Privacy Policy
Last updated: 11 May 2026
The 30-second version
envstore is a zero-knowledge service. Your .env files are encrypted on your machine before they ever reach us. We store ciphertext, public keys, and the metadata required to bill you and operate the service. We never see plaintext secrets, never hold your private keys, and could not decrypt your data even if compelled.
Who's responsible
The data controller (in GDPR terms) is the operator listed in our Imprint. Reach us at privacy@envstore.xyz.
What we collect
Account data
- Email address: required to sign in and contact you about your account.
- Name and avatar: optional, populated by your OAuth provider (GitHub or Google) if you sign in with one.
- Provider account ID: from GitHub or Google, used to recognise you across sign-ins.
Workspace and project data
- Workspace, project, and environment names and slugs you create
- Membership and role information
- Encrypted env file ciphertext — opaque bytes that only your local private key can read
- Ciphertext metadata: size, SHA-256 checksum, version number, timestamps
Public encryption keys
Your age public key (the recipient string, e.g. age1...) is stored so that other workspace members can encrypt env files to you. Private keys never leave your machine.
Authentication tokens
- Browser session cookies (signed JWT) issued by our authentication system
- CLI tokens (stored only as SHA-256 hashes, so we cannot recover the plaintext)
Operational logs
- Audit log of mutating actions (who created what, when) for security and debugging
- Request IP addresses and user-agent strings, retained for up to 90 days
Billing data
Billing is handled by our payment processor, Paddle, which acts as the merchant of record. Paddle collects the data required to process payment (name, billing address, card details, tax ID where applicable). We receive only a subscription identifier and status from Paddle — we never see your full card number or CVC. See Paddle's privacy notice for details.
What we do NOT collect
- Plaintext env file contents. Encryption happens locally, and the ciphertext that reaches us can only be opened by the age private keys matching the recipients it was encrypted to, so we cannot decrypt it.
- Your age private key. It lives on your machine, in your OS keychain by default.
- Payment card details. Paddle handles these.
How we use your data
- To provide the service you signed up for (Art. 6(1)(b) GDPR — contract)
- To bill you for paid workspaces (Art. 6(1)(b) — contract; handled via Paddle)
- To secure the service against abuse — rate limiting, audit logging, security investigations (Art. 6(1)(f) — legitimate interest)
- To send service emails (sign-in codes, invites, billing receipts — Art. 6(1)(b))
We do not use your data for advertising, do not sell it, and do not share it with third parties beyond the processors listed below.
Subprocessors
- Neon (Postgres database hosting)
- Cloudflare R2 (encrypted ciphertext storage)
- Resend (transactional emails — sign-in codes, invites)
- Paddle (billing, merchant of record)
- Vercel (web hosting and CDN — for the dashboard)
- OAuth providers (GitHub, Google) — only if you sign in through them
Data location
Neon and Vercel regions are chosen when the service is deployed. R2 objects are stored in the bucket region the operator configured; R2's EU jurisdiction restriction is available for EU-resident customers. Email is sent through Resend, which operates globally.
Retention
- Account data: kept as long as your account is active. Deletion on request removes it within 30 days.
- Environment ciphertext: kept until you delete the project / environment. Soft-deleted resources are retained for the workspace's configured retention window (default 30 days) before permanent removal.
- Audit logs: 12 months, then aggregated or deleted.
- IP/user-agent logs: up to 90 days.
- Billing records: retained as long as required by tax law (typically 10 years in the EU).
Your rights (GDPR)
You have the right to:
- Access the data we hold about you
- Correct inaccurate data
- Delete your account and associated data ("right to be forgotten")
- Export your data in a machine-readable format (portability)
- Object to processing based on legitimate interest
- Withdraw consent where processing is based on consent
- Lodge a complaint with your supervisory authority (e.g. the German BfDI or your local DPA)
Email privacy@envstore.xyz to exercise any of these rights. We aim to respond within 30 days.
Cookies
We use only essential cookies — the session cookie that keeps you signed in, and CSRF tokens for form security. We don't run analytics tracking, advertising pixels, or any third-party cookies on our own pages.
Security
Env files are end-to-end encrypted with age (X25519 recipients, ChaCha20-Poly1305 payload encryption) before they leave your machine, and all traffic travels over HTTPS. CLI tokens are stored only as SHA-256 hashes; bearer tokens are scoped per user, can be revoked from the dashboard, and expire after a default TTL of 365 days. Authentication endpoints are rate limited. Responses carry strict security headers, including HSTS, X-Frame-Options, Referrer-Policy and Permissions-Policy. The source code is open and auditable: github.com/michael-ketzer/envstore.xyz.
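What "stored as SHA-256 hashes, revocable, with a 365-day TTL" means on the server side, as an added illustration (this is example code written for this page, not envstore's implementation; the `TokenStore` class, the `est_` prefix, the row layout and the `token_id` handle are assumptions made for the demo):

```python
"""Hashed bearer-token store (added example, not envstore's code).

The server keeps only the SHA-256 digest of each CLI token, so a database
dump yields nothing a client could present. Revocation works through a
short handle (token_id) and never needs the plaintext.
"""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 365 * 24 * 60 * 60  # default lifetime from the policy


class TokenStore:
    def __init__(self, now=time.time):
        # digest -> row; the plaintext token is never written anywhere
        self._rows = {}
        self._now = now  # injectable clock so expiry can be tested offline

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str, ttl: int = TOKEN_TTL_SECONDS):
        # 32 random bytes from the OS CSPRNG. An unsalted SHA-256 is
        # acceptable only because the token is high-entropy and unguessable;
        # a user-chosen password would need a slow, salted KDF instead.
        token = "est_" + secrets.token_urlsafe(32)  # "est_" prefix is assumed
        token_id = secrets.token_hex(4)  # short handle shown in a dashboard
        self._rows[self._digest(token)] = {
            "token_id": token_id,
            "user_id": user_id,
            "expires_at": self._now() + ttl,
            "revoked": False,
        }
        return token, token_id  # plaintext goes to the client exactly once

    def lookup(self, token: str):
        """Resolve a presented bearer token to its user, or None.

        Lookup is by digest, so the server only ever handles the hash of an
        unguessable value; unknown, expired and revoked tokens fail closed.
        """
        row = self._rows.get(self._digest(token))
        if row is None or row["revoked"] or row["expires_at"] <= self._now():
            return None
        return row["user_id"]

    def active_token_ids(self, user_id: str):
        """Handles a dashboard would list for one user (live tokens only)."""
        now = self._now()
        return sorted(
            r["token_id"]
            for r in self._rows.values()
            if r["user_id"] == user_id and not r["revoked"] and r["expires_at"] > now
        )

    def revoke(self, user_id: str, token_id: str) -> bool:
        """Revoke by handle, scoped to the owning user; no plaintext needed."""
        for row in self._rows.values():
            if row["user_id"] == user_id and row["token_id"] == token_id:
                row["revoked"] = True
                return True
        return False


if __name__ == "__main__":
    store = TokenStore()
    token, handle = store.issue("user-1")
    print("issued", handle, "->", store.lookup(token))
    store.revoke("user-1", handle)
    print("after revoke ->", store.lookup(token))
```

The point to check in any real implementation is the one the comment in `issue` makes: plain SHA-256 protects a stored token only when the token itself carries enough entropy to be unguessable, which is the case for CSPRNG-generated bearer tokens but not for passwords.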
Found something concerning? See our security policy — email security@envstore.xyz.
Changes to this policy
We'll post material changes at this page and, if the change is significant, email everyone with an active account at least 14 days before it takes effect.
Contact
Privacy questions: privacy@envstore.xyz
Operator details: Imprint