envstore

Terms of Service

Last updated: 11 May 2026

What this is

envstore is a service that stores end-to-end encrypted .env files on your behalf. You upload ciphertext that only you (and people you explicitly add) can decrypt. We can't read your secrets, even if we wanted to.

These Terms are an agreement between you and the operator listed in our Imprint ("we", "us"). By creating an account, you agree to them. If you don't, please don't sign up.

Eligibility

  • You must be at least 16 years old (18 in jurisdictions that require it).
  • You must provide accurate account information.
  • One person per account. Workspaces can be shared with teammates.

The service

envstore consists of:

  • The web dashboard at envstore.xyz
  • The envstore command-line tool
  • The API endpoints under /api/v1/*
  • The encrypted storage backing the above

We do our best to keep the service running but don't guarantee any specific uptime. We may run maintenance windows and announce them in advance when we can.

Your account

  • You're responsible for keeping your sign-in credentials and your local age private key safe.
  • envstore is for storing text-based environment variables. Binary files, images, and anything that isn't a real env file are blocked at the CLI and refused at the server (1 MB ciphertext cap).
  • If you lose every copy of your age private key, your data is permanently unrecoverable. There is no server-side recovery flow — that's the entire point of zero-knowledge.

Your content

You keep ownership of everything you upload. We need only the limited rights necessary to store and transmit your encrypted ciphertext on your behalf — nothing more. We do not analyse it, sell it, or share it with anyone outside the subprocessors named in our Privacy Policy.

By uploading content to envstore, you represent and warrant that:

  • You have all rights necessary to store and transmit it.
  • It does not violate any law that applies to you, or to the operator in Germany (see Imprint).
  • It does not infringe any third party's rights — including copyright, trade secrets, or other people's personal data without a lawful basis.

You are solely responsible for the content you upload, share, and pull through envstore. envstore is end-to-end encrypted: the server stores ciphertext that we cannot decrypt and cannot inspect. We have no technical way to pre-screen, moderate, or even know what is inside a given file. That responsibility — what gets stored, who gets invited to a workspace, what they then do with the data — rests with you.

If any third-party claim is made against us because of content you uploaded, shared, or distributed via envstore (for example: copyright, data-protection, or unlawful-content complaints), you agree to indemnify and hold us harmless, including reasonable legal costs — except where the claim is caused by our own breach of these Terms or applicable law. Nothing in this section limits any rights you have under mandatory consumer-protection law.

Our role as a hosting service

envstore is a hosting service in the sense of Article 3(g)(iii) of Regulation (EU) 2022/2065 (the Digital Services Act, "DSA"), implemented in Germany via the Digitale-Dienste-Gesetz (DDG, which replaced the relevant parts of the TMG on 14 May 2024). We store information provided by — and at the request of — our users.

Under Article 6 DSA and § 7 ff. DDG we are not liable for the content a user stores on the service as long as we do not have actual knowledge that it is illegal and, once we obtain such knowledge, act expeditiously to remove or disable access to it. Because envstore is end-to-end encrypted, we cannot in practice gain knowledge of the plaintext of any user file. We undertake no general monitoring obligation (Article 8 DSA).

Notice of illegal content. If you believe content stored on envstore is illegal, send a notice to legal@envstore.xyz including: identification of the content (workspace / project / version where possible), the law you believe is violated, your contact details, and — if you are a rights holder — proof of your standing. We will assess the notice and take appropriate action, which may include suspending the affected workspace or disabling access pending investigation. Knowingly false notices may give rise to liability under Article 23(2) DSA.

Acceptable use

You agree not to:

  • Use envstore as generic encrypted file hosting (it's not for that)
  • Reverse-engineer or attempt to bypass our rate limiting or auth gates beyond what's allowed by AGPL
  • Probe the service for vulnerabilities outside our coordinated disclosure scope (see SECURITY.md)
  • Send unsolicited invitations or otherwise abuse the invite flow
  • Interfere with other customers' service or data
  • Use the service for anything illegal under your or our jurisdiction

We may suspend accounts that violate these rules. For serious violations we may terminate without refund.

Pricing and billing

  • $1.99 per workspace per month. Each workspace you create gets its own billing line. Unlimited members per workspace.
  • Every new workspace starts with a 14-day free trial. No card required for the trial.
  • Subscriptions renew automatically until you cancel them.
  • Billing is processed by Paddle, our merchant of record. Paddle handles invoicing, taxes (including VAT), and chargebacks. Their buyer terms apply to the payment transaction.

Cancellation and refunds

You can cancel any workspace's subscription at any time from the dashboard. After cancellation, the workspace stays readable for 30 days so you can pull your data out; no further charges accrue.

Refund details — including our 14-day money-back guarantee — are documented separately in our Refund Policy.

Open source

envstore is licensed under AGPL v3. You can run your own instance. If you do, the AGPL requires that modifications you make available as a hosted service must also be open sourced.

Termination

  • You can delete your account at any time. Doing so soft-deletes your data; permanent deletion follows after the workspace's configured retention window.
  • We may terminate accounts that violate these Terms or that go unused for an extended period (no fewer than 12 months without a sign-in). We'll email you before doing so.
  • On termination, your subscription is cancelled and the cancellation policy above applies.

Liability

We provide envstore "as is" without warranties. To the maximum extent permitted by law, our liability for any claim related to your use of the service is capped at the amount you paid us in the 12 months preceding the claim. We aren't liable for indirect, consequential, or punitive damages.

We are not liable for losses caused by you losing your local age private key. We literally cannot recover it.

Nothing in these Terms limits our liability for fraud, willful misconduct, or for anything that can't be limited under applicable law (in the EU, that includes death, personal injury, and intent or gross negligence).

Changes

We may update these Terms. If a change is material — for example, affecting pricing or significant rights — we'll email you at least 14 days before it takes effect. Continued use after the effective date means you accept the change. If you don't, you can cancel.

Governing law and disputes

These Terms are governed by the laws of the operator's country of registration (see Imprint). Disputes will be handled by the competent courts there, unless mandatory consumer protection laws in your country of residence give you a stronger venue.

If you're a consumer in the EU, you have the right to use the European Commission's ODR platform. We don't currently participate in any alternative dispute resolution scheme.

Contact

Questions about these Terms: legal@envstore.xyz
Operator details: Imprint