Privacy Policy for EnvSync
Last Updated: October 21, 2025
Thank you for using EnvSync ("we," "us," or "our"). This Privacy Policy explains how we collect, use, protect, and share your information when you use our environment variable management platform at https://envsync.app (the "Platform") and related services.
By using our Platform, you agree to the collection and use of information in accordance with this Privacy Policy.
1. Our Privacy Commitment
EnvSync is built with privacy and security as core principles. We implement a zero-knowledge architecture, meaning we never have access to your unencrypted environment variables or sensitive data.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Name and email address (for account identification and communication)
- Profile picture (optional, from OAuth providers like Google)
- Authentication information (processed by NextAuth.js)
2.2 Billing Information
For paid plans, we collect:
- Stripe customer ID and subscription details
- Plan information (Solo Developer or Team)
- Payment status and billing history
Note: We do not store your payment card details. All payment processing is handled securely by Stripe.
2.3 Usage Data
We collect minimal usage data to improve our services:
- Account activity (login times, feature usage)
- Service performance metrics
- Error logs (without sensitive data)
- Device information for synchronization
2.4 Encrypted Environment Variables
We store your environment variables in encrypted form only:
- All environment variables are encrypted client-side using AES-256-GCM
- We never see your unencrypted environment variables
- Encryption keys are generated and managed by users
- Only encrypted data is transmitted and stored on our servers
2.5 Team Collaboration Data
For team features, we collect:
- Team membership information
- Role assignments (owner, admin, member, viewer)
- Invitation data (email addresses, roles, expiration times)
- Team project access logs
2.6 Technical Data
We automatically collect certain technical information:
- IP addresses (for security and rate limiting)
- Browser type and version
- Device information for sync purposes
- Session data (stored in secure HTTP-only cookies)
3. How We Use Your Information
3.1 Service Provision
- Provide and maintain our environment variable management platform
- Enable cross-device synchronization
- Facilitate team collaboration features
- Process payments and manage subscriptions
3.2 Security and Authentication
- Verify user identity and prevent unauthorized access
- Monitor for suspicious activity and potential security threats
- Implement rate limiting and abuse prevention
3.3 Communication
- Send important service updates and notifications
- Provide customer support
- Send billing-related communications
- Respond to your inquiries and support requests
3.4 Service Improvement
- Analyze usage patterns to improve our platform
- Debug technical issues
- Develop new features and functionality
- Ensure optimal performance and reliability
4. Data Security and Encryption
4.1 Zero-Knowledge Architecture
- All environment variables are encrypted on your device before transmission
- We use industry-standard AES-256-GCM encryption
- Your encryption keys are never transmitted to our servers
- We cannot decrypt or access your environment variables
4.2 Team Encryption
- Team projects use hybrid encryption with key wrapping
- Each team member's access is secured with their personal encryption key
- Removing a team member immediately revokes access through key management
4.3 Data Transmission and Storage
- All data transmission uses HTTPS/TLS encryption
- Encrypted data is stored in secure, encrypted databases
- Regular security audits and penetration testing
- Access controls and monitoring systems
5. Information Sharing and Disclosure
5.1 We Do Not Share Your Environment Variables
We never share, sell, or disclose your environment variables or sensitive data to third parties, even in encrypted form.
5.2 Limited Third-Party Sharing
We may share limited information only with:
- Payment processors (Stripe) for billing purposes
- Email service providers (Resend) for transactional emails
- Analytics providers (anonymized usage data only)
- Legal authorities (only when required by law)
5.3 Team Collaboration
- Team members can only access projects they are explicitly granted access to
- Team owners control all member permissions and access
- All team access is logged and auditable
6. Data Retention
6.1 Account Data
- We retain your account information as long as your account is active
- Billing information is retained as required by law and for accounting purposes
6.2 Environment Variables
- Encrypted environment variables are retained as long as your account is active
- Upon account deletion, all data is permanently deleted within 30 days
- Team data is retained as long as the team remains active
6.3 Audit Logs
- Activity logs are retained for security and compliance purposes
- Version history is retained according to your plan limits (7-30 days for free/solo, unlimited for team)
7. Your Rights and Choices
7.1 Data Access and Portability
- You can export your environment variables at any time
- You can view and update your account information
- You can access your usage and billing history
7.2 Data Deletion
- You can delete individual environment variables or entire projects
- You can delete your account and all associated data
- Team owners can delete team data and remove members
7.3 Communication Preferences
- You can opt out of marketing communications
- You can control notification settings
- You cannot opt out of essential service communications
8. Cookies and Tracking
8.1 Essential Cookies
We use essential cookies for:
- User authentication and session management
- Security features and fraud prevention
- Basic functionality of our platform
8.2 Analytics Cookies
We may use analytics cookies to:
- Understand how our platform is used
- Improve performance and user experience
- Identify and fix technical issues
8.3 Cookie Management
- You can control cookie settings in your browser
- Disabling essential cookies may affect platform functionality
- We do not use tracking cookies for advertising purposes
9. International Data Transfers
Your data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for international transfers, including:
- Standard contractual clauses
- Adequacy decisions where applicable
- Appropriate technical and organizational measures
10. Children's Privacy
EnvSync is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately.
11. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights:
- Right to know what personal information we collect and how we use it
- Right to delete your personal information
- Right to opt out of the sale of personal information (we do not sell personal information)
- Right to non-discrimination for exercising your privacy rights
12. European Privacy Rights (GDPR)
If you are in the European Economic Area, you have additional rights:
- Right of access to your personal data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object to processing
- Right to withdraw consent
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by:
- Posting the updated policy on our Platform
- Sending an email notification to your registered email address
- Displaying a notice on our Platform
14. Data Breach Notification
In the unlikely event of a data breach that may affect your personal information, we will:
- Notify affected users within 72 hours of discovery
- Provide details about what information was affected
- Explain steps we are taking to address the breach
- Offer guidance on protective measures you can take
15. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
Email: neca.danii@gmail.com
Website: https://envsync.app
For privacy-related requests or concerns, please include "Privacy" in your subject line.
16. Compliance and Certifications
We are committed to maintaining high standards of data protection and are working towards:
- SOC 2 Type II compliance
- GDPR compliance
- Regular third-party security audits
- Industry best practices for data security
By using EnvSync, you acknowledge that you have read and understood this Privacy Policy and agree to our data practices as described herein.