of our website.

You can set your browser to inform you about the setting of cookies or to generally reject cookies. If cookies are disabled, the functionality of this website may be limited.

Processing in the Zero-Knowledge Secret Exchange

When you share or request a secret via this service, our server only processes encrypted data. The key required for decryption is transmitted exclusively in the URL fragment (the part after the #) and never sent to our server. For this reason, we are technically unable to read the contents of your secret (zero-knowledge architecture).

No tracking

No analytics, no advertising cookies, no tracking pixels. Server logs are used only for security and operation.

Categories of Data Processed

We process the following data:

  • The encrypted content (ciphertext) of your secret. Without the key contained in the URL fragment, we cannot decrypt the content.
  • A randomly generated token (22 characters) that identifies the secret.
  • For secret requests: the public key of the recipient (X25519). The corresponding private key remains in the recipient's browser.
  • Timestamps: creation, expiry and, where applicable, fulfilment and retrieval.
  • A hashed form (HMAC-SHA256) of your IP address kept in cache to limit abuse (retention 60 seconds, automatic deletion afterwards).

Retention Period

Encrypted content is irreversibly and atomically deleted from our database when it is retrieved for the first time (hard delete). If a secret is not retrieved, we delete it at the latest after the validity period you have chosen (by default, a maximum of 7 days). Status metadata (no ciphertext, only the timestamps of creation, expiry and, where applicable, retrieval) is retained for up to 24 hours after expiry so that the status of a secret remains verifiable; after that, this metadata is also deleted.

Legal Basis

The legal basis for the processing is Art. 6 (1) (f) GDPR. Our legitimate interest lies in providing the secret exchange in a privacy-preserving zero-knowledge form.

Your Rights in this Context

Because we deliberately do not maintain any user account and the stored ciphertext has no personal reference, rights to information, rectification and erasure cannot be exercised in practice – we cannot attribute secrets to an individual user. You can irreversibly delete your own secret at any time by retrieving it yourself via the recipient link (hard delete on first read).

Your Rights

Right of Access

You have the right to obtain information free of charge at any time about the personal data stored about you, its origin and recipients, and the purpose of the data processing (Art. 15 GDPR).

Right to Rectification

You have the right to request the correction of inaccurate personal data (Art. 16 GDPR).

Right to Restriction of Processing

You have the right under certain circumstances to request the restriction of the processing of your personal data (Art. 18 GDPR).

Right to Erasure

You have the right to request the deletion of your personal data, unless statutory retention obligations conflict with this (Art. 17 GDPR).

Right to Data Portability

You have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format (Art. 20 GDPR).

Right to Object

You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you which is based on Art. 6 (1) (e) or (f) GDPR. You may also object at any time, without giving reasons, to the processing of your data for direct marketing purposes (Art. 21 GDPR).

Right to Lodge a Complaint with the Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority regarding the processing of your personal data (Art. 77 GDPR).

In our case (registered office in the Republic of Cyprus), the competent supervisory authority is:
Office of the Commissioner for Personal Data Protection
Iasonos 1, 1082 Nicosia, Cyprus
www.dataprotection.gov.cy

Automated Decision-Making

Automated decision-making, including profiling within the meaning of Art. 22 GDPR, does not take place on this website.