Privacy Statement
1. Who processes your data
The data controller within the meaning of the General Data Protection Regulation (GDPR) is:
Mick Beer, trading as Paramant
privacy@paramant.app
[ADDRESS TBD — to be added upon Chamber of Commerce registration]
For the contents of files transmitted via Paramant the situation is different: Paramant is not a processor within the meaning of GDPR Art. 28. The sender determines what is sent and to whom; Paramant only provides the transport mechanism. Because of end-to-end encryption via the SDK, Paramant has no access to file contents. For the data Paramant does process — account data, transport metadata, audit logs — Paramant itself is the data controller. This statement covers that latter category.
2. What data and why
2.1 Account registration
| Data | Required | Purpose |
|---|---|---|
| Email address | Yes | Authentication, account recovery, transactional email |
| Label / organisation name | No | Recognition in your own dashboard |
| TOTP secret (generated) | Yes | Two-factor authentication |
| Backup codes (generated) | Yes | Access recovery if authenticator is lost |
API key (generated, pgp_*) | Yes | Authentication to the Paramant API and SDK |
2.2 During use (per transport)
| Data | Purpose |
|---|---|
| Timestamp, hash prefix, byte size, device ID | Per-user audit log (in relay server memory only, see §4) |
| Sector (health/legal/finance/iot) | Routing to the correct sector relay |
| SHA-256 of encrypted payload + sector + timestamp | Public Certificate Transparency log (no party identity) |
We do not log: the contents of files, file names, recipient identity, or IP addresses in the transport chain.
2.3 IP addresses and User-Agent
For authentication and account management we temporarily record your IP address and User-Agent string. We use this for abuse detection (rate limiting), session display (so you can see your active sessions), and security incident handling. The nginx web server does not log access logs (access_log off).
For anonymous widget uploads (without an account) we retain IP addresses for a maximum of 7 days for abuse protection, after which they are automatically erased.
2.4 What we do not collect
Paramant does not collect passwords, phone numbers, payment data, biometric data, location data (other than IP), advertising identifiers, fingerprinting data, or analytics. There are no third-party trackers (such as Google Analytics, Facebook Pixel, or similar services) on the website.
3. Legal bases for processing
| Processing | Legal basis (GDPR Art. 6) |
|---|---|
| Creating and managing an account | Performance of contract (1(b)) |
| Authentication and session management | Performance of contract (1(b)) |
| Audit log and security monitoring | Legitimate interest: integrity of the service (1(f)) |
| Abuse detection / rate limiting | Legitimate interest: security (1(f)) |
| Transactional email (verification, recovery) | Performance of contract (1(b)) |
| Compliance with legal obligations | Legal obligation (1(c)) |
We do not rely on consent as a legal basis for processing account data, because the processing is necessary to deliver the service you have requested. For cookies and local storage, see §9.
4. How long we keep data
| Category | Retention |
|---|---|
| Account data (email, label) | Until deletion request; automatic deletion after 24 months of inactivity, with email warning at 22 months |
| API key | Until revoked by user |
| TOTP secret and backup codes | Until reset or account deletion |
| Session tokens | 1 hour (rolling window) |
| Signup verification token | 24 hours |
| Setup token (after email verification) | 14 days |
| Reset and checkout tokens | 1 hour |
| Per-user audit chain (relay) | Maximum 1000 events or container restart, in working memory only |
| Global audit ZSET (admin) | 10,000 most recent events |
| Per-user audit ZSET (admin) | 1,000 most recent events |
| Encrypted payload (RAM) | According to TTL set by sender (max 7 days Enterprise, 24h Pro/Anonymous, 1h Dev). Burns after first download. |
| Certificate Transparency log | 10,000 entries in working memory |
| IP addresses for anonymous widget | Maximum 7 days |
| Container stdout logs (Docker) | Maximum 50 MB rolling per relay container |
We do not make automated backups of personal data to external locations.
5. Who we share data with (sub-processors)
Paramant uses the following sub-processors. All processors that personal data flows to are bound by a data processing agreement compliant with GDPR Art. 28.
| Sub-processor | Country | Purpose | Data flowing |
|---|---|---|---|
| Hetzner Online GmbH | Germany (Nuremberg, FSN1 datacenter) | Hosting (compute, storage, network) | All processing happens here: encrypted payloads (RAM), account data (Redis + file), audit logs |
| Resend Inc. | United States (Delaware) | Transactional email (verification, recovery, notifications) | Recipient email address, email content (tokens, confirmations) |
GitHub, PyPI, and npm are used for distribution of source code and SDK packages. No user data is processed there.
We do not add new sub-processors without announcing this on this page at least 14 days in advance.
6. Transfers outside the EU
One sub-processor is located outside the European Economic Area: Resend Inc. (United States). The transfer takes place on the basis of Standard Contractual Clauses (SCCs) as adopted in Commission Implementing Decision (EU) 2021/914, Module 1 (controller-to-controller).
We limit the data flowing to Resend to what is necessary for sending transactional email: email address and email content (tokens, confirmations). IP addresses, audit logs, and file contents are not forwarded to Resend.
All other processing — payloads, account storage, audit logs — takes place exclusively within the EU on Hetzner infrastructure in Germany. We do not use Cloudflare, Fly.io edge, AWS, Google Cloud, Azure, or other US-based infrastructure in the data processing chain.
7. Security
We implement appropriate technical and organisational measures to protect personal data, including:
- End-to-end encryption of file contents via SDK and CLI (post-quantum: ML-KEM-768 for key exchange, ML-DSA-65 for signatures, AES-256-GCM for symmetric encryption)
- TLS 1.3 for all external connections
- TOTP secrets encrypted at rest with AES-256-GCM
- Backup codes stored as argon2id hashes
- RAM-only storage for payloads (no disk storage of file contents)
- Burn-on-read default for sent files
- Tamper-evident audit chain with ML-DSA digital signatures
- Rate limiting against brute-force attacks
- No access logs at the web server (
access_log off)
Browser and Outlook extensions operate via a server-side encryption path (TLS-protected transport, server-side post-quantum encryption). For full zero-knowledge end-to-end encryption, use the SDK or CLI.
8. Your rights
Under the GDPR you have the following rights regarding your personal data:
- Access (Art. 15): receive a copy of the data we process about you
- Rectification (Art. 16): have inaccurate data corrected
- Erasure (Art. 17): have your data erased
- Restriction (Art. 18): have processing restricted
- Portability (Art. 20): receive your data in a structured format
- Objection (Art. 21): object to processing based on legitimate interest
How do you exercise these rights?
The dashboard currently offers self-service for account deletion and (partial) audit log access. For the following actions, email privacy@paramant.app:
- Full access to all data (bundled subject access request export)
- Rectification of email address or label
- Complete deletion including all metadata, billing records, and audit history
- Restriction of processing
- Portability of data in machine-readable format
- Objection to processing
We respond within 30 days of receiving your request (GDPR Art. 12(3)). If we need more time (for example with complex requests) we will inform you within that period.
We verify your identity before executing a request, to prevent unauthorised access to your data. Verification takes place via the email address known to us.
We do not use automated decision-making or profiling within the meaning of GDPR Art. 22.
9. Cookies and local storage
Paramant places one cookie:
| Name | Type | Purpose | Lifetime |
|---|---|---|---|
paramant_user_session |
Strictly necessary | Session management (HttpOnly, Secure, SameSite=Lax) | 1 hour (rolling) |
Strictly necessary cookies do not require consent (GDPR / Dutch Telecommunications Act art. 11.7a(3)). We do not place tracking, analytics, or advertising cookies.
The dashboard additionally uses IndexedDB and Local Storage in your browser to locally store encryption keys and session state. This data does not leave your device and is not read by Paramant. You can clear this data via your browser settings.
10. Changes to this statement
We may amend this privacy statement. For material changes that affect your rights or the processing of your data, we will inform registered users by email and announce the change on this page at least 14 days in advance.
The current version and publication date appear at the top of this page. Earlier versions are available on request via privacy@paramant.app.
11. Contact and complaints
Have a question, comment, or complaint about the processing of your data?
Contact Paramant first:
privacy@paramant.app
We aim to resolve every complaint within 30 days.
Not satisfied with our response? You have the right to lodge a complaint with the supervisory authority. Because Paramant is established in the Netherlands, the lead supervisory authority is:
Autoriteit Persoonsgegevens (Dutch Data Protection Authority)
Postbus 93374
2509 AJ Den Haag
The Netherlands
autoriteitpersoonsgegevens.nl/en
If you reside in another EU/EEA member state, you may also lodge a complaint with your national data protection authority.