Privacy Policy

3.1 Information You Provide Directly

Account Registration:

• Full name
• Email address
• Password (cryptographically hashed; we never store plain text passwords)
• Phone number (optional, for account recovery and two-factor authentication)
• Profile picture (optional)

Creator and Monetization Program:

If you join our Creator Monetization Program, we collect:

• Legal name as it appears on government-issued identification
• Bank account details (account number, IFSC/SWIFT code, bank name)
• UPI ID (for Indian users)
• Tax identification numbers (PAN for India, SSN/EIN for US, VAT for EU, etc.)
• Payout address
• Tax residency information

Payment Information:

• Payment method details (processed by third-party payment processors)
• Transaction history
• Billing address
• Purchase records for in-app purchases and subscriptions

User-Generated Content:

• Channel names, descriptions, and thumbnails (public, not encrypted)
• Support communications and feedback
• Survey responses

3.2 Information Collected Automatically

Device and Technical Information:

• Device type, model, and manufacturer
• Operating system and version
• Unique device identifiers (where permitted by law and platform policies)
• IP address
• Browser type and version (for web access)
• Language and timezone settings
• Mobile network information

Usage Information:

• Storage usage and file sizes
• Upload and download frequency
• Feature usage patterns
• Session duration and frequency
• App crashes and performance data
• Interaction with advertisements

Monetization Metrics (for Creators):

• Number of Channel Unlocks
• Subscriber acquisition and retention rates
• Duration of channel access by subscribers
• User engagement metrics
• Revenue attribution data

Location Information:

• Approximate location based on IP address
• Country and region for compliance purposes
• We do not collect precise GPS location

3.3 Information from Third Parties

• Authentication providers (if you sign in with Google, Apple, or other providers)
• Payment processors (transaction confirmations)
• Advertising partners (aggregated campaign performance)
• Analytics providers (aggregated usage statistics)

5.1 Service Provision and Operations

• Create and manage your account
• Provide cloud storage services
• Process uploads, downloads, and file sharing
• Manage storage limits and quotas
• Enable Channel creation and subscription features
• Process payments and subscriptions

5.2 Cloud Coin Economy

• Track Cloud Coin balance and transactions
• Process coin purchases and redemptions
• Manage coin expiration
• Prevent fraud and abuse in the coin system

5.3 Creator Monetization

• Calculate Creator earnings based on the 15-Unlock Rule
• Verify Active Subscriber metrics
• Process monthly revenue payments
• Generate earnings reports
• Comply with tax reporting requirements

5.4 Security and Fraud Prevention

• Detect and prevent unauthorized access
• Identify suspicious activity patterns
• Prevent abuse of free storage (e.g., cryptocurrency plotting)
• Enforce Fair Usage Policy
• Protect against spam, malware, and illegal content

5.5 Service Improvement

• Analyze usage patterns to improve features
• Conduct research and development
• Test new features and updates
• Fix bugs and optimize performance

5.6 Communications

• Send service-related notifications
• Provide customer support
• Send marketing communications (with consent)
• Notify you of policy changes

5.7 Legal and Compliance

• Comply with applicable laws and regulations
• Respond to legal requests and court orders
• Protect our legal rights and interests
• Enforce our Terms of Service

6.1 Advertising Partners

To provide free storage, we display advertisements through the following partners:

These partners may collect:

• Advertising identifiers (Google Advertising ID, IDFA)
• Approximate location based on IP address
• Device information
• Ad interaction data (views, clicks, conversions)

6.2 Rewarded Advertisements

When you watch advertisements to earn Cloud Coins:

• We track ad completion to verify rewards
• Partners confirm successful ad views
• Reward credits are processed automatically

6.3 Analytics Services

Google Analytics and Firebase:

• App performance monitoring
• Crash reporting and diagnostics
• User retention analysis
• Feature usage statistics

Privacy Policy: https://policies.google.com/privacy

6.4 Controlling Advertising

You can limit ad tracking through:

Note: Opting out does not eliminate ads; it reduces ad personalization.

7.1 Service Providers

We engage trusted third parties to perform services on our behalf:

• Cloud infrastructure providers (for hosting encrypted data shards)
• Payment processors
• Customer support platforms
• Analytics providers
• Email service providers

All service providers are contractually bound to protect your data and use it only for specified purposes.

7.2 Legal Requirements

We may disclose information when required by law:

• Valid court orders or subpoenas
• Government or regulatory requests
• Law enforcement investigations involving illegal content
• Protection of safety or rights

Important: Even when legally compelled, we cannot provide decrypted file contents because we do not possess decryption keys.

7.3 Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of assets:

• Your information may be transferred to the acquiring entity
• We will notify you before your data becomes subject to a different privacy policy
• You will have the opportunity to delete your account before transfer

7.4 With Your Consent

We may share information with third parties when you explicitly consent.

7.5 Aggregated or De-Identified Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably identify you for research, analytics, or business purposes.

8.1 Global Sharding Architecture

CloudSave uses distributed infrastructure for security and reliability. Your encrypted files are:

• Split into fragments (shards)
• Encrypted individually
• Distributed across servers in multiple countries
• Replicated for redundancy

Due to this architecture, file fragments may reside in India, United States, European Union, Singapore, or other locations simultaneously. The exact location of all fragments at any moment cannot be determined.

8.2 Transfer Mechanisms

For transfers from the European Economic Area, United Kingdom, or Switzerland:

Standard Contractual Clauses (SCCs):

We use European Commission-approved SCCs for transfers to countries without adequacy decisions.

Adequacy Decisions:

Where applicable, we rely on adequacy decisions recognizing adequate protection in the recipient country.

Supplementary Measures:

• Zero-knowledge encryption ensures data remains protected regardless of location
• Encrypted data cannot be accessed by local authorities or providers
• Technical measures prevent unauthorized access

8.3 Your Acknowledgment

By using CloudSave, you acknowledge and agree that:

• Your data is transferred globally as a security feature
• File fragments may reside in multiple jurisdictions simultaneously
• Encryption protects your data regardless of physical location
• This distributed architecture enhances, rather than diminishes, your privacy

9.1 Active Accounts

• Account information: Duration of account existence
• Encrypted files: Until you delete them or your account
• Usage logs: 12 months (rolling)
• Payment records: Duration of account plus retention period

9.2 Deleted Accounts

• Private encrypted files: Permanently deleted within 30 days
• Backup metadata: Retained in immutable backups for up to 90 days for disaster recovery, then deleted
• Account information: Deleted within 30 days, except as required for legal compliance

9.3 Legal and Financial Records

• Transaction history: 7 years (Indian tax law compliance)
• Creator payout records: 7 years
• Tax documentation: As required by applicable law (typically 7-10 years)
• Legal hold data: Duration of legal matter plus required retention

9.4 Aggregated Data

De-identified, aggregated data may be retained indefinitely for analytics and research.

10.1 Rights for All Users

Regardless of your location, you have the following rights:

• Right to Access: Request a copy of the Personal Data we hold about you.
• Right to Correction: Request correction of inaccurate or incomplete data.
• Right to Deletion: Request deletion of your account and associated data.
• Right to Withdraw Consent: Withdraw consent for processing based on consent.
• Right to Complain: Lodge a complaint with us or relevant authorities.

To exercise these rights, contact us at privacy@cloudsave.org or use the in-app settings.

Response Time: We will respond to requests within 30 days. Complex requests may require an extension of up to 60 additional days, with notification.

10.2 European Economic Area (GDPR)

If you are in the EEA, you have additional rights under the General Data Protection Regulation:

• Right to Rectification (Article 16): Correct inaccurate Personal Data.
• Right to Erasure (Article 17): Request deletion ("right to be forgotten") when data is no longer necessary, you withdraw consent, or processing is unlawful.
• Right to Restriction (Article 18): Restrict processing while we verify accuracy or assess legitimate grounds.
• Right to Data Portability (Article 20): Receive your data in a structured, machine-readable format and transmit it to another controller.
• Right to Object (Article 21): Object to processing based on legitimate interests, including profiling and direct marketing.
• Rights Related to Automated Decision-Making (Article 22): Not be subject to decisions based solely on automated processing that significantly affect you, with exceptions.

Right to Lodge a Complaint: File a complaint with your local Data Protection Authority. A list of EEA DPAs is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

10.3 United Kingdom (UK GDPR)

UK residents have equivalent rights under the UK General Data Protection Regulation and Data Protection Act 2018.

10.4 California Residents (CCPA/CPRA)

If you are a California resident, you have rights under the California Consumer Privacy Act and California Privacy Rights Act:

• Right to Know: Request disclosure of categories and specific pieces of Personal Information collected, sources, purposes, and third parties.
• Right to Delete: Request deletion of Personal Information, subject to exceptions.
• Right to Correct: Request correction of inaccurate Personal Information.
• Right to Opt-Out of Sale/Sharing: We do not sell Personal Information. We share data with advertising partners for cross-context behavioral advertising. You may opt out via email or in-app settings.
• Right to Limit Use of Sensitive Personal Information: Request limitation on use of sensitive categories.
• Right to Non-Discrimination: We will not discriminate against you for exercising your rights.

10.5 Brazil (LGPD)

If you are in Brazil, you have rights under the Lei Geral de Protecao de Dados:

• Confirmation of processing
• Access to your data
• Correction of incomplete or inaccurate data
• Anonymization, blocking, or deletion of unnecessary data
• Data portability
• Information about sharing with third parties
• Information about the possibility of denying consent
• Revocation of consent

Supervisory Authority: Autoridade Nacional de Protecao de Dados (ANPD) - https://www.gov.br/anpd

10.6 India (DPDP Act 2023)

If you are in India, you have rights under the Digital Personal Data Protection Act, 2023:

• Right to Access: Obtain a summary of your Personal Data and processing activities.
• Right to Correction and Erasure: Request correction of inaccurate data and erasure of data no longer necessary.
• Right to Grievance Redressal: Access our grievance redressal mechanism.
• Right to Nominate: Nominate another individual to exercise your rights in case of death or incapacity.

10.7 Other Jurisdictions

We respect privacy rights in all jurisdictions where we operate. If your jurisdiction provides additional rights not listed above, please contact us at privacy@cloudsave.org, and we will address your request in accordance with applicable law.

11.1 Encryption

• End-to-end, zero-knowledge encryption for private files
• AES-256 encryption standard for data at rest
• TLS 1.3 encryption for data in transit
• Client-side encryption before upload

11.2 Password Security

• Passwords are salted and hashed using industry-standard algorithms
• We never store passwords in plain text
• Support for two-factor authentication (2FA)

11.3 Access Controls

• Strict role-based access controls for employees
• Administrative tools show only metadata, never file contents
• Regular access reviews and audits
• Logging of all administrative access

11.4 Infrastructure Security

• Distributed architecture prevents single points of failure
• Regular security assessments and penetration testing
• DDoS protection
• Intrusion detection systems
• Regular backups with encryption

11.5 Organizational Measures

• Employee security training
• Background checks for employees with data access
• Confidentiality agreements
• Incident response procedures
• Regular security policy reviews

11.6 Incident Response

In case of a data breach:

• We will investigate immediately
• Affected users will be notified as required by law
• Relevant authorities will be notified within required timeframes
• We will take steps to mitigate harm

13.1 Fraud Detection

• Automated systems monitor for suspicious activity
• Patterns indicating abuse, bot farms, or manipulation are flagged
• Human review occurs before account actions

13.2 Content Moderation

• Automated scanning of Channel metadata (not encrypted files) for policy violations
• Hash-matching for known illegal content (CSAM, terrorism)
• Human review before content removal

13.3 Fair Usage Enforcement

• Automated monitoring of storage patterns
• Detection of prohibited uses (cryptocurrency plotting, illegal file sharing)
• Human review before enforcement actions

13.4 Your Rights

You have the right to:

• Request human review of automated decisions that significantly affect you
• Express your point of view
• Contest decisions

Automated decisions do not apply to encrypted file contents, which we cannot access.

14.1 Website Cookies

Our website uses cookies and similar technologies:

• Essential Cookies: Required for website functionality, security, and authentication. Cannot be disabled.
• Analytics Cookies: Help us understand how visitors use our website. Can be disabled.
• Advertising Cookies: Used by advertising partners to show relevant ads. Can be disabled.

14.2 Mobile App

Our mobile app uses:

• Advertising identifiers (can be reset or disabled in device settings)
• Analytics SDKs
• Crash reporting tools

14.3 Managing Cookies

• Browser Settings: Most browsers allow you to refuse or delete cookies.
• Our Cookie Banner: Use our cookie consent tool to manage preferences.
• Device Settings:
  • iOS: Settings > Privacy & Security > Tracking
  • Android: Settings > Google > Ads

Do Not Track: We currently do not respond to Do Not Track signals, as there is no industry standard for compliance.

16.1 Notification of Changes

Material Changes:

We will notify you via:

• Email to your registered address
• In-app notification
• Prominent notice on our website

Minor Changes:

Updated policy will be posted with a new "Last Updated" date.

16.2 Your Choices

After notification of material changes:

• Review the updated policy
• If you disagree, you may delete your account before the effective date
• Continued use after the effective date constitutes acceptance

16.3 Version History

We maintain a version history of this policy. Previous versions are available upon request.

18.1 Addendum for European Economic Area Users

This addendum supplements the main Privacy Policy for users in the EEA. In case of conflict, this addendum prevails for EEA users.

Cross-Border Transfers: We transfer data outside the EEA using Standard Contractual Clauses approved by the European Commission. Copies are available upon request.

18.2 Addendum for California Residents

This addendum provides additional disclosures required under CCPA/CPRA.

Financial Incentives: We do not offer financial incentives for the collection of Personal Information.

Shine the Light: California Civil Code Section 1798.83 permits California residents to request information about disclosure of Personal Information to third parties for direct marketing. We do not disclose Personal Information for third-party direct marketing.

18.3 Addendum for Brazilian Users

Data Controller: AXSA Technologies Private Limited

International Transfers: We transfer data internationally using contractual clauses that ensure equivalent protection to LGPD requirements.

18.4 Addendum for Indian Users

Data Fiduciary: AXSA Technologies Private Limited

This addendum supplements the main Privacy Policy in accordance with the Digital Personal Data Protection Act, 2023, and applicable rules.