1. Information We Collect
Account Information
When you create an account, we collect your full name and email address. Your password is hashed using bcrypt before storage — we never store plaintext passwords.
Files and Uploads
When files are uploaded (via QR code, shared link, or Drive), we store the file content, original file name, file type, file size, and upload timestamp. Drive files are encrypted at rest using AES-256-GCM.
QR Sharing (Anonymous Senders)
When someone uploads a file to your QR code or shared link without an account, we collect their IP address (for rate limiting and abuse prevention), along with any sender name or notes they choose to provide. We do not require senders to create an account, share their email, or provide any personal contact information.
Locker (Password Vault)
When you use Locker in end-to-end encrypted mode, your passwords and credentials are encrypted in your browser before they reach our servers. We store only encrypted data, your public key, and a hash of your master password. We cannot read, access, or decrypt your vault contents. In server-managed mode, data is encrypted at rest using AES-256-GCM.
AI Assistant
When you use the AI Assistant, your search queries, file names, folder names, and conversation history are sent to our AI provider to generate responses. When you chat with PDFs or request summaries, the content of those files is sent to the AI provider for processing. Locker password values are never sent to the AI — only password entry names are used for search.
Usage Data
We track daily file counts, bytes transferred, and AI query usage per account to enforce plan limits. We also log your last active timestamp.
2. How We Use Your Information
- Deliver and operate the service — file storage, sharing, encryption, and AI features.
- Enforce plan limits — daily file quotas, storage caps, and AI query limits based on your subscription.
- Prevent abuse — rate limiting by IP address to protect against spam and excessive usage.
- Send transactional emails — OTP verification codes and password reset emails only. We do not send marketing emails.
- Improve the service — understanding usage patterns to make the product better.
3. How We Protect Your Data
Encryption
- Drive files are encrypted at rest using AES-256-GCM with a server-managed encryption key.
- Locker (E2E mode) uses client-side encryption — your data is encrypted in your browser using keys derived from your master password. We operate on a zero-knowledge basis and cannot access your vault.
- Passwords are hashed using bcrypt before storage.
- All connections use HTTPS/TLS for data in transit.
Authentication
Sessions are managed through HTTP-only, secure cookies containing signed JWT tokens that expire after 7 days. Sensitive actions are protected by rate limiting.
Access Controls
Shared files and folders support granular permissions (view-only or download), expiration dates, and the ability to revoke access at any time. Locker Send links can be password-protected with configurable view limits.
4. Data Retention
Files received through QR codes and shared links are automatically deleted based on your plan:
- Free plan — 3 days
- Starter plan — 7 days
- Business plan — 30 days
- Pro plan — 90 days
Drive files, Locker entries, and account data are retained until you delete them or close your account. Expired shares, exhausted Send links, and expired sessions are cleaned up automatically.
5. Third-Party Services
We use the following third-party services to operate YourKeep. Each provider is bound by its own privacy policy and data protection practices:
- Cloudflare R2 — encrypted file storage.
- Neon — managed PostgreSQL database for account and metadata storage.
- Google Gemini — AI-powered search, PDF chat, and document summaries. File names, search queries, PDF content, and conversation history are sent to Google for processing. No personal identifiers (email, user ID) are included in AI requests.
- Upstash Redis — rate limiting and temporary OTP code storage. OTP codes expire after 10 minutes.
- Resend — transactional email delivery for OTP codes and password resets only.
We do not sell, rent, or trade your personal data to any third party.
6. Cookies
We use a single HTTP-only authentication cookie (auth_token) to maintain your login session. This cookie is secure, same-site, and expires after 7 days. We do not use advertising cookies, tracking pixels, or third-party analytics cookies.
7. Your Rights and Controls
- Access — view all your files, shares, and account data through your dashboard.
- Delete — delete individual files, folders, Locker entries, or your entire account at any time.
- Revoke sharing — disable or remove any active share, public link, or Send link at any time.
- Control expiry — set expiration dates on shares and links, or let auto-deletion handle it based on your plan.
To request a full export or deletion of your data, contact us at support@yourkeep.in.
8. Children's Privacy
YourKeep is not intended for use by anyone under the age of 13. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 13, we will delete it promptly.
9. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes, we will update the "Last updated" date at the top of this page. Continued use of YourKeep after changes constitutes acceptance of the updated policy.
10. Contact
For privacy-related questions, data requests, or concerns, contact us at support@yourkeep.in.