Legal

Privacy Policy

Last updated: March 15, 2026

1. Information We Collect

We collect the minimum information necessary to provide the Service:

Account Information

  • Name and email address (provided during registration)
  • Authentication data (password hash or Google OAuth identifier)
  • Subscription and billing status

Usage Information

  • Document access logs (who accessed shared documents, when, and from what device)
  • Device information and IP address (for security monitoring and suspicious activity detection)
  • Error reports (stack traces and diagnostic data, sent to Sentry)

What We Do Not Collect

We do not collect, access, or store the contents of your documents. All documents are encrypted on your device before upload using AES-256-GCM encryption. We operate on a zero-knowledge architecture—we physically cannot read your files.

2. How We Use Your Information

  • To authenticate you and maintain your session
  • To send transactional emails (document requests, sharing notifications, trial/subscription reminders)
  • To detect and prevent suspicious activity on shared documents
  • To diagnose and fix errors in the Service
  • To process payments and manage your subscription

We do not sell, rent, or share your personal information with third parties for marketing purposes.

3. Zero-Knowledge Encryption

Every document uploaded to Unexposed is encrypted in your browser using a unique AES-256-GCM key before it leaves your device. The encryption key is then wrapped with your personal Key Encryption Key (KEK) and stored separately from the encrypted data. At no point do our servers have access to your unencrypted documents or raw encryption keys. This means that even in the event of a data breach, your documents remain unreadable.

4. Third-Party Services

We use the following third-party services to operate Unexposed:

Sentry

Error monitoring and diagnostics. Receives error reports and stack traces only. No document content, user-identifiable data, or session recordings are sent. Encryption keys are scrubbed from all reports before transmission.

Resend

Transactional email delivery. Receives recipient email addresses solely for sending notifications you have triggered (sharing invitations, request reminders, subscription updates).

Tigris (S3-compatible)

Object storage for encrypted document blobs. Stores only encrypted data—Tigris cannot decrypt your files.

Polar

Payment processing for subscriptions and one-time purchases. Handles billing information directly; we do not store credit card numbers.

Google

OAuth authentication (optional). Used only to verify your identity during sign-in. We receive your name and email address from Google; no other data is shared.

5. Cookies

Unexposed uses only strictly necessary cookies for authentication session management. We do not use analytics, advertising, or tracking cookies. For details, see our Cookie Policy.

6. Data Retention

Account dataRetained for as long as your account is active.
Encrypted documentsRetained until you delete them or delete your account.
Access logsRetained for 90 days for security monitoring purposes.
Error reportsRetained by Sentry for 90 days.

When you delete your account, all your data—including encrypted documents, metadata, and access logs—is permanently removed from our servers.

7. Your Rights

You have the right to:

  • Access your personal data through your account settings
  • Export your documents at any time by downloading them
  • Delete your account and all associated data
  • Correct inaccurate account information

To exercise these rights, visit your account settings or contact us at support@unexposed.app.

8. HIPAA Considerations

Unexposed is designed with healthcare document security in mind. While we provide tools suitable for managing sensitive medical documents, individual users are responsible for ensuring their own compliance with applicable healthcare regulations. Our zero-knowledge encryption architecture means that protected health information (PHI) in your documents is never accessible to Unexposed or our infrastructure providers.

9. Children’s Privacy

Unexposed is not intended for use by individuals under the age of 13. We do not knowingly collect personal information from children. If you believe a child under 13 has provided us with personal information, please contact us and we will promptly delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a notice on the Service. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

11. Contact

If you have questions about this Privacy Policy or our data practices, contact us at support@unexposed.app.

Terms of Service

Usage terms and conditions

Cookie Policy

What cookies we use