build 3.0.0 · aes-256-gcm / post-quantum · eu/de · ram only

Privacy Policy

Last updated: June 17, 2026

Core principle

PARAMANT collects only what is strictly required to operate your account and run the service.

An email address is required to create an account and recover access; it is personal data, and it is stored. No phone number. We do not log IP addresses for analytics or profiling; an IP is processed only transiently, for security and abuse-prevention (rate limiting, the session record, an audit log, and the DPA signature record). Only a strictly-necessary session cookie (no tracking cookies). No tracking pixels. No analytics. No advertisements. We never sell your data.

How Ghost Pipe & ParaShare work

All files are encrypted client-side in your browser using post-quantum cryptography (ML-KEM-768 + ECDH P-256 + AES-256-GCM + HKDF-SHA256) before they ever reach our servers. The relay never sees plaintext at any point.

Files are split into 5 MB encrypted chunks. Each chunk exists only in RAM on our relay server and is permanently and irreversibly destroyed after the first download (burn-on-read). Encrypted payload data is never written to disk. From a transfer, the only thing persisted to disk is cryptographic hashes in the public Certificate Transparency log: no file content, no keys, no plaintext. (Account data, listed below, is stored separately to run your account.)

Free tier blobs expire after 1 hour maximum. Pro blobs after 24 hours. Enterprise blobs after 7 days. All are destroyed earlier if downloaded.

What we process

DataPurposeStorageShared
Encrypted blob (5 MB padded chunks)One-time secure transferRAM only · burn-on-readNever
SHA-256 hash of blobRouting & delivery confirmationRAM only · deleted on burnNever
API key (Pro/Enterprise)Authentication & rate limitingLoaded from config at startupNever
Device ID (SDK users)Key routing between sender and receiverRAM only · cleared on restartNever
Device ID hash (CT log)Public tamper-evident audit logDisk · /data/ct-log.json · SHA-256 one-way hash onlyNever
Aggregated relay statisticsSystem health monitoringIn-process counters onlyNever
Email addressAccount identity, login, recovery, signing-invite deliveryStored (server) · also kept as a hash for rate-limitingEmail provider (Resend) for messages we send you
Sign-in factors: passkey public keys, TOTP secret (encrypted), recovery codes (hashed)Account authenticationStored (server)Never
ParaSign signing public key + fingerprintVerifiable signing identityStored (server) · public half only; the private key never leaves your browserPublic (its hash is in the CT log)
Plan + anonymised billing referencePro/Enterprise billingStored (server)Payment processor (Mollie, EU) once billing is enabled
Client IP + user-agentSecurity, rate limiting, audit logTransient (session/rate-limit TTL; audit log volume-capped)Never

What we never do

No third-party requests

Every byte your browser loads on paramant.app comes from paramant.app. No web fonts from Google, no JavaScript or CSS from a CDN, no analytics, no tracking pixels, no embedded third-party widgets. Open your browser’s network inspector on any page: every request goes to one origin, and nowhere else.

This is deliberate. A single request to a third party leaks your IP address and the page you are viewing to that party before you have agreed to anything. So we self-host everything: fonts (a plain system font stack, zero font files downloaded), scripts, styles, and images all come from paramant.app.

What runs the service is operational, never tracking: our own edge (Caddy) terminates TLS directly on our server (see below); transactional email is sent server-side via our email provider; and a payment processor will handle billing on its own pages once that is enabled. None of these is loaded into the site, and none follows you across it.

Local storage in your browser

For technical functionality, the following data is stored locally in your browser only. It never leaves your device:

You can delete all local data at any time: browser settings → paramant.app → Clear site data.

Servers & jurisdiction

All relay servers run on Hetzner infrastructure in Frankfurt, Germany (EU/DE). There is no infrastructure in the United States or outside the EU. No CLOUD Act exposure. All data is subject to EU/GDPR jurisdiction only.

Network edge

TLS is terminated by our own edge (Caddy), running on the same Hetzner infrastructure in Germany, with post-quantum key exchange. There is no third-party reverse proxy or CDN in front of the site: your connection reaches our server and nowhere else. Short-lived connection metadata (IP, timestamp) is processed transiently for security and abuse-prevention as described above, never for analytics.

Subprocessors

A few operational providers are needed to run the service. None is loaded into the site, and none is used for tracking:

GDPR / AVG

We process the minimum personal data needed to run your account, on a lawful basis (performing the service you request, and our legitimate interest in keeping it secure). You can request access to, or deletion of, your account data by emailing us. For Pro and Enterprise customers we provide a Data Processing Agreement (DPA).

Temporary relay data is never retained longer than the applicable TTL (1 hour for Free, 24 hours for Pro, 7 days for Enterprise). In practice it is destroyed much earlier on download.

Children

PARAMANT is not directed at children under 13. We do not knowingly collect data from minors.

Changes to this policy

We may update this policy. Material changes will be noted via the "Last updated" date above. Continued use of the service after a change constitutes acceptance.

Contact

Questions about this Privacy Policy? Email info@paramant.app.