Privacy Policy
Last updated: June 17, 2026
Core principle
PARAMANT collects only what is strictly required to operate your account and run the service.
An email address is required to create an account and recover access; it is personal data, and it is stored. No phone number. We do not log IP addresses for analytics or profiling; an IP is processed only transiently, for security and abuse-prevention (rate limiting, the session record, an audit log, and the DPA signature record). Only a strictly-necessary session cookie (no tracking cookies). No tracking pixels. No analytics. No advertisements. We never sell your data.
How Ghost Pipe & ParaShare work
All files are encrypted client-side in your browser using post-quantum cryptography (ML-KEM-768 + ECDH P-256 + AES-256-GCM + HKDF-SHA256) before they ever reach our servers. The relay never sees plaintext at any point.
Files are split into 5 MB encrypted chunks. Each chunk exists only in RAM on our relay server and is permanently and irreversibly destroyed after the first download (burn-on-read). Encrypted payload data is never written to disk. From a transfer, the only thing persisted to disk is cryptographic hashes in the public Certificate Transparency log: no file content, no keys, no plaintext. (Account data, listed below, is stored separately to run your account.)
Free tier blobs expire after 1 hour maximum. Pro blobs after 24 hours. Enterprise blobs after 7 days. All are destroyed earlier if downloaded.
What we process
| Data | Purpose | Storage | Shared |
|---|---|---|---|
| Encrypted blob (5 MB padded chunks) | One-time secure transfer | RAM only · burn-on-read | Never |
| SHA-256 hash of blob | Routing & delivery confirmation | RAM only · deleted on burn | Never |
| API key (Pro/Enterprise) | Authentication & rate limiting | Loaded from config at startup | Never |
| Device ID (SDK users) | Key routing between sender and receiver | RAM only · cleared on restart | Never |
| Device ID hash (CT log) | Public tamper-evident audit log | Disk · /data/ct-log.json · SHA-256 one-way hash only | Never |
| Aggregated relay statistics | System health monitoring | In-process counters only | Never |
| Email address | Account identity, login, recovery, signing-invite delivery | Stored (server) · also kept as a hash for rate-limiting | Email provider (Resend) for messages we send you |
| Sign-in factors: passkey public keys, TOTP secret (encrypted), recovery codes (hashed) | Account authentication | Stored (server) | Never |
| ParaSign signing public key + fingerprint | Verifiable signing identity | Stored (server) · public half only; the private key never leaves your browser | Public (its hash is in the CT log) |
| Plan + anonymised billing reference | Pro/Enterprise billing | Stored (server) | Payment processor (Mollie, EU) once billing is enabled |
| Client IP + user-agent | Security, rate limiting, audit log | Transient (session/rate-limit TTL; audit log volume-capped) | Never |
What we never do
- Sell your data, or use it for advertising or profiling
- Log or store IP addresses for analytics or profiling (an IP is used only transiently, for security and abuse-prevention)
- Use tracking cookies or browser fingerprinting (only a strictly-necessary session cookie is set after login)
- Run advertising or tracking scripts
- Share your data with third parties, except the operational subprocessors needed to run the service (hosting, transactional email, and payments when enabled, listed below)
- Write file data to disk at any point
- Load fonts, scripts, styles, or any other resource from a third party. Everything is self-hosted on paramant.app
No third-party requests
Every byte your browser loads on paramant.app comes from paramant.app. No web fonts from Google, no JavaScript or CSS from a CDN, no analytics, no tracking pixels, no embedded third-party widgets. Open your browser’s network inspector on any page: every request goes to one origin, and nowhere else.
This is deliberate. A single request to a third party leaks your IP address and the page you are viewing to that party before you have agreed to anything. So we self-host everything: fonts (a plain system font stack, zero font files downloaded), scripts, styles, and images all come from paramant.app.
What runs the service is operational, never tracking: our own edge (Caddy) terminates TLS directly on our server (see below); transactional email is sent server-side via our email provider; and a payment processor will handle billing on its own pages once that is enabled. None of these is loaded into the site, and none follows you across it.
Local storage in your browser
For technical functionality, the following data is stored locally in your browser only. It never leaves your device:
- ECDH + ML-KEM key pairs: generated locally for end-to-end encryption (SDK / Ghost Pipe sessions)
- Nonce registry: replay-attack protection (SDK sessions)
- Free tier usage counter (
ps_free_uses): today's date and upload count, used to enforce the 10/day limit client-side - Docs access key (
pm_docs_key): stored if you authenticate to the Docs with a paid API key - Passkey / WebAuthn credentials: your passkey’s private key is created and held by your device or password manager. PARAMANT only ever stores its public key, server-side; the private key never leaves your device.
- ParaSign signing vault (IndexedDB): if you sign documents, your post-quantum signing key (ML-DSA-65) is generated and kept in your browser’s IndexedDB, encrypted either with your passkey (WebAuthn-PRF → HKDF → AES-256-GCM) or, if your passkey provider cannot do that, with a passphrase (PBKDF2 → AES-256-GCM). The private key never leaves your device; only its public half is registered to your account.
You can delete all local data at any time: browser settings → paramant.app → Clear site data.
Servers & jurisdiction
All relay servers run on Hetzner infrastructure in Frankfurt, Germany (EU/DE). There is no infrastructure in the United States or outside the EU. No CLOUD Act exposure. All data is subject to EU/GDPR jurisdiction only.
Network edge
TLS is terminated by our own edge (Caddy), running on the same Hetzner infrastructure in Germany, with post-quantum key exchange. There is no third-party reverse proxy or CDN in front of the site: your connection reaches our server and nowhere else. Short-lived connection metadata (IP, timestamp) is processed transiently for security and abuse-prevention as described above, never for analytics.
Subprocessors
A few operational providers are needed to run the service. None is loaded into the site, and none is used for tracking:
- Hetzner (Germany, EU): hosting and infrastructure.
- Resend: transactional email only (account verification, signing invites, billing notices). It receives the recipient address and the message we send; it is never used for marketing.
- Mollie: payment processing for Pro/Enterprise. Billing is not yet live (current plans are arranged manually); once enabled, Mollie (a Dutch company, EU jurisdiction, GDPR-native) handles payment data on its own pages and PARAMANT never sees or stores card numbers, only your plan and an anonymised reference.
GDPR / AVG
We process the minimum personal data needed to run your account, on a lawful basis (performing the service you request, and our legitimate interest in keeping it secure). You can request access to, or deletion of, your account data by emailing us. For Pro and Enterprise customers we provide a Data Processing Agreement (DPA).
Temporary relay data is never retained longer than the applicable TTL (1 hour for Free, 24 hours for Pro, 7 days for Enterprise). In practice it is destroyed much earlier on download.
Children
PARAMANT is not directed at children under 13. We do not knowingly collect data from minors.
Changes to this policy
We may update this policy. Material changes will be noted via the "Last updated" date above. Continued use of the service after a change constitutes acceptance.
Contact
Questions about this Privacy Policy? Email info@paramant.app.