Privacy Policy

Last updated: March 8, 2026

1. Data Controller

SealedFor ("we," "us," "our") operates the website sealedfor.com and is the data controller responsible for your personal data. For questions, contact support@sealedfor.com.

2. What We Collect & Legal Basis

SealedFor collects only data strictly necessary to provide the service:

Data	Purpose	Legal Basis (GDPR Art. 6)
Sender email address	Edit token delivery, Guardian Release check-ins, token recovery	Contract performance (Art. 6(1)(b))
Sender display name	Shown in delivery emails to recipients	Contract performance (Art. 6(1)(b))
Recipient email address(es)	Capsule delivery only — max 10 per capsule	Legitimate interest (Art. 6(1)(f))
Capsule files (videos, photos, audio, documents)	Encrypted at rest with AES-256-GCM — stored only for delivery	Contract performance (Art. 6(1)(b))
Capsule text message	Stored as plaintext in database — not encrypted in either mode	Contract performance (Art. 6(1)(b))
Payment data	Processed entirely by Paddle (Merchant of Record) — we store only Paddle transaction IDs	Contract performance (Art. 6(1)(b))
IP address	Rate limiting and abuse prevention only — not stored persistently	Legitimate interest (Art. 6(1)(f))
Locale preference	Language selection (essential cookie)	Contract performance (Art. 6(1)(b))

3. What We Do NOT Collect

No advertising cookies or retargeting trackers
No sale of personal data to advertisers or data brokers
No invasive device fingerprinting or cross-site profiling
No social media trackers
No browsing history beyond your session

4. How We Use Your Data

Delivering capsules to specified recipients at the scheduled time
Sending Guardian Release check-in emails to verify sender activity
Token recovery when requested by you
Abuse prevention via automated rate limiting (IP-based, ephemeral)
Privacy-friendly, aggregated product analytics to measure core usage and performance
Anonymized, aggregated statistics (total capsules created, storage usage) — no personal data

5. Data Storage & Encryption

All capsule files are encrypted with AES-256-GCM using server-side envelope encryption. Each file receives a unique per-file encryption key, which is itself encrypted with a master key. Encryption keys are stored separately from file data.

Data is stored across:

Cloudflare R2 (temporary upload buffer, encrypted hot storage, and file delivery to recipients)
AWS S3 Glacier Deep Archive (long-term encrypted storage, US region)
Supabase (PostgreSQL database, US region)

6. Data Retention

Active capsules: stored for the purchased duration (up to 150 years)
Delivered capsules: recipient access for 7 days after first open (extendable via purchase), then content permanently deleted after 30-day grace period
Cancelled capsules: content deleted immediately, metadata retained for 30 days for support, then permanently deleted
Recipient emails: hashed (irreversibly anonymized) after 2 years per GDPR data minimization
Statistical data: anonymized and retained indefinitely — not traceable to individuals
Rate limiting data: stored in memory only, expires automatically

7. Third-Party Processors

We share data only with processors necessary to deliver the service:

Processor	Role	Data Shared	Location
Paddle.com	Merchant of Record — payment processing, tax compliance, invoicing	Payment info (collected directly by Paddle)	UK/US
AWS (Amazon Web Services)	Encrypted file storage (S3 Glacier Deep Archive)	Encrypted files only — AWS cannot read content	US (us-east-1)
Cloudflare	Encrypted file storage (R2) and delivery to recipients	Encrypted files only	US/Global Edge
Resend (via AWS SES)	Transactional email delivery	Recipient email, subject, email body	US
Supabase	Database hosting (PostgreSQL)	All metadata, encrypted encryption keys	US (us-east-1)
Vercel	Application hosting	Request handling — no persistent data storage	US/Global Edge
Umami	Privacy-friendly web analytics	Aggregated page and event analytics without advertising cookies	Provider infrastructure

8. International Data Transfers

Our services are primarily hosted in the United States. If you are located in the EU/EEA, your data is transferred to the US under the EU–US Data Privacy Framework (where applicable) and Standard Contractual Clauses (SCCs) with our processors. All capsule files are encrypted before transfer — processors cannot access file content. The written text message is stored unencrypted in the database.

9. Your Rights (GDPR / EU Users)

If you are in the EU/EEA, you have the following rights under GDPR:

Right of Access (Art. 15): Request a copy of your personal data
Right to Rectification (Art. 16): Correct inaccurate data via your edit token
Right to Erasure (Art. 17): Cancel your capsule via your edit token — all content is permanently deleted
Right to Restriction (Art. 18): Request we limit processing of your data
Right to Data Portability (Art. 20): Receive your data in a machine-readable format
Right to Object (Art. 21): Object to processing based on legitimate interests
Right to Withdraw Consent: Where consent is the legal basis, withdraw at any time

To exercise these rights, email support@sealedfor.com. We will respond within 30 days as required by GDPR.

10. Your Rights (US Users)

Depending on your state, you may have rights under the CCPA (California), CPA (Colorado), CTDPA (Connecticut), VCDPA (Virginia), or similar state privacy laws:

Right to Know: Request what personal data we collect and how we use it
Right to Delete: Request deletion of your personal data
Right to Opt-Out of Sale: We do not sell personal data to third parties
Right to Non-Discrimination: We will not discriminate against you for exercising your rights

To exercise these rights, email support@sealedfor.com.

11. Cookies

SealedFor uses essential cookies and privacy-friendly analytics scripts:

NEXT_LOCALE — stores your language preference (EN/DE/PL/ES)

We do not use advertising cookies, retargeting cookies, or social media tracking pixels. We do use privacy-friendly analytics tooling to measure aggregate traffic and product usage. If your jurisdiction requires consent for analytics technologies, configure a consent layer before enabling those scripts in production.

12. Admin Access to Content

SealedFor staff never access capsule content during normal operations. In the case of a recipient report (e.g., suspected illegal content), admin may view content only if the recipient explicitly consents via a checkbox in the report form. Without consent, admin sees only metadata (dates, status, file types). All admin actions are logged.

13. Children's Privacy

SealedFor is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has used our service, contact us and we will delete the data promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated "Last updated" date. We encourage you to review this page periodically.

15. Contact & Complaints

For privacy inquiries: support@sealedfor.com

If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local data protection authority (e.g., the ICO in the UK, CNIL in France, BfDI in Germany, UODO in Poland).