Privacy

Privacy Policy

Enqrypted is designed around a strict zero-knowledge model. We do not want your identity, your content, or your keys. This page explains exactly what we collect, what we do not collect, and how the cryptographic model works.

Last Updated: March 28, 2026 Zero knowledge No name or email required

Architecture

Zero knowledge

Encryption and decryption happen locally in your browser.

Personal data

No name or email required

No real-name profile, email, or phone is required. Limited account and operational data exists to run the service.

Storage model

Minimal and temporary

Encrypted payloads are temporary. Account and payment records exist only as needed to operate the service.

Cryptography

Client-side only

Argon2id and XChaCha20-Poly1305 run before data reaches the server.

Policy Map

A fast overview of the areas covered on this page.

1. General Provisions

At Enqrypted ('website'), privacy-first design and zero-knowledge handling of message and file contents are core principles. Content encryption and decryption run in your browser before readable data is shared. To operate accounts, paid plans, and one-time secure sharing, we do store limited server-side operational data such as encrypted payloads, share state, account identifiers, plan state, and payment or order references. We do not store plaintext content, passwords, or derived encryption keys on our servers.

Critical Security Notice: Share QR codes, links, and passwords only via secure, separate channels (never through the same communication method). Enqrypted cannot be held responsible for security incidents arising from improper sharing practices.

2. Information We Collect

Personal Data: No real-name identity required

Enqrypted does not require your real name, email address, phone number, profile photo, or public user profile to create and use an account. Instead, the service creates a random ENQ account ID. We do store limited account data needed to operate the product, such as plan type, activity timestamps, usage counters, and payment or order references when you purchase Pro.

Technical Data: Limited Operational Processing

To operate authentication, secure sharing, abuse prevention, and payments, our systems and infrastructure providers may process limited technical data such as account IDs, encrypted session state, CSRF tokens, share timestamps, read or delete status, failed-attempt counters, encrypted payload metadata, payment processor references, and bot-protection results. Infrastructure providers may also see IP and request data at the network layer as part of delivering the service.

We do not intentionally store plaintext messages, plaintext files, passwords, or derived encryption keys in application storage.

3. Cookies and Similar Technologies

We use security cookies for essential website functionality, specifically encrypted session authentication and CSRF protection. The main authentication cookie is HttpOnly and encrypted; a separate CSRF token cookie helps authorize sensitive browser actions.

We do not store message content, passwords, or encryption keys in cookies. The browser may keep a short-lived in-memory auth cache for convenience, while current localStorage use is limited to client-side rate-limit counters rather than your core session secret.

4. Purpose of Data Use

Our limited data processing serves only to: authenticate accounts; enforce plan rules; enable one-time secure shares for messages and files; track read, expiry, and failed-attempt state; prevent abuse and automated attacks; process payments; and maintain system performance and reliability.

We explicitly do not: intentionally store plaintext message or file content, passwords, or derived encryption keys; build advertising profiles; or sell personal data. Production error logging is minimized and designed to avoid plaintext secrets.

5. Security & Cryptography

Zero-Knowledge Architecture

All message and file encryption or decryption happens locally in your browser. The server receives encrypted packages plus limited account and share metadata needed to run the product. We never possess your plaintext password or the derived content key.

Cryptographic Specifications

Key Derivation: Argon2id

Time cost (t): 3 iterations; Memory cost (m): 256 MB; Parallelism: Adaptively selected per device; Unique, cryptographically secure random salt per secret/password
Authenticated Encryption: XChaCha20-Poly1305 (AEAD)

Unique 24-byte nonce per encryption; 128-bit authentication tag for tamper detection; 256-bit symmetric keys derived client-side
Randomness

All nonces and salts generated using cryptographically secure PRNG (Web Crypto API)

Security Guarantees

With our zero-knowledge content model and modern encryption design, anyone without the correct password should face unreadable ciphertext and an expensive guessing process. We cannot decrypt your content for you because we do not have your password or plaintext key material. Real-world security still depends on password strength, device security, and safe sharing practices.

6. User Responsibilities

Safeguard and transmit QR codes, links, and passwords via secure, separate channels; Use strong, unique passwords - lost passwords cannot be recovered; Understand that expired or single-use links become permanently inaccessible; Maintain good operational security practices on your devices.

Your overall security depends on these practices beyond our platform's technical protections.

7. Payments (Cryptocurrency Checkout)

Crypto checkout is handled through Coinbase Commerce. Enqrypted does not ask you for billing names, card details, or government ID. To credit your purchase, checkout records include your ENQ account ID, selected plan, order or charge identifiers, and payment status.

Note: Blockchain transactions and payment-provider records may be visible or retained outside Enqrypted under their own policies. Any wallet or payment-provider identity checks are controlled by those providers, not by Enqrypted.

8. Third-Party Service Providers

We rely on third-party infrastructure to operate the service, including Cloudflare services for application delivery, storage, and bot protection, plus Coinbase Commerce for crypto checkout. These providers may process limited operational data necessary to perform their role.

We do not intentionally share plaintext messages, plaintext files, passwords, or derived encryption keys with providers. Content sent to storage is encrypted before it leaves your browser.

9. Data Retention & Deletion

Encrypted messages and files are stored temporarily to enable one-time secure sharing and are deleted after a successful read, after three failed password attempts, or after 24 hours, whichever comes first. Account records store limited operational data such as plan state, activity timestamps, and usage counters. Free accounts are removed after 30 days of inactivity. Order and payment records are kept while needed to operate the account and purchase history.

Deletion is part of the product model, but limited operational records may exist while the account remains active.

10. Legal Compliance

Government Requests:

Because content encryption happens client-side, we do not possess plaintext messages, plaintext files, passwords, or derived content keys to hand over. We may still possess limited account, payment, and share metadata that exists to operate the service.

11. Disclaimer & Limitations

Platform Limitations:

While Enqrypted uses strong client-side encryption and layered session protections, overall security also depends on: password strength and device security; secure sharing practices for links, QR codes, and passwords; protection against phishing and social engineering attacks.

Liability:

Enqrypted cannot be held liable for security breaches arising from insecure handling practices outside our platform's technical controls.

12. Changes to This Policy

Significant changes will be published here with an updated 'Last Updated' date; Major policy changes will be announced prominently on the website; We recommend reviewing this policy periodically.

13. Contact & Transparency

Questions or Concerns:

Email us at enqryptedapp@proton.me.

Our Commitment:

We value complete transparency about our privacy practices and your absolute digital privacy. This policy reflects our genuine technical capabilities and limitations. We believe in honest privacy, not privacy theater.

Questions or concerns?

If you need clarification about our privacy model, reach us directly and we will answer in plain language.

Email us