Qpher

Privacy Policy

Version 1.1.0 | Last updated: 2026-05-09 | Published

1. Introduction

This Privacy Policy describes how Qpher LLC ("Qpher", "we", "us") collects, uses, stores, and shares personal data when you use the Qpher PQC Security Cloud platform, including the API (api.qpher.ai), User Portal (portal.qpher.ai), marketing site (qpher.ai), documentation (docs.qpher.ai), and the **Qpher Vault** mobile application available on the Apple App Store. We are committed to protecting your privacy and handling your data transparently. This policy applies to all users of the Service, including account holders, administrators, mobile-app subscribers, and visitors to our websites.

**Two-Account Model**: Qpher operates two independent product lines with separate billing and separate user databases — (a) **SaaS API & User Portal** (web-based, Stripe billing, intended for developers and enterprises integrating PQC into their own products) and (b) **Qpher Vault** (iOS app, Apple In-App Purchase billing, intended for individuals encrypting personal documents). The same email address may be used for both products, but the two accounts remain isolated by design and are governed by the data handling rules described below.

2. Controller and Processor Roles

Qpher acts in two distinct data roles depending on the category of data:

**Controller**: Qpher is the data controller for customer account data (email, name, company), billing and payment data (invoices, payment history, Stripe customer ID), and API usage and audit logs (request counts, error logs, tenant activity). The legal bases are legitimate interest (GDPR Art. 6(1)(f)), contract performance (Art. 6(1)(b)), and legal obligation (Art. 6(1)(c)).

**Processor**: Qpher is a data processor for customer-encrypted data (ciphertext processed via the KEM encrypt API), PQC cryptographic keys (Kyber768/Dilithium3 key pairs managed by the KMS), and customer plaintext submitted for encryption (transient, never stored or logged). The legal basis is contract performance (Art. 6(1)(b)). A Data Processing Agreement (DPA) is available at /legal/dpa.

3. Data We Collect

**Account Information (SaaS)**: Email address, full name, company name, and password (stored as bcrypt hash with cost factor >= 12).

**Billing Information (SaaS)**: Plan selection, billing interval, payment method metadata (card last four digits, expiry). Full payment card details are handled exclusively by Stripe and never reach Qpher servers.

**Usage Data**: API request counts, endpoint usage, response times, error rates, and tenant-level activity logs.

**Cryptographic Data (as Processor)**: Ciphertext produced by KEM encryption, digital signatures produced by Dilithium signing, and PQC key pairs (public keys stored in the database, private keys stored encrypted in the KMS secure enclave). Customer plaintext submitted to the /kem/encrypt endpoint is transient and is never stored, logged, or persisted.

**iOS Vault App Data**: When you use the Qpher Vault iOS app, we additionally collect:

- **Vault account credentials** (email address, display name, password hashed with bcrypt cost factor >= 12) — stored in a database table physically separated from SaaS API user accounts.
- **Apple StoreKit transaction identifiers** (`apple_original_transaction_id`, `transaction_id`, and the subscribed `product_id`) for verifying active Personal or Personal Pro subscription status.
- **Apple Sign In relay email addresses** (in the form `*@privaterelay.appleid.com`) when the user authenticates via Sign in with Apple. We never attempt to resolve relay addresses to a user's underlying real email.
- **Encrypted document ciphertext** stored on Cloudflare R2 (see Section 6.5 for the encryption design and the operator-trust boundary — Qpher does not read document contents during normal service operation).
- **Document metadata stored unencrypted in our PostgreSQL database** so the application can render your file list: document name (original filename), MIME type, original byte size, file hash, encryption algorithm identifier, key version, and timestamps. **Filenames are NOT encrypted** in this release — please avoid putting sensitive information directly in filenames if this matters to you. (Encrypted filenames are tracked as a v2.0 roadmap item.)
- **Document-relationship records** including organization-membership rows (which Vault Team you belong to and your role), document-share records (recipients, permission level, expiration), pending-invitation records, and access audit logs (operations performed on your documents, with timestamps and the actor's user ID).
- **Multi-Factor Authentication state**: an encrypted TOTP shared secret (server-side AES-256-GCM at rest), a count of unused recovery code hashes, and (where applicable) an email OTP delivery audit row.
- **Refresh-token records** for keeping you signed in (a per-token UUID + revocation flag — the token itself is bcrypt-hashed before storage).
- **Apple Push Notification Service (APNs) device tokens**, used solely to deliver MFA prompts and shared-document notifications. Tokens rotate when iOS revokes them and are deleted on account deletion.

We do NOT collect, anywhere in the iOS Vault app: photo library content (we read pixel data into the encryption pipeline but never transmit raw photos), location data (no GPS, no Core Location), contacts, calendar, microphone, advertising identifiers (no IDFA), device identifier-for-vendor (no IDFV), analytics events (no Firebase, Mixpanel, Amplitude, or comparable SDK), crash telemetry beyond what Apple captures via TestFlight, or any third-party tracking data.

**Website Analytics**: Page views, referrer information, and approximate country for the marketing site `qpher.ai` only (via Plausible Analytics, which is cookie-free and collects no personally identifiable information). The iOS Vault app does NOT use Plausible or any other analytics tool.

4. Legal Basis for Processing (GDPR Art. 6)

**Contract Performance (Art. 6(1)(b))**: Processing account data and cryptographic data is necessary to provide the Service as agreed in the Terms of Service.

**Legitimate Interest (Art. 6(1)(f))**: Processing usage data and audit logs is necessary for platform security, abuse prevention, and service improvement. We have conducted a legitimate interest assessment and determined that these interests do not override data subject rights.

**Legal Obligation (Art. 6(1)(c))**: Retaining billing records and invoices for 7 years is required for tax compliance.

**Consent**: We rely on consent only where required by law (e.g., for optional marketing communications). Consent may be withdrawn at any time.

5. How We Use Your Data

We use your data to: (a) provide and maintain the Service, including account management, authentication, and API access, (b) process billing and payments through Stripe, (c) enforce plan limits and rate limiting, (d) generate audit logs for security and compliance, (e) monitor platform performance and availability, (f) send transactional emails (account verification, password reset, security alerts, billing notifications), (g) improve the Service based on aggregated, anonymized usage patterns, and (h) comply with legal obligations. We do not sell personal information to third parties. We do not use customer cryptographic data (ciphertext, keys) for any purpose other than providing the requested cryptographic operations.

6. Data Sharing and Sub-Processors

Qpher shares data with the following sub-processors:

- **Stripe, Inc.** (USA, EU-US Data Privacy Framework): Payment processing for the SaaS API and User Portal. Receives customer name, email, billing address, and tokenized payment card data.
- **Apple Inc.** (USA): App Store Connect billing and StoreKit subscription management for the Qpher Vault iOS application. Receives Apple ID, IAP transaction identifiers, and subscription metadata. Apple's handling of payment data is governed by the Apple Privacy Policy.
- **Cloudflare, Inc.** (USA): R2 object storage for Qpher Vault encrypted documents. Receives the encrypted ciphertext bytes (which Cloudflare cannot read), and a small JSON metadata sidecar per document containing the original filename, byte size, and PQC algorithm identifier in plaintext (these metadata fields are stored unencrypted both on Cloudflare and in our PostgreSQL database — see Section 3 and Section 6.5). Cloudflare does not have access to the document contents themselves.
- **Twilio SendGrid** (USA): Transactional email delivery (account verification, password reset, MFA email OTP, lifecycle notifications). Receives recipient email address and email content.
- **Upstash, Inc.** (regional, configurable): Rate limiting via Redis. Receives hashed IP addresses and tenant IDs.
- **Cloud Provider (AWS/GCP)**: Infrastructure hosting. All platform data is encrypted at rest and in transit.
- **Plausible Analytics** (EU, Germany): Privacy-focused website analytics for the marketing site only (NOT used in the iOS app). Receives page views, referrer, and approximate country. No personally identifiable information or cookies.
- **BetterStack** (EU): Uptime monitoring and status page. Receives API endpoint URLs and response times only.

We provide 30 days advance notice via email and in-portal notification before adding new sub-processors. Enterprise customers with custom DPA terms may object per their contractual agreement.

6.5. Qpher Vault Encryption Design (Operator-Trusted Model)

The Qpher Vault iOS application encrypts your document content on-device before it leaves your phone. The encryption design — described in detail in our public Architecture Decision Records ADR-0023 (KEM-DEM scheme), ADR-0031 (hybrid PQC+classical algorithms), and ADR-0010 (private key boundary) — works as follows:

1. **On-device encryption**: When you upload a document, the Vault app generates a random AES-256-GCM data encryption key (DEK) on your device and encrypts the file locally. The plaintext content never leaves your device.
2. **Hybrid post-quantum key wrapping**: The DEK is wrapped using **X-Wing**, a hybrid scheme combining NIST-standardized post-quantum cryptography (ML-KEM-768, formerly Kyber768, FIPS 203) with classical X25519 elliptic-curve key agreement. This dual-layer design provides defense-in-depth against future cryptanalytic advances on either algorithm. Wrapping uses your tenant's public encapsulation key.
3. **Storage**: The encrypted ciphertext bytes and the wrapped DEK are uploaded to Cloudflare R2. The unwrapped DEK is never persisted server-side. A small JSON metadata sidecar containing the document's plaintext filename, byte size, and algorithm identifier accompanies the ciphertext on R2 and in our PostgreSQL database (see Section 3) — these metadata fields are NOT encrypted in this release.
4. **Decryption**: When you open a document, the Vault app authenticates and requests the wrapped DEK be unwrapped. The Qpher Key Management Service (KMS-Orchestrator) holds the tenant decapsulation private key inside an access-controlled secure enclave per ADR-0010, performs the KEM decapsulation, and returns the unwrapped DEK to your device, which then decrypts the file locally. The DEK exists in server memory only for the duration of the API call and is zeroed immediately afterward via explicit `ctypes.memset` calls (see ADR-0023 §C1).
**Trust model — please read this carefully.** Qpher operates this release of the iOS Vault under an **operator-trusted** model: Qpher's Key Management Service holds the tenant decapsulation private key. This means that, under normal service operation, our automated infrastructure does NOT read the plaintext content of your documents — every decapsulation requires an authenticated request from your device, and the unwrapped DEK is returned to you and zeroed from server memory. However, a privileged Qpher operator with production KMS access could in principle perform a decapsulation outside the normal request flow. This model is the same one used by, for example, Dropbox, Box, and Apple iCloud's standard data protection — and is materially different from a true zero-knowledge model used by Apple's Advanced Data Protection, Bitwarden, or 1Password (where the encryption keys live only on the user's devices and the service operator cannot decrypt content even if compelled to).

**What this means for you in practice.**

- Forgetting your password and resetting it via email **does not lose your document access** — the encryption keys are managed by Qpher's KMS, not derived from your password.
- Qpher is technically capable of complying with a valid legal order (subpoena, search warrant, court order) to decrypt the documents of a specific account. We have not been required to do so to date. We will publish a transparency report if and when we receive such legal demands, including aggregate counts and categories permitted to be disclosed under applicable law. We will notify the affected user unless prohibited by law.
- **A true zero-knowledge mode ("Personal Pro Privacy Mode") is on the v2.0 product roadmap** as an opt-in for paid tiers. Once shipped, that mode will move the decapsulation key to your device and remove Qpher's ability to access content even with operator access. We will publish a separate ADR and updated Privacy Policy section before that capability ships.
- App Store Privacy Nutrition Label: per Apple's guidance for apps using end-to-end-style encryption-at-rest where the service operator does not normally access content, we exclude document content from the "User Content" category in the App Store metadata. The metadata sidecar described above (filename, size, algorithm) is collected and disclosed in Section 3.

7. Data Retention

We retain data for the following periods: tenant metadata and API key hashes are retained while the account is active and permanently deleted 30 days after account deletion. PQC public keys follow the same retention. PQC private key files are securely deleted (overwritten with random data, then deleted) within 30 days. Audit logs are retained for 180 days on a rolling basis. Invoices and billing records are retained for 7 years for tax compliance. User personal data is deleted within 30 days of an account deletion request. Prometheus metrics are retained for 15 days (hot) and 90 days (cold), then anonymized by removing tenant_id labels.

**Qpher Vault Soft-Delete Lifecycle (ADR-0048)**: When a Vault user requests account deletion from within the iOS app, the account enters a 30-day grace period during which it is soft-deleted but recoverable on next login. After 30 days (or upon explicit "Delete Now" by an organization administrator with no grace), all Vault data is permanently removed: vault_users database row, document metadata records, document_shares records, organization-membership records, MFA secrets and recovery code hashes, refresh-token records, APNs device tokens, and all encrypted ciphertext objects (and metadata sidecars) in Cloudflare R2 under the user's prefix. Apple StoreKit subscription cancellation is initiated as part of the finalize step.

**Lifecycle audit events** (the immutable records of soft-delete, restore, and finalize transitions themselves — stored in our `lifecycle_events` table) are retained indefinitely under GDPR Art. 17(3)(e) for the establishment, exercise, or defense of legal claims and for incident-response forensics. These audit rows contain timestamps, user IDs, action types, actor identifiers, and correlation IDs — they do NOT contain document content, filenames, or other personal data beyond what is required to reconstruct the lifecycle decision. Audit rows for a given user are anonymized (user ID replaced with a one-way hash) 7 years after account finalization.

8. Your Rights Under GDPR

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights:

- **Right to Access (Art. 15)**: Request a copy of your personal data via the portal data export feature.
- **Right to Rectification (Art. 16)**: Update your profile information in the portal settings.
- **Right to Erasure (Art. 17)**: Request account deletion; processing completes within 30 days.
- **Right to Restrict Processing (Art. 18)**: Request account suspension (API access disabled, data preserved).
- **Right to Data Portability (Art. 20)**: Export your public keys and encrypted data via the portal export feature.
- **Right to Object (Art. 21)**: Object to processing based on legitimate interest by contacting privacy@qpher.ai.

To exercise these rights, use the portal settings or contact privacy@qpher.ai. We respond to requests within 30 days. You also have the right to lodge a complaint with your local supervisory authority.

9. Your Rights Under CCPA

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

- **Right to Know (Section 1798.100)**: Request information about the categories and specific pieces of personal information we collect. Use the same data export mechanism as GDPR Art. 15.
- **Right to Delete (Section 1798.105)**: Request deletion of your personal information. We process requests within 30 days.
- **Right to Opt-Out of Sale (Section 1798.120)**: Qpher does not sell personal information to third parties.
- **Right to Non-Discrimination (Section 1798.125)**: We do not discriminate in pricing or service quality based on the exercise of privacy rights.

Categories of personal information collected: identifiers (email, name), commercial information (billing records), and internet activity (API usage logs). To exercise your rights, use the portal settings or contact privacy@qpher.ai.

10. Security Measures

We implement the following security measures to protect your data: (a) all data in transit is encrypted via TLS 1.2+ (TLS 1.3 preferred), (b) all data at rest is encrypted, including PQC private keys encrypted with AES-256-GCM, (c) passwords are hashed with bcrypt (cost factor >= 12), (d) API keys are stored as HMAC-SHA256 hashes, never in plaintext, (e) application-level tenant isolation ensures no cross-tenant data access, (f) a zero trust policy engine evaluates every API request, (g) audit logs track all security-relevant operations with 180-day retention, and (h) the platform undergoes annual penetration testing by an independent third-party firm.

11. International Data Transfers

Qpher is based in the United States. If you are accessing the Service from outside the United States, your data may be transferred to and processed in the United States. For transfers from the EEA/UK to the US, we rely on: (a) the EU-US Data Privacy Framework (DPF) where our sub-processors are certified, (b) Standard Contractual Clauses (SCCs) as approved by the European Commission, and (c) supplementary technical measures including encryption in transit and at rest. Enterprise customers may negotiate additional data transfer safeguards in their DPA.

12. Contact Information

For privacy-related inquiries, data subject requests, or complaints:

- **Privacy Team**: privacy@qpher.ai
- **Security Team**: security@qpher.ai
- **General Inquiries**: sales@qpher.ai
- **Postal Address**: Qpher LLC, 8401 Mayland Dr Ste A, Richmond, VA 23294, USA

We aim to respond to all privacy inquiries within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Service. Material changes will be communicated via email to the account holder and through an in-portal notification at least 30 days before taking effect. The current version of the Privacy Policy is always available at qpher.ai/legal/privacy. We encourage you to review this policy periodically. Your continued use of the Service after changes take effect constitutes your acceptance of the updated policy.
